• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  ARIA implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  *
7  *  This file is provided under the Apache License 2.0, or the
8  *  GNU General Public License v2.0 or later.
9  *
10  *  **********
11  *  Apache License 2.0:
12  *
13  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
14  *  not use this file except in compliance with the License.
15  *  You may obtain a copy of the License at
16  *
17  *  http://www.apache.org/licenses/LICENSE-2.0
18  *
19  *  Unless required by applicable law or agreed to in writing, software
20  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22  *  See the License for the specific language governing permissions and
23  *  limitations under the License.
24  *
25  *  **********
26  *
27  *  **********
28  *  GNU General Public License v2.0 or later:
29  *
30  *  This program is free software; you can redistribute it and/or modify
31  *  it under the terms of the GNU General Public License as published by
32  *  the Free Software Foundation; either version 2 of the License, or
33  *  (at your option) any later version.
34  *
35  *  This program is distributed in the hope that it will be useful,
36  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
37  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
38  *  GNU General Public License for more details.
39  *
40  *  You should have received a copy of the GNU General Public License along
41  *  with this program; if not, write to the Free Software Foundation, Inc.,
42  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43  *
44  *  **********
45  */
46 
47 /*
48  * This implementation is based on the following standards:
49  * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
50  * [2] https://tools.ietf.org/html/rfc5794
51  */
52 
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58 
59 #if defined(MBEDTLS_ARIA_C)
60 
61 #include "mbedtls/aria.h"
62 
63 #include <string.h>
64 
65 #if defined(MBEDTLS_SELF_TEST)
66 #if defined(MBEDTLS_PLATFORM_C)
67 #include "mbedtls/platform.h"
68 #else
69 #include <stdio.h>
70 #define mbedtls_printf printf
71 #endif /* MBEDTLS_PLATFORM_C */
72 #endif /* MBEDTLS_SELF_TEST */
73 
74 #if !defined(MBEDTLS_ARIA_ALT)
75 
76 #include "mbedtls/platform_util.h"
77 
78 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
79     !defined(inline) && !defined(__cplusplus)
80 #define inline __inline
81 #endif
82 
83 /* Parameter validation macros */
84 #define ARIA_VALIDATE_RET( cond )                                       \
85     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
86 #define ARIA_VALIDATE( cond )                                           \
87     MBEDTLS_INTERNAL_VALIDATE( cond )
88 
89 /*
90  * 32-bit integer manipulation macros (little endian)
91  */
92 #ifndef GET_UINT32_LE
93 #define GET_UINT32_LE( n, b, i )                \
94 {                                               \
95     (n) = ( (uint32_t) (b)[(i)    ]       )     \
96         | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
97         | ( (uint32_t) (b)[(i) + 2] << 16 )     \
98         | ( (uint32_t) (b)[(i) + 3] << 24 );    \
99 }
100 #endif
101 
102 #ifndef PUT_UINT32_LE
103 #define PUT_UINT32_LE( n, b, i )                                \
104 {                                                               \
105     (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
106     (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
107     (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
108     (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
109 }
110 #endif
111 
112 /*
113  * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
114  *
115  * This is submatrix P1 in [1] Appendix B.1
116  *
117  * Common compilers fail to translate this to minimal number of instructions,
118  * so let's provide asm versions for common platforms with C fallback.
119  */
120 #if defined(MBEDTLS_HAVE_ASM)
121 #if defined(__arm__) /* rev16 available from v6 up */
122 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
123 #if defined(__GNUC__) && \
124     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
125     __ARM_ARCH >= 6
aria_p1(uint32_t x)126 static inline uint32_t aria_p1( uint32_t x )
127 {
128     uint32_t r;
129     __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
130     return( r );
131 }
132 #define ARIA_P1 aria_p1
133 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
134     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)135 static inline uint32_t aria_p1( uint32_t x )
136 {
137     uint32_t r;
138     __asm( "rev16 r, x" );
139     return( r );
140 }
141 #define ARIA_P1 aria_p1
142 #endif
143 #endif /* arm */
144 #if defined(__GNUC__) && \
145     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
146 /* I couldn't find an Intel equivalent of rev16, so two instructions */
147 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
148 #endif /* x86 gnuc */
149 #endif /* MBEDTLS_HAVE_ASM && GNUC */
150 #if !defined(ARIA_P1)
151 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
152 #endif
153 
154 /*
155  * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
156  *
157  * This is submatrix P2 in [1] Appendix B.1
158  *
159  * Common compilers will translate this to a single instruction.
