Commit d42d0a4d authored by Pauli's avatar Pauli Committed by Andy Polyakov
Browse files

Implementation of the ARIA cipher as described in RFC 5794. 



This implementation is written in endian agnostic C code. No attempt
at providing machine specific assembly code has been made. This
implementation expands the evptests by including the test cases from
RFC 5794 and ARIA official site rather than providing an individual
test case. Support for ARIA has been integrated into the command line
applications, but not TLS. Implemented modes are CBC, CFB1, CFB8,
CFB128, CTR, ECB and OFB128.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2337)
parent ad39b31c

Configure

+4 −2
Original line number Diff line number Diff line 
#! /usr/bin/env perl

# -*- mode: perl; -*-

# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.

# Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.

#

# Licensed under the OpenSSL license (the "License").  You may not use

# this file except in compliance with the License.  You can obtain a copy
@@ -314,7 +314,7 @@ $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", " 
$config{sdirs} = [

    "objects",

    "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash",

    "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes",

    "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "chacha", "modes",

    "bn", "ec", "rsa", "dsa", "dh", "dso", "engine",

    "buffer", "bio", "stack", "lhash", "rand", "err",

    "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
@@ -333,6 +333,7 @@ my @dtls = qw(dtls1 dtls1_2); 


my @disablables = (

    "afalgeng",

    "aria",

    "asan",

    "asm",

    "async",
@@ -433,6 +434,7 @@ my %deprecated_disablables = ( 
# All of the following is disabled by default (RC5 was enabled before 0.9.8):



our %disabled = ( # "what"         => "comment"

                  "aria"                => "default",

                  "asan"		=> "default",

		  "crypto-mdebug"       => "default",

		  "crypto-mdebug-backtrace" => "default",

apps/openssl.c

+4 −1
Original line number Diff line number Diff line 
/*

 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy
@@ -571,6 +571,9 @@ static int SortFnByName(const void *_f1, const void *_f2) 
static void list_disabled(void)

{

    BIO_puts(bio_out, "Disabled algorithms:\n");

#ifdef OPENSSL_NO_ARIA

    BIO_puts(bio_out, "ARIA\n");

#endif

#ifdef OPENSSL_NO_BF

    BIO_puts(bio_out, "BF\n");

#endif

config

+2 −2
Original line number Diff line number Diff line 
#!/bin/sh

# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.

# Copyright 1998-2017 The OpenSSL Project Authors. All Rights Reserved.

#

# Licensed under the OpenSSL license (the "License").  You may not use

# this file except in compliance with the License.  You can obtain a copy
@@ -855,7 +855,7 @@ case "$GUESSOS" in 
  i386-*) options="$options 386" ;;

esac



for i in aes bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha

for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha

do

  if [ ! -d $THERE/crypto/$i ]

  then

crypto/aria/aria.c

0 → 100644
+454 −0
Original line number Diff line number Diff line 
/*

 * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

 * in the file LICENSE in the source distribution or at

 * https://www.openssl.org/source/license.html

 */



/* ====================================================================

 * Copyright (c) 2017 Oracle and/or its affiliates.  All rights reserved.

 */



#include <assert.h>

#include <openssl/e_os2.h>

#include <string.h>

#include "internal/aria.h"



static const unsigned char sb1[256] = {

    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,

    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,

    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,

    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,

    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,

    0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,

    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,

    0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,

    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,

    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,

    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,

    0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,

    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,

    0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,

    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,

    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,

    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,

    0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,

    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,

    0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,

    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,

    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,

    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,

    0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,

    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,

    0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,

    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,

    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,

    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,

    0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,

    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,

    0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16

};



