Blame - library/aria.c - mirror/mbed-crypto - TrustedFirmware Git Browser

blob: 6f76538cfad000f27bdab25553f5726f3d21c792 [file] [log] [blame]

Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	1	/*
				2	* ARIA implementation
				3	*
				4	* Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
				5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
				18	*
				19	* This file is part of mbed TLS (https://tls.mbed.org)
				20	*/
				21
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	22	/*
				23	* This implementation is based on the following standards:
				24	* [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
				25	* [2] https://tools.ietf.org/html/rfc5794
				26	*/
				27
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	28	#if !defined(MBEDTLS_CONFIG_FILE)
				29	#include "mbedtls/config.h"
				30	#else
				31	#include MBEDTLS_CONFIG_FILE
				32	#endif
				33
				34	#if defined(MBEDTLS_ARIA_C)
				35
				36	#include "mbedtls/aria.h"
				37
				38	#include <string.h>
				39
				40	#if defined(MBEDTLS_SELF_TEST)
				41	#if defined(MBEDTLS_PLATFORM_C)
				42	#include "mbedtls/platform.h"
				43	#else
				44	#include <stdio.h>
				45	#define mbedtls_printf printf
				46	#endif /* MBEDTLS_PLATFORM_C */
				47	#endif /* MBEDTLS_SELF_TEST */
				48
				49	#if !defined(MBEDTLS_ARIA_ALT)
				50
				51	// 32-bit integer manipulation macros (little endian)
				52
				53	#ifndef GET_UINT32_LE
				54	#define GET_UINT32_LE(n,b,i) \
				55	{ \
				56	(n) = ( (uint32_t) (b)[(i) ] ) \
				57	\| ( (uint32_t) (b)[(i) + 1] << 8 ) \
				58	\| ( (uint32_t) (b)[(i) + 2] << 16 ) \
				59	\| ( (uint32_t) (b)[(i) + 3] << 24 ); \
				60	}
				61	#endif
				62
				63	#ifndef PUT_UINT32_LE
				64	#define PUT_UINT32_LE(n,b,i) \
				65	{ \
				66	(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
				67	(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
				68	(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
				69	(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
				70	}
				71	#endif
				72
				73	// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
				74	#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
				75
				76	// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
				77	#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
				78
				79	// Affine Transform A
				80	// (ra, rb, rc, rd) = state in/out
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	81
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	82	#define ARIA_A( ra, rb, rc, rd ) { \
				83	uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	84	ta = rb; \
				85	rb = ra; \
				86	ra = ARIA_FLIP1( ta ); \
				87	tb = ARIA_FLIP1( rd ); \
				88	rd = ARIA_FLIP2( rc ); \
				89	rc = ARIA_FLIP2( tb ); \
				90	ta ^= rd; \
				91	tc = ARIA_FLIP1( rb ); \
				92	ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
				93	tb ^= ARIA_FLIP1( rd ); \
				94	tc ^= ARIA_FLIP2( ra ); \
				95	rb ^= ta ^ tb; \
				96	tb = ARIA_FLIP1( tb ) ^ ta; \
				97	ra ^= ARIA_FLIP2( tb ); \
				98	ta = ARIA_FLIP1( ta ); \
				99	rd ^= ARIA_FLIP2( ta ) ^ tc; \
				100	tc = ARIA_FLIP1( tc ); \
				101	rc ^= ARIA_FLIP2( tc ) ^ ta; \
				102	}
				103
				104
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	105	/* ARIA Round function ( Substitution Layer SLx + Affine Transform A )
				106	* (ra, rb, rc, rd) = state in/out
				107	* (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	108	*
				109	* By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A.
				110	* By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A.