160  */
161 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
162 
163 /*
164  * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
165  *
166  * This is submatrix P3 in [1] Appendix B.1
167  *
168  * Some compilers fail to translate this to a single instruction,
169  * so let's provide asm versions for common platforms with C fallback.
170  */
171 #if defined(MBEDTLS_HAVE_ASM)
172 #if defined(__arm__) /* rev available from v6 up */
173 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
174 #if defined(__GNUC__) && \
175     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
176     __ARM_ARCH >= 6
aria_p3(uint32_t x)177 static inline uint32_t aria_p3( uint32_t x )
178 {
179     uint32_t r;
180     __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
181     return( r );
182 }
183 #define ARIA_P3 aria_p3
184 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
185     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)186 static inline uint32_t aria_p3( uint32_t x )
187 {
188     uint32_t r;
189     __asm( "rev r, x" );
190     return( r );
191 }
192 #define ARIA_P3 aria_p3
193 #endif
194 #endif /* arm */
195 #if defined(__GNUC__) && \
196     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)197 static inline uint32_t aria_p3( uint32_t x )
198 {
199     __asm( "bswap %0" : "=r" (x) : "0" (x) );
200     return( x );
201 }
202 #define ARIA_P3 aria_p3
203 #endif /* x86 gnuc */
204 #endif /* MBEDTLS_HAVE_ASM && GNUC */
205 #if !defined(ARIA_P3)
206 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
207 #endif
208 
209 /*
210  * ARIA Affine Transform
211  * (a, b, c, d) = state in/out
212  *
213  * If we denote the first byte of input by 0, ..., the last byte by f,
214  * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
215  *
216  * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
217  * rearrangements on adjacent pairs, output is:
218  *
219  * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
220  *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
221  * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
222  *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
223  * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
224  *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
225  * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
226  *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
227  *
228  * Note: another presentation of the A transform can be found as the first
229  * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
230  * The implementation below uses only P1 and P2 as they are sufficient.
231  */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)232 static inline void aria_a( uint32_t *a, uint32_t *b,
233                            uint32_t *c, uint32_t *d )
234 {
235     uint32_t ta, tb, tc;
236     ta  =  *b;                      // 4567
237     *b  =  *a;                      // 0123
238     *a  =  ARIA_P2( ta );           // 6745
239     tb  =  ARIA_P2( *d );           // efcd
240     *d  =  ARIA_P1( *c );           // 98ba
241     *c  =  ARIA_P1( tb );           // fedc
242     ta  ^= *d;                      // 4567+98ba
243     tc  =  ARIA_P2( *b );           // 2301
244     ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
245     tb  ^= ARIA_P2( *d );           // ba98+efcd
246     tc  ^= ARIA_P1( *a );           // 2301+7654
247     *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
248     tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
249     *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
250     ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
251     *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
252     tc  =  ARIA_P2( tc );           // 0123+5476
253     *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
254 }
255 
256 /*
257  * ARIA Substitution Layer SL1 / SL2
258  * (a, b, c, d) = state in/out
259  * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
260  *
261  * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
262  * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
263  */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])264 static inline void aria_sl( uint32_t *a, uint32_t *b,
265                             uint32_t *c, uint32_t *d,
266                             const uint8_t sa[256], const uint8_t sb[256],
267                             const uint8_t sc[256], const uint8_t sd[256] )
268 {
269     *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
270          (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
271          (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
272          (((uint32_t) sd[ *a >> 24        ]) << 24);
273     *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
274          (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
275          (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
276          (((uint32_t) sd[ *b >> 24        ]) << 24);
277     *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
278          (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
279          (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
280          (((uint32_t) sd[ *c >> 24        ]) << 24);
281     *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
282          (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
283          (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
284          (((uint32_t) sd[ *d >> 24        ]) << 24);
285 }
286 
287 /*
288  * S-Boxes
289  */
290 static const uint8_t aria_sb1[256] =
291 {
292     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
293     0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
294     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
295     0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
296     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
297     0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
298     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
299     0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
300     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
301     0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
302     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
303     0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
