TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / f205a012b84e5e06df624841c57158bb1fed0268 / . / library / aria.c
blob: 4c59d70c7ece0efdbdce099405b87a1e7beac575 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]51/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
54}
55
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]59
60#ifndef GET_UINT32_LE
61#define GET_UINT32_LE(n,b,i) \
62{ \
63 (n) = ( (uint32_t) (b)[(i) ] ) \
64 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
67}
68#endif
69
70#ifndef PUT_UINT32_LE
71#define PUT_UINT32_LE(n,b,i) \
72{ \
73 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
74 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
75 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
76 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
77}
78#endif
79
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]80/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame^]81 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]82 *
83 * This is submatrix P1 in [1] Appendix B.1
84 */
85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]86
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]87/*
88 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
89 *
90 * This is submatrix P2 in [1] Appendix B.1
91 */
92#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]93
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]94/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]95 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame^]96 * (a, b, c, d) = state in/out
97 *
98 * If we denote the first by of input by 0, ..., the last byte by f,
99 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
100 *
101 * Reading [1] 2.4 or [2] 2.4.3 in colums and performing simple
102 * rearrangements on adjacent pairs, output is:
103 *
104 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
105 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
106 * b = 0101 + 2323 + 5476 + 8998 + baab + ecec + ffdd
107 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
108 * c = 0022 + 1133 + 4545 + 7667 + ab89 + dcdc + fefe
109 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
110 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cedf
111 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
112 *
113 * Note: another presentation of the A transform can be found as the first
114 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
115 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]116 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]117static inline void aria_a( uint32_t *a, uint32_t *b,
118 uint32_t *c, uint32_t *d )
119{
120 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame^]121 ta = *b; // 4567
122 *b = *a; // 0123
123 *a = ARIA_P2( ta ); // 6745
124 tb = ARIA_P2( *d ); // efcd
125 *d = ARIA_P1( *c ); // 98ba
126 *c = ARIA_P1( tb ); // fedc
127 ta ^= *d; // 4567+98ba
128 tc = ARIA_P2( *b ); // 2301
129 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
130 tb ^= ARIA_P2( *d ); // ba98+efcd
131 tc ^= ARIA_P1( *a ); // 2301+7654
132 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
133 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
134 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
135 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
136 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
137 tc = ARIA_P2( tc ); // 0123+5476
138 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]139}
140
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]141/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]142 * ARIA Substitution Layer SL1 / SL2
143 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]144 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]145 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]146 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
147 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]148 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]149static inline void aria_sl( uint32_t *a, uint32_t *b,
150 uint32_t *c, uint32_t *d,
151 const uint8_t sa[0x100], const uint8_t sb[0x100],
152 const uint8_t sc[0x100], const uint8_t sd[0x100] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]153{
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]154 *a = ( (uint32_t) sa[ *a & 0xFF]) ^
155 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
156 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
157 (((uint32_t) sd[ *a >> 24 ]) << 24);
158 *b = ( (uint32_t) sa[ *b & 0xFF]) ^
159 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
160 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
161 (((uint32_t) sd[ *b >> 24 ]) << 24);
162 *c = ( (uint32_t) sa[ *c & 0xFF]) ^
163 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
164 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
165 (((uint32_t) sd[ *c >> 24 ]) << 24);
166 *d = ( (uint32_t) sa[ *d & 0xFF]) ^
167 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
168 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
169 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]170}
171
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]172/*
173 * S-Boxes
174 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]175static const uint8_t aria_sb1[0x100] =
176{
177 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
178 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
179 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
180 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
181 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
182 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
183 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
184 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
185 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
186 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
187 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
188 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
189 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
190 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
191 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
192 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
193 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
194 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
195 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
196 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
197 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
198 0xB0, 0x54, 0xBB, 0x16
199};
200
201static const uint8_t aria_sb2[0x100] =
202{
203 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
204 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
205 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
206 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
