/* * ARIA implementation * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /* * This implementation is based on the following standards: * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf * [2] https://tools.ietf.org/html/rfc5794 */ #include "common.h" #if defined(MBEDTLS_ARIA_C) #include "mbedtls/aria.h" #include <string.h> #include "mbedtls/platform.h" #if !defined(MBEDTLS_ARIA_ALT) #include "mbedtls/platform_util.h" /* * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes * * This is submatrix P1 in [1] Appendix B.1 * * Common compilers fail to translate this to minimal number of instructions, * so let's provide asm versions for common platforms with C fallback. */ #if defined(MBEDTLS_HAVE_ASM) #if defined(__arm__) /* rev16 available from v6 up */ /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ #if defined(__GNUC__) && \ (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \ __ARM_ARCH >= 6 static inline uint32_t aria_p1(uint32_t x) { uint32_t r; __asm("rev16 %0, %1" : "=l" (r) : "l" (x)); return r; } #define ARIA_P1 … #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3) static inline uint32_t aria_p1(uint32_t x) { uint32_t r; __asm("rev16 r, x"); return r; } #define ARIA_P1 … #endif #endif /* arm */ #if defined(__GNUC__) && \ defined(__i386__) || defined(__amd64__) || defined(__x86_64__) /* I couldn't find an Intel equivalent of rev16, so two instructions */ #define ARIA_P1(x) … #endif /* x86 gnuc */ #endif /* MBEDTLS_HAVE_ASM && GNUC */ #if !defined(ARIA_P1) #define ARIA_P1 … #endif /* * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits * * This is submatrix P2 in [1] Appendix B.1 * * Common compilers will translate this to a single instruction. */ #define ARIA_P2(x) … /* * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness * * This is submatrix P3 in [1] Appendix B.1 */ #define ARIA_P3(x) … /* * ARIA Affine Transform * (a, b, c, d) = state in/out * * If we denote the first byte of input by 0, ..., the last byte by f, * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. * * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple * rearrangements on adjacent pairs, output is: * * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef * * Note: another presentation of the A transform can be found as the first * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. * The implementation below uses only P1 and P2 as they are sufficient. */ static inline void aria_a(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) { … } /* * ARIA Substitution Layer SL1 / SL2 * (a, b, c, d) = state in/out * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) * * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 */ static inline void aria_sl(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d, const uint8_t sa[256], const uint8_t sb[256], const uint8_t sc[256], const uint8_t sd[256]) { … } /* * S-Boxes */ static const uint8_t aria_sb1[256] = …; static const uint8_t aria_sb2[256] = …; static const uint8_t aria_is1[256] = …; static const uint8_t aria_is2[256] = …; /* * Helper for key schedule: r = FO( p, k ) ^ x */ static void aria_fo_xor(uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4]) { … } /* * Helper for key schedule: r = FE( p, k ) ^ x */ static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4]) { … } /* * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. * * We chose to store bytes into 32-bit words in little-endian format (see * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse * bytes here. */ static void aria_rot128(uint32_t r[4], const uint32_t a[4], const uint32_t b[4], uint8_t n) { … } /* * Set encryption key */ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { … } /* * Set decryption key */ #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { … } #endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ /* * Encrypt a block */ int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) { … } /* Initialize context */ void mbedtls_aria_init(mbedtls_aria_context *ctx) { … } /* Clear context */ void mbedtls_aria_free(mbedtls_aria_context *ctx) { … } #if defined(MBEDTLS_CIPHER_MODE_CBC) /* * ARIA-CBC buffer encryption/decryption */ int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, int mode, size_t length, unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output) { … } #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) /* * ARIA-CFB128 buffer encryption/decryption */ int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output) { … } #endif /* MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) /* * ARIA-CTR buffer encryption/decryption */ int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output) { … } #endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* !MBEDTLS_ARIA_ALT */ #if defined(MBEDTLS_SELF_TEST) /* * Basic ARIA ECB test vectors from RFC 5794 */ static const uint8_t aria_test1_ecb_key[32] = …// test key { … }; static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = …// plaintext { … }; static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = …// ciphertext { … }; /* * Mode tests from "Test Vectors for ARIA" Version 1.0 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf */ #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ defined(MBEDTLS_CIPHER_MODE_CTR)) static const uint8_t aria_test2_key[32] = …; static const uint8_t aria_test2_pt[48] = …; #endif #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = …; #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) static const uint8_t aria_test2_cbc_ct[3][48] = …// CBC ciphertext { … }; #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) static const uint8_t aria_test2_cfb_ct[3][48] = …// CFB ciphertext { … }; #endif /* MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) static const uint8_t aria_test2_ctr_ct[3][48] = …// CTR ciphertext { … }; #endif /* MBEDTLS_CIPHER_MODE_CFB */ #define ARIA_SELF_TEST_ASSERT(cond) … /* * Checkup routine */ int mbedtls_aria_self_test(int verbose) { … } #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_ARIA_C */
Codebase Browser
godot