/src/mbedtls/library/aria.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * ARIA implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | /* |
9 | | * This implementation is based on the following standards: |
10 | | * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf |
11 | | * [2] https://tools.ietf.org/html/rfc5794 |
12 | | */ |
13 | | |
14 | | #include "common.h" |
15 | | |
16 | | #if defined(MBEDTLS_ARIA_C) |
17 | | |
18 | | #include "mbedtls/aria.h" |
19 | | |
20 | | #include <string.h> |
21 | | |
22 | | #include "mbedtls/platform.h" |
23 | | |
24 | | #if !defined(MBEDTLS_ARIA_ALT) |
25 | | |
26 | | #include "mbedtls/platform_util.h" |
27 | | |
28 | | /* |
29 | | * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes |
30 | | * |
31 | | * This is submatrix P1 in [1] Appendix B.1 |
32 | | * |
33 | | * Common compilers fail to translate this to minimal number of instructions, |
34 | | * so let's provide asm versions for common platforms with C fallback. |
35 | | */ |
36 | | #if defined(MBEDTLS_HAVE_ASM) |
37 | | #if defined(__arm__) /* rev16 available from v6 up */ |
38 | | /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ |
39 | | #if defined(__GNUC__) && \ |
40 | | (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \ |
41 | | __ARM_ARCH >= 6 |
42 | | static inline uint32_t aria_p1(uint32_t x) |
43 | | { |
44 | | uint32_t r; |
45 | | __asm("rev16 %0, %1" : "=l" (r) : "l" (x)); |
46 | | return r; |
47 | | } |
48 | | #define ARIA_P1 aria_p1 |
49 | | #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ |
50 | | (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3) |
51 | | static inline uint32_t aria_p1(uint32_t x) |
52 | | { |
53 | | uint32_t r; |
54 | | __asm("rev16 r, x"); |
55 | | return r; |
56 | | } |
57 | | #define ARIA_P1 aria_p1 |
58 | | #endif |
59 | | #endif /* arm */ |
60 | | #if defined(__GNUC__) && \ |
61 | | defined(__i386__) || defined(__amd64__) || defined(__x86_64__) |
62 | | /* I couldn't find an Intel equivalent of rev16, so two instructions */ |
63 | 142k | #define ARIA_P1(x) ARIA_P2(ARIA_P3(x)) |
64 | | #endif /* x86 gnuc */ |
65 | | #endif /* MBEDTLS_HAVE_ASM && GNUC */ |
66 | | #if !defined(ARIA_P1) |
67 | | #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) |
68 | | #endif |
69 | | |
70 | | /* |
71 | | * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits |
72 | | * |
73 | | * This is submatrix P2 in [1] Appendix B.1 |
74 | | * |
75 | | * Common compilers will translate this to a single instruction. |
76 | | */ |
77 | 285k | #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) |
78 | | |
79 | | /* |
80 | | * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness |
81 | | * |
82 | | * This is submatrix P3 in [1] Appendix B.1 |
83 | | */ |
84 | 13.0k | #define ARIA_P3(x) MBEDTLS_BSWAP32(x) |
85 | | |
86 | | /* |
87 | | * ARIA Affine Transform |
88 | | * (a, b, c, d) = state in/out |
89 | | * |
90 | | * If we denote the first byte of input by 0, ..., the last byte by f, |
91 | | * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. |
92 | | * |
93 | | * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple |
94 | | * rearrangements on adjacent pairs, output is: |
95 | | * |
96 | | * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe |
97 | | * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd |
98 | | * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd |
99 | | * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc |
100 | | * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe |
101 | | * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc |
102 | | * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef |
103 | | * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef |
104 | | * |
105 | | * Note: another presentation of the A transform can be found as the first |
106 | | * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. |
107 | | * The implementation below uses only P1 and P2 as they are sufficient. |
108 | | */ |
109 | | static inline void aria_a(uint32_t *a, uint32_t *b, |
110 | | uint32_t *c, uint32_t *d) |
111 | 20.4k | { |
112 | 20.4k | uint32_t ta, tb, tc; |
113 | 20.4k | ta = *b; // 4567 |
114 | 20.4k | *b = *a; // 0123 |
115 | 20.4k | *a = ARIA_P2(ta); // 6745 |
116 | 20.4k | tb = ARIA_P2(*d); // efcd |
117 | 20.4k | *d = ARIA_P1(*c); // 98ba |
118 | 20.4k | *c = ARIA_P1(tb); // fedc |
119 | 20.4k | ta ^= *d; // 4567+98ba |
120 | 20.4k | tc = ARIA_P2(*b); // 2301 |
121 | 20.4k | ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc |
122 | 20.4k | tb ^= ARIA_P2(*d); // ba98+efcd |
123 | 20.4k | tc ^= ARIA_P1(*a); // 2301+7654 |
124 | 20.4k | *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT |
125 | 20.4k | tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc |
126 | 20.4k | *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT |
127 | 20.4k | ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe |
128 | 20.4k | *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT |
129 | 20.4k | tc = ARIA_P2(tc); // 0123+5476 |
130 | 20.4k | *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT |
131 | 20.4k | } |
132 | | |
133 | | /* |
134 | | * ARIA Substitution Layer SL1 / SL2 |
135 | | * (a, b, c, d) = state in/out |
136 | | * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) |
137 | | * |
138 | | * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 |
139 | | * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 |
140 | | */ |
141 | | static inline void aria_sl(uint32_t *a, uint32_t *b, |
142 | | uint32_t *c, uint32_t *d, |
143 | | const uint8_t sa[256], const uint8_t sb[256], |
144 | | const uint8_t sc[256], const uint8_t sd[256]) |
145 | 22.1k | { |
146 | 22.1k | *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^ |
147 | 22.1k | (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^ |
148 | 22.1k | (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^ |
149 | 22.1k | (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24); |
150 | 22.1k | *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^ |
151 | 22.1k | (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^ |
152 | 22.1k | (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^ |
153 | 22.1k | (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24); |
154 | 22.1k | *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^ |
155 | 22.1k | (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^ |
156 | 22.1k | (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^ |
157 | 22.1k | (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24); |
158 | 22.1k | *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^ |
159 | 22.1k | (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^ |
160 | 22.1k | (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^ |
161 | 22.1k | (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24); |
162 | 22.1k | } |
163 | | |
164 | | /* |
165 | | * S-Boxes |
166 | | */ |
167 | | static const uint8_t aria_sb1[256] = |
168 | | { |
169 | | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, |
170 | | 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
171 | | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, |
172 | | 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
173 | | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, |
174 | | 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
175 | | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, |
176 | | 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
177 | | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, |
178 | | 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
179 | | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, |
180 | | 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
181 | | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, |
182 | | 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
183 | | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, |
184 | | 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
185 | | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, |
186 | | 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
187 | | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, |
188 | | 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
189 | | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, |
190 | | 0xB0, 0x54, 0xBB, 0x16 |
191 | | }; |
192 | | |
193 | | static const uint8_t aria_sb2[256] = |
194 | | { |
195 | | 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, |
196 | | 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, |
197 | | 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, |
198 | | 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, |
199 | | 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, |
200 | | 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, |
201 | | 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, |
202 | | 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, |
203 | | 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, |
204 | | 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, |
205 | | 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, |
206 | | 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, |
207 | | 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, |
208 | | 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, |
209 | | 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, |
210 | | 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, |
211 | | 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, |
212 | | 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, |
213 | | 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, |
214 | | 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, |
215 | | 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, |
216 | | 0xAF, 0xBA, 0xB5, 0x81 |
217 | | }; |
