Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
aria.c
00001 /* 00002 * ARIA implementation 00003 * 00004 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 /* 00023 * This implementation is based on the following standards: 00024 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 00025 * [2] https://tools.ietf.org/html/rfc5794 00026 */ 00027 00028 #if !defined(MBEDTLS_CONFIG_FILE) 00029 #include "mbedtls/config.h" 00030 #else 00031 #include MBEDTLS_CONFIG_FILE 00032 #endif 00033 00034 #if defined(MBEDTLS_ARIA_C) 00035 00036 #include "mbedtls/aria.h" 00037 00038 #include <string.h> 00039 00040 #if defined(MBEDTLS_SELF_TEST) 00041 #if defined(MBEDTLS_PLATFORM_C) 00042 #include "mbedtls/platform.h" 00043 #else 00044 #include <stdio.h> 00045 #define mbedtls_printf printf 00046 #endif /* MBEDTLS_PLATFORM_C */ 00047 #endif /* MBEDTLS_SELF_TEST */ 00048 00049 #if !defined(MBEDTLS_ARIA_ALT) 00050 00051 #include "mbedtls/platform_util.h" 00052 00053 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00054 !defined(inline) && !defined(__cplusplus) 00055 #define inline __inline 00056 #endif 00057 00058 /* Parameter validation macros */ 00059 #define ARIA_VALIDATE_RET( cond ) \ 00060 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) 00061 #define ARIA_VALIDATE( cond ) \ 00062 MBEDTLS_INTERNAL_VALIDATE( cond ) 00063 00064 /* 00065 * 32-bit integer manipulation macros (little endian) 00066 */ 00067 #ifndef GET_UINT32_LE 00068 #define GET_UINT32_LE( n, b, i ) \ 00069 { \ 00070 (n) = ( (uint32_t) (b)[(i) ] ) \ 00071 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 00072 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 00073 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 00074 } 00075 #endif 00076 00077 #ifndef PUT_UINT32_LE 00078 #define PUT_UINT32_LE( n, b, i ) \ 00079 { \ 00080 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 00081 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 00082 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 00083 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 00084 } 00085 #endif 00086 00087 /* 00088 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 00089 * 00090 * This is submatrix P1 in [1] Appendix B.1 00091 * 00092 * Common compilers fail to translate this to minimal number of instructions, 00093 * so let's provide asm versions for common platforms with C fallback. 00094 */ 00095 #if defined(MBEDTLS_HAVE_ASM) 00096 #if defined(__arm__) /* rev16 available from v6 up */ 00097 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 00098 #if defined(__GNUC__) && \ 00099 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 00100 __ARM_ARCH >= 6 00101 static inline uint32_t aria_p1( uint32_t x ) 00102 { 00103 uint32_t r; 00104 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); 00105 return( r ); 00106 } 00107 #define ARIA_P1 aria_p1 00108 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 00109 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 00110 static inline uint32_t aria_p1( uint32_t x ) 00111 { 00112 uint32_t r; 00113 __asm( "rev16 r, x" ); 00114 return( r ); 00115 } 00116 #define ARIA_P1 aria_p1 00117 #endif 00118 #endif /* arm */ 00119 #if defined(__GNUC__) && \ 00120 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 00121 /* I couldn't find an Intel equivalent of rev16, so two instructions */ 00122 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) 00123 #endif /* x86 gnuc */ 00124 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 00125 #if !defined(ARIA_P1) 00126 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 00127 #endif 00128 00129 /* 00130 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 00131 * 00132 * This is submatrix P2 in [1] Appendix B.1 00133 * 00134 * Common compilers will translate this to a single instruction. 00135 */ 00136 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 00137 00138 /* 00139 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 00140 * 00141 * This is submatrix P3 in [1] Appendix B.1 00142 * 00143 * Some compilers fail to translate this to a single instruction, 00144 * so let's provide asm versions for common platforms with C fallback. 00145 */ 00146 #if defined(MBEDTLS_HAVE_ASM) 00147 #if defined(__arm__) /* rev available from v6 up */ 00148 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 00149 #if defined(__GNUC__) && \ 00150 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 00151 __ARM_ARCH >= 6 00152 static inline uint32_t aria_p3( uint32_t x ) 00153 { 00154 uint32_t r; 00155 __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); 00156 return( r ); 00157 } 00158 #define ARIA_P3 aria_p3 00159 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 00160 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 00161 static inline uint32_t aria_p3( uint32_t x ) 00162 { 00163 uint32_t r; 00164 __asm( "rev r, x" ); 00165 return( r ); 00166 } 00167 #define ARIA_P3 aria_p3 00168 #endif 00169 #endif /* arm */ 00170 #if defined(__GNUC__) && \ 00171 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 00172 static inline uint32_t aria_p3( uint32_t x ) 00173 { 00174 __asm( "bswap %0" : "=r" (x) : "0" (x) ); 00175 return( x ); 00176 } 00177 #define ARIA_P3 aria_p3 00178 #endif /* x86 gnuc */ 00179 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 00180 #if !defined(ARIA_P3) 00181 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) 