304     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
305     0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
306     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
307     0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
308     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
309     0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
310     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
311     0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
312     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
313     0xB0, 0x54, 0xBB, 0x16
314 };
315 
316 static const uint8_t aria_sb2[256] =
317 {
318     0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
319     0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
320     0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
321     0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
322     0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
323     0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
324     0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
325     0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
326     0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
327     0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
328     0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
329     0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
330     0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
331     0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
332     0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
333     0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
334     0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
335     0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
336     0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
337     0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
338     0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
339     0xAF, 0xBA, 0xB5, 0x81
340 };
341 
342 static const uint8_t aria_is1[256] =
343 {
344     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
345     0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
346     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
347     0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
348     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
349     0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
350     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
351     0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
352     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
353     0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
354     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
355     0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
356     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
357     0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
358     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
359     0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
360     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
361     0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
362     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
363     0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
364     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
365     0x55, 0x21, 0x0C, 0x7D
366 };
367 
368 static const uint8_t aria_is2[256] =
369 {
370     0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
371     0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
372     0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
373     0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
374     0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
375     0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
376     0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
377     0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
378     0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
379     0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
380     0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
381     0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
382     0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
383     0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
384     0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
385     0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
386     0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
387     0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
388     0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
389     0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
390     0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
391     0x03, 0xA2, 0xAC, 0x60
392 };
393 
394 /*
395  * Helper for key schedule: r = FO( p, k ) ^ x
396  */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])397 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
398                          const uint32_t k[4], const uint32_t x[4] )
399 {
400     uint32_t a, b, c, d;
401 
402     a = p[0] ^ k[0];
403     b = p[1] ^ k[1];
404     c = p[2] ^ k[2];
405     d = p[3] ^ k[3];
406 
407     aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
408     aria_a( &a, &b, &c, &d );
409 
410     r[0] = a ^ x[0];
411     r[1] = b ^ x[1];
412     r[2] = c ^ x[2];
413     r[3] = d ^ x[3];
414 }
415 
416 /*
417  * Helper for key schedule: r = FE( p, k ) ^ x
418  */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])419 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
420                          const uint32_t k[4], const uint32_t x[4] )
421 {
422     uint32_t a, b, c, d;
423 
424     a = p[0] ^ k[0];
425     b = p[1] ^ k[1];
426     c = p[2] ^ k[2];
427     d = p[3] ^ k[3];
428 
429     aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
430     aria_a( &a, &b, &c, &d );
431 
432     r[0] = a ^ x[0];
433     r[1] = b ^ x[1];
434     r[2] = c ^ x[2];
435     r[3] = d ^ x[3];
436 }
437 
438 /*
439  * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
440  *
441  * We chose to store bytes into 32-bit words in little-endian format (see
442  * GET/PUT_UINT32_LE) so we need to reverse bytes here.