218 | | |
219 | | static const uint8_t aria_is1[256] = |
220 | | { |
221 | | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, |
222 | | 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
223 | | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, |
224 | | 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
225 | | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, |
226 | | 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
227 | | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, |
228 | | 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
229 | | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, |
230 | | 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
231 | | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, |
232 | | 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
233 | | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, |
234 | | 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
235 | | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, |
236 | | 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
237 | | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, |
238 | | 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
239 | | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, |
240 | | 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
241 | | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, |
242 | | 0x55, 0x21, 0x0C, 0x7D |
243 | | }; |
244 | | |
245 | | static const uint8_t aria_is2[256] = |
246 | | { |
247 | | 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, |
248 | | 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, |
249 | | 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, |
250 | | 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, |
251 | | 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, |
252 | | 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, |
253 | | 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, |
254 | | 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, |
255 | | 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, |
256 | | 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, |
257 | | 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, |
258 | | 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, |
259 | | 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, |
260 | | 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, |
261 | | 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, |
262 | | 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, |
263 | | 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, |
264 | | 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, |
265 | | 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, |
266 | | 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, |
267 | | 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, |
268 | | 0x03, 0xA2, 0xAC, 0x60 |
269 | | }; |
270 | | |
271 | | /* |
272 | | * Helper for key schedule: r = FO( p, k ) ^ x |
273 | | */ |
274 | | static void aria_fo_xor(uint32_t r[4], const uint32_t p[4], |
275 | | const uint32_t k[4], const uint32_t x[4]) |
276 | 170 | { |
277 | 170 | uint32_t a, b, c, d; |
278 | | |
279 | 170 | a = p[0] ^ k[0]; |
280 | 170 | b = p[1] ^ k[1]; |
281 | 170 | c = p[2] ^ k[2]; |
282 | 170 | d = p[3] ^ k[3]; |
283 | | |
284 | 170 | aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); |
285 | 170 | aria_a(&a, &b, &c, &d); |
286 | | |
287 | 170 | r[0] = a ^ x[0]; |
288 | 170 | r[1] = b ^ x[1]; |
289 | 170 | r[2] = c ^ x[2]; |
290 | 170 | r[3] = d ^ x[3]; |
291 | 170 | } |
292 | | |
293 | | /* |
294 | | * Helper for key schedule: r = FE( p, k ) ^ x |
295 | | */ |
296 | | static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], |
297 | | const uint32_t k[4], const uint32_t x[4]) |
298 | 85 | { |
299 | 85 | uint32_t a, b, c, d; |
300 | | |
301 | 85 | a = p[0] ^ k[0]; |
302 | 85 | b = p[1] ^ k[1]; |
303 | 85 | c = p[2] ^ k[2]; |
304 | 85 | d = p[3] ^ k[3]; |
305 | | |
306 | 85 | aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); |
307 | 85 | aria_a(&a, &b, &c, &d); |
308 | | |
309 | 85 | r[0] = a ^ x[0]; |
310 | 85 | r[1] = b ^ x[1]; |
311 | 85 | r[2] = c ^ x[2]; |
312 | 85 | r[3] = d ^ x[3]; |
313 | 85 | } |
314 | | |
315 | | /* |
316 | | * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. |
317 | | * |
318 | | * We chose to store bytes into 32-bit words in little-endian format (see |
319 | | * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse |
320 | | * bytes here. |
321 | | */ |
322 | | static void aria_rot128(uint32_t r[4], const uint32_t a[4], |
323 | | const uint32_t b[4], uint8_t n) |
324 | 1.44k | { |
325 | 1.44k | uint8_t i, j; |
326 | 1.44k | uint32_t t, u; |
327 | | |
328 | 1.44k | const uint8_t n1 = n % 32; // bit offset |
329 | 1.44k | const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset |
330 | | |
331 | 1.44k | j = (n / 32) % 4; // initial word offset |
