From 41efbaabc9abe692c1ba1f3aa25d8e26f7765620 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Thu, 30 Nov 2017 11:37:55 +0000 Subject: [PATCH 01/97] ARIA cipher implementation --- include/mbedtls/aria.h | 237 ++++++++++++++ library/aria.c | 706 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 943 insertions(+) create mode 100644 include/mbedtls/aria.h create mode 100644 library/aria.c diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h new file mode 100644 index 000000000..fc8ca98d7 --- /dev/null +++ b/include/mbedtls/aria.h @@ -0,0 +1,237 @@ +/** + * \file aria.h + * + * \brief ARIA block cipher + * + * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef MBEDTLS_ARIA_H +#define MBEDTLS_ARIA_H + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#include +#include + +#define MBEDTLS_ARIA_ENCRYPT 1 +#define MBEDTLS_ARIA_DECRYPT 0 + +#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */ +#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ + +#if !defined(MBEDTLS_ARIA_ALT) +// Regular implementation +// + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief ARIA context structure + */ + +typedef struct +{ + int nr; // rounds: nr = 12, 14, or 16 + uint32_t rk[17][4]; // nr+1 round keys (+1 for final) +} +mbedtls_aria_context; + +/** + * \brief Initialize ARIA context + * + * \param ctx ARIA context to be initialized + */ +void mbedtls_aria_init( mbedtls_aria_context *ctx ); + +/** + * \brief Clear ARIA context + * + * \param ctx ARIA context to be cleared + */ +void mbedtls_aria_free( mbedtls_aria_context *ctx ); + +/** + * \brief ARIA key schedule (encryption) + * + * \param ctx ARIA context to be initialized + * \param key encryption key + * \param keybits must be 128, 192 or 256 + * + * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH + */ +int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, const unsigned char *key, + unsigned int keybits ); + +/** + * \brief ARIA key schedule (decryption) + * + * \param ctx ARIA context to be initialized + * \param key decryption key + * \param keybits must be 128, 192 or 256 + * + * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH + */ +int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, const unsigned char *key, + unsigned int keybits ); + +/** + * \brief ARIA-ECB block encryption/decryption + * + * \param ctx ARIA context + * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT + * \param input 16-byte input block + * \param output 16-byte output block + * + * \return 0 if successful + */ +int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, + int mode, + const unsigned char input[16], + unsigned char output[16] ); + +#if defined(MBEDTLS_CIPHER_MODE_CBC) +/** + * \brief ARIA-CBC buffer encryption/decryption + * Length should be a multiple of the block + * size (16 bytes) + * + * \note Upon exit, the content of the IV is updated so that you can + * call the function same function again on the following + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If on the other hand you need to retain the contents of the + * IV, you should either save it manually or use the cipher + * module instead. + * + * \param ctx ARIA context + * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT + * \param length length of the input data + * \param iv initialization vector (updated after use) + * \param input buffer holding the input data + * \param output buffer holding the output data + * + * \return 0 if successful, or + * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH + */ +int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, + int mode, + size_t length, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ); +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +/** + * \brief ARIA-CFB128 buffer encryption/decryption + * + * Note: Due to the nature of CFB you should use the same key schedule for + * both encryption and decryption. So a context initialized with + * mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and CAMELLIE_DECRYPT. + * + * \note Upon exit, the content of the IV is updated so that you can + * call the function same function again on the following + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If on the other hand you need to retain the contents of the + * IV, you should either save it manually or use the cipher + * module instead. + * + * \param ctx ARIA context + * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT + * \param length length of the input data + * \param iv_off offset in IV (updated after use) + * \param iv initialization vector (updated after use) + * \param input buffer holding the input data + * \param output buffer holding the output data + * + * \return 0 if successful, or + * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH + */ +int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, + int mode, + size_t length, + size_t *iv_off, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ); +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +/** + * \brief ARIA-CTR buffer encryption/decryption + * + * Warning: You have to keep the maximum use of your counter in mind! + * + * Note: Due to the nature of CTR you should use the same key schedule for + * both encryption and decryption. So a context initialized with + * mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and MBEDTLS_ARIA_DECRYPT. + * + * \param ctx ARIA context + * \param length The length of the data + * \param nc_off The offset in the current stream_block (for resuming + * within current cipher stream). The offset pointer to + * should be 0 at the start of a stream. + * \param nonce_counter The 128-bit nonce and counter. + * \param stream_block The saved stream-block for resuming. Is overwritten + * by the function. + * \param input The input data stream + * \param output The output data stream + * + * \return 0 if successful + */ +int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, + size_t length, + size_t *nc_off, + unsigned char nonce_counter[16], + unsigned char stream_block[16], + const unsigned char *input, + unsigned char *output ); +#endif /* MBEDTLS_CIPHER_MODE_CTR */ + +#ifdef __cplusplus +} +#endif + +#else /* MBEDTLS_ARIA_ALT */ +#include "aria_alt.h" +#endif /* MBEDTLS_ARIA_ALT */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int mbedtls_aria_self_test( int verbose ); + +#ifdef __cplusplus +} +#endif + +#endif /* aria.h */ diff --git a/library/aria.c b/library/aria.c new file mode 100644 index 000000000..0eb22ecc8 --- /dev/null +++ b/library/aria.c @@ -0,0 +1,706 @@ +/* + * ARIA implementation + * + * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_ARIA_C) + +#include "mbedtls/aria.h" + +#include + +#if defined(MBEDTLS_SELF_TEST) +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif /* MBEDTLS_PLATFORM_C */ +#endif /* MBEDTLS_SELF_TEST */ + +#if !defined(MBEDTLS_ARIA_ALT) + +// 32-bit integer manipulation macros (little endian) + +#ifndef GET_UINT32_LE +#define GET_UINT32_LE(n,b,i) \ +{ \ + (n) = ( (uint32_t) (b)[(i) ] ) \ + | ( (uint32_t) (b)[(i) + 1] << 8 ) \ + | ( (uint32_t) (b)[(i) + 2] << 16 ) \ + | ( (uint32_t) (b)[(i) + 3] << 24 ); \ +} +#endif + +#ifndef PUT_UINT32_LE +#define PUT_UINT32_LE(n,b,i) \ +{ \ + (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ + (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ + (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ + (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ +} +#endif + +// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits +#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16)) + +// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes +#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) + +// Affine Transform A +// (ra, rb, rc, rd) = state in/out +// (ta, tb, tc) = temporary variables + +#define ARIA_A( ra, rb, rc, rd, ta, tb, tc ) { \ + ta = rb; \ + rb = ra; \ + ra = ARIA_FLIP1( ta ); \ + tb = ARIA_FLIP1( rd ); \ + rd = ARIA_FLIP2( rc ); \ + rc = ARIA_FLIP2( tb ); \ + ta ^= rd; \ + tc = ARIA_FLIP1( rb ); \ + ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \ + tb ^= ARIA_FLIP1( rd ); \ + tc ^= ARIA_FLIP2( ra ); \ + rb ^= ta ^ tb; \ + tb = ARIA_FLIP1( tb ) ^ ta; \ + ra ^= ARIA_FLIP2( tb ); \ + ta = ARIA_FLIP1( ta ); \ + rd ^= ARIA_FLIP2( ta ) ^ tc; \ + tc = ARIA_FLIP1( tc ); \ + rc ^= ARIA_FLIP2( tc ) ^ ta; \ +} + + +// ARIA Round function ( Substitution Layer SLx + Affine Transform A ) +// (ra, rb, rc, rd) = state in/out +// (sa, sb, sc, sd) = 256 8-bit S-Boxes +// (ta, tb, tc) = temporary variables + +#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \ + ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \ + (((uint32_t) sd[ rb >> 24]) << 8) ^ \ + (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \ + (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \ + rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \ + (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \ + (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \ + (((uint32_t) sd[ ra >> 24]) << 24); \ + ra = ta; \ + ta = ( (uint32_t) sd[ rd >> 24]) ^ \ + (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \ + (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \ + (((uint32_t) sa[ rd & 0xFF]) << 24); \ + rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \ + (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \ + (((uint32_t) sd[ rc >> 24]) << 16) ^ \ + (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \ + rc = ta; \ + ta = ARIA_FLIP1( ra ) ^ rd; \ + tc = ARIA_FLIP1( rb ); \ + ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \ + tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \ + tc ^= ARIA_FLIP2( ra ); \ + rb ^= ta^ tb; \ + tb = ARIA_FLIP1( tb ) ^ ta; \ + ra ^= ARIA_FLIP2( tb ); \ + ta = ARIA_FLIP1( ta ); \ + rd ^= ARIA_FLIP2( ta ) ^ tc; \ + tc = ARIA_FLIP1( tc ); \ + rc ^= ARIA_FLIP2( tc ) ^ ta; \ +} + +// S-Boxes + +static const uint8_t aria_sb1[0x100] = +{ + 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, + 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, + 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, + 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, + 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, + 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, + 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, + 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, + 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, + 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, + 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, + 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, + 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, + 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, + 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, + 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, + 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, + 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, + 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, + 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, + 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, + 0xB0, 0x54, 0xBB, 0x16 +}; + +static const uint8_t aria_sb2[0x100] = +{ + 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, + 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, + 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, + 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, + 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, + 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, + 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, + 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, + 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, + 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, + 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, + 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, + 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, + 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, + 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, + 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, + 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, + 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, + 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, + 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, + 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, + 0xAF, 0xBA, 0xB5, 0x81 +}; + +static const uint8_t aria_is1[0x100] = +{ + 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, + 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, + 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, + 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, + 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, + 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, + 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, + 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, + 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, + 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, + 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, + 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, + 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, + 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, + 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, + 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, + 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, + 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, + 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, + 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, + 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, + 0x55, 0x21, 0x0C, 0x7D +}; + +static const uint8_t aria_is2[0x100] = +{ + 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, + 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, + 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, + 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, + 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, + 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, + 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, + 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, + 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, + 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, + 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, + 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, + 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, + 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, + 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, + 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, + 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, + 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, + 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, + 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, + 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, + 0x03, 0xA2, 0xAC, 0x60 +}; +// FO and FE are helpers for key schedule + +// r = FO( p, k ) ^ x + +static void aria_fo( uint32_t r[4], + const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) +{ + uint32_t a, b, c, d; + uint32_t t, u, v; + + a = p[0] ^ k[0]; + b = p[1] ^ k[1]; + c = p[2] ^ k[2]; + d = p[3] ^ k[3]; + + ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v ); + + r[0] = a ^ x[0]; + r[1] = b ^ x[1]; + r[2] = c ^ x[2]; + r[3] = d ^ x[3]; +} + +// r = FE( p, k ) ^ x + +static void aria_fe(uint32_t r[4], + const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) +{ + uint32_t a, b, c, d; + uint32_t t, u, v; + + a = p[0] ^ k[0]; + b = p[1] ^ k[1]; + c = p[2] ^ k[2]; + d = p[3] ^ k[3]; + + ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v ); + + r[0] = a ^ x[0]; + r[1] = b ^ x[1]; + r[2] = c ^ x[2]; + r[3] = d ^ x[3]; +} + +// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup. +// This is relatively slow since our implementation is geared towards +// little-endian targets and stores state in that order. + +static void aria_rot128(uint32_t r[4], const uint32_t a[4], + const uint32_t b[4], int n) +{ + int i, j, n1, n2; + uint32_t t, u; + + j = (n >> 5) & 3; // word offset + n1 = n & 0x1F; // bit offsets + n2 = 32 - n1; // n1 should be nonzero! + t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian + for( i = 0; i < 4; i++ ) + { + j = (j + 1) & 3; // get next word, big endian + u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); + t <<= n1; // rotate + if (n2 < 32) // intel rotate 32 bits = 0 bits.. + t |= u >> n2; + t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian + r[i] = a[i] ^ t; // store + t = u; // move to next word + } +} + +// Set encryption key + +int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, + const unsigned char *key, unsigned int keybits) +{ + // round constant masks + const uint32_t rc[3][4] = + { + { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, + { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, + { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } + }; + + int i; + uint32_t w[4][4], *w2; + + if (keybits != 128 && keybits != 192 && keybits != 256) + return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH; + + // W0 = KL + GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1 + GET_UINT32_LE( w[0][1], key, 4 ); + GET_UINT32_LE( w[0][2], key, 8 ); + GET_UINT32_LE( w[0][3], key, 12 ); + + memset(w[1], 0, 16); + if( keybits >= 192 ) + { + GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key + GET_UINT32_LE( w[1][1], key, 20 ); + } + if( keybits == 256 ) + { + GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key + GET_UINT32_LE( w[1][3], key, 28 ); + } + + i = (keybits - 128) >> 6; // index: 0, 1, 2 + ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 + + aria_fo( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR + i = i < 2 ? i + 1 : 0; + aria_fe( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 + i = i < 2 ? i + 1 : 0; + aria_fo( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 + + for( i = 0; i < 4; i++ ) // create round keys + { + w2 = w[(i + 1) & 3]; + aria_rot128( ctx->rk[i ], w[i], w2, -19); + aria_rot128( ctx->rk[i + 4], w[i], w2, -31); + aria_rot128( ctx->rk[i + 8], w[i], w2, 61); + aria_rot128( ctx->rk[i + 12], w[i], w2, 31); + } + aria_rot128( ctx->rk[16], w[0], w[1], 19 ); + + return 0; +} + +// Set decryption key + +int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, + const unsigned char *key, unsigned int keybits) +{ + int i, j, k, ret; + uint32_t t, u, v; + + ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); + if( ret != 0 ) + return ret; + + // flip the order of round keys + for( i = 0, j = ctx->nr; i < j; i++, j-- ) + { + for( k = 0; k < 4; k++ ) + { + t = ctx->rk[i][k]; + ctx->rk[i][k] = ctx->rk[j][k]; + ctx->rk[j][k] = t; + } + } + + // apply affine transform to middle keys + for (i = 1; i < ctx->nr; i++ ) + { + ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3], + t, u, v ); + } + + return 0; +} + +// Encrypt a block + +int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, + int mode, + const unsigned char input[16], + unsigned char output[16] ) +{ + int i; + + uint32_t a, b, c, d; + uint32_t t, u, v; + + ( (void) mode ); + + GET_UINT32_LE( a, input, 0 ); + GET_UINT32_LE( b, input, 4 ); + GET_UINT32_LE( c, input, 8 ); + GET_UINT32_LE( d, input, 12 ); + + i = 0; + while (1) + { + a ^= ctx->rk[i][0]; + b ^= ctx->rk[i][1]; + c ^= ctx->rk[i][2]; + d ^= ctx->rk[i][3]; + i++; + ARIA_SLA( a, b, c, d, + aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v ); + + a ^= ctx->rk[i][0]; + b ^= ctx->rk[i][1]; + c ^= ctx->rk[i][2]; + d ^= ctx->rk[i][3]; + i++; + if (i >= ctx->nr) + break; + + ARIA_SLA( a, b, c, d, + aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v ); + } + + // final substitution + + a = ctx->rk[i][0] ^ + ( (uint32_t) aria_is1[ a & 0xFF]) ^ + (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^ + (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^ + (((uint32_t) aria_sb2[ a >> 24 ]) << 24); + + b = ctx->rk[i][1] ^ + ( (uint32_t) aria_is1[ b & 0xFF]) ^ + (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^ + (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^ + (((uint32_t) aria_sb2[ b >> 24 ]) << 24); + + c = ctx->rk[i][2] ^ + ( (uint32_t) aria_is1[ c & 0xFF]) ^ + (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^ + (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^ + (((uint32_t) aria_sb2[ c >> 24 ]) << 24); + + d = ctx->rk[i][3] ^ + ( (uint32_t) aria_is1[ d & 0xFF]) ^ + (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^ + (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^ + (((uint32_t) aria_sb2[ d >> 24 ]) << 24); + + PUT_UINT32_LE( a, output, 0 ); + PUT_UINT32_LE( b, output, 4 ); + PUT_UINT32_LE( c, output, 8 ); + PUT_UINT32_LE( d, output, 12 ); + + return 0; +} + + + +#if defined(MBEDTLS_CIPHER_MODE_CBC) +/* + * ARIA-CBC buffer encryption/decryption + */ +int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, + int mode, + size_t length, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ) +{ + int i; + unsigned char temp[16]; + + if( length % 16 ) + return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); + + if( mode == MBEDTLS_ARIA_DECRYPT ) + { + while( length > 0 ) + { + memcpy( temp, input, 16 ); + mbedtls_aria_crypt_ecb( ctx, mode, input, output ); + + for( i = 0; i < 16; i++ ) + output[i] = (unsigned char)( output[i] ^ iv[i] ); + + memcpy( iv, temp, 16 ); + + input += 16; + output += 16; + length -= 16; + } + } + else + { + while( length > 0 ) + { + for( i = 0; i < 16; i++ ) + output[i] = (unsigned char)( input[i] ^ iv[i] ); + + mbedtls_aria_crypt_ecb( ctx, mode, output, output ); + memcpy( iv, output, 16 ); + + input += 16; + output += 16; + length -= 16; + } + } + + return( 0 ); +} +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +/* + * ARIA-CFB128 buffer encryption/decryption + */ +int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, + int mode, + size_t length, + size_t *iv_off, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ) +{ + int c; + size_t n = *iv_off; + + if( mode == MBEDTLS_ARIA_DECRYPT ) + { + while( length-- ) + { + if( n == 0 ) + mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv ); + + c = *input++; + *output++ = (unsigned char)( c ^ iv[n] ); + iv[n] = (unsigned char) c; + + n = ( n + 1 ) & 0x0F; + } + } + else + { + while( length-- ) + { + if( n == 0 ) + mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv ); + + iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); + + n = ( n + 1 ) & 0x0F; + } + } + + *iv_off = n; + + return( 0 ); +} +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +/* + * ARIA-CTR buffer encryption/decryption + */ +int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, + size_t length, + size_t *nc_off, + unsigned char nonce_counter[16], + unsigned char stream_block[16], + const unsigned char *input, + unsigned char *output ) +{ + int c, i; + size_t n = *nc_off; + + while( length-- ) + { + if( n == 0 ) { + mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter, + stream_block ); + + for( i = 16; i > 0; i-- ) + if( ++nonce_counter[i - 1] != 0 ) + break; + } + c = *input++; + *output++ = (unsigned char)( c ^ stream_block[n] ); + + n = ( n + 1 ) & 0x0F; + } + + *nc_off = n; + + return( 0 ); +} +#endif /* MBEDTLS_CIPHER_MODE_CTR */ +#endif /* !MBEDTLS_ARIA_ALT */ + +#if defined(MBEDTLS_SELF_TEST) + +/* + * Checkup routine + */ + +int mbedtls_aria_self_test( int verbose ) +{ + // ECB test vectors from RFC 5794 + + const uint8_t aria_ecb_test_key[32] = // test key + { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit + }; + const uint8_t aria_ecb_test_pt[16] = // plaintext + { + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all + 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes + }; + const uint8_t aria_ecb_test_ct[3][16] = // ciphertext + { + { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit + 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 } + , + { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit + 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 } + , + { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit + 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } + }; + + int i; + uint8_t blk[16]; + mbedtls_aria_context ctx; + + for( i = 0; i < 3; i++ ) + { + // test encryption + if( verbose ) + printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i); + + mbedtls_aria_setkey_enc( &ctx, aria_ecb_test_key, 128 + 64 * i ); + mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, + aria_ecb_test_pt, blk ); + + if( memcmp( blk, aria_ecb_test_ct[i], 16 ) != 0 ) + { + if( verbose ) + printf( "failed\n" ); + return( 1 ); + } + if( verbose ) + printf( "passed\n" ); + + // test decryption + + if( verbose ) + printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i); + + mbedtls_aria_setkey_dec( &ctx, aria_ecb_test_key, 128 + 64 * i ); + mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, + aria_ecb_test_ct[i], blk ); + + if (memcmp( blk, aria_ecb_test_pt, 16 ) != 0) + { + if( verbose ) + printf( "failed\n" ); + return( 1 ); + } + if( verbose ) + printf( "passed\n" ); + } + printf("\n"); + + return( 0 ); +} + +#endif /* MBEDTLS_SELF_TEST */ + +#endif /* MBEDTLS_ARIA_C */ From 259fa60f6c430d8bd670afeba63a5c6a8df2c85d Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Thu, 30 Nov 2017 15:48:37 +0000 Subject: [PATCH 02/97] ARIA test vectors for CBC CFB CTR modes --- library/aria.c | 312 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 257 insertions(+), 55 deletions(-) diff --git a/library/aria.c b/library/aria.c index 0eb22ecc8..da31f09d7 100644 --- a/library/aria.c +++ b/library/aria.c @@ -19,7 +19,6 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -623,80 +622,283 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, #if defined(MBEDTLS_SELF_TEST) +// Basic ARIA ECB test vectors from RFC 5794 + +static const uint8_t aria_test1_ecb_key[32] = // test key +{ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit +}; + +static const uint8_t aria_test1_ecb_pt[16] = // plaintext +{ + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all + 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes +}; + +static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext +{ + { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit + 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, + { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit + 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, + { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit + 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } +}; + +// Mode tests from "Test Vectors for ARIA" Version 1.0 +// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf + +#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ + defined(MBEDTLS_CIPHER_MODE_CFB) || \ + defined(MBEDTLS_CIPHER_MODE_CTR)) + +static const uint8_t aria_test2_key[32] = +{ + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit + 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit + 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit +}; + +static const uint8_t aria_test2_iv[16] = +{ + 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for all + 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 +}; + +static const uint8_t aria_test2_pt[48] = +{ + 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all + 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, + 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, + 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, + 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, + 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, +}; + +#endif /* defined(MBEDTLS_CIPHER_MODE_CBC) || \ + defined(MBEDTLS_CIPHER_MODE_CFB) || \ + defined(MBEDTLS_CIPHER_MODE_CTR) */ + +#if defined(MBEDTLS_CIPHER_MODE_CBC) +static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt +{ + { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key + 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, + 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, + 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, + 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, + 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, + { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key + 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, + 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, + 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, + 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, + 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, + { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key + 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, + 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, + 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, + 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, + 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } +}; +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt +{ + { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key + 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, + 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, + 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, + 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, + 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, + { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key + 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, + 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, + 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, + 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, + 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, + { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key + 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, + 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, + 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, + 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, + 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } +}; +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt +{ + { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key + 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, + 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, + 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, + 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, + 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, + { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key + 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, + 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, + 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, + 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, + 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, + { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key + 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, + 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, + 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, + 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, + 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } +}; +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + /* * Checkup routine */ +#define ARIA_SELF_TEST_IF_FAIL \ + { \ + if( verbose ) \ + printf( "failed\n" ); \ + return( 1 ); \ + } else { \ + if( verbose ) \ + printf( "passed\n" ); \ + } + int mbedtls_aria_self_test( int verbose ) { - // ECB test vectors from RFC 5794 - - const uint8_t aria_ecb_test_key[32] = // test key - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit - 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit - 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit - }; - const uint8_t aria_ecb_test_pt[16] = // plaintext - { - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all - 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes - }; - const uint8_t aria_ecb_test_ct[3][16] = // ciphertext - { - { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit - 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 } - , - { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit - 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 } - , - { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit - 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } - }; - int i; uint8_t blk[16]; mbedtls_aria_context ctx; +#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ + defined(MBEDTLS_CIPHER_MODE_CFB) || \ + defined(MBEDTLS_CIPHER_MODE_CTR)) + size_t j; + uint8_t buf[48], iv[16]; +#endif + + // Test set 1 for( i = 0; i < 3; i++ ) { - // test encryption + // test ECB encryption if( verbose ) printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i); - - mbedtls_aria_setkey_enc( &ctx, aria_ecb_test_key, 128 + 64 * i ); + mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, - aria_ecb_test_pt, blk ); - - if( memcmp( blk, aria_ecb_test_ct[i], 16 ) != 0 ) - { - if( verbose ) - printf( "failed\n" ); - return( 1 ); - } - if( verbose ) - printf( "passed\n" ); - - // test decryption + aria_test1_ecb_pt, blk ); + if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + // test ECB decryption if( verbose ) printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i); - - mbedtls_aria_setkey_dec( &ctx, aria_ecb_test_key, 128 + 64 * i ); + mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, - aria_ecb_test_ct[i], blk ); - - if (memcmp( blk, aria_ecb_test_pt, 16 ) != 0) - { - if( verbose ) - printf( "failed\n" ); - return( 1 ); - } - if( verbose ) - printf( "passed\n" ); + aria_test1_ecb_ct[i], blk ); + if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0) + ARIA_SELF_TEST_IF_FAIL; } - printf("\n"); + if( verbose ) + printf("\n"); + + // Test set 2 + +#if defined(MBEDTLS_CIPHER_MODE_CBC) + for( i = 0; i < 3; i++ ) + { + // Test CBC encryption + if( verbose ) + printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i); + mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); + memcpy( iv, aria_test2_iv, 16 ); + memset( buf, 0x55, sizeof(buf) ); + mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, + aria_test2_pt, buf ); + if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + + // Test CBC decryption + if( verbose ) + printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i); + mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); + memcpy( iv, aria_test2_iv, 16 ); + memset( buf, 0xAA, sizeof(buf) ); + mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, + aria_test2_cbc_ct[i], buf ); + if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + } + if( verbose ) + printf("\n"); + +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) + for( i = 0; i < 3; i++ ) + { + // Test CFB encryption + if( verbose ) + printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i); + mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); + memcpy( iv, aria_test2_iv, 16 ); + memset( buf, 0x55, sizeof(buf) ); + j = 0; + mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, + aria_test2_pt, buf ); + if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + + // Test CFB decryption + if( verbose ) + printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i); + mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); + memcpy( iv, aria_test2_iv, 16 ); + memset( buf, 0xAA, sizeof(buf) ); + j = 0; + mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, + iv, aria_test2_cfb_ct[i], buf ); + if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + } + if( verbose ) + printf("\n"); +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) + for( i = 0; i < 3; i++ ) + { + // Test CTR encryption + if( verbose ) + printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i); + mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); + memset( iv, 0, 16 ); // IV = 0 + memset( buf, 0x55, sizeof(buf) ); + j = 0; + mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, + aria_test2_pt, buf ); + if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + + // Test CTR decryption + if( verbose ) + printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i); + mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); + memset( iv, 0, 16 ); // IV = 0 + memset( buf, 0xAA, sizeof(buf) ); + j = 0; + mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, + aria_test2_ctr_ct[i], buf ); + if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) + ARIA_SELF_TEST_IF_FAIL; + } + if( verbose ) + printf("\n"); +#endif /* MBEDTLS_CIPHER_MODE_CTR */ return( 0 ); } From 3c0b53b2b0c88e289e6d5831e9c6d9b3c1c73b42 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Thu, 30 Nov 2017 16:00:34 +0000 Subject: [PATCH 03/97] ARIA build integration --- include/mbedtls/config.h | 9 +++++++++ include/mbedtls/error.h | 1 + library/CMakeLists.txt | 1 + library/Makefile | 1 + library/aria.c | 28 +++++++++++++++------------- library/error.c | 11 +++++++++++ library/version_features.c | 3 +++ programs/test/selftest.c | 4 ++++ scripts/generate_errors.pl | 2 +- 9 files changed, 46 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 1c98558eb..8c217544b 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1797,6 +1797,15 @@ */ #define MBEDTLS_CAMELLIA_C +/** + * \def MBEDTLS_ARIA_C + * + * Enable the ARIA block cipher. + * + * Module: library/aria.c + */ +#define MBEDTLS_ARIA_C + /** * \def MBEDTLS_CCM_C * diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b4d3a875..5bdb6bb4a 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -63,6 +63,7 @@ * CTR_DBRG 4 0x0034-0x003A * ENTROPY 3 0x003C-0x0040 0x003D-0x003F * NET 11 0x0042-0x0052 0x0043-0x0045 + * ARIA 1 0x005C-0x005E * ASN1 7 0x0060-0x006C * CMAC 1 0x007A-0x007A * PBKDF2 1 0x007C-0x007C diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 02ccea8bc..96992c148 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -6,6 +6,7 @@ set(src_crypto aes.c aesni.c arc4.c + aria.c asn1parse.c asn1write.c base64.c diff --git a/library/Makefile b/library/Makefile index 65a102f3a..642028180 100644 --- a/library/Makefile +++ b/library/Makefile @@ -47,6 +47,7 @@ endif OBJS_CRYPTO= aes.o aesni.o arc4.o \ asn1parse.o asn1write.o base64.o \ bignum.o blowfish.o camellia.o \ + aria.o \ ccm.o cipher.o cipher_wrap.o \ cmac.o ctr_drbg.o des.o \ dhm.o ecdh.o ecdsa.o \ diff --git a/library/aria.c b/library/aria.c index da31f09d7..9121d8fb2 100644 --- a/library/aria.c +++ b/library/aria.c @@ -651,10 +651,8 @@ static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext // Mode tests from "Test Vectors for ARIA" Version 1.0 // http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf -#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ - defined(MBEDTLS_CIPHER_MODE_CFB) || \ +#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ defined(MBEDTLS_CIPHER_MODE_CTR)) - static const uint8_t aria_test2_key[32] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit @@ -663,12 +661,6 @@ static const uint8_t aria_test2_key[32] = 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit }; -static const uint8_t aria_test2_iv[16] = -{ - 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for all - 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 -}; - static const uint8_t aria_test2_pt[48] = { 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all @@ -678,10 +670,15 @@ static const uint8_t aria_test2_pt[48] = 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, }; +#endif -#endif /* defined(MBEDTLS_CIPHER_MODE_CBC) || \ - defined(MBEDTLS_CIPHER_MODE_CFB) || \ - defined(MBEDTLS_CIPHER_MODE_CTR) */ +#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) +static const uint8_t aria_test2_iv[16] = +{ + 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB + 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV +}; +#endif #if defined(MBEDTLS_CIPHER_MODE_CBC) static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt @@ -774,10 +771,15 @@ int mbedtls_aria_self_test( int verbose ) int i; uint8_t blk[16]; mbedtls_aria_context ctx; + +#if (defined(MBEDTLS_CIPHER_MODE_CFB) || \ + defined(MBEDTLS_CIPHER_MODE_CTR)) + size_t j; +#endif + #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ defined(MBEDTLS_CIPHER_MODE_CFB) || \ defined(MBEDTLS_CIPHER_MODE_CTR)) - size_t j; uint8_t buf[48], iv[16]; #endif diff --git a/library/error.c b/library/error.c index 0292480ae..16680775f 100644 --- a/library/error.c +++ b/library/error.c @@ -65,6 +65,10 @@ #include "mbedtls/camellia.h" #endif +#if defined(MBEDTLS_ARIA_C) +#include "mbedtls/aria.h" +#endif + #if defined(MBEDTLS_CCM_C) #include "mbedtls/ccm.h" #endif @@ -642,6 +646,13 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" ); #endif /* MBEDTLS_CAMELLIA_C */ +#if defined(MBEDTLS_ARIA_C) + if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH) ) + mbedtls_snprintf( buf, buflen, "ARIA - Invalid key length" ); + if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) ) + mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" ); +#endif /* MBEDTLS_ARIA_C */ + #if defined(MBEDTLS_CCM_C) if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) ) mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" ); diff --git a/library/version_features.c b/library/version_features.c index da47e3d75..3b1319ef1 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -525,6 +525,9 @@ static const char *features[] = { #if defined(MBEDTLS_CAMELLIA_C) "MBEDTLS_CAMELLIA_C", #endif /* MBEDTLS_CAMELLIA_C */ +#if defined(MBEDTLS_ARIA_C) + "MBEDTLS_ARIA_C", +#endif /* MBEDTLS_ARIA_C */ #if defined(MBEDTLS_CCM_C) "MBEDTLS_CCM_C", #endif /* MBEDTLS_CCM_C */ diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 72a37342f..019071ba4 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -44,6 +44,7 @@ #include "mbedtls/des.h" #include "mbedtls/aes.h" #include "mbedtls/camellia.h" +#include "mbedtls/aria.h" #include "mbedtls/base64.h" #include "mbedtls/bignum.h" #include "mbedtls/rsa.h" @@ -225,6 +226,9 @@ const selftest_t selftests[] = #if defined(MBEDTLS_CAMELLIA_C) {"camellia", mbedtls_camellia_self_test}, #endif +#if defined(MBEDTLS_ARIA_C) + {"aria", mbedtls_aria_self_test}, +#endif #if defined(MBEDTLS_CTR_DRBG_C) {"ctr_drbg", mbedtls_ctr_drbg_self_test}, #endif diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index 59618d4aa..95ec51211 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -29,7 +29,7 @@ if( @ARGV ) { my $error_format_file = $data_dir.'/error.fmt'; -my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH +my @low_level_modules = qw( AES ARC4 ARIA ASN1 BASE64 BIGNUM BLOWFISH CAMELLIA CCM CMAC CTR_DRBG DES ENTROPY GCM HMAC_DRBG MD2 MD4 MD5 NET OID PADLOCK PBKDF2 RIPEMD160 From 6ba68d4a3b421a6b6a2f38a72a7a00ff3ebd598d Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Fri, 1 Dec 2017 14:26:21 +0000 Subject: [PATCH 04/97] ARIA init and free --- library/aria.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/library/aria.c b/library/aria.c index 9121d8fb2..0e2c23a25 100644 --- a/library/aria.c +++ b/library/aria.c @@ -125,7 +125,7 @@ ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \ tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \ tc ^= ARIA_FLIP2( ra ); \ - rb ^= ta^ tb; \ + rb ^= ta ^ tb; \ tb = ARIA_FLIP1( tb ) ^ ta; \ ra ^= ARIA_FLIP2( tb ); \ ta = ARIA_FLIP1( ta ); \ @@ -478,7 +478,19 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, return 0; } +void mbedtls_aria_init( mbedtls_aria_context *ctx ) +{ + memset( ctx, 0, sizeof( mbedtls_aria_context ) ); +} +void mbedtls_aria_free( mbedtls_aria_context *ctx ) +{ + if( ctx == NULL ) + return; + + // compiler can't remove this since this is not a static function + memset( ctx, 0, sizeof( mbedtls_aria_context ) ); +} #if defined(MBEDTLS_CIPHER_MODE_CBC) /* @@ -772,9 +784,8 @@ int mbedtls_aria_self_test( int verbose ) uint8_t blk[16]; mbedtls_aria_context ctx; -#if (defined(MBEDTLS_CIPHER_MODE_CFB) || \ - defined(MBEDTLS_CIPHER_MODE_CTR)) - size_t j; +#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) + size_t j; #endif #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ From 8df81e029f0f1be2dda67b97ed56739d3a1a34d7 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Fri, 1 Dec 2017 14:26:40 +0000 Subject: [PATCH 05/97] Test suite for ARIA --- tests/CMakeLists.txt | 1 + tests/Makefile | 5 + tests/suites/test_suite_aria.data | 95 ++++++++ tests/suites/test_suite_aria.function | 318 ++++++++++++++++++++++++++ 4 files changed, 419 insertions(+) create mode 100644 tests/suites/test_suite_aria.data create mode 100644 tests/suites/test_suite_aria.function diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 16e19a927..c85d3a2d8 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -104,6 +104,7 @@ add_test_suite(version) add_test_suite(xtea) add_test_suite(x509parse) add_test_suite(x509write) +add_test_suite(aria) # Make data_files available in an out-of-source build if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) diff --git a/tests/Makefile b/tests/Makefile index 4787f2508..1e9b8aa47 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -50,6 +50,7 @@ APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \ test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \ test_suite_camellia$(EXEXT) test_suite_ccm$(EXEXT) \ + test_suite_aria$(EXEXT) \ test_suite_cmac$(EXEXT) \ test_suite_cipher.aes$(EXEXT) \ test_suite_cipher.arc4$(EXEXT) test_suite_cipher.ccm$(EXEXT) \ @@ -437,6 +438,10 @@ test_suite_version$(EXEXT): test_suite_version.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +test_suite_aria$(EXEXT): test_suite_aria.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + clean: ifndef WINDOWS rm -f $(APPS) *.c diff --git a/tests/suites/test_suite_aria.data b/tests/suites/test_suite_aria.data new file mode 100644 index 000000000..46c6eccc2 --- /dev/null +++ b/tests/suites/test_suite_aria.data @@ -0,0 +1,95 @@ +ARIA-128-ECB Encrypt - RFC 5794 +aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f":"00112233445566778899aabbccddeeff":"d718fbd6ab644c739da95f3be6451778":0 + +ARIA-128-ECB Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0 + +ARIA-192-ECB Encrypt - RFC 5794 +aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"00112233445566778899aabbccddeeff":"26449c1805dbe7aa25a468ce263a9e79":0 + +ARIA-192-ECB Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0 + +ARIA-256-ECB_Encrypt - RFC 5794 +aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"00112233445566778899aabbccddeeff":"f92bd7c79fb72e2f2b8f80c1972d24fc":0 + +ARIA-256-ECB_Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0 + +ARIA-128-ECB Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0 + +ARIA-192-ECB Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0 + +ARIA-256-ECB Decrypt - RFC 5794 +aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0 + +ARIA-128-ECB Encrypt - Official Test Vectors 1.0 +aria_encrypt_ecb:"00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":0 + +ARIA-128-ECB Decrypt - Official Test Vectors 1.0 +aria_decrypt_ecb:"00112233445566778899aabbccddeeff":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-192-ECB Encrypt - Official Test Vectors 1.0 +aria_encrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":0 + +ARIA-192-ECB Decrypt - Official Test Vectors 1.0 +aria_decrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-256-ECB Encrypt - Official Test Vectors 1.0 +aria_encrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":0 + +ARIA-256-ECB Decrypt - Official Test Vectors 1.0 +aria_decrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-128-CBC Encrypt - Official Test Vectors 1.0 +aria_encrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":0 + +ARIA-128-CBC Decrypt - Official Test Vectors 1.0 +aria_decrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-192-CBC Encrypt - Official Test Vectors 1.0 +aria_encrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":0 + +ARIA-192-CBC Decrypt - Official Test Vectors 1.0 +aria_decrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-256-CBC Encrypt - Official Test Vectors 1.0 +aria_encrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":0 + +ARIA-256-CBC Decrypt - Official Test Vectors 1.0 +aria_decrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-128-CTR Encrypt - Official Test Vectors 1.0 +aria_encrypt_ctr:"00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"ac5d7de805a0bf1c57c854501af60fa11497e2a34519dea1569e91e5b5ccae2ff3bfa1bf975f4571f48be191613546c3911163c085f871f0e7ae5f2a085b81851c2a3ddf20ecb8fa51901aec8ee4ba32a35dab67bb72cd9140ad188a967ac0fbbdfa94ea6cce47dcf8525ab5a814cfeb2bb60ee2b126e2d9d847c1a9e96f9019e3e6a7fe40d3829afb73db1cc245646addb62d9b907baaafbe46a73dbc131d3d":0 + +ARIA-192-CTR Encrypt - Official Test Vectors 1.0 +aria_encrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":0 + +ARIA-192-CTR Decrypt - Official Test Vectors 1.0 +aria_decrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-256-CTR Encrypt - Official Test Vectors 1.0 +aria_encrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":0 + +ARIA-256-CTR Decrypt - Official Test Vectors 1.0 +aria_decrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-128-CFB128 Encrypt - Official Test Vectors 1.0 +aria_encrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":0 + +ARIA-128-CFB128 Decrypt - Official Test Vectors 1.0 +aria_decrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-192-CFB128 Encrypt - Official Test Vectors 1.0 +aria_encrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":0 + +ARIA-192-CFB128 Decrypt - Official Test Vectors 1.0 +aria_decrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 + +ARIA-256-CFB128 Encrypt - Official Test Vectors 1.0 +aria_encrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":0 + +ARIA-256-CFB128 Decrypt - Official Test Vectors 1.0 +aria_decrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0 diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function new file mode 100644 index 000000000..2c3e34732 --- /dev/null +++ b/tests/suites/test_suite_aria.function @@ -0,0 +1,318 @@ +/* BEGIN_HEADER */ +#include "mbedtls/aria.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_ARIA_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, + char *hex_dst_string, int setkey_result ) +{ + unsigned char key_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + int key_len, data_len, i; + + memset( key_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + data_len = unhexify( src_str, hex_src_string ); + + TEST_ASSERT( mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ) == setkey_result ); + if( setkey_result == 0 ) + { + for( i = 0; i < data_len; i += 16 ) + { + TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, src_str + i, output + i ) == 0 ); + } + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + } + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, + char *hex_dst_string, int setkey_result ) +{ + unsigned char key_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + int key_len, data_len, i; + + memset( key_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + data_len = unhexify( src_str, hex_src_string ); + + TEST_ASSERT( mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 ) == setkey_result ); + if( setkey_result == 0 ) + { + for( i = 0; i < data_len; i += 16 ) + { + TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, + src_str + i, output + i ) == 0 ); + } + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + } + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */ +void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int cbc_result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, + data_len, iv_str, src_str, output) == cbc_result ); + if( cbc_result == 0 ) + { + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + } + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */ +void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int cbc_result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, + data_len, iv_str, src_str, output ) == cbc_result ); + if( cbc_result == 0 ) + { + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + } + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */ +void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + size_t iv_offset = 0; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, + data_len, &iv_offset, iv_str, src_str, output ) == result ); + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */ +void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + mbedtls_aria_context ctx; + size_t iv_offset = 0; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, + data_len, &iv_offset, iv_str, src_str, output ) == result ); + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */ +void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + unsigned char blk[16]; + mbedtls_aria_context ctx; + size_t iv_offset = 0; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, + &iv_offset, iv_str, blk, src_str, output ) == result ); + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */ +void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string, + char *hex_src_string, char *hex_dst_string, + int result ) +{ + unsigned char key_str[1000]; + unsigned char iv_str[1000]; + unsigned char src_str[1000]; + unsigned char dst_str[1000]; + unsigned char output[1000]; + unsigned char blk[16]; + mbedtls_aria_context ctx; + size_t iv_offset = 0; + int key_len, data_len; + + memset( key_str, 0x00, 1000 ); + memset( iv_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); + mbedtls_aria_init( &ctx ); + + key_len = unhexify( key_str, hex_key_string ); + unhexify( iv_str, hex_iv_string ); + data_len = unhexify( src_str, hex_src_string ); + + mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); + TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, + &iv_offset, iv_str, blk, src_str, output ) == result ); + hexify( dst_str, output, data_len ); + + TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); + +exit: + mbedtls_aria_free( &ctx ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +void aria_selftest() +{ + TEST_ASSERT( mbedtls_aria_self_test( 1 ) == 0 ); +} +/* END_CASE */ From 0fb47fe71f58902b255bde29a794bfd68f08dd34 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Fri, 1 Dec 2017 15:41:38 +0000 Subject: [PATCH 06/97] MBEDTLS_ARIA_ALT added as a feature --- include/mbedtls/config.h | 2 ++ library/version_features.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 8c217544b..3369620fb 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -271,6 +271,7 @@ */ //#define MBEDTLS_AES_ALT //#define MBEDTLS_ARC4_ALT +//#define MBEDTLS_ARIA_ALT //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_CCM_ALT @@ -288,6 +289,7 @@ //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT //#define MBEDTLS_XTEA_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is * implemented with two .c files: diff --git a/library/version_features.c b/library/version_features.c index 3b1319ef1..61088168c 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -90,6 +90,9 @@ static const char *features[] = { #if defined(MBEDTLS_ARC4_ALT) "MBEDTLS_ARC4_ALT", #endif /* MBEDTLS_ARC4_ALT */ +#if defined(MBEDTLS_ARIA_ALT) + "MBEDTLS_ARIA_ALT", +#endif /* MBEDTLS_ARIA_ALT */ #if defined(MBEDTLS_BLOWFISH_ALT) "MBEDTLS_BLOWFISH_ALT", #endif /* MBEDTLS_BLOWFISH_ALT */ From 07478d6f309d1a82f753b300fb05eb3c68df1958 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Fri, 1 Dec 2017 16:20:15 +0000 Subject: [PATCH 07/97] something to do with whitespaces --- library/error.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/library/error.c b/library/error.c index 16680775f..0e0cc51fc 100644 --- a/library/error.c +++ b/library/error.c @@ -49,6 +49,10 @@ #include "mbedtls/arc4.h" #endif +#if defined(MBEDTLS_ARIA_C) +#include "mbedtls/aria.h" +#endif + #if defined(MBEDTLS_BASE64_C) #include "mbedtls/base64.h" #endif @@ -65,10 +69,6 @@ #include "mbedtls/camellia.h" #endif -#if defined(MBEDTLS_ARIA_C) -#include "mbedtls/aria.h" -#endif - #if defined(MBEDTLS_CCM_C) #include "mbedtls/ccm.h" #endif @@ -585,6 +585,13 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" ); #endif /* MBEDTLS_ARC4_C */ +#if defined(MBEDTLS_ARIA_C) + if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH) ) + mbedtls_snprintf( buf, buflen, "ARIA - Invalid key length" ); + if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) ) + mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" ); +#endif /* MBEDTLS_ARIA_C */ + #if defined(MBEDTLS_ASN1_PARSE_C) if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) ) mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" ); @@ -646,13 +653,6 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" ); #endif /* MBEDTLS_CAMELLIA_C */ -#if defined(MBEDTLS_ARIA_C) - if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH) ) - mbedtls_snprintf( buf, buflen, "ARIA - Invalid key length" ); - if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) ) - mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" ); -#endif /* MBEDTLS_ARIA_C */ - #if defined(MBEDTLS_CCM_C) if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) ) mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" ); From c06e1014e1ee7cbf45346bf71ecfefcd48ad5ead Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Thu, 7 Dec 2017 11:51:13 +0000 Subject: [PATCH 08/97] ARIA ciphersuites for TLS 1.2 --- include/mbedtls/cipher.h | 19 ++ include/mbedtls/ssl_ciphersuites.h | 57 ++++- library/cipher_wrap.c | 392 +++++++++++++++++++++++++++++ library/ssl_ciphersuites.c | 385 +++++++++++++++++++++++++++- library/ssl_tls.c | 10 +- 5 files changed, 856 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index d1f4efef8..fec259f7a 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -84,6 +84,7 @@ typedef enum { MBEDTLS_CIPHER_ID_CAMELLIA, MBEDTLS_CIPHER_ID_BLOWFISH, MBEDTLS_CIPHER_ID_ARC4, + MBEDTLS_CIPHER_ID_ARIA, } mbedtls_cipher_id_t; /** @@ -143,6 +144,24 @@ typedef enum { MBEDTLS_CIPHER_CAMELLIA_128_CCM, MBEDTLS_CIPHER_CAMELLIA_192_CCM, MBEDTLS_CIPHER_CAMELLIA_256_CCM, + MBEDTLS_CIPHER_ARIA_128_ECB, + MBEDTLS_CIPHER_ARIA_192_ECB, + MBEDTLS_CIPHER_ARIA_256_ECB, + MBEDTLS_CIPHER_ARIA_128_CBC, + MBEDTLS_CIPHER_ARIA_192_CBC, + MBEDTLS_CIPHER_ARIA_256_CBC, + MBEDTLS_CIPHER_ARIA_128_CFB128, + MBEDTLS_CIPHER_ARIA_192_CFB128, + MBEDTLS_CIPHER_ARIA_256_CFB128, + MBEDTLS_CIPHER_ARIA_128_CTR, + MBEDTLS_CIPHER_ARIA_192_CTR, + MBEDTLS_CIPHER_ARIA_256_CTR, + MBEDTLS_CIPHER_ARIA_128_GCM, + MBEDTLS_CIPHER_ARIA_192_GCM, + MBEDTLS_CIPHER_ARIA_256_GCM, + MBEDTLS_CIPHER_ARIA_128_CCM, + MBEDTLS_CIPHER_ARIA_192_CCM, + MBEDTLS_CIPHER_ARIA_256_CCM, } mbedtls_cipher_type_t; /** Supported cipher modes. */ diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 545468a51..5223f02e0 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -169,6 +169,61 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A /**< Weak! No SSL3! */ #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B /**< Weak! No SSL3! */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D +#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 0xC03E +#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 0xC03F +#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 0xC040 +#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 0xC041 +#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 0xC042 +#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043 +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 +#define MBEDTLS_TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 0xC046 +#define MBEDTLS_TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 0xC047 +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 +#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 0xC054 +#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 0xC055 +#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 0xC056 +#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057 +#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058 +#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059 +#define MBEDTLS_TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 0xC05A +#define MBEDTLS_TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 0xC05B +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 + #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */ #define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 /**< Not in SSL3! */ @@ -267,7 +322,7 @@ typedef enum { defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED #endif diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index dc76af8ff..47851e9c0 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -45,6 +45,10 @@ #include "mbedtls/camellia.h" #endif +#if defined(MBEDTLS_ARIA_C) +#include "mbedtls/aria.h" +#endif + #if defined(MBEDTLS_DES_C) #include "mbedtls/des.h" #endif @@ -822,6 +826,363 @@ static const mbedtls_cipher_info_t camellia_256_ccm_info = { #endif /* MBEDTLS_CAMELLIA_C */ +#if defined(MBEDTLS_ARIA_C) + +static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation, + const unsigned char *input, unsigned char *output ) +{ + return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, operation, input, + output ); +} + +#if defined(MBEDTLS_CIPHER_MODE_CBC) +static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, + size_t length, unsigned char *iv, + const unsigned char *input, unsigned char *output ) +{ + return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv, + input, output ); +} +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +static int aria_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation, + size_t length, size_t *iv_off, unsigned char *iv, + const unsigned char *input, unsigned char *output ) +{ + return mbedtls_aria_crypt_cfb128( (mbedtls_aria_context *) ctx, operation, length, + iv_off, iv, input, output ); +} +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +static int aria_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off, + unsigned char *nonce_counter, unsigned char *stream_block, + const unsigned char *input, unsigned char *output ) +{ + return mbedtls_aria_crypt_ctr( (mbedtls_aria_context *) ctx, length, nc_off, + nonce_counter, stream_block, input, output ); +} +#endif /* MBEDTLS_CIPHER_MODE_CTR */ + +static int aria_setkey_dec_wrap( void *ctx, const unsigned char *key, + unsigned int key_bitlen ) +{ + return mbedtls_aria_setkey_dec( (mbedtls_aria_context *) ctx, key, key_bitlen ); +} + +static int aria_setkey_enc_wrap( void *ctx, const unsigned char *key, + unsigned int key_bitlen ) +{ + return mbedtls_aria_setkey_enc( (mbedtls_aria_context *) ctx, key, key_bitlen ); +} + +static void * aria_ctx_alloc( void ) +{ + mbedtls_aria_context *ctx; + ctx = mbedtls_calloc( 1, sizeof( mbedtls_aria_context ) ); + + if( ctx == NULL ) + return( NULL ); + + mbedtls_aria_init( ctx ); + + return( ctx ); +} + +static void aria_ctx_free( void *ctx ) +{ + mbedtls_aria_free( (mbedtls_aria_context *) ctx ); + mbedtls_free( ctx ); +} + +static const mbedtls_cipher_base_t aria_info = { + MBEDTLS_CIPHER_ID_ARIA, + aria_crypt_ecb_wrap, +#if defined(MBEDTLS_CIPHER_MODE_CBC) + aria_crypt_cbc_wrap, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CFB) + aria_crypt_cfb128_wrap, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CTR) + aria_crypt_ctr_wrap, +#endif +#if defined(MBEDTLS_CIPHER_MODE_STREAM) + NULL, +#endif + aria_setkey_enc_wrap, + aria_setkey_dec_wrap, + aria_ctx_alloc, + aria_ctx_free +}; + +static const mbedtls_cipher_info_t aria_128_ecb_info = { + MBEDTLS_CIPHER_ARIA_128_ECB, + MBEDTLS_MODE_ECB, + 128, + "ARIA-128-ECB", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_192_ecb_info = { + MBEDTLS_CIPHER_ARIA_192_ECB, + MBEDTLS_MODE_ECB, + 192, + "ARIA-192-ECB", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_256_ecb_info = { + MBEDTLS_CIPHER_ARIA_256_ECB, + MBEDTLS_MODE_ECB, + 256, + "ARIA-256-ECB", + 16, + 0, + 16, + &aria_info +}; + +#if defined(MBEDTLS_CIPHER_MODE_CBC) +static const mbedtls_cipher_info_t aria_128_cbc_info = { + MBEDTLS_CIPHER_ARIA_128_CBC, + MBEDTLS_MODE_CBC, + 128, + "ARIA-128-CBC", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_192_cbc_info = { + MBEDTLS_CIPHER_ARIA_192_CBC, + MBEDTLS_MODE_CBC, + 192, + "ARIA-192-CBC", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_256_cbc_info = { + MBEDTLS_CIPHER_ARIA_256_CBC, + MBEDTLS_MODE_CBC, + 256, + "ARIA-256-CBC", + 16, + 0, + 16, + &aria_info +}; +#endif /* MBEDTLS_CIPHER_MODE_CBC */ + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +static const mbedtls_cipher_info_t aria_128_cfb128_info = { + MBEDTLS_CIPHER_ARIA_128_CFB128, + MBEDTLS_MODE_CFB, + 128, + "ARIA-128-CFB128", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_192_cfb128_info = { + MBEDTLS_CIPHER_ARIA_192_CFB128, + MBEDTLS_MODE_CFB, + 192, + "ARIA-192-CFB128", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_256_cfb128_info = { + MBEDTLS_CIPHER_ARIA_256_CFB128, + MBEDTLS_MODE_CFB, + 256, + "ARIA-256-CFB128", + 16, + 0, + 16, + &aria_info +}; +#endif /* MBEDTLS_CIPHER_MODE_CFB */ + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +static const mbedtls_cipher_info_t aria_128_ctr_info = { + MBEDTLS_CIPHER_ARIA_128_CTR, + MBEDTLS_MODE_CTR, + 128, + "ARIA-128-CTR", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_192_ctr_info = { + MBEDTLS_CIPHER_ARIA_192_CTR, + MBEDTLS_MODE_CTR, + 192, + "ARIA-192-CTR", + 16, + 0, + 16, + &aria_info +}; + +static const mbedtls_cipher_info_t aria_256_ctr_info = { + MBEDTLS_CIPHER_ARIA_256_CTR, + MBEDTLS_MODE_CTR, + 256, + "ARIA-256-CTR", + 16, + 0, + 16, + &aria_info +}; +#endif /* MBEDTLS_CIPHER_MODE_CTR */ + +#if defined(MBEDTLS_GCM_C) +static int gcm_aria_setkey_wrap( void *ctx, const unsigned char *key, + unsigned int key_bitlen ) +{ + return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA, + key, key_bitlen ); +} + +static const mbedtls_cipher_base_t gcm_aria_info = { + MBEDTLS_CIPHER_ID_ARIA, + NULL, +#if defined(MBEDTLS_CIPHER_MODE_CBC) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CFB) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CTR) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_STREAM) + NULL, +#endif + gcm_aria_setkey_wrap, + gcm_aria_setkey_wrap, + gcm_ctx_alloc, + gcm_ctx_free, +}; + +static const mbedtls_cipher_info_t aria_128_gcm_info = { + MBEDTLS_CIPHER_ARIA_128_GCM, + MBEDTLS_MODE_GCM, + 128, + "ARIA-128-GCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &gcm_aria_info +}; + +static const mbedtls_cipher_info_t aria_192_gcm_info = { + MBEDTLS_CIPHER_ARIA_192_GCM, + MBEDTLS_MODE_GCM, + 192, + "ARIA-192-GCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &gcm_aria_info +}; + +static const mbedtls_cipher_info_t aria_256_gcm_info = { + MBEDTLS_CIPHER_ARIA_256_GCM, + MBEDTLS_MODE_GCM, + 256, + "ARIA-256-GCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &gcm_aria_info +}; +#endif /* MBEDTLS_GCM_C */ + +#if defined(MBEDTLS_CCM_C) +static int ccm_aria_setkey_wrap( void *ctx, const unsigned char *key, + unsigned int key_bitlen ) +{ + return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA, + key, key_bitlen ); +} + +static const mbedtls_cipher_base_t ccm_aria_info = { + MBEDTLS_CIPHER_ID_ARIA, + NULL, +#if defined(MBEDTLS_CIPHER_MODE_CBC) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CFB) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CTR) + NULL, +#endif +#if defined(MBEDTLS_CIPHER_MODE_STREAM) + NULL, +#endif + ccm_aria_setkey_wrap, + ccm_aria_setkey_wrap, + ccm_ctx_alloc, + ccm_ctx_free, +}; + +static const mbedtls_cipher_info_t aria_128_ccm_info = { + MBEDTLS_CIPHER_ARIA_128_CCM, + MBEDTLS_MODE_CCM, + 128, + "ARIA-128-CCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; + +static const mbedtls_cipher_info_t aria_192_ccm_info = { + MBEDTLS_CIPHER_ARIA_192_CCM, + MBEDTLS_MODE_CCM, + 192, + "ARIA-192-CCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; + +static const mbedtls_cipher_info_t aria_256_ccm_info = { + MBEDTLS_CIPHER_ARIA_256_CCM, + MBEDTLS_MODE_CCM, + 256, + "ARIA-256-CCM", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; +#endif /* MBEDTLS_CCM_C */ + +#endif /* MBEDTLS_ARIA_C */ + #if defined(MBEDTLS_DES_C) static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation, @@ -1427,6 +1788,37 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = #endif #endif /* MBEDTLS_CAMELLIA_C */ +#if defined(MBEDTLS_ARIA_C) + { MBEDTLS_CIPHER_ARIA_128_ECB, &aria_128_ecb_info }, + { MBEDTLS_CIPHER_ARIA_192_ECB, &aria_192_ecb_info }, + { MBEDTLS_CIPHER_ARIA_256_ECB, &aria_256_ecb_info }, +#if defined(MBEDTLS_CIPHER_MODE_CBC) + { MBEDTLS_CIPHER_ARIA_128_CBC, &aria_128_cbc_info }, + { MBEDTLS_CIPHER_ARIA_192_CBC, &aria_192_cbc_info }, + { MBEDTLS_CIPHER_ARIA_256_CBC, &aria_256_cbc_info }, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CFB) + { MBEDTLS_CIPHER_ARIA_128_CFB128, &aria_128_cfb128_info }, + { MBEDTLS_CIPHER_ARIA_192_CFB128, &aria_192_cfb128_info }, + { MBEDTLS_CIPHER_ARIA_256_CFB128, &aria_256_cfb128_info }, +#endif +#if defined(MBEDTLS_CIPHER_MODE_CTR) + { MBEDTLS_CIPHER_ARIA_128_CTR, &aria_128_ctr_info }, + { MBEDTLS_CIPHER_ARIA_192_CTR, &aria_192_ctr_info }, + { MBEDTLS_CIPHER_ARIA_256_CTR, &aria_256_ctr_info }, +#endif +#if defined(MBEDTLS_GCM_C) + { MBEDTLS_CIPHER_ARIA_128_GCM, &aria_128_gcm_info }, + { MBEDTLS_CIPHER_ARIA_192_GCM, &aria_192_gcm_info }, + { MBEDTLS_CIPHER_ARIA_256_GCM, &aria_256_gcm_info }, +#endif +#if defined(MBEDTLS_CCM_C) + { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info }, + { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info }, + { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info }, +#endif +#endif /* MBEDTLS_ARIA_C */ + #if defined(MBEDTLS_DES_C) { MBEDTLS_CIPHER_DES_ECB, &des_ecb_info }, { MBEDTLS_CIPHER_DES_EDE_ECB, &des_ede_ecb_info }, diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 95e6163cc..9734ec079 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -47,7 +47,7 @@ * 1. By key exchange: * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: - * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES + * AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-256 > 3DES * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 * 4. By hash function used when relevant * 5. By key exchange/auth again: EC > non-EC @@ -81,6 +81,14 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + /* All ARIA-256 ephemeral suites */ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, + MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, + MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + /* All AES-128 ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, @@ -105,6 +113,14 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + /* All ARIA-128 ephemeral suites */ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, + MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, + MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + /* All remaining >= 128-bit ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, @@ -194,12 +210,16 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, + MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, + MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, @@ -211,6 +231,8 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, + MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384, MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_PSK_WITH_AES_128_CCM, @@ -219,6 +241,8 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, + MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, @@ -1688,6 +1712,365 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_DES_C */ #endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */ +#if defined(MBEDTLS_ARIA_C) + +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384, + "TLS-RSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384, + "TLS-RSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256, + "TLS-RSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256, + "TLS-RSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, + "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, + "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384, + "TLS-PSK-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384, + "TLS-PSK-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256, + "TLS-PSK-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256, + "TLS-PSK-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, + "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, + "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, + "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, + "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, + "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, + "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, + "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, + "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, + "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, + "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, + "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, + "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, + "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, + "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) + +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384", + MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C)) + { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, + "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384", + MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256", + MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C)) + { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, + "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256", + MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif + +#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ + +#endif /* MBEDTLS_ARIA_C */ + + { 0, "", MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE, 0, 0, 0, 0, 0 } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ff52104ff..2ff04c5fc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1269,7 +1269,7 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx, #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) + ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) ) #define SSL_SOME_MODES_USE_MAC #endif @@ -1470,7 +1470,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) + ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) ) if( mode == MBEDTLS_MODE_CBC ) { int ret; @@ -1586,7 +1586,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ + ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -1730,7 +1730,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ - ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) + ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) ) if( mode == MBEDTLS_MODE_CBC ) { /* @@ -1942,7 +1942,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_CIPHER_MODE_CBC && - ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ + ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); From 841192ba88c22c24b3e45429ffbf998f40e6b469 Mon Sep 17 00:00:00 2001 From: "Markku-Juhani O. Saarinen" Date: Thu, 7 Dec 2017 12:36:55 +0000 Subject: [PATCH 09/97] fixed a macro to uppercase for a test script (.._TLS_DH_anon_WITH.. -> _DH_ANON_WITH_) --- include/mbedtls/ssl_ciphersuites.