/src/mbedtls/library/aria.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * ARIA implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 |
6 | | * |
7 | | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
8 | | * not use this file except in compliance with the License. |
9 | | * You may obtain a copy of the License at |
10 | | * |
11 | | * http://www.apache.org/licenses/LICENSE-2.0 |
12 | | * |
13 | | * Unless required by applicable law or agreed to in writing, software |
14 | | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
15 | | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
16 | | * See the License for the specific language governing permissions and |
17 | | * limitations under the License. |
18 | | */ |
19 | | |
20 | | /* |
21 | | * This implementation is based on the following standards: |
22 | | * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf |
23 | | * [2] https://tools.ietf.org/html/rfc5794 |
24 | | */ |
25 | | |
26 | | #include "common.h" |
27 | | |
28 | | #if defined(MBEDTLS_ARIA_C) |
29 | | |
30 | | #include "mbedtls/aria.h" |
31 | | |
32 | | #include <string.h> |
33 | | |
34 | | #include "mbedtls/platform.h" |
35 | | |
36 | | #if !defined(MBEDTLS_ARIA_ALT) |
37 | | |
38 | | #include "mbedtls/platform_util.h" |
39 | | |
40 | | /* Parameter validation macros */ |
41 | | #define ARIA_VALIDATE_RET(cond) \ |
42 | 106k | MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) |
43 | | #define ARIA_VALIDATE(cond) \ |
44 | 1.16k | MBEDTLS_INTERNAL_VALIDATE(cond) |
45 | | |
46 | | /* |
47 | | * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes |
48 | | * |
49 | | * This is submatrix P1 in [1] Appendix B.1 |
50 | | * |
51 | | * Common compilers fail to translate this to minimal number of instructions, |
52 | | * so let's provide asm versions for common platforms with C fallback. |
53 | | */ |
54 | | #if defined(MBEDTLS_HAVE_ASM) |
55 | | #if defined(__arm__) /* rev16 available from v6 up */ |
56 | | /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ |
57 | | #if defined(__GNUC__) && \ |
58 | | (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \ |
59 | | __ARM_ARCH >= 6 |
60 | | static inline uint32_t aria_p1(uint32_t x) |
61 | | { |
62 | | uint32_t r; |
63 | | __asm("rev16 %0, %1" : "=l" (r) : "l" (x)); |
64 | | return r; |
65 | | } |
66 | | #define ARIA_P1 aria_p1 |
67 | | #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ |
68 | | (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3) |
69 | | static inline uint32_t aria_p1(uint32_t x) |
70 | | { |
71 | | uint32_t r; |
72 | | __asm("rev16 r, x"); |
73 | | return r; |
74 | | } |
75 | | #define ARIA_P1 aria_p1 |
76 | | #endif |
77 | | #endif /* arm */ |
78 | | #if defined(__GNUC__) && \ |
79 | | defined(__i386__) || defined(__amd64__) || defined(__x86_64__) |
80 | | /* I couldn't find an Intel equivalent of rev16, so two instructions */ |
81 | 3.07M | #define ARIA_P1(x) ARIA_P2(ARIA_P3(x)) |
82 | | #endif /* x86 gnuc */ |
83 | | #endif /* MBEDTLS_HAVE_ASM && GNUC */ |
84 | | #if !defined(ARIA_P1) |
85 | | #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) |
86 | | #endif |
87 | | |
88 | | /* |
89 | | * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits |
90 | | * |
91 | | * This is submatrix P2 in [1] Appendix B.1 |
92 | | * |
93 | | * Common compilers will translate this to a single instruction. |
94 | | */ |
95 | 6.14M | #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) |
96 | | |
97 | | /* |
98 | | * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness |
99 | | * |
100 | | * This is submatrix P3 in [1] Appendix B.1 |
101 | | */ |
102 | 178k | #define ARIA_P3(x) MBEDTLS_BSWAP32(x) |
103 | | |
104 | | /* |
105 | | * ARIA Affine Transform |
106 | | * (a, b, c, d) = state in/out |
107 | | * |
108 | | * If we denote the first byte of input by 0, ..., the last byte by f, |
109 | | * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. |
110 | | * |
111 | | * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple |
112 | | * rearrangements on adjacent pairs, output is: |
113 | | * |
114 | | * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe |
115 | | * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd |
116 | | * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd |
117 | | * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc |
118 | | * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe |
119 | | * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc |
120 | | * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef |
121 | | * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef |
122 | | * |
123 | | * Note: another presentation of the A transform can be found as the first |
124 | | * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. |
125 | | * The implementation below uses only P1 and P2 as they are sufficient. |
126 | | */ |
127 | | static inline void aria_a(uint32_t *a, uint32_t *b, |
128 | | uint32_t *c, uint32_t *d) |
129 | 438k | { |
130 | 438k | uint32_t ta, tb, tc; |
131 | 438k | ta = *b; // 4567 |
132 | 438k | *b = *a; // 0123 |
133 | 438k | *a = ARIA_P2(ta); // 6745 |
134 | 438k | tb = ARIA_P2(*d); // efcd |