static const unsigned char sb2[256] = {

    0xe2, 0x4e, 0x54, 0xfc, 0x94, 0xc2, 0x4a, 0xcc,

    0x62, 0x0d, 0x6a, 0x46, 0x3c, 0x4d, 0x8b, 0xd1,

    0x5e, 0xfa, 0x64, 0xcb, 0xb4, 0x97, 0xbe, 0x2b,

    0xbc, 0x77, 0x2e, 0x03, 0xd3, 0x19, 0x59, 0xc1,

    0x1d, 0x06, 0x41, 0x6b, 0x55, 0xf0, 0x99, 0x69,

    0xea, 0x9c, 0x18, 0xae, 0x63, 0xdf, 0xe7, 0xbb,

    0x00, 0x73, 0x66, 0xfb, 0x96, 0x4c, 0x85, 0xe4,

    0x3a, 0x09, 0x45, 0xaa, 0x0f, 0xee, 0x10, 0xeb,

    0x2d, 0x7f, 0xf4, 0x29, 0xac, 0xcf, 0xad, 0x91,

    0x8d, 0x78, 0xc8, 0x95, 0xf9, 0x2f, 0xce, 0xcd,

    0x08, 0x7a, 0x88, 0x38, 0x5c, 0x83, 0x2a, 0x28,

    0x47, 0xdb, 0xb8, 0xc7, 0x93, 0xa4, 0x12, 0x53,

    0xff, 0x87, 0x0e, 0x31, 0x36, 0x21, 0x58, 0x48,

    0x01, 0x8e, 0x37, 0x74, 0x32, 0xca, 0xe9, 0xb1,

    0xb7, 0xab, 0x0c, 0xd7, 0xc4, 0x56, 0x42, 0x26,

    0x07, 0x98, 0x60, 0xd9, 0xb6, 0xb9, 0x11, 0x40,

    0xec, 0x20, 0x8c, 0xbd, 0xa0, 0xc9, 0x84, 0x04,

    0x49, 0x23, 0xf1, 0x4f, 0x50, 0x1f, 0x13, 0xdc,

    0xd8, 0xc0, 0x9e, 0x57, 0xe3, 0xc3, 0x7b, 0x65,

    0x3b, 0x02, 0x8f, 0x3e, 0xe8, 0x25, 0x92, 0xe5,

    0x15, 0xdd, 0xfd, 0x17, 0xa9, 0xbf, 0xd4, 0x9a,

    0x7e, 0xc5, 0x39, 0x67, 0xfe, 0x76, 0x9d, 0x43,

    0xa7, 0xe1, 0xd0, 0xf5, 0x68, 0xf2, 0x1b, 0x34,

    0x70, 0x05, 0xa3, 0x8a, 0xd5, 0x79, 0x86, 0xa8,

    0x30, 0xc6, 0x51, 0x4b, 0x1e, 0xa6, 0x27, 0xf6,

    0x35, 0xd2, 0x6e, 0x24, 0x16, 0x82, 0x5f, 0xda,

    0xe6, 0x75, 0xa2, 0xef, 0x2c, 0xb2, 0x1c, 0x9f,

    0x5d, 0x6f, 0x80, 0x0a, 0x72, 0x44, 0x9b, 0x6c,

    0x90, 0x0b, 0x5b, 0x33, 0x7d, 0x5a, 0x52, 0xf3,

    0x61, 0xa1, 0xf7, 0xb0, 0xd6, 0x3f, 0x7c, 0x6d,

    0xed, 0x14, 0xe0, 0xa5, 0x3d, 0x22, 0xb3, 0xf8,

    0x89, 0xde, 0x71, 0x1a, 0xaf, 0xba, 0xb5, 0x81

};



static const unsigned char sb3[256] = {

    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,

    0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,

    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,

    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,

    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,

    0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,

    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,

    0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,

    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,

    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,

    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,

    0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,

    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,

    0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,

    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,

    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,

    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,

    0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,

    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,

    0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,

    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,

    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,

    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,

    0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,

    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,

    0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,

    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,

    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,

    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,

    0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,

    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,

    0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d

};



