TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / c76ceb677bfd86a73ccaa585c11b8f5122599d77 / . / library / aria.c
blob: 9b5febc26a009cc0bf963542ab1d5814ccbbd657 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
51// 32-bit integer manipulation macros (little endian)
52
53#ifndef GET_UINT32_LE
54#define GET_UINT32_LE(n,b,i) \
55{ \
56 (n) = ( (uint32_t) (b)[(i) ] ) \
57 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
58 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
59 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
60}
61#endif
62
63#ifndef PUT_UINT32_LE
64#define PUT_UINT32_LE(n,b,i) \
65{ \
66 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
67 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
68 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
69 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
70}
71#endif
72
73// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
74#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
75
76// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
77#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
78
79// Affine Transform A
80// (ra, rb, rc, rd) = state in/out
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]81
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]82#define ARIA_A( ra, rb, rc, rd ) { \
83 uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]84 ta = rb; \
85 rb = ra; \
86 ra = ARIA_FLIP1( ta ); \
87 tb = ARIA_FLIP1( rd ); \
88 rd = ARIA_FLIP2( rc ); \
89 rc = ARIA_FLIP2( tb ); \
90 ta ^= rd; \
91 tc = ARIA_FLIP1( rb ); \
92 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
93 tb ^= ARIA_FLIP1( rd ); \
94 tc ^= ARIA_FLIP2( ra ); \
95 rb ^= ta ^ tb; \
96 tb = ARIA_FLIP1( tb ) ^ ta; \
97 ra ^= ARIA_FLIP2( tb ); \
98 ta = ARIA_FLIP1( ta ); \
99 rd ^= ARIA_FLIP2( ta ) ^ tc; \
100 tc = ARIA_FLIP1( tc ); \
101 rc ^= ARIA_FLIP2( tc ) ^ ta; \
102}
103
104
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]105/* ARIA Round function ( Substitution Layer SLx + Affine Transform A )
106 * (ra, rb, rc, rd) = state in/out
107 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]108 *
109 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A.
110 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A.
111 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]112
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]113#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \
114 uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]115 ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
116 (((uint32_t) sd[ rb >> 24]) << 8) ^ \
117 (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
118 (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
119 rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
120 (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
121 (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
122 (((uint32_t) sd[ ra >> 24]) << 24); \
123 ra = ta; \
124 ta = ( (uint32_t) sd[ rd >> 24]) ^ \
125 (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
126 (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
127 (((uint32_t) sa[ rd & 0xFF]) << 24); \
128 rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
129 (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
130 (((uint32_t) sd[ rc >> 24]) << 16) ^ \
131 (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
132 rc = ta; \
133 ta = ARIA_FLIP1( ra ) ^ rd; \
134 tc = ARIA_FLIP1( rb ); \
135 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
136 tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
137 tc ^= ARIA_FLIP2( ra ); \
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]138 rb ^= ta ^ tb; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]139 tb = ARIA_FLIP1( tb ) ^ ta; \
140 ra ^= ARIA_FLIP2( tb ); \
141 ta = ARIA_FLIP1( ta ); \
142 rd ^= ARIA_FLIP2( ta ) ^ tc; \
143 tc = ARIA_FLIP1( tc ); \
144 rc ^= ARIA_FLIP2( tc ) ^ ta; \
145}
146
147// S-Boxes
148
149static const uint8_t aria_sb1[0x100] =
150{
151 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
152 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
153 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
154 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
155 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
156 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
157 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
158 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
159 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
160 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
161 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
162 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
163 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
164 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
165 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
166 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
167 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
168 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
169 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
170 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
171 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
172 0xB0, 0x54, 0xBB, 0x16
173};
174
175static const uint8_t aria_sb2[0x100] =
176{
177 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
178 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
179 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
180 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
181 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
182 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
183 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
184 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
185 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
186 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
187 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
188 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
189 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
190 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
191 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
192 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
193 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
