• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  ARIA implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 /*
21  * This implementation is based on the following standards:
22  * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23  * [2] https://tools.ietf.org/html/rfc5794
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_ARIA_C)
29 
30 #include "mbedtls/aria.h"
31 
32 #include <string.h>
33 
34 #if defined(MBEDTLS_SELF_TEST)
35 #if defined(MBEDTLS_PLATFORM_C)
36 #include "mbedtls/platform.h"
37 #else
38 #include <stdio.h>
39 #define mbedtls_printf printf
40 #endif /* MBEDTLS_PLATFORM_C */
41 #endif /* MBEDTLS_SELF_TEST */
42 
43 #if !defined(MBEDTLS_ARIA_ALT)
44 
45 #include "mbedtls/platform_util.h"
46 
47 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
48     !defined(inline) && !defined(__cplusplus)
49 #define inline __inline
50 #endif
51 
52 /* Parameter validation macros */
53 #define ARIA_VALIDATE_RET( cond )                                       \
54     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
55 #define ARIA_VALIDATE( cond )                                           \
56     MBEDTLS_INTERNAL_VALIDATE( cond )
57 
58 /*
59  * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
60  *
61  * This is submatrix P1 in [1] Appendix B.1
62  *
63  * Common compilers fail to translate this to minimal number of instructions,
64  * so let's provide asm versions for common platforms with C fallback.
65  */
66 #if defined(MBEDTLS_HAVE_ASM)
67 #if defined(__arm__) /* rev16 available from v6 up */
68 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
69 #if defined(__GNUC__) && \
70     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
71     __ARM_ARCH >= 6
aria_p1(uint32_t x)72 static inline uint32_t aria_p1( uint32_t x )
73 {
74     uint32_t r;
75     __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
76     return( r );
77 }
78 #define ARIA_P1 aria_p1
79 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
80     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)81 static inline uint32_t aria_p1( uint32_t x )
82 {
83     uint32_t r;
84     __asm( "rev16 r, x" );
85     return( r );
86 }
87 #define ARIA_P1 aria_p1
88 #endif
89 #endif /* arm */
90 #if defined(__GNUC__) && \
91     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
92 /* I couldn't find an Intel equivalent of rev16, so two instructions */
93 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
94 #endif /* x86 gnuc */
95 #endif /* MBEDTLS_HAVE_ASM && GNUC */
96 #if !defined(ARIA_P1)
97 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
98 #endif
99 
100 /*
101  * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
102  *
103  * This is submatrix P2 in [1] Appendix B.1
104  *
105  * Common compilers will translate this to a single instruction.
106  */
107 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
108 
109 /*
110  * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
111  *
112  * This is submatrix P3 in [1] Appendix B.1
113  *
114  * Some compilers fail to translate this to a single instruction,
115  * so let's provide asm versions for common platforms with C fallback.
116  */
117 #if defined(MBEDTLS_HAVE_ASM)
118 #if defined(__arm__) /* rev available from v6 up */
119 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
120 #if defined(__GNUC__) && \
121     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
122     __ARM_ARCH >= 6
aria_p3(uint32_t x)123 static inline uint32_t aria_p3( uint32_t x )
124 {
125     uint32_t r;
126     __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
127     return( r );
128 }
129 #define ARIA_P3 aria_p3
130 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
131     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)132 static inline uint32_t aria_p3( uint32_t x )
133 {
134     uint32_t r;
135     __asm( "rev r, x" );
136     return( r );
137 }
138 #define ARIA_P3 aria_p3
139 #endif
140 #endif /* arm */
141 #if defined(__GNUC__) && \
142     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)143 static inline uint32_t aria_p3( uint32_t x )
144 {
145     __asm( "bswap %0" : "=r" (x) : "0" (x) );
146     return( x );
147 }
148 #define ARIA_P3 aria_p3
149 #endif /* x86 gnuc */
150 #endif /* MBEDTLS_HAVE_ASM && GNUC */
151 #if !defined(ARIA_P3)
152 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
153 #endif
154 
155 /*
156  * ARIA Affine Transform
157  * (a, b, c, d) = state in/out
158  *
159  * If we denote the first byte of input by 0, ..., the last byte by f,
160  * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
161  *
162  * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
163  * rearrangements on adjacent pairs, output is:
164  *
165  * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
166  *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
167  * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
168  *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
169  * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
170  *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
171  * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
172  *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
173  *
174  * Note: another presentation of the A transform can be found as the first
175  * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
176  * The implementation below uses only P1 and P2 as they are sufficient.
