Blame - library/aria.c - mirror/mbed-crypto - TrustedFirmware Git Browser

blob: 5a5222f6afeb56f5ba016ed9eb40393d7d6976ec [file] [log] [blame]

Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	1	/*
				2	* ARIA implementation
				3	*
				4	* Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
				5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
				18	*
				19	* This file is part of mbed TLS (https://tls.mbed.org)
				20	*/
				21
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	22	/*
				23	* This implementation is based on the following standards:
				24	* [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
				25	* [2] https://tools.ietf.org/html/rfc5794
				26	*/
				27
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	28	#if !defined(MBEDTLS_CONFIG_FILE)
				29	#include "mbedtls/config.h"
				30	#else
				31	#include MBEDTLS_CONFIG_FILE
				32	#endif
				33
				34	#if defined(MBEDTLS_ARIA_C)
				35
				36	#include "mbedtls/aria.h"
				37
				38	#include <string.h>
				39
				40	#if defined(MBEDTLS_SELF_TEST)
				41	#if defined(MBEDTLS_PLATFORM_C)
				42	#include "mbedtls/platform.h"
				43	#else
				44	#include <stdio.h>
				45	#define mbedtls_printf printf
				46	#endif /* MBEDTLS_PLATFORM_C */
				47	#endif /* MBEDTLS_SELF_TEST */
				48
				49	#if !defined(MBEDTLS_ARIA_ALT)
				50
Manuel Pégourié-Gonnard	5645393	2018-02-21 10:08:31 +0100	[diff] [blame^]	51	/* Implementation that should never be optimized out by the compiler */
				52	static void mbedtls_zeroize( void *v, size_t n ) {
				53	volatile unsigned char p = (unsigned char)v; while( n-- ) *p++ = 0;
				54	}
				55
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	56	// 32-bit integer manipulation macros (little endian)
				57
				58	#ifndef GET_UINT32_LE
				59	#define GET_UINT32_LE(n,b,i) \
				60	{ \
				61	(n) = ( (uint32_t) (b)[(i) ] ) \
				62	\| ( (uint32_t) (b)[(i) + 1] << 8 ) \
				63	\| ( (uint32_t) (b)[(i) + 2] << 16 ) \
				64	\| ( (uint32_t) (b)[(i) + 3] << 24 ); \
				65	}
				66	#endif
				67
				68	#ifndef PUT_UINT32_LE
				69	#define PUT_UINT32_LE(n,b,i) \
				70	{ \
				71	(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
				72	(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
				73	(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
				74	(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
				75	}
				76	#endif
				77
				78	// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
				79	#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
				80
				81	// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
				82	#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
				83
				84	// Affine Transform A
				85	// (ra, rb, rc, rd) = state in/out
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	86
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	87	#define ARIA_A( ra, rb, rc, rd ) { \
				88	uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	89	ta = rb; \
				90	rb = ra; \
				91	ra = ARIA_FLIP1( ta ); \
				92	tb = ARIA_FLIP1( rd ); \
				93	rd = ARIA_FLIP2( rc ); \
				94	rc = ARIA_FLIP2( tb ); \
				95	ta ^= rd; \
				96	tc = ARIA_FLIP1( rb ); \
				97	ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
				98	tb ^= ARIA_FLIP1( rd ); \
				99	tc ^= ARIA_FLIP2( ra ); \
				100	rb ^= ta ^ tb; \
				101	tb = ARIA_FLIP1( tb ) ^ ta; \
				102	ra ^= ARIA_FLIP2( tb ); \
				103	ta = ARIA_FLIP1( ta ); \
				104	rd ^= ARIA_FLIP2( ta ) ^ tc; \
				105	tc = ARIA_FLIP1( tc ); \
				106	rc ^= ARIA_FLIP2( tc ) ^ ta; \
				107	}
				108
				109
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	110	/* ARIA Round function ( Substitution Layer SLx + Affine Transform A )
				111	* (ra, rb, rc, rd) = state in/out
				112	* (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	113	*
				114	* By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A.
				115	* By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A.
