2017-11-30 11:37:55 +00:00
|
|
|
/*
|
|
|
|
* ARIA implementation
|
|
|
|
*
|
|
|
|
* Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
|
Update license headers to Apache-2.0 OR GPL-2.0-or-later
This will allow us to ship the LTS branches in a single archive
This commit was generated using the following script:
# ========================
#!/bin/sh
header1='\ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later\
*\
* This file is provided under the Apache License 2.0, or the\
* GNU General Public License v2.0 or later.\
*\
* **********\
* Apache License 2.0:\
*\
* Licensed under the Apache License, Version 2.0 (the "License"); you may\
* not use this file except in compliance with the License.\
* You may obtain a copy of the License at\
*\
* http://www.apache.org/licenses/LICENSE-2.0\
*\
* Unless required by applicable law or agreed to in writing, software\
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
* See the License for the specific language governing permissions and\
* limitations under the License.\
*\
* **********\
*\
* **********\
* GNU General Public License v2.0 or later:\
*\
* This program is free software; you can redistribute it and/or modify\
* it under the terms of the GNU General Public License as published by\
* the Free Software Foundation; either version 2 of the License, or\
* (at your option) any later version.\
*\
* This program is distributed in the hope that it will be useful,\
* but WITHOUT ANY WARRANTY; without even the implied warranty of\
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\
* GNU General Public License for more details.\
*\
* You should have received a copy of the GNU General Public License along\
* with this program; if not, write to the Free Software Foundation, Inc.,\
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\
*\
* **********'
find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i "
# Normalize the first line of the copyright headers (no text on the first line of a block comment)
/^\/\*.*Copyright.*Arm/I s/\/\*/&\n */
# Insert new copyright header
/SPDX-License-Identifier/ i\
$header1
# Delete old copyright header
/SPDX-License-Identifier/,$ {
# Delete lines until the one preceding the mbedtls declaration
N
1,/This file is part of/ {
/This file is part of/! D
}
}
"
# Format copyright header for inclusion into scripts
header2=$(echo "$header1" | sed 's/^\\\? \* \?/#/')
find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i "
# Insert new copyright header
/SPDX-License-Identifier/ i\
$header2
# Delete old copyright header
/SPDX-License-Identifier/,$ {
# Delete lines until the one preceding the mbedtls declaration
N
1,/This file is part of/ {
/This file is part of/! D
}
}
"
# ========================
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-05 11:02:18 +00:00
|
|
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
|
|
*
|
|
|
|
* This file is provided under the Apache License 2.0, or the
|
|
|
|
* GNU General Public License v2.0 or later.
|
|
|
|
*
|
|
|
|
* **********
|
|
|
|
* Apache License 2.0:
|
2017-11-30 11:37:55 +00:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
* not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*
|
Update license headers to Apache-2.0 OR GPL-2.0-or-later
This will allow us to ship the LTS branches in a single archive
This commit was generated using the following script:
# ========================
#!/bin/sh
header1='\ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later\
*\
* This file is provided under the Apache License 2.0, or the\
* GNU General Public License v2.0 or later.\
*\
* **********\
* Apache License 2.0:\
*\
* Licensed under the Apache License, Version 2.0 (the "License"); you may\
* not use this file except in compliance with the License.\
* You may obtain a copy of the License at\
*\
* http://www.apache.org/licenses/LICENSE-2.0\
*\
* Unless required by applicable law or agreed to in writing, software\
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
* See the License for the specific language governing permissions and\
* limitations under the License.\
*\
* **********\
*\
* **********\
* GNU General Public License v2.0 or later:\
*\
* This program is free software; you can redistribute it and/or modify\
* it under the terms of the GNU General Public License as published by\
* the Free Software Foundation; either version 2 of the License, or\
* (at your option) any later version.\
*\
* This program is distributed in the hope that it will be useful,\
* but WITHOUT ANY WARRANTY; without even the implied warranty of\
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\
* GNU General Public License for more details.\
*\
* You should have received a copy of the GNU General Public License along\
* with this program; if not, write to the Free Software Foundation, Inc.,\
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\
*\
* **********'
find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i "
# Normalize the first line of the copyright headers (no text on the first line of a block comment)
/^\/\*.*Copyright.*Arm/I s/\/\*/&\n */
# Insert new copyright header
/SPDX-License-Identifier/ i\
$header1
# Delete old copyright header
/SPDX-License-Identifier/,$ {
# Delete lines until the one preceding the mbedtls declaration
N
1,/This file is part of/ {
/This file is part of/! D
}
}
"
# Format copyright header for inclusion into scripts
header2=$(echo "$header1" | sed 's/^\\\? \* \?/#/')
find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i "
# Insert new copyright header
/SPDX-License-Identifier/ i\
$header2
# Delete old copyright header
/SPDX-License-Identifier/,$ {
# Delete lines until the one preceding the mbedtls declaration
N
1,/This file is part of/ {
/This file is part of/! D
}
}
"
# ========================
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-05 11:02:18 +00:00
|
|
|
* **********
|
|
|
|
*
|
|
|
|
* **********
|
|
|
|
* GNU General Public License v2.0 or later:
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License along
|
|
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
*
|
|
|
|
* **********
|
|
|
|
*
|
2017-11-30 11:37:55 +00:00
|
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
|
|
*/
|
|
|
|
|
2018-02-20 12:45:44 +00:00
|
|
|
/*
|
|
|
|
* This implementation is based on the following standards:
|
|
|
|
* [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
|
|
|
|
* [2] https://tools.ietf.org/html/rfc5794
|
|
|
|
*/
|
|
|
|
|
2017-11-30 11:37:55 +00:00
|
|
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
|
|
|
#include "mbedtls/config.h"
|
|
|
|
#else
|
|
|
|
#include MBEDTLS_CONFIG_FILE
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_ARIA_C)
|
|
|
|
|
|
|
|
#include "mbedtls/aria.h"
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_SELF_TEST)
|
|
|
|
#if defined(MBEDTLS_PLATFORM_C)
|
|
|
|
#include "mbedtls/platform.h"
|
|
|
|
#else
|
|
|
|
#include <stdio.h>
|
|
|
|
#define mbedtls_printf printf
|
|
|
|
#endif /* MBEDTLS_PLATFORM_C */
|
|
|
|
#endif /* MBEDTLS_SELF_TEST */
|
|
|
|
|
|
|
|
#if !defined(MBEDTLS_ARIA_ALT)
|
|
|
|
|
2018-05-22 14:05:33 +00:00
|
|
|
#include "mbedtls/platform_util.h"
|
|
|
|
|
2018-02-28 11:38:04 +00:00
|
|
|
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
|
|
|
!defined(inline) && !defined(__cplusplus)
|
|
|
|
#define inline __inline
|
|
|
|
#endif
|
|
|
|
|
2018-12-11 21:51:32 +00:00
|
|
|
/* Parameter validation macros */
|
|
|
|
#define ARIA_VALIDATE_RET( cond ) \
|
|
|
|
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
|
|
|
|
#define ARIA_VALIDATE( cond ) \
|
|
|
|
MBEDTLS_INTERNAL_VALIDATE( cond )
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* 32-bit integer manipulation macros (little endian)
|
|
|
|
*/
|
2017-11-30 11:37:55 +00:00
|
|
|
#ifndef GET_UINT32_LE
|
2018-02-28 09:54:31 +00:00
|
|
|
#define GET_UINT32_LE( n, b, i ) \
|
2017-11-30 11:37:55 +00:00
|
|
|
{ \
|
|
|
|
(n) = ( (uint32_t) (b)[(i) ] ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef PUT_UINT32_LE
|
2018-02-28 09:54:31 +00:00
|
|
|
#define PUT_UINT32_LE( n, b, i ) \
|
2017-11-30 11:37:55 +00:00
|
|
|
{ \
|
|
|
|
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
|
|
|
|
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
|
|
|
|
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
|
|
|
|
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2018-02-26 10:59:16 +00:00
|
|
|
/*
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
|
2018-02-26 10:59:16 +00:00
|
|
|
*
|
|
|
|
* This is submatrix P1 in [1] Appendix B.1
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
*
|
|
|
|
* Common compilers fail to translate this to minimal number of instructions,
|
|
|
|
* so let's provide asm versions for common platforms with C fallback.