static const unsigned char sb4[256] = {

    0x30, 0x68, 0x99, 0x1b, 0x87, 0xb9, 0x21, 0x78,

    0x50, 0x39, 0xdb, 0xe1, 0x72, 0x09, 0x62, 0x3c,

    0x3e, 0x7e, 0x5e, 0x8e, 0xf1, 0xa0, 0xcc, 0xa3,

    0x2a, 0x1d, 0xfb, 0xb6, 0xd6, 0x20, 0xc4, 0x8d,

    0x81, 0x65, 0xf5, 0x89, 0xcb, 0x9d, 0x77, 0xc6,

    0x57, 0x43, 0x56, 0x17, 0xd4, 0x40, 0x1a, 0x4d,

    0xc0, 0x63, 0x6c, 0xe3, 0xb7, 0xc8, 0x64, 0x6a,

    0x53, 0xaa, 0x38, 0x98, 0x0c, 0xf4, 0x9b, 0xed,

    0x7f, 0x22, 0x76, 0xaf, 0xdd, 0x3a, 0x0b, 0x58,

    0x67, 0x88, 0x06, 0xc3, 0x35, 0x0d, 0x01, 0x8b,

    0x8c, 0xc2, 0xe6, 0x5f, 0x02, 0x24, 0x75, 0x93,

    0x66, 0x1e, 0xe5, 0xe2, 0x54, 0xd8, 0x10, 0xce,

    0x7a, 0xe8, 0x08, 0x2c, 0x12, 0x97, 0x32, 0xab,

    0xb4, 0x27, 0x0a, 0x23, 0xdf, 0xef, 0xca, 0xd9,

    0xb8, 0xfa, 0xdc, 0x31, 0x6b, 0xd1, 0xad, 0x19,

    0x49, 0xbd, 0x51, 0x96, 0xee, 0xe4, 0xa8, 0x41,

    0xda, 0xff, 0xcd, 0x55, 0x86, 0x36, 0xbe, 0x61,

    0x52, 0xf8, 0xbb, 0x0e, 0x82, 0x48, 0x69, 0x9a,

    0xe0, 0x47, 0x9e, 0x5c, 0x04, 0x4b, 0x34, 0x15,

    0x79, 0x26, 0xa7, 0xde, 0x29, 0xae, 0x92, 0xd7,

    0x84, 0xe9, 0xd2, 0xba, 0x5d, 0xf3, 0xc5, 0xb0,

    0xbf, 0xa4, 0x3b, 0x71, 0x44, 0x46, 0x2b, 0xfc,

    0xeb, 0x6f, 0xd5, 0xf6, 0x14, 0xfe, 0x7c, 0x70,

    0x5a, 0x7d, 0xfd, 0x2f, 0x18, 0x83, 0x16, 0xa5,

    0x91, 0x1f, 0x05, 0x95, 0x74, 0xa9, 0xc1, 0x5b,

    0x4a, 0x85, 0x6d, 0x13, 0x07, 0x4f, 0x4e, 0x45,

    0xb2, 0x0f, 0xc9, 0x1c, 0xa6, 0xbc, 0xec, 0x73,

    0x90, 0x7b, 0xcf, 0x59, 0x8f, 0xa1, 0xf9, 0x2d,

    0xf2, 0xb1, 0x00, 0x94, 0x37, 0x9f, 0xd0, 0x2e,

    0x9c, 0x6e, 0x28, 0x3f, 0x80, 0xf0, 0x3d, 0xd3,

    0x25, 0x8a, 0xb5, 0xe7, 0x42, 0xb3, 0xc7, 0xea,

    0xf7, 0x4c, 0x11, 0x33, 0x03, 0xa2, 0xac, 0x60

};



static const ARIA_u128 c1 = {

    0x51, 0x7c, 0xc1, 0xb7, 0x27, 0x22, 0x0a, 0x94,

    0xfe, 0x13, 0xab, 0xe8, 0xfa, 0x9a, 0x6e, 0xe0

};



static const ARIA_u128 c2 = {

    0x6d, 0xb1, 0x4a, 0xcc, 0x9e, 0x21, 0xc8, 0x20,

    0xff, 0x28, 0xb1, 0xd5, 0xef, 0x5d, 0xe2, 0xb0

};



static const ARIA_u128 c3 = {

    0xdb, 0x92, 0x37, 0x1d, 0x21, 0x26, 0xe9, 0x70,

    0x03, 0x24, 0x97, 0x75, 0x04, 0xe8, 0xc9, 0x0e

};



/*

 * Exclusive or two 128 bit values into the result.