				111	*/
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	112
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	113	#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \
				114	uint32_t ta, tb, tc; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	115	ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
				116	(((uint32_t) sd[ rb >> 24]) << 8) ^ \
				117	(((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
				118	(((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
				119	rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
				120	(((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
				121	(((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
				122	(((uint32_t) sd[ ra >> 24]) << 24); \
				123	ra = ta; \
				124	ta = ( (uint32_t) sd[ rd >> 24]) ^ \
				125	(((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
				126	(((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
				127	(((uint32_t) sa[ rd & 0xFF]) << 24); \
				128	rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
				129	(((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
				130	(((uint32_t) sd[ rc >> 24]) << 16) ^ \
				131	(((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
				132	rc = ta; \
				133	ta = ARIA_FLIP1( ra ) ^ rd; \
				134	tc = ARIA_FLIP1( rb ); \
				135	ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
				136	tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
				137	tc ^= ARIA_FLIP2( ra ); \
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	138	rb ^= ta ^ tb; \
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	139	tb = ARIA_FLIP1( tb ) ^ ta; \
				140	ra ^= ARIA_FLIP2( tb ); \
				141	ta = ARIA_FLIP1( ta ); \
				142	rd ^= ARIA_FLIP2( ta ) ^ tc; \
				143	tc = ARIA_FLIP1( tc ); \
				144	rc ^= ARIA_FLIP2( tc ) ^ ta; \
				145	}
				146
				147	// S-Boxes
				148
				149	static const uint8_t aria_sb1[0x100] =
				150	{
				151	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
				152	0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
				153	0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
				154	0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
				155	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
				156	0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
				157	0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
				158	0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
				159	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
				160	0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
				161	0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
				162	0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
				163	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
				164	0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
				165	0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
				166	0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
				167	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
				168	0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
				169	0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
				170	0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
				171	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
				172	0xB0, 0x54, 0xBB, 0x16
				173	};
				174
				175	static const uint8_t aria_sb2[0x100] =
				176	{
				177	0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
				178	0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
				179	0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
				180	0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
				181	0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
				182	0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
				183	0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
				184	0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
				185	0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
				186	0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
				187	0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
				188	0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
				189	0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
				190	0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
				191	0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
				192	0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
				193	0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
				194	0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
				195	0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
				196	0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
				197	0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
				198	0xAF, 0xBA, 0xB5, 0x81
				199	};
				200
				201	static const uint8_t aria_is1[0x100] =
				202	{
				203	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
				204	0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
				205	0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
				206	0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
				207	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
				208	0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
				209	0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
				210	0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
				211	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
				212	0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
				213	0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
				214	0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
				215	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
				216	0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
				217	0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
				218	0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
				219	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
				220	0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
				221	0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
				222	0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
				223	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
				224	0x55, 0x21, 0x0C, 0x7D
				225	};
				226
				227	static const uint8_t aria_is2[0x100] =
				228	{
				229	0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
				230	0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
				231	0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
				232	0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
				233	0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
				234	0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
				235	0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
				236	0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
				237	0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
				238	0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
				239	0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
				240	0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
				241	0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
				242	0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
				243	0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
				244	0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
				245	0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
				246	0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
				247	0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
				248	0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
				249	0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
				250	0x03, 0xA2, 0xAC, 0x60
				251	};
				252	// FO and FE are helpers for key schedule
				253
				254	// r = FO( p, k ) ^ x
				255
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	256	static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	257	const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
				258	{
				259	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	260
				261	a = p[0] ^ k[0];
				262	b = p[1] ^ k[1];
				263	c = p[2] ^ k[2];
				264	d = p[3] ^ k[3];
				265
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	266	ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	267
				268	r[0] = a ^ x[0];
				269	r[1] = b ^ x[1];
				270	r[2] = c ^ x[2];
				271	r[3] = d ^ x[3];
				272	}
				273
				274	// r = FE( p, k ) ^ x
				275
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	276	static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	277	const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
				278	{
				279	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	280
				281	a = p[0] ^ k[0];
				282	b = p[1] ^ k[1];
				283	c = p[2] ^ k[2];
				284	d = p[3] ^ k[3];
				285
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	286	ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	287
				288	r[0] = a ^ x[0];
				289	r[1] = b ^ x[1];
				290	r[2] = c ^ x[2];
				291	r[3] = d ^ x[3];
				292	}
				293
				294	// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup.
				295	// This is relatively slow since our implementation is geared towards
				296	// little-endian targets and stores state in that order.
				297
				298	static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame^]	299	const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	300	{
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame^]	301	uint8_t i, j;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	302	uint32_t t, u;
				303
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame^]	304	const uint8_t n1 = n & 0x1F; // bit offset
				305	const uint8_t n2 = 32 - n1; // reverse bit offset
				306
				307	j = (n >> 5) & 3; // initial word offset
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	308	t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
				309	for( i = 0; i < 4; i++ )
				310	{
				311	j = (j + 1) & 3; // get next word, big endian
				312	u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
				313	t <<= n1; // rotate
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame^]	314	if (n2 < 32) // rotate 32 bits = 0 bits..