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 5223f02e0..05f2d6557 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -179,8 +179,8 @@ extern "C" { #define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 -#define MBEDTLS_TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 0xC046 -#define MBEDTLS_TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 0xC047 +#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 0xC046 +#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 0xC047 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 #define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A @@ -199,8 +199,8 @@ extern "C" { #define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057 #define MBEDTLS_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058 #define MBEDTLS_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059 -#define MBEDTLS_TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 0xC05A -#define MBEDTLS_TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 0xC05B +#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 0xC05A +#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 0xC05B #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D #define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E From 392c2d2524a23e53739d2974ed417966ecfc0f7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Feb 2018 11:06:14 +0100 Subject: [PATCH 10/97] compat.sh: run 1.2-only tests with DTLS too --- tests/compat.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 672bdab78..832390467 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -687,7 +687,7 @@ add_mbedtls_ciphersuites() ;; "RSA") - if [ "$MODE" = "tls1_2" ]; + if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ TLS-RSA-WITH-AES-128-CCM \ @@ -715,7 +715,7 @@ add_mbedtls_ciphersuites() TLS-RSA-PSK-WITH-NULL-SHA \ " fi - if [ "$MODE" = "tls1_2" ]; + if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ TLS-PSK-WITH-AES-128-CCM \ From a0e47088d867953bb0b8c029bffac91aa4c2a8a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Feb 2018 11:07:58 +0100 Subject: [PATCH 11/97] compat.sh: add self-interop tests for ARIA suites --- tests/compat.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 832390467..ba44cdb5f 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -682,6 +682,10 @@ add_mbedtls_ciphersuites() TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ + TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ + TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ " fi ;; @@ -698,6 +702,14 @@ add_mbedtls_ciphersuites() TLS-RSA-WITH-AES-256-CCM-8 \ TLS-DHE-RSA-WITH-AES-128-CCM-8 \ TLS-DHE-RSA-WITH-AES-256-CCM-8 \ + TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ + TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ + TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ + TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ " fi ;; @@ -726,6 +738,14 @@ add_mbedtls_ciphersuites() TLS-PSK-WITH-AES-256-CCM-8 \ TLS-DHE-PSK-WITH-AES-128-CCM-8 \ TLS-DHE-PSK-WITH-AES-256-CCM-8 \ + TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ + TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ + TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ + TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ + TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ + TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ + TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ + TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ " fi ;; From 7299dfd86bd09b658a1dad6809b790af9cd35995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Feb 2018 11:43:55 +0100 Subject: [PATCH 12/97] compat.sh: add ARIA interop tests with OpenSSL Disabled by default, needs OpenSSL >= 1.1.1 - tested locally with 1.1.1-pre1 Local version of OpenSSL was compiled with: ./config --prefix=$HOME/usr/openssl-1.1.1-pre1 -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' make make install With OpenSSL 1.1.1-pre1, two ciphersuites were incorrectly skipped, but this has since been fixed in OpenSSL master, see: https://github.com/openssl/openssl/issues/5406 --- tests/compat.sh | 64 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 11 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index ba44cdb5f..63c1636ed 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -53,7 +53,12 @@ MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" -EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) +# exclude: +# - NULL: excluded from our default config +# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions +# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) +# - ARIA: requires OpenSSL >= 1.1.1 +EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA' VERBOSE="" MEMCHECK=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" @@ -226,6 +231,9 @@ reset_ciphersuites() G_CIPHERS="" } +# Ciphersuites that can be used with all peers. +# Since we currently have three possible peers, each ciphersuite should appear +# three times: in each peer's list (with the name that this peer uses). add_common_ciphersuites() { case $TYPE in @@ -422,6 +430,12 @@ add_common_ciphersuites() esac } +# Ciphersuites usable only with Mbed TLS and OpenSSL +# Each ciphersuite should appear two times, once with its OpenSSL name, once +# with its Mbed TLS name. +# +# NOTE: for some reason RSA-PSK doesn't work with OpenSSL, +# so RSA-PSK ciphersuites need to go in other sections. add_openssl_ciphersuites() { case $TYPE in @@ -451,12 +465,16 @@ add_openssl_ciphersuites() TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \ TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \ TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ + TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDH-ECDSA-AES128-SHA256 \ ECDH-ECDSA-AES256-SHA384 \ ECDH-ECDSA-AES128-GCM-SHA256 \ ECDH-ECDSA-AES256-GCM-SHA384 \ + ECDHE-ECDSA-ARIA256-GCM-SHA384 \ + ECDHE-ECDSA-ARIA128-GCM-SHA256 \ " fi ;; @@ -470,13 +488,42 @@ add_openssl_ciphersuites() DES-CBC-SHA \ EDH-RSA-DES-CBC-SHA \ " + if [ `minor_ver "$MODE"` -ge 3 ] + then + M_CIPHERS="$M_CIPHERS \ + TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ + " + O_CIPHERS="$O_CIPHERS \ + ECDHE-ARIA256-GCM-SHA384 \ + DHE-RSA-ARIA256-GCM-SHA384 \ + ECDHE-ARIA128-GCM-SHA256 \ + DHE-RSA-ARIA128-GCM-SHA256 \ + " + fi ;; "PSK") + if [ `minor_ver "$MODE"` -ge 3 ] + then + M_CIPHERS="$M_CIPHERS \ + TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ + TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ + " + O_CIPHERS="$O_CIPHERS \ + PSK-ARIA256-GCM-SHA384 \ + PSK-ARIA128-GCM-SHA256 \ + " + fi ;; esac } +# Ciphersuites usable only with Mbed TLS and GnuTLS +# Each ciphersuite should appear two times, once with its GnuTLS name, once +# with its Mbed TLS name. add_gnutls_ciphersuites() { case $TYPE in @@ -661,6 +708,9 @@ add_gnutls_ciphersuites() esac } +# Ciphersuites usable only with Mbed TLS (not currently supported by another +# peer usable in this script). This provide only very rudimentaty testing, as +# this is not interop testing, but it's better than nothing. add_mbedtls_ciphersuites() { case $TYPE in @@ -682,9 +732,7 @@ add_mbedtls_ciphersuites() TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ - TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ " fi @@ -702,12 +750,8 @@ add_mbedtls_ciphersuites() TLS-RSA-WITH-AES-256-CCM-8 \ TLS-DHE-RSA-WITH-AES-128-CCM-8 \ TLS-DHE-RSA-WITH-AES-256-CCM-8 \ - TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ " @@ -738,14 +782,12 @@ add_mbedtls_ciphersuites() TLS-PSK-WITH-AES-256-CCM-8 \ TLS-DHE-PSK-WITH-AES-128-CCM-8 \ TLS-DHE-PSK-WITH-AES-256-CCM-8 \ - TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ + TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ + TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ " fi ;; From 4db944c5f4beea927c23bb1ed5d6989a8eafe707 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 10:19:56 +0100 Subject: [PATCH 13/97] Don't declare unsupported ciphersuites Removed DSS, static DH, DH_anon --- include/mbedtls/ssl_ciphersuites.h | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 05f2d6557..6d11d4b14 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -171,16 +171,8 @@ extern "C" { #define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C #define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D -#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 0xC03E -#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 0xC03F -#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 0xC040 -#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 0xC041 -#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 0xC042 -#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 -#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 0xC046 -#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 0xC047 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 #define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A @@ -193,14 +185,6 @@ extern "C" { #define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 #define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 -#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 0xC054 -#define MBEDTLS_TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 0xC055 -#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 0xC056 -#define MBEDTLS_TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057 -#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058 -#define MBEDTLS_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059 -#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 0xC05A -#define MBEDTLS_TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 0xC05B #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D #define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E From 9decaf57b74619060a91f457b1e48bce639f5afb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 10:21:52 +0100 Subject: [PATCH 14/97] Document Aria suites as TLS 1.2-only --- include/mbedtls/ssl_ciphersuites.h | 76 +++++++++++++++--------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 6d11d4b14..13f84a435 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -169,44 +169,44 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A /**< Weak! No SSL3! */ #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B /**< Weak! No SSL3! */ -#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C -#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F -#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 -#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 -#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 -#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 -#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A -#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F -#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 -#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */ From af37f0f68f314bcb315ecbf8e51996dff48b050d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 11:03:40 +0100 Subject: [PATCH 15/97] Add remaining ARIA suites to priority list Those suites were defined in ciphersuite_definitions[] but not included in ciphersuite_preference[] which meant they couldn't be negotiated unless explicitly added by the user. Add them so that they're usable by default like any other suite. --- library/ssl_ciphersuites.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 9734ec079..2e9a0fd79 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -47,7 +47,7 @@ * 1. By key exchange: * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: - * AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-256 > 3DES + * AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 * 4. By hash function used when relevant * 5. By key exchange/auth again: EC > non-EC @@ -137,6 +137,9 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, + MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, + MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, @@ -148,6 +151,9 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, + MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, + MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, @@ -177,6 +183,14 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + /* All ARIA-256 suites */ + MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384, + MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, + MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, + MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384, + /* All AES-128 suites */ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_RSA_WITH_AES_128_CCM, @@ -199,6 +213,14 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + /* All ARIA-128 suites */ + MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256, + MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, + MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, + MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256, + /* All remaining >= 128-bit suites */ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, From bba64067bf584d76625e6719f6d3991c9d480704 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 11:58:44 +0100 Subject: [PATCH 16/97] compat.sh: add remaining ARIA suites --- tests/compat.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 63c1636ed..93e6b3a6d 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -493,14 +493,18 @@ add_openssl_ciphersuites() M_CIPHERS="$M_CIPHERS \ TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-RSA-WITH-ARIA-256-GCM-SHA384 \ TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDHE-ARIA256-GCM-SHA384 \ DHE-RSA-ARIA256-GCM-SHA384 \ + ARIA256-GCM-SHA384 \ ECDHE-ARIA128-GCM-SHA256 \ DHE-RSA-ARIA128-GCM-SHA256 \ + ARIA128-GCM-SHA256 \ " fi ;; @@ -509,10 +513,14 @@ add_openssl_ciphersuites() if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ + TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \ + TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ " O_CIPHERS="$O_CIPHERS \ + DHE-PSK-ARIA256-GCM-SHA384 \ + DHE-PSK-ARIA128-GCM-SHA256 \ PSK-ARIA256-GCM-SHA384 \ PSK-ARIA128-GCM-SHA256 \ " @@ -734,6 +742,10 @@ add_mbedtls_ciphersuites() TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ + TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \ + TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \ + TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \ " fi ;; @@ -754,6 +766,8 @@ add_mbedtls_ciphersuites() TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ + TLS-RSA-WITH-ARIA-256-CBC-SHA384 \ + TLS-RSA-WITH-ARIA-128-CBC-SHA256 \ " fi ;; @@ -788,6 +802,10 @@ add_mbedtls_ciphersuites() TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \ + TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ + TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ + TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ " fi ;; From 6b3689237d51b7542f8ccc92cdbde18eff33da53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 12:02:07 +0100 Subject: [PATCH 17/97] Add compat.sh ARIA run to all.sh Warning: needs OpenSSL >= 1.1.1-pre1 installed and environment variable OPENSSL_NEXT pointing to it. --- scripts/output_env.sh | 5 +++++ tests/scripts/all.sh | 13 ++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/scripts/output_env.sh b/scripts/output_env.sh index 1afaac33e..19b7c061f 100755 --- a/scripts/output_env.sh +++ b/scripts/output_env.sh @@ -81,6 +81,11 @@ if [ -n "${OPENSSL_LEGACY+set}" ]; then echo fi +if [ -n "${OPENSSL_NEXT+set}" ]; then + print_version "$OPENSSL_NEXT" "version" "openssl next version not found!" + echo +fi + : ${GNUTLS_CLI:=gnutls-cli} print_version "$GNUTLS_CLI" "--version" "gnuTLS client not found!" "head -n 1" echo diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d5fc12d0a..764fa2c26 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -101,6 +101,7 @@ YOTTA=1 # Default commands, can be overriden by the environment : ${OPENSSL:="openssl"} : ${OPENSSL_LEGACY:="$OPENSSL"} +: ${OPENSSL_NEXT:="$OPENSSL"} : ${GNUTLS_CLI:="gnutls-cli"} : ${GNUTLS_SERV:="gnutls-serv"} : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"} @@ -141,6 +142,7 @@ Tool path options: --gnutls-legacy-serv= GnuTLS server executable to use for legacy tests. --openssl= OpenSSL executable to use for most tests. --openssl-legacy= OpenSSL executable to use for legacy tests e.g. SSLv3. + --openssl-next= OpenSSL executable to use for recent things like ARIA EOF } @@ -268,6 +270,10 @@ while [ $# -gt 0 ]; do shift OPENSSL_LEGACY="$1" ;; + --openssl-next) + shift + OPENSSL_NEXT="$1" + ;; --out-of-source-dir) shift OUT_OF_SOURCE_DIR="$1" @@ -397,6 +403,7 @@ echo "FORCE: $FORCE" echo "SEED: ${SEED-"UNSET"}" echo "OPENSSL: $OPENSSL" echo "OPENSSL_LEGACY: $OPENSSL_LEGACY" +echo "OPENSSL_NEXT: $OPENSSL_NEXT" echo "GNUTLS_CLI: $GNUTLS_CLI" echo "GNUTLS_SERV: $GNUTLS_SERV" echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI" @@ -419,7 +426,8 @@ export GNUTLS_SERV="$GNUTLS_SERV" [ ! -z ${SEED+set} ] && export SEED # Make sure the tools we need are available. -check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$GNUTLS_CLI" "$GNUTLS_SERV" \ +check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \ + "$GNUTLS_CLI" "$GNUTLS_SERV" \ "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" "doxygen" "dot" \ "arm-none-eabi-gcc" "i686-w64-mingw32-gcc" if [ $RUN_ARMCC -ne 0 ]; then @@ -547,6 +555,9 @@ if_build_succeeded tests/ssl-opt.sh -f Default msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' +msg "test: compat.sh ARIA" +if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA' + msg "test/build: curves.pl (gcc)" # ~ 4 min cleanup cmake -D CMAKE_BUILD_TYPE:String=Debug . From 442f03b9e1f8c5452f66a1ab315a41c5dcf3bb39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 13:56:54 +0100 Subject: [PATCH 18/97] cmake: keep test list in alphabetic order --- tests/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index c85d3a2d8..8c9ba45e4 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -49,6 +49,7 @@ add_test_suite(aes aes.cbc) add_test_suite(aes aes.cfb) add_test_suite(aes aes.rest) add_test_suite(arc4) +add_test_suite(aria) add_test_suite(asn1write) add_test_suite(base64) add_test_suite(blowfish) @@ -104,7 +105,6 @@ add_test_suite(version) add_test_suite(xtea) add_test_suite(x509parse) add_test_suite(x509write) -add_test_suite(aria) # Make data_files available in an out-of-source build if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) From a6d639e553aae26e487f0cddb0c0605f46fa614c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 13:45:44 +0100 Subject: [PATCH 19/97] aria: improve some comments & internal names --- include/mbedtls/error.h | 2 +- library/aria.c | 28 +++++++++++++++++++--------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 5bdb6bb4a..b65c25cb3 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -63,7 +63,7 @@ * CTR_DBRG 4 0x0034-0x003A * ENTROPY 3 0x003C-0x0040 0x003D-0x003F * NET 11 0x0042-0x0052 0x0043-0x0045 - * ARIA 1 0x005C-0x005E + * ARIA 2 0x005C-0x005E * ASN1 7 0x0060-0x006C * CMAC 1 0x007A-0x007A * PBKDF2 1 0x007C-0x007C diff --git a/library/aria.c b/library/aria.c index 0e2c23a25..a9a2c2511 100644 --- a/library/aria.c +++ b/library/aria.c @@ -19,6 +19,12 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ +/* + * This implementation is based on the following standards: + * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf + * [2] https://tools.ietf.org/html/rfc5794 + */ + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -96,10 +102,14 @@ } -// ARIA Round function ( Substitution Layer SLx + Affine Transform A ) -// (ra, rb, rc, rd) = state in/out -// (sa, sb, sc, sd) = 256 8-bit S-Boxes -// (ta, tb, tc) = temporary variables +/* ARIA Round function ( Substitution Layer SLx + Affine Transform A ) + * (ra, rb, rc, rd) = state in/out + * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) + * (ta, tb, tc) = temporary variables + * + * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A. + * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A. + */ #define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \ ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \ @@ -243,7 +253,7 @@ static const uint8_t aria_is2[0x100] = // r = FO( p, k ) ^ x -static void aria_fo( uint32_t r[4], +static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; @@ -264,7 +274,7 @@ static void aria_fo( uint32_t r[4], // r = FE( p, k ) ^ x -static void aria_fe(uint32_t r[4], +static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; @@ -350,11 +360,11 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, i = (keybits - 128) >> 6; // index: 0, 1, 2 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 - aria_fo( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR + aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR i = i < 2 ? i + 1 : 0; - aria_fe( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 + aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 i = i < 2 ? i + 1 : 0; - aria_fo( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 + aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 for( i = 0; i < 4; i++ ) // create round keys { From e1ad7491c5dee991f5855092d9b6a64c7bfb4084 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Feb 2018 13:59:05 +0100 Subject: [PATCH 20/97] aria: clean up interface of internal macros --- library/aria.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/library/aria.c b/library/aria.c index a9a2c2511..4c4f3bb18 100644 --- a/library/aria.c +++ b/library/aria.c @@ -78,9 +78,9 @@ // Affine Transform A // (ra, rb, rc, rd) = state in/out -// (ta, tb, tc) = temporary variables -#define ARIA_A( ra, rb, rc, rd, ta, tb, tc ) { \ +#define ARIA_A( ra, rb, rc, rd ) { \ + uint32_t ta, tb, tc; \ ta = rb; \ rb = ra; \ ra = ARIA_FLIP1( ta ); \ @@ -105,13 +105,13 @@ /* ARIA Round function ( Substitution Layer SLx + Affine Transform A ) * (ra, rb, rc, rd) = state in/out * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) - * (ta, tb, tc) = temporary variables * * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A. * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A. */ -#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \ +#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \ + uint32_t ta, tb, tc; \ ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \ (((uint32_t) sd[ rb >> 24]) << 8) ^ \ (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \ @@ -257,14 +257,13 @@ static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; - uint32_t t, u, v; a = p[0] ^ k[0]; b = p[1] ^ k[1]; c = p[2] ^ k[2]; d = p[3] ^ k[3]; - ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v ); + ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -278,14 +277,13 @@ static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; - uint32_t t, u, v; a = p[0] ^ k[0]; b = p[1] ^ k[1]; c = p[2] ^ k[2]; d = p[3] ^ k[3]; - ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v ); + ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -385,7 +383,6 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { int i, j, k, ret; - uint32_t t, u, v; ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); if( ret != 0 ) @@ -396,7 +393,7 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, { for( k = 0; k < 4; k++ ) { - t = ctx->rk[i][k]; + uint32_t t = ctx->rk[i][k]; ctx->rk[i][k] = ctx->rk[j][k]; ctx->rk[j][k] = t; } @@ -404,10 +401,7 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, // apply affine transform to middle keys for (i = 1; i < ctx->nr; i++ ) - { - ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3], - t, u, v ); - } + ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] ); return 0; } @@ -422,7 +416,6 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, int i; uint32_t a, b, c, d; - uint32_t t, u, v; ( (void) mode ); @@ -439,8 +432,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, c ^= ctx->rk[i][2]; d ^= ctx->rk[i][3]; i++; - ARIA_SLA( a, b, c, d, - aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v ); + ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); a ^= ctx->rk[i][0]; b ^= ctx->rk[i][1]; @@ -450,8 +442,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, if (i >= ctx->nr) break; - ARIA_SLA( a, b, c, d, - aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v ); + ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); } // final substitution From 9cc89248fe2773c611b996e2499f4f6327cb90a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 09:44:29 +0100 Subject: [PATCH 21/97] aria: use unsigned type for bit count --- library/aria.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/library/aria.c b/library/aria.c index 4c4f3bb18..6f76538cf 100644 --- a/library/aria.c +++ b/library/aria.c @@ -296,21 +296,22 @@ static void aria_fe_xor(uint32_t r[4], // little-endian targets and stores state in that order. static void aria_rot128(uint32_t r[4], const uint32_t a[4], - const uint32_t b[4], int n) + const uint32_t b[4], uint8_t n) { - int i, j, n1, n2; + uint8_t i, j; uint32_t t, u; - j = (n >> 5) & 3; // word offset - n1 = n & 0x1F; // bit offsets - n2 = 32 - n1; // n1 should be nonzero! + const uint8_t n1 = n & 0x1F; // bit offset + const uint8_t n2 = 32 - n1; // reverse bit offset + + j = (n >> 5) & 3; // initial word offset t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian for( i = 0; i < 4; i++ ) { j = (j + 1) & 3; // get next word, big endian u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); t <<= n1; // rotate - if (n2 < 32) // intel rotate 32 bits = 0 bits.. + if (n2 < 32) // rotate 32 bits = 0 bits.. t |= u >> n2; t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian r[i] = a[i] ^ t; // store @@ -367,10 +368,10 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, for( i = 0; i < 4; i++ ) // create round keys { w2 = w[(i + 1) & 3]; - aria_rot128( ctx->rk[i ], w[i], w2, -19); - aria_rot128( ctx->rk[i + 4], w[i], w2, -31); - aria_rot128( ctx->rk[i + 8], w[i], w2, 61); - aria_rot128( ctx->rk[i + 12], w[i], w2, 31); + aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 ); + aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 ); + aria_rot128( ctx->rk[i + 8], w[i], w2, 61 ); + aria_rot128( ctx->rk[i + 12], w[i], w2, 31 ); } aria_rot128( ctx->rk[16], w[0], w[1], 19 ); From c76ceb677bfd86a73ccaa585c11b8f5122599d77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 09:50:17 +0100 Subject: [PATCH 22/97] aria: move conditional outside of loop --- library/aria.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/library/aria.c b/library/aria.c index 6f76538cf..9b5febc26 100644 --- a/library/aria.c +++ b/library/aria.c @@ -291,7 +291,7 @@ static void aria_fe_xor(uint32_t r[4], r[3] = d ^ x[3]; } -// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup. +// Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. // This is relatively slow since our implementation is geared towards // little-endian targets and stores state in that order. @@ -301,18 +301,17 @@ static void aria_rot128(uint32_t r[4], const uint32_t a[4], uint8_t i, j; uint32_t t, u; - const uint8_t n1 = n & 0x1F; // bit offset - const uint8_t n2 = 32 - n1; // reverse bit offset + const uint8_t n1 = n % 32; // bit offset + const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset - j = (n >> 5) & 3; // initial word offset + j = (n / 32) % 4; // initial word offset t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian for( i = 0; i < 4; i++ ) { - j = (j + 1) & 3; // get next word, big endian + j = (j + 1) % 4; // get next word, big endian u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); t <<= n1; // rotate - if (n2 < 32) // rotate 32 bits = 0 bits.. - t |= u >> n2; + t |= u >> n2; t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian r[i] = a[i] ^ t; // store t = u; // move to next word From 56453937a15d8de5e64a61158feb67cee87ee0b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 10:08:31 +0100 Subject: [PATCH 23/97] aria: use mbedtls_zeroize() --- library/aria.