 * It is safe for the result to be the same as the either input.

 */

static void xor128(ARIA_u128 o, const ARIA_u128 x, const ARIA_u128 y)

{

    int i;



    for (i = 0; i < ARIA_BLOCK_SIZE; i++)

        o[i] = x[i] ^ y[i];

}



/*

 * Generalised circular rotate right and exclusive or function.

 * It is safe for the output to overlap either input.

 */

static ossl_inline void rotnr(unsigned int n, ARIA_u128 o, const ARIA_u128 xor,

                              const ARIA_u128 z)

{

    const unsigned int bytes = n / 8, bits = n % 8;

    unsigned int i;

    ARIA_u128 t;



    for (i = 0; i < ARIA_BLOCK_SIZE; i++)

        t[(i + bytes) % ARIA_BLOCK_SIZE] = z[i];

    for (i = 0; i < ARIA_BLOCK_SIZE; i++)

        o[i] = ((t[i] >> bits) |

                (t[i ? i - 1 : ARIA_BLOCK_SIZE - 1] << (8 - bits))) ^ xor[i];

}



/*

 * Circular rotate 19 bits right and xor.

 * It is safe for the output to overlap either input.

 */

static void rot19r(ARIA_u128 o, const ARIA_u128 xor, const ARIA_u128 z)

{

    rotnr(19, o, xor, z);

}



/*

 * Circular rotate 31 bits right and xor.

 * It is safe for the output to overlap either input.

 */

static void rot31r(ARIA_u128 o, const ARIA_u128 xor, const ARIA_u128 z)

{

    rotnr(31, o, xor, z);

}



/*

 * Circular rotate 61 bits left and xor.

 * It is safe for the output to overlap either input.

 */

static void rot61l(ARIA_u128 o, const ARIA_u128 xor, const ARIA_u128 z)

{

    rotnr(8 * ARIA_BLOCK_SIZE - 61, o, xor, z);

}



/*

 * Circular rotate 31 bits left and xor.

 * It is safe for the output to overlap either input.

 */

static void rot31l(ARIA_u128 o, const ARIA_u128 xor, const ARIA_u128 z)

{

    rotnr(8 * ARIA_BLOCK_SIZE - 31, o, xor, z);

}



/*

 * Circular rotate 19 bits left and xor.

 * It is safe for the output to overlap either input.

 */

static void rot19l(ARIA_u128 o, const ARIA_u128 xor, const ARIA_u128 z)

{

    rotnr(8 * ARIA_BLOCK_SIZE - 19, o, xor, z);

}



/*

 * First substitution and xor layer, used for odd steps.

 * It is safe for the input and output to be the same.

 */

static void sl1(ARIA_u128 o, const ARIA_u128 x, const ARIA_u128 y)

{

    unsigned int i;

    for (i = 0; i < ARIA_BLOCK_SIZE; i += 4) {

        o[i    ] = sb1[x[i    ] ^ y[i    ]];

        o[i + 1] = sb2[x[i + 1] ^ y[i + 1]];

        o[i + 2] = sb3[x[i + 2] ^ y[i + 2]];

        o[i + 3] = sb4[x[i + 3] ^ y[i + 3]];

    }

}



/*

 * Second substitution and xor layer, used for even steps.

 * It is safe for the input and output to be the same.

