TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / cac5008b177f1b46d0769c42528a6eb9863ecb6e / . / library / aria.c
blob: 72bcc6acea238f4d30253fca13be4ee120eb9071 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]51/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
54}
55
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]59
60#ifndef GET_UINT32_LE
61#define GET_UINT32_LE(n,b,i) \
62{ \
63 (n) = ( (uint32_t) (b)[(i) ] ) \
64 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
67}
68#endif
69
70#ifndef PUT_UINT32_LE
71#define PUT_UINT32_LE(n,b,i) \
72{ \
73 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
74 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
75 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
76 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
77}
78#endif
79
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]80/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]81 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]82 *
83 * This is submatrix P1 in [1] Appendix B.1
84 */
85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]86
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]87/*
88 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
89 *
90 * This is submatrix P2 in [1] Appendix B.1
91 */
92#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]93
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]94/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame^]95 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
96 *
97 * This is submatrix P3 in [1] Appendix B.1
98 */
99#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
100
101/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]102 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]103 * (a, b, c, d) = state in/out
104 *
105 * If we denote the first by of input by 0, ..., the last byte by f,
106 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
107 *
108 * Reading [1] 2.4 or [2] 2.4.3 in colums and performing simple
109 * rearrangements on adjacent pairs, output is:
110 *
111 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
112 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
113 * b = 0101 + 2323 + 5476 + 8998 + baab + ecec + ffdd
114 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
115 * c = 0022 + 1133 + 4545 + 7667 + ab89 + dcdc + fefe
116 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
117 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cedf
118 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
119 *
120 * Note: another presentation of the A transform can be found as the first
121 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
122 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]123 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]124static inline void aria_a( uint32_t *a, uint32_t *b,
125 uint32_t *c, uint32_t *d )
126{
127 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]128 ta = *b; // 4567
129 *b = *a; // 0123
130 *a = ARIA_P2( ta ); // 6745
131 tb = ARIA_P2( *d ); // efcd
132 *d = ARIA_P1( *c ); // 98ba
133 *c = ARIA_P1( tb ); // fedc
134 ta ^= *d; // 4567+98ba
135 tc = ARIA_P2( *b ); // 2301
136 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
137 tb ^= ARIA_P2( *d ); // ba98+efcd
138 tc ^= ARIA_P1( *a ); // 2301+7654
139 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
140 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
141 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
142 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
143 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
144 tc = ARIA_P2( tc ); // 0123+5476
145 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]146}
147
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]148/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]149 * ARIA Substitution Layer SL1 / SL2
150 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]151 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]152 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]153 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
154 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]155 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]156static inline void aria_sl( uint32_t *a, uint32_t *b,
157 uint32_t *c, uint32_t *d,
158 const uint8_t sa[0x100], const uint8_t sb[0x100],
159 const uint8_t sc[0x100], const uint8_t sd[0x100] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]160{
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]161 *a = ( (uint32_t) sa[ *a & 0xFF]) ^
162 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
163 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
164 (((uint32_t) sd[ *a >> 24 ]) << 24);
165 *b = ( (uint32_t) sa[ *b & 0xFF]) ^
166 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
167 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
168 (((uint32_t) sd[ *b >> 24 ]) << 24);
169 *c = ( (uint32_t) sa[ *c & 0xFF]) ^
170 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
171 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
172 (((uint32_t) sd[ *c >> 24 ]) << 24);
173 *d = ( (uint32_t) sa[ *d & 0xFF]) ^
174 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
175 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
176 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]177}
178
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]179/*
180 * S-Boxes
181 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]182static const uint8_t aria_sb1[0x100] =
183{
184 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
185 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
186 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
187 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
188 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
189 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
190 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
191 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
192 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
193 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
194 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
195 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
196 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
197 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
198 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
199 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
200 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
201 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
202 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
203 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
204 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
205 0xB0, 0x54, 0xBB, 0x16
206};
207
208static const uint8_t aria_sb2[0x100] =
209{
210 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