177  */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)178 static inline void aria_a( uint32_t *a, uint32_t *b,
179                            uint32_t *c, uint32_t *d )
180 {
181     uint32_t ta, tb, tc;
182     ta  =  *b;                      // 4567
183     *b  =  *a;                      // 0123
184     *a  =  ARIA_P2( ta );           // 6745
185     tb  =  ARIA_P2( *d );           // efcd
186     *d  =  ARIA_P1( *c );           // 98ba
187     *c  =  ARIA_P1( tb );           // fedc
188     ta  ^= *d;                      // 4567+98ba
189     tc  =  ARIA_P2( *b );           // 2301
190     ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
191     tb  ^= ARIA_P2( *d );           // ba98+efcd
192     tc  ^= ARIA_P1( *a );           // 2301+7654
193     *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
194     tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
195     *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
196     ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
197     *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
198     tc  =  ARIA_P2( tc );           // 0123+5476
199     *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
200 }
201 
202 /*
203  * ARIA Substitution Layer SL1 / SL2
204  * (a, b, c, d) = state in/out
205  * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
206  *
207  * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
208  * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
209  */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])210 static inline void aria_sl( uint32_t *a, uint32_t *b,
211                             uint32_t *c, uint32_t *d,
212                             const uint8_t sa[256], const uint8_t sb[256],
213                             const uint8_t sc[256], const uint8_t sd[256] )
214 {
215     *a = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *a ) ]       ) ^
216          (((uint32_t) sb[ MBEDTLS_BYTE_1( *a ) ]) <<  8) ^
217          (((uint32_t) sc[ MBEDTLS_BYTE_2( *a ) ]) << 16) ^
218          (((uint32_t) sd[ MBEDTLS_BYTE_3( *a ) ]) << 24);
219     *b = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *b ) ]       ) ^
220          (((uint32_t) sb[ MBEDTLS_BYTE_1( *b ) ]) <<  8) ^
221          (((uint32_t) sc[ MBEDTLS_BYTE_2( *b ) ]) << 16) ^
222          (((uint32_t) sd[ MBEDTLS_BYTE_3( *b ) ]) << 24);
223     *c = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *c ) ]       ) ^
224          (((uint32_t) sb[ MBEDTLS_BYTE_1( *c ) ]) <<  8) ^
225          (((uint32_t) sc[ MBEDTLS_BYTE_2( *c ) ]) << 16) ^
226          (((uint32_t) sd[ MBEDTLS_BYTE_3( *c ) ]) << 24);
227     *d = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *d ) ]       ) ^
228          (((uint32_t) sb[ MBEDTLS_BYTE_1( *d ) ]) <<  8) ^
229          (((uint32_t) sc[ MBEDTLS_BYTE_2( *d ) ]) << 16) ^
230          (((uint32_t) sd[ MBEDTLS_BYTE_3( *d ) ]) << 24);
231 }
232 
233 /*
234  * S-Boxes
235  */
236 static const uint8_t aria_sb1[256] =
237 {
238     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
239     0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
240     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
241     0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
242     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
243     0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
244     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
245     0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
246     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
247     0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
248     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
249     0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
250     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
251     0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
252     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
253     0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
254     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
255     0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
256     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
257     0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
258     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
259     0xB0, 0x54, 0xBB, 0x16
260 };
261 
262 static const uint8_t aria_sb2[256] =
263 {
264     0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
265     0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
266     0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
267     0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
268     0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
269     0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
270     0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
271     0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
272     0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
273     0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
274     0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
275     0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
276     0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
277     0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
278     0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
279     0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
280     0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
281     0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
282     0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
283     0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
284     0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
285     0xAF, 0xBA, 0xB5, 0x81
286 };
287 
288 static const uint8_t aria_is1[256] =
289 {
290     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
291     0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
