TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 64744f88b60c8654884b99afa707cc32edbf4488 / . / library / aria.c
blob: dc2192afe95c8a8131e65e5d6787be6708f3e8e3 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]51/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
54}
55
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]59
60#ifndef GET_UINT32_LE
61#define GET_UINT32_LE(n,b,i) \
62{ \
63 (n) = ( (uint32_t) (b)[(i) ] ) \
64 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
67}
68#endif
69
70#ifndef PUT_UINT32_LE
71#define PUT_UINT32_LE(n,b,i) \
72{ \
73 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
74 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
75 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
76 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
77}
78#endif
79
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]80/* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]81#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
82
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]83/* modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]84#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
85
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]86/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]87 * ARIA Affine Transform
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]88 * (ra, rb, rc, rd) = state in/out
89 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]90static inline void aria_a( uint32_t *a, uint32_t *b,
91 uint32_t *c, uint32_t *d )
92{
93 uint32_t ta, tb, tc;
94 ta = *b;
95 *b = *a;
96 *a = ARIA_FLIP1( ta );
97 tb = ARIA_FLIP1( *d );
98 *d = ARIA_FLIP2( *c );
99 *c = ARIA_FLIP2( tb );
100 ta ^= *d;
101 tc = ARIA_FLIP1( *b );
102 ta = ARIA_FLIP2( ta ) ^ tc ^ *c;
103 tb ^= ARIA_FLIP1( *d );
104 tc ^= ARIA_FLIP2( *a );
105 *b ^= ta ^ tb;
106 tb = ARIA_FLIP1( tb ) ^ ta;
107 *a ^= ARIA_FLIP2( tb );
108 ta = ARIA_FLIP1( ta );
109 *d ^= ARIA_FLIP2( ta ) ^ tc;
110 tc = ARIA_FLIP1( tc );
111 *c ^= ARIA_FLIP2( tc ) ^ ta;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]112}
113
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]114/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]115 * ARIA Substitution Layer SL1 / SL2
116 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]117 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]118 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]119 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
120 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]121 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]122static inline void aria_sl( uint32_t *a, uint32_t *b,
123 uint32_t *c, uint32_t *d,
124 const uint8_t sa[0x100], const uint8_t sb[0x100],
125 const uint8_t sc[0x100], const uint8_t sd[0x100] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]126{
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]127 *a = ( (uint32_t) sa[ *a & 0xFF]) ^
128 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
129 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
130 (((uint32_t) sd[ *a >> 24 ]) << 24);
131 *b = ( (uint32_t) sa[ *b & 0xFF]) ^
132 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
133 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
134 (((uint32_t) sd[ *b >> 24 ]) << 24);
135 *c = ( (uint32_t) sa[ *c & 0xFF]) ^
136 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
137 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
138 (((uint32_t) sd[ *c >> 24 ]) << 24);
139 *d = ( (uint32_t) sa[ *d & 0xFF]) ^
140 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
141 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
142 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]143}
144
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]145/*
146 * S-Boxes
147 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]148static const uint8_t aria_sb1[0x100] =
149{
150 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
151 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
152 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
153 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
154 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
155 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
156 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
157 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
158 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
159 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
160 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
161 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
162 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
163 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
164 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
165 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
166 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
167 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
168 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
169 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
170 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
171 0xB0, 0x54, 0xBB, 0x16
172};
173
174static const uint8_t aria_sb2[0x100] =
175{
176 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
177 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
178 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
179 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
180 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
181 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
182 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
183 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
184 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
185 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
186 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
187 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
188 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
189 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
190 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
191 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
192 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
193 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
194 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
195 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
196 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
197 0xAF, 0xBA, 0xB5, 0x81
198};
199
200static const uint8_t aria_is1[0x100] =
201{
202 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
203 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
204 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
205 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
206 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
207 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
208 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
209 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
210 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
211 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
212 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
213 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
214 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
215 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
217 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
218 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
219 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
220 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
221 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
222 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
223 0x55, 0x21, 0x0C, 0x7D
224};
225
226static const uint8_t aria_is2[0x100] =
227{
228 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
229 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
230 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
231 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
232 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
233 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
234 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