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	315	t \|= u >> n2;
				316	t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
				317	r[i] = a[i] ^ t; // store
				318	t = u; // move to next word
				319	}
				320	}
				321
				322	// Set encryption key
				323
				324	int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
				325	const unsigned char *key, unsigned int keybits)
				326	{
				327	// round constant masks
				328	const uint32_t rc[3][4] =
				329	{
				330	{ 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
				331	{ 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
				332	{ 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
				333	};
				334
				335	int i;
				336	uint32_t w[4][4], *w2;
				337
				338	if (keybits != 128 && keybits != 192 && keybits != 256)
				339	return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
				340
				341	// W0 = KL
				342	GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 \| W1
				343	GET_UINT32_LE( w[0][1], key, 4 );
				344	GET_UINT32_LE( w[0][2], key, 8 );
				345	GET_UINT32_LE( w[0][3], key, 12 );
				346
				347	memset(w[1], 0, 16);
				348	if( keybits >= 192 )
				349	{
				350	GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
				351	GET_UINT32_LE( w[1][1], key, 20 );
				352	}
				353	if( keybits == 256 )
				354	{
				355	GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
				356	GET_UINT32_LE( w[1][3], key, 28 );
				357	}
				358
				359	i = (keybits - 128) >> 6; // index: 0, 1, 2
				360	ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
				361
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	362	aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	363	i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	364	aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	365	i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnard	a6d639e	2018-02-20 13:45:44 +0100	[diff] [blame]	366	aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	367
				368	for( i = 0; i < 4; i++ ) // create round keys
				369	{
				370	w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard	9cc8924	2018-02-21 09:44:29 +0100	[diff] [blame^]	371	aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
				372	aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
				373	aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
				374	aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	375	}
				376	aria_rot128( ctx->rk[16], w[0], w[1], 19 );
				377
				378	return 0;
				379	}
				380
				381	// Set decryption key
				382
				383	int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
				384	const unsigned char *key, unsigned int keybits)
				385	{
				386	int i, j, k, ret;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	387
				388	ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
				389	if( ret != 0 )
				390	return ret;
				391
				392	// flip the order of round keys
				393	for( i = 0, j = ctx->nr; i < j; i++, j-- )
				394	{
				395	for( k = 0; k < 4; k++ )
				396	{
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	397	uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	398	ctx->rk[i][k] = ctx->rk[j][k];
				399	ctx->rk[j][k] = t;
				400	}
				401	}
				402
				403	// apply affine transform to middle keys
				404	for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	405	ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	406
				407	return 0;
				408	}
				409
				410	// Encrypt a block
				411
				412	int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
				413	int mode,
				414	const unsigned char input[16],
				415	unsigned char output[16] )
				416	{
				417	int i;
				418
				419	uint32_t a, b, c, d;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	420
				421	( (void) mode );
				422
				423	GET_UINT32_LE( a, input, 0 );
				424	GET_UINT32_LE( b, input, 4 );
				425	GET_UINT32_LE( c, input, 8 );
				426	GET_UINT32_LE( d, input, 12 );
				427
				428	i = 0;
				429	while (1)
				430	{
				431	a ^= ctx->rk[i][0];
				432	b ^= ctx->rk[i][1];
				433	c ^= ctx->rk[i][2];
				434	d ^= ctx->rk[i][3];
				435	i++;
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	436	ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	437
				438	a ^= ctx->rk[i][0];
				439	b ^= ctx->rk[i][1];
				440	c ^= ctx->rk[i][2];
				441	d ^= ctx->rk[i][3];
				442	i++;
				443	if (i >= ctx->nr)
				444	break;
				445
Manuel Pégourié-Gonnard	e1ad749	2018-02-20 13:59:05 +0100	[diff] [blame]	446	ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	447	}
				448
				449	// final substitution
				450
				451	a = ctx->rk[i][0] ^
				452	( (uint32_t) aria_is1[ a & 0xFF]) ^
				453	(((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
				454	(((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
				455	(((uint32_t) aria_sb2[ a >> 24 ]) << 24);
				456
				457	b = ctx->rk[i][1] ^
				458	( (uint32_t) aria_is1[ b & 0xFF]) ^
				459	(((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
				460	(((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
				461	(((uint32_t) aria_sb2[ b >> 24 ]) << 24);
				462
				463	c = ctx->rk[i][2] ^
				464	( (uint32_t) aria_is1[ c & 0xFF]) ^
				465	(((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
				466	(((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
				467	(((uint32_t) aria_sb2[ c >> 24 ]) << 24);
				468
				469	d = ctx->rk[i][3] ^
				470	( (uint32_t) aria_is1[ d & 0xFF]) ^
				471	(((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
				472	(((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
				473	(((uint32_t) aria_sb2[ d >> 24 ]) << 24);
				474
				475	PUT_UINT32_LE( a, output, 0 );
				476	PUT_UINT32_LE( b, output, 4 );
				477	PUT_UINT32_LE( c, output, 8 );
				478	PUT_UINT32_LE( d, output, 12 );
