TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / a41ecdabedb6387c6ef50d0c5955a3b1d600e8c7 / . / library / aria.c
blob: 6857e992615dbadaf9e9cecc326f0dac50d8bd40 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]51/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
54}
55
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]59
60#ifndef GET_UINT32_LE
61#define GET_UINT32_LE(n,b,i) \
62{ \
63 (n) = ( (uint32_t) (b)[(i) ] ) \
64 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
67}
68#endif
69
70#ifndef PUT_UINT32_LE
71#define PUT_UINT32_LE(n,b,i) \
72{ \
73 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
74 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
75 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
76 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
77}
78#endif
79
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]80/* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]81#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
82
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]83/* modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]84#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
85
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]86/*
87 * Affine Transform A
88 * (ra, rb, rc, rd) = state in/out
89 */
90#define ARIA_A( ra, rb, rc, rd ) { \
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]91 uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]92 ta = rb; \
93 rb = ra; \
94 ra = ARIA_FLIP1( ta ); \
95 tb = ARIA_FLIP1( rd ); \
96 rd = ARIA_FLIP2( rc ); \
97 rc = ARIA_FLIP2( tb ); \
98 ta ^= rd; \
99 tc = ARIA_FLIP1( rb ); \
100 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
101 tb ^= ARIA_FLIP1( rd ); \
102 tc ^= ARIA_FLIP2( ra ); \
103 rb ^= ta ^ tb; \
104 tb = ARIA_FLIP1( tb ) ^ ta; \
105 ra ^= ARIA_FLIP2( tb ); \
106 ta = ARIA_FLIP1( ta ); \
107 rd ^= ARIA_FLIP2( ta ) ^ tc; \
108 tc = ARIA_FLIP1( tc ); \
109 rc ^= ARIA_FLIP2( tc ) ^ ta; \
110}
111
112
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]113/*
114 * ARIA Round function ( Substitution Layer SLx + Affine Transform A )
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]115 * (ra, rb, rc, rd) = state in/out
116 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]117 *
118 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A.
119 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A.
120 */
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]121#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \
122 uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]123 ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
124 (((uint32_t) sd[ rb >> 24]) << 8) ^ \
125 (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
126 (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
127 rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
128 (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
129 (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
130 (((uint32_t) sd[ ra >> 24]) << 24); \
131 ra = ta; \
132 ta = ( (uint32_t) sd[ rd >> 24]) ^ \
133 (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
134 (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
135 (((uint32_t) sa[ rd & 0xFF]) << 24); \
136 rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
137 (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
138 (((uint32_t) sd[ rc >> 24]) << 16) ^ \
139 (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
140 rc = ta; \
141 ta = ARIA_FLIP1( ra ) ^ rd; \
142 tc = ARIA_FLIP1( rb ); \
143 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
144 tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
145 tc ^= ARIA_FLIP2( ra ); \
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]146 rb ^= ta ^ tb; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]147 tb = ARIA_FLIP1( tb ) ^ ta; \
148 ra ^= ARIA_FLIP2( tb ); \
149 ta = ARIA_FLIP1( ta ); \
150 rd ^= ARIA_FLIP2( ta ) ^ tc; \
151 tc = ARIA_FLIP1( tc ); \
152 rc ^= ARIA_FLIP2( tc ) ^ ta; \
153}
154
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]155/*
156 * S-Boxes
157 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]158static const uint8_t aria_sb1[0x100] =
159{
160 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
161 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
162 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
163 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
164 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
165 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
166 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
167 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
168 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
169 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
170 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
171 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
172 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
173 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
174 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
175 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
176 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
177 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
178 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
179 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
180 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
181 0xB0, 0x54, 0xBB, 0x16
182};
183
184static const uint8_t aria_sb2[0x100] =
185{
186 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
187 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
188 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
189 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
190 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
191 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
192 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
193 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
194 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
195 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
196 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
197 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
198 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
199 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
200 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
201 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
202 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
203 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
204 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
205 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
