TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a6d639e553aae26e487f0cddb0c0605f46fa614c / . / library / aria.c
blob: a9a2c25112682828a338593d3dd41912a7063787 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
51// 32-bit integer manipulation macros (little endian)
52
53#ifndef GET_UINT32_LE
54#define GET_UINT32_LE(n,b,i) \
55{ \
56 (n) = ( (uint32_t) (b)[(i) ] ) \
57 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
58 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
59 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
60}
61#endif
62
63#ifndef PUT_UINT32_LE
64#define PUT_UINT32_LE(n,b,i) \
65{ \
66 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
67 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
68 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
69 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
70}
71#endif
72
73// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
74#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
75
76// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
77#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
78
79// Affine Transform A
80// (ra, rb, rc, rd) = state in/out
81// (ta, tb, tc) = temporary variables
82
83#define ARIA_A( ra, rb, rc, rd, ta, tb, tc ) { \
84 ta = rb; \
85 rb = ra; \
86 ra = ARIA_FLIP1( ta ); \
87 tb = ARIA_FLIP1( rd ); \
88 rd = ARIA_FLIP2( rc ); \
89 rc = ARIA_FLIP2( tb ); \
90 ta ^= rd; \
91 tc = ARIA_FLIP1( rb ); \
92 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
93 tb ^= ARIA_FLIP1( rd ); \
94 tc ^= ARIA_FLIP2( ra ); \
95 rb ^= ta ^ tb; \
96 tb = ARIA_FLIP1( tb ) ^ ta; \
97 ra ^= ARIA_FLIP2( tb ); \
98 ta = ARIA_FLIP1( ta ); \
99 rd ^= ARIA_FLIP2( ta ) ^ tc; \
100 tc = ARIA_FLIP1( tc ); \
101 rc ^= ARIA_FLIP2( tc ) ^ ta; \
102}
103
104
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]105/* ARIA Round function ( Substitution Layer SLx + Affine Transform A )
106 * (ra, rb, rc, rd) = state in/out
107 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
108 * (ta, tb, tc) = temporary variables
109 *
110 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A.
111 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A.
112 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]113
114#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \
115 ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
116 (((uint32_t) sd[ rb >> 24]) << 8) ^ \
117 (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
118 (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
119 rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
120 (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
121 (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
122 (((uint32_t) sd[ ra >> 24]) << 24); \
123 ra = ta; \
124 ta = ( (uint32_t) sd[ rd >> 24]) ^ \
125 (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
126 (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
127 (((uint32_t) sa[ rd & 0xFF]) << 24); \
128 rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
129 (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
130 (((uint32_t) sd[ rc >> 24]) << 16) ^ \
131 (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
132 rc = ta; \
133 ta = ARIA_FLIP1( ra ) ^ rd; \
134 tc = ARIA_FLIP1( rb ); \
135 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
136 tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
137 tc ^= ARIA_FLIP2( ra ); \
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]138 rb ^= ta ^ tb; \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]139 tb = ARIA_FLIP1( tb ) ^ ta; \
140 ra ^= ARIA_FLIP2( tb ); \
141 ta = ARIA_FLIP1( ta ); \
142 rd ^= ARIA_FLIP2( ta ) ^ tc; \
143 tc = ARIA_FLIP1( tc ); \
144 rc ^= ARIA_FLIP2( tc ) ^ ta; \
145}
146
147// S-Boxes
148
149static const uint8_t aria_sb1[0x100] =
150{
151 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
152 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
153 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
154 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
155 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
156 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
157 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
158 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
159 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
160 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
161 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
162 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
163 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
164 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
165 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
166 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
167 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
168 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
169 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
170 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
171 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
172 0xB0, 0x54, 0xBB, 0x16
173};
174
175static const uint8_t aria_sb2[0x100] =
176{
177 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
178 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
179 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
180 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
181 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
182 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
183 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
184 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
185 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
186 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
187 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
188 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
189 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
190 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
191 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
192 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