				479
				480	return 0;
				481	}
				482
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	483	void mbedtls_aria_init( mbedtls_aria_context *ctx )
				484	{
				485	memset( ctx, 0, sizeof( mbedtls_aria_context ) );
				486	}
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	487
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	488	void mbedtls_aria_free( mbedtls_aria_context *ctx )
				489	{
				490	if( ctx == NULL )
				491	return;
				492
				493	// compiler can't remove this since this is not a static function
				494	memset( ctx, 0, sizeof( mbedtls_aria_context ) );
				495	}
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	496
				497	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				498	/*
				499	* ARIA-CBC buffer encryption/decryption
				500	*/
				501	int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
				502	int mode,
				503	size_t length,
				504	unsigned char iv[16],
				505	const unsigned char *input,
				506	unsigned char *output )
				507	{
				508	int i;
				509	unsigned char temp[16];
				510
				511	if( length % 16 )
				512	return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
				513
				514	if( mode == MBEDTLS_ARIA_DECRYPT )
				515	{
				516	while( length > 0 )
				517	{
				518	memcpy( temp, input, 16 );
				519	mbedtls_aria_crypt_ecb( ctx, mode, input, output );
				520
				521	for( i = 0; i < 16; i++ )
				522	output[i] = (unsigned char)( output[i] ^ iv[i] );
				523
				524	memcpy( iv, temp, 16 );
				525
				526	input += 16;
				527	output += 16;
				528	length -= 16;
				529	}
				530	}
				531	else
				532	{
				533	while( length > 0 )
				534	{
				535	for( i = 0; i < 16; i++ )
				536	output[i] = (unsigned char)( input[i] ^ iv[i] );
				537
				538	mbedtls_aria_crypt_ecb( ctx, mode, output, output );
				539	memcpy( iv, output, 16 );
				540
				541	input += 16;
				542	output += 16;
				543	length -= 16;
				544	}
				545	}
				546
				547	return( 0 );
				548	}
				549	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				550
				551	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				552	/*
				553	* ARIA-CFB128 buffer encryption/decryption
				554	*/
				555	int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
				556	int mode,
				557	size_t length,
				558	size_t *iv_off,
				559	unsigned char iv[16],
				560	const unsigned char *input,
				561	unsigned char *output )
				562	{
				563	int c;
				564	size_t n = *iv_off;
				565
				566	if( mode == MBEDTLS_ARIA_DECRYPT )
				567	{
				568	while( length-- )
				569	{
				570	if( n == 0 )
				571	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
				572
				573	c = *input++;
				574	*output++ = (unsigned char)( c ^ iv[n] );
				575	iv[n] = (unsigned char) c;
				576
				577	n = ( n + 1 ) & 0x0F;
				578	}
				579	}
				580	else
				581	{
				582	while( length-- )
				583	{
				584	if( n == 0 )
				585	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
				586
				587	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
				588
				589	n = ( n + 1 ) & 0x0F;
				590	}
				591	}
				592
				593	*iv_off = n;
				594
				595	return( 0 );
				596	}
				597	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				598
				599	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				600	/*
				601	* ARIA-CTR buffer encryption/decryption
				602	*/
				603	int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
				604	size_t length,
				605	size_t *nc_off,
				606	unsigned char nonce_counter[16],
				607	unsigned char stream_block[16],
				608	const unsigned char *input,
				609	unsigned char *output )
				610	{
				611	int c, i;
				612	size_t n = *nc_off;
				613
				614	while( length-- )
				615	{
				616	if( n == 0 ) {
				617	mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
				618	stream_block );
				619
				620	for( i = 16; i > 0; i-- )
				621	if( ++nonce_counter[i - 1] != 0 )
				622	break;
				623	}
				624	c = *input++;
				625	*output++ = (unsigned char)( c ^ stream_block[n] );
				626
				627	n = ( n + 1 ) & 0x0F;
				628	}
				629
				630	*nc_off = n;
				631
				632	return( 0 );
				633	}
				634	#endif /* MBEDTLS_CIPHER_MODE_CTR */
				635	#endif /* !MBEDTLS_ARIA_ALT */
				636
				637	#if defined(MBEDTLS_SELF_TEST)
				638
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	639	// Basic ARIA ECB test vectors from RFC 5794
				640
				641	static const uint8_t aria_test1_ecb_key[32] = // test key
				642	{
				643	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
				644	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
				645	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
				646	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
				647	};
				648
				649	static const uint8_t aria_test1_ecb_pt[16] = // plaintext
				650	{
				651	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
				652	0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
				653	};
				654
				655	static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
				656	{
				657	{ 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
				658	0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
				659	{ 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
				660	0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
				661	{ 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
				662	0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
				663	};
				664
				665	// Mode tests from "Test Vectors for ARIA" Version 1.0
				666	// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
				667
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	668	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| defined(MBEDTLS_CIPHER_MODE_CFB) \|\| \