332 | 1.44k | t = ARIA_P3(b[j]); // big endian |
333 | 7.22k | for (i = 0; i < 4; i++) { |
334 | 5.78k | j = (j + 1) % 4; // get next word, big endian |
335 | 5.78k | u = ARIA_P3(b[j]); |
336 | 5.78k | t <<= n1; // rotate |
337 | 5.78k | t |= u >> n2; |
338 | 5.78k | t = ARIA_P3(t); // back to little endian |
339 | 5.78k | r[i] = a[i] ^ t; // store |
340 | 5.78k | t = u; // move to next word |
341 | 5.78k | } |
342 | 1.44k | } |
343 | | |
344 | | /* |
345 | | * Set encryption key |
346 | | */ |
347 | | int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, |
348 | | const unsigned char *key, unsigned int keybits) |
349 | 85 | { |
350 | | /* round constant masks */ |
351 | 85 | const uint32_t rc[3][4] = |
352 | 85 | { |
353 | 85 | { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, |
354 | 85 | { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, |
355 | 85 | { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } |
356 | 85 | }; |
357 | | |
358 | 85 | int i; |
359 | 85 | uint32_t w[4][4], *w2; |
360 | | |
361 | 85 | if (keybits != 128 && keybits != 192 && keybits != 256) { |
362 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
363 | 0 | } |
364 | | |
365 | | /* Copy key to W0 (and potential remainder to W1) */ |
366 | 85 | w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0); |
367 | 85 | w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4); |
368 | 85 | w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8); |
369 | 85 | w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12); |
370 | | |
371 | 85 | memset(w[1], 0, 16); |
372 | 85 | if (keybits >= 192) { |
373 | 26 | w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key |
374 | 26 | w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20); |
375 | 26 | } |
376 | 85 | if (keybits == 256) { |
377 | 10 | w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key |
378 | 10 | w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28); |
379 | 10 | } |
380 | | |
381 | 85 | i = (keybits - 128) >> 6; // index: 0, 1, 2 |
382 | 85 | ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 |
383 | | |
384 | 85 | aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR |
385 | 85 | i = i < 2 ? i + 1 : 0; |
386 | 85 | aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0 |
387 | 85 | i = i < 2 ? i + 1 : 0; |
388 | 85 | aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1 |
389 | | |
390 | 425 | for (i = 0; i < 4; i++) { // create round keys |
391 | 340 | w2 = w[(i + 1) & 3]; |
392 | 340 | aria_rot128(ctx->rk[i], w[i], w2, 128 - 19); |
393 | 340 | aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31); |
394 | 340 | aria_rot128(ctx->rk[i + 8], w[i], w2, 61); |
395 | 340 | aria_rot128(ctx->rk[i + 12], w[i], w2, 31); |
396 | 340 | } |
397 | 85 | aria_rot128(ctx->rk[16], w[0], w[1], 19); |
398 | | |
399 | | /* w holds enough info to reconstruct the round keys */ |
400 | 85 | mbedtls_platform_zeroize(w, sizeof(w)); |
401 | | |
402 | 85 | return 0; |
403 | 85 | } |
404 | | |
405 | | /* |
406 | | * Set decryption key |
407 | | */ |
408 | | #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
409 | | int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, |
410 | | const unsigned char *key, unsigned int keybits) |
411 | 7 | { |
412 | 7 | int i, j, k, ret; |
413 | | |
414 | 7 | ret = mbedtls_aria_setkey_enc(ctx, key, keybits); |
415 | 7 | if (ret != 0) { |
416 | 0 | return ret; |
417 | 0 | } |
418 | | |
419 | | /* flip the order of round keys */ |
420 | 54 | for (i = 0, j = ctx->nr; i < j; i++, j--) { |
421 | 235 | for (k = 0; k < 4; k++) { |
422 | 188 | uint32_t t = ctx->rk[i][k]; |
423 | 188 | ctx->rk[i][k] = ctx->rk[j][k]; |
424 | 188 | ctx->rk[j][k] = t; |
425 | 188 | } |
426 | 47 | } |
427 | | |
428 | | /* apply affine transform to middle keys */ |
429 | 94 | for (i = 1; i < ctx->nr; i++) { |
430 | 87 | aria_a(&ctx->rk[i][0], &ctx->rk[i][1], |
431 | 87 | &ctx->rk[i][2], &ctx->rk[i][3]); |
432 | 87 | } |
433 | | |
434 | 7 | return 0; |
435 | 7 | } |
436 | | #endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ |
437 | | |
438 | | /* |
439 | | * Encrypt a block |
440 | | */ |
441 | | int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, |
442 | | const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], |
443 | | unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) |
444 | 1.81k | { |
445 | 1.81k | int i; |
446 | | |
447 | 1.81k | uint32_t a, b, c, d; |
448 | | |
449 | 1.81k | a = MBEDTLS_GET_UINT32_LE(input, 0); |
450 | 1.81k | b = MBEDTLS_GET_UINT32_LE(input, 4); |
451 | 1.81k | c = MBEDTLS_GET_UINT32_LE(input, 8); |
452 | 1.81k | d = MBEDTLS_GET_UINT32_LE(input, 12); |
453 | | |
454 | 1.81k | i = 0; |
455 | 10.9k | while (1) { |
456 | 10.9k | a ^= ctx->rk[i][0]; |
457 | 10.9k | b ^= ctx->rk[i][1]; |
458 | 10.9k | c ^= ctx->rk[i][2]; |
459 | 10.9k | d ^= ctx->rk[i][3]; |
460 | 10.9k | i++; |
461 | | |