|
2018-02-26 10:59:16 +00:00
|
|
|
*/
|
2018-02-27 09:22:26 +00:00
|
|
|
#if defined(MBEDTLS_HAVE_ASM)
|
2018-03-01 09:37:47 +00:00
|
|
|
#if defined(__arm__) /* rev16 available from v6 up */
|
2018-02-27 09:22:26 +00:00
|
|
|
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
|
|
|
|
#if defined(__GNUC__) && \
|
2018-03-01 09:37:47 +00:00
|
|
|
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
|
|
|
|
__ARM_ARCH >= 6
|
2018-02-27 09:22:26 +00:00
|
|
|
static inline uint32_t aria_p1( uint32_t x )
|
|
|
|
{
|
|
|
|
uint32_t r;
|
2018-03-01 10:27:14 +00:00
|
|
|
__asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
|
2018-02-27 09:22:26 +00:00
|
|
|
return( r );
|
|
|
|
}
|
|
|
|
#define ARIA_P1 aria_p1
|
2018-03-01 09:37:47 +00:00
|
|
|
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
|
|
|
|
( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
|
2018-02-28 11:38:04 +00:00
|
|
|
static inline uint32_t aria_p1( uint32_t x )
|
2018-02-27 09:22:26 +00:00
|
|
|
{
|
|
|
|
uint32_t r;
|
|
|
|
__asm( "rev16 r, x" );
|
|
|
|
return( r );
|
|
|
|
}
|
|
|
|
#define ARIA_P1 aria_p1
|
|
|
|
#endif
|
|
|
|
#endif /* arm */
|
|
|
|
#if defined(__GNUC__) && \
|
|
|
|
defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
|
2018-05-22 11:39:01 +00:00
|
|
|
/* I couldn't find an Intel equivalent of rev16, so two instructions */
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
|
2018-02-27 09:22:26 +00:00
|
|
|
#endif /* x86 gnuc */
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
#endif /* MBEDTLS_HAVE_ASM && GNUC */
|
|
|
|
#if !defined(ARIA_P1)
|
2018-02-26 10:59:16 +00:00
|
|
|
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
#endif
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-26 10:59:16 +00:00
|
|
|
/*
|
|
|
|
* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
|
|
|
|
*
|
|
|
|
* This is submatrix P2 in [1] Appendix B.1
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
*
|
|
|
|
* Common compilers will translate this to a single instruction.
|
2018-02-26 10:59:16 +00:00
|
|
|
*/
|
|
|
|
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-26 14:23:03 +00:00
|
|
|
/*
|
|
|
|
* modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
|
|
|
|
*
|
|
|
|
* This is submatrix P3 in [1] Appendix B.1
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
*
|
|
|
|
* Some compilers fail to translate this to a single instruction,
|
|
|
|
* so let's provide asm versions for common platforms with C fallback.
|
2018-02-26 14:23:03 +00:00
|
|
|
*/
|
2018-02-27 09:22:26 +00:00
|
|
|
#if defined(MBEDTLS_HAVE_ASM)
|
2018-03-01 09:37:47 +00:00
|
|
|
#if defined(__arm__) /* rev available from v6 up */
|
2018-02-27 09:22:26 +00:00
|
|
|
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
|
|
|
|
#if defined(__GNUC__) && \
|
2018-03-01 09:37:47 +00:00
|
|
|
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
|
|
|
|
__ARM_ARCH >= 6
|
2018-02-27 09:22:26 +00:00
|
|
|
static inline uint32_t aria_p3( uint32_t x )
|
|
|
|
{
|
|
|
|
uint32_t r;
|
2018-03-01 10:27:14 +00:00
|
|
|
__asm( "rev %0, %1" : "=l" (r) : "l" (x) );
|
2018-02-27 09:22:26 +00:00
|
|
|
return( r );
|
|
|
|
}
|
|
|
|
#define ARIA_P3 aria_p3
|
2018-03-01 09:37:47 +00:00
|
|
|
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
|
|
|
|
( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
|
2018-02-28 11:38:04 +00:00
|
|
|
static inline uint32_t aria_p3( uint32_t x )
|
2018-02-27 09:22:26 +00:00
|
|
|
{
|
|
|
|
uint32_t r;
|
|
|
|
__asm( "rev r, x" );
|
|
|
|
return( r );
|
|
|
|
}
|
|
|
|
#define ARIA_P3 aria_p3
|
|
|
|
#endif
|
|
|
|
#endif /* arm */
|
|
|
|
#if defined(__GNUC__) && \
|
|
|
|
defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
static inline uint32_t aria_p3( uint32_t x )
|
|
|
|
{
|
2018-03-01 10:27:14 +00:00
|
|
|
__asm( "bswap %0" : "=r" (x) : "0" (x) );
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
return( x );
|
|
|
|
}
|
|
|
|
#define ARIA_P3 aria_p3
|
2018-02-27 09:22:26 +00:00
|
|
|
#endif /* x86 gnuc */
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
#endif /* MBEDTLS_HAVE_ASM && GNUC */
|
|
|
|
#if !defined(ARIA_P3)
|
2018-02-26 14:23:03 +00:00
|
|
|
#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
|
aria: optimise byte perms on Intel
(A similar commit for Arm follows.)
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.
ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)
I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)
Before:
O aria.o ins
s 7976 43,865
2 10520 37,631
3 13040 28,146
After:
O aria.o ins
s 7768 33,497
2 9816 28,268
3 11432 20,829
For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-26 15:08:40 +00:00
|
|
|
#endif
|
2018-02-26 14:23:03 +00:00
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
2018-02-21 11:35:19 +00:00
|
|
|
* ARIA Affine Transform
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* (a, b, c, d) = state in/out
|
|
|
|
*
|
2018-05-22 10:56:11 +00:00
|
|
|
* If we denote the first byte of input by 0, ..., the last byte by f,
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
|
|
|
|
*
|
2018-02-28 11:38:21 +00:00
|
|
|
* Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* rearrangements on adjacent pairs, output is:
|
|
|
|
*
|
|
|
|
* a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
|
|
|
|
* = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
|
aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.
#!/usr/bin/python3
RFC_A = """
y0 = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14,
y1 = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15,
y2 = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
y3 = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
y4 = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15,
y5 = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15,
y6 = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13,
y7 = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13,
y8 = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15,
y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14,
y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15,
y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14,
y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12,
y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13,
y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14,
y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15.
"""
matrix = []
for l in RFC_A.split('\n')[1:-1]:
rhs = l.split('=')[1][:-1]
row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
matrix.append(row)
out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))
out2 = {}
for o, r in out.items():
row = list(r)
for i in range(len(r) - 1):
w1 = row[i]
if len(set(w1)) == 2:
w2 = row[i+1]
nw1 = nw2 = ''
for j in range(len(w1)):
if w1[j] in nw1:
nw1 += w2[j]
nw2 += w1[j]
else:
nw1 += w1[j]
nw2 += w2[j]
row[i] = nw1
row[i+1] = nw2
out2[o] = row
for o in 'abcd':
print(o, '=', ' + '.join(out[o]))
print(' ', '=', ' + '.join(out2[o]))
2018-03-01 13:48:10 +00:00
|
|
|
* b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
|
aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.
#!/usr/bin/python3
RFC_A = """
y0 = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14,
y1 = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15,
y2 = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
y3 = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
y4 = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15,
y5 = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15,
y6 = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13,
y7 = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13,
y8 = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15,
y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14,
y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15,
y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14,
y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12,
y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13,
y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14,
y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15.
"""
matrix = []
for l in RFC_A.split('\n')[1:-1]:
rhs = l.split('=')[1][:-1]
row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
matrix.append(row)
out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))
out2 = {}
for o, r in out.items():
row = list(r)
for i in range(len(r) - 1):
w1 = row[i]
if len(set(w1)) == 2:
w2 = row[i+1]
nw1 = nw2 = ''
for j in range(len(w1)):
if w1[j] in nw1:
nw1 += w2[j]
nw2 += w1[j]
else:
nw1 += w1[j]
nw2 += w2[j]
row[i] = nw1
row[i+1] = nw2
out2[o] = row
for o in 'abcd':
print(o, '=', ' + '.join(out[o]))
print(' ', '=', ' + '.join(out2[o]))
2018-03-01 13:48:10 +00:00
|
|
|
* c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
|
aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.
#!/usr/bin/python3
RFC_A = """
y0 = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14,
y1 = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15,
y2 = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
y3 = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
y4 = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15,
y5 = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15,
y6 = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13,
y7 = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13,
y8 = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15,
y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14,
y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15,
y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14,
y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12,
y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13,
y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14,
y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15.
"""
matrix = []
for l in RFC_A.split('\n')[1:-1]:
rhs = l.split('=')[1][:-1]
row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
matrix.append(row)
out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))
out2 = {}
for o, r in out.items():
row = list(r)
for i in range(len(r) - 1):
w1 = row[i]
if len(set(w1)) == 2:
w2 = row[i+1]
nw1 = nw2 = ''
for j in range(len(w1)):
if w1[j] in nw1:
nw1 += w2[j]
nw2 += w1[j]
else:
nw1 += w1[j]
nw2 += w2[j]
row[i] = nw1
row[i+1] = nw2
out2[o] = row
for o in 'abcd':
print(o, '=', ' + '.join(out[o]))
print(' ', '=', ' + '.join(out2[o]))
2018-03-01 13:48:10 +00:00
|
|
|
* d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
* = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
|
|
|
|
*
|
|
|
|
* Note: another presentation of the A transform can be found as the first
|
|
|
|
* half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
|
|
|
|
* The implementation below uses only P1 and P2 as they are sufficient.
|
2018-02-21 09:33:26 +00:00
|
|
|
*/
|
2018-02-21 11:35:19 +00:00
|
|
|
static inline void aria_a( uint32_t *a, uint32_t *b,
|
|
|
|
uint32_t *c, uint32_t *d )
|
|
|
|
{
|
|
|
|
uint32_t ta, tb, tc;
|
aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:
#!/usr/bin/python3
class Atom:
def __init__(self, val):
self.v = val
def __str__(self):
return self.v
def p1(self):
v = self.v
return Atom(v[1] + v[0] + v[3] + v[2])
def p2(self):
v = self.v
return Atom(v[2] + v[3] + v[0] + v[1])
def __xor__(self, other):
return Sum(self.tuple() + other.tuple())
def tuple(self):
return (self,)
class Sum:
def __init__(self, terms):
self.t = terms
assert(type(terms) == tuple)
for t in terms:
assert(type(t) == Atom)
def __str__(self):
return '+'.join(sorted((str(t) for t in self.t),
key=lambda v: int(v, 16)))
def p1(self):
return Sum(tuple(t.p1() for t in self.t))
def p2(self):
return Sum(tuple(t.p2() for t in self.t))
def tuple(self):
return self.t
def __xor__(self, other):
return Sum(self.t + other.tuple())
class LoggingDict(dict):
def __setitem__(self, key, val):
print(key, '=', val)
dict.__setitem__(self, key, val)
def set(self, key, val):
dict.__setitem__(self, key, val)
env = LoggingDict()
env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())
code = """
ta = rb;
rb = ra;
ra = ARIA_P2( ta );
tb = ARIA_P2( rd );
rd = ARIA_P1( rc );
rc = ARIA_P1( tb );
ta ^= rd;
tc = ARIA_P2( rb );
ta = ARIA_P1( ta ) ^ tc ^ rc;
tb ^= ARIA_P2( rd );
tc ^= ARIA_P1( ra );
rb ^= ta ^ tb;
tb = ARIA_P2( tb ) ^ ta;
ra ^= ARIA_P1( tb );
ta = ARIA_P2( ta );
rd ^= ARIA_P1( ta ) ^ tc;
tc = ARIA_P2( tc );
rc ^= ARIA_P1( tc ) ^ ta;
"""
exec(code, env)
2018-02-26 13:10:23 +00:00
|
|
|
ta = *b; // 4567
|
|
|
|
*b = *a; // 0123
|
|
|
|
*a = ARIA_P2( ta ); // 6745
|
|
|
|
tb = ARIA_P2( *d ); // efcd
|
|
|
|
*d = ARIA_P1( *c ); // 98ba
|
|
|
|
*c = ARIA_P1( tb ); // fedc
|
|
|
|
ta ^= *d; // 4567+98ba
|
|
|
|
tc = ARIA_P2( *b ); // 2301
|
|
|
|
ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
|
|
|
|
tb ^= ARIA_P2( *d ); // ba98+efcd
|
|
|
|
tc ^= ARIA_P1( *a ); // 2301+7654
|
|
|
|
*b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
|
|
|
|
tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
|
|
|
|
*a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
|
|
|
|
ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
|
|
|
|
*d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
|
|
|
|
tc = ARIA_P2( tc ); // 0123+5476
|
|
|
|
*c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
2018-02-21 11:35:19 +00:00
|
|
|
* ARIA Substitution Layer SL1 / SL2
|
|
|
|
* (a, b, c, d) = state in/out
|
2018-02-20 12:45:44 +00:00
|
|
|
* (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
|
|
|
|
*
|
2018-02-21 11:35:19 +00:00
|
|
|
* By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
|
|
|
|
* By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
|
2018-02-20 12:45:44 +00:00
|
|
|
*/
|
2018-02-21 11:35:19 +00:00
|
|
|
static inline void aria_sl( uint32_t *a, uint32_t *b,
|
|
|
|
uint32_t *c, uint32_t *d,
|
2018-05-22 11:01:09 +00:00
|
|
|
const uint8_t sa[256], const uint8_t sb[256],
|
|
|
|
const uint8_t sc[256], const uint8_t sd[256] )
|
aria: turn macro into static inline function
Besides documenting types better and so on, this give the compiler more room
to optimise either for size or performance.