292     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
293     0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
294     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
295     0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
296     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
297     0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
298     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
299     0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
300     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
301     0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
302     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
303     0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
304     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
305     0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
306     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
307     0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
308     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
309     0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
310     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
311     0x55, 0x21, 0x0C, 0x7D
312 };
313 
314 static const uint8_t aria_is2[256] =
315 {
316     0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
317     0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
318     0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
319     0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
320     0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
321     0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
322     0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
323     0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
324     0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
325     0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
326     0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
327     0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
328     0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
329     0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
330     0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
331     0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
332     0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
333     0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
334     0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
335     0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
336     0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
337     0x03, 0xA2, 0xAC, 0x60
338 };
339 
340 /*
341  * Helper for key schedule: r = FO( p, k ) ^ x
342  */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])343 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
344                          const uint32_t k[4], const uint32_t x[4] )
345 {
346     uint32_t a, b, c, d;
347 
348     a = p[0] ^ k[0];
349     b = p[1] ^ k[1];
350     c = p[2] ^ k[2];
351     d = p[3] ^ k[3];
352 
353     aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
354     aria_a( &a, &b, &c, &d );
355 
356     r[0] = a ^ x[0];
357     r[1] = b ^ x[1];
358     r[2] = c ^ x[2];
359     r[3] = d ^ x[3];
360 }
361 
362 /*
363  * Helper for key schedule: r = FE( p, k ) ^ x
364  */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])365 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
366                          const uint32_t k[4], const uint32_t x[4] )
367 {
368     uint32_t a, b, c, d;
369 
370     a = p[0] ^ k[0];
371     b = p[1] ^ k[1];
372     c = p[2] ^ k[2];
373     d = p[3] ^ k[3];
374 
375     aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
376     aria_a( &a, &b, &c, &d );
377 
378     r[0] = a ^ x[0];
379     r[1] = b ^ x[1];
380     r[2] = c ^ x[2];
381     r[3] = d ^ x[3];
382 }
383 
384 /*
385  * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
386  *
387  * We chose to store bytes into 32-bit words in little-endian format (see
388  * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
389  * bytes here.
390  */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)391 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
392                          const uint32_t b[4], uint8_t n )
393 {
394     uint8_t i, j;
395     uint32_t t, u;
396 
397     const uint8_t n1 = n % 32;              // bit offset
398     const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
399 
400     j = ( n / 32 ) % 4;                     // initial word offset
401     t = ARIA_P3( b[j] );                    // big endian
402     for( i = 0; i < 4; i++ )
403     {
404         j = ( j + 1 ) % 4;                  // get next word, big endian
405         u = ARIA_P3( b[j] );
406         t <<= n1;                           // rotate
407         t |= u >> n2;
408         t = ARIA_P3( t );                   // back to little endian
409         r[i] = a[i] ^ t;                    // store
410         t = u;                              // move to next word
411     }
412 }
413 
414 /*
415  * Set encryption key
416  */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)417 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
418                              const unsigned char *key, unsigned int keybits )
419 {
420     /* round constant masks */
421     const uint32_t rc[3][4] =
422     {
423         {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
424         {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
425         {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
426     };
427 
428     int i;
429     uint32_t w[4][4], *w2;
430     ARIA_VALIDATE_RET( ctx != NULL );
431     ARIA_VALIDATE_RET( key != NULL );
432 
433     if( keybits != 128 && keybits != 192 && keybits != 256 )
434         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
435 
436     /* Copy key to W0 (and potential remainder to W1) */