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/aria.c b/library/aria.c index 9b5febc26..5a5222f6a 100644 --- a/library/aria.c +++ b/library/aria.c @@ -48,6 +48,11 @@ #if !defined(MBEDTLS_ARIA_ALT) +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; +} + // 32-bit integer manipulation macros (little endian) #ifndef GET_UINT32_LE @@ -489,8 +494,7 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx ) if( ctx == NULL ) return; - // compiler can't remove this since this is not a static function - memset( ctx, 0, sizeof( mbedtls_aria_context ) ); + mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) ); } #if defined(MBEDTLS_CIPHER_MODE_CBC) From a41ecdabedb6387c6ef50d0c5955a3b1d600e8c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 10:33:26 +0100 Subject: [PATCH 24/97] aria: closer to usual comment style We're not absolutely consistent in the rest of the library, but we tend to use C99-style comments less often. Change to use C89-style comments everywhere except for end-of-line comments --- library/aria.c | 122 +++++++++++++++++++++++++++---------------------- 1 file changed, 68 insertions(+), 54 deletions(-) diff --git a/library/aria.c b/library/aria.c index 5a5222f6a..6857e9926 100644 --- a/library/aria.c +++ b/library/aria.c @@ -53,7 +53,9 @@ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } -// 32-bit integer manipulation macros (little endian) +/* + * 32-bit integer manipulation macros (little endian) + */ #ifndef GET_UINT32_LE #define GET_UINT32_LE(n,b,i) \ @@ -75,16 +77,17 @@ static void mbedtls_zeroize( void *v, size_t n ) { } #endif -// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits +/* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits */ #define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16)) -// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes +/* modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes */ #define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) -// Affine Transform A -// (ra, rb, rc, rd) = state in/out - -#define ARIA_A( ra, rb, rc, rd ) { \ +/* + * Affine Transform A + * (ra, rb, rc, rd) = state in/out + */ +#define ARIA_A( ra, rb, rc, rd ) { \ uint32_t ta, tb, tc; \ ta = rb; \ rb = ra; \ @@ -107,14 +110,14 @@ static void mbedtls_zeroize( void *v, size_t n ) { } -/* ARIA Round function ( Substitution Layer SLx + Affine Transform A ) +/* + * ARIA Round function ( Substitution Layer SLx + Affine Transform A ) * (ra, rb, rc, rd) = state in/out * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) * * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A. * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A. */ - #define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \ uint32_t ta, tb, tc; \ ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \ @@ -149,8 +152,9 @@ static void mbedtls_zeroize( void *v, size_t n ) { rc ^= ARIA_FLIP2( tc ) ^ ta; \ } -// S-Boxes - +/* + * S-Boxes + */ static const uint8_t aria_sb1[0x100] = { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, @@ -254,10 +258,10 @@ static const uint8_t aria_is2[0x100] = 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60 }; -// FO and FE are helpers for key schedule - -// r = FO( p, k ) ^ x +/* + * Helper for key schedule: r = FO( p, k ) ^ x + */ static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { @@ -276,8 +280,9 @@ static void aria_fo_xor( uint32_t r[4], r[3] = d ^ x[3]; } -// r = FE( p, k ) ^ x - +/* + * Helper for key schedule: r = FE( p, k ) ^ x + */ static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) { @@ -296,10 +301,12 @@ static void aria_fe_xor(uint32_t r[4], r[3] = d ^ x[3]; } -// Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. -// This is relatively slow since our implementation is geared towards -// little-endian targets and stores state in that order. - +/* + * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. + * + * We chose to store bytes into 32-bit words in little-endian format (see + * GET/PUT_UINT32_LE) so we need to reverse bytes here. + */ static void aria_rot128(uint32_t r[4], const uint32_t a[4], const uint32_t b[4], uint8_t n) { @@ -323,12 +330,13 @@ static void aria_rot128(uint32_t r[4], const uint32_t a[4], } } -// Set encryption key - +/* + * Set encryption key + */ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { - // round constant masks + /* round constant masks */ const uint32_t rc[3][4] = { { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, @@ -342,8 +350,8 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, if (keybits != 128 && keybits != 192 && keybits != 256) return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH; - // W0 = KL - GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1 + /* Copy key to W0 (and potential remainder to W1) */ + GET_UINT32_LE( w[0][0], key, 0 ); GET_UINT32_LE( w[0][1], key, 4 ); GET_UINT32_LE( w[0][2], key, 8 ); GET_UINT32_LE( w[0][3], key, 12 ); @@ -382,8 +390,9 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, return 0; } -// Set decryption key - +/* + * Set decryption key + */ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits) { @@ -393,7 +402,7 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, if( ret != 0 ) return ret; - // flip the order of round keys + /* flip the order of round keys */ for( i = 0, j = ctx->nr; i < j; i++, j-- ) { for( k = 0; k < 4; k++ ) @@ -404,15 +413,16 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, } } - // apply affine transform to middle keys + /* apply affine transform to middle keys */ for (i = 1; i < ctx->nr; i++ ) ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] ); return 0; } -// Encrypt a block - +/* + * Encrypt a block + */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, int mode, const unsigned char input[16], @@ -450,8 +460,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); } - // final substitution - + /* final substitution */ a = ctx->rk[i][0] ^ ( (uint32_t) aria_is1[ a & 0xFF]) ^ (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^ @@ -484,11 +493,13 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, return 0; } +/* Initialize context */ void mbedtls_aria_init( mbedtls_aria_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_aria_context ) ); } +/* Clear context */ void mbedtls_aria_free( mbedtls_aria_context *ctx ) { if( ctx == NULL ) @@ -639,8 +650,9 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, #if defined(MBEDTLS_SELF_TEST) -// Basic ARIA ECB test vectors from RFC 5794 - +/* + * Basic ARIA ECB test vectors from RFC 5794 + */ static const uint8_t aria_test1_ecb_key[32] = // test key { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit @@ -665,9 +677,10 @@ static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } }; -// Mode tests from "Test Vectors for ARIA" Version 1.0 -// http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf - +/* + * Mode tests from "Test Vectors for ARIA" Version 1.0 + * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf + */ #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ defined(MBEDTLS_CIPHER_MODE_CTR)) static const uint8_t aria_test2_key[32] = @@ -769,10 +782,6 @@ static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt }; #endif /* MBEDTLS_CIPHER_MODE_CFB */ -/* - * Checkup routine - */ - #define ARIA_SELF_TEST_IF_FAIL \ { \ if( verbose ) \ @@ -783,6 +792,9 @@ static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt printf( "passed\n" ); \ } +/* + * Checkup routine + */ int mbedtls_aria_self_test( int verbose ) { int i; @@ -799,11 +811,12 @@ int mbedtls_aria_self_test( int verbose ) uint8_t buf[48], iv[16]; #endif - // Test set 1 - + /* + * Test set 1 + */ for( i = 0; i < 3; i++ ) { - // test ECB encryption + /* test ECB encryption */ if( verbose ) printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); @@ -812,7 +825,7 @@ int mbedtls_aria_self_test( int verbose ) if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 ) ARIA_SELF_TEST_IF_FAIL; - // test ECB decryption + /* test ECB decryption */ if( verbose ) printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); @@ -824,12 +837,13 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf("\n"); - // Test set 2 - + /* + * Test set 2 + */ #if defined(MBEDTLS_CIPHER_MODE_CBC) for( i = 0; i < 3; i++ ) { - // Test CBC encryption + /* Test CBC encryption */ if( verbose ) printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); @@ -840,7 +854,7 @@ int mbedtls_aria_self_test( int verbose ) if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) ARIA_SELF_TEST_IF_FAIL; - // Test CBC decryption + /* Test CBC decryption */ if( verbose ) printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); @@ -859,7 +873,7 @@ int mbedtls_aria_self_test( int verbose ) #if defined(MBEDTLS_CIPHER_MODE_CFB) for( i = 0; i < 3; i++ ) { - // Test CFB encryption + /* Test CFB encryption */ if( verbose ) printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); @@ -871,7 +885,7 @@ int mbedtls_aria_self_test( int verbose ) if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) ARIA_SELF_TEST_IF_FAIL; - // Test CFB decryption + /* Test CFB decryption */ if( verbose ) printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); @@ -890,7 +904,7 @@ int mbedtls_aria_self_test( int verbose ) #if defined(MBEDTLS_CIPHER_MODE_CTR) for( i = 0; i < 3; i++ ) { - // Test CTR encryption + /* Test CTR encryption */ if( verbose ) printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); @@ -902,7 +916,7 @@ int mbedtls_aria_self_test( int verbose ) if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) ARIA_SELF_TEST_IF_FAIL; - // Test CTR decryption + /* Test CTR decryption */ if( verbose ) printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); From 62e813ca62a19fa6eaf8014edaa32fc6daa440ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 10:47:47 +0100 Subject: [PATCH 25/97] Add aria to benchmark program --- programs/test/benchmark.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 2864caf84..f548c1d7e 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -54,21 +54,26 @@ int main( void ) #include "mbedtls/sha1.h" #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" + #include "mbedtls/arc4.h" #include "mbedtls/des.h" #include "mbedtls/aes.h" +#include "mbedtls/aria.h" #include "mbedtls/blowfish.h" #include "mbedtls/camellia.h" #include "mbedtls/gcm.h" #include "mbedtls/ccm.h" #include "mbedtls/cmac.h" + #include "mbedtls/havege.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/hmac_drbg.h" + #include "mbedtls/rsa.h" #include "mbedtls/dhm.h" #include "mbedtls/ecdsa.h" #include "mbedtls/ecdh.h" + #include "mbedtls/error.h" #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) @@ -229,7 +234,7 @@ typedef struct { char md4, md5, ripemd160, sha1, sha256, sha512, arc4, des3, des, aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac, - camellia, blowfish, + aria, camellia, blowfish, havege, ctr_drbg, hmac_drbg, rsa, dhm, ecdsa, ecdh; } todo_list; @@ -282,6 +287,8 @@ int main( int argc, char *argv[] ) todo.aes_cmac = 1; else if( strcmp( argv[i], "des3_cmac" ) == 0 ) todo.des3_cmac = 1; + else if( strcmp( argv[i], "aria" ) == 0 ) + todo.aria = 1; else if( strcmp( argv[i], "camellia" ) == 0 ) todo.camellia = 1; else if( strcmp( argv[i], "blowfish" ) == 0 ) @@ -498,6 +505,28 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_CMAC_C */ #endif /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_ARIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC) + if( todo.aria ) + { + int keysize; + mbedtls_aria_context aria; + mbedtls_aria_init( &aria ); + for( keysize = 128; keysize <= 256; keysize += 64 ) + { + mbedtls_snprintf( title, sizeof( title ), "ARIA-CBC-%d", keysize ); + + memset( buf, 0, sizeof( buf ) ); + memset( tmp, 0, sizeof( tmp ) ); + mbedtls_aria_setkey_enc( &aria, tmp, keysize ); + + TIME_AND_TSC( title, + mbedtls_aria_crypt_cbc( &aria, MBEDTLS_ARIA_ENCRYPT, + BUFSIZE, tmp, buf, buf ) ); + } + mbedtls_aria_free( &aria ); + } +#endif + #if defined(MBEDTLS_CAMELLIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC) if( todo.camellia ) { From 8c76a9489e0a947dbf59e22f77ceae5414ed8c34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 12:03:22 +0100 Subject: [PATCH 26/97] aria: turn macro into static inline function Besides documenting types better and so on, this give the compiler more room to optimise either for size or performance. Here are some before/after measurements of: - size of aria.o in bytes (less is better) - instruction count for the selftest function (less is better) with various -O flags. Before: O aria.o ins s 10896 37,256 2 11176 37,199 3 12248 27,752 After: O aria.o ins s 8784 41,408 2 11112 37,001 3 13096 27,438 The new version allows the compiler to reach smaller size with -Os while maintaining (actually slightly improving) performance with -O2 and -O3. Measurements were done on x86_64 (but since this is mainly about inlining code, this should transpose well to other platforms) using the following helper program and script, after disabling CBC, CFB and CTR in config.h, in order to focus on the core functions. ==> st.c <== #include "mbedtls/aria.h" int main( void ) { return mbedtls_aria_self_test( 0 ); } ==> p.sh <== #!/bin/sh set -eu ccount () { ( valgrind --tool=callgrind --dump-line=no --callgrind-out-file=/dev/null --collect-atstart=no --toggle-collect=main $1 ) 2>&1 | sed -n -e 's/.*refs: *\([0-9,]*\)/\1/p' } printf "O\taria.o\tins\n" for O in s 2 3; do GCC="gcc -Wall -Wextra -Werror -Iinclude" $GCC -O$O -c library/aria.c $GCC -O1 st.c aria.o -o st ./st SIZE=$( du -b aria.o | cut -f1 ) INS=$( ccount ./st ) printf "$O\t$SIZE\t$INS\n" done --- library/aria.c | 87 +++++++++++++++++++++++++++++--------------------- 1 file changed, 51 insertions(+), 36 deletions(-) diff --git a/library/aria.c b/library/aria.c index 6857e9926..b71cc3845 100644 --- a/library/aria.c +++ b/library/aria.c @@ -118,38 +118,53 @@ static void mbedtls_zeroize( void *v, size_t n ) { * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A. * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A. */ -#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd ) { \ - uint32_t ta, tb, tc; \ - ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \ - (((uint32_t) sd[ rb >> 24]) << 8) ^ \ - (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \ - (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \ - rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \ - (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \ - (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \ - (((uint32_t) sd[ ra >> 24]) << 24); \ - ra = ta; \ - ta = ( (uint32_t) sd[ rd >> 24]) ^ \ - (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \ - (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \ - (((uint32_t) sa[ rd & 0xFF]) << 24); \ - rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \ - (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \ - (((uint32_t) sd[ rc >> 24]) << 16) ^ \ - (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \ - rc = ta; \ - ta = ARIA_FLIP1( ra ) ^ rd; \ - tc = ARIA_FLIP1( rb ); \ - ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \ - tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \ - tc ^= ARIA_FLIP2( ra ); \ - rb ^= ta ^ tb; \ - tb = ARIA_FLIP1( tb ) ^ ta; \ - ra ^= ARIA_FLIP2( tb ); \ - ta = ARIA_FLIP1( ta ); \ - rd ^= ARIA_FLIP2( ta ) ^ tc; \ - tc = ARIA_FLIP1( tc ); \ - rc ^= ARIA_FLIP2( tc ) ^ ta; \ +static inline void aria_sla( uint32_t *a, uint32_t *b, + uint32_t *c, uint32_t *d, + const uint8_t sa[0x100], const uint8_t sb[0x100], + const uint8_t sc[0x100], const uint8_t sd[0x100] ) +{ + uint32_t ra, rb, rc, rd, ta, tb, tc; + + ra = *a; + rb = *b; + rc = *c; + rd = *d; + + ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ + (((uint32_t) sd[ rb >> 24]) << 8) ^ + (((uint32_t) sa[ rb & 0xFF]) << 16) ^ + (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); + rb = ( (uint32_t) sa[ ra & 0xFF]) ^ + (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ + (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ + (((uint32_t) sd[ ra >> 24]) << 24); + ra = ta; + ta = ( (uint32_t) sd[ rd >> 24]) ^ + (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ + (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ + (((uint32_t) sa[ rd & 0xFF]) << 24); + rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ + (((uint32_t) sa[ rc & 0xFF]) << 8) ^ + (((uint32_t) sd[ rc >> 24]) << 16) ^ + (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); + rc = ta; + ta = ARIA_FLIP1( ra ) ^ rd; + tc = ARIA_FLIP1( rb ); + ta = ARIA_FLIP2( ta ) ^ tc ^ rc; + tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); + tc ^= ARIA_FLIP2( ra ); + rb ^= ta ^ tb; + tb = ARIA_FLIP1( tb ) ^ ta; + ra ^= ARIA_FLIP2( tb ); + ta = ARIA_FLIP1( ta ); + rd ^= ARIA_FLIP2( ta ) ^ tc; + tc = ARIA_FLIP1( tc ); + rc ^= ARIA_FLIP2( tc ) ^ ta; + + *a = ra; + *b = rb; + *c = rc; + *d = rd; } /* @@ -272,7 +287,7 @@ static void aria_fo_xor( uint32_t r[4], c = p[2] ^ k[2]; d = p[3] ^ k[3]; - ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + aria_sla( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -293,7 +308,7 @@ static void aria_fe_xor(uint32_t r[4], c = p[2] ^ k[2]; d = p[3] ^ k[3]; - ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); + aria_sla( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -447,7 +462,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, c ^= ctx->rk[i][2]; d ^= ctx->rk[i][3]; i++; - ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + aria_sla( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); a ^= ctx->rk[i][0]; b ^= ctx->rk[i][1]; @@ -457,7 +472,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, if (i >= ctx->nr) break; - ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); + aria_sla( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); } /* final substitution */ From 64744f88b60c8654884b99afa707cc32edbf4488 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 21 Feb 2018 12:35:19 +0100 Subject: [PATCH 27/97] aria: define SLA() as sl(a()) This decreases the size with -Os by nearly 1k while not hurting performance too much with -O2 and -O3 Before: O aria.o ins s 8784 41,408 2 11112 37,001 3 13096 27,438 After: O aria.o ins s 7976 43,865 2 10520 37,631 3 13040 28,146 (See previous commit for measurement details.) --- library/aria.c | 165 +++++++++++++++++++------------------------------ 1 file changed, 63 insertions(+), 102 deletions(-) diff --git a/library/aria.c b/library/aria.c index b71cc3845..dc2192afe 100644 --- a/library/aria.c +++ b/library/aria.c @@ -84,87 +84,62 @@ static void mbedtls_zeroize( void *v, size_t n ) { #define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) /* - * Affine Transform A + * ARIA Affine Transform * (ra, rb, rc, rd) = state in/out */ -#define ARIA_A( ra, rb, rc, rd ) { \ - uint32_t ta, tb, tc; \ - ta = rb; \ - rb = ra; \ - ra = ARIA_FLIP1( ta ); \ - tb = ARIA_FLIP1( rd ); \ - rd = ARIA_FLIP2( rc ); \ - rc = ARIA_FLIP2( tb ); \ - ta ^= rd; \ - tc = ARIA_FLIP1( rb ); \ - ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \ - tb ^= ARIA_FLIP1( rd ); \ - tc ^= ARIA_FLIP2( ra ); \ - rb ^= ta ^ tb; \ - tb = ARIA_FLIP1( tb ) ^ ta; \ - ra ^= ARIA_FLIP2( tb ); \ - ta = ARIA_FLIP1( ta ); \ - rd ^= ARIA_FLIP2( ta ) ^ tc; \ - tc = ARIA_FLIP1( tc ); \ - rc ^= ARIA_FLIP2( tc ) ^ ta; \ +static inline void aria_a( uint32_t *a, uint32_t *b, + uint32_t *c, uint32_t *d ) +{ + uint32_t ta, tb, tc; + ta = *b; + *b = *a; + *a = ARIA_FLIP1( ta ); + tb = ARIA_FLIP1( *d ); + *d = ARIA_FLIP2( *c ); + *c = ARIA_FLIP2( tb ); + ta ^= *d; + tc = ARIA_FLIP1( *b ); + ta = ARIA_FLIP2( ta ) ^ tc ^ *c; + tb ^= ARIA_FLIP1( *d ); + tc ^= ARIA_FLIP2( *a ); + *b ^= ta ^ tb; + tb = ARIA_FLIP1( tb ) ^ ta; + *a ^= ARIA_FLIP2( tb ); + ta = ARIA_FLIP1( ta ); + *d ^= ARIA_FLIP2( ta ) ^ tc; + tc = ARIA_FLIP1( tc ); + *c ^= ARIA_FLIP2( tc ) ^ ta; } - /* - * ARIA Round function ( Substitution Layer SLx + Affine Transform A ) - * (ra, rb, rc, rd) = state in/out + * ARIA Substitution Layer SL1 / SL2 + * (a, b, c, d) = state in/out * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) * - * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1-then-A. - * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2-then-A. + * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 + * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 */ -static inline void aria_sla( uint32_t *a, uint32_t *b, - uint32_t *c, uint32_t *d, - const uint8_t sa[0x100], const uint8_t sb[0x100], - const uint8_t sc[0x100], const uint8_t sd[0x100] ) +static inline void aria_sl( uint32_t *a, uint32_t *b, + uint32_t *c, uint32_t *d, + const uint8_t sa[0x100], const uint8_t sb[0x100], + const uint8_t sc[0x100], const uint8_t sd[0x100] ) { - uint32_t ra, rb, rc, rd, ta, tb, tc; - - ra = *a; - rb = *b; - rc = *c; - rd = *d; - - ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ - (((uint32_t) sd[ rb >> 24]) << 8) ^ - (((uint32_t) sa[ rb & 0xFF]) << 16) ^ - (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); - rb = ( (uint32_t) sa[ ra & 0xFF]) ^ - (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ - (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ - (((uint32_t) sd[ ra >> 24]) << 24); - ra = ta; - ta = ( (uint32_t) sd[ rd >> 24]) ^ - (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ - (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ - (((uint32_t) sa[ rd & 0xFF]) << 24); - rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ - (((uint32_t) sa[ rc & 0xFF]) << 8) ^ - (((uint32_t) sd[ rc >> 24]) << 16) ^ - (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); - rc = ta; - ta = ARIA_FLIP1( ra ) ^ rd; - tc = ARIA_FLIP1( rb ); - ta = ARIA_FLIP2( ta ) ^ tc ^ rc; - tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); - tc ^= ARIA_FLIP2( ra ); - rb ^= ta ^ tb; - tb = ARIA_FLIP1( tb ) ^ ta; - ra ^= ARIA_FLIP2( tb ); - ta = ARIA_FLIP1( ta ); - rd ^= ARIA_FLIP2( ta ) ^ tc; - tc = ARIA_FLIP1( tc ); - rc ^= ARIA_FLIP2( tc ) ^ ta; - - *a = ra; - *b = rb; - *c = rc; - *d = rd; + *a = ( (uint32_t) sa[ *a & 0xFF]) ^ + (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ + (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ + (((uint32_t) sd[ *a >> 24 ]) << 24); + *b = ( (uint32_t) sa[ *b & 0xFF]) ^ + (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ + (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ + (((uint32_t) sd[ *b >> 24 ]) << 24); + *c = ( (uint32_t) sa[ *c & 0xFF]) ^ + (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ + (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ + (((uint32_t) sd[ *c >> 24 ]) << 24); + *d = ( (uint32_t) sa[ *d & 0xFF]) ^ + (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ + (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ + (((uint32_t) sd[ *d >> 24 ]) << 24); } /* @@ -287,7 +262,8 @@ static void aria_fo_xor( uint32_t r[4], c = p[2] ^ k[2]; d = p[3] ^ k[3]; - aria_sla( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + aria_a( &a, &b, &c, &d ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -308,7 +284,8 @@ static void aria_fe_xor(uint32_t r[4], c = p[2] ^ k[2]; d = p[3] ^ k[3]; - aria_sla( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); + aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); + aria_a( &a, &b, &c, &d ); r[0] = a ^ x[0]; r[1] = b ^ x[1]; @@ -430,7 +407,7 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, /* apply affine transform to middle keys */ for (i = 1; i < ctx->nr; i++ ) - ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3] ); + aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] ); return 0; } @@ -462,43 +439,27 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, c ^= ctx->rk[i][2]; d ^= ctx->rk[i][3]; i++; - aria_sla( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + + aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); + aria_a( &a, &b, &c, &d ); a ^= ctx->rk[i][0]; b ^= ctx->rk[i][1]; c ^= ctx->rk[i][2]; d ^= ctx->rk[i][3]; i++; + + aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); if (i >= ctx->nr) break; - - aria_sla( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); + aria_a( &a, &b, &c, &d ); } - /* final substitution */ - a = ctx->rk[i][0] ^ - ( (uint32_t) aria_is1[ a & 0xFF]) ^ - (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^ - (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^ - (((uint32_t) aria_sb2[ a >> 24 ]) << 24); - - b = ctx->rk[i][1] ^ - ( (uint32_t) aria_is1[ b & 0xFF]) ^ - (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^ - (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^ - (((uint32_t) aria_sb2[ b >> 24 ]) << 24); - - c = ctx->rk[i][2] ^ - ( (uint32_t) aria_is1[ c & 0xFF]) ^ - (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^ - (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^ - (((uint32_t) aria_sb2[ c >> 24 ]) << 24); - - d = ctx->rk[i][3] ^ - ( (uint32_t) aria_is1[ d & 0xFF]) ^ - (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^ - (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^ - (((uint32_t) aria_sb2[ d >> 24 ]) << 24); + /* final key mixing */ + a ^= ctx->rk[i][0]; + b ^= ctx->rk[i][1]; + c ^= ctx->rk[i][2]; + d ^= ctx->rk[i][3]; PUT_UINT32_LE( a, output, 0 ); PUT_UINT32_LE( b, output, 4 ); From 35ad891aee79b94b5aa179bcf149c86e50a74dbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Feb 2018 11:59:16 +0100 Subject: [PATCH 28/97] aria: internal names closer to standard document --- library/aria.c | 50 +++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/library/aria.c b/library/aria.c index dc2192afe..19172f847 100644 --- a/library/aria.c +++ b/library/aria.c @@ -77,11 +77,19 @@ static void mbedtls_zeroize( void *v, size_t n ) { } #endif -/* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits */ -#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16)) +/* + * modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes + * + * This is submatrix P1 in [1] Appendix B.1 + */ +#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) -/* modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes */ -#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) +/* + * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits + * + * This is submatrix P2 in [1] Appendix B.1 + */ +#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) /* * ARIA Affine Transform @@ -93,22 +101,22 @@ static inline void aria_a( uint32_t *a, uint32_t *b, uint32_t ta, tb, tc; ta = *b; *b = *a; - *a = ARIA_FLIP1( ta ); - tb = ARIA_FLIP1( *d ); - *d = ARIA_FLIP2( *c ); - *c = ARIA_FLIP2( tb ); + *a = ARIA_P2( ta ); + tb = ARIA_P2( *d ); + *d = ARIA_P1( *c ); + *c = ARIA_P1( tb ); ta ^= *d; - tc = ARIA_FLIP1( *b ); - ta = ARIA_FLIP2( ta ) ^ tc ^ *c; - tb ^= ARIA_FLIP1( *d ); - tc ^= ARIA_FLIP2( *a ); + tc = ARIA_P2( *b ); + ta = ARIA_P1( ta ) ^ tc ^ *c; + tb ^= ARIA_P2( *d ); + tc ^= ARIA_P1( *a ); *b ^= ta ^ tb; - tb = ARIA_FLIP1( tb ) ^ ta; - *a ^= ARIA_FLIP2( tb ); - ta = ARIA_FLIP1( ta ); - *d ^= ARIA_FLIP2( ta ) ^ tc; - tc = ARIA_FLIP1( tc ); - *c ^= ARIA_FLIP2( tc ) ^ ta; + tb = ARIA_P2( tb ) ^ ta; + *a ^= ARIA_P1( tb ); + ta = ARIA_P2( ta ); + *d ^= ARIA_P1( ta ) ^ tc; + tc = ARIA_P2( tc ); + *c ^= ARIA_P1( tc ) ^ ta; } /* @@ -309,14 +317,14 @@ static void aria_rot128(uint32_t r[4], const uint32_t a[4], const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset j = (n / 32) % 4; // initial word offset - t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian + t = ARIA_P2( ARIA_P1( b[j] ) ); // big endian for( i = 0; i < 4; i++ ) { j = (j + 1) % 4; // get next word, big endian - u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); + u = ARIA_P2( ARIA_P1( b[j] ) ); t <<= n1; // rotate t |= u >> n2; - t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian + t = ARIA_P2( ARIA_P1( t ) ); // back to little endian r[i] = a[i] ^ t; // store t = u; // move to next word } From f205a012b84e5e06df624841c57158bb1fed0268 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Feb 2018 14:10:23 +0100 Subject: [PATCH 29/97] aria: comment implementation of A transform The line-by-line comments were generated using the following Python 3 script: #!/usr/bin/python3 class Atom: def __init__(self, val): self.v = val def __str__(self): return self.v def p1(self): v = self.v return Atom(v[1] + v[0] + v[3] + v[2]) def p2(self): v = self.v return Atom(v[2] + v[3] + v[0] + v[1]) def __xor__(self, other): return Sum(self.tuple() + other.tuple()) def tuple(self): return (self,) class Sum: def __init__(self, terms): self.t = terms assert(type(terms) == tuple) for t in terms: assert(type(t) == Atom) def __str__(self): return '+'.join(sorted((str(t) for t in self.t), key=lambda v: int(v, 16))) def p1(self): return Sum(tuple(t.p1() for t in self.t)) def p2(self): return Sum(tuple(t.p2() for t in self.t)) def tuple(self): return self.t def __xor__(self, other): return Sum(self.t + other.tuple()) class LoggingDict(dict): def __setitem__(self, key, val): print(key, '=', val) dict.__setitem__(self, key, val) def set(self, key, val): dict.__setitem__(self, key, val) env = LoggingDict() env.set('ra', Atom('0123')) env.set('rb', Atom('4567')) env.set('rc', Atom('89ab')) env.set('rd', Atom('cdef')) env.set('ARIA_P1', lambda x: x.p1()) env.set('ARIA_P2', lambda x: x.p2()) code = """ ta = rb; rb = ra; ra = ARIA_P2( ta ); tb = ARIA_P2( rd ); rd = ARIA_P1( rc ); rc = ARIA_P1( tb ); ta ^= rd; tc = ARIA_P2( rb ); ta = ARIA_P1( ta ) ^ tc ^ rc; tb ^= ARIA_P2( rd ); tc ^= ARIA_P1( ra ); rb ^= ta ^ tb; tb = ARIA_P2( tb ) ^ ta; ra ^= ARIA_P1( tb ); ta = ARIA_P2( ta ); rd ^= ARIA_P1( ta ) ^ tc; tc = ARIA_P2( tc ); rc ^= ARIA_P1( tc ) ^ ta; """ exec(code, env) --- library/aria.c | 59 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 20 deletions(-) diff --git a/library/aria.c b/library/aria.c index 19172f847..4c59d70c7 100644 --- a/library/aria.c +++ b/library/aria.c @@ -78,7 +78,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { #endif /* - * modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes + * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes * * This is submatrix P1 in [1] Appendix B.1 */ @@ -93,30 +93,49 @@ static void mbedtls_zeroize( void *v, size_t n ) { /* * ARIA Affine Transform - * (ra, rb, rc, rd) = state in/out + * (a, b, c, d) = state in/out + * + * If we denote the first by of input by 0, ..., the last byte by f, + * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. + * + * Reading [1] 2.4 or [2] 2.4.3 in colums and performing simple + * rearrangements on adjacent pairs, output is: + * + * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe + * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd + * b = 0101 + 2323 + 5476 + 8998 + baab + ecec + ffdd + * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc + * c = 0022 + 1133 + 4545 + 7667 + ab89 + dcdc + fefe + * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc + * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cedf + * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef + * + * Note: another presentation of the A transform can be found as the first + * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. + * The implementation below uses only P1 and P2 as they are sufficient. */ static inline void aria_a( uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d ) { uint32_t ta, tb, tc; - ta = *b; - *b = *a; - *a = ARIA_P2( ta ); - tb = ARIA_P2( *d ); - *d = ARIA_P1( *c ); - *c = ARIA_P1( tb ); - ta ^= *d; - tc = ARIA_P2( *b ); - ta = ARIA_P1( ta ) ^ tc ^ *c; - tb ^= ARIA_P2( *d ); - tc ^= ARIA_P1( *a ); - *b ^= ta ^ tb; - tb = ARIA_P2( tb ) ^ ta; - *a ^= ARIA_P1( tb ); - ta = ARIA_P2( ta ); - *d ^= ARIA_P1( ta ) ^ tc; - tc = ARIA_P2( tc ); - *c ^= ARIA_P1( tc ) ^ ta; + ta = *b; // 4567 + *b = *a; // 0123 + *a = ARIA_P2( ta ); // 6745 + tb = ARIA_P2( *d ); // efcd + *d = ARIA_P1( *c ); // 98ba + *c = ARIA_P1( tb ); // fedc + ta ^= *d; // 4567+98ba + tc = ARIA_P2( *b ); // 2301 + ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc + tb ^= ARIA_P2( *d ); // ba98+efcd + tc ^= ARIA_P1( *a ); // 2301+7654 + *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT + tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc + *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT + ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe + *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT + tc = ARIA_P2( tc ); // 0123+5476 + *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT } /* From cac5008b177f1b46d0769c42528a6eb9863ecb6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Feb 2018 15:23:03 +0100 Subject: [PATCH 30/97] aria: define P3 macro This will allow to replace it with an optimised implementation later --- library/aria.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/library/aria.c b/library/aria.c index 4c59d70c7..72bcc6ace 100644 --- a/library/aria.c +++ b/library/aria.c @@ -91,6 +91,13 @@ static void mbedtls_zeroize( void *v, size_t n ) { */ #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) +/* + * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness + * + * This is submatrix P3 in [1] Appendix B.1 + */ +#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) + /* * ARIA Affine Transform * (a, b, c, d) = state in/out @@ -336,14 +343,14 @@ static void aria_rot128(uint32_t r[4], const uint32_t a[4], const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset j = (n / 32) % 4; // initial word offset - t = ARIA_P2( ARIA_P1( b[j] ) ); // big endian + t = ARIA_P3( b[j] ); // big endian for( i = 0; i < 4; i++ ) { j = (j + 1) % 4; // get next word, big endian - u = ARIA_P2( ARIA_P1( b[j] ) ); + u = ARIA_P3( b[j] ); t <<= n1; // rotate t |= u >> n2; - t = ARIA_P2( ARIA_P1( t ) ); // back to little endian + t = ARIA_P3( t ); // back to little endian r[i] = a[i] ^ t; // store t = u; // move to next word } From fb0e4f0d1a34bc7eca5b87169925c5c086db6c35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Feb 2018 16:08:40 +0100 Subject: [PATCH 31/97] aria: optimise byte perms on Intel (A similar commit for Arm follows.) Use specific instructions for moving bytes around in a word. This speeds things up, and as a side-effect, slightly lowers code size. ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.) I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it two instructions, which is still much better than the code generated with the previous mask-shift-or definition, and speeds up en/decryption. (Neither Clang 3.8 nor GCC 5.4 find this.) Before: O aria.o ins s 7976 43,865 2 10520 37,631 3 13040 28,146 After: O aria.o ins s 7768 33,497 2 9816 28,268 3 11432 20,829 For measurement method, see previous commit: "aria: turn macro into static inline function" --- library/aria.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/library/aria.c b/library/aria.c index 72bcc6ace..f6ad7f126 100644 --- a/library/aria.c +++ b/library/aria.c @@ -81,13 +81,26 @@ static void mbedtls_zeroize( void *v, size_t n ) { * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes * * This is submatrix P1 in [1] Appendix B.1 + * + * Common compilers fail to translate this to minimal number of instructions, + * so let's provide asm versions for common platforms with C fallback. */ +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) +#if defined(__i386__) || defined(__amd64__) || defined( __x86_64__) +/* I couldn't find an Intel equivalent of ret16, so two instructions */ +#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) +#endif +#endif /* MBEDTLS_HAVE_ASM && GNUC */ +#if !defined(ARIA_P1) #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) +#endif /* * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits * * This is submatrix P2 in [1] Appendix B.1 + * + * Common compilers will translate this to a single instruction. */ #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) @@ -95,8 +108,23 @@ static void mbedtls_zeroize( void *v, size_t n ) { * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness * * This is submatrix P3 in [1] Appendix B.1 + * + * Some compilers fail to translate this to a single instruction, + * so let's provide asm versions for common platforms with C fallback. */ +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) +#if defined(__i386__) || defined(__amd64__) || defined( __x86_64__) +static inline uint32_t aria_p3( uint32_t x ) +{ + asm( "bswap %0" : "=r" (x) : "0" (x) ); + return( x ); +} +#define ARIA_P3 aria_p3 +#endif +#endif /* MBEDTLS_HAVE_ASM && GNUC */ +#if !defined(ARIA_P3) #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) +#endif /* * ARIA Affine Transform From 377b2b624d5a5d894965236f0ae7fe8d09813a44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Feb 2018 10:22:26 +0100 Subject: [PATCH 32/97] aria: optimize byte perms on Arm Use specific instructions for moving bytes around in a word. This speeds things up, and as a side-effect, slightly lowers code size. ARIA_P3 and ARIA_P1 are now 1 single-cycle instruction each (those instructions are available in all architecture versions starting from v6-M). Note: ARIA_P3 was already translated to a single instruction by Clang 3.8 and armclang 6.5, but not arm-gcc 5.4 nor armcc 5.06. ARIA_P2 is already efficiently translated to the minimal number of instruction (1 in ARM mode, 2 in thumb mode) by all tested compilers Manually compiled and inspected generated code with the following compilers: arm-gcc 5.4, clang 3.8, armcc 5.06 (with and without --gnu), armclang 6.5. Size reduction (arm-none-eabi-gcc -march=armv6-m -mthumb -Os): 5288 -> 5044 B Effect on executing time of self-tests on a few boards: FRDM-K64F (Cortex-M4): 444 -> 385 us (-13%) LPC1768 (Cortex-M3): 488 -> 432 us (-11%) FRDM-KL64Z (Cortex-M0): 1429 -> 1134 us (-20%) Measured using a config.h with no cipher mode and the following program with aria.c and aria.h copy-pasted to the online compiler: #include "mbed.h" #include "aria.h" int main() { Timer t; t.start(); int ret = mbedtls_aria_self_test(0); t.stop(); printf("ret = %d; time = %d us\n", ret, t.read_us()); } --- library/aria.c | 56 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 50 insertions(+), 6 deletions(-) diff --git a/library/aria.c b/library/aria.c index f6ad7f126..1d1daa18a 100644 --- a/library/aria.c +++ b/library/aria.c @@ -85,11 +85,33 @@ static void mbedtls_zeroize( void *v, size_t n ) { * Common compilers fail to translate this to minimal number of instructions, * so let's provide asm versions for common platforms with C fallback. */ -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) -#if defined(__i386__) || defined(__amd64__) || defined( __x86_64__) +#if defined(MBEDTLS_HAVE_ASM) +#if defined(__arm__) +/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ +#if defined(__GNUC__) && \ + ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) +static inline uint32_t aria_p1( uint32_t x ) +{ + uint32_t r; + asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); + return( r ); +} +#define ARIA_P1 aria_p1 +#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 +static __inline uint32_t aria_p1( uint32_t x ) +{ + uint32_t r; + __asm( "rev16 r, x" ); + return( r ); +} +#define ARIA_P1 aria_p1 +#endif +#endif /* arm */ +#if defined(__GNUC__) && \ + defined(__i386__) || defined(__amd64__) || defined( __x86_64__) /* I couldn't find an Intel equivalent of ret16, so two instructions */ #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) -#endif +#endif /* x86 gnuc */ #endif /* MBEDTLS_HAVE_ASM && GNUC */ #if !defined(ARIA_P1) #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) @@ -112,15 +134,37 @@ static void mbedtls_zeroize( void *v, size_t n ) { * Some compilers fail to translate this to a single instruction, * so let's provide asm versions for common platforms with C fallback. */ -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) -#if defined(__i386__) || defined(__amd64__) || defined( __x86_64__) +#if defined(MBEDTLS_HAVE_ASM) +#if defined(__arm__) +/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ +#if defined(__GNUC__) && \ + ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) +static inline uint32_t aria_p3( uint32_t x ) +{ + uint32_t r; + asm( "rev %0, %1" : "=l" (r) : "l" (x) ); + return( r ); +} +#define ARIA_P3 aria_p3 +#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 +static __inline uint32_t aria_p3( uint32_t x ) +{ + uint32_t r; + __asm( "rev r, x" ); + return( r ); +} +#define ARIA_P3 aria_p3 +#endif +#endif /* arm */ +#if defined(__GNUC__) && \ + defined(__i386__) || defined(__amd64__) || defined( __x86_64__) static inline uint32_t aria_p3( uint32_t x ) { asm( "bswap %0" : "=r" (x) : "0" (x) ); return( x ); } #define ARIA_P3 aria_p3 -#endif +#endif /* x86 gnuc */ #endif /* MBEDTLS_HAVE_ASM && GNUC */ #if !defined(ARIA_P3) #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) From 26b54fabaf5b9a7f5859910df7d6d6366e89f822 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Feb 2018 12:20:20 +0100 Subject: [PATCH 33/97] aria: document optional asm usage in config.h --- include/mbedtls/config.