00182 #endif 00183 00184 /* 00185 * ARIA Affine Transform 00186 * (a, b, c, d) = state in/out 00187 * 00188 * If we denote the first byte of input by 0, ..., the last byte by f, 00189 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 00190 * 00191 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 00192 * rearrangements on adjacent pairs, output is: 00193 * 00194 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 00195 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 00196 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 00197 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 00198 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 00199 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 00200 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 00201 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 00202 * 00203 * Note: another presentation of the A transform can be found as the first 00204 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 00205 * The implementation below uses only P1 and P2 as they are sufficient. 00206 */ 00207 static inline void aria_a( uint32_t *a, uint32_t *b, 00208 uint32_t *c, uint32_t *d ) 00209 { 00210 uint32_t ta, tb, tc; 00211 ta = *b; // 4567 00212 *b = *a; // 0123 00213 *a = ARIA_P2( ta ); // 6745 00214 tb = ARIA_P2( *d ); // efcd 00215 *d = ARIA_P1( *c ); // 98ba 00216 *c = ARIA_P1( tb ); // fedc 00217 ta ^= *d; // 4567+98ba 00218 tc = ARIA_P2( *b ); // 2301 00219 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc 00220 tb ^= ARIA_P2( *d ); // ba98+efcd 00221 tc ^= ARIA_P1( *a ); // 2301+7654 00222 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 00223 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 00224 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 00225 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe 00226 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 00227 tc = ARIA_P2( tc ); // 0123+5476 00228 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 00229 } 00230 00231 /* 00232 * ARIA Substitution Layer SL1 / SL2 00233 * (a, b, c, d) = state in/out 00234 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 00235 * 00236 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 00237 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 00238 */ 00239 static inline void aria_sl( uint32_t *a, uint32_t *b, 00240 uint32_t *c, uint32_t *d, 00241 const uint8_t sa[256], const uint8_t sb[256], 00242 const uint8_t sc[256], const uint8_t sd[256] ) 00243 { 00244 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ 00245 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ 00246 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ 00247 (((uint32_t) sd[ *a >> 24 ]) << 24); 00248 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ 00249 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ 00250 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ 00251 (((uint32_t) sd[ *b >> 24 ]) << 24); 00252 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ 00253 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ 00254 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ 00255 (((uint32_t) sd[ *c >> 24 ]) << 24); 00256 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ 00257 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ 00258 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ 00259 (((uint32_t) sd[ *d >> 24 ]) << 24); 00260 } 00261 00262 /* 00263 * S-Boxes 00264 */ 00265 static const uint8_t aria_sb1[256] = 00266 { 00267 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 00268 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 00269 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 00270 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 00271 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 00272 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 00273 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 00274 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 00275 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 00276 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 00277 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 00278 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 00279 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 00280 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 00281 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 00282 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 00283 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 00284 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 00285 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 00286 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 00287 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 00288 0xB0, 0x54, 0xBB, 0x16 00289 }; 00290 00291 static const uint8_t aria_sb2[256] = 00292 { 00293 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 00294 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 00295 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 00296 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 00297 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 00298 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 00299 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 00300 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 00301 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 