443  */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)444 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
445                          const uint32_t b[4], uint8_t n )
446 {
447     uint8_t i, j;
448     uint32_t t, u;
449 
450     const uint8_t n1 = n % 32;              // bit offset
451     const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
452 
453     j = ( n / 32 ) % 4;                     // initial word offset
454     t = ARIA_P3( b[j] );                    // big endian
455     for( i = 0; i < 4; i++ )
456     {
457         j = ( j + 1 ) % 4;                  // get next word, big endian
458         u = ARIA_P3( b[j] );
459         t <<= n1;                           // rotate
460         t |= u >> n2;
461         t = ARIA_P3( t );                   // back to little endian
462         r[i] = a[i] ^ t;                    // store
463         t = u;                              // move to next word
464     }
465 }
466 
467 /*
468  * Set encryption key
469  */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)470 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
471                              const unsigned char *key, unsigned int keybits )
472 {
473     /* round constant masks */
474     const uint32_t rc[3][4] =
475     {
476         {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
477         {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
478         {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
479     };
480 
481     int i;
482     uint32_t w[4][4], *w2;
483     ARIA_VALIDATE_RET( ctx != NULL );
484     ARIA_VALIDATE_RET( key != NULL );
485 
486     if( keybits != 128 && keybits != 192 && keybits != 256 )
487         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
488 
489     /* Copy key to W0 (and potential remainder to W1) */
490     GET_UINT32_LE( w[0][0], key,  0 );
491     GET_UINT32_LE( w[0][1], key,  4 );
492     GET_UINT32_LE( w[0][2], key,  8 );
493     GET_UINT32_LE( w[0][3], key, 12 );
494 
495     memset( w[1], 0, 16 );
496     if( keybits >= 192 )
497     {
498         GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
499         GET_UINT32_LE( w[1][1], key, 20 );
500     }
501     if( keybits == 256 )
502     {
503         GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
504         GET_UINT32_LE( w[1][3], key, 28 );
505     }
506 
507     i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
508     ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
509 
510     aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
511     i = i < 2 ? i + 1 : 0;
512     aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
513     i = i < 2 ? i + 1 : 0;
514     aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
515 
516     for( i = 0; i < 4; i++ )                // create round keys
517     {
518         w2 = w[(i + 1) & 3];
519         aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
520         aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
521         aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
522         aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
523     }
524     aria_rot128( ctx->rk[16], w[0], w[1], 19 );
525 
526     /* w holds enough info to reconstruct the round keys */
527     mbedtls_platform_zeroize( w, sizeof( w ) );
528 
529     return( 0 );
530 }
531 
532 /*
533  * Set decryption key
534  */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)535 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
536                              const unsigned char *key, unsigned int keybits )
537 {
538     int i, j, k, ret;
539     ARIA_VALIDATE_RET( ctx != NULL );
540     ARIA_VALIDATE_RET( key != NULL );
541 
542     ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
543     if( ret != 0 )
544         return( ret );
545 
546     /* flip the order of round keys */
547     for( i = 0, j = ctx->nr; i < j; i++, j-- )
548     {
549         for( k = 0; k < 4; k++ )
550         {
551             uint32_t t = ctx->rk[i][k];
552             ctx->rk[i][k] = ctx->rk[j][k];
553             ctx->rk[j][k] = t;
554         }
555     }
556 
557     /* apply affine transform to middle keys */
558     for( i = 1; i < ctx->nr; i++ )
559     {
560         aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
561                 &ctx->rk[i][2], &ctx->rk[i][3] );
562     }
563 
564     return( 0 );
565 }
566 
567 /*
568  * Encrypt a block
569  */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])570 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
571                             const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
572                             unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
573 {
574     int i;
575 
576     uint32_t a, b, c, d;
577     ARIA_VALIDATE_RET( ctx != NULL );
578     ARIA_VALIDATE_RET( input != NULL );
579     ARIA_VALIDATE_RET( output != NULL );
580 
581     GET_UINT32_LE( a, input,  0 );
582     GET_UINT32_LE( b, input,  4 );
583     GET_UINT32_LE( c, input,  8 );
584     GET_UINT32_LE( d, input, 12 );
585 
586     i = 0;
587     while( 1 )
588     {
589         a ^= ctx->rk[i][0];
590         b ^= ctx->rk[i][1];
591         c ^= ctx->rk[i][2];
592         d ^= ctx->rk[i][3];
593         i++;
594 
595         aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
596         aria_a( &a, &b, &c, &d );
597 
598         a ^= ctx->rk[i][0];
599         b ^= ctx->rk[i][1];
600         c ^= ctx->rk[i][2];
601         d ^= ctx->rk[i][3];
602         i++;
603 
604         aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
605         if( i >= ctx->nr )
606             break;
607         aria_a( &a, &b, &c, &d );
608     }
609 
610     /* final key mixing */
611     a ^= ctx->rk[i][0];
612     b ^= ctx->rk[i][1];
613     c ^= ctx->rk[i][2];
614     d ^= ctx->rk[i][3];
615 
616     PUT_UINT32_LE( a, output,  0 );
617     PUT_UINT32_LE( b, output,  4 );
618     PUT_UINT32_LE( c, output,  8 );
619     PUT_UINT32_LE( d, output, 12 );
620 
621     return( 0 );
622 }
623 
624 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)625 void mbedtls_aria_init( mbedtls_aria_context *ctx )
626 {
627     ARIA_VALIDATE( ctx != NULL );
628     memset( ctx, 0, sizeof( mbedtls_aria_context ) );
629 }
630 
631 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)632 void mbedtls_aria_free( mbedtls_aria_context *ctx )