194 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
195 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
196 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
197 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
198 0xAF, 0xBA, 0xB5, 0x81
199};
200
201static const uint8_t aria_is1[0x100] =
202{
203 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
204 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
206 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
207 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
208 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
209 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
210 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
212 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
213 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
214 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
215 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
216 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
217 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
218 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
220 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
221 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
222 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
223 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
224 0x55, 0x21, 0x0C, 0x7D
225};
226
227static const uint8_t aria_is2[0x100] =
228{
229 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
230 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
231 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
232 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
233 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
234 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
235 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
236 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
237 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
238 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
239 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
240 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
241 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
242 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
243 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
244 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
245 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
246 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
247 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
248 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
249 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
250 0x03, 0xA2, 0xAC, 0x60
251};
252// FO and FE are helpers for key schedule
253
254// r = FO( p, k ) ^ x
255
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]256static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]257 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
258{
259 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]260
261 a = p[0] ^ k[0];
262 b = p[1] ^ k[1];
263 c = p[2] ^ k[2];
264 d = p[3] ^ k[3];
265
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]266 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]267
268 r[0] = a ^ x[0];
269 r[1] = b ^ x[1];
270 r[2] = c ^ x[2];
271 r[3] = d ^ x[3];
272}
273
274// r = FE( p, k ) ^ x
275
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]276static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]277 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
278{
279 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]280
281 a = p[0] ^ k[0];
282 b = p[1] ^ k[1];
283 c = p[2] ^ k[2];
284 d = p[3] ^ k[3];
285
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]286 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]287
288 r[0] = a ^ x[0];
289 r[1] = b ^ x[1];
290 r[2] = c ^ x[2];
291 r[3] = d ^ x[3];
292}
293
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame^]294// Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]295// This is relatively slow since our implementation is geared towards
296// little-endian targets and stores state in that order.
297
298static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]299 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]300{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]301 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]302 uint32_t t, u;
303
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame^]304 const uint8_t n1 = n % 32; // bit offset
305 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]306
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame^]307 j = (n / 32) % 4; // initial word offset
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]308 t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
309 for( i = 0; i < 4; i++ )
310 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame^]311 j = (j + 1) % 4; // get next word, big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]312 u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
313 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame^]314 t |= u >> n2;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]315 t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
316 r[i] = a[i] ^ t; // store
317 t = u; // move to next word
318 }
319}
320
321// Set encryption key
322
323int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
324 const unsigned char *key, unsigned int keybits)
325{
326 // round constant masks
327 const uint32_t rc[3][4] =
328 {
329 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
330 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
331 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
332 };
333
334 int i;
335 uint32_t w[4][4], *w2;
336
337 if (keybits != 128 && keybits != 192 && keybits != 256)
338 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
339
340 // W0 = KL
341 GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1
342 GET_UINT32_LE( w[0][1], key, 4 );
343 GET_UINT32_LE( w[0][2], key, 8 );
344 GET_UINT32_LE( w[0][3], key, 12 );
345
346 memset(w[1], 0, 16);
347 if( keybits >= 192 )
348 {
349 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
350 GET_UINT32_LE( w[1][1], key, 20 );
351 }
352 if( keybits == 256 )
353 {
354 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