437     w[0][0] = MBEDTLS_GET_UINT32_LE( key,  0 );
438     w[0][1] = MBEDTLS_GET_UINT32_LE( key,  4 );
439     w[0][2] = MBEDTLS_GET_UINT32_LE( key,  8 );
440     w[0][3] = MBEDTLS_GET_UINT32_LE( key, 12 );
441 
442     memset( w[1], 0, 16 );
443     if( keybits >= 192 )
444     {
445         w[1][0] = MBEDTLS_GET_UINT32_LE( key, 16 );  // 192 bit key
446         w[1][1] = MBEDTLS_GET_UINT32_LE( key, 20 );
447     }
448     if( keybits == 256 )
449     {
450         w[1][2] = MBEDTLS_GET_UINT32_LE( key, 24 );  // 256 bit key
451         w[1][3] = MBEDTLS_GET_UINT32_LE( key, 28 );
452     }
453 
454     i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
455     ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
456 
457     aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
458     i = i < 2 ? i + 1 : 0;
459     aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
460     i = i < 2 ? i + 1 : 0;
461     aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
462 
463     for( i = 0; i < 4; i++ )                // create round keys
464     {
465         w2 = w[(i + 1) & 3];
466         aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
467         aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
468         aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
469         aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
470     }
471     aria_rot128( ctx->rk[16], w[0], w[1], 19 );
472 
473     /* w holds enough info to reconstruct the round keys */
474     mbedtls_platform_zeroize( w, sizeof( w ) );
475 
476     return( 0 );
477 }
478 
479 /*
480  * Set decryption key
481  */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)482 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
483                              const unsigned char *key, unsigned int keybits )
484 {
485     int i, j, k, ret;
486     ARIA_VALIDATE_RET( ctx != NULL );
487     ARIA_VALIDATE_RET( key != NULL );
488 
489     ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
490     if( ret != 0 )
491         return( ret );
492 
493     /* flip the order of round keys */
494     for( i = 0, j = ctx->nr; i < j; i++, j-- )
495     {
496         for( k = 0; k < 4; k++ )
497         {
498             uint32_t t = ctx->rk[i][k];
499             ctx->rk[i][k] = ctx->rk[j][k];
500             ctx->rk[j][k] = t;
501         }
502     }
503 
504     /* apply affine transform to middle keys */
505     for( i = 1; i < ctx->nr; i++ )
506     {
507         aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
508                 &ctx->rk[i][2], &ctx->rk[i][3] );
509     }
510 
511     return( 0 );
512 }
513 
514 /*
515  * Encrypt a block
516  */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])517 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
518                             const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
519                             unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
520 {
521     int i;
522 
523     uint32_t a, b, c, d;
524     ARIA_VALIDATE_RET( ctx != NULL );
525     ARIA_VALIDATE_RET( input != NULL );
526     ARIA_VALIDATE_RET( output != NULL );
527 
528     a = MBEDTLS_GET_UINT32_LE( input,  0 );
529     b = MBEDTLS_GET_UINT32_LE( input,  4 );
530     c = MBEDTLS_GET_UINT32_LE( input,  8 );
531     d = MBEDTLS_GET_UINT32_LE( input, 12 );
532 
533     i = 0;
534     while( 1 )
535     {
536         a ^= ctx->rk[i][0];
537         b ^= ctx->rk[i][1];
538         c ^= ctx->rk[i][2];
539         d ^= ctx->rk[i][3];
540         i++;
541 
542         aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
543         aria_a( &a, &b, &c, &d );
544 
545         a ^= ctx->rk[i][0];
546         b ^= ctx->rk[i][1];
547         c ^= ctx->rk[i][2];
548         d ^= ctx->rk[i][3];
549         i++;
550 
551         aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
552         if( i >= ctx->nr )
553             break;
554         aria_a( &a, &b, &c, &d );
555     }
556 
557     /* final key mixing */
558     a ^= ctx->rk[i][0];
559     b ^= ctx->rk[i][1];
560     c ^= ctx->rk[i][2];
561     d ^= ctx->rk[i][3];
562 
563     MBEDTLS_PUT_UINT32_LE( a, output,  0 );
564     MBEDTLS_PUT_UINT32_LE( b, output,  4 );
565     MBEDTLS_PUT_UINT32_LE( c, output,  8 );
566     MBEDTLS_PUT_UINT32_LE( d, output, 12 );
567 
568     return( 0 );
569 }
570 
571 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)572 void mbedtls_aria_init( mbedtls_aria_context *ctx )
573 {
574     ARIA_VALIDATE( ctx != NULL );
575     memset( ctx, 0, sizeof( mbedtls_aria_context ) );
576 }
577 
578 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)579 void mbedtls_aria_free( mbedtls_aria_context *ctx )
580 {
581     if( ctx == NULL )
582         return;
583 
584     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
585 }
586 
587 #if defined(MBEDTLS_CIPHER_MODE_CBC)
588 /*
589  * ARIA-CBC buffer encryption/decryption
590  */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)591 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
592                             int mode,
593                             size_t length,
594                             unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
595                             const unsigned char *input,
596                             unsigned char *output )
597 {
598     int i;
599     unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
600 
601     ARIA_VALIDATE_RET( ctx != NULL );
602     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
603                        mode == MBEDTLS_ARIA_DECRYPT );
604     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
605     ARIA_VALIDATE_RET( length == 0 || output != NULL );
606     ARIA_VALIDATE_RET( iv != NULL );
607 
608     if( length % MBEDTLS_ARIA_BLOCKSIZE )
609         return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
610 
611     if( mode == MBEDTLS_ARIA_DECRYPT )