633 {
634     if( ctx == NULL )
635         return;
636 
637     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
638 }
639 
640 #if defined(MBEDTLS_CIPHER_MODE_CBC)
641 /*
642  * ARIA-CBC buffer encryption/decryption
643  */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)644 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
645                             int mode,
646                             size_t length,
647                             unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
648                             const unsigned char *input,
649                             unsigned char *output )
650 {
651     int i;
652     unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
653 
654     ARIA_VALIDATE_RET( ctx != NULL );
655     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
656                        mode == MBEDTLS_ARIA_DECRYPT );
657     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
658     ARIA_VALIDATE_RET( length == 0 || output != NULL );
659     ARIA_VALIDATE_RET( iv != NULL );
660 
661     if( length % MBEDTLS_ARIA_BLOCKSIZE )
662         return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
663 
664     if( mode == MBEDTLS_ARIA_DECRYPT )
665     {
666         while( length > 0 )
667         {
668             memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
669             mbedtls_aria_crypt_ecb( ctx, input, output );
670 
671             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
672                 output[i] = (unsigned char)( output[i] ^ iv[i] );
673 
674             memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
675 
676             input  += MBEDTLS_ARIA_BLOCKSIZE;
677             output += MBEDTLS_ARIA_BLOCKSIZE;
678             length -= MBEDTLS_ARIA_BLOCKSIZE;
679         }
680     }
681     else
682     {
683         while( length > 0 )
684         {
685             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
686                 output[i] = (unsigned char)( input[i] ^ iv[i] );
687 
688             mbedtls_aria_crypt_ecb( ctx, output, output );
689             memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
690 
691             input  += MBEDTLS_ARIA_BLOCKSIZE;
692             output += MBEDTLS_ARIA_BLOCKSIZE;
693             length -= MBEDTLS_ARIA_BLOCKSIZE;
694         }
695     }
696 
697     return( 0 );
698 }
699 #endif /* MBEDTLS_CIPHER_MODE_CBC */
700 
701 #if defined(MBEDTLS_CIPHER_MODE_CFB)
702 /*
703  * ARIA-CFB128 buffer encryption/decryption
704  */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)705 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
706                                int mode,
707                                size_t length,
708                                size_t *iv_off,
709                                unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
710                                const unsigned char *input,
711                                unsigned char *output )
712 {
713     unsigned char c;
714     size_t n;
715 
716     ARIA_VALIDATE_RET( ctx != NULL );
717     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
718                        mode == MBEDTLS_ARIA_DECRYPT );
719     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
720     ARIA_VALIDATE_RET( length == 0 || output != NULL );
721     ARIA_VALIDATE_RET( iv != NULL );
722     ARIA_VALIDATE_RET( iv_off != NULL );
723 
724     n = *iv_off;
725 
726     /* An overly large value of n can lead to an unlimited
727      * buffer overflow. Therefore, guard against this
728      * outside of parameter validation. */
729     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
730         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
731 
732     if( mode == MBEDTLS_ARIA_DECRYPT )
733     {
734         while( length-- )
735         {
736             if( n == 0 )
737                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
738 
739             c = *input++;
740             *output++ = c ^ iv[n];
741             iv[n] = c;
742 
743             n = ( n + 1 ) & 0x0F;
744         }
745     }
746     else
747     {
748         while( length-- )
749         {
750             if( n == 0 )
751                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
752 
753             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
754 
755             n = ( n + 1 ) & 0x0F;
756         }
757     }
758 
759     *iv_off = n;
760 
761     return( 0 );
762 }
763 #endif /* MBEDTLS_CIPHER_MODE_CFB */
764 
765 #if defined(MBEDTLS_CIPHER_MODE_CTR)
766 /*
767  * ARIA-CTR buffer encryption/decryption
768  */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)769 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
770                             size_t length,
771                             size_t *nc_off,
772                             unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
773                             unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
774                             const unsigned char *input,
775                             unsigned char *output )
776 {
777     int c, i;
778     size_t n;
779 
780     ARIA_VALIDATE_RET( ctx != NULL );
781     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
782     ARIA_VALIDATE_RET( length == 0 || output != NULL );
783     ARIA_VALIDATE_RET( nonce_counter != NULL );
784     ARIA_VALIDATE_RET( stream_block  != NULL );
785     ARIA_VALIDATE_RET( nc_off != NULL );
786 
787     n = *nc_off;
788     /* An overly large value of n can lead to an unlimited
789      * buffer overflow. Therefore, guard against this
790      * outside of parameter validation. */
791     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
792         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
793 
794     while( length-- )
795     {
796         if( n == 0 ) {
797             mbedtls_aria_crypt_ecb( ctx, nonce_counter,
798                                 stream_block );
799 
800             for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
801                 if( ++nonce_counter[i - 1] != 0 )
802                     break;
803         }
804         c = *input++;
805         *output++ = (unsigned char)( c ^ stream_block[n] );
806 
807         n = ( n + 1 ) & 0x0F;
808     }
809 
810     *nc_off = n;
