AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ARIA cipher implementation

Browse Source
This commit is contained in:
Markku-Juhani O. Saarinen 2017-11-30 11:37:55 +00:00 committed by Manuel Pégourié-Gonnard
parent 1bf6123fca
commit 41efbaabc9
2 changed files with 943 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
include/mbedtls/aria.h Normal file
View File

@ -0,0 +1,237 @@
/**
* \file aria.h
*
* \brief ARIA block cipher
*
* Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ARIA_H
#define MBEDTLS_ARIA_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include <stddef.h>
#include <stdint.h>
#define MBEDTLS_ARIA_ENCRYPT 1
#define MBEDTLS_ARIA_DECRYPT 0
#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
#if !defined(MBEDTLS_ARIA_ALT)
// Regular implementation
//
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief ARIA context structure
*/
typedef struct
{
int nr; // rounds: nr = 12, 14, or 16
uint32_t rk[17][4]; // nr+1 round keys (+1 for final)
}
mbedtls_aria_context;
/**
* \brief Initialize ARIA context
*
* \param ctx ARIA context to be initialized
*/
void mbedtls_aria_init( mbedtls_aria_context *ctx );
/**
* \brief Clear ARIA context
*
* \param ctx ARIA context to be cleared
*/
void mbedtls_aria_free( mbedtls_aria_context *ctx );
/**
* \brief ARIA key schedule (encryption)
*
* \param ctx ARIA context to be initialized
* \param key encryption key
* \param keybits must be 128, 192 or 256
*
* \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
*/
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, const unsigned char *key,
unsigned int keybits );
/**
* \brief ARIA key schedule (decryption)
*
* \param ctx ARIA context to be initialized
* \param key decryption key
* \param keybits must be 128, 192 or 256
*
* \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
*/
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, const unsigned char *key,
unsigned int keybits );
/**
* \brief ARIA-ECB block encryption/decryption
*
* \param ctx ARIA context
* \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT
* \param input 16-byte input block
* \param output 16-byte output block
*
* \return 0 if successful
*/
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
int mode,
const unsigned char input[16],
unsigned char output[16] );
#if defined(MBEDTLS_CIPHER_MODE_CBC)
/**
* \brief ARIA-CBC buffer encryption/decryption
* Length should be a multiple of the block
* size (16 bytes)
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
* block(s) of data and get the same result as if it was
* encrypted in one call. This allows a "streaming" usage.
* If on the other hand you need to retain the contents of the
* IV, you should either save it manually or use the cipher
* module instead.
*
* \param ctx ARIA context
* \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT
* \param length length of the input data
* \param iv initialization vector (updated after use)
* \param input buffer holding the input data
* \param output buffer holding the output data
*
* \return 0 if successful, or
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
*/
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
int mode,
size_t length,
unsigned char iv[16],
const unsigned char *input,
unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/**
* \brief ARIA-CFB128 buffer encryption/decryption
*
* Note: Due to the nature of CFB you should use the same key schedule for
* both encryption and decryption. So a context initialized with
* mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and CAMELLIE_DECRYPT.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
* block(s) of data and get the same result as if it was
* encrypted in one call. This allows a "streaming" usage.
* If on the other hand you need to retain the contents of the
* IV, you should either save it manually or use the cipher
* module instead.
*
* \param ctx ARIA context
* \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT
* \param length length of the input data
* \param iv_off offset in IV (updated after use)
* \param iv initialization vector (updated after use)
* \param input buffer holding the input data
* \param output buffer holding the output data
*
* \return 0 if successful, or
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
*/
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
int mode,
size_t length,
size_t *iv_off,
unsigned char iv[16],
const unsigned char *input,
unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_CFB */
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/**
* \brief ARIA-CTR buffer encryption/decryption
*
* Warning: You have to keep the maximum use of your counter in mind!
*
* Note: Due to the nature of CTR you should use the same key schedule for
* both encryption and decryption. So a context initialized with
* mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and MBEDTLS_ARIA_DECRYPT.
*
* \param ctx ARIA context
* \param length The length of the data
* \param nc_off The offset in the current stream_block (for resuming
* within current cipher stream). The offset pointer to
* should be 0 at the start of a stream.
* \param nonce_counter The 128-bit nonce and counter.
* \param stream_block The saved stream-block for resuming. Is overwritten
* by the function.
