1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_ARIA_C)
17
18 #include "mbedtls/aria.h"
19
20 #include <string.h>
21
22 #include "mbedtls/platform.h"
23
24 #if !defined(MBEDTLS_ARIA_ALT)
25
26 #include "mbedtls/platform_util.h"
27
28 /* Parameter validation macros */
29 #define ARIA_VALIDATE_RET(cond) \
30 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31 #define ARIA_VALIDATE(cond) \
32 MBEDTLS_INTERNAL_VALIDATE(cond)
33
34 /*
35 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
36 *
37 * This is submatrix P1 in [1] Appendix B.1
38 *
39 * Common compilers fail to translate this to minimal number of instructions,
40 * so let's provide asm versions for common platforms with C fallback.
41 */
42 #if defined(MBEDTLS_HAVE_ASM)
43 #if defined(__arm__) /* rev16 available from v6 up */
44 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45 #if defined(__GNUC__) && \
46 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
47 __ARM_ARCH >= 6
aria_p1(uint32_t x)48 static inline uint32_t aria_p1(uint32_t x)
49 {
50 uint32_t r;
51 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52 return r;
53 }
54 #define ARIA_P1 aria_p1
55 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
56 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p1(uint32_t x)57 static inline uint32_t aria_p1(uint32_t x)
58 {
59 uint32_t r;
60 __asm("rev16 r, x");
61 return r;
62 }
63 #define ARIA_P1 aria_p1
64 #endif
65 #endif /* arm */
66 #if defined(__GNUC__) && \
67 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
68 /* I couldn't find an Intel equivalent of rev16, so two instructions */
69 #define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
70 #endif /* x86 gnuc */
71 #endif /* MBEDTLS_HAVE_ASM && GNUC */
72 #if !defined(ARIA_P1)
73 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
74 #endif
75
76 /*
77 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78 *
79 * This is submatrix P2 in [1] Appendix B.1
80 *
81 * Common compilers will translate this to a single instruction.
82 */
83 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
84
85 /*
86 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87 *
88 * This is submatrix P3 in [1] Appendix B.1
89 *
90 * Some compilers fail to translate this to a single instruction,
91 * so let's provide asm versions for common platforms with C fallback.
92 */
93 #if defined(MBEDTLS_HAVE_ASM)
94 #if defined(__arm__) /* rev available from v6 up */
95 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
96 #if defined(__GNUC__) && \
97 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
98 __ARM_ARCH >= 6
aria_p3(uint32_t x)99 static inline uint32_t aria_p3(uint32_t x)
100 {
101 uint32_t r;
102 __asm("rev %0, %1" : "=l" (r) : "l" (x));
103 return r;
104 }
105 #define ARIA_P3 aria_p3
106 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
107 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p3(uint32_t x)108 static inline uint32_t aria_p3(uint32_t x)
109 {
110 uint32_t r;
111 __asm("rev r, x");
112 return r;
113 }
114 #define ARIA_P3 aria_p3
115 #endif
116 #endif /* arm */
117 #if defined(__GNUC__) && \
118 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
aria_p3(uint32_t x)119 static inline uint32_t aria_p3(uint32_t x)
120 {
121 __asm("bswap %0" : "=r" (x) : "0" (x));
122 return x;
123 }
124 #define ARIA_P3 aria_p3
125 #endif /* x86 gnuc */
126 #endif /* MBEDTLS_HAVE_ASM && GNUC */
127 #if !defined(ARIA_P3)
128 #define ARIA_P3(x) ARIA_P2(ARIA_P1(x))
129 #endif
130
131 /*
132 * ARIA Affine Transform
133 * (a, b, c, d) = state in/out
134 *
135 * If we denote the first byte of input by 0, ..., the last byte by f,
136 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
137 *
138 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
139 * rearrangements on adjacent pairs, output is:
140 *
141 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
142 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
143 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
144 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
145 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
146 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
147 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
148 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
149 *
150 * Note: another presentation of the A transform can be found as the first
151 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
152 * The implementation below uses only P1 and P2 as they are sufficient.