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	669	defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	670	static const uint8_t aria_test2_key[32] =
				671	{
				672	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
				673	0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
				674	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
				675	0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
				676	};
				677
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	678	static const uint8_t aria_test2_pt[48] =
				679	{
				680	0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
				681	0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
				682	0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
				683	0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
				684	0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
				685	0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
				686	};
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	687	#endif
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	688
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	689	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| defined(MBEDTLS_CIPHER_MODE_CFB))
				690	static const uint8_t aria_test2_iv[16] =
				691	{
				692	0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
				693	0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
				694	};
				695	#endif
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	696
				697	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				698	static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
				699	{
				700	{ 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
				701	0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
				702	0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
				703	0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
				704	0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
				705	0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
				706	{ 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
				707	0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
				708	0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
				709	0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
				710	0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
				711	0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
				712	{ 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
				713	0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
				714	0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
				715	0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
				716	0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
				717	0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
				718	};
				719	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				720
				721	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				722	static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
				723	{
				724	{ 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
				725	0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
				726	0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
				727	0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
				728	0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
				729	0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
				730	{ 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
				731	0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
				732	0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
				733	0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
				734	0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
				735	0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
				736	{ 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
				737	0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
				738	0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
				739	0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
				740	0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
				741	0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
				742	};
				743	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				744
				745	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				746	static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
				747	{
				748	{ 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
				749	0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
				750	0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
				751	0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
				752	0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
				753	0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
				754	{ 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
				755	0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
				756	0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
				757	0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
				758	0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
				759	0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
				760	{ 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
				761	0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
				762	0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
				763	0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
				764	0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
				765	0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
				766	};
				767	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				768
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	769	/*
				770	* Checkup routine
				771	*/
				772
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	773	#define ARIA_SELF_TEST_IF_FAIL \
				774	{ \
				775	if( verbose ) \
				776	printf( "failed\n" ); \
				777	return( 1 ); \