00302 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 00303 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 00304 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 00305 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 00306 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 00307 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 00308 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 00309 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 00310 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 00311 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 00312 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 00313 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 00314 0xAF, 0xBA, 0xB5, 0x81 00315 }; 00316 00317 static const uint8_t aria_is1[256] = 00318 { 00319 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 00320 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 00321 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 00322 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 00323 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 00324 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 00325 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 00326 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 00327 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 00328 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 00329 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 00330 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 00331 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 00332 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 00333 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 00334 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 00335 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 00336 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 00337 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 00338 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 00339 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 00340 0x55, 0x21, 0x0C, 0x7D 00341 }; 00342 00343 static const uint8_t aria_is2[256] = 00344 { 00345 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 00346 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 00347 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 00348 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 00349 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 00350 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 00351 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 00352 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 00353 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 00354 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 00355 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 00356 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 00357 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 00358 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 00359 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 00360 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 00361 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 00362 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 00363 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 00364 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 00365 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 00366 0x03, 0xA2, 0xAC, 0x60 00367 }; 00368 00369 /* 00370 * Helper for key schedule: r = FO( p, k ) ^ x 00371 */ 00372 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], 00373 const uint32_t k[4], const uint32_t x[4] ) 00374 { 00375 uint32_t a, b, c, d; 00376 00377 a = p[0] ^ k[0]; 00378 b = p[1] ^ k[1]; 00379 c = p[2] ^ k[2]; 00380 d = p[3] ^ k[3]; 00381 00382 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 00383 aria_a( &a, &b, &c, &d ); 00384 00385 r[0] = a ^ x[0]; 00386 r[1] = b ^ x[1]; 00387 r[2] = c ^ x[2]; 00388 r[3] = d ^ x[3]; 00389 } 00390 00391 /* 00392 * Helper for key schedule: r = FE( p, k ) ^ x 00393 */ 00394 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], 00395 const uint32_t k[4], const uint32_t x[4] ) 00396 { 00397 uint32_t a, b, c, d; 00398 00399 a = p[0] ^ k[0]; 00400 b = p[1] ^ k[1]; 00401 c = p[2] ^ k[2]; 00402 d = p[3] ^ k[3]; 00403 00404 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 00405 aria_a( &a, &b, &c, &d ); 00406 00407 r[0] = a ^ x[0]; 00408 r[1] = b ^ x[1]; 00409 r[2] = c ^ x[2]; 00410 r[3] = d ^ x[3]; 00411 } 00412 00413 /* 00414 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 00415 * 00416 * We chose to store bytes into 32-bit words in little-endian format (see 00417 * GET/PUT_UINT32_LE) so we need to reverse bytes here. 00418 */ 00419 static void aria_rot128( uint32_t r[4], const uint32_t a[4], 00420 const uint32_t b[4], uint8_t n ) 00421 { 00422 uint8_t i, j; 00423 uint32_t t, u; 00424 00425 const uint8_t n1 = n % 32; // bit offset 00426 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 00427 00428 j = ( n / 32 ) % 4; // initial word offset 00429 t = ARIA_P3( b[j] ); // big endian 00430 for( i = 0; i < 4; i++ ) 00431 { 00432 j = ( j + 1 ) % 4; // get next word, big endian 00433 u = ARIA_P3( b[j] ); 00434 t <<= n1; // rotate 00435 t |= u >> n2; 00436 t = ARIA_P3( t ); // back to little endian 00437 r[i] = a[i] ^ t; // store 00438 t = u; // move to next word 00439 } 00440 } 00441 00442 /* 00443 * Set encryption key 00444 */ 00445 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, 00446 const unsigned char *key, unsigned int keybits ) 00447 { 00448 /* round constant masks */ 00449 const uint32_t rc[3][4] = 00450 { 00451 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 00452 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 00453 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 00454 }; 00455 00456 int i; 00457 uint32_t w[4][4], *w2; 00458 ARIA_VALIDATE_RET( ctx != NULL ); 00459 ARIA_VALIDATE_RET( key != NULL ); 00460 00461 if( keybits != 128 && keybits != 192 && keybits != 256 ) 00462 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 00463 00464 /* Copy key to W0 (and potential remainder to W1) */ 00465 GET_UINT32_LE( w[0][0], key, 0 ); 00466 GET_UINT32_LE( w[0][1], key, 4 ); 00467 GET_UINT32_LE( w[0][2], key, 8 ); 00468 GET_UINT32_LE( w[0][3], key, 12 ); 00469 00470 memset( w[1], 0, 16 ); 00471 if( keybits >= 192 ) 00472 { 00473 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key 00474 GET_UINT32_LE( w[1][1], key, 20 ); 00475 } 00476 if( keybits == 256 ) 00477 { 00478 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key 00479 GET_UINT32_LE( w[1][3], key, 28 ); 00480 } 00481 00482 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 00483 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 00484 00485 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR 00486 i = i < 2 ? i + 1 : 0; 00487 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 00488 i = i < 2 ? i + 1 : 0; 00489 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 00490 00491 for( i = 0; i < 4; i++ ) // create round keys 00492 { 00493 w2 = w[(i + 1) & 3]; 00494 aria_rot128( ctx->rk [i ], w[i], w2, 128 - 19 ); 00495 aria_rot128( ctx->rk [i + 4], w[i], w2, 128 - 31 ); 00496 aria_rot128( ctx->rk [i + 8], w[i], w2, 61 ); 00497 aria_rot128( ctx->rk [i + 12], w[i], w2, 31 ); 00498 } 00499 aria_rot128( ctx->rk [16], w[0], w[1], 19 ); 00500 00501 /* w holds enough info to reconstruct the round keys */ 00502 mbedtls_platform_zeroize( w, sizeof( w ) ); 00503 00504 return( 0 ); 00505 } 00506 00507 /* 00508 * Set decryption key 00509 */ 00510 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, 00511 const unsigned char *key, unsigned int keybits ) 00512 { 00513 int i, j, k, ret; 00514 ARIA_VALIDATE_RET( ctx != NULL ); 00515 ARIA_VALIDATE_RET( key != NULL ); 00516 00517 ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); 00518 if( ret != 0 ) 00519 return( ret ); 00520 00521 /* flip the order of round keys */ 00522 for( i = 0, j = ctx->nr ; i < j; i++, j-- ) 00523 { 00524 for( k = 0; k < 4; k++ ) 00525 { 00526 uint32_t t = ctx->rk [i][k]; 00527 ctx->rk [i][k] = ctx->rk [j][k]; 00528 ctx->rk [j][k] = t; 00529 } 00530 } 00531 00532 /* apply affine transform to middle keys */ 00533 for( i = 1; i < ctx->nr ; i++ ) 00534 { 00535 aria_a( &ctx->rk [i][0], &ctx->rk [i][1], 00536 &ctx->rk [i][2], &ctx->rk [i][3] ); 00537 } 00538 00539 return( 0 ); 00540 } 00541 00542 /* 00543 * Encrypt a block 00544 */ 00545 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, 00546 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 00547 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) 00548 { 00549 int i; 00550 00551 uint32_t a, b, c, d; 00552 ARIA_VALIDATE_RET( ctx != NULL ); 00553 ARIA_VALIDATE_RET( input != NULL ); 00554 ARIA_VALIDATE_RET( output != NULL ); 00555 00556 GET_UINT32_LE( a, input, 0 ); 00557 GET_UINT32_LE( b, input, 4 ); 00558 GET_UINT32_LE( c, input, 8 ); 00559 GET_UINT32_LE( d, input, 12 ); 00560 00561 i = 0; 00562 while( 1 ) 00563 { 00564 a ^= ctx->rk [i][0]; 00565 b ^= ctx->rk [i][1]; 00566 c ^= ctx->rk [i][2]; 00567 d ^= ctx->rk [i][3]; 00568 i++; 00569 00570 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 00571 aria_a( &a, &b, &c, &d ); 00572 00573 a ^= ctx->rk [i][0]; 00574 b ^= ctx->rk [i][1]; 00575 c ^= ctx->rk [i][2]; 00576 d ^= ctx->rk [i][3]; 00577 i++; 00578 00579 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 00580 if( i >= ctx->nr ) 00581 break; 00582 aria_a( &a, &b, &c, &d ); 00583 } 00584 00585 /* final key mixing */ 00586 a ^= ctx->rk [i][0]; 00587 b ^= ctx->rk [i][1]; 00588 c ^= ctx->rk [i][2]; 00589 d ^= ctx->rk [i][3]; 00590 00591 PUT_UINT32_LE( a, output, 0 ); 00592 PUT_UINT32_LE( b, output, 4 ); 00593 PUT_UINT32_LE( c, output, 8 ); 00594 PUT_UINT32_LE( d, output, 12 ); 00595 00596 return( 0 ); 00597 } 00598 00599 /* Initialize context */ 00600 void mbedtls_aria_init( mbedtls_aria_context *ctx ) 00601 { 00602 ARIA_VALIDATE( ctx != NULL ); 00603 memset( ctx, 0, sizeof( mbedtls_aria_context ) ); 00604 } 00605 00606 /* Clear context */ 00607 void mbedtls_aria_free( mbedtls_aria_context *ctx ) 00608 { 00609 if( ctx == NULL ) 00610 return; 00611 00612 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); 00613 } 00614 00615 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00616 /* 00617 * ARIA-CBC buffer encryption/decryption 00618 */ 00619 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, 00620 int mode, 00621 size_t length, 00622 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 00623 const unsigned char *input, 00624 unsigned char *output ) 00625 { 00626 int i; 00627 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 00628 00629 ARIA_VALIDATE_RET( ctx != NULL ); 