211 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
212 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
213 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
214 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
215 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
216 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
217 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
218 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
219 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
220 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
221 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
222 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
223 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
224 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
225 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
226 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
227 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
228 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
229 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
230 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
231 0xAF, 0xBA, 0xB5, 0x81
232};
233
234static const uint8_t aria_is1[0x100] =
235{
236 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
237 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
238 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
239 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
240 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
241 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
242 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
243 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
244 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
245 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
247 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
249 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
250 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
251 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
252 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
253 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
254 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
255 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
256 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
257 0x55, 0x21, 0x0C, 0x7D
258};
259
260static const uint8_t aria_is2[0x100] =
261{
262 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
263 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
264 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
265 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
266 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
267 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
268 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
269 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
270 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
271 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
272 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
273 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
274 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
275 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
276 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
277 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
278 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
279 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
280 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
281 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
282 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
283 0x03, 0xA2, 0xAC, 0x60
284};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]285
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]286/*
287 * Helper for key schedule: r = FO( p, k ) ^ x
288 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]289static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]290 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
291{
292 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]293
294 a = p[0] ^ k[0];
295 b = p[1] ^ k[1];
296 c = p[2] ^ k[2];
297 d = p[3] ^ k[3];
298
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]299 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
300 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]301
302 r[0] = a ^ x[0];
303 r[1] = b ^ x[1];
304 r[2] = c ^ x[2];
305 r[3] = d ^ x[3];
306}
307
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]308/*
309 * Helper for key schedule: r = FE( p, k ) ^ x
310 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]311static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]312 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
313{
314 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]315
316 a = p[0] ^ k[0];
317 b = p[1] ^ k[1];
318 c = p[2] ^ k[2];
319 d = p[3] ^ k[3];
320
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]321 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
322 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]323
324 r[0] = a ^ x[0];
325 r[1] = b ^ x[1];
326 r[2] = c ^ x[2];
327 r[3] = d ^ x[3];
328}
329
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]330/*
331 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
332 *
333 * We chose to store bytes into 32-bit words in little-endian format (see
334 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
335 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]337 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]338{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]339 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]340 uint32_t t, u;
341
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]342 const uint8_t n1 = n % 32; // bit offset
343 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]344
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]345 j = (n / 32) % 4; // initial word offset
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame^]346 t = ARIA_P3( b[j] ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]347 for( i = 0; i < 4; i++ )
348 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]349 j = (j + 1) % 4; // get next word, big endian
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame^]350 u = ARIA_P3( b[j] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]351 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]352 t |= u >> n2;
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame^]353 t = ARIA_P3( t ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]354 r[i] = a[i] ^ t; // store
355 t = u; // move to next word
356 }
357}
358
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]359/*
360 * Set encryption key
361 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]362int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