				116	*/
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	117
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	118	#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \
				119	uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	120	ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
				121	(((uint32_t) sd[ rb >> 24]) << 8) ^ \
				122	(((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
				123	(((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
				124	rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
				125	(((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
				126	(((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
				127	(((uint32_t) sd[ ra >> 24]) << 24); \
				128	ra = ta; \
				129	ta = ( (uint32_t) sd[ rd >> 24]) ^ \
				130	(((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
				131	(((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
				132	(((uint32_t) sa[ rd & 0xFF]) << 24); \
				133	rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
				134	(((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
				135	(((uint32_t) sd[ rc >> 24]) << 16) ^ \
				136	(((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
				137	rc = ta; \
				138	ta = ARIA_FLIP1( ra ) ^ rd; \
				139	tc = ARIA_FLIP1( rb ); \
				140	ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
				141	tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
				142	tc ^= ARIA_FLIP2( ra ); \
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	143	rb ^= ta ^ tb; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	144	tb = ARIA_FLIP1( tb ) ^ ta; \
				145	ra ^= ARIA_FLIP2( tb ); \
				146	ta = ARIA_FLIP1( ta ); \
				147	rd ^= ARIA_FLIP2( ta ) ^ tc; \
				148	tc = ARIA_FLIP1( tc ); \
				149	rc ^= ARIA_FLIP2( tc ) ^ ta; \
				150	}
				151
				152	// S-Boxes
				153
				154	static const uint8_t aria_sb1[0x100] =
				155	{
				156	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
				157	0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
				158	0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
				159	0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
				160	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
				161	0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
				162	0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
				163	0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
				164	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
				165	0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
				166	0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
				167	0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
				168	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
				169	0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
				170	0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
				171	0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
				172	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
				173	0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
				174	0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
				175	0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
				176	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
				177	0xB0, 0x54, 0xBB, 0x16
				178	};
				179
				180	static const uint8_t aria_sb2[0x100] =
				181	{
				182	0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
				183	0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
				184	0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
				185	0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
				186	0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
				187	0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
				188	0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
				189	0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
				190	0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
				191	0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
				192	0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
				193	0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
				194	0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
				195	0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
				196	0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
				197	0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
				198	0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
				199	0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
				200	0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
				201	0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
				202	0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
				203	0xAF, 0xBA, 0xB5, 0x81
				204	};
				205
				206	static const uint8_t aria_is1[0x100] =
				207	{
				208	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
				209	0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
				210	0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
				211	0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
				212	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
				213	0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
				214	0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
				215	0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
				216	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
				217	0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
				218	0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
				219	0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
				220	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
				221	0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
				222	0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
				223	0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
				224	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
				225	0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
				226	0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
				227	0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
				228	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
				229	0x55, 0x21, 0x0C, 0x7D
				230	};
				231
				232	static const uint8_t aria_is2[0x100] =
				233	{
				234	0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
				235	0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
				236	0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
				237	0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
				238	0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
				239	0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
				240	0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
				241	0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
				242	0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
				243	0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
				244	0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
				245	0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
				246	0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
				247	0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
				248	0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
				249	0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
				250	0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
				251	0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
				252	0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
				253	0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
				254	0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
				255	0x03, 0xA2, 0xAC, 0x60
				256	};
				257	// FO and FE are helpers for key schedule
				258
				259	// r = FO( p, k ) ^ x
				260
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	261	static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	262	const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
				263	{
				264	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	265
				266	a = p[0] ^ k[0];
				267	b = p[1] ^ k[1];
				268	c = p[2] ^ k[2];
				269	d = p[3] ^ k[3];
				270
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	271	ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	272
				273	r[0] = a ^ x[0];
				274	r[1] = b ^ x[1];
				275	r[2] = c ^ x[2];
				276	r[3] = d ^ x[3];
				277	}
				278
				279	// r = FE( p, k ) ^ x
				280
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	281	static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	282	const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
				283	{
				284	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	285
				286	a = p[0] ^ k[0];
				287	b = p[1] ^ k[1];
				288	c = p[2] ^ k[2];
				289	d = p[3] ^ k[3];
				290
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	291	ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	292
				293	r[0] = a ^ x[0];
				294	r[1] = b ^ x[1];
				295	r[2] = c ^ x[2];
				296	r[3] = d ^ x[3];
				297	}
				298
Manuel Pégourié-Gonnard	c76ceb6	2018-02-21 09:50:17 +0100	[diff] [blame]	299	// Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	300	// This is relatively slow since our implementation is geared towards
				301	// little-endian targets and stores state in that order.