00630 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 00631 mode == MBEDTLS_ARIA_DECRYPT ); 00632 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 00633 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 00634 ARIA_VALIDATE_RET( iv != NULL ); 00635 00636 if( length % MBEDTLS_ARIA_BLOCKSIZE ) 00637 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); 00638 00639 if( mode == MBEDTLS_ARIA_DECRYPT ) 00640 { 00641 while( length > 0 ) 00642 { 00643 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); 00644 mbedtls_aria_crypt_ecb( ctx, input, output ); 00645 00646 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 00647 output[i] = (unsigned char)( output[i] ^ iv[i] ); 00648 00649 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); 00650 00651 input += MBEDTLS_ARIA_BLOCKSIZE; 00652 output += MBEDTLS_ARIA_BLOCKSIZE; 00653 length -= MBEDTLS_ARIA_BLOCKSIZE; 00654 } 00655 } 00656 else 00657 { 00658 while( length > 0 ) 00659 { 00660 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 00661 output[i] = (unsigned char)( input[i] ^ iv[i] ); 00662 00663 mbedtls_aria_crypt_ecb( ctx, output, output ); 00664 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); 00665 00666 input += MBEDTLS_ARIA_BLOCKSIZE; 00667 output += MBEDTLS_ARIA_BLOCKSIZE; 00668 length -= MBEDTLS_ARIA_BLOCKSIZE; 00669 } 00670 } 00671 00672 return( 0 ); 00673 } 00674 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00675 00676 #if defined(MBEDTLS_CIPHER_MODE_CFB) 00677 /* 00678 * ARIA-CFB128 buffer encryption/decryption 00679 */ 00680 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, 00681 int mode, 00682 size_t length, 00683 size_t *iv_off, 00684 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 00685 const unsigned char *input, 00686 unsigned char *output ) 00687 { 00688 unsigned char c; 00689 size_t n; 00690 00691 ARIA_VALIDATE_RET( ctx != NULL ); 00692 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 00693 mode == MBEDTLS_ARIA_DECRYPT ); 00694 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 00695 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 00696 ARIA_VALIDATE_RET( iv != NULL ); 00697 ARIA_VALIDATE_RET( iv_off != NULL ); 00698 00699 n = *iv_off; 00700 00701 /* An overly large value of n can lead to an unlimited 00702 * buffer overflow. Therefore, guard against this 00703 * outside of parameter validation. */ 00704 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 00705 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 00706 00707 if( mode == MBEDTLS_ARIA_DECRYPT ) 00708 { 00709 while( length-- ) 00710 { 00711 if( n == 0 ) 00712 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 00713 00714 c = *input++; 00715 *output++ = c ^ iv[n]; 00716 iv[n] = c; 00717 00718 n = ( n + 1 ) & 0x0F; 00719 } 00720 } 00721 else 00722 { 00723 while( length-- ) 00724 { 00725 if( n == 0 ) 00726 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 00727 00728 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 00729 00730 n = ( n + 1 ) & 0x0F; 00731 } 00732 } 00733 00734 *iv_off = n; 00735 00736 return( 0 ); 00737 } 00738 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 00739 00740 #if defined(MBEDTLS_CIPHER_MODE_CTR) 00741 /* 00742 * ARIA-CTR buffer encryption/decryption 00743 */ 00744 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, 00745 size_t length, 00746 size_t *nc_off, 00747 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 00748 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 00749 const unsigned char *input, 00750 unsigned char *output ) 00751 { 00752 int c, i; 00753 size_t n; 00754 00755 ARIA_VALIDATE_RET( ctx != NULL ); 00756 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 00757 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 00758 ARIA_VALIDATE_RET( nonce_counter != NULL ); 00759 ARIA_VALIDATE_RET( stream_block != NULL ); 00760 ARIA_VALIDATE_RET( nc_off != NULL ); 00761 00762 n = *nc_off; 00763 /* An overly large value of n can lead to an unlimited 00764 * buffer overflow. Therefore, guard against this 00765 * outside of parameter validation. */ 00766 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 00767 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 00768 00769 while( length-- ) 00770 { 00771 if( n == 0 ) { 00772 mbedtls_aria_crypt_ecb( ctx, nonce_counter, 00773 stream_block ); 00774 00775 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) 00776 if( ++nonce_counter[i - 1] != 0 ) 00777 break; 00778 } 00779 c = *input++; 00780 *output++ = (unsigned char)( c ^ stream_block[n] ); 00781 00782 n = ( n + 1 ) & 0x0F; 00783 } 00784 00785 *nc_off = n; 00786 00787 return( 0 ); 00788 } 00789 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 00790 #endif /* !MBEDTLS_ARIA_ALT */ 00791 00792 #if defined(MBEDTLS_SELF_TEST) 00793 00794 /* 00795 * Basic ARIA ECB test vectors from RFC 5794 00796 */ 00797 static const uint8_t aria_test1_ecb_key[32] = // test key 00798 { 00799 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 00800 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 00801 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 00802 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 00803 }; 00804 00805 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 00806 { 00807 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 00808 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 00809 }; 00810 00811 