193 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
194 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
195 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
196 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
197 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
198 0xAF, 0xBA, 0xB5, 0x81
199};
200
201static const uint8_t aria_is1[0x100] =
202{
203 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
204 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
206 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
207 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
208 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
209 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
210 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
212 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
213 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
214 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
215 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
216 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
217 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
218 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
220 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
221 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
222 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
223 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
224 0x55, 0x21, 0x0C, 0x7D
225};
226
227static const uint8_t aria_is2[0x100] =
228{
229 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
230 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
231 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
232 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
233 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
234 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
235 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
236 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
237 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
238 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
239 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
240 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
241 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
242 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
243 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
244 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
245 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
246 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
247 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
248 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
249 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
250 0x03, 0xA2, 0xAC, 0x60
251};
252// FO and FE are helpers for key schedule
253
254// r = FO( p, k ) ^ x
255
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]256static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]257 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
258{
259 uint32_t a, b, c, d;
260 uint32_t t, u, v;
261
262 a = p[0] ^ k[0];
263 b = p[1] ^ k[1];
264 c = p[2] ^ k[2];
265 d = p[3] ^ k[3];
266
267 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
268
269 r[0] = a ^ x[0];
270 r[1] = b ^ x[1];
271 r[2] = c ^ x[2];
272 r[3] = d ^ x[3];
273}
274
275// r = FE( p, k ) ^ x
276
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]277static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
279{
280 uint32_t a, b, c, d;
281 uint32_t t, u, v;
282
283 a = p[0] ^ k[0];
284 b = p[1] ^ k[1];
285 c = p[2] ^ k[2];
286 d = p[3] ^ k[3];
287
288 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
289
290 r[0] = a ^ x[0];
291 r[1] = b ^ x[1];
292 r[2] = c ^ x[2];
293 r[3] = d ^ x[3];
294}
295
296// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup.
297// This is relatively slow since our implementation is geared towards
298// little-endian targets and stores state in that order.
299
300static void aria_rot128(uint32_t r[4], const uint32_t a[4],
301 const uint32_t b[4], int n)
302{
303 int i, j, n1, n2;
304 uint32_t t, u;
305
306 j = (n >> 5) & 3; // word offset
307 n1 = n & 0x1F; // bit offsets
308 n2 = 32 - n1; // n1 should be nonzero!
309 t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
310 for( i = 0; i < 4; i++ )
311 {
312 j = (j + 1) & 3; // get next word, big endian
313 u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
314 t <<= n1; // rotate
315 if (n2 < 32) // intel rotate 32 bits = 0 bits..
316 t |= u >> n2;
317 t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
318 r[i] = a[i] ^ t; // store
319 t = u; // move to next word
320 }
321}
322
323// Set encryption key
324
325int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
326 const unsigned char *key, unsigned int keybits)
327{
328 // round constant masks
329 const uint32_t rc[3][4] =
330 {
331 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
332 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
333 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
334 };
335
336 int i;
337 uint32_t w[4][4], *w2;
338
339 if (keybits != 128 && keybits != 192 && keybits != 256)
340 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
341
342 // W0 = KL
343 GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1
344 GET_UINT32_LE( w[0][1], key, 4 );
345 GET_UINT32_LE( w[0][2], key, 8 );
346 GET_UINT32_LE( w[0][3], key, 12 );
347
348 memset(w[1], 0, 16);
349 if( keybits >= 192 )
350 {
351 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
352 GET_UINT32_LE( w[1][1], key, 20 );
353 }
354 if( keybits == 256 )
355 {
356 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
357 GET_UINT32_LE( w[1][3], key, 28 );
358 }
359
360 i = (keybits - 128) >> 6; // index: 0, 1, 2
361 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
362
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]363 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]364 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]365 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]366 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame^]367 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]368