135 | 438k | *d = ARIA_P1(*c); // 98ba |
136 | 438k | *c = ARIA_P1(tb); // fedc |
137 | 438k | ta ^= *d; // 4567+98ba |
138 | 438k | tc = ARIA_P2(*b); // 2301 |
139 | 438k | ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc |
140 | 438k | tb ^= ARIA_P2(*d); // ba98+efcd |
141 | 438k | tc ^= ARIA_P1(*a); // 2301+7654 |
142 | 438k | *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT |
143 | 438k | tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc |
144 | 438k | *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT |
145 | 438k | ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe |
146 | 438k | *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT |
147 | 438k | tc = ARIA_P2(tc); // 0123+5476 |
148 | 438k | *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT |
149 | 438k | } |
150 | | |
151 | | /* |
152 | | * ARIA Substitution Layer SL1 / SL2 |
153 | | * (a, b, c, d) = state in/out |
154 | | * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) |
155 | | * |
156 | | * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 |
157 | | * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 |
158 | | */ |
159 | | static inline void aria_sl(uint32_t *a, uint32_t *b, |
160 | | uint32_t *c, uint32_t *d, |
161 | | const uint8_t sa[256], const uint8_t sb[256], |
162 | | const uint8_t sc[256], const uint8_t sd[256]) |
163 | 469k | { |
164 | 469k | *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^ |
165 | 469k | (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^ |
166 | 469k | (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^ |
167 | 469k | (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24); |
168 | 469k | *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^ |
169 | 469k | (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^ |
170 | 469k | (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^ |
171 | 469k | (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24); |
172 | 469k | *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^ |
173 | 469k | (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^ |
174 | 469k | (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^ |
175 | 469k | (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24); |
176 | 469k | *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^ |
177 | 469k | (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^ |
178 | 469k | (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^ |
179 | 469k | (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24); |
180 | 469k | } |
181 | | |
182 | | /* |
183 | | * S-Boxes |
184 | | */ |
185 | | static const uint8_t aria_sb1[256] = |
186 | | { |
187 | | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, |
188 | | 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
189 | | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, |
190 | | 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
191 | | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, |
192 | | 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
193 | | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, |
194 | | 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
195 | | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, |
196 | | 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
197 | | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, |
198 | | 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
199 | | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, |
200 | | 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
201 | | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, |
202 | | 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
203 | | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, |
204 | | 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
205 | | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, |
206 | | 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
207 | | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, |
208 | | 0xB0, 0x54, 0xBB, 0x16 |
209 | | }; |
210 | | |
211 | | static const uint8_t aria_sb2[256] = |
212 | | { |
213 | | 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, |
214 | | 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, |
215 | | 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, |
216 | | 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, |
217 | | 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, |
218 | | 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, |
219 | | 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, |
220 | | 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, |
221 | | 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, |
222 | | 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, |
223 | | 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, |
224 | | 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, |
225 | | 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, |
226 | | 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, |
227 | | 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, |
228 | | 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, |