811 
812     return( 0 );
813 }
814 #endif /* MBEDTLS_CIPHER_MODE_CTR */
815 #endif /* !MBEDTLS_ARIA_ALT */
816 
817 #if defined(MBEDTLS_SELF_TEST)
818 
819 /*
820  * Basic ARIA ECB test vectors from RFC 5794
821  */
822 static const uint8_t aria_test1_ecb_key[32] =           // test key
823 {
824     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
825     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
826     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
827     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
828 };
829 
830 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
831 {
832     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
833     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
834 };
835 
836 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
837 {
838     { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
839       0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
840     { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
841       0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
842     { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
843       0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
844 };
845 
846 /*
847  * Mode tests from "Test Vectors for ARIA"  Version 1.0
848  * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
849  */
850 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
851     defined(MBEDTLS_CIPHER_MODE_CTR))
852 static const uint8_t aria_test2_key[32] =
853 {
854     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
855     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
856     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
857     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
858 };
859 
860 static const uint8_t aria_test2_pt[48] =
861 {
862     0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
863     0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
864     0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
865     0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
866     0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
867     0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
868 };
869 #endif
870 
871 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
872 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
873 {
874     0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
875     0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
876 };
877 #endif
878 
879 #if defined(MBEDTLS_CIPHER_MODE_CBC)
880 static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
881 {
882     { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
883       0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
884       0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
885       0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
886       0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
887       0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
888     { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
889       0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
890       0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
891       0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
892       0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
893       0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
894     { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
895       0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
896       0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
897       0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
898       0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
899       0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
900 };
901 #endif /* MBEDTLS_CIPHER_MODE_CBC */
902 
903 #if defined(MBEDTLS_CIPHER_MODE_CFB)
904 static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
905 {
906     { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
907       0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
908       0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
909       0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
910       0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
911       0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
912     { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
913       0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
914       0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
915       0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
916       0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
917       0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
918     { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
919       0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
920       0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
921       0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
922       0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
923       0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
924 };
925 #endif /* MBEDTLS_CIPHER_MODE_CFB */
926 
927 #if defined(MBEDTLS_CIPHER_MODE_CTR)
928 static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
929 {
930     { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
931       0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
932       0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
933       0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
934       0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
935       0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
936     { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
937       0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
938       0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
939       0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
940       0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
941       0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
942     { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
943       0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
944       0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
945       0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
946       0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