206 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
207 0xAF, 0xBA, 0xB5, 0x81
208};
209
210static const uint8_t aria_is1[0x100] =
211{
212 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
213 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
214 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
215 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
216 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
217 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
218 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
219 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
220 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
221 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
223 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
224 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
225 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
226 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
227 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
229 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
230 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
231 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
233 0x55, 0x21, 0x0C, 0x7D
234};
235
236static const uint8_t aria_is2[0x100] =
237{
238 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
239 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
240 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
241 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
242 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
243 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
244 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
245 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
246 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
247 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
248 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
249 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
250 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
251 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
252 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
253 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
254 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
255 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
256 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
257 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
258 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
259 0x03, 0xA2, 0xAC, 0x60
260};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]261
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]262/*
263 * Helper for key schedule: r = FO( p, k ) ^ x
264 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]265static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]266 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
267{
268 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]269
270 a = p[0] ^ k[0];
271 b = p[1] ^ k[1];
272 c = p[2] ^ k[2];
273 d = p[3] ^ k[3];
274
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]275 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276
277 r[0] = a ^ x[0];
278 r[1] = b ^ x[1];
279 r[2] = c ^ x[2];
280 r[3] = d ^ x[3];
281}
282
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]283/*
284 * Helper for key schedule: r = FE( p, k ) ^ x
285 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]286static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]287 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
288{
289 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]290
291 a = p[0] ^ k[0];
292 b = p[1] ^ k[1];
293 c = p[2] ^ k[2];
294 d = p[3] ^ k[3];
295
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]296 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]297
298 r[0] = a ^ x[0];
299 r[1] = b ^ x[1];
300 r[2] = c ^ x[2];
301 r[3] = d ^ x[3];
302}
303
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]304/*
305 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
306 *
307 * We chose to store bytes into 32-bit words in little-endian format (see
308 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
309 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]310static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]311 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]312{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]313 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]314 uint32_t t, u;
315
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]316 const uint8_t n1 = n % 32; // bit offset
317 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]318
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]319 j = (n / 32) % 4; // initial word offset
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]320 t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
321 for( i = 0; i < 4; i++ )
322 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]323 j = (j + 1) % 4; // get next word, big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]324 u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
325 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]326 t |= u >> n2;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]327 t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
328 r[i] = a[i] ^ t; // store
329 t = u; // move to next word
330 }
331}
332
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]333/*
334 * Set encryption key
335 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
337 const unsigned char *key, unsigned int keybits)
338{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]339 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]340 const uint32_t rc[3][4] =
341 {
342 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
343 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
344 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
345 };
346
347 int i;
348 uint32_t w[4][4], *w2;
349
350 if (keybits != 128 && keybits != 192 && keybits != 256)
351 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
352
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]353 /* Copy key to W0 (and potential remainder to W1) */
354 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]355 GET_UINT32_LE( w[0][1], key, 4 );
356 GET_UINT32_LE( w[0][2], key, 8 );
357 GET_UINT32_LE( w[0][3], key, 12 );
358
359 memset(w[1], 0, 16);
360 if( keybits >= 192 )
361 {
362 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
363 GET_UINT32_LE( w[1][1], key, 20 );
364 }
365 if( keybits == 256 )
366 {
367 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
368 GET_UINT32_LE( w[1][3], key, 28 );
369 }
370
371 i = (keybits - 128) >> 6; // index: 0, 1, 2