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 3369620fb..ed69f14b1 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -48,10 +48,14 @@ * Requires support for asm() in compiler. * * Used in: + * library/aria.c * library/timing.c - * library/padlock.c * include/mbedtls/bn_mul.h * + * Required by: + * MBEDTLS_AESNI_C + * MBEDTLS_PADLOCK_C + * * Comment to disable the use of assembly code. */ #define MBEDTLS_HAVE_ASM From 2268b967cbbe7f8fd8fb555d5cbe8fc64a35a254 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Feb 2018 12:22:36 +0100 Subject: [PATCH 34/97] aria: disable by default in config.h --- include/mbedtls/config.h | 5 +++-- tests/compat.sh | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index ed69f14b1..e342e4ce9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1806,11 +1806,12 @@ /** * \def MBEDTLS_ARIA_C * - * Enable the ARIA block cipher. + * Enable the ARIA block cipher (and TLS ciphersuites that use it, if other + * requirements for them are met too). * * Module: library/aria.c */ -#define MBEDTLS_ARIA_C +//#define MBEDTLS_ARIA_C /** * \def MBEDTLS_CCM_C diff --git a/tests/compat.sh b/tests/compat.sh index 93e6b3a6d..0a863fa48 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -57,7 +57,7 @@ FILTER="" # - NULL: excluded from our default config # - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) -# - ARIA: requires OpenSSL >= 1.1.1 +# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1 EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA' VERBOSE="" MEMCHECK=0 From 08d1e91ca938b00bdad07889b1b4fae4ff350e8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Feb 2018 12:43:35 +0100 Subject: [PATCH 35/97] aria: add ChangeLog entry --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 68fb6f5e9..b24afbbe6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Features + * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites + (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h + = mbed TLS 2.7.x branch released 2018-xx-xx Default behavior changes From 525168c7ef7842c9611e728b900e9870a1f701db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 10:47:02 +0100 Subject: [PATCH 36/97] aria: expand config.h entry: ciphersuites & caller --- include/mbedtls/config.h | 46 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e342e4ce9..59bb3bd9e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1806,10 +1806,52 @@ /** * \def MBEDTLS_ARIA_C * - * Enable the ARIA block cipher (and TLS ciphersuites that use it, if other - * requirements for them are met too). + * Enable the ARIA block cipher. * * Module: library/aria.c + * Caller: library/cipher.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * + * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 */ //#define MBEDTLS_ARIA_C From fdd43543291ff2547cb0b495157f06846bd2b5a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 10:49:02 +0100 Subject: [PATCH 37/97] config.h: SSL no longer uses ciphers directly --- include/mbedtls/config.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 59bb3bd9e..0a35e6ec2 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1585,7 +1585,7 @@ * Enable the AES block cipher. * * Module: library/aes.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * library/pem.c * library/ctr_drbg.c * @@ -1660,7 +1660,7 @@ * Enable the ARCFOUR stream cipher. * * Module: library/arc4.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): @@ -1754,7 +1754,7 @@ * Enable the Camellia block cipher. * * Module: library/camellia.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): @@ -1941,7 +1941,7 @@ * * Module: library/des.c * Caller: library/pem.c - * library/ssl_tls.c + * library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): From 4231e7f46fe49e29f718a694375bd67671491d3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 10:54:31 +0100 Subject: [PATCH 38/97] Fix some whitespace and other style issues In addition to whitespace: - wrapped a few long lines - added parenthesis to return statements --- include/mbedtls/aria.h | 50 +++++++++--------- include/mbedtls/ssl_ciphersuites.h | 76 +++++++++++++-------------- library/aria.c | 62 +++++++++++----------- tests/suites/test_suite_aria.function | 41 +++++++++------ 4 files changed, 120 insertions(+), 109 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index fc8ca98d7..1617bf167 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -81,8 +81,9 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx ); * * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH */ -int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, const unsigned char *key, - unsigned int keybits ); +int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, + const unsigned char *key, + unsigned int keybits ); /** * \brief ARIA key schedule (decryption) @@ -93,8 +94,9 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, const unsigned char *key * * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH */ -int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, const unsigned char *key, - unsigned int keybits ); +int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, + const unsigned char *key, + unsigned int keybits ); /** * \brief ARIA-ECB block encryption/decryption @@ -107,9 +109,9 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, const unsigned char *key * \return 0 if successful */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, - int mode, - const unsigned char input[16], - unsigned char output[16] ); + int mode, + const unsigned char input[16], + unsigned char output[16] ); #if defined(MBEDTLS_CIPHER_MODE_CBC) /** @@ -136,11 +138,11 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH */ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, - int mode, - size_t length, - unsigned char iv[16], - const unsigned char *input, - unsigned char *output ); + int mode, + size_t length, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) @@ -171,12 +173,12 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH */ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, - int mode, - size_t length, - size_t *iv_off, - unsigned char iv[16], - const unsigned char *input, - unsigned char *output ); + int mode, + size_t length, + size_t *iv_off, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) @@ -203,12 +205,12 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * \return 0 if successful */ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, - size_t length, - size_t *nc_off, - unsigned char nonce_counter[16], - unsigned char stream_block[16], - const unsigned char *input, - unsigned char *output ); + size_t length, + size_t *nc_off, + unsigned char nonce_counter[16], + unsigned char stream_block[16], + const unsigned char *input, + unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ #ifdef __cplusplus diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 13f84a435..7d5eba091 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -169,44 +169,44 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A /**< Weak! No SSL3! */ #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B /**< Weak! No SSL3! */ -#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */ -#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */ -#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 /**< TLS 1.2 */ -#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */ -#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */ -#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E /**< TLS 1.2 */ -#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */ diff --git a/library/aria.c b/library/aria.c index 1d1daa18a..41ed7599a 100644 --- a/library/aria.c +++ b/library/aria.c @@ -56,9 +56,8 @@ static void mbedtls_zeroize( void *v, size_t n ) { /* * 32-bit integer manipulation macros (little endian) */ - #ifndef GET_UINT32_LE -#define GET_UINT32_LE(n,b,i) \ +#define GET_UINT32_LE( n, b, i ) \ { \ (n) = ( (uint32_t) (b)[(i) ] ) \ | ( (uint32_t) (b)[(i) + 1] << 8 ) \ @@ -68,7 +67,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { #endif #ifndef PUT_UINT32_LE -#define PUT_UINT32_LE(n,b,i) \ +#define PUT_UINT32_LE( n, b, i ) \ { \ (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ @@ -431,8 +430,8 @@ static void aria_rot128(uint32_t r[4], const uint32_t a[4], /* * Set encryption key */ -int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, - const unsigned char *key, unsigned int keybits) +int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, + const unsigned char *key, unsigned int keybits ) { /* round constant masks */ const uint32_t rc[3][4] = @@ -446,7 +445,7 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, uint32_t w[4][4], *w2; if (keybits != 128 && keybits != 192 && keybits != 256) - return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH; + return( MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH ); /* Copy key to W0 (and potential remainder to W1) */ GET_UINT32_LE( w[0][0], key, 0 ); @@ -485,20 +484,20 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, } aria_rot128( ctx->rk[16], w[0], w[1], 19 ); - return 0; + return( 0 ); } /* * Set decryption key */ -int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, - const unsigned char *key, unsigned int keybits) +int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, + const unsigned char *key, unsigned int keybits ) { int i, j, k, ret; ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); if( ret != 0 ) - return ret; + return( ret ); /* flip the order of round keys */ for( i = 0, j = ctx->nr; i < j; i++, j-- ) @@ -513,9 +512,12 @@ int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, /* apply affine transform to middle keys */ for (i = 1; i < ctx->nr; i++ ) - aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] ); + { + aria_a( &ctx->rk[i][0], &ctx->rk[i][1], + &ctx->rk[i][2], &ctx->rk[i][3] ); + } - return 0; + return( 0 ); } /* @@ -572,7 +574,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, PUT_UINT32_LE( c, output, 8 ); PUT_UINT32_LE( d, output, 12 ); - return 0; + return( 0 ); } /* Initialize context */ @@ -595,11 +597,11 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx ) * ARIA-CBC buffer encryption/decryption */ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, - int mode, - size_t length, - unsigned char iv[16], - const unsigned char *input, - unsigned char *output ) + int mode, + size_t length, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ) { int i; unsigned char temp[16]; @@ -649,12 +651,12 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, * ARIA-CFB128 buffer encryption/decryption */ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, - int mode, - size_t length, - size_t *iv_off, - unsigned char iv[16], - const unsigned char *input, - unsigned char *output ) + int mode, + size_t length, + size_t *iv_off, + unsigned char iv[16], + const unsigned char *input, + unsigned char *output ) { int c; size_t n = *iv_off; @@ -697,12 +699,12 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * ARIA-CTR buffer encryption/decryption */ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, - size_t length, - size_t *nc_off, - unsigned char nonce_counter[16], - unsigned char stream_block[16], - const unsigned char *input, - unsigned char *output ) + size_t length, + size_t *nc_off, + unsigned char nonce_counter[16], + unsigned char stream_block[16], + const unsigned char *input, + unsigned char *output ) { int c, i; size_t n = *nc_off; diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index 2c3e34732..d3d8ebeea 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -27,12 +27,14 @@ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, key_len = unhexify( key_str, hex_key_string ); data_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ) == setkey_result ); + TEST_ASSERT( mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ) + == setkey_result ); if( setkey_result == 0 ) { for( i = 0; i < data_len; i += 16 ) { - TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, src_str + i, output + i ) == 0 ); + TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, + src_str + i, output + i ) == 0 ); } hexify( dst_str, output, data_len ); @@ -55,16 +57,17 @@ void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, mbedtls_aria_context ctx; int key_len, data_len, i; - memset( key_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, 1000 ); + memset( src_str, 0x00, 1000 ); + memset( dst_str, 0x00, 1000 ); + memset( output, 0x00, 1000 ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); data_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 ) == setkey_result ); + TEST_ASSERT( mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 ) + == setkey_result ); if( setkey_result == 0 ) { for( i = 0; i < data_len; i += 16 ) @@ -107,8 +110,9 @@ void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string, data_len = unhexify( src_str, hex_src_string ); mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); - TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, - data_len, iv_str, src_str, output) == cbc_result ); + TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, data_len, + iv_str, src_str, output ) + == cbc_result ); if( cbc_result == 0 ) { hexify( dst_str, output, data_len ); @@ -146,8 +150,9 @@ void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string, data_len = unhexify( src_str, hex_src_string ); mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 ); - TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, - data_len, iv_str, src_str, output ) == cbc_result ); + TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, data_len, + iv_str, src_str, output ) + == cbc_result ); if( cbc_result == 0 ) { hexify( dst_str, output, data_len ); @@ -187,7 +192,8 @@ void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, - data_len, &iv_offset, iv_str, src_str, output ) == result ); + data_len, &iv_offset, iv_str, + src_str, output ) == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -224,7 +230,8 @@ void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, - data_len, &iv_offset, iv_str, src_str, output ) == result ); + data_len, &iv_offset, iv_str, + src_str, output ) == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -261,8 +268,8 @@ void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string, data_len = unhexify( src_str, hex_src_string ); mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); - TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, - &iv_offset, iv_str, blk, src_str, output ) == result ); + TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str, + blk, src_str, output ) == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -299,8 +306,8 @@ void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string, data_len = unhexify( src_str, hex_src_string ); mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); - TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, - &iv_offset, iv_str, blk, src_str, output ) == result ); + TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str, + blk, src_str, output ) == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); From 5aa4e3b1d0d13f7a5a265d469860b26a2110052a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 11:55:49 +0100 Subject: [PATCH 39/97] aria: align documentation on AES --- include/mbedtls/aria.h | 219 +++++++++++++++++++++++++---------------- 1 file changed, 136 insertions(+), 83 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 1617bf167..67c747ef7 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -3,7 +3,13 @@ * * \brief ARIA block cipher * - * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved + * The ARIA algorithm is a symmetric block cipher that can encrypt and + * decrypt information. It is defined by the Korean Agency for + * Technology and Standards (KATS) in KS X 1213:2004 (in + * Korean, but see http://210.104.33.10/ARIA/index-e.html in English) + * and also described by the IETF in RFC 5794. + */ +/* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -33,8 +39,8 @@ #include #include -#define MBEDTLS_ARIA_ENCRYPT 1 -#define MBEDTLS_ARIA_DECRYPT 0 +#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */ +#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */ #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */ #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ @@ -48,65 +54,85 @@ extern "C" { #endif /** - * \brief ARIA context structure + * \brief The ARIA context-type definition. */ typedef struct { - int nr; // rounds: nr = 12, 14, or 16 - uint32_t rk[17][4]; // nr+1 round keys (+1 for final) + int nr; /*!< The number of rounds (12, 14 or 16) */ + uint32_t rk[17][4]; /*!< The ARIA round keys. */ } mbedtls_aria_context; /** - * \brief Initialize ARIA context + * \brief This function initializes the specified ARIA context. * - * \param ctx ARIA context to be initialized + * It must be the first API called before using + * the context. + * + * \param ctx The ARIA context to initialize. */ void mbedtls_aria_init( mbedtls_aria_context *ctx ); /** - * \brief Clear ARIA context + * \brief This function releases and clears the specified ARIA context. * - * \param ctx ARIA context to be cleared + * \param ctx The ARIA context to clear. */ void mbedtls_aria_free( mbedtls_aria_context *ctx ); /** - * \brief ARIA key schedule (encryption) + * \brief This function sets the encryption key. * - * \param ctx ARIA context to be initialized - * \param key encryption key - * \param keybits must be 128, 192 or 256 + * \param ctx The ARIA context to which the key should be bound. + * \param key The encryption key. + * \param keybits The size of data passed in bits. Valid options are: + *
  • 128 bits
    • + *
  • 192 bits
    • + *
  • 256 bits
* - * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH + * \return \c 0 on success or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH + * on failure. */ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits ); /** - * \brief ARIA key schedule (decryption) + * \brief This function sets the decryption key. * - * \param ctx ARIA context to be initialized - * \param key decryption key - * \param keybits must be 128, 192 or 256 + * \param ctx The ARIA context to which the key should be bound. + * \param key The decryption key. + * \param keybits The size of data passed. Valid options are: + *
  • 128 bits
    • + *
  • 192 bits
    • + *
  • 256 bits
* - * \return 0 if successful, or MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH + * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH on failure. */ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits ); /** - * \brief ARIA-ECB block encryption/decryption + * \brief This function performs an ARIA single-block encryption or + * decryption operation. * - * \param ctx ARIA context - * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT - * \param input 16-byte input block - * \param output 16-byte output block + * It performs the operation defined in the \p mode parameter + * (encrypt or decrypt), on the input data buffer defined in + * the \p input parameter. * - * \return 0 if successful + * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or + * mbedtls_aes_setkey_dec() must be called before the first + * call to this API with the same context. + * + * \param ctx The ARIA context to use for encryption or decryption. + * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or + * #MBEDTLS_ARIA_DECRYPT. + * \param input The 16-Byte buffer holding the input data. + * \param output The 16-Byte buffer holding the output data. + + * \return \c 0 on success. */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, int mode, @@ -115,62 +141,83 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, #if defined(MBEDTLS_CIPHER_MODE_CBC) /** - * \brief ARIA-CBC buffer encryption/decryption - * Length should be a multiple of the block - * size (16 bytes) + * \brief This function performs an ARIA-CBC encryption or decryption operation + * on full blocks. * - * \note Upon exit, the content of the IV is updated so that you can - * call the function same function again on the following - * block(s) of data and get the same result as if it was - * encrypted in one call. This allows a "streaming" usage. - * If on the other hand you need to retain the contents of the - * IV, you should either save it manually or use the cipher - * module instead. + * It performs the operation defined in the \p mode + * parameter (encrypt/decrypt), on the input data buffer defined in + * the \p input parameter. * - * \param ctx ARIA context - * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT - * \param length length of the input data - * \param iv initialization vector (updated after use) - * \param input buffer holding the input data - * \param output buffer holding the output data + * It can be called as many times as needed, until all the input + * data is processed. mbedtls_aes_init(), and either + * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called + * before the first call to this API with the same context. * - * \return 0 if successful, or - * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH + * \note This function operates on aligned blocks, that is, the input size + * must be a multiple of the ARIA block size of 16 Bytes. + * + * \note Upon exit, the content of the IV is updated so that you can + * call the same function again on the next + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If you need to retain the contents of the IV, you should + * either save it manually or use the cipher module instead. + * + * + * \param ctx The ARIA context to use for encryption or decryption. + * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or + * #MBEDTLS_ARIA_DECRYPT. + * \param length The length of the input data in Bytes. This must be a + * multiple of the block size (16 Bytes). + * \param iv Initialization vector (updated after use). + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH + * on failure. */ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, int mode, size_t length, - unsigned char iv[16], + unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) /** - * \brief ARIA-CFB128 buffer encryption/decryption + * \brief This function performs an ARIA-CFB128 encryption or decryption + * operation. * - * Note: Due to the nature of CFB you should use the same key schedule for - * both encryption and decryption. So a context initialized with - * mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and CAMELLIE_DECRYPT. + * It performs the operation defined in the \p mode + * parameter (encrypt or decrypt), on the input data buffer + * defined in the \p input parameter. * - * \note Upon exit, the content of the IV is updated so that you can - * call the function same function again on the following - * block(s) of data and get the same result as if it was - * encrypted in one call. This allows a "streaming" usage. - * If on the other hand you need to retain the contents of the - * IV, you should either save it manually or use the cipher - * module instead. + * For CFB, you must set up the context with mbedtls_aes_setkey_enc(), + * regardless of whether you are performing an encryption or decryption + * operation, that is, regardless of the \p mode parameter. This is + * because CFB mode uses the same key schedule for encryption and + * decryption. * - * \param ctx ARIA context - * \param mode MBEDTLS_ARIA_ENCRYPT or MBEDTLS_ARIA_DECRYPT - * \param length length of the input data - * \param iv_off offset in IV (updated after use) - * \param iv initialization vector (updated after use) - * \param input buffer holding the input data - * \param output buffer holding the output data + * \note Upon exit, the content of the IV is updated so that you can + * call the same function again on the next + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If you need to retain the contents of the + * IV, you must either save it manually or use the cipher + * module instead. * - * \return 0 if successful, or - * MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH + * + * \param ctx The ARIA context to use for encryption or decryption. + * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or + * #MBEDTLS_ARIA_DECRYPT. + * \param length The length of the input data. + * \param iv_off The offset in IV (updated after use). + * \param iv The initialization vector (updated after use). + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success. */ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, int mode, @@ -183,26 +230,32 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, #if defined(MBEDTLS_CIPHER_MODE_CTR) /** - * \brief ARIA-CTR buffer encryption/decryption + * \brief This function performs an ARIA-CTR encryption or decryption + * operation. * - * Warning: You have to keep the maximum use of your counter in mind! + * This function performs the operation defined in the \p mode + * parameter (encrypt/decrypt), on the input data buffer + * defined in the \p input parameter. * - * Note: Due to the nature of CTR you should use the same key schedule for - * both encryption and decryption. So a context initialized with - * mbedtls_aria_setkey_enc() for both MBEDTLS_ARIA_ENCRYPT and MBEDTLS_ARIA_DECRYPT. + * Due to the nature of CTR, you must use the same key schedule + * for both encryption and decryption operations. Therefore, you + * must use the context initialized with mbedtls_aes_setkey_enc() + * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT. * - * \param ctx ARIA context - * \param length The length of the data - * \param nc_off The offset in the current stream_block (for resuming - * within current cipher stream). The offset pointer to - * should be 0 at the start of a stream. - * \param nonce_counter The 128-bit nonce and counter. - * \param stream_block The saved stream-block for resuming. Is overwritten - * by the function. - * \param input The input data stream - * \param output The output data stream + * \warning You must keep the maximum use of your counter in mind. * - * \return 0 if successful + * \param ctx The ARIA context to use for encryption or decryption. + * \param length The length of the input data. + * \param nc_off The offset in the current \p stream_block, for + * resuming within the current cipher stream. The + * offset pointer should be 0 at the start of a stream. + * \param nonce_counter The 128-bit nonce and counter. + * \param stream_block The saved stream block for resuming. This is + * overwritten by the function. + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success. */ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, size_t length, @@ -226,9 +279,9 @@ extern "C" { #endif /** - * \brief Checkup routine + * \brief Checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_aria_self_test( int verbose ); From 22997b7200575a94e77a87b2aa45cdfceb289494 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 12:29:41 +0100 Subject: [PATCH 40/97] block ciphers: improve CTR nonce warning --- include/mbedtls/aes.h | 19 ++++++++++++++++++- include/mbedtls/aria.h | 19 ++++++++++++++++++- include/mbedtls/blowfish.h | 19 ++++++++++++++++++- include/mbedtls/camellia.h | 21 +++++++++++++++++++-- 4 files changed, 73 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 46016dcb7..27be76168 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -300,7 +300,24 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, * must use the context initialized with mbedtls_aes_setkey_enc() * for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT. * - * \warning You must keep the maximum use of your counter in mind. + * \warning You must never reuse a nonce value with the same key. Doing so + * would void the encryption for the two messages encrypted with + * the same nonce and key. + * + * There are two common strategies for managing nonces with CTR: + * + * 1. Use a counter starting at 0 or a random value. With this + * strategy, this function will increment the counter for you, so + * you only need to preserve the \p nonce_counter buffer between + * calls. With this strategy, you must not encrypt more than + * 2**128 blocks of data. + * 2. Use a randomly-generated \p nonce_counter for each call. + * With this strategy, you need to ensure the nonce is generated + * in an unbiased way and you must not encrypt more than 2**64 + * block of data. + * + * Note that for both stategies, the limit is in number of blocks + * and that an AES block is 16 bytes. * * \param ctx The AES context to use for encryption or decryption. * \param length The length of the input data. diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 67c747ef7..572430860 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -242,7 +242,24 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * must use the context initialized with mbedtls_aes_setkey_enc() * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT. * - * \warning You must keep the maximum use of your counter in mind. + * \warning You must never reuse a nonce value with the same key. Doing so + * would void the encryption for the two messages encrypted with + * the same nonce and key. + * + * There are two common strategies for managing nonces with CTR: + * + * 1. Use a counter starting at 0 or a random value. With this + * strategy, this function will increment the counter for you, so + * you only need to preserve the \p nonce_counter buffer between + * calls. With this strategy, you must not encrypt more than + * 2**128 blocks of data. + * 2. Use a randomly-generated \p nonce_counter for each call. + * With this strategy, you need to ensure the nonce is generated + * in an unbiased way and you must not encrypt more than 2**64 + * block of data. + * + * Note that for both stategies, the limit is in number of blocks + * and that an ARIA block is 16 bytes. * * \param ctx The ARIA context to use for encryption or decryption. * \param length The length of the input data. diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index c0ef5a04c..4b4916e03 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -170,7 +170,24 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx, /** * \brief Blowfish-CTR buffer encryption/decryption * - * Warning: You have to keep the maximum use of your counter in mind! + * \warning You must never reuse a nonce value with the same key. Doing so + * would void the encryption for the two messages encrypted with + * the same nonce and key. + * + * There are two common strategies for managing nonces with CTR: + * + * 1. Use a counter starting at 0 or a random value. With this + * strategy, this function will increment the counter for you, so + * you only need to preserve the \p nonce_counter buffer between + * calls. With this strategy, you must not encrypt more than + * 2**64 blocks of data. + * 2. Use a randomly-generated \p nonce_counter for each call. + * With this strategy, you need to ensure the nonce is generated + * in an unbiased way and you must not encrypt more than 2**32 + * block of data. + * + * Note that for both stategies, the limit is in number of blocks + * and that a Blowfish block is 8 bytes. * * \param ctx Blowfish context * \param length The length of the data diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index cf07629d9..1b138fc9e 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -183,12 +183,29 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, /** * \brief CAMELLIA-CTR buffer encryption/decryption * - * Warning: You have to keep the maximum use of your counter in mind! - * * Note: Due to the nature of CTR you should use the same key schedule for * both encryption and decryption. So a context initialized with * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT. * + * \warning You must never reuse a nonce value with the same key. Doing so + * would void the encryption for the two messages encrypted with + * the same nonce and key. + * + * There are two common strategies for managing nonces with CTR: + * + * 1. Use a counter starting at 0 or a random value. With this + * strategy, this function will increment the counter for you, so + * you only need to preserve the \p nonce_counter buffer between + * calls. With this strategy, you must not encrypt more than + * 2**128 blocks of data. + * 2. Use a randomly-generated \p nonce_counter for each call. + * With this strategy, you need to ensure the nonce is generated + * in an unbiased way and you must not encrypt more than 2**64 + * block of data. + * + * Note that for both stategies, the limit is in number of blocks + * and that a CAMELLIA block is 16 bytes. + * * \param ctx CAMELLIA context * \param length The length of the data * \param nc_off The offset in the current stream_block (for resuming From c0bb66f47ea6101ba077f7a037ebd52a85574c45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 12:38:04 +0100 Subject: [PATCH 41/97] aria: improve compiler inline compatibility --- library/aria.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/aria.c b/library/aria.c index 41ed7599a..a9b88713d 100644 --- a/library/aria.c +++ b/library/aria.c @@ -48,6 +48,11 @@ #if !defined(MBEDTLS_ARIA_ALT) +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; @@ -97,7 +102,7 @@ static inline uint32_t aria_p1( uint32_t x ) } #define ARIA_P1 aria_p1 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 -static __inline uint32_t aria_p1( uint32_t x ) +static inline uint32_t aria_p1( uint32_t x ) { uint32_t r; __asm( "rev16 r, x" ); @@ -146,7 +151,7 @@ static inline uint32_t aria_p3( uint32_t x ) } #define ARIA_P3 aria_p3 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 -static __inline uint32_t aria_p3( uint32_t x ) +static inline uint32_t aria_p3( uint32_t x ) { uint32_t r; __asm( "rev r, x" ); From f3a46a9b4f1a710f522c0a17c51c3d079b43b0a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 28 Feb 2018 12:38:21 +0100 Subject: [PATCH 42/97] aria: fix some typos in comments --- library/aria.