229 | | 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, |
230 | | 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, |
231 | | 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, |
232 | | 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, |
233 | | 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, |
234 | | 0xAF, 0xBA, 0xB5, 0x81 |
235 | | }; |
236 | | |
237 | | static const uint8_t aria_is1[256] = |
238 | | { |
239 | | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, |
240 | | 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
241 | | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, |
242 | | 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
243 | | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, |
244 | | 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
245 | | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, |
246 | | 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
247 | | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, |
248 | | 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
249 | | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, |
250 | | 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
251 | | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, |
252 | | 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
253 | | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, |
254 | | 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
255 | | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, |
256 | | 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
257 | | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, |
258 | | 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
259 | | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, |
260 | | 0x55, 0x21, 0x0C, 0x7D |
261 | | }; |
262 | | |
263 | | static const uint8_t aria_is2[256] = |
264 | | { |
265 | | 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, |
266 | | 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, |
267 | | 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, |
268 | | 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, |
269 | | 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, |
270 | | 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, |
271 | | 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, |
272 | | 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, |
273 | | 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, |
274 | | 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, |
275 | | 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, |
276 | | 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, |
277 | | 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, |
278 | | 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, |
279 | | 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, |
280 | | 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, |
281 | | 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, |
282 | | 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, |
283 | | 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, |
284 | | 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, |
285 | | 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, |
286 | | 0x03, 0xA2, 0xAC, 0x60 |
287 | | }; |
288 | | |
289 | | /* |
290 | | * Helper for key schedule: r = FO( p, k ) ^ x |
291 | | */ |
292 | | static void aria_fo_xor(uint32_t r[4], const uint32_t p[4], |
293 | | const uint32_t k[4], const uint32_t x[4]) |
294 | 2.32k | { |
295 | 2.32k | uint32_t a, b, c, d; |
296 | | |
297 | 2.32k | a = p[0] ^ k[0]; |
298 | 2.32k | b = p[1] ^ k[1]; |
299 | 2.32k | c = p[2] ^ k[2]; |
300 | 2.32k | d = p[3] ^ k[3]; |
301 | | |
302 | 2.32k | aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); |
303 | 2.32k | aria_a(&a, &b, &c, &d); |
304 | | |
305 | 2.32k | r[0] = a ^ x[0]; |
306 | 2.32k | r[1] = b ^ x[1]; |
307 | 2.32k | r[2] = c ^ x[2]; |
308 | 2.32k | r[3] = d ^ x[3]; |
309 | 2.32k | } |
310 | | |
311 | | /* |
312 | | * Helper for key schedule: r = FE( p, k ) ^ x |
313 | | */ |
314 | | static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], |
315 | | const uint32_t k[4], const uint32_t x[4]) |
316 | 1.16k | { |
317 | 1.16k | uint32_t a, b, c, d; |
318 | | |
319 | 1.16k | a = p[0] ^ k[0]; |
320 | 1.16k | b = p[1] ^ k[1]; |
321 | 1.16k | c = p[2] ^ k[2]; |
322 | 1.16k | d = p[3] ^ k[3]; |
323 | | |
324 | 1.16k | aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); |
325 | 1.16k | aria_a(&a, &b, &c, &d); |
326 | | |
327 | 1.16k | r[0] = a ^ x[0]; |
328 | 1.16k | r[1] = b ^ x[1]; |
329 | 1.16k | r[2] = c ^ x[2]; |
330 | 1.16k | r[3] = d ^ x[3]; |
331 | 1.16k | } |
332 | | |
333 | | /* |
334 | | * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. |
335 | | * |
336 | | * We chose to store bytes into 32-bit words in little-endian format (see |
337 | | * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse |
338 | | * bytes here. |
339 | | */ |
340 | | static void aria_rot128(uint32_t r[4], const uint32_t a[4], |
341 | | const uint32_t b[4], uint8_t n) |
342 | 19.7k | { |
343 | 19.7k | uint8_t i, j; |
344 | 19.7k | uint32_t t, u; |
345 | | |