612     {
613         while( length > 0 )
614         {
615             memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
616             mbedtls_aria_crypt_ecb( ctx, input, output );
617 
618             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
619                 output[i] = (unsigned char)( output[i] ^ iv[i] );
620 
621             memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
622 
623             input  += MBEDTLS_ARIA_BLOCKSIZE;
624             output += MBEDTLS_ARIA_BLOCKSIZE;
625             length -= MBEDTLS_ARIA_BLOCKSIZE;
626         }
627     }
628     else
629     {
630         while( length > 0 )
631         {
632             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
633                 output[i] = (unsigned char)( input[i] ^ iv[i] );
634 
635             mbedtls_aria_crypt_ecb( ctx, output, output );
636             memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
637 
638             input  += MBEDTLS_ARIA_BLOCKSIZE;
639             output += MBEDTLS_ARIA_BLOCKSIZE;
640             length -= MBEDTLS_ARIA_BLOCKSIZE;
641         }
642     }
643 
644     return( 0 );
645 }
646 #endif /* MBEDTLS_CIPHER_MODE_CBC */
647 
648 #if defined(MBEDTLS_CIPHER_MODE_CFB)
649 /*
650  * ARIA-CFB128 buffer encryption/decryption
651  */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)652 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
653                                int mode,
654                                size_t length,
655                                size_t *iv_off,
656                                unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
657                                const unsigned char *input,
658                                unsigned char *output )
659 {
660     unsigned char c;
661     size_t n;
662 
663     ARIA_VALIDATE_RET( ctx != NULL );
664     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
665                        mode == MBEDTLS_ARIA_DECRYPT );
666     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
667     ARIA_VALIDATE_RET( length == 0 || output != NULL );
668     ARIA_VALIDATE_RET( iv != NULL );
669     ARIA_VALIDATE_RET( iv_off != NULL );
670 
671     n = *iv_off;
672 
673     /* An overly large value of n can lead to an unlimited
674      * buffer overflow. Therefore, guard against this
675      * outside of parameter validation. */
676     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
677         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
678 
679     if( mode == MBEDTLS_ARIA_DECRYPT )
680     {
681         while( length-- )
682         {
683             if( n == 0 )
684                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
685 
686             c = *input++;
687             *output++ = c ^ iv[n];
688             iv[n] = c;
689 
690             n = ( n + 1 ) & 0x0F;
691         }
692     }
693     else
694     {
695         while( length-- )
696         {
697             if( n == 0 )
698                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
699 
700             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
701 
702             n = ( n + 1 ) & 0x0F;
703         }
704     }
705 
706     *iv_off = n;
707 
708     return( 0 );
709 }
710 #endif /* MBEDTLS_CIPHER_MODE_CFB */
711 
712 #if defined(MBEDTLS_CIPHER_MODE_CTR)
713 /*
714  * ARIA-CTR buffer encryption/decryption
715  */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)716 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
717                             size_t length,
718                             size_t *nc_off,
719                             unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
720                             unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
721                             const unsigned char *input,
722                             unsigned char *output )
723 {
724     int c, i;
725     size_t n;
726 
727     ARIA_VALIDATE_RET( ctx != NULL );
728     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
729     ARIA_VALIDATE_RET( length == 0 || output != NULL );
730     ARIA_VALIDATE_RET( nonce_counter != NULL );
731     ARIA_VALIDATE_RET( stream_block  != NULL );
732     ARIA_VALIDATE_RET( nc_off != NULL );
733 
734     n = *nc_off;
735     /* An overly large value of n can lead to an unlimited
736      * buffer overflow. Therefore, guard against this
737      * outside of parameter validation. */
738     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
739         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
740 
741     while( length-- )
742     {
743         if( n == 0 ) {
744             mbedtls_aria_crypt_ecb( ctx, nonce_counter,
745                                 stream_block );
746 
747             for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
748                 if( ++nonce_counter[i - 1] != 0 )
749                     break;
750         }
751         c = *input++;
752         *output++ = (unsigned char)( c ^ stream_block[n] );
753 
754         n = ( n + 1 ) & 0x0F;
755     }
756 
757     *nc_off = n;
758 
759     return( 0 );
760 }
761 #endif /* MBEDTLS_CIPHER_MODE_CTR */
762 #endif /* !MBEDTLS_ARIA_ALT */
763 
764 #if defined(MBEDTLS_SELF_TEST)
765 
766 /*
767  * Basic ARIA ECB test vectors from RFC 5794
768  */
769 static const uint8_t aria_test1_ecb_key[32] =           // test key
770 {
771     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
772     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
773     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
774     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
775 };
776 
777 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
778 {
779     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
780     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
781 };
782 
783 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