462 | 10.9k | aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); |
463 | 10.9k | aria_a(&a, &b, &c, &d); |
464 | | |
465 | 10.9k | a ^= ctx->rk[i][0]; |
466 | 10.9k | b ^= ctx->rk[i][1]; |
467 | 10.9k | c ^= ctx->rk[i][2]; |
468 | 10.9k | d ^= ctx->rk[i][3]; |
469 | 10.9k | i++; |
470 | | |
471 | 10.9k | aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); |
472 | 10.9k | if (i >= ctx->nr) { |
473 | 1.81k | break; |
474 | 1.81k | } |
475 | 9.12k | aria_a(&a, &b, &c, &d); |
476 | 9.12k | } |
477 | | |
478 | | /* final key mixing */ |
479 | 1.81k | a ^= ctx->rk[i][0]; |
480 | 1.81k | b ^= ctx->rk[i][1]; |
481 | 1.81k | c ^= ctx->rk[i][2]; |
482 | 1.81k | d ^= ctx->rk[i][3]; |
483 | | |
484 | 1.81k | MBEDTLS_PUT_UINT32_LE(a, output, 0); |
485 | 1.81k | MBEDTLS_PUT_UINT32_LE(b, output, 4); |
486 | 1.81k | MBEDTLS_PUT_UINT32_LE(c, output, 8); |
487 | 1.81k | MBEDTLS_PUT_UINT32_LE(d, output, 12); |
488 | | |
489 | 1.81k | return 0; |
490 | 1.81k | } |
491 | | |
492 | | /* Initialize context */ |
493 | | void mbedtls_aria_init(mbedtls_aria_context *ctx) |
494 | 150 | { |
495 | 150 | memset(ctx, 0, sizeof(mbedtls_aria_context)); |
496 | 150 | } |
497 | | |
498 | | /* Clear context */ |
499 | | void mbedtls_aria_free(mbedtls_aria_context *ctx) |
500 | 150 | { |
501 | 150 | if (ctx == NULL) { |
502 | 0 | return; |
503 | 0 | } |
504 | | |
505 | 150 | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context)); |
506 | 150 | } |
507 | | |
508 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
509 | | /* |
510 | | * ARIA-CBC buffer encryption/decryption |
511 | | */ |
512 | | int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, |
513 | | int mode, |
514 | | size_t length, |
515 | | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
516 | | const unsigned char *input, |
517 | | unsigned char *output) |
518 | 0 | { |
519 | 0 | unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; |
520 | |
|
521 | 0 | if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { |
522 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
523 | 0 | } |
524 | | |
525 | 0 | if (length % MBEDTLS_ARIA_BLOCKSIZE) { |
526 | 0 | return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; |
527 | 0 | } |
528 | | |
529 | 0 | if (mode == MBEDTLS_ARIA_DECRYPT) { |
530 | 0 | while (length > 0) { |
531 | 0 | memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE); |
532 | 0 | mbedtls_aria_crypt_ecb(ctx, input, output); |
533 | |
|
534 | 0 | mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE); |
535 | |
|
536 | 0 | memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE); |
537 | |
|
538 | 0 | input += MBEDTLS_ARIA_BLOCKSIZE; |
539 | 0 | output += MBEDTLS_ARIA_BLOCKSIZE; |
540 | 0 | length -= MBEDTLS_ARIA_BLOCKSIZE; |
541 | 0 | } |
542 | 0 | } else { |
543 | 0 | while (length > 0) { |
544 | 0 | mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE); |
545 | |
|
546 | 0 | mbedtls_aria_crypt_ecb(ctx, output, output); |
547 | 0 | memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE); |
548 | |
|
549 | 0 | input += MBEDTLS_ARIA_BLOCKSIZE; |
550 | 0 | output += MBEDTLS_ARIA_BLOCKSIZE; |
551 | 0 | length -= MBEDTLS_ARIA_BLOCKSIZE; |
552 | 0 | } |
553 | 0 | } |
554 | |
|
555 | 0 | return 0; |
556 | 0 | } |
557 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
558 | | |
559 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
560 | | /* |
561 | | * ARIA-CFB128 buffer encryption/decryption |
562 | | */ |
563 | | int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, |
564 | | int mode, |
565 | | size_t length, |
566 | | size_t *iv_off, |
567 | | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
568 | | const unsigned char *input, |
569 | | unsigned char *output) |
570 | 0 | { |
571 | 0 | unsigned char c; |
572 | 0 | size_t n; |
573 | |
|
574 | 0 | if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { |
575 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
576 | 0 | } |
577 | | |
578 | 0 | n = *iv_off; |
579 | | |
580 | | /* An overly large value of n can lead to an unlimited |
581 | | * buffer overflow. */ |
582 | 0 | if (n >= MBEDTLS_ARIA_BLOCKSIZE) { |
583 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
584 | 0 | } |
585 | | |
586 | 0 | if (mode == MBEDTLS_ARIA_DECRYPT) { |
587 | 0 | while (length--) { |
588 | 0 | if (n == 0) { |
589 | 0 | mbedtls_aria_crypt_ecb(ctx, iv, iv); |
590 | 0 | } |
591 | |
|
592 | 0 | c = *input++; |
593 | 0 | *output++ = c ^ iv[n]; |
594 | 0 | iv[n] = c; |
595 | |
|
596 | 0 | n = (n + 1) & 0x0F; |
597 | 0 | } |
598 | 0 | } else { |
599 | 0 | while (length--) { |
600 | 0 | if (n == 0) { |
601 | 0 | mbedtls_aria_crypt_ecb(ctx, iv, iv); |
602 | 0 | } |
603 | |
|
604 | 0 | iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); |
605 | |
|
606 | 0 | n = (n + 1) & 0x0F; |
607 | 0 | } |
608 | 0 | } |
609 | |
|
610 | 0 | *iv_off = n; |
611 | |
|
612 | 0 | return 0; |
613 | 0 | } |