355 GET_UINT32_LE( w[1][3], key, 28 );
356 }
357
358 i = (keybits - 128) >> 6; // index: 0, 1, 2
359 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
360
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]361 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]362 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]363 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]364 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]365 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]366
367 for( i = 0; i < 4; i++ ) // create round keys
368 {
369 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]370 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
371 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
372 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
373 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]374 }
375 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
376
377 return 0;
378}
379
380// Set decryption key
381
382int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
383 const unsigned char *key, unsigned int keybits)
384{
385 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]386
387 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
388 if( ret != 0 )
389 return ret;
390
391 // flip the order of round keys
392 for( i = 0, j = ctx->nr; i < j; i++, j-- )
393 {
394 for( k = 0; k < 4; k++ )
395 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]396 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]397 ctx->rk[i][k] = ctx->rk[j][k];
398 ctx->rk[j][k] = t;
399 }
400 }
401
402 // apply affine transform to middle keys
403 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]404 ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]405
406 return 0;
407}
408
409// Encrypt a block
410
411int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
412 int mode,
413 const unsigned char input[16],
414 unsigned char output[16] )
415{
416 int i;
417
418 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]419
420 ( (void) mode );
421
422 GET_UINT32_LE( a, input, 0 );
423 GET_UINT32_LE( b, input, 4 );
424 GET_UINT32_LE( c, input, 8 );
425 GET_UINT32_LE( d, input, 12 );
426
427 i = 0;
428 while (1)
429 {
430 a ^= ctx->rk[i][0];
431 b ^= ctx->rk[i][1];
432 c ^= ctx->rk[i][2];
433 d ^= ctx->rk[i][3];
434 i++;
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]435 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]436
437 a ^= ctx->rk[i][0];
438 b ^= ctx->rk[i][1];
439 c ^= ctx->rk[i][2];
440 d ^= ctx->rk[i][3];
441 i++;
442 if (i >= ctx->nr)
443 break;
444
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]445 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]446 }
447
448 // final substitution
449
450 a = ctx->rk[i][0] ^
451 ( (uint32_t) aria_is1[ a & 0xFF]) ^
452 (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
453 (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
454 (((uint32_t) aria_sb2[ a >> 24 ]) << 24);
455
456 b = ctx->rk[i][1] ^
457 ( (uint32_t) aria_is1[ b & 0xFF]) ^
458 (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
459 (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
460 (((uint32_t) aria_sb2[ b >> 24 ]) << 24);
461
462 c = ctx->rk[i][2] ^
463 ( (uint32_t) aria_is1[ c & 0xFF]) ^
464 (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
465 (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
466 (((uint32_t) aria_sb2[ c >> 24 ]) << 24);
467
468 d = ctx->rk[i][3] ^
469 ( (uint32_t) aria_is1[ d & 0xFF]) ^
470 (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
471 (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
472 (((uint32_t) aria_sb2[ d >> 24 ]) << 24);
473
474 PUT_UINT32_LE( a, output, 0 );
475 PUT_UINT32_LE( b, output, 4 );
476 PUT_UINT32_LE( c, output, 8 );
477 PUT_UINT32_LE( d, output, 12 );
478
479 return 0;
480}
481
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]482void mbedtls_aria_init( mbedtls_aria_context *ctx )
483{
484 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
485}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]486
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]487void mbedtls_aria_free( mbedtls_aria_context *ctx )
488{
489 if( ctx == NULL )
490 return;
491
492 // compiler can't remove this since this is not a static function
493 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
494}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]495
496#if defined(MBEDTLS_CIPHER_MODE_CBC)
497/*
498 * ARIA-CBC buffer encryption/decryption
499 */
500int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
501 int mode,
502 size_t length,
503 unsigned char iv[16],
504 const unsigned char *input,
505 unsigned char *output )
506{
507 int i;
508 unsigned char temp[16];
509
510 if( length % 16 )
511 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
512
513 if( mode == MBEDTLS_ARIA_DECRYPT )
514 {
515 while( length > 0 )
516 {
517 memcpy( temp, input, 16 );
518 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
519
520 for( i = 0; i < 16; i++ )
521 output[i] = (unsigned char)( output[i] ^ iv[i] );
522
523 memcpy( iv, temp, 16 );
524
525 input += 16;
526 output += 16;
527 length -= 16;
528 }
529 }
530 else
531 {
532 while( length > 0 )
533 {
534 for( i = 0; i < 16; i++ )
535 output[i] = (unsigned char)( input[i] ^ iv[i] );
536
537 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
538 memcpy( iv, output, 16 );
539
540 input += 16;
541 output += 16;
542 length -= 16;
543 }
544 }
545
546 return( 0 );
547}
548#endif /* MBEDTLS_CIPHER_MODE_CBC */
549
550#if defined(MBEDTLS_CIPHER_MODE_CFB)
551/*
552 * ARIA-CFB128 buffer encryption/decryption
553 */
554int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
555 int mode,
556 size_t length,
557 size_t *iv_off,
558 unsigned char iv[16],
559 const unsigned char *input,
560 unsigned char *output )
561{
562 int c;
563 size_t n = *iv_off;
564
565 if( mode == MBEDTLS_ARIA_DECRYPT )
566 {
567 while( length-- )
568 {
569 if( n == 0 )
570 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
571
572 c = *input++;
573 *output++ = (unsigned char)( c ^ iv[n] );
574 iv[n] = (unsigned char) c;
575
576 n = ( n + 1 ) & 0x0F;
577 }
578 }
579 else
580 {
581 while( length-- )
582 {
583 if( n == 0 )
584 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