207 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
208 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
209 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
210 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
211 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
212 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
213 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
214 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
215 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
216 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
217 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
218 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
219 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
220 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
221 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
222 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
223 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
224 0xAF, 0xBA, 0xB5, 0x81
225};
226
227static const uint8_t aria_is1[0x100] =
228{
229 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
230 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
231 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
232 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
233 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
234 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
235 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
236 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
238 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
239 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
240 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
242 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
243 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
244 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
245 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
246 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
247 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
248 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
249 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
250 0x55, 0x21, 0x0C, 0x7D
251};
252
253static const uint8_t aria_is2[0x100] =
254{
255 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
256 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
257 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
258 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
259 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
260 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
261 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
262 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
263 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
264 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
265 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
266 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
267 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
268 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
269 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
270 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
271 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
272 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
273 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
274 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
275 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
276 0x03, 0xA2, 0xAC, 0x60
277};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]279/*
280 * Helper for key schedule: r = FO( p, k ) ^ x
281 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]282static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]283 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
284{
285 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286
287 a = p[0] ^ k[0];
288 b = p[1] ^ k[1];
289 c = p[2] ^ k[2];
290 d = p[3] ^ k[3];
291
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]292 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
293 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]294
295 r[0] = a ^ x[0];
296 r[1] = b ^ x[1];
297 r[2] = c ^ x[2];
298 r[3] = d ^ x[3];
299}
300
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]301/*
302 * Helper for key schedule: r = FE( p, k ) ^ x
303 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]304static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]305 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
306{
307 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]308
309 a = p[0] ^ k[0];
310 b = p[1] ^ k[1];
311 c = p[2] ^ k[2];
312 d = p[3] ^ k[3];
313
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]314 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
315 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]316
317 r[0] = a ^ x[0];
318 r[1] = b ^ x[1];
319 r[2] = c ^ x[2];
320 r[3] = d ^ x[3];
321}
322
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]323/*
324 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
325 *
326 * We chose to store bytes into 32-bit words in little-endian format (see
327 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
328 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]329static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]330 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]331{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]332 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]333 uint32_t t, u;
334
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]335 const uint8_t n1 = n % 32; // bit offset
336 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]337
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]338 j = (n / 32) % 4; // initial word offset
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]339 t = ARIA_P2( ARIA_P1( b[j] ) ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]340 for( i = 0; i < 4; i++ )
341 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]342 j = (j + 1) % 4; // get next word, big endian
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]343 u = ARIA_P2( ARIA_P1( b[j] ) );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]344 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]345 t |= u >> n2;
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]346 t = ARIA_P2( ARIA_P1( t ) ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]347 r[i] = a[i] ^ t; // store
348 t = u; // move to next word
349 }
350}
351
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]352/*
353 * Set encryption key
354 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]355int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
356 const unsigned char *key, unsigned int keybits)