235 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
236 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
237 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
238 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
239 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
240 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
241 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
242 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
243 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
244 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
245 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
246 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
247 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
248 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
249 0x03, 0xA2, 0xAC, 0x60
250};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]251
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]252/*
253 * Helper for key schedule: r = FO( p, k ) ^ x
254 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]255static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]256 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
257{
258 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]259
260 a = p[0] ^ k[0];
261 b = p[1] ^ k[1];
262 c = p[2] ^ k[2];
263 d = p[3] ^ k[3];
264
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]265 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
266 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]267
268 r[0] = a ^ x[0];
269 r[1] = b ^ x[1];
270 r[2] = c ^ x[2];
271 r[3] = d ^ x[3];
272}
273
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]274/*
275 * Helper for key schedule: r = FE( p, k ) ^ x
276 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]277static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
279{
280 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]281
282 a = p[0] ^ k[0];
283 b = p[1] ^ k[1];
284 c = p[2] ^ k[2];
285 d = p[3] ^ k[3];
286
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]287 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
288 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]289
290 r[0] = a ^ x[0];
291 r[1] = b ^ x[1];
292 r[2] = c ^ x[2];
293 r[3] = d ^ x[3];
294}
295
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]296/*
297 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
298 *
299 * We chose to store bytes into 32-bit words in little-endian format (see
300 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
301 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]302static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]303 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]304{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]305 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]306 uint32_t t, u;
307
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]308 const uint8_t n1 = n % 32; // bit offset
309 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]310
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]311 j = (n / 32) % 4; // initial word offset
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]312 t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
313 for( i = 0; i < 4; i++ )
314 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]315 j = (j + 1) % 4; // get next word, big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]316 u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
317 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]318 t |= u >> n2;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]319 t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
320 r[i] = a[i] ^ t; // store
321 t = u; // move to next word
322 }
323}
324
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]325/*
326 * Set encryption key
327 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]328int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
329 const unsigned char *key, unsigned int keybits)
330{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]331 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]332 const uint32_t rc[3][4] =
333 {
334 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
335 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
336 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
337 };
338
339 int i;
340 uint32_t w[4][4], *w2;
341
342 if (keybits != 128 && keybits != 192 && keybits != 256)
343 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
344
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]345 /* Copy key to W0 (and potential remainder to W1) */
346 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]347 GET_UINT32_LE( w[0][1], key, 4 );
348 GET_UINT32_LE( w[0][2], key, 8 );
349 GET_UINT32_LE( w[0][3], key, 12 );
350
351 memset(w[1], 0, 16);
352 if( keybits >= 192 )
353 {
354 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
355 GET_UINT32_LE( w[1][1], key, 20 );
356 }
357 if( keybits == 256 )
358 {
359 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
360 GET_UINT32_LE( w[1][3], key, 28 );
361 }
362
363 i = (keybits - 128) >> 6; // index: 0, 1, 2
364 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
365
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]366 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]367 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]368 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]369 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]370 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]371
372 for( i = 0; i < 4; i++ ) // create round keys
373 {
374 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]375 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
376 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
377 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
378 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]379 }
380 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
381
382 return 0;
383}
384
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]385/*
386 * Set decryption key
387 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]388int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
389 const unsigned char *key, unsigned int keybits)
390{
391 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]392
393 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
394 if( ret != 0 )
395 return ret;
396
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]397 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]398 for( i = 0, j = ctx->nr; i < j; i++, j-- )
399 {
400 for( k = 0; k < 4; k++ )
401 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]402 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403 ctx->rk[i][k] = ctx->rk[j][k];
404 ctx->rk[j][k] = t;
405 }
406 }
407
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]408 /* apply affine transform to middle keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]409 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]410 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411
412 return 0;
413}
414
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]415/*
416 * Encrypt a block
417 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
419 int mode,
420 const unsigned char input[16],
421 unsigned char output[16] )
422{
423 int i;
424
425 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]426
427 ( (void) mode );
428
429 GET_UINT32_LE( a, input, 0 );
430 GET_UINT32_LE( b, input, 4 );
431 GET_UINT32_LE( c, input, 8 );
432 GET_UINT32_LE( d, input, 12 );
433
434 i = 0;
435 while (1)
436 {
437 a ^= ctx->rk[i][0];
438 b ^= ctx->rk[i][1];
439 c ^= ctx->rk[i][2];
440 d ^= ctx->rk[i][3];
441 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]442
443 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
444 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445
446 a ^= ctx->rk[i][0];
447 b ^= ctx->rk[i][1];
448 c ^= ctx->rk[i][2];
449 d ^= ctx->rk[i][3];
450 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]451
452 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]453 if (i >= ctx->nr)