 */

static void sl2(ARIA_u128 o, const ARIA_u128 x, const ARIA_u128 y)

{

    unsigned int i;

    for (i = 0; i < ARIA_BLOCK_SIZE; i += 4) {

        o[i    ] = sb3[x[i    ] ^ y[i    ]];

        o[i + 1] = sb4[x[i + 1] ^ y[i + 1]];

        o[i + 2] = sb1[x[i + 2] ^ y[i + 2]];

        o[i + 3] = sb2[x[i + 3] ^ y[i + 3]];

    }

}



/*

 * Diffusion layer step

 * It is NOT safe for the input and output to overlap.

 */

static void a(ARIA_u128 y, const ARIA_u128 x)

{

    y[ 0] = x[3] ^ x[4] ^ x[6] ^ x[ 8] ^ x[ 9] ^ x[13] ^ x[14];

    y[ 1] = x[2] ^ x[5] ^ x[7] ^ x[ 8] ^ x[ 9] ^ x[12] ^ x[15];

    y[ 2] = x[1] ^ x[4] ^ x[6] ^ x[10] ^ x[11] ^ x[12] ^ x[15];

    y[ 3] = x[0] ^ x[5] ^ x[7] ^ x[10] ^ x[11] ^ x[13] ^ x[14];

    y[ 4] = x[0] ^ x[2] ^ x[5] ^ x[ 8] ^ x[11] ^ x[14] ^ x[15];

    y[ 5] = x[1] ^ x[3] ^ x[4] ^ x[ 9] ^ x[10] ^ x[14] ^ x[15];

    y[ 6] = x[0] ^ x[2] ^ x[7] ^ x[ 9] ^ x[10] ^ x[12] ^ x[13];

    y[ 7] = x[1] ^ x[3] ^ x[6] ^ x[ 8] ^ x[11] ^ x[12] ^ x[13];

    y[ 8] = x[0] ^ x[1] ^ x[4] ^ x[ 7] ^ x[10] ^ x[13] ^ x[15];

    y[ 9] = x[0] ^ x[1] ^ x[5] ^ x[ 6] ^ x[11] ^ x[12] ^ x[14];

    y[10] = x[2] ^ x[3] ^ x[5] ^ x[ 6] ^ x[ 8] ^ x[13] ^ x[15];

    y[11] = x[2] ^ x[3] ^ x[4] ^ x[ 7] ^ x[ 9] ^ x[12] ^ x[14];

    y[12] = x[1] ^ x[2] ^ x[6] ^ x[ 7] ^ x[ 9] ^ x[11] ^ x[12];

    y[13] = x[0] ^ x[3] ^ x[6] ^ x[ 7] ^ x[ 8] ^ x[10] ^ x[13];

    y[14] = x[0] ^ x[3] ^ x[4] ^ x[ 5] ^ x[ 9] ^ x[11] ^ x[14];

    y[15] = x[1] ^ x[2] ^ x[4] ^ x[ 5] ^ x[ 8] ^ x[10] ^ x[15];

}



/*

 * Odd round function

 * Apply the first substitution layer and then a diffusion step.

 * It is safe for the input and output to overlap.

 */

static ossl_inline void FO(ARIA_u128 o, const ARIA_u128 d, const ARIA_u128 rk)

{

	ARIA_u128 y;



	sl1(y, d, rk);

	a(o, y);

}



/*

 * Even round function

 * Apply the second substitution layer and then a diffusion step.

 * It is safe for the input and output to overlap.

 */

static ossl_inline void FE(ARIA_u128 o, const ARIA_u128 d, const ARIA_u128 rk)

{

	ARIA_u128 y;



	sl2(y, d, rk);

	a(o, y);

}



/*

 * Encrypt or decrypt a single block

 * in and out can overlap

 */

static void do_encrypt(ARIA_u128 o, const ARIA_u128 pin, unsigned int rounds,

                       const ARIA_u128 *keys)

{

    ARIA_u128 p;

    unsigned int i;



    memcpy(p, pin, sizeof(p));

    for (i = 0; i < rounds - 2; i += 2) {

        FO(p, p, keys[i]);

        FE(p, p, keys[i + 1]);

    }

    FO(p, p, keys[rounds - 2]);

    sl2(o, p, keys[rounds - 1]);

    xor128(o, o, keys[rounds]);

}



/*

 * Encrypt a single block

 * in and out can overlap

 */

void aria_encrypt(const unsigned char *in, unsigned char *out,

                  const ARIA_KEY *key)

{

    assert(in != NULL && out != NULL && key != NULL);

    do_encrypt(out, in, key->rounds, key->rd_key);

}





/*

 * Expand the cipher key into the encryption key schedule.