784 {
785     { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
786       0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
787     { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
788       0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
789     { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
790       0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
791 };
792 
793 /*
794  * Mode tests from "Test Vectors for ARIA"  Version 1.0
795  * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
796  */
797 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
798     defined(MBEDTLS_CIPHER_MODE_CTR))
799 static const uint8_t aria_test2_key[32] =
800 {
801     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
802     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
803     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
804     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
805 };
806 
807 static const uint8_t aria_test2_pt[48] =
808 {
809     0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
810     0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
811     0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
812     0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
813     0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
814     0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
815 };
816 #endif
817 
818 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
819 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
820 {
821     0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
822     0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
823 };
824 #endif
825 
826 #if defined(MBEDTLS_CIPHER_MODE_CBC)
827 static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
828 {
829     { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
830       0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
831       0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
832       0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
833       0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
834       0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
835     { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
836       0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
837       0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
838       0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
839       0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
840       0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
841     { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
842       0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
843       0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
844       0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
845       0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
846       0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
847 };
848 #endif /* MBEDTLS_CIPHER_MODE_CBC */
849 
850 #if defined(MBEDTLS_CIPHER_MODE_CFB)
851 static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
852 {
853     { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
854       0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
855       0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
856       0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
857       0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
858       0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
859     { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
860       0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
861       0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
862       0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
863       0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
864       0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
865     { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
866       0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
867       0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
868       0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
869       0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
870       0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
871 };
872 #endif /* MBEDTLS_CIPHER_MODE_CFB */
873 
874 #if defined(MBEDTLS_CIPHER_MODE_CTR)
875 static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
876 {
877     { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
878       0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
879       0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
880       0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
881       0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
882       0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
883     { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
884       0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
885       0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
886       0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
887       0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
888       0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
889     { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
890       0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
891       0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
892       0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
893       0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
894       0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
895 };
896 #endif /* MBEDTLS_CIPHER_MODE_CFB */
897 
898 #define ARIA_SELF_TEST_IF_FAIL              \
899         {                                   \
900             if( verbose )                   \
901                 mbedtls_printf( "failed\n" );       \
902             goto exit;                              \