				302
				303	static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame]	304	const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	305	{
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame]	306	uint8_t i, j;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	307	uint32_t t, u;
				308
Manuel Pégourié-Gonnard	c76ceb6	2018-02-21 09:50:17 +0100	[diff] [blame]	309	const uint8_t n1 = n % 32; // bit offset
				310	const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame]	311
Manuel Pégourié-Gonnard	c76ceb6	2018-02-21 09:50:17 +0100	[diff] [blame]	312	j = (n / 32) % 4; // initial word offset
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	313	t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
				314	for( i = 0; i < 4; i++ )
				315	{
Manuel Pégourié-Gonnard	c76ceb6	2018-02-21 09:50:17 +0100	[diff] [blame]	316	j = (j + 1) % 4; // get next word, big endian
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	317	u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
				318	t <<= n1; // rotate
Manuel Pégourié-Gonnard	c76ceb6	2018-02-21 09:50:17 +0100	[diff] [blame]	319	t \|= u >> n2;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	320	t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
				321	r[i] = a[i] ^ t; // store
				322	t = u; // move to next word
				323	}
				324	}
				325
				326	// Set encryption key
				327
				328	int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
				329	const unsigned char *key, unsigned int keybits)
				330	{
				331	// round constant masks
				332	const uint32_t rc[3][4] =
				333	{
				334	{ 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
				335	{ 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
				336	{ 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
				337	};
				338
				339	int i;
				340	uint32_t w[4][4], *w2;
				341
				342	if (keybits != 128 && keybits != 192 && keybits != 256)
				343	return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
				344
				345	// W0 = KL
				346	GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 \| W1
				347	GET_UINT32_LE( w[0][1], key, 4 );
				348	GET_UINT32_LE( w[0][2], key, 8 );
				349	GET_UINT32_LE( w[0][3], key, 12 );
				350
				351	memset(w[1], 0, 16);
				352	if( keybits >= 192 )
				353	{
				354	GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
				355	GET_UINT32_LE( w[1][1], key, 20 );
				356	}
				357	if( keybits == 256 )
				358	{
				359	GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
				360	GET_UINT32_LE( w[1][3], key, 28 );
				361	}
				362
				363	i = (keybits - 128) >> 6; // index: 0, 1, 2
				364	ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
				365
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	366	aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	367	i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	368	aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	369	i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	370	aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	371
				372	for( i = 0; i < 4; i++ ) // create round keys
				373	{
				374	w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame]	375	aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
				376	aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
				377	aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
				378	aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	379	}
				380	aria_rot128( ctx->rk[16], w[0], w[1], 19 );
				381
				382	return 0;
				383	}
				384
				385	// Set decryption key
				386
				387	int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
				388	const unsigned char *key, unsigned int keybits)
				389	{
				390	int i, j, k, ret;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	391
				392	ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
				393	if( ret != 0 )
				394	return ret;
				395
				396	// flip the order of round keys
				397	for( i = 0, j = ctx->nr; i < j; i++, j-- )
				398	{
				399	for( k = 0; k < 4; k++ )
				400	{
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	401	uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	402	ctx->rk[i][k] = ctx->rk[j][k];
				403	ctx->rk[j][k] = t;
				404	}
				405	}
				406
				407	// apply affine transform to middle keys
				408	for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	409	ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	410
				411	return 0;
				412	}
				413
				414	// Encrypt a block
				415
				416	int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
				417	int mode,
				418	const unsigned char input[16],
				419	unsigned char output[16] )
				420	{
				421	int i;
				422
				423	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	424
				425	( (void) mode );
				426
				427	GET_UINT32_LE( a, input, 0 );
				428	GET_UINT32_LE( b, input, 4 );
				429	GET_UINT32_LE( c, input, 8 );
				430	GET_UINT32_LE( d, input, 12 );
				431
				432	i = 0;
				433	while (1)
				434	{
				435	a ^= ctx->rk[i][0];
				436	b ^= ctx->rk[i][1];
				437	c ^= ctx->rk[i][2];
				438	d ^= ctx->rk[i][3];
				439	i++;
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	440	ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	441
				442	a ^= ctx->rk[i][0];
				443	b ^= ctx->rk[i][1];
				444	c ^= ctx->rk[i][2];
				445	d ^= ctx->rk[i][3];
				446	i++;
				447	if (i >= ctx->nr)
				448	break;
				449
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	450	ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	451	}
				452
				453	// final substitution
				454
				455	a = ctx->rk[i][0] ^
				456	( (uint32_t) aria_is1[ a & 0xFF]) ^
				457	(((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
				458	(((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
				459	(((uint32_t) aria_sb2[ a >> 24 ]) << 24);
				460
				461	b = ctx->rk[i][1] ^
				462	( (uint32_t) aria_is1[ b & 0xFF]) ^
				463	(((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
				464	(((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