346 | 19.7k | const uint8_t n1 = n % 32; // bit offset |
347 | 19.7k | const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset |
348 | | |
349 | 19.7k | j = (n / 32) % 4; // initial word offset |
350 | 19.7k | t = ARIA_P3(b[j]); // big endian |
351 | 98.9k | for (i = 0; i < 4; i++) { |
352 | 79.1k | j = (j + 1) % 4; // get next word, big endian |
353 | 79.1k | u = ARIA_P3(b[j]); |
354 | 79.1k | t <<= n1; // rotate |
355 | 79.1k | t |= u >> n2; |
356 | 79.1k | t = ARIA_P3(t); // back to little endian |
357 | 79.1k | r[i] = a[i] ^ t; // store |
358 | 79.1k | t = u; // move to next word |
359 | 79.1k | } |
360 | 19.7k | } |
361 | | |
362 | | /* |
363 | | * Set encryption key |
364 | | */ |
365 | | int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, |
366 | | const unsigned char *key, unsigned int keybits) |
367 | 1.16k | { |
368 | | /* round constant masks */ |
369 | 1.16k | const uint32_t rc[3][4] = |
370 | 1.16k | { |
371 | 1.16k | { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, |
372 | 1.16k | { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, |
373 | 1.16k | { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } |
374 | 1.16k | }; |
375 | | |
376 | 1.16k | int i; |
377 | 1.16k | uint32_t w[4][4], *w2; |
378 | 1.16k | ARIA_VALIDATE_RET(ctx != NULL); |
379 | 1.16k | ARIA_VALIDATE_RET(key != NULL); |
380 | | |
381 | 1.16k | if (keybits != 128 && keybits != 192 && keybits != 256) { |
382 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
383 | 0 | } |
384 | | |
385 | | /* Copy key to W0 (and potential remainder to W1) */ |
386 | 1.16k | w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0); |
387 | 1.16k | w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4); |
388 | 1.16k | w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8); |
389 | 1.16k | w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12); |
390 | | |
391 | 1.16k | memset(w[1], 0, 16); |
392 | 1.16k | if (keybits >= 192) { |
393 | 518 | w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key |
394 | 518 | w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20); |
395 | 518 | } |
396 | 1.16k | if (keybits == 256) { |
397 | 518 | w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key |
398 | 518 | w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28); |
399 | 518 | } |
400 | | |
401 | 1.16k | i = (keybits - 128) >> 6; // index: 0, 1, 2 |
402 | 1.16k | ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 |
403 | | |
404 | 1.16k | aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR |
405 | 1.16k | i = i < 2 ? i + 1 : 0; |
406 | 1.16k | aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0 |
407 | 1.16k | i = i < 2 ? i + 1 : 0; |
408 | 1.16k | aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1 |
409 | | |
410 | 5.82k | for (i = 0; i < 4; i++) { // create round keys |
411 | 4.65k | w2 = w[(i + 1) & 3]; |
412 | 4.65k | aria_rot128(ctx->rk[i], w[i], w2, 128 - 19); |
413 | 4.65k | aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31); |
414 | 4.65k | aria_rot128(ctx->rk[i + 8], w[i], w2, 61); |
415 | 4.65k | aria_rot128(ctx->rk[i + 12], w[i], w2, 31); |
416 | 4.65k | } |
417 | 1.16k | aria_rot128(ctx->rk[16], w[0], w[1], 19); |
418 | | |
419 | | /* w holds enough info to reconstruct the round keys */ |
420 | 1.16k | mbedtls_platform_zeroize(w, sizeof(w)); |
421 | | |
422 | 1.16k | return 0; |
423 | 1.16k | } |
424 | | |
425 | | /* |
426 | | * Set decryption key |
427 | | */ |
428 | | int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, |
429 | | const unsigned char *key, unsigned int keybits) |
430 | 233 | { |
431 | 233 | int i, j, k, ret; |
432 | 233 | ARIA_VALIDATE_RET(ctx != NULL); |
433 | 233 | ARIA_VALIDATE_RET(key != NULL); |
434 | | |
435 | 233 | ret = mbedtls_aria_setkey_enc(ctx, key, keybits); |
436 | 233 | if (ret != 0) { |
437 | 0 | return ret; |
438 | 0 | } |
439 | | |
440 | | /* flip the order of round keys */ |
441 | 1.85k | for (i = 0, j = ctx->nr; i < j; i++, j--) { |
442 | 8.10k | for (k = 0; k < 4; k++) { |
443 | 6.48k | uint32_t t = ctx->rk[i][k]; |
444 | 6.48k | ctx->rk[i][k] = ctx->rk[j][k]; |
445 | 6.48k | ctx->rk[j][k] = t; |
446 | 6.48k | } |
447 | 1.62k | } |
448 | | |
449 | | /* apply affine transform to middle keys */ |
450 | 3.24k | for (i = 1; i < ctx->nr; i++) { |
451 | 3.00k | aria_a(&ctx->rk[i][0], &ctx->rk[i][1], |
452 | 3.00k | &ctx->rk[i][2], &ctx->rk[i][3]); |
453 | 3.00k | } |
454 | | |
455 | 233 | return 0; |
456 | 233 | } |
457 | | |
458 | | /* |
459 | | * Encrypt a block |
460 | | */ |
461 | | int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, |
462 | | const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], |
463 | | unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) |
464 | 33.7k | { |
465 | 33.7k | int i; |
466 | | |
467 | 33.7k | uint32_t a, b, c, d; |
468 | 33.7k | ARIA_VALIDATE_RET(ctx != NULL); |
469 | 33.7k | ARIA_VALIDATE_RET(input != NULL); |
470 | 33.7k | ARIA_VALIDATE_RET(output != NULL); |
471 | | |
472 | 33.7k | a = MBEDTLS_GET_UINT32_LE(input, 0); |
473 | 33.7k | b = MBEDTLS_GET_UINT32_LE(input, 4); |
474 | 33.7k | c = MBEDTLS_GET_UINT32_LE(input, 8); |
475 | 33.7k | d = MBEDTLS_GET_UINT32_LE(input, 12); |