454 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]455 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]456 }
457
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame^]458 /* final key mixing */
459 a ^= ctx->rk[i][0];
460 b ^= ctx->rk[i][1];
461 c ^= ctx->rk[i][2];
462 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]463
464 PUT_UINT32_LE( a, output, 0 );
465 PUT_UINT32_LE( b, output, 4 );
466 PUT_UINT32_LE( c, output, 8 );
467 PUT_UINT32_LE( d, output, 12 );
468
469 return 0;
470}
471
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]472/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]473void mbedtls_aria_init( mbedtls_aria_context *ctx )
474{
475 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
476}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]477
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]478/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]479void mbedtls_aria_free( mbedtls_aria_context *ctx )
480{
481 if( ctx == NULL )
482 return;
483
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]484 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]485}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]486
487#if defined(MBEDTLS_CIPHER_MODE_CBC)
488/*
489 * ARIA-CBC buffer encryption/decryption
490 */
491int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
492 int mode,
493 size_t length,
494 unsigned char iv[16],
495 const unsigned char *input,
496 unsigned char *output )
497{
498 int i;
499 unsigned char temp[16];
500
501 if( length % 16 )
502 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
503
504 if( mode == MBEDTLS_ARIA_DECRYPT )
505 {
506 while( length > 0 )
507 {
508 memcpy( temp, input, 16 );
509 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
510
511 for( i = 0; i < 16; i++ )
512 output[i] = (unsigned char)( output[i] ^ iv[i] );
513
514 memcpy( iv, temp, 16 );
515
516 input += 16;
517 output += 16;
518 length -= 16;
519 }
520 }
521 else
522 {
523 while( length > 0 )
524 {
525 for( i = 0; i < 16; i++ )
526 output[i] = (unsigned char)( input[i] ^ iv[i] );
527
528 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
529 memcpy( iv, output, 16 );
530
531 input += 16;
532 output += 16;
533 length -= 16;
534 }
535 }
536
537 return( 0 );
538}
539#endif /* MBEDTLS_CIPHER_MODE_CBC */
540
541#if defined(MBEDTLS_CIPHER_MODE_CFB)
542/*
543 * ARIA-CFB128 buffer encryption/decryption
544 */
545int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
546 int mode,
547 size_t length,
548 size_t *iv_off,
549 unsigned char iv[16],
550 const unsigned char *input,
551 unsigned char *output )
552{
553 int c;
554 size_t n = *iv_off;
555
556 if( mode == MBEDTLS_ARIA_DECRYPT )
557 {
558 while( length-- )
559 {
560 if( n == 0 )
561 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
562
563 c = *input++;
564 *output++ = (unsigned char)( c ^ iv[n] );
565 iv[n] = (unsigned char) c;
566
567 n = ( n + 1 ) & 0x0F;
568 }
569 }
570 else
571 {
572 while( length-- )
573 {
574 if( n == 0 )
575 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
576
577 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
578
579 n = ( n + 1 ) & 0x0F;
580 }
581 }
582
583 *iv_off = n;
584
585 return( 0 );
586}
587#endif /* MBEDTLS_CIPHER_MODE_CFB */
588
589#if defined(MBEDTLS_CIPHER_MODE_CTR)
590/*
591 * ARIA-CTR buffer encryption/decryption
592 */
593int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
594 size_t length,
595 size_t *nc_off,
596 unsigned char nonce_counter[16],
597 unsigned char stream_block[16],
598 const unsigned char *input,
599 unsigned char *output )
600{
601 int c, i;
602 size_t n = *nc_off;
603
604 while( length-- )
605 {
606 if( n == 0 ) {
607 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
608 stream_block );
609
610 for( i = 16; i > 0; i-- )
611 if( ++nonce_counter[i - 1] != 0 )
612 break;
613 }
614 c = *input++;
615 *output++ = (unsigned char)( c ^ stream_block[n] );
616
617 n = ( n + 1 ) & 0x0F;
618 }
619
620 *nc_off = n;
621
622 return( 0 );
623}
624#endif /* MBEDTLS_CIPHER_MODE_CTR */
625#endif /* !MBEDTLS_ARIA_ALT */
626
627#if defined(MBEDTLS_SELF_TEST)
628
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]629/*
630 * Basic ARIA ECB test vectors from RFC 5794
631 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]632static const uint8_t aria_test1_ecb_key[32] = // test key
633{
634 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
635 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
636 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
637 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
638};
639
640static const uint8_t aria_test1_ecb_pt[16] = // plaintext
641{
642 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
643 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
644};
645
646static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
647{
648 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
649 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
650 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
651 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
652 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
653 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
654};
655
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]656/*
657 * Mode tests from "Test Vectors for ARIA" Version 1.0
658 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
659 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]660#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]661 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]662static const uint8_t aria_test2_key[32] =
663{
664 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
665 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
666 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
667 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
668};
669
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]670static const uint8_t aria_test2_pt[48] =
671{
672 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
673 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
674 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
675 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
676 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
677 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
678};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]679#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]680
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]681#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
682static const uint8_t aria_test2_iv[16] =
683{
684 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
685 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
686};
687#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]688
689#if defined(MBEDTLS_CIPHER_MODE_CBC)
690static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
691{
692 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
693 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
694 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
695 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
696 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
697 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
698 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
699 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
700 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
701 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
702 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
703 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
704 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
705 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
706 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
707 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
708 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
709 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
710};
711#endif /* MBEDTLS_CIPHER_MODE_CBC */
712
713#if defined(MBEDTLS_CIPHER_MODE_CFB)
714static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
715{
716 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
717 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