614 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
615 | | |
616 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
617 | | /* |
618 | | * ARIA-CTR buffer encryption/decryption |
619 | | */ |
620 | | int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, |
621 | | size_t length, |
622 | | size_t *nc_off, |
623 | | unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], |
624 | | unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], |
625 | | const unsigned char *input, |
626 | | unsigned char *output) |
627 | 8 | { |
628 | 8 | int c, i; |
629 | 8 | size_t n; |
630 | | |
631 | 8 | n = *nc_off; |
632 | | /* An overly large value of n can lead to an unlimited |
633 | | * buffer overflow. */ |
634 | 8 | if (n >= MBEDTLS_ARIA_BLOCKSIZE) { |
635 | 0 | return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; |
636 | 0 | } |
637 | | |
638 | 383 | while (length--) { |
639 | 375 | if (n == 0) { |
640 | 24 | mbedtls_aria_crypt_ecb(ctx, nonce_counter, |
641 | 24 | stream_block); |
642 | | |
643 | 24 | for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) { |
644 | 24 | if (++nonce_counter[i - 1] != 0) { |
645 | 24 | break; |
646 | 24 | } |
647 | 24 | } |
648 | 24 | } |
649 | 375 | c = *input++; |
650 | 375 | *output++ = (unsigned char) (c ^ stream_block[n]); |
651 | | |
652 | 375 | n = (n + 1) & 0x0F; |
653 | 375 | } |
654 | | |
655 | 8 | *nc_off = n; |
656 | | |
657 | 8 | return 0; |
658 | 8 | } |
659 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
660 | | #endif /* !MBEDTLS_ARIA_ALT */ |
661 | | |
662 | | #if defined(MBEDTLS_SELF_TEST) |
663 | | |
664 | | /* |
665 | | * Basic ARIA ECB test vectors from RFC 5794 |
666 | | */ |
667 | | static const uint8_t aria_test1_ecb_key[32] = // test key |
668 | | { |
669 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit |
670 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
671 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit |
672 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit |
673 | | }; |
674 | | |
675 | | static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext |
676 | | { |
677 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all |
678 | | 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes |
679 | | }; |
680 | | |
681 | | static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext |
682 | | { |
683 | | { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit |
684 | | 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, |
685 | | { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit |
686 | | 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, |
687 | | { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit |
688 | | 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } |
689 | | }; |
690 | | |
691 | | /* |
692 | | * Mode tests from "Test Vectors for ARIA" Version 1.0 |
693 | | * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf |
694 | | */ |
695 | | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
696 | | defined(MBEDTLS_CIPHER_MODE_CTR)) |
697 | | static const uint8_t aria_test2_key[32] = |
698 | | { |
699 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit |
700 | | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, |
701 | | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit |
702 | | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit |
703 | | }; |
704 | | |
705 | | static const uint8_t aria_test2_pt[48] = |
706 | | { |
707 | | 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all |
708 | | 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, |
709 | | 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, |
710 | | 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, |
711 | | 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, |
712 | | 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, |
713 | | }; |
714 | | #endif |
715 | | |
716 | | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) |
717 | | static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = |
718 | | { |
719 | | 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB |
720 | | 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV |
721 | | }; |
722 | | #endif |
723 | | |
724 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
725 | | static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext |
726 | | { |
727 | | { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key |
728 | | 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, |
729 | | 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, |
730 | | 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, |
731 | | 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, |
732 | | 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, |
733 | | { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key |
734 | | 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, |
735 | | 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, |