Here are some before/after measurements of:
- size of aria.o in bytes (less is better)
- instruction count for the selftest function (less is better)
with various -O flags.
Before:
O aria.o ins
s 10896 37,256
2 11176 37,199
3 12248 27,752
After:
O aria.o ins
s 8784 41,408
2 11112 37,001
3 13096 27,438
The new version allows the compiler to reach smaller size with -Os while
maintaining (actually slightly improving) performance with -O2 and -O3.
Measurements were done on x86_64 (but since this is mainly about inlining
code, this should transpose well to other platforms) using the following
helper program and script, after disabling CBC, CFB and CTR in config.h, in
order to focus on the core functions.
==> st.c <==
#include "mbedtls/aria.h"
int main( void ) {
return mbedtls_aria_self_test( 0 );
}
==> p.sh <==
#!/bin/sh
set -eu
ccount () {
(
valgrind --tool=callgrind --dump-line=no --callgrind-out-file=/dev/null --collect-atstart=no --toggle-collect=main $1
) 2>&1 | sed -n -e 's/.*refs: *\([0-9,]*\)/\1/p'
}
printf "O\taria.o\tins\n"
for O in s 2 3; do
GCC="gcc -Wall -Wextra -Werror -Iinclude"
$GCC -O$O -c library/aria.c
$GCC -O1 st.c aria.o -o st
./st
SIZE=$( du -b aria.o | cut -f1 )
INS=$( ccount ./st )
printf "$O\t$SIZE\t$INS\n"
done
2018-02-21 11:03:22 +00:00
|
|
|
{
|
2018-03-01 08:33:20 +00:00
|
|
|
*a = ( (uint32_t) sa[ *a & 0xFF] ) ^
|
2018-02-21 11:35:19 +00:00
|
|
|
(((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
|
|
|
|
(((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
|
|
|
|
(((uint32_t) sd[ *a >> 24 ]) << 24);
|
2018-03-01 08:33:20 +00:00
|
|
|
*b = ( (uint32_t) sa[ *b & 0xFF] ) ^
|
2018-02-21 11:35:19 +00:00
|
|
|
(((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
|
|
|
|
(((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
|
|
|
|
(((uint32_t) sd[ *b >> 24 ]) << 24);
|
2018-03-01 08:33:20 +00:00
|
|
|
*c = ( (uint32_t) sa[ *c & 0xFF] ) ^
|
2018-02-21 11:35:19 +00:00
|
|
|
(((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
|
|
|
|
(((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
|
|
|
|
(((uint32_t) sd[ *c >> 24 ]) << 24);
|
2018-03-01 08:33:20 +00:00
|
|
|
*d = ( (uint32_t) sa[ *d & 0xFF] ) ^
|
2018-02-21 11:35:19 +00:00
|
|
|
(((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
|
|
|
|
(((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
|
|
|
|
(((uint32_t) sd[ *d >> 24 ]) << 24);
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* S-Boxes
|
|
|
|
*/
|
2018-05-22 11:01:09 +00:00
|
|
|
static const uint8_t aria_sb1[256] =
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
|
|
|
|
0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
|
|
|
|
0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
|
|
|
|
0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
|
|
|
|
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
|
|
|
|
0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
|
|
|
|
0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
|
|
|
|
0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
|
|
|
|
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
|
|
|
|
0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
|
|
|
|
0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
|
|
|
|
0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
|
|
|
|
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
|
|
|
|
0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
|
|
|
|
0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
|
|
|
|
0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
|
|
|
|
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
|
|
|
|
0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
|
|
|
|
0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
|
|
|
|
0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
|
|
|
|
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
|
|
|
|
0xB0, 0x54, 0xBB, 0x16
|
|
|
|
};
|
|
|
|
|
2018-05-22 11:01:09 +00:00
|
|
|
static const uint8_t aria_sb2[256] =
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
|
|
|
|
0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
|
|
|
|
0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
|
|
|
|
0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
|
|
|
|
0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
|
|
|
|
0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
|
|
|
|
0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
|
|
|
|
0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
|
|
|
|
0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
|
|
|
|
0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
|
|
|
|
0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
|
|
|
|
0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
|
|
|
|
0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
|
|
|
|
0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
|
|
|
|
0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
|
|
|
|
0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
|
|
|
|
0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
|
|
|
|
0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
|
|
|
|
0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
|
|
|
|
0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
|
|
|
|
0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
|
|
|
|
0xAF, 0xBA, 0xB5, 0x81
|
|
|
|
};
|
|
|
|
|
2018-05-22 11:01:09 +00:00
|
|
|
static const uint8_t aria_is1[256] =
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
|
|
|
|
0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
|
|
|
|
0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
|
|
|
|
0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
|
|
|
|
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
|
|
|
|
0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
|
|
|
|
0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
|
|
|
|
0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
|
|
|
|
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
|
|
|
|
0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
|
|
|
|
0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
|
|
|
|
0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
|
|
|
|
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
|
|
|
|
0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
|
|
|
|
0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
|
|
|
|
0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
|
|
|
|
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
|
|
|
|
0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
|
|
|
|
0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
|
|
|
|
0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
|
|
|
|
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
|
|
|
|
0x55, 0x21, 0x0C, 0x7D
|
|
|
|
};
|
|
|
|
|
2018-05-22 11:01:09 +00:00
|
|
|
static const uint8_t aria_is2[256] =
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
|
|
|
|
0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
|
|
|
|
0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
|
|
|
|
0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
|
|
|
|
0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
|
|
|
|
0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
|
|
|
|
0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
|
|