357{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]358 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]359 const uint32_t rc[3][4] =
360 {
361 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
362 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
363 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
364 };
365
366 int i;
367 uint32_t w[4][4], *w2;
368
369 if (keybits != 128 && keybits != 192 && keybits != 256)
370 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
371
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]372 /* Copy key to W0 (and potential remainder to W1) */
373 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]374 GET_UINT32_LE( w[0][1], key, 4 );
375 GET_UINT32_LE( w[0][2], key, 8 );
376 GET_UINT32_LE( w[0][3], key, 12 );
377
378 memset(w[1], 0, 16);
379 if( keybits >= 192 )
380 {
381 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
382 GET_UINT32_LE( w[1][1], key, 20 );
383 }
384 if( keybits == 256 )
385 {
386 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
387 GET_UINT32_LE( w[1][3], key, 28 );
388 }
389
390 i = (keybits - 128) >> 6; // index: 0, 1, 2
391 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
392
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]393 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]394 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]395 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]397 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]398
399 for( i = 0; i < 4; i++ ) // create round keys
400 {
401 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]402 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
403 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
404 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
405 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]406 }
407 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
408
409 return 0;
410}
411
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]412/*
413 * Set decryption key
414 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]415int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
416 const unsigned char *key, unsigned int keybits)
417{
418 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]419
420 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
421 if( ret != 0 )
422 return ret;
423
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]424 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]425 for( i = 0, j = ctx->nr; i < j; i++, j-- )
426 {
427 for( k = 0; k < 4; k++ )
428 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]429 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]430 ctx->rk[i][k] = ctx->rk[j][k];
431 ctx->rk[j][k] = t;
432 }
433 }
434
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]435 /* apply affine transform to middle keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]436 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]437 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]438
439 return 0;
440}
441
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]442/*
443 * Encrypt a block
444 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
446 int mode,
447 const unsigned char input[16],
448 unsigned char output[16] )
449{
450 int i;
451
452 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]453
454 ( (void) mode );
455
456 GET_UINT32_LE( a, input, 0 );
457 GET_UINT32_LE( b, input, 4 );
458 GET_UINT32_LE( c, input, 8 );
459 GET_UINT32_LE( d, input, 12 );
460
461 i = 0;
462 while (1)
463 {
464 a ^= ctx->rk[i][0];
465 b ^= ctx->rk[i][1];
466 c ^= ctx->rk[i][2];
467 d ^= ctx->rk[i][3];
468 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]469
470 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
471 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]472
473 a ^= ctx->rk[i][0];
474 b ^= ctx->rk[i][1];
475 c ^= ctx->rk[i][2];
476 d ^= ctx->rk[i][3];
477 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]478
479 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]480 if (i >= ctx->nr)
481 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]482 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483 }
484
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]485 /* final key mixing */
486 a ^= ctx->rk[i][0];
487 b ^= ctx->rk[i][1];
488 c ^= ctx->rk[i][2];
489 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490
491 PUT_UINT32_LE( a, output, 0 );
492 PUT_UINT32_LE( b, output, 4 );
493 PUT_UINT32_LE( c, output, 8 );
494 PUT_UINT32_LE( d, output, 12 );
495
496 return 0;
497}
498
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]499/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]500void mbedtls_aria_init( mbedtls_aria_context *ctx )
501{
502 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
503}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]504
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]505/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]506void mbedtls_aria_free( mbedtls_aria_context *ctx )
507{
508 if( ctx == NULL )
509 return;
510
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]511 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]512}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]513
514#if defined(MBEDTLS_CIPHER_MODE_CBC)
515/*
516 * ARIA-CBC buffer encryption/decryption
517 */
518int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
519 int mode,
520 size_t length,
521 unsigned char iv[16],
522 const unsigned char *input,
523 unsigned char *output )
524{
525 int i;
526 unsigned char temp[16];
527
528 if( length % 16 )
529 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
530
531 if( mode == MBEDTLS_ARIA_DECRYPT )
532 {
533 while( length > 0 )
534 {
535 memcpy( temp, input, 16 );
536 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
537
538 for( i = 0; i < 16; i++ )
539 output[i] = (unsigned char)( output[i] ^ iv[i] );
540
541 memcpy( iv, temp, 16 );
542
543 input += 16;
544 output += 16;
545 length -= 16;
546 }
547 }
548 else
549 {
550 while( length > 0 )
551 {
552 for( i = 0; i < 16; i++ )
553 output[i] = (unsigned char)( input[i] ^ iv[i] );
554
555 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
556 memcpy( iv, output, 16 );
557
558 input += 16;
559 output += 16;
560 length -= 16;
561 }
562 }
563
564 return( 0 );
565}
566#endif /* MBEDTLS_CIPHER_MODE_CBC */
567
568#if defined(MBEDTLS_CIPHER_MODE_CFB)
569/*
570 * ARIA-CFB128 buffer encryption/decryption
571 */
572int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
573 int mode,
574 size_t length,
575 size_t *iv_off,
576 unsigned char iv[16],
577 const unsigned char *input,
578 unsigned char *output )
579{
580 int c;
581 size_t n = *iv_off;
582
583 if( mode == MBEDTLS_ARIA_DECRYPT )
584 {
585 while( length-- )
586 {
587 if( n == 0 )
588 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