736 | | 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, |
737 | | 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, |
738 | | 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, |
739 | | { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key |
740 | | 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, |
741 | | 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, |
742 | | 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, |
743 | | 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, |
744 | | 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } |
745 | | }; |
746 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
747 | | |
748 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
749 | | static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext |
750 | | { |
751 | | { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key |
752 | | 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, |
753 | | 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, |
754 | | 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, |
755 | | 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, |
756 | | 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, |
757 | | { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key |
758 | | 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, |
759 | | 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, |
760 | | 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, |
761 | | 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, |
762 | | 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, |
763 | | { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key |
764 | | 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, |
765 | | 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, |
766 | | 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, |
767 | | 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, |
768 | | 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } |
769 | | }; |
770 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
771 | | |
772 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
773 | | static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext |
774 | | { |
775 | | { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key |
776 | | 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, |
777 | | 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, |
778 | | 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, |
779 | | 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, |
780 | | 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, |
781 | | { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key |
782 | | 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, |
783 | | 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, |
784 | | 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, |
785 | | 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, |
786 | | 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, |
787 | | { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key |
788 | | 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, |
789 | | 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, |
790 | | 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, |
791 | | 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, |
792 | | 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } |
793 | | }; |
794 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
795 | | |
796 | | #define ARIA_SELF_TEST_ASSERT(cond) \ |
797 | 0 | do { \ |
798 | 0 | if (cond) { \ |
799 | 0 | if (verbose) \ |
800 | 0 | mbedtls_printf("failed\n"); \ |
801 | 0 | goto exit; \ |
802 | 0 | } else { \ |
803 | 0 | if (verbose) \ |
804 | 0 | mbedtls_printf("passed\n"); \ |
805 | 0 | } \ |
806 | 0 | } while (0) |
807 | | |
808 | | /* |
809 | | * Checkup routine |
810 | | */ |
811 | | int mbedtls_aria_self_test(int verbose) |
812 | 0 | { |
813 | 0 | int i; |
814 | 0 | uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; |
815 | 0 | mbedtls_aria_context ctx; |
816 | 0 | int ret = 1; |
817 | |
|
818 | 0 | #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) |
819 | 0 | size_t j; |
820 | 0 | #endif |
821 | |
|
822 | 0 | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ |
823 | 0 | defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
824 | 0 | defined(MBEDTLS_CIPHER_MODE_CTR)) |
825 | 0 | uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; |
826 | 0 | #endif |
827 | |
|
828 | 0 | mbedtls_aria_init(&ctx); |
829 | | |
830 | | /* |
831 | | * Test set 1 |
832 | | */ |
833 | 0 | for (i = 0; i < 3; i++) { |
834 | | /* test ECB encryption */ |
835 | 0 | if (verbose) { |
836 | 0 | mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i); |
837 | 0 | } |
838 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i); |
839 | 0 | mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk); |
840 | 0 | ARIA_SELF_TEST_ASSERT( |