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/aria.c b/library/aria.c index a9b88713d..f6d1c5498 100644 --- a/library/aria.c +++ b/library/aria.c @@ -181,7 +181,7 @@ static inline uint32_t aria_p3( uint32_t x ) * If we denote the first by of input by 0, ..., the last byte by f, * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. * - * Reading [1] 2.4 or [2] 2.4.3 in colums and performing simple + * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple * rearrangements on adjacent pairs, output is: * * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe @@ -800,7 +800,7 @@ static const uint8_t aria_test2_iv[16] = #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) -static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt +static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext { { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, @@ -824,7 +824,7 @@ static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) -static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt +static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext { { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, @@ -848,7 +848,7 @@ static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt #endif /* MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) -static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt +static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext { { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, From 3c80009615d4cf266f21d7d0c635208279c55880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 09:02:16 +0100 Subject: [PATCH 43/97] aria: add error codes for hw implementations --- include/mbedtls/aria.h | 2 ++ include/mbedtls/error.h | 2 +- library/error.c | 4 ++++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 572430860..69518eec0 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -44,6 +44,8 @@ #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */ #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ +#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */ +#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */ #if !defined(MBEDTLS_ARIA_ALT) // Regular implementation diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index b65c25cb3..30c4972f8 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -63,7 +63,7 @@ * CTR_DBRG 4 0x0034-0x003A * ENTROPY 3 0x003C-0x0040 0x003D-0x003F * NET 11 0x0042-0x0052 0x0043-0x0045 - * ARIA 2 0x005C-0x005E + * ARIA 4 0x0058-0x005E * ASN1 7 0x0060-0x006C * CMAC 1 0x007A-0x007A * PBKDF2 1 0x007C-0x007C diff --git a/library/error.c b/library/error.c index 0e0cc51fc..56d7f2a17 100644 --- a/library/error.c +++ b/library/error.c @@ -590,6 +590,10 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "ARIA - Invalid key length" ); if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) ) mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" ); + if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) ) + mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" ); + if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" ); #endif /* MBEDTLS_ARIA_C */ #if defined(MBEDTLS_ASN1_PARSE_C) From 5ad88b6d0d5096383df3be046a846e85ffc53a8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 09:20:47 +0100 Subject: [PATCH 44/97] aria: define constants for block size and max rounds --- include/mbedtls/aria.h | 17 ++++++----- library/aria.c | 66 +++++++++++++++++++++--------------------- 2 files changed, 43 insertions(+), 40 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 69518eec0..bcbc03da5 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -42,6 +42,9 @@ #define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */ #define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */ +#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */ +#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */ + #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */ #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ #define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */ @@ -58,11 +61,11 @@ extern "C" { /** * \brief The ARIA context-type definition. */ - typedef struct { int nr; /*!< The number of rounds (12, 14 or 16) */ - uint32_t rk[17][4]; /*!< The ARIA round keys. */ + /*! The ARIA round keys. */ + uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4]; } mbedtls_aria_context; @@ -138,8 +141,8 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, int mode, - const unsigned char input[16], - unsigned char output[16] ); + const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], + unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ); #if defined(MBEDTLS_CIPHER_MODE_CBC) /** @@ -225,7 +228,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, int mode, size_t length, size_t *iv_off, - unsigned char iv[16], + unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ @@ -279,8 +282,8 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, size_t length, size_t *nc_off, - unsigned char nonce_counter[16], - unsigned char stream_block[16], + unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], + unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ diff --git a/library/aria.c b/library/aria.c index f6d1c5498..f1bde7885 100644 --- a/library/aria.c +++ b/library/aria.c @@ -530,8 +530,8 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, int mode, - const unsigned char input[16], - unsigned char output[16] ) + const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], + unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) { int i; @@ -604,46 +604,46 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx ) int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, int mode, size_t length, - unsigned char iv[16], + unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ) { int i; - unsigned char temp[16]; + unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; - if( length % 16 ) + if( length % MBEDTLS_ARIA_BLOCKSIZE ) return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); if( mode == MBEDTLS_ARIA_DECRYPT ) { while( length > 0 ) { - memcpy( temp, input, 16 ); + memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); mbedtls_aria_crypt_ecb( ctx, mode, input, output ); - for( i = 0; i < 16; i++ ) + for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) output[i] = (unsigned char)( output[i] ^ iv[i] ); - memcpy( iv, temp, 16 ); + memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); - input += 16; - output += 16; - length -= 16; + input += MBEDTLS_ARIA_BLOCKSIZE; + output += MBEDTLS_ARIA_BLOCKSIZE; + length -= MBEDTLS_ARIA_BLOCKSIZE; } } else { while( length > 0 ) { - for( i = 0; i < 16; i++ ) + for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) output[i] = (unsigned char)( input[i] ^ iv[i] ); mbedtls_aria_crypt_ecb( ctx, mode, output, output ); - memcpy( iv, output, 16 ); + memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); - input += 16; - output += 16; - length -= 16; + input += MBEDTLS_ARIA_BLOCKSIZE; + output += MBEDTLS_ARIA_BLOCKSIZE; + length -= MBEDTLS_ARIA_BLOCKSIZE; } } @@ -659,7 +659,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, int mode, size_t length, size_t *iv_off, - unsigned char iv[16], + unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ) { @@ -706,8 +706,8 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, size_t length, size_t *nc_off, - unsigned char nonce_counter[16], - unsigned char stream_block[16], + unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], + unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output ) { @@ -720,7 +720,7 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter, stream_block ); - for( i = 16; i > 0; i-- ) + for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) if( ++nonce_counter[i - 1] != 0 ) break; } @@ -750,13 +750,13 @@ static const uint8_t aria_test1_ecb_key[32] = // test key 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit }; -static const uint8_t aria_test1_ecb_pt[16] = // plaintext +static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes }; -static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext +static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext { { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, @@ -792,7 +792,7 @@ static const uint8_t aria_test2_pt[48] = #endif #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) -static const uint8_t aria_test2_iv[16] = +static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = { 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV @@ -887,7 +887,7 @@ static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext int mbedtls_aria_self_test( int verbose ) { int i; - uint8_t blk[16]; + uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; mbedtls_aria_context ctx; #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) @@ -897,7 +897,7 @@ int mbedtls_aria_self_test( int verbose ) #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ defined(MBEDTLS_CIPHER_MODE_CFB) || \ defined(MBEDTLS_CIPHER_MODE_CTR)) - uint8_t buf[48], iv[16]; + uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; #endif /* @@ -911,7 +911,7 @@ int mbedtls_aria_self_test( int verbose ) mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, aria_test1_ecb_pt, blk ); - if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 ) + if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) ARIA_SELF_TEST_IF_FAIL; /* test ECB decryption */ @@ -920,7 +920,7 @@ int mbedtls_aria_self_test( int verbose ) mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, aria_test1_ecb_ct[i], blk ); - if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0) + if (memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0) ARIA_SELF_TEST_IF_FAIL; } if( verbose ) @@ -936,7 +936,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); - memcpy( iv, aria_test2_iv, 16 ); + memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); memset( buf, 0x55, sizeof(buf) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, aria_test2_pt, buf ); @@ -947,7 +947,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); - memcpy( iv, aria_test2_iv, 16 ); + memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); memset( buf, 0xAA, sizeof(buf) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, aria_test2_cbc_ct[i], buf ); @@ -966,7 +966,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); - memcpy( iv, aria_test2_iv, 16 ); + memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); memset( buf, 0x55, sizeof(buf) ); j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, @@ -978,7 +978,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); - memcpy( iv, aria_test2_iv, 16 ); + memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); memset( buf, 0xAA, sizeof(buf) ); j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, @@ -997,7 +997,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); - memset( iv, 0, 16 ); // IV = 0 + memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 memset( buf, 0x55, sizeof(buf) ); j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, @@ -1009,7 +1009,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); - memset( iv, 0, 16 ); // IV = 0 + memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 memset( buf, 0xAA, sizeof(buf) ); j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, From 7fc08795c1fa8f3d667a19abfd7bf58e5b237285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 09:33:20 +0100 Subject: [PATCH 45/97] aria: more whitespace fixes --- library/aria.c | 68 +++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/library/aria.c b/library/aria.c index f1bde7885..c7cdb9790 100644 --- a/library/aria.c +++ b/library/aria.c @@ -234,19 +234,19 @@ static inline void aria_sl( uint32_t *a, uint32_t *b, const uint8_t sa[0x100], const uint8_t sb[0x100], const uint8_t sc[0x100], const uint8_t sd[0x100] ) { - *a = ( (uint32_t) sa[ *a & 0xFF]) ^ + *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ (((uint32_t) sd[ *a >> 24 ]) << 24); - *b = ( (uint32_t) sa[ *b & 0xFF]) ^ + *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ (((uint32_t) sd[ *b >> 24 ]) << 24); - *c = ( (uint32_t) sa[ *c & 0xFF]) ^ + *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ (((uint32_t) sd[ *c >> 24 ]) << 24); - *d = ( (uint32_t) sa[ *d & 0xFF]) ^ + *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ (((uint32_t) sd[ *d >> 24 ]) << 24); @@ -362,8 +362,8 @@ static const uint8_t aria_is2[0x100] = /* * Helper for key schedule: r = FO( p, k ) ^ x */ -static void aria_fo_xor( uint32_t r[4], - const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) +static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], + const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; @@ -384,8 +384,8 @@ static void aria_fo_xor( uint32_t r[4], /* * Helper for key schedule: r = FE( p, k ) ^ x */ -static void aria_fe_xor(uint32_t r[4], - const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] ) +static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], + const uint32_t k[4], const uint32_t x[4] ) { uint32_t a, b, c, d; @@ -409,8 +409,8 @@ static void aria_fe_xor(uint32_t r[4], * We chose to store bytes into 32-bit words in little-endian format (see * GET/PUT_UINT32_LE) so we need to reverse bytes here. */ -static void aria_rot128(uint32_t r[4], const uint32_t a[4], - const uint32_t b[4], uint8_t n) +static void aria_rot128( uint32_t r[4], const uint32_t a[4], + const uint32_t b[4], uint8_t n ) { uint8_t i, j; uint32_t t, u; @@ -449,7 +449,7 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, int i; uint32_t w[4][4], *w2; - if (keybits != 128 && keybits != 192 && keybits != 256) + if( keybits != 128 && keybits != 192 && keybits != 256 ) return( MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH ); /* Copy key to W0 (and potential remainder to W1) */ @@ -458,7 +458,7 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, GET_UINT32_LE( w[0][2], key, 8 ); GET_UINT32_LE( w[0][3], key, 12 ); - memset(w[1], 0, 16); + memset( w[1], 0, 16 ); if( keybits >= 192 ) { GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key @@ -516,7 +516,7 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, } /* apply affine transform to middle keys */ - for (i = 1; i < ctx->nr; i++ ) + for( i = 1; i < ctx->nr; i++ ) { aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] ); @@ -545,7 +545,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, GET_UINT32_LE( d, input, 12 ); i = 0; - while (1) + while( 1 ) { a ^= ctx->rk[i][0]; b ^= ctx->rk[i][1]; @@ -563,7 +563,7 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, i++; aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); - if (i >= ctx->nr) + if( i >= ctx->nr ) break; aria_a( &a, &b, &c, &d ); } @@ -907,7 +907,7 @@ int mbedtls_aria_self_test( int verbose ) { /* test ECB encryption */ if( verbose ) - printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i); + printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, aria_test1_ecb_pt, blk ); @@ -916,15 +916,15 @@ int mbedtls_aria_self_test( int verbose ) /* test ECB decryption */ if( verbose ) - printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i); + printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, aria_test1_ecb_ct[i], blk ); - if (memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0) + if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) ARIA_SELF_TEST_IF_FAIL; } if( verbose ) - printf("\n"); + printf( "\n" ); /* * Test set 2 @@ -934,10 +934,10 @@ int mbedtls_aria_self_test( int verbose ) { /* Test CBC encryption */ if( verbose ) - printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i); + printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); - memset( buf, 0x55, sizeof(buf) ); + memset( buf, 0x55, sizeof( buf ) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, aria_test2_pt, buf ); if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) @@ -945,17 +945,17 @@ int mbedtls_aria_self_test( int verbose ) /* Test CBC decryption */ if( verbose ) - printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i); + printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); - memset( buf, 0xAA, sizeof(buf) ); + memset( buf, 0xAA, sizeof( buf ) ); mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, aria_test2_cbc_ct[i], buf ); if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) ARIA_SELF_TEST_IF_FAIL; } if( verbose ) - printf("\n"); + printf( "\n" ); #endif /* MBEDTLS_CIPHER_MODE_CBC */ @@ -964,10 +964,10 @@ int mbedtls_aria_self_test( int verbose ) { /* Test CFB encryption */ if( verbose ) - printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i); + printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); - memset( buf, 0x55, sizeof(buf) ); + memset( buf, 0x55, sizeof( buf ) ); j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, aria_test2_pt, buf ); @@ -976,10 +976,10 @@ int mbedtls_aria_self_test( int verbose ) /* Test CFB decryption */ if( verbose ) - printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i); + printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); - memset( buf, 0xAA, sizeof(buf) ); + memset( buf, 0xAA, sizeof( buf ) ); j = 0; mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, iv, aria_test2_cfb_ct[i], buf ); @@ -987,7 +987,7 @@ int mbedtls_aria_self_test( int verbose ) ARIA_SELF_TEST_IF_FAIL; } if( verbose ) - printf("\n"); + printf( "\n" ); #endif /* MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) @@ -995,10 +995,10 @@ int mbedtls_aria_self_test( int verbose ) { /* Test CTR encryption */ if( verbose ) - printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i); + printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 - memset( buf, 0x55, sizeof(buf) ); + memset( buf, 0x55, sizeof( buf ) ); j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, aria_test2_pt, buf ); @@ -1007,10 +1007,10 @@ int mbedtls_aria_self_test( int verbose ) /* Test CTR decryption */ if( verbose ) - printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i); + printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 - memset( buf, 0xAA, sizeof(buf) ); + memset( buf, 0xAA, sizeof( buf ) ); j = 0; mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, aria_test2_ctr_ct[i], buf ); @@ -1018,7 +1018,7 @@ int mbedtls_aria_self_test( int verbose ) ARIA_SELF_TEST_IF_FAIL; } if( verbose ) - printf("\n"); + printf( "\n" ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ return( 0 ); From 906bc90b301762ccd5bde86f825b33dce96bfc3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 09:39:01 +0100 Subject: [PATCH 46/97] aria: number of rounds is non-negative --- include/mbedtls/aria.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index bcbc03da5..b3617505d 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -63,7 +63,7 @@ extern "C" { */ typedef struct { - int nr; /*!< The number of rounds (12, 14 or 16) */ + unsigned char nr; /*!< The number of rounds (12, 14 or 16) */ /*! The ARIA round keys. */ uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4]; } From d82d79154cc0683e18d370fd98814a33905d98e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 09:43:21 +0100 Subject: [PATCH 47/97] aria: fix more whitespace --- tests/suites/test_suite_aria.function | 28 +++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index d3d8ebeea..38fc7e3d7 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -9,7 +9,7 @@ /* BEGIN_CASE */ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, - char *hex_dst_string, int setkey_result ) + char *hex_dst_string, int setkey_result ) { unsigned char key_str[1000]; unsigned char src_str[1000]; @@ -48,7 +48,7 @@ exit: /* BEGIN_CASE */ void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, - char *hex_dst_string, int setkey_result ) + char *hex_dst_string, int setkey_result ) { unsigned char key_str[1000]; unsigned char src_str[1000]; @@ -87,8 +87,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */ void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int cbc_result ) + char *hex_src_string, char *hex_dst_string, + int cbc_result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; @@ -127,8 +127,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */ void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int cbc_result ) + char *hex_src_string, char *hex_dst_string, + int cbc_result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; @@ -167,8 +167,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */ void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int result ) + char *hex_src_string, char *hex_dst_string, + int result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; @@ -205,8 +205,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */ void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int result ) + char *hex_src_string, char *hex_dst_string, + int result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; @@ -243,8 +243,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */ void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int result ) + char *hex_src_string, char *hex_dst_string, + int result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; @@ -281,8 +281,8 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */ void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string, - char *hex_src_string, char *hex_dst_string, - int result ) + char *hex_src_string, char *hex_dst_string, + int result ) { unsigned char key_str[1000]; unsigned char iv_str[1000]; From 8abc34988165be7aaca736d8f016c9025e4f40c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 10:02:47 +0100 Subject: [PATCH 48/97] aria: rationalize buffer sizes in test functions --- include/mbedtls/aria.h | 5 +- tests/suites/test_suite_aria.function | 169 ++++++++++++++------------ 2 files changed, 92 insertions(+), 82 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index b3617505d..2eed2f974 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -42,8 +42,9 @@ #define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */ #define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */ -#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */ -#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */ +#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */ +#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */ +#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */ #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */ #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index 38fc7e3d7..b36340606 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -1,5 +1,14 @@ /* BEGIN_HEADER */ #include "mbedtls/aria.h" + +/* Maxium size of data used by test vectors + * WARNING: to be adapted if and when adding larger test cases */ +#define ARIA_MAX_DATASIZE 160 + +/* Maximum sizes of hexified things */ +#define ARIA_MAX_KEY_STR ( 2 * MBEDTLS_ARIA_MAX_KEYSIZE + 1 ) +#define ARIA_BLOCK_STR ( 2 * MBEDTLS_ARIA_BLOCKSIZE + 1 ) +#define ARIA_MAX_DATA_STR ( 2 * ARIA_MAX_DATASIZE + 1 ) /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -11,17 +20,17 @@ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, char *hex_dst_string, int setkey_result ) { - unsigned char key_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; int key_len, data_len, i; - memset( key_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -31,7 +40,7 @@ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, == setkey_result ); if( setkey_result == 0 ) { - for( i = 0; i < data_len; i += 16 ) + for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, src_str + i, output + i ) == 0 ); @@ -50,17 +59,17 @@ exit: void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, char *hex_dst_string, int setkey_result ) { - unsigned char key_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; int key_len, data_len, i; - memset( key_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -70,7 +79,7 @@ void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, == setkey_result ); if( setkey_result == 0 ) { - for( i = 0; i < data_len; i += 16 ) + for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, src_str + i, output + i ) == 0 ); @@ -90,19 +99,19 @@ void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int cbc_result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -130,19 +139,19 @@ void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int cbc_result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -170,20 +179,20 @@ void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; size_t iv_offset = 0; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -208,20 +217,20 @@ void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; mbedtls_aria_context ctx; size_t iv_offset = 0; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -246,21 +255,21 @@ void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; - unsigned char blk[16]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; + unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE]; mbedtls_aria_context ctx; size_t iv_offset = 0; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); @@ -284,21 +293,21 @@ void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string, char *hex_src_string, char *hex_dst_string, int result ) { - unsigned char key_str[1000]; - unsigned char iv_str[1000]; - unsigned char src_str[1000]; - unsigned char dst_str[1000]; - unsigned char output[1000]; - unsigned char blk[16]; + unsigned char key_str[ARIA_MAX_KEY_STR]; + unsigned char iv_str[ARIA_BLOCK_STR]; + unsigned char src_str[ARIA_MAX_DATA_STR]; + unsigned char dst_str[ARIA_MAX_DATA_STR]; + unsigned char output[ARIA_MAX_DATASIZE]; + unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE]; mbedtls_aria_context ctx; size_t iv_offset = 0; int key_len, data_len; - memset( key_str, 0x00, 1000 ); - memset( iv_str, 0x00, 1000 ); - memset( src_str, 0x00, 1000 ); - memset( dst_str, 0x00, 1000 ); - memset( output, 0x00, 1000 ); + memset( key_str, 0x00, sizeof( key_str ) ); + memset( iv_str, 0x00, sizeof( iv_str ) ); + memset( src_str, 0x00, sizeof( src_str ) ); + memset( dst_str, 0x00, sizeof( dst_str ) ); + memset( output, 0x00, sizeof( output ) ); mbedtls_aria_init( &ctx ); key_len = unhexify( key_str, hex_key_string ); From 2078725feb3cb741a7d9224a3349421efbc9e64a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 10:37:47 +0100 Subject: [PATCH 49/97] aria: check arm arch version for asm rev and rev16 are only supported from v6 (all profiles) and up. arm-none-eabi-gcc picks a lower architecture version by default, which means before this commit it would fail to build (assembler error) unless you manually specified -march=armv6-m -mthumb or similar, which broke all.sh. Source for version-checking macros: - GCC/Clang: use the -E -dM - = 6000000 ) + ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ + __ARM_ARCH >= 6 static inline uint32_t aria_p1( uint32_t x ) { uint32_t r; @@ -101,7 +102,8 @@ static inline uint32_t aria_p1( uint32_t x ) return( r ); } #define ARIA_P1 aria_p1 -#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 +#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ + ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) static inline uint32_t aria_p1( uint32_t x ) { uint32_t r; @@ -139,10 +141,11 @@ static inline uint32_t aria_p1( uint32_t x ) * so let's provide asm versions for common platforms with C fallback. */ #if defined(MBEDTLS_HAVE_ASM) -#if defined(__arm__) +#if defined(__arm__) /* rev available from v6 up */ /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ #if defined(__GNUC__) && \ - ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) + ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ + __ARM_ARCH >= 6 static inline uint32_t aria_p3( uint32_t x ) { uint32_t r; @@ -150,7 +153,8 @@ static inline uint32_t aria_p3( uint32_t x ) return( r ); } #define ARIA_P3 aria_p3 -#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 +#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ + ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) static inline uint32_t aria_p3( uint32_t x ) { uint32_t r; From 21662148f71fd622e9533ae9a11f9f19085b526f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 11:27:14 +0100 Subject: [PATCH 50/97] aria: improve compiler compat by using __asm gcc --std=c99 doesn't like the shorter "asm" (this broke all.sh) --- library/aria.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/aria.c b/library/aria.c index 7a43d416b..55efd9a52 100644 --- a/library/aria.c +++ b/library/aria.c @@ -98,7 +98,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { static inline uint32_t aria_p1( uint32_t x ) { uint32_t r; - asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); + __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); return( r ); } #define ARIA_P1 aria_p1 @@ -149,7 +149,7 @@ static inline uint32_t aria_p1( uint32_t x ) static inline uint32_t aria_p3( uint32_t x ) { uint32_t r; - asm( "rev %0, %1" : "=l" (r) : "l" (x) ); + __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); return( r ); } #define ARIA_P3 aria_p3 @@ -168,7 +168,7 @@ static inline uint32_t aria_p3( uint32_t x ) defined(__i386__) || defined(__amd64__) || defined( __x86_64__) static inline uint32_t aria_p3( uint32_t x ) { - asm( "bswap %0" : "=r" (x) : "0" (x) ); + __asm( "bswap %0" : "=r" (x) : "0" (x) ); return( x ); } #define ARIA_P3 aria_p3 From f6b787cbcc7944b3974aae896d4547c7d2847ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 13:48:21 +0100 Subject: [PATCH 51/97] Fix typo in documentation (CTR warning) --- include/mbedtls/aes.h | 2 +- include/mbedtls/aria.h | 2 +- include/mbedtls/blowfish.h | 2 +- include/mbedtls/camellia.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 27be76168..22eb116b8 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -314,7 +314,7 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, * 2. Use a randomly-generated \p nonce_counter for each call. * With this strategy, you need to ensure the nonce is generated * in an unbiased way and you must not encrypt more than 2**64 - * block of data. + * blocks of data. * * Note that for both stategies, the limit is in number of blocks * and that an AES block is 16 bytes. diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 2eed2f974..0c4960b1b 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -262,7 +262,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * 2. Use a randomly-generated \p nonce_counter for each call. * With this strategy, you need to ensure the nonce is generated * in an unbiased way and you must not encrypt more than 2**64 - * block of data. + * blocks of data. * * Note that for both stategies, the limit is in number of blocks * and that an ARIA block is 16 bytes. diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index 4b4916e03..f4e8afcb6 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -184,7 +184,7 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx, * 2. Use a randomly-generated \p nonce_counter for each call. * With this strategy, you need to ensure the nonce is generated * in an unbiased way and you must not encrypt more than 2**32 - * block of data. + * blocks of data. * * Note that for both stategies, the limit is in number of blocks * and that a Blowfish block is 8 bytes. diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 1b138fc9e..74e09615b 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -201,7 +201,7 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, * 2. Use a randomly-generated \p nonce_counter for each call. * With this strategy, you need to ensure the nonce is generated * in an unbiased way and you must not encrypt more than 2**64 - * block of data. + * blocks of data. * * Note that for both stategies, the limit is in number of blocks * and that a CAMELLIA block is 16 bytes. From 977dc36b1455a764de6657bbb61e935dfcdc1991 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 13:51:52 +0100 Subject: [PATCH 52/97] aria test suite: uniformize line wrapping --- tests/suites/test_suite_aria.function | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index b36340606..a662047cd 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -43,7 +43,8 @@ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, - src_str + i, output + i ) == 0 ); + src_str + i, output + i ) + == 0 ); } hexify( dst_str, output, data_len ); @@ -82,7 +83,8 @@ void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, - src_str + i, output + i ) == 0 ); + src_str + i, output + i ) + == 0 ); } hexify( dst_str, output, data_len ); @@ -202,7 +204,8 @@ void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, data_len, &iv_offset, iv_str, - src_str, output ) == result ); + src_str, output ) + == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -240,7 +243,8 @@ void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, data_len, &iv_offset, iv_str, - src_str, output ) == result ); + src_str, output ) + == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -278,7 +282,8 @@ void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str, - blk, src_str, output ) == result ); + blk, src_str, output ) + == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); @@ -316,7 +321,8 @@ void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string, mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 ); TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str, - blk, src_str, output ) == result ); + blk, src_str, output ) + == result ); hexify( dst_str, output, data_len ); TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 ); From 366e1b046457f2e9d1c62fab6c32669e04a3fe11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 1 Mar 2018 14:48:10 +0100 Subject: [PATCH 53/97] aria: fix comment on aria_a function The new version of the comment has been generated by the following python3 script, when the first constant is copy-pasted from RFC 5794 2.4.3. #!/usr/bin/python3 RFC_A = """ y0 = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14, y1 = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15, y2 = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15, y3 = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14, y4 = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15, y5 = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15, y6 = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13, y7 = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13, y8 = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15, y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14, y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15, y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14, y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12, y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13, y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14, y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15. """ matrix = [] for l in RFC_A.split('\n')[1:-1]: rhs = l.split('=')[1][:-1] row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^')) matrix.append(row) out = {} out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4]))) out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8]))) out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12]))) out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:]))) out2 = {} for o, r in out.items(): row = list(r) for i in range(len(r) - 1): w1 = row[i] if len(set(w1)) == 2: w2 = row[i+1] nw1 = nw2 = '' for j in range(len(w1)): if w1[j] in nw1: nw1 += w2[j] nw2 += w1[j] else: nw1 += w1[j] nw2 += w2[j] row[i] = nw1 row[i+1] = nw2 out2[o] = row for o in 'abcd': print(o, '=', ' + '.join(out[o])) print(' ', '=', ' + '.join(out2[o])) --- library/aria.