369 for( i = 0; i < 4; i++ ) // create round keys
370 {
371 w2 = w[(i + 1) & 3];
372 aria_rot128( ctx->rk[i ], w[i], w2, -19);
373 aria_rot128( ctx->rk[i + 4], w[i], w2, -31);
374 aria_rot128( ctx->rk[i + 8], w[i], w2, 61);
375 aria_rot128( ctx->rk[i + 12], w[i], w2, 31);
376 }
377 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
378
379 return 0;
380}
381
382// Set decryption key
383
384int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
385 const unsigned char *key, unsigned int keybits)
386{
387 int i, j, k, ret;
388 uint32_t t, u, v;
389
390 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
391 if( ret != 0 )
392 return ret;
393
394 // flip the order of round keys
395 for( i = 0, j = ctx->nr; i < j; i++, j-- )
396 {
397 for( k = 0; k < 4; k++ )
398 {
399 t = ctx->rk[i][k];
400 ctx->rk[i][k] = ctx->rk[j][k];
401 ctx->rk[j][k] = t;
402 }
403 }
404
405 // apply affine transform to middle keys
406 for (i = 1; i < ctx->nr; i++ )
407 {
408 ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3],
409 t, u, v );
410 }
411
412 return 0;
413}
414
415// Encrypt a block
416
417int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
418 int mode,
419 const unsigned char input[16],
420 unsigned char output[16] )
421{
422 int i;
423
424 uint32_t a, b, c, d;
425 uint32_t t, u, v;
426
427 ( (void) mode );
428
429 GET_UINT32_LE( a, input, 0 );
430 GET_UINT32_LE( b, input, 4 );
431 GET_UINT32_LE( c, input, 8 );
432 GET_UINT32_LE( d, input, 12 );
433
434 i = 0;
435 while (1)
436 {
437 a ^= ctx->rk[i][0];
438 b ^= ctx->rk[i][1];
439 c ^= ctx->rk[i][2];
440 d ^= ctx->rk[i][3];
441 i++;
442 ARIA_SLA( a, b, c, d,
443 aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
444
445 a ^= ctx->rk[i][0];
446 b ^= ctx->rk[i][1];
447 c ^= ctx->rk[i][2];
448 d ^= ctx->rk[i][3];
449 i++;
450 if (i >= ctx->nr)
451 break;
452
453 ARIA_SLA( a, b, c, d,
454 aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
455 }
456
457 // final substitution
458
459 a = ctx->rk[i][0] ^
460 ( (uint32_t) aria_is1[ a & 0xFF]) ^
461 (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
462 (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
463 (((uint32_t) aria_sb2[ a >> 24 ]) << 24);
464
465 b = ctx->rk[i][1] ^
466 ( (uint32_t) aria_is1[ b & 0xFF]) ^
467 (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
468 (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
469 (((uint32_t) aria_sb2[ b >> 24 ]) << 24);
470
471 c = ctx->rk[i][2] ^
472 ( (uint32_t) aria_is1[ c & 0xFF]) ^
473 (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
474 (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
475 (((uint32_t) aria_sb2[ c >> 24 ]) << 24);
476
477 d = ctx->rk[i][3] ^
478 ( (uint32_t) aria_is1[ d & 0xFF]) ^
479 (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
480 (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
481 (((uint32_t) aria_sb2[ d >> 24 ]) << 24);
482
483 PUT_UINT32_LE( a, output, 0 );
484 PUT_UINT32_LE( b, output, 4 );
485 PUT_UINT32_LE( c, output, 8 );
486 PUT_UINT32_LE( d, output, 12 );
487
488 return 0;
489}
490
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]491void mbedtls_aria_init( mbedtls_aria_context *ctx )
492{
493 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
494}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]495
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]496void mbedtls_aria_free( mbedtls_aria_context *ctx )
497{
498 if( ctx == NULL )
499 return;
500
501 // compiler can't remove this since this is not a static function
502 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
503}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]504
505#if defined(MBEDTLS_CIPHER_MODE_CBC)
506/*
507 * ARIA-CBC buffer encryption/decryption
508 */
509int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
510 int mode,
511 size_t length,
512 unsigned char iv[16],
513 const unsigned char *input,
514 unsigned char *output )
515{
516 int i;
517 unsigned char temp[16];
518
519 if( length % 16 )
520 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
521
522 if( mode == MBEDTLS_ARIA_DECRYPT )
523 {
524 while( length > 0 )
525 {
526 memcpy( temp, input, 16 );
527 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
528
529 for( i = 0; i < 16; i++ )
530 output[i] = (unsigned char)( output[i] ^ iv[i] );
531
532 memcpy( iv, temp, 16 );
533
534 input += 16;
535 output += 16;
536 length -= 16;
537 }
538 }
539 else
540 {
541 while( length > 0 )
542 {
543 for( i = 0; i < 16; i++ )
544 output[i] = (unsigned char)( input[i] ^ iv[i] );
545
546 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
547 memcpy( iv, output, 16 );
548
549 input += 16;
550 output += 16;
551 length -= 16;
552 }
553 }
554
555 return( 0 );
556}
557#endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559#if defined(MBEDTLS_CIPHER_MODE_CFB)
560/*
561 * ARIA-CFB128 buffer encryption/decryption
562 */
563int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 size_t *iv_off,
567 unsigned char iv[16],
568 const unsigned char *input,
569 unsigned char *output )
570{
571 int c;
572 size_t n = *iv_off;
573
574 if( mode == MBEDTLS_ARIA_DECRYPT )
575 {
576 while( length-- )
577 {
578 if( n == 0 )
579 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
580
581 c = *input++;
582 *output++ = (unsigned char)( c ^ iv[n] );
583 iv[n] = (unsigned char) c;
584
585 n = ( n + 1 ) & 0x0F;
586 }
587 }
588 else
589 {
590 while( length-- )
591 {
592 if( n == 0 )
593 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
594
595 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
596
597 n = ( n + 1 ) & 0x0F;
598 }
599 }
600
601 *iv_off = n;
602
603 return( 0 );
604}
605#endif /* MBEDTLS_CIPHER_MODE_CFB */
606
607#if defined(MBEDTLS_CIPHER_MODE_CTR)
608/*
609 * ARIA-CTR buffer encryption/decryption
610 */
611int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
612 size_t length,
613 size_t *nc_off,
614 unsigned char nonce_counter[16],