363 const unsigned char *key, unsigned int keybits)
364{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]365 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]366 const uint32_t rc[3][4] =
367 {
368 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
369 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
370 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
371 };
372
373 int i;
374 uint32_t w[4][4], *w2;
375
376 if (keybits != 128 && keybits != 192 && keybits != 256)
377 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
378
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]379 /* Copy key to W0 (and potential remainder to W1) */
380 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]381 GET_UINT32_LE( w[0][1], key, 4 );
382 GET_UINT32_LE( w[0][2], key, 8 );
383 GET_UINT32_LE( w[0][3], key, 12 );
384
385 memset(w[1], 0, 16);
386 if( keybits >= 192 )
387 {
388 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
389 GET_UINT32_LE( w[1][1], key, 20 );
390 }
391 if( keybits == 256 )
392 {
393 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
394 GET_UINT32_LE( w[1][3], key, 28 );
395 }
396
397 i = (keybits - 128) >> 6; // index: 0, 1, 2
398 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
399
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]400 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]401 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]402 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]404 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]405
406 for( i = 0; i < 4; i++ ) // create round keys
407 {
408 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]409 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
410 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
411 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
412 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]413 }
414 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
415
416 return 0;
417}
418
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]419/*
420 * Set decryption key
421 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]422int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
423 const unsigned char *key, unsigned int keybits)
424{
425 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]426
427 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
428 if( ret != 0 )
429 return ret;
430
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]431 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]432 for( i = 0, j = ctx->nr; i < j; i++, j-- )
433 {
434 for( k = 0; k < 4; k++ )
435 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]436 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]437 ctx->rk[i][k] = ctx->rk[j][k];
438 ctx->rk[j][k] = t;
439 }
440 }
441
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]442 /* apply affine transform to middle keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]444 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445
446 return 0;
447}
448
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]449/*
450 * Encrypt a block
451 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]452int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
453 int mode,
454 const unsigned char input[16],
455 unsigned char output[16] )
456{
457 int i;
458
459 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]460
461 ( (void) mode );
462
463 GET_UINT32_LE( a, input, 0 );
464 GET_UINT32_LE( b, input, 4 );
465 GET_UINT32_LE( c, input, 8 );
466 GET_UINT32_LE( d, input, 12 );
467
468 i = 0;
469 while (1)
470 {
471 a ^= ctx->rk[i][0];
472 b ^= ctx->rk[i][1];
473 c ^= ctx->rk[i][2];
474 d ^= ctx->rk[i][3];
475 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]476
477 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
478 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]479
480 a ^= ctx->rk[i][0];
481 b ^= ctx->rk[i][1];
482 c ^= ctx->rk[i][2];
483 d ^= ctx->rk[i][3];
484 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]485
486 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]487 if (i >= ctx->nr)
488 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]489 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490 }
491
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]492 /* final key mixing */
493 a ^= ctx->rk[i][0];
494 b ^= ctx->rk[i][1];
495 c ^= ctx->rk[i][2];
496 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]497
498 PUT_UINT32_LE( a, output, 0 );
499 PUT_UINT32_LE( b, output, 4 );
500 PUT_UINT32_LE( c, output, 8 );
501 PUT_UINT32_LE( d, output, 12 );
502
503 return 0;
504}
505
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]506/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]507void mbedtls_aria_init( mbedtls_aria_context *ctx )
508{
509 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
510}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]511
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]512/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]513void mbedtls_aria_free( mbedtls_aria_context *ctx )
514{
515 if( ctx == NULL )
516 return;
517
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]518 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]519}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]520
521#if defined(MBEDTLS_CIPHER_MODE_CBC)
522/*
523 * ARIA-CBC buffer encryption/decryption
524 */
525int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
526 int mode,
527 size_t length,
528 unsigned char iv[16],
529 const unsigned char *input,
530 unsigned char *output )
531{
532 int i;
533 unsigned char temp[16];
534
535 if( length % 16 )
536 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
537
538 if( mode == MBEDTLS_ARIA_DECRYPT )
539 {
540 while( length > 0 )
541 {
542 memcpy( temp, input, 16 );
543 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
544
545 for( i = 0; i < 16; i++ )
546 output[i] = (unsigned char)( output[i] ^ iv[i] );
547
548 memcpy( iv, temp, 16 );
549
550 input += 16;
551 output += 16;
552 length -= 16;
553 }
554 }
555 else
556 {
557 while( length > 0 )
558 {
559 for( i = 0; i < 16; i++ )
560 output[i] = (unsigned char)( input[i] ^ iv[i] );
561
562 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
563 memcpy( iv, output, 16 );
564
565 input += 16;
566 output += 16;
567 length -= 16;
568 }
569 }
570
571 return( 0 );
572}
573#endif /* MBEDTLS_CIPHER_MODE_CBC */
574
575#if defined(MBEDTLS_CIPHER_MODE_CFB)
576/*
577 * ARIA-CFB128 buffer encryption/decryption
578 */
579int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
580 int mode,
581 size_t length,
582 size_t *iv_off,
583 unsigned char iv[16],
584 const unsigned char *input,
585 unsigned char *output )
586{
587 int c;
588 size_t n = *iv_off;
589
590 if( mode == MBEDTLS_ARIA_DECRYPT )