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/aria.c b/library/aria.c index 55efd9a52..fdc2137fe 100644 --- a/library/aria.c +++ b/library/aria.c @@ -190,11 +190,11 @@ static inline uint32_t aria_p3( uint32_t x ) * * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd - * b = 0101 + 2323 + 5476 + 8998 + baab + ecec + ffdd + * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc - * c = 0022 + 1133 + 4545 + 7667 + ab89 + dcdc + fefe + * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc - * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cedf + * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef * * Note: another presentation of the A transform can be found as the first From ce5673cbe651c42d32062cc73ab53d2513928e31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 6 Mar 2018 09:54:10 +0100 Subject: [PATCH 54/97] Add reference to github issue in compat.sh --- tests/compat.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 0a863fa48..b914386bb 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -435,7 +435,8 @@ add_common_ciphersuites() # with its Mbed TLS name. # # NOTE: for some reason RSA-PSK doesn't work with OpenSSL, -# so RSA-PSK ciphersuites need to go in other sections. +# so RSA-PSK ciphersuites need to go in other sections, see +# https://github.com/ARMmbed/mbedtls/issues/1419 add_openssl_ciphersuites() { case $TYPE in From 84052570355bb5608248f162b622068b7b9eaa7c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Mar 2018 12:12:47 +0100 Subject: [PATCH 55/97] Support out-of-tree testing with CMake Create extra symbolic links with CMake so that SSL testing (ssl-opt.sh and compat.sh) works in out-of-tree builds. --- CMakeLists.txt | 30 ++++++++++++++++++++++++++++++ include/CMakeLists.txt | 6 ++++++ tests/CMakeLists.txt | 27 ++++++--------------------- 3 files changed, 42 insertions(+), 21 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ca4cba216..df03dd607 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -56,6 +56,30 @@ set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE} CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull" FORCE) +# Create a symbolic link from ${base_name} in the binary directory +# to the corresponding path in the source directory. +function(link_to_source base_name) + # Get OS dependent path to use in `execute_process` + file(TO_NATIVE_PATH "${CMAKE_CURRENT_BINARY_DIR}/${base_name}" link) + file(TO_NATIVE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}" target) + + if (NOT EXISTS ${link}) + if (CMAKE_HOST_UNIX) + set(command ln -s ${target} ${link}) + else() + set(command cmd.exe /c mklink /j ${link} ${target}) + endif() + + execute_process(COMMAND ${command} + RESULT_VARIABLE result + ERROR_VARIABLE output) + + if (NOT ${result} EQUAL 0) + message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}") + endif() + endif() +endfunction(link_to_source) + string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}") if(CMAKE_COMPILER_IS_GNUCC) @@ -164,3 +188,9 @@ if(ENABLE_TESTING) ) endif(UNIX) endif() + +# Make scripts and data files needed for testing available in an +# out-of-source build. +if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) + link_to_source(scripts) +endif() diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt index 985a3530b..3081b2678 100644 --- a/include/CMakeLists.txt +++ b/include/CMakeLists.txt @@ -9,3 +9,9 @@ if(INSTALL_MBEDTLS_HEADERS) PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ) endif(INSTALL_MBEDTLS_HEADERS) + +# Make scripts and data files needed for testing available in an +# out-of-source build. +if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) + link_to_source(mbedtls) +endif() diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 16e19a927..9fd4916bb 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -105,26 +105,11 @@ add_test_suite(xtea) add_test_suite(x509parse) add_test_suite(x509write) -# Make data_files available in an out-of-source build +# Make scripts and data files needed for testing available in an +# out-of-source build. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) - # Get OS dependent path to use in `execute_process` - file(TO_NATIVE_PATH "${CMAKE_CURRENT_BINARY_DIR}/data_files" link) - file(TO_NATIVE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/data_files" target) - - if (NOT EXISTS ${link}) - if (CMAKE_HOST_UNIX) - set(command ln -s ${target} ${link}) - else() - set(command cmd.exe /c mklink /j ${link} ${target}) - endif() - - execute_process(COMMAND ${command} - RESULT_VARIABLE result - ERROR_VARIABLE output) - - if (NOT ${result} EQUAL 0) - message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}") - endif() - endif() + link_to_source(compat.sh) + link_to_source(data_files) + link_to_source(scripts) + link_to_source(ssl-opt.sh) endif() - From 31b07e283321b1470c31466d10ca8a8099b73bba Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Mar 2018 12:15:06 +0100 Subject: [PATCH 56/97] all.sh: be more conservative when cleaning up CMake artefacts Only delete things that we expect to find, to avoid deleting other things that people might have lying around in their build tree. Explicitly skip .git to avoid e.g. accidentally matching a branch name. --- tests/scripts/all.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b559af8e1..7caebd5dc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -149,7 +149,13 @@ cleanup() { command make clean - find . -name yotta -prune -o -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} \+ + # Remove CMake artefacts + find . -name .git -prune -o -name yotta -prune -o \ + -iname CMakeFiles -exec rm -rf {} \+ -o \ + \( -iname cmake_install.cmake -o \ + -iname CTestTestfile.cmake -o \ + -iname CMakeCache.txt \) -exec rm {} \+ + # Recover files overwritten by in-tree CMake builds rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile From a71d64c74fccffb1affe07cda551f6d073c88a88 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Mar 2018 12:16:57 +0100 Subject: [PATCH 57/97] all.sh: fix cleanup happening during an out-of-tree build --- tests/scripts/all.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7caebd5dc..00dc9ca2e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -147,6 +147,10 @@ EOF # remove built files as well as the cmake cache/config cleanup() { + if [ -n "${MBEDTLS_ROOT_DIR+set}" ]; then + cd "$MBEDTLS_ROOT_DIR" + fi + command make clean # Remove CMake artefacts @@ -857,6 +861,7 @@ msg "test: cmake 'out-of-source' build" make test cd "$MBEDTLS_ROOT_DIR" rm -rf "$OUT_OF_SOURCE_DIR" +unset MBEDTLS_ROOT_DIR From 0114ffc76bc4ff85b665e27cd180bd2e80968a77 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Mar 2018 12:17:20 +0100 Subject: [PATCH 58/97] all.sh: Verify out-of-tree testing with CMake Run a test case in ssl-opt.sh to validate that testing works in an out-of-tree CMake build. --- tests/scripts/all.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 00dc9ca2e..cbf4837e6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -859,6 +859,17 @@ make msg "test: cmake 'out-of-source' build" make test +# Test an SSL option that requires an auxiliary script in test/scripts/. +# Also ensure that there are no error messages such as +# "No such file or directory", which would indicate that some required +# file is missing (ssl-opt.sh tolerates the absence of some files so +# may exit with status 0 but emit errors). +if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err +if [ -s ssl-opt.err ]; then + cat ssl-opt.err >&2 + record_status [ ! -s ssl-opt.err ] + rm ssl-opt.err +fi cd "$MBEDTLS_ROOT_DIR" rm -rf "$OUT_OF_SOURCE_DIR" unset MBEDTLS_ROOT_DIR From b2f09c32658668d0d79469ed32c86b6836a4beb1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Mar 2018 12:38:00 +0100 Subject: [PATCH 59/97] Support out-of-tree testing with CMake: add ChangeLog entry. Fixes #1193 --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8db021591..5d8673373 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.x.x branch released xxxx-xx-xx + +Changes + * Support TLS testing in out-of-source builds using cmake. Fixes #1193. + = mbed TLS 2.7.0 branch released 2018-02-03 Security From be038366eab275e7157f979b2d57fc0da00eab3e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Mar 2018 17:12:46 +0100 Subject: [PATCH 60/97] Fix some comments regarding what files are symlinked --- CMakeLists.txt | 3 +-- include/CMakeLists.txt | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index df03dd607..8b26e6e7c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -189,8 +189,7 @@ if(ENABLE_TESTING) endif(UNIX) endif() -# Make scripts and data files needed for testing available in an -# out-of-source build. +# Make scripts needed for testing available in an out-of-source build. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(scripts) endif() diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt index 3081b2678..1b581a54d 100644 --- a/include/CMakeLists.txt +++ b/include/CMakeLists.txt @@ -10,8 +10,7 @@ if(INSTALL_MBEDTLS_HEADERS) endif(INSTALL_MBEDTLS_HEADERS) -# Make scripts and data files needed for testing available in an -# out-of-source build. +# Make config.h available in an out-of-source build. ssl-opt.sh requires it. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(mbedtls) endif() From c33c7c8363e998a0d7b54f1f310372757c67ada4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 5 Apr 2018 15:57:56 +0200 Subject: [PATCH 61/97] Copy DartConfiguration.tcl, needed for make memcheck --- CMakeLists.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8b26e6e7c..e9a632e9b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -192,4 +192,8 @@ endif() # Make scripts needed for testing available in an out-of-source build. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(scripts) + # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to + # keep things simple with the sed commands in the memcheck target. + configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl + ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY) endif() From 3c5f9498e5dedfdb46174b7b479b1f679e1f994e Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 11 Jan 2018 19:51:27 +0000 Subject: [PATCH 62/97] genereate_visualc_files.pl deletes old files Add a function that deletes all the old Visual Studio prokect files before generating the new ones. This ensure that project files for delete example applications are removed from the repository. --- scripts/generate_visualc_files.pl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl index 8d36653b4..0f5423971 100755 --- a/scripts/generate_visualc_files.pl +++ b/scripts/generate_visualc_files.pl @@ -171,12 +171,22 @@ sub gen_vsx_solution { content_to_file( $out, $vsx_sln_file ); } +sub del_vsx_files { + unlink glob "'$vsx_dir/*.$vsx_ext'"; + unlink $vsx_main_file; + unlink $vsx_sln_file; +} + sub main { if( ! check_dirs() ) { chdir '..' or die; check_dirs or die "Must but run from mbedTLS root or scripts dir\n"; } + # Remove old files to ensure that, for example, project files from deleted + # apps are not kept + del_vsx_files(); + my @app_list = get_app_list(); my @headers = <$header_dir/*.h>; my @sources = <$source_dir/*.c>; From 4c1e2ec286e0b990b62c9708cb4645e36c324654 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 10 Jan 2018 11:03:45 +0000 Subject: [PATCH 63/97] Check generated-visualc-files in check-generated-files --- tests/scripts/check-generated-files.sh | 62 ++++++++++++++++++++++---- 1 file changed, 53 insertions(+), 9 deletions(-) diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index 0400bc754..f471ad292 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -1,6 +1,12 @@ -#!/bin/sh +#! /usr/bin/env sh -# check if generated files are up-to-date +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2018, ARM Limited, All Rights Reserved +# +# Purpose +# +# Check if generated files are up-to-date. set -eu @@ -11,14 +17,52 @@ fi check() { - FILE=$1 - SCRIPT=$2 + SCRIPT=$1 + TO_CHECK=$2 + PATTERN="" + + if [ -d $TO_CHECK ]; then + for FILE in $TO_CHECK/*; do + FILES="$FILE $FILES" + done + else + FILES=$TO_CHECK + fi + + for FILE in $FILES; do + cp $FILE $FILE.bak + done - cp $FILE $FILE.bak $SCRIPT - diff $FILE $FILE.bak - mv $FILE.bak $FILE + + # Compare the script output to the old files and remove backups + for FILE in $FILES; do + if ! diff $FILE $FILE.bak >/dev/null 2>&1; then + echo "'$FILE' was either modified or deleted by '$SCRIPT'" + exit 1 + fi + mv $FILE.bak $FILE + + if [ -d $TO_CHECK ]; then + # Create a grep regular expression that we can check against the + # directory contents to test whether new files have been created + if [ -z $PATTERN ]; then + PATTERN="$(basename $FILE)" + else + PATTERN="$PATTERN\|$(basename $FILE)" + fi + fi + done + + if [ -d $TO_CHECK ]; then + # Check if there are any new files + if ls -1 $TO_CHECK | grep -v "$PATTERN" >/dev/null 2>&1; then + echo "Files were created by '$SCRIPT'" + exit 1 + fi + fi } -check library/error.c scripts/generate_errors.pl -check library/version_features.c scripts/generate_features.pl +check scripts/generate_errors.pl library/error.c +check scripts/generate_features.pl library/version_features.c +check scripts/generate_visualc_files.pl visualc/VS2010 From 5121d4b32fbc4b3f8cb37948f1bafa20f70a0d39 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 11 Apr 2018 20:35:19 -0500 Subject: [PATCH 64/97] Remove refs to VS6 from generate_visualc_files.pl --- scripts/generate_visualc_files.pl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl index 0f5423971..e042a4493 100755 --- a/scripts/generate_visualc_files.pl +++ b/scripts/generate_visualc_files.pl @@ -1,8 +1,7 @@ #!/usr/bin/perl -# Generate files for MS Visual Studio: -# - for VS6: main project (library) file, individual app files, workspace -# - for VS2010: main file, individual apps, solution file +# Generate main file, individual apps and solution files for MS Visual Studio +# 2010 # # Must be run from mbedTLS root or scripts directory. # Takes no argument. From dfeda4818627d70f1e43e4841fcffc02f24c42a0 Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 11 Apr 2018 20:55:22 -0500 Subject: [PATCH 65/97] Remove VS project files from deleted example apps --- visualc/VS2010/md5sum.vcxproj | 170 --------------------------------- visualc/VS2010/sha1sum.vcxproj | 170 --------------------------------- visualc/VS2010/sha2sum.vcxproj | 170 --------------------------------- 3 files changed, 510 deletions(-) delete mode 100644 visualc/VS2010/md5sum.vcxproj delete mode 100644 visualc/VS2010/sha1sum.vcxproj delete mode 100644 visualc/VS2010/sha2sum.vcxproj diff --git a/visualc/VS2010/md5sum.vcxproj b/visualc/VS2010/md5sum.vcxproj deleted file mode 100644 index 6f20e57e7..000000000 --- a/visualc/VS2010/md5sum.vcxproj +++ /dev/null @@ -1,170 +0,0 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - Release - Win32 - - - Release - x64 - - - - - - - - {46cf2d25-6a36-4189-b59c-e4815388e554} - true - - - - {80FE1ECF-6992-A275-7973-E2976718D128} - Win32Proj - md5sum - - - - Application - true - Unicode - - - Application - true - Unicode - - - Application - false - true - Unicode - - - Application - false - true - Unicode - Windows7.1SDK - - - - - - - - - - - - - - - - - - - true - - - true - - - false - - - false - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - Level3 - - - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - - - - - Level3 - - - MaxSpeed - true - true - WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - %(AdditionalDependencies); - - - - - - diff --git a/visualc/VS2010/sha1sum.vcxproj b/visualc/VS2010/sha1sum.vcxproj deleted file mode 100644 index 2c3674b45..000000000 --- a/visualc/VS2010/sha1sum.vcxproj +++ /dev/null @@ -1,170 +0,0 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - Release - Win32 - - - Release - x64 - - - - - - - - {46cf2d25-6a36-4189-b59c-e4815388e554} - true - - - - {E91D12D7-01C0-357F-CAB1-8478B096743C} - Win32Proj - sha1sum - - - - Application - true - Unicode - - - Application - true - Unicode - - - Application - false - true - Unicode - - - Application - false - true - Unicode - Windows7.1SDK - - - - - - - - - - - - - - - - - - - true - - - true - - - false - - - false - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - Level3 - - - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - - - - - Level3 - - - MaxSpeed - true - true - WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - %(AdditionalDependencies); - - - - - - diff --git a/visualc/VS2010/sha2sum.vcxproj b/visualc/VS2010/sha2sum.vcxproj deleted file mode 100644 index b1afb674d..000000000 --- a/visualc/VS2010/sha2sum.vcxproj +++ /dev/null @@ -1,170 +0,0 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - Release - Win32 - - - Release - x64 - - - - - - - - {46cf2d25-6a36-4189-b59c-e4815388e554} - true - - - - {8C5CF095-A0A4-54FB-0D48-8DF2B7FE4CA5} - Win32Proj - sha2sum - - - - Application - true - Unicode - - - Application - true - Unicode - - - Application - false - true - Unicode - - - Application - false - true - Unicode - Windows7.1SDK - - - - - - - - - - - - - - - - - - - true - - - true - - - false - - - false - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - - - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - NotSet - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - Debug - - - false - - - - - Level3 - - - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) - - - - - Level3 - - - MaxSpeed - true - true - WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - ../../include - - - Console - true - true - true - Release - %(AdditionalDependencies); - - - - - - From c4ec716ec84b456262a8da43903b7afc212e48bc Mon Sep 17 00:00:00 2001 From: Andres AG Date: Wed, 11 Apr 2018 21:13:20 -0500 Subject: [PATCH 66/97] Fix uninitialized var in check-generated-files.sh --- tests/scripts/check-generated-files.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index f471ad292..4976bacf5 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -20,6 +20,7 @@ check() SCRIPT=$1 TO_CHECK=$2 PATTERN="" + FILES="" if [ -d $TO_CHECK ]; then for FILE in $TO_CHECK/*; do From 3f7f8170d6ba71da9a9f624ef9da6c9edeb64b50 Mon Sep 17 00:00:00 2001 From: Mohammad Azim Khan Date: Thu, 23 Nov 2017 17:49:05 +0000 Subject: [PATCH 67/97] Check invalid nc_off Uninitialized nc_off value >0xf passed by the caller can cause array out-of-bound. --- include/mbedtls/aes.h | 1 + library/aes.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 46016dcb7..d252930fd 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -49,6 +49,7 @@ /* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ +#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0024 /**< Invalid input data. */ /* Error codes in range 0x0023-0x0025 */ #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ diff --git a/library/aes.c b/library/aes.c index da94b1943..3bb851520 100644 --- a/library/aes.c +++ b/library/aes.c @@ -1082,6 +1082,9 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, int c, i; size_t n = *nc_off; + if ( n > 0x0F ) + return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); + while( length-- ) { if( n == 0 ) { From e5b5bd7a400391f3730a43f6191d7c5e7f89bf21 Mon Sep 17 00:00:00 2001 From: Mohammad Azim Khan Date: Fri, 24 Nov 2017 10:52:51 +0000 Subject: [PATCH 68/97] Allocate a unique err code for MBEDTLS_ERR_AES_BAD_INPUT_DATA --- include/mbedtls/aes.h | 4 ++-- include/mbedtls/error.h | 2 +- library/error.c | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index d252930fd..8b9280d97 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -49,9 +49,9 @@ /* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ -#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0024 /**< Invalid input data. */ -/* Error codes in range 0x0023-0x0025 */ +/* Error codes in range 0x0021-0x0025 */ +#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 /**< Invalid input data. */ #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */ diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b4d3a875..786d02e32 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -53,7 +53,7 @@ * GCM 3 0x0012-0x0014 0x0013-0x0013 * BLOWFISH 3 0x0016-0x0018 0x0017-0x0017 * THREADING 3 0x001A-0x001E - * AES 4 0x0020-0x0022 0x0023-0x0025 + * AES 5 0x0020-0x0022 0x0021-0x0025 * CAMELLIA 3 0x0024-0x0026 0x0027-0x0027 * XTEA 2 0x0028-0x0028 0x0029-0x0029 * BASE64 2 0x002A-0x002C diff --git a/library/error.c b/library/error.c index 96ab20376..37058254c 100644 --- a/library/error.c +++ b/library/error.c @@ -572,6 +572,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "AES - Invalid key length" ); if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) ) mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" ); + if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) ) + mbedtls_snprintf( buf, buflen, "AES - Invalid input data" ); if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) ) mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" ); if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) ) From 0b3f00c3cfe715044710ecaefdec2b78ce306da4 Mon Sep 17 00:00:00 2001 From: Mohammad Azim Khan Date: Tue, 1 May 2018 10:17:48 +0100 Subject: [PATCH 69/97] Avoid -Wformat-truncation warning on gcc7 --- tests/suites/main_test.function | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 1390f9fbb..abf332036 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -226,12 +226,23 @@ int parse_arguments( char *buf, size_t len, char *params[50] ) return( cnt ); } +#if defined(__GNUC__) +/* At high optimization levels (e.g. gcc -O3), this function may be + * inlined in run_test_snprintf. This can trigger a spurious warning about + * potential misuse of snprintf from gcc -Wformat-truncation (observed with + * gcc 7.2). This warning makes tests in run_test_snprintf redundant on gcc + * only. They are still valid for other compilers. Avoid this warning by + * forbidding inlining of this function by gcc. */ +__attribute__((__noinline__)) +#endif static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret ) { int ret; char buf[10] = "xxxxxxxxx"; const char ref[10] = "xxxxxxxxx"; + if( n >= sizeof( buf ) ) + return( -1 ); ret = mbedtls_snprintf( buf, n, "%s", "123" ); if( ret < 0 || (size_t) ret >= n ) ret = -1; From 707e9624e07538eaf43078cd19a3658121dfc892 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 9 May 2018 10:57:04 +0200 Subject: [PATCH 70/97] Update visualc project files --- visualc/VS2010/mbedTLS.vcxproj | 2 ++ 1 file changed, 2 insertions(+) diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index f13f83cc1..b2df4b4ad 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -149,6 +149,7 @@ + @@ -222,6 +223,7 @@ + From 10d9ce332f9aabfcc4382fb2e35c56454c20140c Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Wed, 28 Feb 2018 10:02:55 +0000 Subject: [PATCH 71/97] Add script for source integrity checking --- tests/scripts/check-files.py | 223 +++++++++++++++++++++++++++++++++++ 1 file changed, 223 insertions(+) create mode 100755 tests/scripts/check-files.py diff --git a/tests/scripts/check-files.py b/tests/scripts/check-files.py new file mode 100755 index 000000000..f560d0378 --- /dev/null +++ b/tests/scripts/check-files.py @@ -0,0 +1,223 @@ +#!/usr/bin/env python3 +""" +This file is part of Mbed TLS (https://tls.mbed.org) + +Copyright (c) 2018, Arm Limited, All Rights Reserved + +Purpose + +This script checks the current state of the source code for minor issues, +including incorrect file permissions, presence of tabs, non-Unix line endings, +trailing whitespace, presence of UTF-8 BOM, and TODO comments. +Note: requires python 3, must be run from Mbed TLS root. +""" + +import os +import argparse +import logging +import codecs +import sys + + +class IssueTracker(object): + """Base class for issue tracking. Issues should inherit from this and + overwrite either issue_with_line if they check the file line by line, or + overwrite check_file_for_issue if they check the file as a whole.""" + + def __init__(self): + self.heading = "" + self.files_exemptions = [] + self.files_with_issues = {} + + def should_check_file(self, filepath): + for files_exemption in self.files_exemptions: + if filepath.endswith(files_exemption): + return False + return True + + def issue_with_line(self, line): + raise NotImplementedError + + def check_file_for_issue(self, filepath): + with open(filepath, "rb") as f: + for i, line in enumerate(iter(f.readline, b"")): + self.check_file_line(filepath, line, i + 1) + + def check_file_line(self, filepath, line, line_number): + if self.issue_with_line(line): + if filepath not in self.files_with_issues.keys(): + self.files_with_issues[filepath] = [] + self.files_with_issues[filepath].append(line_number) + + def output_file_issues(self, logger): + if self.files_with_issues.values(): + logger.info(self.heading) + for filename, lines in sorted(self.files_with_issues.items()): + if lines: + logger.info("{}: {}".format( + filename, ", ".join(str(x) for x in lines) + )) + else: + logger.info(filename) + logger.info("") + + +class PermissionIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "Incorrect permissions:" + + def check_file_for_issue(self, filepath): + if not (os.access(filepath, os.X_OK) == + filepath.endswith((".sh", ".pl", ".py"))): + self.files_with_issues[filepath] = None + + +class EndOfFileNewlineIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "Missing newline at end of file:" + + def check_file_for_issue(self, filepath): + with open(filepath, "rb") as f: + if not f.read().endswith(b"\n"): + self.files_with_issues[filepath] = None + + +class Utf8BomIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "UTF-8 BOM present:" + + def check_file_for_issue(self, filepath): + with open(filepath, "rb") as f: + if f.read().startswith(codecs.BOM_UTF8): + self.files_with_issues[filepath] = None + + +class LineEndingIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "Non Unix line endings:" + + def issue_with_line(self, line): + return b"\r" in line + + +class TrailingWhitespaceIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "Trailing whitespace:" + self.files_exemptions = [".md"] + + def issue_with_line(self, line): + return line.rstrip(b"\r\n") != line.rstrip() + + +class TabIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "Tabs present:" + self.files_exemptions = [ + "Makefile", "generate_visualc_files.pl" + ] + + def issue_with_line(self, line): + return b"\t" in line + + +class TodoIssueTracker(IssueTracker): + + def __init__(self): + super().__init__() + self.heading = "TODO present:" + self.files_exemptions = [ + __file__, "benchmark.c", "pull_request_template.md" + ] + + def issue_with_line(self, line): + return b"todo" in line.lower() + + +class IntegrityChecker(object): + + def __init__(self, log_file): + self.check_repo_path() + self.logger = None + self.setup_logger(log_file) + self.files_to_check = ( + ".c", ".h", ".sh", ".pl", ".py", ".md", ".function", ".data", + "Makefile", "CMakeLists.txt", "ChangeLog" + ) + self.issues_to_check = [ + PermissionIssueTracker(), + EndOfFileNewlineIssueTracker(), + Utf8BomIssueTracker(), + LineEndingIssueTracker(), + TrailingWhitespaceIssueTracker(), + TabIssueTracker(), + TodoIssueTracker(), + ] + + def check_repo_path(self): + if not all(os.path.isdir(d) for d in ["include", "library", "tests"]): + raise Exception("Must be run from Mbed TLS root") + + def setup_logger(self, log_file, level=logging.INFO): + self.logger = logging.getLogger() + self.logger.setLevel(level) + if log_file: + handler = logging.FileHandler(log_file) + self.logger.addHandler(handler) + else: + console = logging.StreamHandler() + self.logger.addHandler(console) + + def check_files(self): + for root, dirs, files in sorted(os.walk(".")): + for filename in sorted(files): + filepath = os.path.join(root, filename) + if (os.path.join("yotta", "module") in filepath or + not filepath.endswith(self.files_to_check)): + continue + for issue_to_check in self.issues_to_check: + if issue_to_check.should_check_file(filepath): + issue_to_check.check_file_for_issue(filepath) + + def output_issues(self): + integrity_return_code = 0 + for issue_to_check in self.issues_to_check: + if issue_to_check.files_with_issues: + integrity_return_code = 1 + issue_to_check.output_file_issues(self.logger) + return integrity_return_code + + +def run_main(): + parser = argparse.ArgumentParser( + description=( + "This script checks the current state of the source code for " + "minor issues, including incorrect file permissions, " + "presence of tabs, non-Unix line endings, trailing whitespace, " + "presence of UTF-8 BOM, and TODO comments. " + "Note: requires python 3, must be run from Mbed TLS root." + ) + ) + parser.add_argument( + "-l", "--log_file", type=str, help="path to optional output log", + ) + check_args = parser.parse_args() + integrity_check = IntegrityChecker(check_args.log_file) + integrity_check.check_files() + return_code = integrity_check.output_issues() + sys.exit(return_code) + + +if __name__ == "__main__": + run_main() From a07039cfe2e4574b40e08ecb03774b55b210948c Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Tue, 13 Mar 2018 16:48:16 +0000 Subject: [PATCH 72/97] Add check-files.py to all.sh --- tests/scripts/all.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e6c7549e6..6eb25026e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -413,6 +413,10 @@ tests/scripts/check-generated-files.sh msg "test: doxygen markup outside doxygen blocks" # < 1s tests/scripts/check-doxy-blocks.pl +msg "test: check-files.py" # < 1s +cleanup +tests/scripts/check-files.py + msg "test/build: declared and exported names" # < 3s cleanup tests/scripts/check-names.sh From 2699de33703c06ac32ed860ffc705a40999085ce Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Mon, 21 May 2018 11:40:22 +0100 Subject: [PATCH 73/97] Add check-files.py to pre-push.sh --- tests/git-scripts/pre-push.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/git-scripts/pre-push.sh b/tests/git-scripts/pre-push.sh index ee54a6cff..7407f44b9 100755 --- a/tests/git-scripts/pre-push.sh +++ b/tests/git-scripts/pre-push.sh @@ -45,3 +45,4 @@ run_test() run_test ./tests/scripts/check-doxy-blocks.pl run_test ./tests/scripts/check-names.sh run_test ./tests/scripts/check-generated-files.sh +run_test ./tests/scripts/check-files.py From 4d393b983539522511b6f6e9335d25e5c1d000d5 Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Mon, 21 May 2018 11:59:28 +0100 Subject: [PATCH 74/97] Add check-files.py to travis.yml --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index fa01e5a24..4d23652c6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,6 +9,7 @@ script: - tests/scripts/check-generated-files.sh - tests/scripts/check-doxy-blocks.pl - tests/scripts/check-names.sh +- tests/scripts/check-files.py - tests/scripts/doxygen.sh - cmake -D CMAKE_BUILD_TYPE:String="Check" . - make From 9d410733c2ee607a569f5452e68806ebc17db541 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 12:49:22 +0200 Subject: [PATCH 75/97] Fix typos from copy-pasting --- include/mbedtls/aria.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 0c4960b1b..0cf06c4c7 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -128,8 +128,8 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, * (encrypt or decrypt), on the input data buffer defined in * the \p input parameter. * - * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or - * mbedtls_aes_setkey_dec() must be called before the first + * mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or + * mbedtls_aria_setkey_dec() must be called before the first * call to this API with the same context. * * \param ctx The ARIA context to use for encryption or decryption. @@ -155,8 +155,8 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, * the \p input parameter. * * It can be called as many times as needed, until all the input - * data is processed. mbedtls_aes_init(), and either - * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called + * data is processed. mbedtls_aria_init(), and either + * mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called * before the first call to this API with the same context. * * \note This function operates on aligned blocks, that is, the input size @@ -199,7 +199,7 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, * parameter (encrypt or decrypt), on the input data buffer * defined in the \p input parameter. * - * For CFB, you must set up the context with mbedtls_aes_setkey_enc(), + * For CFB, you must set up the context with mbedtls_aria_setkey_enc(), * regardless of whether you are performing an encryption or decryption * operation, that is, regardless of the \p mode parameter. This is * because CFB mode uses the same key schedule for encryption and @@ -245,7 +245,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * * Due to the nature of CTR, you must use the same key schedule * for both encryption and decryption operations. Therefore, you - * must use the context initialized with mbedtls_aes_setkey_enc() + * must use the context initialized with mbedtls_aria_setkey_enc() * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT. * * \warning You must never reuse a nonce value with the same key. Doing so From d418b0dcbaf2a680905bdc3bf07bbe69dc3bf0ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 12:56:11 +0200 Subject: [PATCH 76/97] Fix typo in comment --- library/aria.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aria.c b/library/aria.c index fdc2137fe..f5354a9d0 100644 --- a/library/aria.c +++ b/library/aria.c @@ -182,7 +182,7 @@ static inline uint32_t aria_p3( uint32_t x ) * ARIA Affine Transform * (a, b, c, d) = state in/out * - * If we denote the first by of input by 0, ..., the last byte by f, + * If we denote the first byte of input by 0, ..., the last byte by f, * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. * * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple From 12e2fbdf293ca414e4ee45671d44dd7a2c7f35b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 13:01:09 +0200 Subject: [PATCH 77/97] Style adjustments --- library/aria.