* \param input The input data stream
* \param output The output data stream
*
* \return 0 if successful
*/
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
size_t length,
size_t *nc_off,
unsigned char nonce_counter[16],
unsigned char stream_block[16],
const unsigned char *input,
unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#ifdef __cplusplus
}
#endif
#else /* MBEDTLS_ARIA_ALT */
#include "aria_alt.h"
#endif /* MBEDTLS_ARIA_ALT */
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_aria_self_test( int verbose );
#ifdef __cplusplus
}
#endif
#endif /* aria.h */

706
library/aria.c Normal file
View File

@ -0,0 +1,706 @@
/*
* ARIA implementation
*
* Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_ARIA_C)
#include "mbedtls/aria.h"
#include <string.h>
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_ARIA_ALT)
// 32-bit integer manipulation macros (little endian)
#ifndef GET_UINT32_LE
#define GET_UINT32_LE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
// Affine Transform A
// (ra, rb, rc, rd) = state in/out
// (ta, tb, tc) = temporary variables
#define ARIA_A( ra, rb, rc, rd, ta, tb, tc ) { \
ta = rb; \
rb = ra; \
ra = ARIA_FLIP1( ta ); \
tb = ARIA_FLIP1( rd ); \
rd = ARIA_FLIP2( rc ); \
rc = ARIA_FLIP2( tb ); \
ta ^= rd; \
tc = ARIA_FLIP1( rb ); \
ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
tb ^= ARIA_FLIP1( rd ); \
tc ^= ARIA_FLIP2( ra ); \
rb ^= ta ^ tb; \
tb = ARIA_FLIP1( tb ) ^ ta; \
ra ^= ARIA_FLIP2( tb ); \
ta = ARIA_FLIP1( ta ); \
rd ^= ARIA_FLIP2( ta ) ^ tc; \
tc = ARIA_FLIP1( tc ); \
rc ^= ARIA_FLIP2( tc ) ^ ta; \
}
// ARIA Round function ( Substitution Layer SLx + Affine Transform A )
// (ra, rb, rc, rd) = state in/out
// (sa, sb, sc, sd) = 256 8-bit S-Boxes
// (ta, tb, tc) = temporary variables
#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \
ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
(((uint32_t) sd[ rb >> 24]) << 8) ^ \
(((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
(((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
(((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
(((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
(((uint32_t) sd[ ra >> 24]) << 24); \
ra = ta; \
ta = ( (uint32_t) sd[ rd >> 24]) ^ \
(((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
(((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
(((uint32_t) sa[ rd & 0xFF]) << 24); \
rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
(((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
(((uint32_t) sd[ rc >> 24]) << 16) ^ \
(((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
rc = ta; \
ta = ARIA_FLIP1( ra ) ^ rd; \
tc = ARIA_FLIP1( rb ); \
ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
tc ^= ARIA_FLIP2( ra ); \
rb ^= ta^ tb; \
tb = ARIA_FLIP1( tb ) ^ ta; \
ra ^= ARIA_FLIP2( tb ); \
ta = ARIA_FLIP1( ta ); \
rd ^= ARIA_FLIP2( ta ) ^ tc; \
tc = ARIA_FLIP1( tc ); \
rc ^= ARIA_FLIP2( tc ) ^ ta; \
}
// S-Boxes
static const uint8_t aria_sb1[0x100] =
{
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
0xB0, 0x54, 0xBB, 0x16
};
static const uint8_t aria_sb2[0x100] =
{
0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
0xAF, 0xBA, 0xB5, 0x81
};
static const uint8_t aria_is1[0x100] =
{
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
0x55, 0x21, 0x0C, 0x7D
};
static const uint8_t aria_is2[0x100] =
{
0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
0x03, 0xA2, 0xAC, 0x60
};
// FO and FE are helpers for key schedule
// r = FO( p, k ) ^ x
static void aria_fo( uint32_t r[4],
const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
{
uint32_t a, b, c, d;
uint32_t t, u, v;
a = p[0] ^ k[0];
b = p[1] ^ k[1];
c = p[2] ^ k[2];
d = p[3] ^ k[3];
ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
r[0] = a ^ x[0];
r[1] = b ^ x[1];
r[2] = c ^ x[2];
r[3] = d ^ x[3];
}
// r = FE( p, k ) ^ x
static void aria_fe(uint32_t r[4],
const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
{
uint32_t a, b, c, d;
uint32_t t, u, v;
a = p[0] ^ k[0];
b = p[1] ^ k[1];
c = p[2] ^ k[2];
d = p[3] ^ k[3];
ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
r[0] = a ^ x[0];
r[1] = b ^ x[1];
r[2] = c ^ x[2];
r[3] = d ^ x[3];
}
// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup.