591 {
592 while( length-- )
593 {
594 if( n == 0 )
595 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
596
597 c = *input++;
598 *output++ = (unsigned char)( c ^ iv[n] );
599 iv[n] = (unsigned char) c;
600
601 n = ( n + 1 ) & 0x0F;
602 }
603 }
604 else
605 {
606 while( length-- )
607 {
608 if( n == 0 )
609 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
610
611 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
612
613 n = ( n + 1 ) & 0x0F;
614 }
615 }
616
617 *iv_off = n;
618
619 return( 0 );
620}
621#endif /* MBEDTLS_CIPHER_MODE_CFB */
622
623#if defined(MBEDTLS_CIPHER_MODE_CTR)
624/*
625 * ARIA-CTR buffer encryption/decryption
626 */
627int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
628 size_t length,
629 size_t *nc_off,
630 unsigned char nonce_counter[16],
631 unsigned char stream_block[16],
632 const unsigned char *input,
633 unsigned char *output )
634{
635 int c, i;
636 size_t n = *nc_off;
637
638 while( length-- )
639 {
640 if( n == 0 ) {
641 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
642 stream_block );
643
644 for( i = 16; i > 0; i-- )
645 if( ++nonce_counter[i - 1] != 0 )
646 break;
647 }
648 c = *input++;
649 *output++ = (unsigned char)( c ^ stream_block[n] );
650
651 n = ( n + 1 ) & 0x0F;
652 }
653
654 *nc_off = n;
655
656 return( 0 );
657}
658#endif /* MBEDTLS_CIPHER_MODE_CTR */
659#endif /* !MBEDTLS_ARIA_ALT */
660
661#if defined(MBEDTLS_SELF_TEST)
662
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]663/*
664 * Basic ARIA ECB test vectors from RFC 5794
665 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]666static const uint8_t aria_test1_ecb_key[32] = // test key
667{
668 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
669 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
670 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
671 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
672};
673
674static const uint8_t aria_test1_ecb_pt[16] = // plaintext
675{
676 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
677 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
678};
679
680static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
681{
682 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
683 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
684 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
685 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
686 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
687 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
688};
689
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]690/*
691 * Mode tests from "Test Vectors for ARIA" Version 1.0
692 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
693 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]694#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]695 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]696static const uint8_t aria_test2_key[32] =
697{
698 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
699 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
700 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
701 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
702};
703
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]704static const uint8_t aria_test2_pt[48] =
705{
706 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
707 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
708 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
709 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
710 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
711 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
712};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]713#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]714
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]715#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
716static const uint8_t aria_test2_iv[16] =
717{
718 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
719 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
720};
721#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]722
723#if defined(MBEDTLS_CIPHER_MODE_CBC)
724static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
725{
726 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
727 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
728 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
729 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
730 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
731 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
732 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
733 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
734 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
735 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
736 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
737 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
738 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
739 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
740 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
741 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
742 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
743 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
744};
745#endif /* MBEDTLS_CIPHER_MODE_CBC */
746
747#if defined(MBEDTLS_CIPHER_MODE_CFB)
748static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
749{
750 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
751 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
752 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
753 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
754 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
755 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
756 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
757 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
758 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
759 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
760 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
761 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
762 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
763 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
764 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
765 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
766 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
767 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
768};
769#endif /* MBEDTLS_CIPHER_MODE_CFB */
770
771#if defined(MBEDTLS_CIPHER_MODE_CTR)
772static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
773{
774 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
775 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
776 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
777 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