615 unsigned char stream_block[16],
616 const unsigned char *input,
617 unsigned char *output )
618{
619 int c, i;
620 size_t n = *nc_off;
621
622 while( length-- )
623 {
624 if( n == 0 ) {
625 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
626 stream_block );
627
628 for( i = 16; i > 0; i-- )
629 if( ++nonce_counter[i - 1] != 0 )
630 break;
631 }
632 c = *input++;
633 *output++ = (unsigned char)( c ^ stream_block[n] );
634
635 n = ( n + 1 ) & 0x0F;
636 }
637
638 *nc_off = n;
639
640 return( 0 );
641}
642#endif /* MBEDTLS_CIPHER_MODE_CTR */
643#endif /* !MBEDTLS_ARIA_ALT */
644
645#if defined(MBEDTLS_SELF_TEST)
646
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]647// Basic ARIA ECB test vectors from RFC 5794
648
649static const uint8_t aria_test1_ecb_key[32] = // test key
650{
651 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
652 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
653 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
654 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
655};
656
657static const uint8_t aria_test1_ecb_pt[16] = // plaintext
658{
659 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
660 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
661};
662
663static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
664{
665 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
666 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
667 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
668 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
669 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
670 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
671};
672
673// Mode tests from "Test Vectors for ARIA" Version 1.0
674// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
675
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]676#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]677 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]678static const uint8_t aria_test2_key[32] =
679{
680 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
681 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
682 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
683 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
684};
685
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]686static const uint8_t aria_test2_pt[48] =
687{
688 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
689 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
690 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
691 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
692 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
693 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
694};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]695#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]696
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]697#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
698static const uint8_t aria_test2_iv[16] =
699{
700 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
701 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
702};
703#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]704
705#if defined(MBEDTLS_CIPHER_MODE_CBC)
706static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
707{
708 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
709 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
710 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
711 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
712 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
713 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
714 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
715 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
716 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
717 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
718 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
719 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
720 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
721 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
722 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
723 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
724 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
725 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
726};
727#endif /* MBEDTLS_CIPHER_MODE_CBC */
728
729#if defined(MBEDTLS_CIPHER_MODE_CFB)
730static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
731{
732 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
733 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
734 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
735 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
736 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
737 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
738 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
739 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
740 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
741 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
742 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
743 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
744 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
745 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
746 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
747 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
748 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
749 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
750};
751#endif /* MBEDTLS_CIPHER_MODE_CFB */
752
753#if defined(MBEDTLS_CIPHER_MODE_CTR)
754static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
755{
756 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
757 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
758 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
759 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
760 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
761 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