372 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
373
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]374 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]375 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]376 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]377 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]378 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]379
380 for( i = 0; i < 4; i++ ) // create round keys
381 {
382 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]383 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
384 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
385 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
386 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387 }
388 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
389
390 return 0;
391}
392
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]393/*
394 * Set decryption key
395 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
397 const unsigned char *key, unsigned int keybits)
398{
399 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]400
401 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
402 if( ret != 0 )
403 return ret;
404
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]405 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]406 for( i = 0, j = ctx->nr; i < j; i++, j-- )
407 {
408 for( k = 0; k < 4; k++ )
409 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]410 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411 ctx->rk[i][k] = ctx->rk[j][k];
412 ctx->rk[j][k] = t;
413 }
414 }
415
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]416 /* apply affine transform to middle keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]417 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]418 ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]419
420 return 0;
421}
422
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]423/*
424 * Encrypt a block
425 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]426int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
427 int mode,
428 const unsigned char input[16],
429 unsigned char output[16] )
430{
431 int i;
432
433 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]434
435 ( (void) mode );
436
437 GET_UINT32_LE( a, input, 0 );
438 GET_UINT32_LE( b, input, 4 );
439 GET_UINT32_LE( c, input, 8 );
440 GET_UINT32_LE( d, input, 12 );
441
442 i = 0;
443 while (1)
444 {
445 a ^= ctx->rk[i][0];
446 b ^= ctx->rk[i][1];
447 c ^= ctx->rk[i][2];
448 d ^= ctx->rk[i][3];
449 i++;
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]450 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]451
452 a ^= ctx->rk[i][0];
453 b ^= ctx->rk[i][1];
454 c ^= ctx->rk[i][2];
455 d ^= ctx->rk[i][3];
456 i++;
457 if (i >= ctx->nr)
458 break;
459
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]460 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]461 }
462
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]463 /* final substitution */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]464 a = ctx->rk[i][0] ^
465 ( (uint32_t) aria_is1[ a & 0xFF]) ^
466 (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
467 (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
468 (((uint32_t) aria_sb2[ a >> 24 ]) << 24);
469
470 b = ctx->rk[i][1] ^
471 ( (uint32_t) aria_is1[ b & 0xFF]) ^
472 (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
473 (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
474 (((uint32_t) aria_sb2[ b >> 24 ]) << 24);
475
476 c = ctx->rk[i][2] ^
477 ( (uint32_t) aria_is1[ c & 0xFF]) ^
478 (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
479 (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
480 (((uint32_t) aria_sb2[ c >> 24 ]) << 24);
481
482 d = ctx->rk[i][3] ^
483 ( (uint32_t) aria_is1[ d & 0xFF]) ^
484 (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
485 (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
486 (((uint32_t) aria_sb2[ d >> 24 ]) << 24);
487
488 PUT_UINT32_LE( a, output, 0 );
489 PUT_UINT32_LE( b, output, 4 );
490 PUT_UINT32_LE( c, output, 8 );
491 PUT_UINT32_LE( d, output, 12 );
492
493 return 0;
494}
495
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]496/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]497void mbedtls_aria_init( mbedtls_aria_context *ctx )
498{
499 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
500}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]501
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]502/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]503void mbedtls_aria_free( mbedtls_aria_context *ctx )
504{
505 if( ctx == NULL )
506 return;
507
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]508 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]509}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]510
511#if defined(MBEDTLS_CIPHER_MODE_CBC)
512/*
513 * ARIA-CBC buffer encryption/decryption
514 */
515int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
516 int mode,
517 size_t length,
518 unsigned char iv[16],
519 const unsigned char *input,
520 unsigned char *output )
521{
522 int i;
523 unsigned char temp[16];
524
525 if( length % 16 )
526 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
527
528 if( mode == MBEDTLS_ARIA_DECRYPT )
529 {
530 while( length > 0 )
531 {
532 memcpy( temp, input, 16 );
533 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
534
535 for( i = 0; i < 16; i++ )
536 output[i] = (unsigned char)( output[i] ^ iv[i] );
537
538 memcpy( iv, temp, 16 );
539
540 input += 16;
541 output += 16;
542 length -= 16;
543 }
544 }
545 else
546 {
547 while( length > 0 )
548 {
549 for( i = 0; i < 16; i++ )
550 output[i] = (unsigned char)( input[i] ^ iv[i] );
551
552 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
553 memcpy( iv, output, 16 );
554
555 input += 16;
556 output += 16;
557 length -= 16;
558 }
559 }
560
561 return( 0 );
562}
563#endif /* MBEDTLS_CIPHER_MODE_CBC */
564
565#if defined(MBEDTLS_CIPHER_MODE_CFB)
566/*
567 * ARIA-CFB128 buffer encryption/decryption
568 */
569int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
570 int mode,
571 size_t length,
572 size_t *iv_off,
573 unsigned char iv[16],
574 const unsigned char *input,
575 unsigned char *output )
576{
577 int c;
578 size_t n = *iv_off;
579
580 if( mode == MBEDTLS_ARIA_DECRYPT )
581 {
582 while( length-- )
583 {
584 if( n == 0 )
585 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
586
587 c = *input++;
588 *output++ = (unsigned char)( c ^ iv[n] );
589 iv[n] = (unsigned char) c;
590
591 n = ( n + 1 ) & 0x0F;
592 }
593 }
594 else
595 {
596 while( length-- )
597 {
598 if( n == 0 )