				778	} else { \
				779	if( verbose ) \
				780	printf( "passed\n" ); \
				781	}
				782
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	783	int mbedtls_aria_self_test( int verbose )
				784	{
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	785	int i;
				786	uint8_t blk[16];
				787	mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	788
Markku-Juhani O. Saarinen	6ba68d4	2017-12-01 14:26:21 +0000	[diff] [blame]	789	#if (defined(MBEDTLS_CIPHER_MODE_CFB) \|\| defined(MBEDTLS_CIPHER_MODE_CTR))
				790	size_t j;
Markku-Juhani O. Saarinen	3c0b53b	2017-11-30 16:00:34 +0000	[diff] [blame]	791	#endif
				792
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	793	#if (defined(MBEDTLS_CIPHER_MODE_CBC) \|\| \
				794	defined(MBEDTLS_CIPHER_MODE_CFB) \|\| \
				795	defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	796	uint8_t buf[48], iv[16];
				797	#endif
				798
				799	// Test set 1
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	800
				801	for( i = 0; i < 3; i++ )
				802	{
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	803	// test ECB encryption
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	804	if( verbose )
				805	printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	806	mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	807	mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	808	aria_test1_ecb_pt, blk );
				809	if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
				810	ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	811
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	812	// test ECB decryption
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	813	if( verbose )
				814	printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	815	mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	816	mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	817	aria_test1_ecb_ct[i], blk );
				818	if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
				819	ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	820	}
Markku-Juhani O. Saarinen	259fa60	2017-11-30 15:48:37 +0000	[diff] [blame]	821	if( verbose )
				822	printf("\n");
				823
				824	// Test set 2
				825
				826	#if defined(MBEDTLS_CIPHER_MODE_CBC)
				827	for( i = 0; i < 3; i++ )
				828	{
				829	// Test CBC encryption
				830	if( verbose )
				831	printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
				832	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				833	memcpy( iv, aria_test2_iv, 16 );
				834	memset( buf, 0x55, sizeof(buf) );
				835	mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
				836	aria_test2_pt, buf );
				837	if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
				838	ARIA_SELF_TEST_IF_FAIL;
				839
				840	// Test CBC decryption
				841	if( verbose )
				842	printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
				843	mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
				844	memcpy( iv, aria_test2_iv, 16 );
				845	memset( buf, 0xAA, sizeof(buf) );
				846	mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
				847	aria_test2_cbc_ct[i], buf );
				848	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				849	ARIA_SELF_TEST_IF_FAIL;
				850	}
				851	if( verbose )
				852	printf("\n");
				853
				854	#endif /* MBEDTLS_CIPHER_MODE_CBC */
				855
				856	#if defined(MBEDTLS_CIPHER_MODE_CFB)
				857	for( i = 0; i < 3; i++ )
				858	{
				859	// Test CFB encryption
				860	if( verbose )
				861	printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
				862	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				863	memcpy( iv, aria_test2_iv, 16 );
				864	memset( buf, 0x55, sizeof(buf) );
				865	j = 0;
				866	mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
				867	aria_test2_pt, buf );
				868	if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
				869	ARIA_SELF_TEST_IF_FAIL;
				870
				871	// Test CFB decryption
				872	if( verbose )
				873	printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
				874	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				875	memcpy( iv, aria_test2_iv, 16 );
				876	memset( buf, 0xAA, sizeof(buf) );
				877	j = 0;
				878	mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
				879	iv, aria_test2_cfb_ct[i], buf );
				880	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				881	ARIA_SELF_TEST_IF_FAIL;
				882	}
				883	if( verbose )
				884	printf("\n");
				885	#endif /* MBEDTLS_CIPHER_MODE_CFB */
				886
				887	#if defined(MBEDTLS_CIPHER_MODE_CTR)
				888	for( i = 0; i < 3; i++ )
				889	{
				890	// Test CTR encryption
				891	if( verbose )
				892	printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
				893	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				894	memset( iv, 0, 16 ); // IV = 0
				895	memset( buf, 0x55, sizeof(buf) );
				896	j = 0;
				897	mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
				898	aria_test2_pt, buf );
				899	if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
				900	ARIA_SELF_TEST_IF_FAIL;
				901
				902	// Test CTR decryption
				903	if( verbose )
				904	printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
				905	mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
				906	memset( iv, 0, 16 ); // IV = 0
				907	memset( buf, 0xAA, sizeof(buf) );
				908	j = 0;
				909	mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
				910	aria_test2_ctr_ct[i], buf );
				911	if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
				912	ARIA_SELF_TEST_IF_FAIL;
				913	}
				914	if( verbose )
				915	printf("\n");
				916	#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen	41efbaa	2017-11-30 11:37:55 +0000	[diff] [blame]	917
				918	return( 0 );
				919	}
				920
				921	#endif /* MBEDTLS_SELF_TEST */
				922
				923	#endif /* MBEDTLS_ARIA_C */