718 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
719 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
720 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
721 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
722 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
723 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
724 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
725 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
726 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
727 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
728 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
729 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
730 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
731 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
732 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
733 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
734};
735#endif /* MBEDTLS_CIPHER_MODE_CFB */
736
737#if defined(MBEDTLS_CIPHER_MODE_CTR)
738static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
739{
740 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
741 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
742 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
743 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
744 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
745 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
746 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
747 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
748 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
749 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
750 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
751 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
752 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
753 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
754 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
755 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
756 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
757 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
758};
759#endif /* MBEDTLS_CIPHER_MODE_CFB */
760
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]761#define ARIA_SELF_TEST_IF_FAIL \
762 { \
763 if( verbose ) \
764 printf( "failed\n" ); \
765 return( 1 ); \
766 } else { \
767 if( verbose ) \
768 printf( "passed\n" ); \
769 }
770
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]771/*
772 * Checkup routine
773 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]774int mbedtls_aria_self_test( int verbose )
775{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]776 int i;
777 uint8_t blk[16];
778 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]779
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]780#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
781 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]782#endif
783
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]784#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
785 defined(MBEDTLS_CIPHER_MODE_CFB) || \
786 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]787 uint8_t buf[48], iv[16];
788#endif
789
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]790 /*
791 * Test set 1
792 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]793 for( i = 0; i < 3; i++ )
794 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]795 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]796 if( verbose )
797 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]798 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]799 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]800 aria_test1_ecb_pt, blk );
801 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
802 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]803
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]804 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]805 if( verbose )
806 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]807 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]808 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]809 aria_test1_ecb_ct[i], blk );
810 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
811 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]812 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]813 if( verbose )
814 printf("\n");
815
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]816 /*
817 * Test set 2
818 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]819#if defined(MBEDTLS_CIPHER_MODE_CBC)
820 for( i = 0; i < 3; i++ )
821 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]822 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]823 if( verbose )
824 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
825 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
826 memcpy( iv, aria_test2_iv, 16 );
827 memset( buf, 0x55, sizeof(buf) );
828 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
829 aria_test2_pt, buf );
830 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
831 ARIA_SELF_TEST_IF_FAIL;
832
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]833 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]834 if( verbose )
835 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
836 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
837 memcpy( iv, aria_test2_iv, 16 );
838 memset( buf, 0xAA, sizeof(buf) );
839 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
840 aria_test2_cbc_ct[i], buf );
841 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
842 ARIA_SELF_TEST_IF_FAIL;
843 }
844 if( verbose )
845 printf("\n");
846
847#endif /* MBEDTLS_CIPHER_MODE_CBC */
848
849#if defined(MBEDTLS_CIPHER_MODE_CFB)
850 for( i = 0; i < 3; i++ )
851 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]852 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]853 if( verbose )
854 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
855 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
856 memcpy( iv, aria_test2_iv, 16 );
857 memset( buf, 0x55, sizeof(buf) );
858 j = 0;
859 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
860 aria_test2_pt, buf );
861 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
862 ARIA_SELF_TEST_IF_FAIL;
863
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]864 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]865 if( verbose )
866 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
867 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
868 memcpy( iv, aria_test2_iv, 16 );
869 memset( buf, 0xAA, sizeof(buf) );
870 j = 0;
871 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
872 iv, aria_test2_cfb_ct[i], buf );
873 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
874 ARIA_SELF_TEST_IF_FAIL;
875 }
876 if( verbose )
877 printf("\n");
878#endif /* MBEDTLS_CIPHER_MODE_CFB */
879
880#if defined(MBEDTLS_CIPHER_MODE_CTR)
881 for( i = 0; i < 3; i++ )
882 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]883 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]884 if( verbose )
885 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
886 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
887 memset( iv, 0, 16 ); // IV = 0
888 memset( buf, 0x55, sizeof(buf) );
889 j = 0;
890 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
891 aria_test2_pt, buf );
892 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
893 ARIA_SELF_TEST_IF_FAIL;
894
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]895 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]896 if( verbose )
897 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
898 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
899 memset( iv, 0, 16 ); // IV = 0
900 memset( buf, 0xAA, sizeof(buf) );
901 j = 0;
902 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
903 aria_test2_ctr_ct[i], buf );
904 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
905 ARIA_SELF_TEST_IF_FAIL;
906 }
907 if( verbose )
908 printf("\n");
909#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]910
911 return( 0 );
912}
913
914#endif /* MBEDTLS_SELF_TEST */
915
916#endif /* MBEDTLS_ARIA_C */