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 00812 { 00813 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 00814 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 00815 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 00816 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 00817 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 00818 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 00819 }; 00820 00821 /* 00822 * Mode tests from "Test Vectors for ARIA" Version 1.0 00823 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 00824 */ 00825 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 00826 defined(MBEDTLS_CIPHER_MODE_CTR)) 00827 static const uint8_t aria_test2_key[32] = 00828 { 00829 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 00830 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 00831 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 00832 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 00833 }; 00834 00835 static const uint8_t aria_test2_pt[48] = 00836 { 00837 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 00838 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 00839 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 00840 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 00841 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 00842 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 00843 }; 00844 #endif 00845 00846 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 00847 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 00848 { 00849 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 00850 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 00851 }; 00852 #endif 00853 00854 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00855 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 00856 { 00857 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 00858 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 00859 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 00860 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 00861 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 00862 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 00863 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 00864 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 00865 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 00866 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 00867 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 00868 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 00869 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 00870 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 00871 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 00872 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 00873 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 00874 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 00875 }; 00876 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00877 00878 #if defined(MBEDTLS_CIPHER_MODE_CFB) 00879 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 00880 { 00881 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 00882 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 00883 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 00884 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 00885 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 00886 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 00887 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 00888 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 00889 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 00890 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 00891 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 00892 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 00893 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 00894 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 00895 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 00896 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 00897 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 00898 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 00899 }; 00900 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 00901 00902 #if defined(MBEDTLS_CIPHER_MODE_CTR) 00903 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 00904 { 00905 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 00906 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 00907 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 00908 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 00909 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 00910 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 00911 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 00912 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 00913 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 00914 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 00915 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 00916 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 00917 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 00918 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 00919 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 00920 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 00921 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 