778 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
779 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
780 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
781 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
782 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
783 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
784 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
785 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
786 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
787 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
788 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
789 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
790 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
791 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
792};
793#endif /* MBEDTLS_CIPHER_MODE_CFB */
794
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]795#define ARIA_SELF_TEST_IF_FAIL \
796 { \
797 if( verbose ) \
798 printf( "failed\n" ); \
799 return( 1 ); \
800 } else { \
801 if( verbose ) \
802 printf( "passed\n" ); \
803 }
804
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]805/*
806 * Checkup routine
807 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]808int mbedtls_aria_self_test( int verbose )
809{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]810 int i;
811 uint8_t blk[16];
812 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]813
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]814#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
815 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]816#endif
817
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]818#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
819 defined(MBEDTLS_CIPHER_MODE_CFB) || \
820 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]821 uint8_t buf[48], iv[16];
822#endif
823
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]824 /*
825 * Test set 1
826 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]827 for( i = 0; i < 3; i++ )
828 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]829 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]830 if( verbose )
831 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]832 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]833 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]834 aria_test1_ecb_pt, blk );
835 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
836 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]837
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]838 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]839 if( verbose )
840 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]841 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]842 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]843 aria_test1_ecb_ct[i], blk );
844 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
845 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]846 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]847 if( verbose )
848 printf("\n");
849
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]850 /*
851 * Test set 2
852 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]853#if defined(MBEDTLS_CIPHER_MODE_CBC)
854 for( i = 0; i < 3; i++ )
855 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]856 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]857 if( verbose )
858 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
859 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
860 memcpy( iv, aria_test2_iv, 16 );
861 memset( buf, 0x55, sizeof(buf) );
862 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
863 aria_test2_pt, buf );
864 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
865 ARIA_SELF_TEST_IF_FAIL;
866
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]867 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]868 if( verbose )
869 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
870 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
871 memcpy( iv, aria_test2_iv, 16 );
872 memset( buf, 0xAA, sizeof(buf) );
873 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
874 aria_test2_cbc_ct[i], buf );
875 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
876 ARIA_SELF_TEST_IF_FAIL;
877 }
878 if( verbose )
879 printf("\n");
880
881#endif /* MBEDTLS_CIPHER_MODE_CBC */
882
883#if defined(MBEDTLS_CIPHER_MODE_CFB)
884 for( i = 0; i < 3; i++ )
885 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]886 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]887 if( verbose )
888 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
889 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
890 memcpy( iv, aria_test2_iv, 16 );
891 memset( buf, 0x55, sizeof(buf) );
892 j = 0;
893 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
894 aria_test2_pt, buf );
895 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
896 ARIA_SELF_TEST_IF_FAIL;
897
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]898 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]899 if( verbose )
900 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
901 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
902 memcpy( iv, aria_test2_iv, 16 );
903 memset( buf, 0xAA, sizeof(buf) );
904 j = 0;
905 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
906 iv, aria_test2_cfb_ct[i], buf );
907 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
908 ARIA_SELF_TEST_IF_FAIL;
909 }
910 if( verbose )
911 printf("\n");
912#endif /* MBEDTLS_CIPHER_MODE_CFB */
913
914#if defined(MBEDTLS_CIPHER_MODE_CTR)
915 for( i = 0; i < 3; i++ )
916 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]917 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]918 if( verbose )
919 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
920 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
921 memset( iv, 0, 16 ); // IV = 0
922 memset( buf, 0x55, sizeof(buf) );
923 j = 0;
924 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
925 aria_test2_pt, buf );
926 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
927 ARIA_SELF_TEST_IF_FAIL;
928
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]929 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]930 if( verbose )
931 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
932 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
933 memset( iv, 0, 16 ); // IV = 0
934 memset( buf, 0xAA, sizeof(buf) );
935 j = 0;
936 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
937 aria_test2_ctr_ct[i], buf );
938 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
939 ARIA_SELF_TEST_IF_FAIL;
940 }
941 if( verbose )
942 printf("\n");
943#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]944
945 return( 0 );
946}
947
948#endif /* MBEDTLS_SELF_TEST */
949
950#endif /* MBEDTLS_ARIA_C */