903         } else {                            \
904             if( verbose )                   \
905                 mbedtls_printf( "passed\n" );       \
906         }
907 
908 /*
909  * Checkup routine
910  */
mbedtls_aria_self_test(int verbose)911 int mbedtls_aria_self_test( int verbose )
912 {
913     int i;
914     uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
915     mbedtls_aria_context ctx;
916     int ret = 1;
917 
918 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
919     size_t j;
920 #endif
921 
922 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
923      defined(MBEDTLS_CIPHER_MODE_CFB) || \
924      defined(MBEDTLS_CIPHER_MODE_CTR))
925     uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
926 #endif
927 
928     mbedtls_aria_init( &ctx );
929 
930     /*
931      * Test set 1
932      */
933     for( i = 0; i < 3; i++ )
934     {
935         /* test ECB encryption */
936         if( verbose )
937             mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
938         mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
939         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
940         if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
941             ARIA_SELF_TEST_IF_FAIL;
942 
943         /* test ECB decryption */
944         if( verbose )
945             mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
946         mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
947         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
948         if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
949             ARIA_SELF_TEST_IF_FAIL;
950     }
951     if( verbose )
952         mbedtls_printf( "\n" );
953 
954     /*
955      * Test set 2
956      */
957 #if defined(MBEDTLS_CIPHER_MODE_CBC)
958     for( i = 0; i < 3; i++ )
959     {
960         /* Test CBC encryption */
961         if( verbose )
962             mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
963         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
964         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
965         memset( buf, 0x55, sizeof( buf ) );
966         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
967             aria_test2_pt, buf );
968         if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
969             ARIA_SELF_TEST_IF_FAIL;
970 
971         /* Test CBC decryption */
972         if( verbose )
973             mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
974         mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
975         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
976         memset( buf, 0xAA, sizeof( buf ) );
977         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
978             aria_test2_cbc_ct[i], buf );
979         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
980             ARIA_SELF_TEST_IF_FAIL;
981     }
982     if( verbose )
983         mbedtls_printf( "\n" );
984 
985 #endif /* MBEDTLS_CIPHER_MODE_CBC */
986 
987 #if defined(MBEDTLS_CIPHER_MODE_CFB)
988     for( i = 0; i < 3; i++ )
989     {
990         /* Test CFB encryption */
991         if( verbose )
992             mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
993         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
994         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
995         memset( buf, 0x55, sizeof( buf ) );
996         j = 0;
997         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
998             aria_test2_pt, buf );
999         if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1000             ARIA_SELF_TEST_IF_FAIL;
1001 
1002         /* Test CFB decryption */
1003         if( verbose )
1004             mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
1005         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1006         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1007         memset( buf, 0xAA, sizeof( buf ) );
1008         j = 0;
1009         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1010             iv, aria_test2_cfb_ct[i], buf );
1011         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1012             ARIA_SELF_TEST_IF_FAIL;
1013     }
1014     if( verbose )
1015         mbedtls_printf( "\n" );
1016 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1017 
1018 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1019     for( i = 0; i < 3; i++ )
1020     {
1021         /* Test CTR encryption */
1022         if( verbose )
1023             mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
1024         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1025         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1026         memset( buf, 0x55, sizeof( buf ) );
1027         j = 0;
1028         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1029             aria_test2_pt, buf );
1030         if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1031             ARIA_SELF_TEST_IF_FAIL;
1032 
1033         /* Test CTR decryption */
1034         if( verbose )
1035             mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
1036         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1037         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1038         memset( buf, 0xAA, sizeof( buf ) );
1039         j = 0;
1040         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1041             aria_test2_ctr_ct[i], buf );
1042         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1043             ARIA_SELF_TEST_IF_FAIL;
1044     }
1045     if( verbose )
1046         mbedtls_printf( "\n" );
1047 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1048 
1049     ret = 0;
1050 
1051 exit:
1052     mbedtls_aria_free( &ctx );
1053     return( ret );
1054 }
1055 
1056 #endif /* MBEDTLS_SELF_TEST */
1057 
1058 #endif /* MBEDTLS_ARIA_C */
1059