476 | | |
477 | 33.7k | i = 0; |
478 | 233k | while (1) { |
479 | 233k | a ^= ctx->rk[i][0]; |
480 | 233k | b ^= ctx->rk[i][1]; |
481 | 233k | c ^= ctx->rk[i][2]; |
482 | 233k | d ^= ctx->rk[i][3]; |
483 | 233k | i++; |
484 | | |
485 | 233k | aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); |
486 | 233k | aria_a(&a, &b, &c, &d); |
487 | | |
488 | 233k | a ^= ctx->rk[i][0]; |
489 | 233k | b ^= ctx->rk[i][1]; |
490 | 233k | c ^= ctx->rk[i][2]; |
491 | 233k | d ^= ctx->rk[i][3]; |
492 | 233k | i++; |
493 | | |
494 | 233k | aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); |
495 | 233k | if (i >= ctx->nr) { |
496 | 33.7k | break; |
497 | 33.7k | } |
498 | 199k | aria_a(&a, &b, &c, &d); |
499 | 199k | } |
500 | | |
501 | | /* final key mixing */ |
502 | 33.7k | a ^= ctx->rk[i][0]; |
503 | 33.7k | b ^= ctx->rk[i][1]; |
504 | 33.7k | c ^= ctx->rk[i][2]; |
505 | 33.7k | d ^= ctx->rk[i][3]; |
506 | | |
507 | 33.7k | MBEDTLS_PUT_UINT32_LE(a, output, 0); |
508 | 33.7k | MBEDTLS_PUT_UINT32_LE(b, output, 4); |
509 | 33.7k | MBEDTLS_PUT_UINT32_LE(c, output, 8); |
510 | 33.7k | MBEDTLS_PUT_UINT32_LE(d, output, 12); |
511 | | |
512 | 33.7k | return 0; |
513 | 33.7k | } |
514 | | |
515 | | /* Initialize context */ |
516 | | void mbedtls_aria_init(mbedtls_aria_context *ctx) |
517 | 1.16k | { |
518 | 1.16k | ARIA_VALIDATE(ctx != NULL); |
519 | 1.16k | memset(ctx, 0, sizeof(mbedtls_aria_context)); |
520 | 1.16k | } |
521 | | |
522 | | /* Clear context */ |
523 | | void mbedtls_aria_free(mbedtls_aria_context *ctx) |
524 | 1.16k | { |
525 | 1.16k | if (ctx == NULL) { |
526 | 0 | return; |
527 | 0 | } |
528 | | |
529 | 1.16k | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context)); |
530 | 1.16k | } |
531 | | |
532 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
533 | | /* |
534 | | * ARIA-CBC buffer encryption/decryption |
535 | | */ |
536 | | int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, |
537 | | int mode, |
538 | | size_t length, |
539 | | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
540 | | const unsigned char *input, |
541 | | unsigned char *output) |
542 | 513 | { |
543 | 513 | unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; |
544 | | |
545 | 513 | ARIA_VALIDATE_RET(ctx != NULL); |
546 | 513 | ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || |
547 | 513 | mode == MBEDTLS_ARIA_DECRYPT); |
548 | 513 | ARIA_VALIDATE_RET(length == 0 || input != NULL); |
549 | 513 | ARIA_VALIDATE_RET(length == 0 || output != NULL); |
550 | 513 | ARIA_VALIDATE_RET(iv != NULL); |
551 | | |
552 | 513 | if (length % MBEDTLS_ARIA_BLOCKSIZE) { |
553 | 0 | return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; |
554 | 0 | } |
555 | | |
556 | 513 | if (mode == MBEDTLS_ARIA_DECRYPT) { |
557 | 6.57k | while (length > 0) { |
558 | 6.50k | memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE); |
559 | 6.50k | mbedtls_aria_crypt_ecb(ctx, input, output); |
560 | | |
561 | 6.50k | mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE); |
562 | | |
563 | 6.50k | memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE); |
564 | | |
565 | 6.50k | input += MBEDTLS_ARIA_BLOCKSIZE; |
566 | 6.50k | output += MBEDTLS_ARIA_BLOCKSIZE; |
567 | 6.50k | length -= MBEDTLS_ARIA_BLOCKSIZE; |
568 | 6.50k | } |
569 | 437 | } else { |
570 | 2.08k | while (length > 0) { |
571 | 1.64k | mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE); |
572 | | |
573 | 1.64k | mbedtls_aria_crypt_ecb(ctx, output, output); |
574 | 1.64k | memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE); |
575 | | |
576 | 1.64k | input += MBEDTLS_ARIA_BLOCKSIZE; |
577 | 1.64k | output += MBEDTLS_ARIA_BLOCKSIZE; |
578 | 1.64k | length -= MBEDTLS_ARIA_BLOCKSIZE; |
579 | 1.64k | } |
580 | 437 | } |
581 | | |
582 | 513 | return 0; |
583 | 513 | } |
584 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
585 | | |
586 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
587 | | /* |
588 | | * ARIA-CFB128 buffer encryption/decryption |
589 | | */ |
590 | | int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, |
591 | | int mode, |
592 | | size_t length, |
593 | | size_t *iv_off, |
594 | | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
595 | | const unsigned char *input, |
596 | | unsigned char *output) |
597 | 0 | { |
598 | 0 | unsigned char c; |
599 | 0 | size_t n; |
600 | |
|
601 | 0 | ARIA_VALIDATE_RET(ctx != NULL); |
602 | 0 | ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || |
603 | 0 | mode == MBEDTLS_ARIA_DECRYPT); |
604 | 0 | ARIA_VALIDATE_RET(length == 0 || input != NULL); |
605 | 0 | ARIA_VALIDATE_RET(length == 0 || output != NULL); |
606 | 0 | ARIA_VALIDATE_RET(iv != NULL); |
607 | 0 | ARIA_VALIDATE_RET(iv_off != NULL); |
608 | |
|
609 | 0 | n = *iv_off; |
610 | | |
611 | | /* An overly large value of n can lead to an unlimited |
612 | | * buffer overflow. Therefore, guard against this |
613 | | * outside of parameter validation. */ |
614 | 0 | if (n >= MBEDTLS_ARIA_BLOCKSIZE) { |
615 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
616 | 0 | } |
617 | | |
618 | 0 | if (mode == MBEDTLS_ARIA_DECRYPT) { |
619 | 0 | while (length--) { |