|
|
0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
|
|
|
|
0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
|
|
|
|
0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
|
|
|
|
0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
|
|
|
|
0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
|
|
|
|
0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
|
|
|
|
0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
|
|
|
|
0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
|
|
|
|
0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
|
|
|
|
0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
|
|
|
|
0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
|
|
|
|
0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
|
|
|
|
0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
|
|
|
|
0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
|
|
|
|
0x03, 0xA2, 0xAC, 0x60
|
|
|
|
};
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Helper for key schedule: r = FO( p, k ) ^ x
|
|
|
|
*/
|
2018-03-01 08:33:20 +00:00
|
|
|
static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
|
|
|
|
const uint32_t k[4], const uint32_t x[4] )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
uint32_t a, b, c, d;
|
|
|
|
|
|
|
|
a = p[0] ^ k[0];
|
|
|
|
b = p[1] ^ k[1];
|
|
|
|
c = p[2] ^ k[2];
|
|
|
|
d = p[3] ^ k[3];
|
|
|
|
|
2018-02-21 11:35:19 +00:00
|
|
|
aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
|
|
|
|
aria_a( &a, &b, &c, &d );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
r[0] = a ^ x[0];
|
|
|
|
r[1] = b ^ x[1];
|
|
|
|
r[2] = c ^ x[2];
|
|
|
|
r[3] = d ^ x[3];
|
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Helper for key schedule: r = FE( p, k ) ^ x
|
|
|
|
*/
|
2018-03-01 08:33:20 +00:00
|
|
|
static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
|
|
|
|
const uint32_t k[4], const uint32_t x[4] )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
uint32_t a, b, c, d;
|
|
|
|
|
|
|
|
a = p[0] ^ k[0];
|
|
|
|
b = p[1] ^ k[1];
|
|
|
|
c = p[2] ^ k[2];
|
|
|
|
d = p[3] ^ k[3];
|
|
|
|
|
2018-02-21 11:35:19 +00:00
|
|
|
aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
|
|
|
|
aria_a( &a, &b, &c, &d );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
r[0] = a ^ x[0];
|
|
|
|
r[1] = b ^ x[1];
|
|
|
|
r[2] = c ^ x[2];
|
|
|
|
r[3] = d ^ x[3];
|
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
|
|
|
|
*
|
|
|
|
* We chose to store bytes into 32-bit words in little-endian format (see
|
|
|
|
* GET/PUT_UINT32_LE) so we need to reverse bytes here.
|
|
|
|
*/
|
2018-03-01 08:33:20 +00:00
|
|
|
static void aria_rot128( uint32_t r[4], const uint32_t a[4],
|
|
|
|
const uint32_t b[4], uint8_t n )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
2018-02-21 08:44:29 +00:00
|
|
|
uint8_t i, j;
|
2017-11-30 11:37:55 +00:00
|
|
|
uint32_t t, u;
|
|
|
|
|
2018-02-21 08:50:17 +00:00
|
|
|
const uint8_t n1 = n % 32; // bit offset
|
|
|
|
const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
|
2018-02-21 08:44:29 +00:00
|
|
|
|
2018-05-22 11:01:09 +00:00
|
|
|
j = ( n / 32 ) % 4; // initial word offset
|
2018-02-26 14:23:03 +00:00
|
|
|
t = ARIA_P3( b[j] ); // big endian
|
2017-11-30 11:37:55 +00:00
|
|
|
for( i = 0; i < 4; i++ )
|
|
|
|
{
|
2018-05-22 11:01:09 +00:00
|
|
|
j = ( j + 1 ) % 4; // get next word, big endian
|
2018-02-26 14:23:03 +00:00
|
|
|
u = ARIA_P3( b[j] );
|
2017-11-30 11:37:55 +00:00
|
|
|
t <<= n1; // rotate
|
2018-02-21 08:50:17 +00:00
|
|
|
t |= u >> n2;
|
2018-02-26 14:23:03 +00:00
|
|
|
t = ARIA_P3( t ); // back to little endian
|
2017-11-30 11:37:55 +00:00
|
|
|
r[i] = a[i] ^ t; // store
|
|
|
|
t = u; // move to next word
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Set encryption key
|
|
|
|
*/
|
2018-02-28 09:54:31 +00:00
|
|
|
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
|
|
|
|
const unsigned char *key, unsigned int keybits )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
2018-02-21 09:33:26 +00:00
|
|
|
/* round constant masks */
|
2017-11-30 11:37:55 +00:00
|
|
|
const uint32_t rc[3][4] =
|
|
|
|
{
|
|
|
|
{ 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
|
|
|
|
{ 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
|
|
|
|
{ 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
|
|
|
|
};
|
|
|
|
|
|
|
|
int i;
|
|
|
|
uint32_t w[4][4], *w2;
|
2018-12-11 21:51:32 +00:00
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( key != NULL );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-03-01 08:33:20 +00:00
|
|
|
if( keybits != 128 && keybits != 192 && keybits != 256 )
|
2018-12-17 13:19:06 +00:00
|
|
|
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Copy key to W0 (and potential remainder to W1) */
|
|
|
|
GET_UINT32_LE( w[0][0], key, 0 );
|
2017-11-30 11:37:55 +00:00
|
|
|
GET_UINT32_LE( w[0][1], key, 4 );
|
|
|
|
GET_UINT32_LE( w[0][2], key, 8 );
|
|
|
|
GET_UINT32_LE( w[0][3], key, 12 );
|
|
|
|
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( w[1], 0, 16 );
|
2017-11-30 11:37:55 +00:00
|
|
|
if( keybits >= 192 )
|
|
|
|
{
|
|
|
|
GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
|
|
|
|
GET_UINT32_LE( w[1][1], key, 20 );
|
|
|
|
}
|
|
|
|
if( keybits == 256 )
|
|
|
|
{
|
|
|
|
GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
|
|
|
|
GET_UINT32_LE( w[1][3], key, 28 );
|
|
|
|
}
|
|
|
|
|
2018-05-22 11:01:09 +00:00
|
|
|
i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
|
2017-11-30 11:37:55 +00:00
|
|
|
ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
|
|
|
|
|
2018-02-20 12:45:44 +00:00
|
|
|
aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
|
2017-11-30 11:37:55 +00:00
|
|
|
i = i < 2 ? i + 1 : 0;
|
2018-02-20 12:45:44 +00:00
|
|
|
aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
|
2017-11-30 11:37:55 +00:00
|
|
|
i = i < 2 ? i + 1 : 0;
|
2018-02-20 12:45:44 +00:00
|
|
|
aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
for( i = 0; i < 4; i++ ) // create round keys
|
|
|
|
{
|
|
|
|
w2 = w[(i + 1) & 3];
|
2018-02-21 08:44:29 +00:00
|
|
|
aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
|
|
|
|
aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
|
|
|
|
aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
|
|
|
|
aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
aria_rot128( ctx->rk[16], w[0], w[1], 19 );
|
|
|
|
|
2018-05-22 11:07:07 +00:00
|
|
|
/* w holds enough info to reconstruct the round keys */
|
2018-05-22 14:05:33 +00:00
|
|
|
mbedtls_platform_zeroize( w, sizeof( w ) );
|
2018-05-22 11:07:07 +00:00
|
|
|
|
2018-02-28 09:54:31 +00:00
|
|
|
return( 0 );
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Set decryption key
|
|
|
|
*/
|
2018-02-28 09:54:31 +00:00
|
|
|
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
|
|
|
|
const unsigned char *key, unsigned int keybits )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
int i, j, k, ret;
|
2018-12-11 21:51:32 +00:00
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( key != NULL );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
|
|
|
|
if( ret != 0 )
|
2018-02-28 09:54:31 +00:00
|
|
|
return( ret );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* flip the order of round keys */
|
2017-11-30 11:37:55 +00:00
|
|
|
for( i = 0, j = ctx->nr; i < j; i++, j-- )