589
590 c = *input++;
591 *output++ = (unsigned char)( c ^ iv[n] );
592 iv[n] = (unsigned char) c;
593
594 n = ( n + 1 ) & 0x0F;
595 }
596 }
597 else
598 {
599 while( length-- )
600 {
601 if( n == 0 )
602 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
603
604 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
605
606 n = ( n + 1 ) & 0x0F;
607 }
608 }
609
610 *iv_off = n;
611
612 return( 0 );
613}
614#endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616#if defined(MBEDTLS_CIPHER_MODE_CTR)
617/*
618 * ARIA-CTR buffer encryption/decryption
619 */
620int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
621 size_t length,
622 size_t *nc_off,
623 unsigned char nonce_counter[16],
624 unsigned char stream_block[16],
625 const unsigned char *input,
626 unsigned char *output )
627{
628 int c, i;
629 size_t n = *nc_off;
630
631 while( length-- )
632 {
633 if( n == 0 ) {
634 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
635 stream_block );
636
637 for( i = 16; i > 0; i-- )
638 if( ++nonce_counter[i - 1] != 0 )
639 break;
640 }
641 c = *input++;
642 *output++ = (unsigned char)( c ^ stream_block[n] );
643
644 n = ( n + 1 ) & 0x0F;
645 }
646
647 *nc_off = n;
648
649 return( 0 );
650}
651#endif /* MBEDTLS_CIPHER_MODE_CTR */
652#endif /* !MBEDTLS_ARIA_ALT */
653
654#if defined(MBEDTLS_SELF_TEST)
655
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]656/*
657 * Basic ARIA ECB test vectors from RFC 5794
658 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]659static const uint8_t aria_test1_ecb_key[32] = // test key
660{
661 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
662 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
663 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
664 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
665};
666
667static const uint8_t aria_test1_ecb_pt[16] = // plaintext
668{
669 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
670 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
671};
672
673static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
674{
675 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
676 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
677 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
678 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
679 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
680 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
681};
682
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]683/*
684 * Mode tests from "Test Vectors for ARIA" Version 1.0
685 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
686 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]687#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]688 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]689static const uint8_t aria_test2_key[32] =
690{
691 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
692 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
693 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
694 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
695};
696
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]697static const uint8_t aria_test2_pt[48] =
698{
699 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
700 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
701 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
702 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
703 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
704 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
705};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]706#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]707
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]708#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
709static const uint8_t aria_test2_iv[16] =
710{
711 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
712 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
713};
714#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]715
716#if defined(MBEDTLS_CIPHER_MODE_CBC)
717static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
718{
719 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
720 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
721 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
722 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
723 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
724 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
725 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
726 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
727 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
728 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
729 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
730 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
731 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
732 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
733 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
734 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
735 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
736 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
737};
738#endif /* MBEDTLS_CIPHER_MODE_CBC */
739
740#if defined(MBEDTLS_CIPHER_MODE_CFB)
741static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
742{
743 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
744 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
745 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
746 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
747 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
748 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
749 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
750 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
751 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
752 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
753 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
754 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
755 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
756 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
757 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
758 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
759 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
760 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
761};
762#endif /* MBEDTLS_CIPHER_MODE_CFB */
763
764#if defined(MBEDTLS_CIPHER_MODE_CTR)
765static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
766{
767 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
768 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
769 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
770 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