599 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
600
601 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
602
603 n = ( n + 1 ) & 0x0F;
604 }
605 }
606
607 *iv_off = n;
608
609 return( 0 );
610}
611#endif /* MBEDTLS_CIPHER_MODE_CFB */
612
613#if defined(MBEDTLS_CIPHER_MODE_CTR)
614/*
615 * ARIA-CTR buffer encryption/decryption
616 */
617int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
618 size_t length,
619 size_t *nc_off,
620 unsigned char nonce_counter[16],
621 unsigned char stream_block[16],
622 const unsigned char *input,
623 unsigned char *output )
624{
625 int c, i;
626 size_t n = *nc_off;
627
628 while( length-- )
629 {
630 if( n == 0 ) {
631 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
632 stream_block );
633
634 for( i = 16; i > 0; i-- )
635 if( ++nonce_counter[i - 1] != 0 )
636 break;
637 }
638 c = *input++;
639 *output++ = (unsigned char)( c ^ stream_block[n] );
640
641 n = ( n + 1 ) & 0x0F;
642 }
643
644 *nc_off = n;
645
646 return( 0 );
647}
648#endif /* MBEDTLS_CIPHER_MODE_CTR */
649#endif /* !MBEDTLS_ARIA_ALT */
650
651#if defined(MBEDTLS_SELF_TEST)
652
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]653/*
654 * Basic ARIA ECB test vectors from RFC 5794
655 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]656static const uint8_t aria_test1_ecb_key[32] = // test key
657{
658 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
659 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
660 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
661 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
662};
663
664static const uint8_t aria_test1_ecb_pt[16] = // plaintext
665{
666 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
667 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
668};
669
670static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
671{
672 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
673 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
674 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
675 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
676 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
677 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
678};
679
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]680/*
681 * Mode tests from "Test Vectors for ARIA" Version 1.0
682 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
683 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]684#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]685 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]686static const uint8_t aria_test2_key[32] =
687{
688 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
689 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
690 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
691 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
692};
693
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]694static const uint8_t aria_test2_pt[48] =
695{
696 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
697 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
698 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
699 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
700 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
701 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
702};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]703#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]704
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]705#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
706static const uint8_t aria_test2_iv[16] =
707{
708 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
709 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
710};
711#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]712
713#if defined(MBEDTLS_CIPHER_MODE_CBC)
714static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
715{
716 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
717 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
718 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
719 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
720 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
721 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
722 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
723 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
724 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
725 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
726 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
727 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
728 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
729 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
730 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
731 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
732 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
733 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
734};
735#endif /* MBEDTLS_CIPHER_MODE_CBC */
736
737#if defined(MBEDTLS_CIPHER_MODE_CFB)
738static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
739{
740 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
741 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
742 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
743 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
744 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
745 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
746 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
747 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
748 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
749 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
750 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
751 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
752 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
753 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
754 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
755 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
756 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
757 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
758};
759#endif /* MBEDTLS_CIPHER_MODE_CFB */
760
761#if defined(MBEDTLS_CIPHER_MODE_CTR)
762static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
763{
764 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
765 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
766 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
767 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
768 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
769 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
770 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