|
|
|
|
{
|
|
|
|
for( k = 0; k < 4; k++ )
|
|
|
|
{
|
2018-02-20 12:59:05 +00:00
|
|
|
uint32_t t = ctx->rk[i][k];
|
2017-11-30 11:37:55 +00:00
|
|
|
ctx->rk[i][k] = ctx->rk[j][k];
|
|
|
|
ctx->rk[j][k] = t;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* apply affine transform to middle keys */
|
2018-03-01 08:33:20 +00:00
|
|
|
for( i = 1; i < ctx->nr; i++ )
|
2018-02-28 09:54:31 +00:00
|
|
|
{
|
|
|
|
aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
|
|
|
|
&ctx->rk[i][2], &ctx->rk[i][3] );
|
|
|
|
}
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-28 09:54:31 +00:00
|
|
|
return( 0 );
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Encrypt a block
|
|
|
|
*/
|
2017-11-30 11:37:55 +00:00
|
|
|
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
|
2018-03-01 08:20:47 +00:00
|
|
|
const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
|
|
|
|
unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
uint32_t a, b, c, d;
|
2018-12-11 21:51:32 +00:00
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( input != NULL );
|
|
|
|
ARIA_VALIDATE_RET( output != NULL );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
GET_UINT32_LE( a, input, 0 );
|
|
|
|
GET_UINT32_LE( b, input, 4 );
|
|
|
|
GET_UINT32_LE( c, input, 8 );
|
|
|
|
GET_UINT32_LE( d, input, 12 );
|
|
|
|
|
|
|
|
i = 0;
|
2018-03-01 08:33:20 +00:00
|
|
|
while( 1 )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
a ^= ctx->rk[i][0];
|
|
|
|
b ^= ctx->rk[i][1];
|
|
|
|
c ^= ctx->rk[i][2];
|
|
|
|
d ^= ctx->rk[i][3];
|
|
|
|
i++;
|
2018-02-21 11:35:19 +00:00
|
|
|
|
|
|
|
aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
|
|
|
|
aria_a( &a, &b, &c, &d );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
a ^= ctx->rk[i][0];
|
|
|
|
b ^= ctx->rk[i][1];
|
|
|
|
c ^= ctx->rk[i][2];
|
|
|
|
d ^= ctx->rk[i][3];
|
|
|
|
i++;
|
2018-02-21 11:35:19 +00:00
|
|
|
|
|
|
|
aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
|
2018-03-01 08:33:20 +00:00
|
|
|
if( i >= ctx->nr )
|
2017-11-30 11:37:55 +00:00
|
|
|
break;
|
2018-02-21 11:35:19 +00:00
|
|
|
aria_a( &a, &b, &c, &d );
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 11:35:19 +00:00
|
|
|
/* final key mixing */
|
|
|
|
a ^= ctx->rk[i][0];
|
|
|
|
b ^= ctx->rk[i][1];
|
|
|
|
c ^= ctx->rk[i][2];
|
|
|
|
d ^= ctx->rk[i][3];
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
PUT_UINT32_LE( a, output, 0 );
|
|
|
|
PUT_UINT32_LE( b, output, 4 );
|
|
|
|
PUT_UINT32_LE( c, output, 8 );
|
|
|
|
PUT_UINT32_LE( d, output, 12 );
|
|
|
|
|
2018-02-28 09:54:31 +00:00
|
|
|
return( 0 );
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Initialize context */
|
2017-12-01 14:26:21 +00:00
|
|
|
void mbedtls_aria_init( mbedtls_aria_context *ctx )
|
|
|
|
{
|
2018-12-11 21:51:32 +00:00
|
|
|
ARIA_VALIDATE( ctx != NULL );
|
2017-12-01 14:26:21 +00:00
|
|
|
memset( ctx, 0, sizeof( mbedtls_aria_context ) );
|
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Clear context */
|
2017-12-01 14:26:21 +00:00
|
|
|
void mbedtls_aria_free( mbedtls_aria_context *ctx )
|
|
|
|
{
|
|
|
|
if( ctx == NULL )
|
|
|
|
return;
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-05-22 14:05:33 +00:00
|
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
|
2017-12-01 14:26:21 +00:00
|
|
|
}
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
|
|
|
/*
|
|
|
|
* ARIA-CBC buffer encryption/decryption
|
|
|
|
*/
|
|
|
|
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
|
2018-02-28 09:54:31 +00:00
|
|
|
int mode,
|
|
|
|
size_t length,
|
2018-03-01 08:20:47 +00:00
|
|
|
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
|
2018-02-28 09:54:31 +00:00
|
|
|
const unsigned char *input,
|
|
|
|
unsigned char *output )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
int i;
|
2018-03-01 08:20:47 +00:00
|
|
|
unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-12-11 21:51:32 +00:00
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
|
|
|
|
mode == MBEDTLS_ARIA_DECRYPT );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || input != NULL );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || output != NULL );
|
|
|
|
ARIA_VALIDATE_RET( iv != NULL );
|
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
if( length % MBEDTLS_ARIA_BLOCKSIZE )
|
2018-12-18 09:42:58 +00:00
|
|
|
return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
if( mode == MBEDTLS_ARIA_DECRYPT )
|
|
|
|
{
|
|
|
|
while( length > 0 )
|
|
|
|
{
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( ctx, input, output );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
|
2017-11-30 11:37:55 +00:00
|
|
|
output[i] = (unsigned char)( output[i] ^ iv[i] );
|
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
input += MBEDTLS_ARIA_BLOCKSIZE;
|
|
|
|
output += MBEDTLS_ARIA_BLOCKSIZE;
|
|
|
|
length -= MBEDTLS_ARIA_BLOCKSIZE;
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
while( length > 0 )
|
|
|
|
{
|
2018-03-01 08:20:47 +00:00
|
|
|
for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
|
2017-11-30 11:37:55 +00:00
|
|
|
output[i] = (unsigned char)( input[i] ^ iv[i] );
|
|
|
|
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( ctx, output, output );
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
input += MBEDTLS_ARIA_BLOCKSIZE;
|
|
|
|
output += MBEDTLS_ARIA_BLOCKSIZE;
|
|
|
|
length -= MBEDTLS_ARIA_BLOCKSIZE;
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
|
|
|
/*
|
|
|
|
* ARIA-CFB128 buffer encryption/decryption
|
|
|
|
*/
|
|
|
|
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
|
2018-02-28 09:54:31 +00:00
|
|
|
int mode,
|
|
|
|
size_t length,
|
|
|
|
size_t *iv_off,
|
2018-03-01 08:20:47 +00:00
|
|
|
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
|
2018-02-28 09:54:31 +00:00
|
|
|
const unsigned char *input,
|
|
|
|
unsigned char *output )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
2018-05-22 11:30:28 +00:00
|
|
|
unsigned char c;
|
2018-12-11 21:51:32 +00:00
|
|
|
size_t n;
|
|
|
|
|
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
|
|
|
|
mode == MBEDTLS_ARIA_DECRYPT );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || input != NULL );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || output != NULL );
|
|
|
|
ARIA_VALIDATE_RET( iv != NULL );
|
|
|
|
ARIA_VALIDATE_RET( iv_off != NULL );
|
|
|
|
|
|
|
|
n = *iv_off;
|
|
|
|
|
|
|
|
/* An overly large value of n can lead to an unlimited
|
|
|
|
* buffer overflow. Therefore, guard against this
|
|
|
|
* outside of parameter validation. */
|
|
|
|
if( n >= MBEDTLS_ARIA_BLOCKSIZE )
|
|
|
|
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
if( mode == MBEDTLS_ARIA_DECRYPT )
|
|
|
|
{
|
|
|
|
while( length-- )
|
|
|
|
{
|
|
|
|
if( n == 0 )
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( ctx, iv, iv );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
c = *input++;
|
2018-05-22 11:30:28 +00:00
|
|
|
*output++ = c ^ iv[n];
|
|
|
|
iv[n] = c;
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
n = ( n + 1 ) & 0x0F;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
while( length-- )
|
|
|
|
{
|
|
|
|
if( n == 0 )
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( ctx, iv, iv );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
|
|
|
|
|
|
|
|