771 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
772 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
773 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
774 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
775 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
776 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
777 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
778 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
779 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
780 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
781 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
782 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
783 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
784 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
785};
786#endif /* MBEDTLS_CIPHER_MODE_CFB */
787
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]788#define ARIA_SELF_TEST_IF_FAIL \
789 { \
790 if( verbose ) \
791 printf( "failed\n" ); \
792 return( 1 ); \
793 } else { \
794 if( verbose ) \
795 printf( "passed\n" ); \
796 }
797
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]798/*
799 * Checkup routine
800 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]801int mbedtls_aria_self_test( int verbose )
802{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]803 int i;
804 uint8_t blk[16];
805 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]806
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]807#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
808 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]809#endif
810
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]811#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
812 defined(MBEDTLS_CIPHER_MODE_CFB) || \
813 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]814 uint8_t buf[48], iv[16];
815#endif
816
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]817 /*
818 * Test set 1
819 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]820 for( i = 0; i < 3; i++ )
821 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]822 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]823 if( verbose )
824 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]825 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]826 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]827 aria_test1_ecb_pt, blk );
828 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
829 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]830
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]831 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]832 if( verbose )
833 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]834 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]835 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]836 aria_test1_ecb_ct[i], blk );
837 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
838 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]839 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]840 if( verbose )
841 printf("\n");
842
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]843 /*
844 * Test set 2
845 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]846#if defined(MBEDTLS_CIPHER_MODE_CBC)
847 for( i = 0; i < 3; i++ )
848 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]849 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]850 if( verbose )
851 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
852 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
853 memcpy( iv, aria_test2_iv, 16 );
854 memset( buf, 0x55, sizeof(buf) );
855 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
856 aria_test2_pt, buf );
857 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
858 ARIA_SELF_TEST_IF_FAIL;
859
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]860 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]861 if( verbose )
862 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
863 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
864 memcpy( iv, aria_test2_iv, 16 );
865 memset( buf, 0xAA, sizeof(buf) );
866 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
867 aria_test2_cbc_ct[i], buf );
868 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
869 ARIA_SELF_TEST_IF_FAIL;
870 }
871 if( verbose )
872 printf("\n");
873
874#endif /* MBEDTLS_CIPHER_MODE_CBC */
875
876#if defined(MBEDTLS_CIPHER_MODE_CFB)
877 for( i = 0; i < 3; i++ )
878 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]879 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]880 if( verbose )
881 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
882 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
883 memcpy( iv, aria_test2_iv, 16 );
884 memset( buf, 0x55, sizeof(buf) );
885 j = 0;
886 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
887 aria_test2_pt, buf );
888 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
889 ARIA_SELF_TEST_IF_FAIL;
890
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]891 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]892 if( verbose )
893 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
894 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
895 memcpy( iv, aria_test2_iv, 16 );
896 memset( buf, 0xAA, sizeof(buf) );
897 j = 0;
898 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
899 iv, aria_test2_cfb_ct[i], buf );
900 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
901 ARIA_SELF_TEST_IF_FAIL;
902 }
903 if( verbose )
904 printf("\n");
905#endif /* MBEDTLS_CIPHER_MODE_CFB */
906
907#if defined(MBEDTLS_CIPHER_MODE_CTR)
908 for( i = 0; i < 3; i++ )
909 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]910 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]911 if( verbose )
912 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
913 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
914 memset( iv, 0, 16 ); // IV = 0
915 memset( buf, 0x55, sizeof(buf) );
916 j = 0;
917 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
918 aria_test2_pt, buf );
919 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
920 ARIA_SELF_TEST_IF_FAIL;
921
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]922 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]923 if( verbose )
924 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
925 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
926 memset( iv, 0, 16 ); // IV = 0
927 memset( buf, 0xAA, sizeof(buf) );
928 j = 0;
929 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
930 aria_test2_ctr_ct[i], buf );
931 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
932 ARIA_SELF_TEST_IF_FAIL;
933 }
934 if( verbose )
935 printf("\n");
936#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]937
938 return( 0 );
939}
940
941#endif /* MBEDTLS_SELF_TEST */
942
943#endif /* MBEDTLS_ARIA_C */