				465	(((uint32_t) aria_sb2[ b >> 24 ]) << 24);
				466
				467	c = ctx->rk[i][2] ^
				468	( (uint32_t) aria_is1[ c & 0xFF]) ^
				469	(((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
				470	(((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
				471	(((uint32_t) aria_sb2[ c >> 24 ]) << 24);
				472
				473	d = ctx->rk[i][3] ^
				474	( (uint32_t) aria_is1[ d & 0xFF]) ^
				475	(((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
				476	(((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
				477	(((uint32_t) aria_sb2[ d >> 24 ]) << 24);
				478
				479	PUT_UINT32_LE( a, output, 0 );
				480	PUT_UINT32_LE( b, output, 4 );
				481	PUT_UINT32_LE( c, output, 8 );
				482	PUT_UINT32_LE( d, output, 12 );
				483
				484	return 0;
				485	}
				486
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	487	void mbedtls_aria_init( mbedtls_aria_context *ctx )
				488	{
				489	memset( ctx, 0, sizeof( mbedtls_aria_context ) );
				490	}
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	491
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	492	void mbedtls_aria_free( mbedtls_aria_context *ctx )
				493	{
				494	if( ctx == NULL )
				495	return;
				496
Manuel Pégourié-Gonnard	5645393	2018-02-21 10:08:31 +0100	[diff] [blame^]	497	mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	498	}
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	499
				500	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				501	/*
				502	* ARIA-CBC buffer encryption/decryption
				503	*/
				504	int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
				505	int mode,
				506	size_t length,
				507	unsigned char iv[16],
				508	const unsigned char *input,
				509	unsigned char *output )
				510	{
				511	int i;
				512	unsigned char temp[16];
				513
				514	if( length % 16 )
				515	return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
				516
				517	if( mode == MBEDTLS_ARIA_DECRYPT )
				518	{
				519	while( length > 0 )
				520	{
				521	memcpy( temp, input, 16 );
				522	mbedtls_aria_crypt_ecb( ctx, mode, input, output );
				523
				524	for( i = 0; i < 16; i++ )
				525	output[i] = (unsigned char)( output[i] ^ iv[i] );
				526
				527	memcpy( iv, temp, 16 );
				528
				529	input += 16;
				530	output += 16;
				531	length -= 16;
				532	}
				533	}
				534	else
				535	{
				536	while( length > 0 )
				537	{
				538	for( i = 0; i < 16; i++ )
				539	output[i] = (unsigned char)( input[i] ^ iv[i] );
				540
				541	mbedtls_aria_crypt_ecb( ctx, mode, output, output );
				542	memcpy( iv, output, 16 );
				543
				544	input += 16;
				545	output += 16;
				546	length -= 16;
				547	}
				548	}
				549
				550	return( 0 );
				551	}
				552	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				553
				554	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				555	/*
				556	* ARIA-CFB128 buffer encryption/decryption
				557	*/
				558	int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
				559	int mode,
				560	size_t length,
				561	size_t *iv_off,
				562	unsigned char iv[16],
				563	const unsigned char *input,
				564	unsigned char *output )
				565	{
				566	int c;
				567	size_t n = *iv_off;
				568
				569	if( mode == MBEDTLS_ARIA_DECRYPT )
				570	{
				571	while( length-- )
				572	{
				573	if( n == 0 )
				574	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
				575
				576	c = *input++;
				577	*output++ = (unsigned char)( c ^ iv[n] );
				578	iv[n] = (unsigned char) c;
				579
				580	n = ( n + 1 ) & 0x0F;
				581	}
				582	}
				583	else
				584	{
				585	while( length-- )
				586	{
				587	if( n == 0 )
				588	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
				589
				590	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
				591
				592	n = ( n + 1 ) & 0x0F;
				593	}
				594	}
				595
				596	*iv_off = n;
				597
				598	return( 0 );
				599	}
				600	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				601
				602	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				603	/*
				604	* ARIA-CTR buffer encryption/decryption
				605	*/
				606	int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
				607	size_t length,
				608	size_t *nc_off,
				609	unsigned char nonce_counter[16],
				610	unsigned char stream_block[16],
				611	const unsigned char *input,
				612	unsigned char *output )
				613	{
				614	int c, i;
				615	size_t n = *nc_off;
				616
				617	while( length-- )
				618	{
				619	if( n == 0 ) {
				620	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
				621	stream_block );
				622
				623	for( i = 16; i > 0; i-- )
				624	if( ++nonce_counter[i - 1] != 0 )
				625	break;
				626	}
				627	c = *input++;
				628	*output++ = (unsigned char)( c ^ stream_block[n] );
				629
				630	n = ( n + 1 ) & 0x0F;
				631	}
				632
				633	*nc_off = n;
				634
				635	return( 0 );
				636	}
				637	#endif /* MBEDTLS_CIPHER_MODE_CTR */
				638	#endif /* !MBEDTLS_ARIA_ALT */
				639
				640	#if defined(MBEDTLS_SELF_TEST)
				641
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	642	// Basic ARIA ECB test vectors from RFC 5794
				643
				644	static const uint8_t aria_test1_ecb_key[32] = // test key
				645	{
				646	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
				647	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
				648	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
				649	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
				650	};
				651
				652	static const uint8_t aria_test1_ecb_pt[16] = // plaintext
				653	{
				654	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
				655	0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
				656	};
				657
				658	static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
				659	{
				660	{ 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
				661	0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
				662	{ 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
				663	0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