585
586 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
587
588 n = ( n + 1 ) & 0x0F;
589 }
590 }
591
592 *iv_off = n;
593
594 return( 0 );
595}
596#endif /* MBEDTLS_CIPHER_MODE_CFB */
597
598#if defined(MBEDTLS_CIPHER_MODE_CTR)
599/*
600 * ARIA-CTR buffer encryption/decryption
601 */
602int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
603 size_t length,
604 size_t *nc_off,
605 unsigned char nonce_counter[16],
606 unsigned char stream_block[16],
607 const unsigned char *input,
608 unsigned char *output )
609{
610 int c, i;
611 size_t n = *nc_off;
612
613 while( length-- )
614 {
615 if( n == 0 ) {
616 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
617 stream_block );
618
619 for( i = 16; i > 0; i-- )
620 if( ++nonce_counter[i - 1] != 0 )
621 break;
622 }
623 c = *input++;
624 *output++ = (unsigned char)( c ^ stream_block[n] );
625
626 n = ( n + 1 ) & 0x0F;
627 }
628
629 *nc_off = n;
630
631 return( 0 );
632}
633#endif /* MBEDTLS_CIPHER_MODE_CTR */
634#endif /* !MBEDTLS_ARIA_ALT */
635
636#if defined(MBEDTLS_SELF_TEST)
637
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]638// Basic ARIA ECB test vectors from RFC 5794
639
640static const uint8_t aria_test1_ecb_key[32] = // test key
641{
642 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
643 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
644 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
645 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
646};
647
648static const uint8_t aria_test1_ecb_pt[16] = // plaintext
649{
650 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
651 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
652};
653
654static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
655{
656 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
657 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
658 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
659 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
660 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
661 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
662};
663
664// Mode tests from "Test Vectors for ARIA" Version 1.0
665// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
666
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]667#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]668 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]669static const uint8_t aria_test2_key[32] =
670{
671 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
672 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
673 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
674 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
675};
676
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]677static const uint8_t aria_test2_pt[48] =
678{
679 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
680 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
681 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
682 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
683 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
684 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
685};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]686#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]687
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]688#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
689static const uint8_t aria_test2_iv[16] =
690{
691 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
692 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
693};
694#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]695
696#if defined(MBEDTLS_CIPHER_MODE_CBC)
697static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
698{
699 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
700 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
701 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
702 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
703 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
704 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
705 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
706 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
707 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
708 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
709 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
710 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
711 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
712 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
713 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
714 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
715 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
716 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
717};
718#endif /* MBEDTLS_CIPHER_MODE_CBC */
719
720#if defined(MBEDTLS_CIPHER_MODE_CFB)
721static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
722{
723 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
724 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
725 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
726 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
727 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
728 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
729 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
730 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
731 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
732 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
733 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
734 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
735 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
736 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
737 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
738 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
739 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
740 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
741};
742#endif /* MBEDTLS_CIPHER_MODE_CFB */
743
744#if defined(MBEDTLS_CIPHER_MODE_CTR)
745static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
746{
747 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
748 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
749 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