00922 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 00923 }; 00924 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 00925 00926 #define ARIA_SELF_TEST_IF_FAIL \ 00927 { \ 00928 if( verbose ) \ 00929 mbedtls_printf( "failed\n" ); \ 00930 return( 1 ); \ 00931 } else { \ 00932 if( verbose ) \ 00933 mbedtls_printf( "passed\n" ); \ 00934 } 00935 00936 /* 00937 * Checkup routine 00938 */ 00939 int mbedtls_aria_self_test( int verbose ) 00940 { 00941 int i; 00942 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 00943 mbedtls_aria_context ctx; 00944 00945 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 00946 size_t j; 00947 #endif 00948 00949 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 00950 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 00951 defined(MBEDTLS_CIPHER_MODE_CTR)) 00952 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 00953 #endif 00954 00955 /* 00956 * Test set 1 00957 */ 00958 for( i = 0; i < 3; i++ ) 00959 { 00960 /* test ECB encryption */ 00961 if( verbose ) 00962 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); 00963 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 00964 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); 00965 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 00966 ARIA_SELF_TEST_IF_FAIL; 00967 00968 /* test ECB decryption */ 00969 if( verbose ) 00970 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); 00971 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 00972 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); 00973 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 00974 ARIA_SELF_TEST_IF_FAIL; 00975 } 00976 if( verbose ) 00977 mbedtls_printf( "\n" ); 00978 00979 /* 00980 * Test set 2 00981 */ 00982 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00983 for( i = 0; i < 3; i++ ) 00984 { 00985 /* Test CBC encryption */ 00986 if( verbose ) 00987 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); 00988 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 00989 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 00990 memset( buf, 0x55, sizeof( buf ) ); 00991 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 00992 aria_test2_pt, buf ); 00993 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) 00994 ARIA_SELF_TEST_IF_FAIL; 00995 00996 /* Test CBC decryption */ 00997 if( verbose ) 00998 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); 00999 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); 01000 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 01001 memset( buf, 0xAA, sizeof( buf ) ); 01002 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 01003 aria_test2_cbc_ct[i], buf ); 01004 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 01005 ARIA_SELF_TEST_IF_FAIL; 01006 } 01007 if( verbose ) 01008 mbedtls_printf( "\n" ); 01009 01010 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01011 01012 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01013 for( i = 0; i < 3; i++ ) 01014 { 01015 /* Test CFB encryption */ 01016 if( verbose ) 01017 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); 01018 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 01019 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 01020 memset( buf, 0x55, sizeof( buf ) ); 01021 j = 0; 01022 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 01023 aria_test2_pt, buf ); 01024 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) 01025 ARIA_SELF_TEST_IF_FAIL; 01026 01027 /* Test CFB decryption */ 01028 if( verbose ) 01029 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); 01030 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 01031 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 01032 memset( buf, 0xAA, sizeof( buf ) ); 01033 j = 0; 01034 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 01035 iv, aria_test2_cfb_ct[i], buf ); 01036 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 01037 ARIA_SELF_TEST_IF_FAIL; 01038 } 01039 if( verbose ) 01040 mbedtls_printf( "\n" ); 01041 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01042 01043 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01044 for( i = 0; i < 3; i++ ) 01045 { 01046 /* Test CTR encryption */ 01047 if( verbose ) 01048 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); 01049 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 01050 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 01051 memset( buf, 0x55, sizeof( buf ) ); 01052 j = 0; 01053 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 01054 aria_test2_pt, buf ); 01055 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) 01056 ARIA_SELF_TEST_IF_FAIL; 01057 01058 /* Test CTR decryption */ 01059 if( verbose ) 01060 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); 01061 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 01062 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 01063 memset( buf, 0xAA, sizeof( buf ) ); 01064 j = 0; 01065 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 01066 aria_test2_ctr_ct[i], buf ); 01067 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 01068 ARIA_SELF_TEST_IF_FAIL; 01069 } 01070 if( verbose ) 01071 mbedtls_printf( "\n" ); 01072 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01073 01074 return( 0 ); 01075 } 01076 01077 #endif /* MBEDTLS_SELF_TEST */ 01078 01079 #endif /* MBEDTLS_ARIA_C */
Generated on Tue Jul 12 2022 13:54:01 by
1.7.2