841 | 0 | memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) |
842 | 0 | != 0); |
843 | | |
844 | | /* test ECB decryption */ |
845 | 0 | if (verbose) { |
846 | 0 | mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i); |
847 | | #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
848 | | mbedtls_printf("skipped\n"); |
849 | | #endif |
850 | 0 | } |
851 | |
|
852 | 0 | #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
853 | 0 | mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i); |
854 | 0 | mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk); |
855 | 0 | ARIA_SELF_TEST_ASSERT( |
856 | 0 | memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) |
857 | 0 | != 0); |
858 | 0 | #endif |
859 | 0 | } |
860 | 0 | if (verbose) { |
861 | 0 | mbedtls_printf("\n"); |
862 | 0 | } |
863 | | |
864 | | /* |
865 | | * Test set 2 |
866 | | */ |
867 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
868 | 0 | for (i = 0; i < 3; i++) { |
869 | | /* Test CBC encryption */ |
870 | 0 | if (verbose) { |
871 | 0 | mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i); |
872 | 0 | } |
873 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
874 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
875 | 0 | memset(buf, 0x55, sizeof(buf)); |
876 | 0 | mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, |
877 | 0 | aria_test2_pt, buf); |
878 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48) |
879 | 0 | != 0); |
880 | | |
881 | | /* Test CBC decryption */ |
882 | 0 | if (verbose) { |
883 | 0 | mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i); |
884 | 0 | } |
885 | 0 | mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i); |
886 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
887 | 0 | memset(buf, 0xAA, sizeof(buf)); |
888 | 0 | mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, |
889 | 0 | aria_test2_cbc_ct[i], buf); |
890 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
891 | 0 | } |
892 | 0 | if (verbose) { |
893 | 0 | mbedtls_printf("\n"); |
894 | 0 | } |
895 | |
|
896 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
897 | |
|
898 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
899 | 0 | for (i = 0; i < 3; i++) { |
900 | | /* Test CFB encryption */ |
901 | 0 | if (verbose) { |
902 | 0 | mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i); |
903 | 0 | } |
904 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
905 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
906 | 0 | memset(buf, 0x55, sizeof(buf)); |
907 | 0 | j = 0; |
908 | 0 | mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, |
909 | 0 | aria_test2_pt, buf); |
910 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0); |
911 | | |
912 | | /* Test CFB decryption */ |
913 | 0 | if (verbose) { |
914 | 0 | mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i); |
915 | 0 | } |
916 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
917 | 0 | memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); |
918 | 0 | memset(buf, 0xAA, sizeof(buf)); |
919 | 0 | j = 0; |
920 | 0 | mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, |
921 | 0 | iv, aria_test2_cfb_ct[i], buf); |
922 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
923 | 0 | } |
924 | 0 | if (verbose) { |
925 | 0 | mbedtls_printf("\n"); |
926 | 0 | } |
927 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
928 | |
|
929 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
930 | 0 | for (i = 0; i < 3; i++) { |
931 | | /* Test CTR encryption */ |
932 | 0 | if (verbose) { |
933 | 0 | mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i); |
934 | 0 | } |
935 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
936 | 0 | memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 |
937 | 0 | memset(buf, 0x55, sizeof(buf)); |
938 | 0 | j = 0; |
939 | 0 | mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, |
940 | 0 | aria_test2_pt, buf); |
941 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0); |
942 | | |
943 | | /* Test CTR decryption */ |
944 | 0 | if (verbose) { |
945 | 0 | mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i); |
946 | 0 | } |
947 | 0 | mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); |
948 | 0 | memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 |
949 | 0 | memset(buf, 0xAA, sizeof(buf)); |
950 | 0 | j = 0; |
951 | 0 | mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, |
952 | 0 | aria_test2_ctr_ct[i], buf); |
953 | 0 | ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); |
954 | 0 | } |
955 | 0 | if (verbose) { |
956 | 0 | mbedtls_printf("\n"); |
957 | 0 | } |
958 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
959 | |
|
960 | 0 | ret = 0; |
961 | |
|
962 | 0 | exit: |
963 | 0 | mbedtls_aria_free(&ctx); |
964 | 0 | return ret; |
965 | 0 | } |
966 | | |
967 | | #endif /* MBEDTLS_SELF_TEST */ |
968 | | |
969 | | #endif /* MBEDTLS_ARIA_C */ |