762 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
763 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
764 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
765 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
766 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
767 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
768 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
769 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
770 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
771 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
772 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
773 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
774};
775#endif /* MBEDTLS_CIPHER_MODE_CFB */
776
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]777/*
778 * Checkup routine
779 */
780
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]781#define ARIA_SELF_TEST_IF_FAIL \
782 { \
783 if( verbose ) \
784 printf( "failed\n" ); \
785 return( 1 ); \
786 } else { \
787 if( verbose ) \
788 printf( "passed\n" ); \
789 }
790
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]791int mbedtls_aria_self_test( int verbose )
792{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]793 int i;
794 uint8_t blk[16];
795 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]796
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]797#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
798 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]799#endif
800
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]801#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
802 defined(MBEDTLS_CIPHER_MODE_CFB) || \
803 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]804 uint8_t buf[48], iv[16];
805#endif
806
807 // Test set 1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]808
809 for( i = 0; i < 3; i++ )
810 {
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]811 // test ECB encryption
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]812 if( verbose )
813 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]814 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]815 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]816 aria_test1_ecb_pt, blk );
817 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
818 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]819
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]820 // test ECB decryption
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]821 if( verbose )
822 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]823 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]824 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]825 aria_test1_ecb_ct[i], blk );
826 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
827 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]828 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]829 if( verbose )
830 printf("\n");
831
832 // Test set 2
833
834#if defined(MBEDTLS_CIPHER_MODE_CBC)
835 for( i = 0; i < 3; i++ )
836 {
837 // Test CBC encryption
838 if( verbose )
839 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
840 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
841 memcpy( iv, aria_test2_iv, 16 );
842 memset( buf, 0x55, sizeof(buf) );
843 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
844 aria_test2_pt, buf );
845 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
846 ARIA_SELF_TEST_IF_FAIL;
847
848 // Test CBC decryption
849 if( verbose )
850 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
851 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
852 memcpy( iv, aria_test2_iv, 16 );
853 memset( buf, 0xAA, sizeof(buf) );
854 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
855 aria_test2_cbc_ct[i], buf );
856 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
857 ARIA_SELF_TEST_IF_FAIL;
858 }
859 if( verbose )
860 printf("\n");
861
862#endif /* MBEDTLS_CIPHER_MODE_CBC */
863
864#if defined(MBEDTLS_CIPHER_MODE_CFB)
865 for( i = 0; i < 3; i++ )
866 {
867 // Test CFB encryption
868 if( verbose )
869 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
870 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
871 memcpy( iv, aria_test2_iv, 16 );
872 memset( buf, 0x55, sizeof(buf) );
873 j = 0;
874 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
875 aria_test2_pt, buf );
876 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
877 ARIA_SELF_TEST_IF_FAIL;
878
879 // Test CFB decryption
880 if( verbose )
881 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
882 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
883 memcpy( iv, aria_test2_iv, 16 );
884 memset( buf, 0xAA, sizeof(buf) );
885 j = 0;
886 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
887 iv, aria_test2_cfb_ct[i], buf );
888 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
889 ARIA_SELF_TEST_IF_FAIL;
890 }
891 if( verbose )
892 printf("\n");
893#endif /* MBEDTLS_CIPHER_MODE_CFB */
894
895#if defined(MBEDTLS_CIPHER_MODE_CTR)
896 for( i = 0; i < 3; i++ )
897 {
898 // Test CTR encryption
899 if( verbose )
900 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
901 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
902 memset( iv, 0, 16 ); // IV = 0
903 memset( buf, 0x55, sizeof(buf) );
904 j = 0;
905 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
906 aria_test2_pt, buf );
907 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
908 ARIA_SELF_TEST_IF_FAIL;
909
910 // Test CTR decryption
911 if( verbose )
912 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
913 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
914 memset( iv, 0, 16 ); // IV = 0
915 memset( buf, 0xAA, sizeof(buf) );
916 j = 0;
917 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
918 aria_test2_ctr_ct[i], buf );
919 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
920 ARIA_SELF_TEST_IF_FAIL;
921 }
922 if( verbose )
923 printf("\n");
924#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]925
926 return( 0 );
927}
928
929#endif /* MBEDTLS_SELF_TEST */
930
931#endif /* MBEDTLS_ARIA_C */