				664	{ 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
				665	0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
				666	};
				667
				668	// Mode tests from "Test Vectors for ARIA" Version 1.0
				669	// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
				670
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	671	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| defined(MBEDTLS_CIPHER_MODE_CFB) \|\| \
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	672	defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	673	static const uint8_t aria_test2_key[32] =
				674	{
				675	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
				676	0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
				677	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
				678	0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
				679	};
				680
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	681	static const uint8_t aria_test2_pt[48] =
				682	{
				683	0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
				684	0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
				685	0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
				686	0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
				687	0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
				688	0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
				689	};
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	690	#endif
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	691
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	692	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| defined(MBEDTLS_CIPHER_MODE_CFB))
				693	static const uint8_t aria_test2_iv[16] =
				694	{
				695	0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
				696	0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
				697	};
				698	#endif
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	699
				700	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				701	static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
				702	{
				703	{ 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
				704	0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
				705	0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
				706	0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
				707	0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
				708	0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
				709	{ 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
				710	0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
				711	0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
				712	0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
				713	0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
				714	0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
				715	{ 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
				716	0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
				717	0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
				718	0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
				719	0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
				720	0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
				721	};
				722	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				723
				724	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				725	static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
				726	{
				727	{ 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
				728	0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
				729	0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
				730	0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
				731	0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
				732	0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
				733	{ 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
				734	0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
				735	0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
				736	0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
				737	0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
				738	0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
				739	{ 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
				740	0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
				741	0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
				742	0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
				743	0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
				744	0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
				745	};
				746	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				747
				748	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				749	static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
				750	{
				751	{ 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
				752	0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
				753	0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
				754	0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
				755	0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
				756	0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
				757	{ 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
				758	0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
				759	0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
				760	0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
				761	0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
				762	0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
				763	{ 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
				764	0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
				765	0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
				766	0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
				767	0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
				768	0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
				769	};
				770	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				771