n = ( n + 1 ) & 0x0F;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
*iv_off = n;
|
|
|
|
|
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CFB */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CTR)
|
|
|
|
/*
|
|
|
|
* ARIA-CTR buffer encryption/decryption
|
|
|
|
*/
|
|
|
|
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
|
2018-02-28 09:54:31 +00:00
|
|
|
size_t length,
|
|
|
|
size_t *nc_off,
|
2018-03-01 08:20:47 +00:00
|
|
|
unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
|
|
|
|
unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
|
2018-02-28 09:54:31 +00:00
|
|
|
const unsigned char *input,
|
|
|
|
unsigned char *output )
|
2017-11-30 11:37:55 +00:00
|
|
|
{
|
|
|
|
int c, i;
|
2018-12-11 21:51:32 +00:00
|
|
|
size_t n;
|
|
|
|
|
|
|
|
ARIA_VALIDATE_RET( ctx != NULL );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || input != NULL );
|
|
|
|
ARIA_VALIDATE_RET( length == 0 || output != NULL );
|
|
|
|
ARIA_VALIDATE_RET( nonce_counter != NULL );
|
|
|
|
ARIA_VALIDATE_RET( stream_block != NULL );
|
|
|
|
ARIA_VALIDATE_RET( nc_off != NULL );
|
|
|
|
|
|
|
|
n = *nc_off;
|
|
|
|
/* An overly large value of n can lead to an unlimited
|
|
|
|
* buffer overflow. Therefore, guard against this
|
|
|
|
* outside of parameter validation. */
|
|
|
|
if( n >= MBEDTLS_ARIA_BLOCKSIZE )
|
|
|
|
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
while( length-- )
|
|
|
|
{
|
|
|
|
if( n == 0 ) {
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( ctx, nonce_counter,
|
2017-11-30 11:37:55 +00:00
|
|
|
stream_block );
|
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
|
2017-11-30 11:37:55 +00:00
|
|
|
if( ++nonce_counter[i - 1] != 0 )
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
c = *input++;
|
|
|
|
*output++ = (unsigned char)( c ^ stream_block[n] );
|
|
|
|
|
|
|
|
n = ( n + 1 ) & 0x0F;
|
|
|
|
}
|
|
|
|
|
|
|
|
*nc_off = n;
|
|
|
|
|
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CTR */
|
|
|
|
#endif /* !MBEDTLS_ARIA_ALT */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_SELF_TEST)
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Basic ARIA ECB test vectors from RFC 5794
|
|
|
|
*/
|
2017-11-30 15:48:37 +00:00
|
|
|
static const uint8_t aria_test1_ecb_key[32] = // test key
|
|
|
|
{
|
|
|
|
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
|
|
|
|
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
|
|
|
|
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
|
|
|
|
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
|
|
|
|
};
|
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
|
2017-11-30 15:48:37 +00:00
|
|
|
{
|
|
|
|
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
|
|
|
|
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
|
|
|
|
};
|
|
|
|
|
2018-03-01 08:20:47 +00:00
|
|
|
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
|
2017-11-30 15:48:37 +00:00
|
|
|
{
|
|
|
|
{ 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
|
|
|
|
0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
|
|
|
|
{ 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
|
|
|
|
0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
|
|
|
|
{ 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
|
|
|
|
0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
|
|
|
|
};
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Mode tests from "Test Vectors for ARIA" Version 1.0
|
|
|
|
* http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
|
|
|
|
*/
|
2017-11-30 16:00:34 +00:00
|
|
|
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
|
2017-11-30 15:48:37 +00:00
|
|
|
defined(MBEDTLS_CIPHER_MODE_CTR))
|
|
|
|
static const uint8_t aria_test2_key[32] =
|
|
|
|
{
|
|
|
|
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
|
|
|
|
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
|
|
|
|
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
|
|
|
|
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
|
|
|
|
};
|
|
|
|
|
|
|
|
static const uint8_t aria_test2_pt[48] =
|
|
|
|
{
|
|
|
|
0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
|
|
|
|
0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
|
|
|
|
0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
|
|
|
|
0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
|
|
|
|
0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
|
|
|
|
0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
|
|
|
|
};
|
2017-11-30 16:00:34 +00:00
|
|
|
#endif
|
2017-11-30 15:48:37 +00:00
|
|
|
|
2017-11-30 16:00:34 +00:00
|
|
|
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
|
2018-03-01 08:20:47 +00:00
|
|
|
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
|
2017-11-30 16:00:34 +00:00
|
|
|
{
|
|
|
|
0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
|
|
|
|
0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
|
|
|
|
};
|
|
|
|
#endif
|
2017-11-30 15:48:37 +00:00
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
2018-02-28 11:38:21 +00:00
|
|
|
static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
|
2017-11-30 15:48:37 +00:00
|
|
|
{
|
|
|
|
{ 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
|
|
|
|
0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
|
|
|
|
0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
|
|
|
|
0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
|
|
|
|
0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
|
|
|
|
0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
|
|
|
|
{ 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
|
|
|
|
0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
|
|
|
|
0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
|
|
|
|
0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
|
|
|
|
0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
|
|
|
|
0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
|
|
|
|
{ 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
|
|
|
|
0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
|
|
|
|
0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
|
|
|
|
0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
|
|
|
|
0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
|
|
|
|
0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
|
|
|
|
};
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
2018-02-28 11:38:21 +00:00
|
|
|
static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
|
2017-11-30 15:48:37 +00:00
|
|
|
{
|
|
|
|
{ 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
|
|
|
|
0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
|
|
|
|
0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
|
|
|
|
0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
|
|
|
|
0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
|
|
|
|
0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
|
|
|
|
{ 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
|
|
|
|
0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
|
|
|
|
0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
|
|
|
|
0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
|
|
|
|
0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
|
|
|
|
0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
|
|
|
|
{ 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
|
|
|
|
0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