750 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
751 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
752 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
753 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
754 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
755 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
756 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
757 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
758 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
759 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
760 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
761 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
762 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
763 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
764 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
765};
766#endif /* MBEDTLS_CIPHER_MODE_CFB */
767
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]768/*
769 * Checkup routine
770 */
771
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]772#define ARIA_SELF_TEST_IF_FAIL \
773 { \
774 if( verbose ) \
775 printf( "failed\n" ); \
776 return( 1 ); \
777 } else { \
778 if( verbose ) \
779 printf( "passed\n" ); \
780 }
781
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]782int mbedtls_aria_self_test( int verbose )
783{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]784 int i;
785 uint8_t blk[16];
786 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]787
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]788#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
789 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]790#endif
791
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]792#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
793 defined(MBEDTLS_CIPHER_MODE_CFB) || \
794 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]795 uint8_t buf[48], iv[16];
796#endif
797
798 // Test set 1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]799
800 for( i = 0; i < 3; i++ )
801 {
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]802 // test ECB encryption
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]803 if( verbose )
804 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]805 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]806 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]807 aria_test1_ecb_pt, blk );
808 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
809 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]810
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]811 // test ECB decryption
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]812 if( verbose )
813 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]814 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]815 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]816 aria_test1_ecb_ct[i], blk );
817 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
818 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]819 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]820 if( verbose )
821 printf("\n");
822
823 // Test set 2
824
825#if defined(MBEDTLS_CIPHER_MODE_CBC)
826 for( i = 0; i < 3; i++ )
827 {
828 // Test CBC encryption
829 if( verbose )
830 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
831 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
832 memcpy( iv, aria_test2_iv, 16 );
833 memset( buf, 0x55, sizeof(buf) );
834 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
835 aria_test2_pt, buf );
836 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
837 ARIA_SELF_TEST_IF_FAIL;
838
839 // Test CBC decryption
840 if( verbose )
841 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
842 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
843 memcpy( iv, aria_test2_iv, 16 );
844 memset( buf, 0xAA, sizeof(buf) );
845 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
846 aria_test2_cbc_ct[i], buf );
847 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
848 ARIA_SELF_TEST_IF_FAIL;
849 }
850 if( verbose )
851 printf("\n");
852
853#endif /* MBEDTLS_CIPHER_MODE_CBC */
854
855#if defined(MBEDTLS_CIPHER_MODE_CFB)
856 for( i = 0; i < 3; i++ )
857 {
858 // Test CFB encryption
859 if( verbose )
860 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
861 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
862 memcpy( iv, aria_test2_iv, 16 );
863 memset( buf, 0x55, sizeof(buf) );
864 j = 0;
865 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
866 aria_test2_pt, buf );
867 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
868 ARIA_SELF_TEST_IF_FAIL;
869
870 // Test CFB decryption
871 if( verbose )
872 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
873 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
874 memcpy( iv, aria_test2_iv, 16 );
875 memset( buf, 0xAA, sizeof(buf) );
876 j = 0;
877 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
878 iv, aria_test2_cfb_ct[i], buf );
879 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
880 ARIA_SELF_TEST_IF_FAIL;
881 }
882 if( verbose )
883 printf("\n");
884#endif /* MBEDTLS_CIPHER_MODE_CFB */
885
886#if defined(MBEDTLS_CIPHER_MODE_CTR)
887 for( i = 0; i < 3; i++ )
888 {
889 // Test CTR encryption
890 if( verbose )
891 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
892 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
893 memset( iv, 0, 16 ); // IV = 0
894 memset( buf, 0x55, sizeof(buf) );
895 j = 0;
896 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
897 aria_test2_pt, buf );
898 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
899 ARIA_SELF_TEST_IF_FAIL;
900
901 // Test CTR decryption
902 if( verbose )
903 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
904 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
905 memset( iv, 0, 16 ); // IV = 0
906 memset( buf, 0xAA, sizeof(buf) );
907 j = 0;
908 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
909 aria_test2_ctr_ct[i], buf );
910 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
911 ARIA_SELF_TEST_IF_FAIL;
912 }
913 if( verbose )
914 printf("\n");
915#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]916
917 return( 0 );
918}
919
920#endif /* MBEDTLS_SELF_TEST */
921
922#endif /* MBEDTLS_ARIA_C */