// This is relatively slow since our implementation is geared towards
// little-endian targets and stores state in that order.
static void aria_rot128(uint32_t r[4], const uint32_t a[4],
const uint32_t b[4], int n)
{
int i, j, n1, n2;
uint32_t t, u;
j = (n >> 5) & 3; // word offset
n1 = n & 0x1F; // bit offsets
n2 = 32 - n1; // n1 should be nonzero!
t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
for( i = 0; i < 4; i++ )
{
j = (j + 1) & 3; // get next word, big endian
u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
t <<= n1; // rotate
if (n2 < 32) // intel rotate 32 bits = 0 bits..
t |= u >> n2;
t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
r[i] = a[i] ^ t; // store
t = u; // move to next word
}
}
// Set encryption key
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
const unsigned char *key, unsigned int keybits)
{
// round constant masks
const uint32_t rc[3][4] =
{
{ 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
{ 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
{ 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
};
int i;
uint32_t w[4][4], *w2;
if (keybits != 128 && keybits != 192 && keybits != 256)
return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
// W0 = KL
GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1
GET_UINT32_LE( w[0][1], key, 4 );
GET_UINT32_LE( w[0][2], key, 8 );
GET_UINT32_LE( w[0][3], key, 12 );
memset(w[1], 0, 16);
if( keybits >= 192 )
{
GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
GET_UINT32_LE( w[1][1], key, 20 );
}
if( keybits == 256 )
{
GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
GET_UINT32_LE( w[1][3], key, 28 );
}
i = (keybits - 128) >> 6; // index: 0, 1, 2
ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
aria_fo( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
i = i < 2 ? i + 1 : 0;
aria_fe( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
i = i < 2 ? i + 1 : 0;
aria_fo( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
for( i = 0; i < 4; i++ ) // create round keys
{
w2 = w[(i + 1) & 3];
aria_rot128( ctx->rk[i ], w[i], w2, -19);
aria_rot128( ctx->rk[i + 4], w[i], w2, -31);
aria_rot128( ctx->rk[i + 8], w[i], w2, 61);
aria_rot128( ctx->rk[i + 12], w[i], w2, 31);
}
aria_rot128( ctx->rk[16], w[0], w[1], 19 );
return 0;
}
// Set decryption key
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
const unsigned char *key, unsigned int keybits)
{
int i, j, k, ret;
uint32_t t, u, v;
ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
if( ret != 0 )
return ret;
// flip the order of round keys
for( i = 0, j = ctx->nr; i < j; i++, j-- )
{
for( k = 0; k < 4; k++ )
{
t = ctx->rk[i][k];
ctx->rk[i][k] = ctx->rk[j][k];
ctx->rk[j][k] = t;
}
}
// apply affine transform to middle keys
for (i = 1; i < ctx->nr; i++ )
{
ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3],
t, u, v );
}
return 0;
}
// Encrypt a block
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
int mode,
const unsigned char input[16],
unsigned char output[16] )
{
int i;
uint32_t a, b, c, d;
uint32_t t, u, v;
( (void) mode );
GET_UINT32_LE( a, input, 0 );
GET_UINT32_LE( b, input, 4 );
GET_UINT32_LE( c, input, 8 );
GET_UINT32_LE( d, input, 12 );
i = 0;
while (1)
{
a ^= ctx->rk[i][0];
b ^= ctx->rk[i][1];
c ^= ctx->rk[i][2];
d ^= ctx->rk[i][3];
i++;
ARIA_SLA( a, b, c, d,
aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
a ^= ctx->rk[i][0];
b ^= ctx->rk[i][1];
c ^= ctx->rk[i][2];
d ^= ctx->rk[i][3];
i++;
if (i >= ctx->nr)
break;
ARIA_SLA( a, b, c, d,
aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
}
// final substitution
a = ctx->rk[i][0] ^
( (uint32_t) aria_is1[ a & 0xFF]) ^
(((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
(((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
(((uint32_t) aria_sb2[ a >> 24 ]) << 24);
b = ctx->rk[i][1] ^
( (uint32_t) aria_is1[ b & 0xFF]) ^
(((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
(((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
(((uint32_t) aria_sb2[ b >> 24 ]) << 24);
c = ctx->rk[i][2] ^
( (uint32_t) aria_is1[ c & 0xFF]) ^
(((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
(((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