620 | 0 | if (n == 0) { |
621 | 0 | mbedtls_aria_crypt_ecb(ctx, iv, iv); |
622 | 0 | } |
623 | |
|
624 | 0 | c = *input++; |
625 | 0 | *output++ = c ^ iv[n]; |
626 | 0 | iv[n] = c; |
627 | |
|
628 | 0 | n = (n + 1) & 0x0F; |
629 | 0 | } |
630 | 0 | } else { |
631 | 0 | while (length--) { |
632 | 0 | if (n == 0) { |
633 | 0 | mbedtls_aria_crypt_ecb(ctx, iv, iv); |
634 | 0 | } |
635 | |
|
636 | 0 | iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); |
637 | |
|
638 | 0 | n = (n + 1) & 0x0F; |
639 | 0 | } |
640 | 0 | } |
641 | |
|
642 | 0 | *iv_off = n; |
643 | |
|
644 | 0 | return 0; |
645 | 0 | } |
646 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
647 | | |
648 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
649 | | /* |
650 | | * ARIA-CTR buffer encryption/decryption |
651 | | */ |
652 | | int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, |
653 | | size_t length, |
654 | | size_t *nc_off, |
655 | | unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], |
656 | | unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], |
657 | | const unsigned char *input, |
658 | | unsigned char *output) |
659 | 0 | { |
660 | 0 | int c, i; |
661 | 0 | size_t n; |
662 | |
|
663 | 0 | ARIA_VALIDATE_RET(ctx != NULL); |
664 | 0 | ARIA_VALIDATE_RET(length == 0 || input != NULL); |
665 | 0 | ARIA_VALIDATE_RET(length == 0 || output != NULL); |
666 | 0 | ARIA_VALIDATE_RET(nonce_counter != NULL); |
667 | 0 | ARIA_VALIDATE_RET(stream_block != NULL); |
668 | 0 | ARIA_VALIDATE_RET(nc_off != NULL); |
669 | |
|
670 | 0 | n = *nc_off; |
671 | | /* An overly large value of n can lead to an unlimited |
672 | | * buffer overflow. Therefore, guard against this |
673 | | * outside of parameter validation. */ |
674 | 0 | if (n >= MBEDTLS_ARIA_BLOCKSIZE) { |
675 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
676 | 0 | } |
677 | | |
678 | 0 | while (length--) { |
679 | 0 | if (n == 0) { |
680 | 0 | mbedtls_aria_crypt_ecb(ctx, nonce_counter, |
681 | 0 | stream_block); |
682 | |
|
683 | 0 | for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) { |
684 | 0 | if (++nonce_counter[i - 1] != 0) { |
685 | 0 | break; |
686 | 0 | } |
687 | 0 | } |
688 | 0 | } |
689 | 0 | c = *input++; |
690 | 0 | *output++ = (unsigned char) (c ^ stream_block[n]); |
691 | |
|
692 | 0 | n = (n + 1) & 0x0F; |
693 | 0 | } |
694 | |
|
695 | 0 | *nc_off = n; |
696 | |
|
697 | 0 | return 0; |
698 | 0 | } |
699 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
700 | | #endif /* !MBEDTLS_ARIA_ALT */ |
701 | | |
702 | | #if defined(MBEDTLS_SELF_TEST) |
703 | | |
704 | | /* |
705 | | * Basic ARIA ECB test vectors from RFC 5794 |
706 | | */ |
707 | | static const uint8_t aria_test1_ecb_key[32] = // test key |
708 | | { |
709 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit |
710 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
711 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit |
712 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit |
713 | | }; |
714 | | |
715 | | static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext |
716 | | { |
717 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all |
718 | | 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes |
719 | | }; |
720 | | |
721 | | static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext |
722 | | { |
723 | | { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit |
724 | | 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, |
725 | | { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit |
726 | | 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, |
727 | | { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit |
728 | | 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } |
729 | | }; |
730 | | |
731 | | /* |
732 | | * Mode tests from "Test Vectors for ARIA" Version 1.0 |
733 | | * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf |
734 | | */ |
735 | | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
736 | | defined(MBEDTLS_CIPHER_MODE_CTR)) |
737 | | static const uint8_t aria_test2_key[32] = |
738 | | { |
739 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit |
740 | | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, |
741 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit |
742 | | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit |
743 | | }; |
744 | | |
745 | | static const uint8_t aria_test2_pt[48] = |
746 | | { |
747 | | 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all |
748 | | 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, |
749 | | 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, |
750 | | 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, |
751 | | 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, |
752 | | 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, |
753 | | }; |
754 | | #endif |
755 | | |
756 | | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) |
757 | | static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = |
758 | | { |
759 | | 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB |
760 | | 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV |
761 | | }; |
762 | | #endif |