947       0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
948 };
949 #endif /* MBEDTLS_CIPHER_MODE_CFB */
950 
951 #define ARIA_SELF_TEST_IF_FAIL              \
952         {                                   \
953             if( verbose )                   \
954                 mbedtls_printf( "failed\n" );       \
955             goto exit;                              \
956         } else {                            \
957             if( verbose )                   \
958                 mbedtls_printf( "passed\n" );       \
959         }
960 
961 /*
962  * Checkup routine
963  */
mbedtls_aria_self_test(int verbose)964 int mbedtls_aria_self_test( int verbose )
965 {
966     int i;
967     uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
968     mbedtls_aria_context ctx;
969     int ret = 1;
970 
971 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
972     size_t j;
973 #endif
974 
975 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
976      defined(MBEDTLS_CIPHER_MODE_CFB) || \
977      defined(MBEDTLS_CIPHER_MODE_CTR))
978     uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
979 #endif
980 
981     mbedtls_aria_init( &ctx );
982 
983     /*
984      * Test set 1
985      */
986     for( i = 0; i < 3; i++ )
987     {
988         /* test ECB encryption */
989         if( verbose )
990             mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
991         mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
992         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
993         if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
994             ARIA_SELF_TEST_IF_FAIL;
995 
996         /* test ECB decryption */
997         if( verbose )
998             mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
999         mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
1000         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
1001         if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
1002             ARIA_SELF_TEST_IF_FAIL;
1003     }
1004     if( verbose )
1005         mbedtls_printf( "\n" );
1006 
1007     /*
1008      * Test set 2
1009      */
1010 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1011     for( i = 0; i < 3; i++ )
1012     {
1013         /* Test CBC encryption */
1014         if( verbose )
1015             mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
1016         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1017         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1018         memset( buf, 0x55, sizeof( buf ) );
1019         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
1020             aria_test2_pt, buf );
1021         if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
1022             ARIA_SELF_TEST_IF_FAIL;
1023 
1024         /* Test CBC decryption */
1025         if( verbose )
1026             mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
1027         mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1028         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1029         memset( buf, 0xAA, sizeof( buf ) );
1030         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1031             aria_test2_cbc_ct[i], buf );
1032         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1033             ARIA_SELF_TEST_IF_FAIL;
1034     }
1035     if( verbose )
1036         mbedtls_printf( "\n" );
1037 
1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1039 
1040 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1041     for( i = 0; i < 3; i++ )
1042     {
1043         /* Test CFB encryption */
1044         if( verbose )
1045             mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
1046         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1047         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1048         memset( buf, 0x55, sizeof( buf ) );
1049         j = 0;
1050         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1051             aria_test2_pt, buf );
1052         if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1053             ARIA_SELF_TEST_IF_FAIL;
1054 
1055         /* Test CFB decryption */
1056         if( verbose )
1057             mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
1058         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1059         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1060         memset( buf, 0xAA, sizeof( buf ) );
1061         j = 0;
1062         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1063             iv, aria_test2_cfb_ct[i], buf );
1064         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1065             ARIA_SELF_TEST_IF_FAIL;
1066     }
1067     if( verbose )
1068         mbedtls_printf( "\n" );
1069 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1070 
1071 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1072     for( i = 0; i < 3; i++ )
1073     {
1074         /* Test CTR encryption */
1075         if( verbose )
1076             mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
1077         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1078         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1079         memset( buf, 0x55, sizeof( buf ) );
1080         j = 0;
1081         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1082             aria_test2_pt, buf );
1083         if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1084             ARIA_SELF_TEST_IF_FAIL;
1085 
1086         /* Test CTR decryption */
1087         if( verbose )
1088             mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
1089         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1090         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1091         memset( buf, 0xAA, sizeof( buf ) );
1092         j = 0;
1093         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1094             aria_test2_ctr_ct[i], buf );
1095         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1096             ARIA_SELF_TEST_IF_FAIL;
1097     }
1098     if( verbose )
1099         mbedtls_printf( "\n" );
1100 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1101 
1102     ret = 0;
1103 
1104 exit:
1105     mbedtls_aria_free( &ctx );
1106     return( ret );
1107 }
1108 
1109 #endif /* MBEDTLS_SELF_TEST */
1110 
1111 #endif /* MBEDTLS_ARIA_C */
1112