|
|
|
|
0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
|
|
|
|
0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
|
|
|
|
0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
|
|
|
|
0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
|
|
|
|
};
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CFB */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CTR)
|
2018-02-28 11:38:21 +00:00
|
|
|
static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
|
2017-11-30 15:48:37 +00:00
|
|
|
{
|
|
|
|
{ 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
|
|
|
|
0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
|
|
|
|
0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
|
|
|
|
0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
|
|
|
|
0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
|
|
|
|
0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
|
|
|
|
{ 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
|
|
|
|
0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
|
|
|
|
0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
|
|
|
|
0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
|
|
|
|
0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
|
|
|
|
0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
|
|
|
|
{ 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
|
|
|
|
0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
|
|
|
|
0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
|
|
|
|
0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
|
|
|
|
0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
|
|
|
|
0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
|
|
|
|
};
|
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CFB */
|
|
|
|
|
|
|
|
#define ARIA_SELF_TEST_IF_FAIL \
|
|
|
|
{ \
|
|
|
|
if( verbose ) \
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "failed\n" ); \
|
2017-11-30 15:48:37 +00:00
|
|
|
return( 1 ); \
|
|
|
|
} else { \
|
|
|
|
if( verbose ) \
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "passed\n" ); \
|
2017-11-30 15:48:37 +00:00
|
|
|
}
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Checkup routine
|
|
|
|
*/
|
2017-11-30 11:37:55 +00:00
|
|
|
int mbedtls_aria_self_test( int verbose )
|
|
|
|
{
|
|
|
|
int i;
|
2018-03-01 08:20:47 +00:00
|
|
|
uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
|
2017-11-30 11:37:55 +00:00
|
|
|
mbedtls_aria_context ctx;
|
2017-11-30 16:00:34 +00:00
|
|
|
|
2017-12-01 14:26:21 +00:00
|
|
|
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
|
|
|
|
size_t j;
|
2017-11-30 16:00:34 +00:00
|
|
|
#endif
|
|
|
|
|
2017-11-30 15:48:37 +00:00
|
|
|
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
|
|
|
|
defined(MBEDTLS_CIPHER_MODE_CFB) || \
|
|
|
|
defined(MBEDTLS_CIPHER_MODE_CTR))
|
2018-03-01 08:20:47 +00:00
|
|
|
uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
|
2017-11-30 15:48:37 +00:00
|
|
|
#endif
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Test set 1
|
|
|
|
*/
|
2017-11-30 11:37:55 +00:00
|
|
|
for( i = 0; i < 3; i++ )
|
|
|
|
{
|
2018-02-21 09:33:26 +00:00
|
|
|
/* test ECB encryption */
|
2017-11-30 11:37:55 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
|
2018-03-01 08:20:47 +00:00
|
|
|
if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
|
2017-11-30 15:48:37 +00:00
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* test ECB decryption */
|
2017-11-30 11:37:55 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
|
2018-05-22 11:18:01 +00:00
|
|
|
mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
|
2018-03-01 08:33:20 +00:00
|
|
|
if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
|
2017-11-30 15:48:37 +00:00
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
}
|
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "\n" );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/*
|
|
|
|
* Test set 2
|
|
|
|
*/
|
2017-11-30 15:48:37 +00:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
|
|
|
for( i = 0; i < 3; i++ )
|
|
|
|
{
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CBC encryption */
|
2017-11-30 11:37:55 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0x55, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
|
|
|
|
aria_test2_pt, buf );
|
|
|
|
if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CBC decryption */
|
2017-11-30 15:48:37 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0xAA, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
|
|
|
|
aria_test2_cbc_ct[i], buf );
|
|
|
|
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
}
|
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "\n" );
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2017-11-30 15:48:37 +00:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
2017-11-30 11:37:55 +00:00
|
|
|
|
2017-11-30 15:48:37 +00:00
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
|
|
|
for( i = 0; i < 3; i++ )
|
|
|
|
{
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CFB encryption */
|
2017-11-30 15:48:37 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0x55, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
j = 0;
|
|
|
|
mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
|
|
|
|
aria_test2_pt, buf );
|
|
|
|
if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CFB decryption */
|
2017-11-30 11:37:55 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0xAA, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
j = 0;
|
|
|
|
mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
|
|
|
|
iv, aria_test2_cfb_ct[i], buf );
|
|
|
|
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
2017-11-30 11:37:55 +00:00
|
|
|
}
|
2017-11-30 15:48:37 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "\n" );
|
2017-11-30 15:48:37 +00:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CFB */
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_CIPHER_MODE_CTR)
|
|
|
|
for( i = 0; i < 3; i++ )
|
|
|
|
{
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CTR encryption */
|
2017-11-30 15:48:37 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0x55, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
j = 0;
|
|
|
|
mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
|
|
|
|
aria_test2_pt, buf );
|
|
|
|
if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
|
2018-02-21 09:33:26 +00:00
|
|
|
/* Test CTR decryption */
|
2017-11-30 15:48:37 +00:00
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
|
2017-11-30 15:48:37 +00:00
|
|
|
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
|
2018-03-01 08:20:47 +00:00
|
|
|
memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
|
2018-03-01 08:33:20 +00:00
|
|
|
memset( buf, 0xAA, sizeof( buf ) );
|
2017-11-30 15:48:37 +00:00
|
|
|
j = 0;
|
|
|
|
mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
|
|
|
|
aria_test2_ctr_ct[i], buf );
|
|
|
|
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
|
|
|
|
ARIA_SELF_TEST_IF_FAIL;
|
|
|
|
}
|
|
|
|
if( verbose )
|
2018-08-13 10:49:52 +00:00
|
|
|
mbedtls_printf( "\n" );
|
2017-11-30 15:48:37 +00:00
|
|
|
#endif /* MBEDTLS_CIPHER_MODE_CTR */
|
2017-11-30 11:37:55 +00:00
|
|
|
|
|
|
|
return( 0 );
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* MBEDTLS_SELF_TEST */
|
|
|
|
|
|
|
|
#endif /* MBEDTLS_ARIA_C */
|