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	772	/*
				773	* Checkup routine
				774	*/
				775
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	776	#define ARIA_SELF_TEST_IF_FAIL \
				777	{ \
				778	if( verbose ) \
				779	printf( "failed\n" ); \
				780	return( 1 ); \
				781	} else { \
				782	if( verbose ) \
				783	printf( "passed\n" ); \
				784	}
				785
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	786	int mbedtls_aria_self_test( int verbose )
				787	{
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	788	int i;
				789	uint8_t blk[16];
				790	mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	791
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	792	#if (defined(MBEDTLS_CIPHER_MODE_CFB) \|\| defined(MBEDTLS_CIPHER_MODE_CTR))
				793	size_t j;
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	794	#endif
				795
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	796	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| \
				797	defined(MBEDTLS_CIPHER_MODE_CFB) \|\| \
				798	defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	799	uint8_t buf[48], iv[16];
				800	#endif
				801
				802	// Test set 1
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	803
				804	for( i = 0; i < 3; i++ )
				805	{
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	806	// test ECB encryption
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	807	if( verbose )
				808	printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	809	mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	810	mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	811	aria_test1_ecb_pt, blk );
				812	if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
				813	ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	814
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	815	// test ECB decryption
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	816	if( verbose )
				817	printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	818	mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	819	mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	820	aria_test1_ecb_ct[i], blk );
				821	if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
				822	ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	823	}
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	824	if( verbose )
				825	printf("\n");
				826
				827	// Test set 2
				828
				829	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				830	for( i = 0; i < 3; i++ )
				831	{
				832	// Test CBC encryption
				833	if( verbose )
				834	printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
				835	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				836	memcpy( iv, aria_test2_iv, 16 );
				837	memset( buf, 0x55, sizeof(buf) );
				838	mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
				839	aria_test2_pt, buf );
				840	if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
				841	ARIA_SELF_TEST_IF_FAIL;
				842
				843	// Test CBC decryption
				844	if( verbose )
				845	printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
				846	mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
				847	memcpy( iv, aria_test2_iv, 16 );
				848	memset( buf, 0xAA, sizeof(buf) );
				849	mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
				850	aria_test2_cbc_ct[i], buf );
				851	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				852	ARIA_SELF_TEST_IF_FAIL;
				853	}
				854	if( verbose )
				855	printf("\n");
				856
				857	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				858
				859	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				860	for( i = 0; i < 3; i++ )
				861	{
				862	// Test CFB encryption
				863	if( verbose )
				864	printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
				865	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				866	memcpy( iv, aria_test2_iv, 16 );
				867	memset( buf, 0x55, sizeof(buf) );
				868	j = 0;
				869	mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
				870	aria_test2_pt, buf );
				871	if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
				872	ARIA_SELF_TEST_IF_FAIL;
				873
				874	// Test CFB decryption
				875	if( verbose )
				876	printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
				877	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				878	memcpy( iv, aria_test2_iv, 16 );
				879	memset( buf, 0xAA, sizeof(buf) );
				880	j = 0;
				881	mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
				882	iv, aria_test2_cfb_ct[i], buf );
				883	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				884	ARIA_SELF_TEST_IF_FAIL;
				885	}
				886	if( verbose )
				887	printf("\n");
				888	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				889
				890	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				891	for( i = 0; i < 3; i++ )
				892	{
				893	// Test CTR encryption
				894	if( verbose )
				895	printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
				896	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				897	memset( iv, 0, 16 ); // IV = 0
				898	memset( buf, 0x55, sizeof(buf) );
				899	j = 0;
				900	mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
				901	aria_test2_pt, buf );
				902	if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
				903	ARIA_SELF_TEST_IF_FAIL;
				904
				905	// Test CTR decryption
				906	if( verbose )
				907	printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
				908	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				909	memset( iv, 0, 16 ); // IV = 0
				910	memset( buf, 0xAA, sizeof(buf) );
				911	j = 0;
				912	mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
				913	aria_test2_ctr_ct[i], buf );
				914	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				915	ARIA_SELF_TEST_IF_FAIL;
				916	}
				917	if( verbose )
				918	printf("\n");
				919	#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	920
				921	return( 0 );
				922	}
				923
				924	#endif /* MBEDTLS_SELF_TEST */
				925
				926	#endif /* MBEDTLS_ARIA_C */