763 | | |
764 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
765 | | static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext |
766 | | { |
767 | | { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key |
768 | | 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, |
769 | | 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, |
770 | | 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, |
771 | | 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, |
772 | | 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, |
773 | | { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key |
774 | | 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, |
775 | | 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, |
776 | | 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, |
777 | | 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, |
778 | | 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, |
779 | | { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key |
780 | | 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, |
781 | | 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, |
782 | | 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, |
783 | | 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, |
784 | | 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } |
785 | | }; |
786 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
787 | | |
788 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
789 | | static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext |
790 | | { |
791 | | { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key |
792 | | 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, |
793 | | 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, |
794 | | 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, |
795 | | 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, |
796 | | 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, |
797 | | { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key |
798 | | 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, |
799 | | 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, |
800 | | 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, |
801 | | 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, |
802 | | 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, |
803 | | { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key |
804 | | 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, |
805 | | 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, |
806 | | 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, |
807 | | 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, |
808 | | 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } |
809 | | }; |
810 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
811 | | |
812 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
813 | | static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext |
814 | | { |
815 | | { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key |
816 | | 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, |
817 | | 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, |
818 | | 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, |
819 | | 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, |
820 | | 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, |
821 | | { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key |
822 | | 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, |
823 | | 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, |
824 | | 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, |
825 | | 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, |
826 | | 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, |
827 | | { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key |
828 | | 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, |
829 | | 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, |
830 | | 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, |
831 | | 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, |
832 | | 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } |
833 | | }; |
834 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
835 | | |
836 | | #define ARIA_SELF_TEST_ASSERT(cond) \ |
837 | 0 | do { \ |
838 | 0 | if (cond) { \ |
839 | 0 | if (verbose) \ |
840 | 0 | mbedtls_printf("failed\n"); \ |
841 | 0 | goto exit; \ |
842 | 0 | } else { \ |
843 | 0 | if (verbose) \ |
844 | 0 | mbedtls_printf("passed\n"); \ |
845 | 0 | } \ |
846 | 0 | } while (0) |
847 | | |
848 | | /* |
849 | | * Checkup routine |
850 | | */ |
851 | | int mbedtls_aria_self_test(int verbose) |
852 | 0 | { |
853 | 0 | int i; |
854 | 0 | uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; |
855 | 0 | mbedtls_aria_context ctx; |
856 | 0 | int ret = 1; |
857 | |
|
858 | 0 | #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) |
859 | 0 | size_t j; |
860 | 0 | #endif |
861 | |
|
862 | 0 | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ |
863 | 0 | defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
864 | 0 | defined(MBEDTLS_CIPHER_MODE_CTR)) |
865 | 0 | uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; |