(((uint32_t) aria_sb2[ c >> 24 ]) << 24);
d = ctx->rk[i][3] ^
( (uint32_t) aria_is1[ d & 0xFF]) ^
(((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
(((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
(((uint32_t) aria_sb2[ d >> 24 ]) << 24);
PUT_UINT32_LE( a, output, 0 );
PUT_UINT32_LE( b, output, 4 );
PUT_UINT32_LE( c, output, 8 );
PUT_UINT32_LE( d, output, 12 );
return 0;
}
#if defined(MBEDTLS_CIPHER_MODE_CBC)
/*
* ARIA-CBC buffer encryption/decryption
*/
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
int mode,
size_t length,
unsigned char iv[16],
const unsigned char *input,
unsigned char *output )
{
int i;
unsigned char temp[16];
if( length % 16 )
return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
if( mode == MBEDTLS_ARIA_DECRYPT )
{
while( length > 0 )
{
memcpy( temp, input, 16 );
mbedtls_aria_crypt_ecb( ctx, mode, input, output );
for( i = 0; i < 16; i++ )
output[i] = (unsigned char)( output[i] ^ iv[i] );
memcpy( iv, temp, 16 );
input += 16;
output += 16;
length -= 16;
}
}
else
{
while( length > 0 )
{
for( i = 0; i < 16; i++ )
output[i] = (unsigned char)( input[i] ^ iv[i] );
mbedtls_aria_crypt_ecb( ctx, mode, output, output );
memcpy( iv, output, 16 );
input += 16;
output += 16;
length -= 16;
}
}
return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/*
* ARIA-CFB128 buffer encryption/decryption
*/
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
int mode,
size_t length,
size_t *iv_off,
unsigned char iv[16],
const unsigned char *input,
unsigned char *output )
{
int c;
size_t n = *iv_off;
if( mode == MBEDTLS_ARIA_DECRYPT )
{
while( length-- )
{
if( n == 0 )
mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
c = *input++;
*output++ = (unsigned char)( c ^ iv[n] );
iv[n] = (unsigned char) c;
n = ( n + 1 ) & 0x0F;
}
}
else
{
while( length-- )
{
if( n == 0 )
mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
n = ( n + 1 ) & 0x0F;
}
}
*iv_off = n;
return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CFB */
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
* ARIA-CTR buffer encryption/decryption
*/
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
size_t length,
size_t *nc_off,
unsigned char nonce_counter[16],
unsigned char stream_block[16],
const unsigned char *input,
unsigned char *output )
{
int c, i;
size_t n = *nc_off;
while( length-- )
{
if( n == 0 ) {
mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
stream_block );
for( i = 16; i > 0; i-- )
if( ++nonce_counter[i - 1] != 0 )
break;
}
c = *input++;
*output++ = (unsigned char)( c ^ stream_block[n] );
n = ( n + 1 ) & 0x0F;
}
*nc_off = n;
return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#endif /* !MBEDTLS_ARIA_ALT */
#if defined(MBEDTLS_SELF_TEST)
/*
* Checkup routine
*/
int mbedtls_aria_self_test( int verbose )
{
// ECB test vectors from RFC 5794
const uint8_t aria_ecb_test_key[32] = // test key
{
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
};
const uint8_t aria_ecb_test_pt[16] = // plaintext
{
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
};
const uint8_t aria_ecb_test_ct[3][16] = // ciphertext
{
{ 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }
,
{ 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }
,
{ 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
};
int i;
uint8_t blk[16];
mbedtls_aria_context ctx;
for( i = 0; i < 3; i++ )
{
// test encryption
if( verbose )
printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
mbedtls_aria_setkey_enc( &ctx, aria_ecb_test_key, 128 + 64 * i );
mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
aria_ecb_test_pt, blk );
if( memcmp( blk, aria_ecb_test_ct[i], 16 ) != 0 )
{
if( verbose )
printf( "failed\n" );
return( 1 );
}
if( verbose )
printf( "passed\n" );
// test decryption
if( verbose )
printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
mbedtls_aria_setkey_dec( &ctx, aria_ecb_test_key, 128 + 64 * i );
mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
aria_ecb_test_ct[i], blk );
if (memcmp( blk, aria_ecb_test_pt, 16 ) != 0)
{
if( verbose )
printf( "failed\n" );
return( 1 );
}
if( verbose )
printf( "passed\n" );
}
printf("\n");
return( 0 );
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_ARIA_C */