 * We short circuit execution of the last two

 * or four rotations based on the key size.

 */

int aria_set_encrypt_key(const unsigned char *userKey, const int bits,

                         ARIA_KEY *key)

{

    const unsigned char *ck1, *ck2, *ck3;

    ARIA_u128 kr, w0, w1, w2, w3;



    if (!userKey || !key)

        return -1;

    memcpy(w0, userKey, sizeof(w0));

    switch (bits) {

    default:

        return -2;

    case 128:

        key->rounds = 12;

        ck1 = c1;

        ck2 = c2;

        ck3 = c3;

        memset(kr, 0, sizeof(kr));

        break;



    case 192:

        key->rounds = 14;

        ck1 = c2;

        ck2 = c3;

        ck3 = c1;

        memcpy(kr, userKey + ARIA_BLOCK_SIZE, sizeof(kr) / 2);

        memset(kr + ARIA_BLOCK_SIZE / 2, 0, sizeof(kr) / 2);

        break;



    case 256:

        key->rounds = 16;

        ck1 = c3;

        ck2 = c1;

        ck3 = c2;

        memcpy(kr, userKey + ARIA_BLOCK_SIZE, sizeof(kr));

        break;

    }



    FO(w3, w0, ck1);	xor128(w1, w3, kr);

    FE(w3, w1, ck2);	xor128(w2, w3, w0);

    FO(kr, w2, ck3);	xor128(w3, kr, w1);



    rot19r(key->rd_key[ 0], w0, w1);

    rot19r(key->rd_key[ 1], w1, w2);

    rot19r(key->rd_key[ 2], w2, w3);

    rot19r(key->rd_key[ 3], w3, w0);



    rot31r(key->rd_key[ 4], w0, w1);

    rot31r(key->rd_key[ 5], w1, w2);

    rot31r(key->rd_key[ 6], w2, w3);

    rot31r(key->rd_key[ 7], w3, w0);



    rot61l(key->rd_key[ 8], w0, w1);

    rot61l(key->rd_key[ 9], w1, w2);

    rot61l(key->rd_key[10], w2, w3);

    rot61l(key->rd_key[11], w3, w0);



    rot31l(key->rd_key[12], w0, w1);

    if (key->rounds > 12) {

        rot31l(key->rd_key[13], w1, w2);

        rot31l(key->rd_key[14], w2, w3);



        if (key->rounds > 14) {

            rot31l(key->rd_key[15], w3, w0);

            rot19l(key->rd_key[16], w0, w1);

        }

    }

    return 0;

}



/*

 * Expand the cipher key into the decryption key schedule.

 */

int aria_set_decrypt_key(const unsigned char *userKey, const int bits,

                         ARIA_KEY *key)

{

    ARIA_KEY ek;

    const int r = aria_set_encrypt_key(userKey, bits, &ek);

    unsigned int i, rounds = ek.rounds;



    if (r == 0) {

        key->rounds = rounds;

        memcpy(key->rd_key[0], ek.rd_key[rounds], sizeof(key->rd_key[0]));

        for (i = 1; i < rounds; i++)

            a(key->rd_key[i], ek.rd_key[rounds - i]);

        memcpy(key->rd_key[rounds], ek.rd_key[0], sizeof(key->rd_key[rounds]));

    }

    return r;

}

crypto/aria/build.info

0 → 100644
+4 −0
Original line number Diff line number Diff line 
LIBS=../../libcrypto

SOURCE[../../libcrypto]=\

        aria.c