866 | 0 | #endif |
867 | |
|
868 | 0 | mbedtls_aria_init(&ctx); |
869 | | |
870 | | /* |
871 | | * Test set 1 |
872 | | */ |
873 | 0 | for (i = 0; i < 3; i++) { |
874 | | /* test ECB encryption */ |
875 | 0 | if (verbose) { |
876 | 0 | mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i); |
877 | 0 | } |
878 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i); |
879 | 0 | mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk); |
880 | 0 | ARIA_SELF_TEST_ASSERT( |
881 | 0 | memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) |
882 | 0 | != 0); |
883 | | |
884 | | /* test ECB decryption */ |
885 | 0 | if (verbose) { |
886 | 0 | mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i); |
887 | 0 | } |
888 | 0 | mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i); |
889 | 0 | mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk); |
890 | 0 | ARIA_SELF_TEST_ASSERT( |
891 | 0 | memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) |
892 | 0 | != 0); |
893 | 0 | } |
894 | 0 | if (verbose) { |
895 | 0 | mbedtls_printf("\n"); |
896 | 0 | } |
897 | | |
898 | | /* |
899 | | * Test set 2 |
900 | | */ |
901 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
902 | 0 | for (i = 0; i < 3; i++) { |
903 | | /* Test CBC encryption */ |
904 | 0 | if (verbose) { |
905 | 0 | mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i); |
906 | 0 | } |
907 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
908 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
909 | 0 | memset(buf, 0x55, sizeof(buf)); |
910 | 0 | mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, |
911 | 0 | aria_test2_pt, buf); |
912 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48) |
913 | 0 | != 0); |
914 | | |
915 | | /* Test CBC decryption */ |
916 | 0 | if (verbose) { |
917 | 0 | mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i); |
918 | 0 | } |
919 | 0 | mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i); |
920 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
921 | 0 | memset(buf, 0xAA, sizeof(buf)); |
922 | 0 | mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, |
923 | 0 | aria_test2_cbc_ct[i], buf); |
924 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
925 | 0 | } |
926 | 0 | if (verbose) { |
927 | 0 | mbedtls_printf("\n"); |
928 | 0 | } |
929 | |
|
930 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
931 | |
|
932 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
933 | 0 | for (i = 0; i < 3; i++) { |
934 | | /* Test CFB encryption */ |
935 | 0 | if (verbose) { |
936 | 0 | mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i); |
937 | 0 | } |
938 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
939 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
940 | 0 | memset(buf, 0x55, sizeof(buf)); |
941 | 0 | j = 0; |
942 | 0 | mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, |
943 | 0 | aria_test2_pt, buf); |
944 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0); |
945 | | |
946 | | /* Test CFB decryption */ |
947 | 0 | if (verbose) { |
948 | 0 | mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i); |
949 | 0 | } |
950 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
951 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
952 | 0 | memset(buf, 0xAA, sizeof(buf)); |
953 | 0 | j = 0; |
954 | 0 | mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, |
955 | 0 | iv, aria_test2_cfb_ct[i], buf); |
956 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
957 | 0 | } |
958 | 0 | if (verbose) { |
959 | 0 | mbedtls_printf("\n"); |
960 | 0 | } |
961 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
962 | |
|
963 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
964 | 0 | for (i = 0; i < 3; i++) { |
965 | | /* Test CTR encryption */ |
966 | 0 | if (verbose) { |
967 | 0 | mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i); |
968 | 0 | } |
969 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
970 | 0 | memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 |
971 | 0 | memset(buf, 0x55, sizeof(buf)); |
972 | 0 | j = 0; |
973 | 0 | mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, |
974 | 0 | aria_test2_pt, buf); |
975 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0); |
976 | | |
977 | | /* Test CTR decryption */ |
978 | 0 | if (verbose) { |
979 | 0 | mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i); |
980 | 0 | } |
981 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
982 | 0 | memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 |
983 | 0 | memset(buf, 0xAA, sizeof(buf)); |
984 | 0 | j = 0; |
985 | 0 | mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, |
986 | 0 | aria_test2_ctr_ct[i], buf); |
987 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
988 | 0 | } |
989 | 0 | if (verbose) { |
990 | 0 | mbedtls_printf("\n"); |
991 | 0 | } |
992 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
993 | |
|
994 | 0 | ret = 0; |
995 | |
|
996 | 0 | exit: |
997 | 0 | mbedtls_aria_free(&ctx); |
998 | 0 | return ret; |
999 | 0 | } |
1000 | | |
1001 | | #endif /* MBEDTLS_SELF_TEST */ |
1002 | | |
1003 | | #endif /* MBEDTLS_ARIA_C */ |