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/library/aria.c b/library/aria.c index f5354a9d0..fbdc0ec56 100644 --- a/library/aria.c +++ b/library/aria.c @@ -235,8 +235,8 @@ static inline void aria_a( uint32_t *a, uint32_t *b, */ static inline void aria_sl( uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d, - const uint8_t sa[0x100], const uint8_t sb[0x100], - const uint8_t sc[0x100], const uint8_t sd[0x100] ) + const uint8_t sa[256], const uint8_t sb[256], + const uint8_t sc[256], const uint8_t sd[256] ) { *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ @@ -259,7 +259,7 @@ static inline void aria_sl( uint32_t *a, uint32_t *b, /* * S-Boxes */ -static const uint8_t aria_sb1[0x100] = +static const uint8_t aria_sb1[256] = { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, @@ -285,7 +285,7 @@ static const uint8_t aria_sb1[0x100] = 0xB0, 0x54, 0xBB, 0x16 }; -static const uint8_t aria_sb2[0x100] = +static const uint8_t aria_sb2[256] = { 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, @@ -311,7 +311,7 @@ static const uint8_t aria_sb2[0x100] = 0xAF, 0xBA, 0xB5, 0x81 }; -static const uint8_t aria_is1[0x100] = +static const uint8_t aria_is1[256] = { 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, @@ -337,7 +337,7 @@ static const uint8_t aria_is1[0x100] = 0x55, 0x21, 0x0C, 0x7D }; -static const uint8_t aria_is2[0x100] = +static const uint8_t aria_is2[256] = { 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, @@ -422,11 +422,11 @@ static void aria_rot128( uint32_t r[4], const uint32_t a[4], const uint8_t n1 = n % 32; // bit offset const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset - j = (n / 32) % 4; // initial word offset + j = ( n / 32 ) % 4; // initial word offset t = ARIA_P3( b[j] ); // big endian for( i = 0; i < 4; i++ ) { - j = (j + 1) % 4; // get next word, big endian + j = ( j + 1 ) % 4; // get next word, big endian u = ARIA_P3( b[j] ); t <<= n1; // rotate t |= u >> n2; @@ -474,7 +474,7 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, GET_UINT32_LE( w[1][3], key, 28 ); } - i = (keybits - 128) >> 6; // index: 0, 1, 2 + i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR From 89924ddc7e861d8c86bc90b7a0fc049998863221 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 13:07:07 +0200 Subject: [PATCH 78/97] Wipe sensitive info from the stack --- library/aria.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/aria.c b/library/aria.c index fbdc0ec56..498a13264 100644 --- a/library/aria.c +++ b/library/aria.c @@ -493,6 +493,9 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, } aria_rot128( ctx->rk[16], w[0], w[1], 19 ); + /* w holds enough info to reconstruct the round keys */ + mbedtls_zeroize( w, sizeof( w ) ); + return( 0 ); } From 08c337d058bef5f66bc8c28c5fa8b9df7b80b3ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 13:18:01 +0200 Subject: [PATCH 79/97] Remove useless parameter from function --- include/mbedtls/aria.h | 9 +++------ library/aria.c | 19 +++++++------------ library/cipher_wrap.c | 6 ++++-- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 0cf06c4c7..153c76a71 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -124,24 +124,21 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, * \brief This function performs an ARIA single-block encryption or * decryption operation. * - * It performs the operation defined in the \p mode parameter - * (encrypt or decrypt), on the input data buffer defined in - * the \p input parameter. + * It performs encryption or decryption (depending on whether + * the key was set for encryption on decryption) on the input + * data buffer defined in the \p input parameter. * * mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or * mbedtls_aria_setkey_dec() must be called before the first * call to this API with the same context. * * \param ctx The ARIA context to use for encryption or decryption. - * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or - * #MBEDTLS_ARIA_DECRYPT. * \param input The 16-Byte buffer holding the input data. * \param output The 16-Byte buffer holding the output data. * \return \c 0 on success. */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, - int mode, const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ); diff --git a/library/aria.c b/library/aria.c index 498a13264..646978e89 100644 --- a/library/aria.c +++ b/library/aria.c @@ -536,7 +536,6 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, * Encrypt a block */ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, - int mode, const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) { @@ -544,8 +543,6 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, uint32_t a, b, c, d; - ( (void) mode ); - GET_UINT32_LE( a, input, 0 ); GET_UINT32_LE( b, input, 4 ); GET_UINT32_LE( c, input, 8 ); @@ -626,7 +623,7 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, while( length > 0 ) { memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); - mbedtls_aria_crypt_ecb( ctx, mode, input, output ); + mbedtls_aria_crypt_ecb( ctx, input, output ); for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) output[i] = (unsigned char)( output[i] ^ iv[i] ); @@ -645,7 +642,7 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) output[i] = (unsigned char)( input[i] ^ iv[i] ); - mbedtls_aria_crypt_ecb( ctx, mode, output, output ); + mbedtls_aria_crypt_ecb( ctx, output, output ); memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); input += MBEDTLS_ARIA_BLOCKSIZE; @@ -678,7 +675,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, while( length-- ) { if( n == 0 ) - mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv ); + mbedtls_aria_crypt_ecb( ctx, iv, iv ); c = *input++; *output++ = (unsigned char)( c ^ iv[n] ); @@ -692,7 +689,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, while( length-- ) { if( n == 0 ) - mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv ); + mbedtls_aria_crypt_ecb( ctx, iv, iv ); iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); @@ -724,7 +721,7 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, while( length-- ) { if( n == 0 ) { - mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter, + mbedtls_aria_crypt_ecb( ctx, nonce_counter, stream_block ); for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) @@ -916,8 +913,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); - mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, - aria_test1_ecb_pt, blk ); + mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) ARIA_SELF_TEST_IF_FAIL; @@ -925,8 +921,7 @@ int mbedtls_aria_self_test( int verbose ) if( verbose ) printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); - mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, - aria_test1_ecb_ct[i], blk ); + mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) ARIA_SELF_TEST_IF_FAIL; } diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index 47851e9c0..b1ab8f164 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -831,7 +831,8 @@ static const mbedtls_cipher_info_t camellia_256_ccm_info = { static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation, const unsigned char *input, unsigned char *output ) { - return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, operation, input, + (void) operation; + return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, input, output ); } @@ -840,7 +841,8 @@ static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length, unsigned char *iv, const unsigned char *input, unsigned char *output ) { - return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv, + (void) operation; + return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, length, iv, input, output ); } #endif /* MBEDTLS_CIPHER_MODE_CBC */ From 565e4e0fb2fd86469f4969469afaff16965d48f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 13:30:28 +0200 Subject: [PATCH 80/97] Use more appropriate type for local variable --- library/aria.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/aria.c b/library/aria.c index 646978e89..ad15cebfa 100644 --- a/library/aria.c +++ b/library/aria.c @@ -667,7 +667,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, const unsigned char *input, unsigned char *output ) { - int c; + unsigned char c; size_t n = *iv_off; if( mode == MBEDTLS_ARIA_DECRYPT ) @@ -678,8 +678,8 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, mbedtls_aria_crypt_ecb( ctx, iv, iv ); c = *input++; - *output++ = (unsigned char)( c ^ iv[n] ); - iv[n] = (unsigned char) c; + *output++ = c ^ iv[n]; + iv[n] = c; n = ( n + 1 ) & 0x0F; } From 2df4bfe80336ecaee77262eddd15b752a78b07cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 13:39:01 +0200 Subject: [PATCH 81/97] Fix typo in comments --- library/aria.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aria.c b/library/aria.c index ad15cebfa..25beafc09 100644 --- a/library/aria.c +++ b/library/aria.c @@ -115,7 +115,7 @@ static inline uint32_t aria_p1( uint32_t x ) #endif /* arm */ #if defined(__GNUC__) && \ defined(__i386__) || defined(__amd64__) || defined( __x86_64__) -/* I couldn't find an Intel equivalent of ret16, so two instructions */ +/* I couldn't find an Intel equivalent of rev16, so two instructions */ #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) #endif /* x86 gnuc */ #endif /* MBEDTLS_HAVE_ASM && GNUC */ From c0893122df60de5d2ecdb45fb14d318f353e1045 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 15:17:20 +0200 Subject: [PATCH 82/97] Add ifdef for selftest in header file See https://github.com/ARMmbed/mbedtls/pull/975 --- include/mbedtls/aria.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 153c76a71..ea68ae9eb 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -298,12 +298,14 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, extern "C" { #endif +#if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine. * * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_aria_self_test( int verbose ); +#endif /* MBEDTLS_SELF_TEST */ #ifdef __cplusplus } From 0960b80d53b6338dd9dd5e79f2c082c0ab83dcf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 15:22:07 +0200 Subject: [PATCH 83/97] Move to new header style for ALT implementations See https://github.com/ARMmbed/mbedtls-restricted/pull/357 --- include/mbedtls/aria.h | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index ea68ae9eb..4bb1fc28a 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -70,6 +70,10 @@ typedef struct } mbedtls_aria_context; +#else /* MBEDTLS_ARIA_ALT */ +#include "aria_alt.h" +#endif /* MBEDTLS_ARIA_ALT */ + /** * \brief This function initializes the specified ARIA context. * @@ -286,18 +290,6 @@ int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, unsigned char *output ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ -#ifdef __cplusplus -} -#endif - -#else /* MBEDTLS_ARIA_ALT */ -#include "aria_alt.h" -#endif /* MBEDTLS_ARIA_ALT */ - -#ifdef __cplusplus -extern "C" { -#endif - #if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine. From 7124fb63be173bec1f73af56e5a14328f51780d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 22 May 2018 16:05:33 +0200 Subject: [PATCH 84/97] Use zeroize function from new platform_util --- library/aria.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/library/aria.c b/library/aria.c index 25beafc09..e9bcd6d13 100644 --- a/library/aria.c +++ b/library/aria.c @@ -48,16 +48,13 @@ #if !defined(MBEDTLS_ARIA_ALT) +#include "mbedtls/platform_util.h" + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline #endif -/* Implementation that should never be optimized out by the compiler */ -static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; -} - /* * 32-bit integer manipulation macros (little endian) */ @@ -494,7 +491,7 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, aria_rot128( ctx->rk[16], w[0], w[1], 19 ); /* w holds enough info to reconstruct the round keys */ - mbedtls_zeroize( w, sizeof( w ) ); + mbedtls_platform_zeroize( w, sizeof( w ) ); return( 0 ); } @@ -598,7 +595,7 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx ) if( ctx == NULL ) return; - mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) ); + mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); } #if defined(MBEDTLS_CIPHER_MODE_CBC) From 8a1b2c88060d05865794047958a44f34645b9f84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 23 May 2018 13:26:22 +0200 Subject: [PATCH 85/97] Update CTR documentation --- include/mbedtls/aria.h | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 4bb1fc28a..8e59ffc04 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -255,19 +255,44 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * * There are two common strategies for managing nonces with CTR: * - * 1. Use a counter starting at 0 or a random value. With this - * strategy, this function will increment the counter for you, so - * you only need to preserve the \p nonce_counter buffer between - * calls. With this strategy, you must not encrypt more than - * 2**128 blocks of data. - * 2. Use a randomly-generated \p nonce_counter for each call. - * With this strategy, you need to ensure the nonce is generated - * in an unbiased way and you must not encrypt more than 2**64 + * 1. You can handle everything as a single message processed over + * successive calls to this function. In that case, you want to + * set \p nonce_counter and \p nc_off to 0 for the first call, and + * then preserve the values of \p nonce_counter, \p nc_off and \p + * stream_block across calls to this function as they will be + * updated by this function. + * + * With this strategy, you must not encrypt more than 2**128 * blocks of data. * + * 2. You can encrypt separate messages by dividing the \p + * nonce_counter buffer in two areas: the first one used for a + * per-message nonce, handled by yourself, and the second one + * updated by this function internally. + * + * For example, you might reserve the first 12 bytes for the + * per-message nonce, and the last 4 bytes for internal use. In that + * case, before calling this function on a new message you need to + * set the first 12 bytes of \p nonce_counter to your chosen nonce + * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p + * stream_block to be ignored). That way, you can encrypt at most + * 2**96 messages of up to 2**32 blocks each. + * + * The per-message nonce (or information sufficient to reconstruct + * it) needs to be communicated with the ciphertext and must be unique. + * The recommended way to ensure uniqueness is to use a message + * counter. An alternative is to generate random nonces, but this + * limits the number of messages that can be securely encrypted: + * for example, with 96-bit random nonces, you should not encrypt + * more than 2**32 messages with the same key. + * * Note that for both stategies, the limit is in number of blocks * and that an ARIA block is 16 bytes. * + * \warning Upon return, \p stream_block constains sensitive data. Its + * content must not be written to insecure storage and should be + * securely discarded as soon as it's no longer needed. + * * \param ctx The ARIA context to use for encryption or decryption. * \param length The length of the input data. * \param nc_off The offset in the current \p stream_block, for From a64fba41fb034e908b1b59700499b2265b0ddb29 Mon Sep 17 00:00:00 2001 From: Moran Peker Date: Sun, 25 Feb 2018 13:29:03 +0200 Subject: [PATCH 86/97] Remove double declaration of mbedtls_ssl_list_ciphersuites Raised by TrinityTonic. #1359 --- ChangeLog | 4 ++++ include/mbedtls/ssl.h | 8 -------- 2 files changed, 4 insertions(+), 8 deletions(-) mode change 100644 => 100755 include/mbedtls/ssl.h diff --git a/ChangeLog b/ChangeLog index 348864c0e..5d697049b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ API Changes Therefore, mbedtls_platform_zeroize() is moved to the platform module to facilitate testing and maintenance. +Bugfix + * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by + TrinityTonic. #1359. + = mbed TLS 2.9.0 branch released 2018-04-30 Security diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h old mode 100644 new mode 100755 index f91066d57..250031a6d --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -946,14 +946,6 @@ extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl); extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl); #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ -/** - * \brief Returns the list of ciphersuites supported by the SSL/TLS module. - * - * \return a statically allocated array of ciphersuites, the last - * entry is 0. - */ -const int *mbedtls_ssl_list_ciphersuites( void ); - /** * \brief Return the name of the ciphersuite associated with the * given ID From f5842864d8f26664a65e45a1383ed3dbe509278a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 May 2018 11:51:58 +0200 Subject: [PATCH 87/97] Slightly tune ARIA CTR documentation --- include/mbedtls/aria.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 8e59ffc04..04f9240ea 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -263,7 +263,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * updated by this function. * * With this strategy, you must not encrypt more than 2**128 - * blocks of data. + * blocks of data with the same key. * * 2. You can encrypt separate messages by dividing the \p * nonce_counter buffer in two areas: the first one used for a @@ -276,7 +276,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * set the first 12 bytes of \p nonce_counter to your chosen nonce * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p * stream_block to be ignored). That way, you can encrypt at most - * 2**96 messages of up to 2**32 blocks each. + * 2**96 messages of up to 2**32 blocks each with the same key. * * The per-message nonce (or information sufficient to reconstruct * it) needs to be communicated with the ciphertext and must be unique. @@ -286,8 +286,8 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * for example, with 96-bit random nonces, you should not encrypt * more than 2**32 messages with the same key. * - * Note that for both stategies, the limit is in number of blocks - * and that an ARIA block is 16 bytes. + * Note that for both stategies, sizes are measured in blocks and + * that an ARIA block is 16 bytes. * * \warning Upon return, \p stream_block constains sensitive data. Its * content must not be written to insecure storage and should be From 4f24e9502e3de9ebd749482935bc58b9087e197a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 May 2018 11:59:30 +0200 Subject: [PATCH 88/97] Update CTR doc for other 128-bit block ciphers --- include/mbedtls/aes.h | 43 ++++++++++++++++++++++++++++---------- include/mbedtls/camellia.h | 43 ++++++++++++++++++++++++++++---------- 2 files changed, 64 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 4c0429d45..731e5685b 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -315,18 +315,39 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, * * There are two common strategies for managing nonces with CTR: * - * 1. Use a counter starting at 0 or a random value. With this - * strategy, this function will increment the counter for you, so - * you only need to preserve the \p nonce_counter buffer between - * calls. With this strategy, you must not encrypt more than - * 2**128 blocks of data. - * 2. Use a randomly-generated \p nonce_counter for each call. - * With this strategy, you need to ensure the nonce is generated - * in an unbiased way and you must not encrypt more than 2**64 - * blocks of data. + * 1. You can handle everything as a single message processed over + * successive calls to this function. In that case, you want to + * set \p nonce_counter and \p nc_off to 0 for the first call, and + * then preserve the values of \p nonce_counter, \p nc_off and \p + * stream_block across calls to this function as they will be + * updated by this function. * - * Note that for both stategies, the limit is in number of blocks - * and that an AES block is 16 bytes. + * With this strategy, you must not encrypt more than 2**128 + * blocks of data with the same key. + * + * 2. You can encrypt separate messages by dividing the \p + * nonce_counter buffer in two areas: the first one used for a + * per-message nonce, handled by yourself, and the second one + * updated by this function internally. + * + * For example, you might reserve the first 12 bytes for the + * per-message nonce, and the last 4 bytes for internal use. In that + * case, before calling this function on a new message you need to + * set the first 12 bytes of \p nonce_counter to your chosen nonce + * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p + * stream_block to be ignored). That way, you can encrypt at most + * 2**96 messages of up to 2**32 blocks each with the same key. + * + * The per-message nonce (or information sufficient to reconstruct + * it) needs to be communicated with the ciphertext and must be unique. + * The recommended way to ensure uniqueness is to use a message + * counter. An alternative is to generate random nonces, but this + * limits the number of messages that can be securely encrypted: + * for example, with 96-bit random nonces, you should not encrypt + * more than 2**32 messages with the same key. + * + * Note that for both stategies, sizes are measured in blocks and + * that an AES block is 16 bytes. * * \param ctx The AES context to use for encryption or decryption. * \param length The length of the input data. diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 2eb945d5f..1d3610fea 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -197,18 +197,39 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, * * There are two common strategies for managing nonces with CTR: * - * 1. Use a counter starting at 0 or a random value. With this - * strategy, this function will increment the counter for you, so - * you only need to preserve the \p nonce_counter buffer between - * calls. With this strategy, you must not encrypt more than - * 2**128 blocks of data. - * 2. Use a randomly-generated \p nonce_counter for each call. - * With this strategy, you need to ensure the nonce is generated - * in an unbiased way and you must not encrypt more than 2**64 - * blocks of data. + * 1. You can handle everything as a single message processed over + * successive calls to this function. In that case, you want to + * set \p nonce_counter and \p nc_off to 0 for the first call, and + * then preserve the values of \p nonce_counter, \p nc_off and \p + * stream_block across calls to this function as they will be + * updated by this function. * - * Note that for both stategies, the limit is in number of blocks - * and that a CAMELLIA block is 16 bytes. + * With this strategy, you must not encrypt more than 2**128 + * blocks of data with the same key. + * + * 2. You can encrypt separate messages by dividing the \p + * nonce_counter buffer in two areas: the first one used for a + * per-message nonce, handled by yourself, and the second one + * updated by this function internally. + * + * For example, you might reserve the first 12 bytes for the + * per-message nonce, and the last 4 bytes for internal use. In that + * case, before calling this function on a new message you need to + * set the first 12 bytes of \p nonce_counter to your chosen nonce + * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p + * stream_block to be ignored). That way, you can encrypt at most + * 2**96 messages of up to 2**32 blocks each with the same key. + * + * The per-message nonce (or information sufficient to reconstruct + * it) needs to be communicated with the ciphertext and must be unique. + * The recommended way to ensure uniqueness is to use a message + * counter. An alternative is to generate random nonces, but this + * limits the number of messages that can be securely encrypted: + * for example, with 96-bit random nonces, you should not encrypt + * more than 2**32 messages with the same key. + * + * Note that for both stategies, sizes are measured in blocks and + * that a CAMELLIA block is 16 bytes. * * \param ctx CAMELLIA context * \param length The length of the data From d0f143b1c9be651c08a9b16bc8f21aeeb589eca6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 May 2018 12:01:58 +0200 Subject: [PATCH 89/97] Update CTR doc for the 64-bit block cipher - constants need adjustment - don't mention "random nonces" as the space is too small --- include/mbedtls/blowfish.h | 40 +++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index 0318db697..fb16782aa 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -180,18 +180,36 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx, * * There are two common strategies for managing nonces with CTR: * - * 1. Use a counter starting at 0 or a random value. With this - * strategy, this function will increment the counter for you, so - * you only need to preserve the \p nonce_counter buffer between - * calls. With this strategy, you must not encrypt more than - * 2**64 blocks of data. - * 2. Use a randomly-generated \p nonce_counter for each call. - * With this strategy, you need to ensure the nonce is generated - * in an unbiased way and you must not encrypt more than 2**32 - * blocks of data. + * 1. You can handle everything as a single message processed over + * successive calls to this function. In that case, you want to + * set \p nonce_counter and \p nc_off to 0 for the first call, and + * then preserve the values of \p nonce_counter, \p nc_off and \p + * stream_block across calls to this function as they will be + * updated by this function. * - * Note that for both stategies, the limit is in number of blocks - * and that a Blowfish block is 8 bytes. + * With this strategy, you must not encrypt more than 2**64 + * blocks of data with the same key. + * + * 2. You can encrypt separate messages by dividing the \p + * nonce_counter buffer in two areas: the first one used for a + * per-message nonce, handled by yourself, and the second one + * updated by this function internally. + * + * For example, you might reserve the first 4 bytes for the + * per-message nonce, and the last 4 bytes for internal use. In that + * case, before calling this function on a new message you need to + * set the first 4 bytes of \p nonce_counter to your chosen nonce + * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p + * stream_block to be ignored). That way, you can encrypt at most + * 2**32 messages of up to 2**32 blocks each with the same key. + * + * The per-message nonce (or information sufficient to reconstruct + * it) needs to be communicated with the ciphertext and must be unique. + * The recommended way to ensure uniqueness is to use a message + * counter. + * + * Note that for both stategies, sizes are measured in blocks and + * that a Blowfish block is 8 bytes. * * \param ctx Blowfish context * \param length The length of the data From 39f25616b3b26ee069094cf6c957c6a2d3439c2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 May 2018 14:06:02 +0200 Subject: [PATCH 90/97] Fix edit mistake in cipher_wrap.c Error was from 08c337d058bef --- library/cipher_wrap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index b1ab8f164..a9ef8195c 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -841,8 +841,7 @@ static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length, unsigned char *iv, const unsigned char *input, unsigned char *output ) { - (void) operation; - return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, length, iv, + return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv, input, output ); } #endif /* MBEDTLS_CIPHER_MODE_CBC */ From fa0c47d4c81e0340770c3224dca1e5c082789535 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 May 2018 19:02:06 +0200 Subject: [PATCH 91/97] Fix typo in doc and copy missing warning --- include/mbedtls/aes.h | 4 ++++ include/mbedtls/aria.h | 2 +- include/mbedtls/blowfish.h | 4 ++++ include/mbedtls/camellia.h | 4 ++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 731e5685b..104c8f535 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -349,6 +349,10 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, * Note that for both stategies, sizes are measured in blocks and * that an AES block is 16 bytes. * + * \warning Upon return, \p stream_block contains sensitive data. Its + * content must not be written to insecure storage and should be + * securely discarded as soon as it's no longer needed. + * * \param ctx The AES context to use for encryption or decryption. * \param length The length of the input data. * \param nc_off The offset in the current \p stream_block, for diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 04f9240ea..bae0621b2 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -289,7 +289,7 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, * Note that for both stategies, sizes are measured in blocks and * that an ARIA block is 16 bytes. * - * \warning Upon return, \p stream_block constains sensitive data. Its + * \warning Upon return, \p stream_block contains sensitive data. Its * content must not be written to insecure storage and should be * securely discarded as soon as it's no longer needed. * diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index fb16782aa..985faa43f 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -211,6 +211,10 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx, * Note that for both stategies, sizes are measured in blocks and * that a Blowfish block is 8 bytes. * + * \warning Upon return, \p stream_block contains sensitive data. Its + * content must not be written to insecure storage and should be + * securely discarded as soon as it's no longer needed. + * * \param ctx Blowfish context * \param length The length of the data * \param nc_off The offset in the current stream_block (for resuming diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 1d3610fea..7e4721af7 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -231,6 +231,10 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx, * Note that for both stategies, sizes are measured in blocks and * that a CAMELLIA block is 16 bytes. * + * \warning Upon return, \p stream_block contains sensitive data. Its + * content must not be written to insecure storage and should be + * securely discarded as soon as it's no longer needed. + * * \param ctx CAMELLIA context * \param length The length of the data * \param nc_off The offset in the current stream_block (for resuming From e7d3f8e2ea94b03dceb7effd300edda9fd9822b9 Mon Sep 17 00:00:00 2001 From: Zach van Rijn Date: Mon, 21 May 2018 10:52:34 -0400 Subject: [PATCH 92/97] Fix MicroBlaze register typo. --- include/mbedtls/bn_mul.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h index 354c1cc1a..f4b2b561d 100644 --- a/include/mbedtls/bn_mul.h +++ b/include/mbedtls/bn_mul.h @@ -521,7 +521,7 @@ "swi r3, %2 \n\t" \ : "=m" (c), "=m" (d), "=m" (s) \ : "m" (s), "m" (d), "m" (c), "m" (b) \ - : "r3", "r4" "r5", "r6", "r7", "r8", \ + : "r3", "r4", "r5", "r6", "r7", "r8", \ "r9", "r10", "r11", "r12", "r13" \ ); From d72700a8ed22511d26187013a88653e199a2e7ef Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Fri, 1 Jun 2018 19:11:55 +0100 Subject: [PATCH 93/97] Add ChangeLog entry for PR#1651 --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 348864c0e..093b3a80b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ API Changes Therefore, mbedtls_platform_zeroize() is moved to the platform module to facilitate testing and maintenance. +Bugfix + * Fix an issue with MicroBlaze support in bn_mul.h which was causing the + build to fail. Found by zv-io. Fixes #1651. + = mbed TLS 2.9.0 branch released 2018-04-30 Security From 6e962b2762396c7bd1e810a53d0b497d4bd30c13 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Tue, 5 Jun 2018 10:25:04 +0100 Subject: [PATCH 94/97] Fix file permissions for ssl.h Correct the file permissions for ssl.h which were inadvertently made executable in PR#1402 --- include/mbedtls/ssl.h | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 include/mbedtls/ssl.h diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h old mode 100755 new mode 100644 From d08a2f7245c1e20e791c0ff3d4b8bbce5198a7d5 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Tue, 5 Jun 2018 15:53:06 +0100 Subject: [PATCH 95/97] Adapt the ARIA test cases for new ECB function Commit 08c337d058be "Remove useless parameter from function" removed the parameter mode from the functions mbedtls_aria_crypt_ecb() which broke their respective test suite. This commit fixes those test cases. --- tests/suites/test_suite_aria.function | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function index a662047cd..4e39078ff 100644 --- a/tests/suites/test_suite_aria.function +++ b/tests/suites/test_suite_aria.function @@ -42,9 +42,8 @@ void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string, { for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { - TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT, - src_str + i, output + i ) - == 0 ); + TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i ) + == 0 ); } hexify( dst_str, output, data_len ); @@ -82,8 +81,7 @@ void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string, { for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE ) { - TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT, - src_str + i, output + i ) + TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i ) == 0 ); } hexify( dst_str, output, data_len ); From ab72727da4b72c9c4e9059fae983b817b502d639 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Wed, 6 Jun 2018 13:55:05 +0200 Subject: [PATCH 96/97] Add a disabled CMAC define in the no-entropy configuration --- configs/config-no-entropy.h | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h index b4a0930b9..7d34ad52e 100644 --- a/configs/config-no-entropy.h +++ b/configs/config-no-entropy.h @@ -82,6 +82,7 @@ #define MBEDTLS_X509_USE_C #define MBEDTLS_X509_CRT_PARSE_C #define MBEDTLS_X509_CRL_PARSE_C +//#define MBEDTLS_CMAC_C /* Miscellaneous options */ #define MBEDTLS_AES_ROM_TABLES From d5a09f1e68a6c154a0b0ff9556c5fe1cd919c803 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Wed, 6 Jun 2018 14:47:47 +0100 Subject: [PATCH 97/97] Updated version number to 2.10.0 for release --- ChangeLog | 2 +- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- tests/suites/test_suite_version.data | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8ebe9bb61..4fbdb3d25 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.10.0 branch released 2018-06-06 Features * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index e27c221bb..9449cbbba 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.9.0 source code documentation + * @mainpage mbed TLS v2.10.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 510fa85b0..ddcbc2e04 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.9.0" +PROJECT_NAME = "mbed TLS v2.10.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index aa52ce21e..83e3c1726 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -39,7 +39,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 9 +#define MBEDTLS_VERSION_MINOR 10 #define MBEDTLS_VERSION_PATCH 0 /** @@ -47,9 +47,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02090000 -#define MBEDTLS_VERSION_STRING "2.9.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.9.0" +#define MBEDTLS_VERSION_NUMBER 0x020A0000 +#define MBEDTLS_VERSION_STRING "2.10.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.10.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 7ec08e7b7..6e5faa5a0 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -143,15 +143,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.9.0 SOVERSION 2) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.10.0 SOVERSION 2) target_link_libraries(mbedcrypto ${libs}) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.9.0 SOVERSION 0) + set_target_properties(mbedx509 PROPERTIES VERSION 2.10.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.9.0 SOVERSION 10) + set_target_properties(mbedtls PROPERTIES VERSION 2.10.0 SOVERSION 10) target_link_libraries(mbedtls ${libs} mbedx509) install(TARGETS mbedtls mbedx509 mbedcrypto diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 0aca47023..999a93365 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.9.0" +check_compiletime_version:"2.10.0" Check runtime library version -check_runtime_version:"2.9.0" +check_runtime_version:"2.10.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0