771 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
772 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
773 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
774 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
775 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
776 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
777 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
778 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
779 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
780 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
781 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
782};
783#endif /* MBEDTLS_CIPHER_MODE_CFB */
784
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]785#define ARIA_SELF_TEST_IF_FAIL \
786 { \
787 if( verbose ) \
788 printf( "failed\n" ); \
789 return( 1 ); \
790 } else { \
791 if( verbose ) \
792 printf( "passed\n" ); \
793 }
794
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]795/*
796 * Checkup routine
797 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]798int mbedtls_aria_self_test( int verbose )
799{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]800 int i;
801 uint8_t blk[16];
802 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]803
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]804#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
805 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]806#endif
807
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]808#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
809 defined(MBEDTLS_CIPHER_MODE_CFB) || \
810 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]811 uint8_t buf[48], iv[16];
812#endif
813
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]814 /*
815 * Test set 1
816 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]817 for( i = 0; i < 3; i++ )
818 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]819 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]820 if( verbose )
821 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]822 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]823 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]824 aria_test1_ecb_pt, blk );
825 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
826 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]827
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]828 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]829 if( verbose )
830 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]831 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]832 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]833 aria_test1_ecb_ct[i], blk );
834 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
835 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]836 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]837 if( verbose )
838 printf("\n");
839
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]840 /*
841 * Test set 2
842 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]843#if defined(MBEDTLS_CIPHER_MODE_CBC)
844 for( i = 0; i < 3; i++ )
845 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]846 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]847 if( verbose )
848 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
849 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
850 memcpy( iv, aria_test2_iv, 16 );
851 memset( buf, 0x55, sizeof(buf) );
852 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
853 aria_test2_pt, buf );
854 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
855 ARIA_SELF_TEST_IF_FAIL;
856
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]857 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]858 if( verbose )
859 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
860 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
861 memcpy( iv, aria_test2_iv, 16 );
862 memset( buf, 0xAA, sizeof(buf) );
863 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
864 aria_test2_cbc_ct[i], buf );
865 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
866 ARIA_SELF_TEST_IF_FAIL;
867 }
868 if( verbose )
869 printf("\n");
870
871#endif /* MBEDTLS_CIPHER_MODE_CBC */
872
873#if defined(MBEDTLS_CIPHER_MODE_CFB)
874 for( i = 0; i < 3; i++ )
875 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]876 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]877 if( verbose )
878 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
879 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
880 memcpy( iv, aria_test2_iv, 16 );
881 memset( buf, 0x55, sizeof(buf) );
882 j = 0;
883 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
884 aria_test2_pt, buf );
885 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
886 ARIA_SELF_TEST_IF_FAIL;
887
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]888 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]889 if( verbose )
890 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
891 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
892 memcpy( iv, aria_test2_iv, 16 );
893 memset( buf, 0xAA, sizeof(buf) );
894 j = 0;
895 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
896 iv, aria_test2_cfb_ct[i], buf );
897 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
898 ARIA_SELF_TEST_IF_FAIL;
899 }
900 if( verbose )
901 printf("\n");
902#endif /* MBEDTLS_CIPHER_MODE_CFB */
903
904#if defined(MBEDTLS_CIPHER_MODE_CTR)
905 for( i = 0; i < 3; i++ )
906 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]907 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]908 if( verbose )
909 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
910 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
911 memset( iv, 0, 16 ); // IV = 0
912 memset( buf, 0x55, sizeof(buf) );
913 j = 0;
914 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
915 aria_test2_pt, buf );
916 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
917 ARIA_SELF_TEST_IF_FAIL;
918
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame^]919 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]920 if( verbose )
921 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
922 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
923 memset( iv, 0, 16 ); // IV = 0
924 memset( buf, 0xAA, sizeof(buf) );
925 j = 0;
926 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
927 aria_test2_ctr_ct[i], buf );
928 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
929 ARIA_SELF_TEST_IF_FAIL;
930 }
931 if( verbose )
932 printf("\n");
933#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]934
935 return( 0 );
936}
937
938#endif /* MBEDTLS_SELF_TEST */
939
940#endif /* MBEDTLS_ARIA_C */