153 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)154 static inline void aria_a(uint32_t *a, uint32_t *b,
155 uint32_t *c, uint32_t *d)
156 {
157 uint32_t ta, tb, tc;
158 ta = *b; // 4567
159 *b = *a; // 0123
160 *a = ARIA_P2(ta); // 6745
161 tb = ARIA_P2(*d); // efcd
162 *d = ARIA_P1(*c); // 98ba
163 *c = ARIA_P1(tb); // fedc
164 ta ^= *d; // 4567+98ba
165 tc = ARIA_P2(*b); // 2301
166 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
167 tb ^= ARIA_P2(*d); // ba98+efcd
168 tc ^= ARIA_P1(*a); // 2301+7654
169 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
170 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
171 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
172 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
173 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
174 tc = ARIA_P2(tc); // 0123+5476
175 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
176 }
177
178 /*
179 * ARIA Substitution Layer SL1 / SL2
180 * (a, b, c, d) = state in/out
181 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
182 *
183 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
184 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
185 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])186 static inline void aria_sl(uint32_t *a, uint32_t *b,
187 uint32_t *c, uint32_t *d,
188 const uint8_t sa[256], const uint8_t sb[256],
189 const uint8_t sc[256], const uint8_t sd[256])
190 {
191 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
192 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
193 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
194 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
195 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
196 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
197 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
198 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
199 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
200 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
201 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
202 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
203 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
204 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
205 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
206 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
207 }
208
209 /*
210 * S-Boxes
211 */
212 static const uint8_t aria_sb1[256] =
213 {
214 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
215 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
216 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
217 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
218 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
219 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
220 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
221 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
222 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
223 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
224 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
225 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
226 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
227 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
228 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
229 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
230 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
231 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
232 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
233 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
234 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
235 0xB0, 0x54, 0xBB, 0x16
236 };
237
238 static const uint8_t aria_sb2[256] =
239 {
240 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
241 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
242 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
243 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
244 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
245 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
246 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
247 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
248 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
249 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
250 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
251 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
252 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
253 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
254 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
255 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
256 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
257 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
258 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
259 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
260 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
261 0xAF, 0xBA, 0xB5, 0x81
262 };
263
264 static const uint8_t aria_is1[256] =
265 {
266 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
267 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
268 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
269 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
270 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
271 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
272 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
273 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
274 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
275 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
276 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
277 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
278 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
279 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
280 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
281 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
282 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
283 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
284 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
285 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
286 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
287 0x55, 0x21, 0x0C, 0x7D
288 };
289
290 static const uint8_t aria_is2[256] =
291 {
292 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
293 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
294 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
295 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
296 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
297 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
298 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
299 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
300 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
301 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
302 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
303 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
304 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
305 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
306 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
307 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
308 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
309 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
310 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
311 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
312 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
313 0x03, 0xA2, 0xAC, 0x60
314 };
315
316 /*
317 * Helper for key schedule: r = FO( p, k ) ^ x
318 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])319 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
320 const uint32_t k[4], const uint32_t x[4])
321 {
322 uint32_t a, b, c, d;
323
324 a = p[0] ^ k[0];
325 b = p[1] ^ k[1];
326 c = p[2] ^ k[2];
327 d = p[3] ^ k[3];
328
329 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
330 aria_a(&a, &b, &c, &d);
331
332 r[0] = a ^ x[0];
333 r[1] = b ^ x[1];
334 r[2] = c ^ x[2];
335 r[3] = d ^ x[3];
336 }
337
338 /*
339 * Helper for key schedule: r = FE( p, k ) ^ x
340 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])341 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
342 const uint32_t k[4], const uint32_t x[4])
343 {
344 uint32_t a, b, c, d;
345
346 a = p[0] ^ k[0];
347 b = p[1] ^ k[1];
348 c = p[2] ^ k[2];
349 d = p[3] ^ k[3];
350
351 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
352 aria_a(&a, &b, &c, &d);
353
354 r[0] = a ^ x[0];
355 r[1] = b ^ x[1];
356 r[2] = c ^ x[2];
357 r[3] = d ^ x[3];
358 }
359
360 /*
361 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
362 *
363 * We chose to store bytes into 32-bit words in little-endian format (see
364 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
365 * bytes here.
366 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)367 static void aria_rot128(uint32_t r[4], const uint32_t a[4],
368 const uint32_t b[4], uint8_t n)
369 {
370 uint8_t i, j;
371 uint32_t t, u;
372
373 const uint8_t n1 = n % 32; // bit offset
374 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
375
376 j = (n / 32) % 4; // initial word offset
377 t = ARIA_P3(b[j]); // big endian
378 for (i = 0; i < 4; i++) {
379 j = (j + 1) % 4; // get next word, big endian
380 u = ARIA_P3(b[j]);
381 t <<= n1; // rotate
382 t |= u >> n2;
383 t = ARIA_P3(t); // back to little endian
384 r[i] = a[i] ^ t; // store
385 t = u; // move to next word
386 }
387 }
388
389 /*
390 * Set encryption key
391 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)392 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
393 const unsigned char *key, unsigned int keybits)
394 {
395 /* round constant masks */
396 const uint32_t rc[3][4] =
397 {
398 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
399 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
400 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
401 };
402
403 int i;
404 uint32_t w[4][4], *w2;
405 ARIA_VALIDATE_RET(ctx != NULL);
406 ARIA_VALIDATE_RET(key != NULL);
407
408 if (keybits != 128 && keybits != 192 && keybits != 256) {
409 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
410 }
411
412 /* Copy key to W0 (and potential remainder to W1) */
413 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
414 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
415 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
416 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
417
418 memset(w[1], 0, 16);
419 if (keybits >= 192) {
420 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
421 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
422 }
423 if (keybits == 256) {
424 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
425 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
426 }
427
428 i = (keybits - 128) >> 6; // index: 0, 1, 2
429 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
430
431 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
432 i = i < 2 ? i + 1 : 0;
433 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
434 i = i < 2 ? i + 1 : 0;
435 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
436
437 for (i = 0; i < 4; i++) { // create round keys
438 w2 = w[(i + 1) & 3];
439 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
440 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
441 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
442 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
443 }
444 aria_rot128(ctx->rk[16], w[0], w[1], 19);
445
446 /* w holds enough info to reconstruct the round keys */
447 mbedtls_platform_zeroize(w, sizeof(w));
448
449 return 0;
450 }
451
452 /*
453 * Set decryption key
454 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)455 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
456 const unsigned char *key, unsigned int keybits)
457 {
458 int i, j, k, ret;
459 ARIA_VALIDATE_RET(ctx != NULL);
460 ARIA_VALIDATE_RET(key != NULL);
461
462 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
463 if (ret != 0) {
464 return ret;
465 }
466
467 /* flip the order of round keys */
468 for (i = 0, j = ctx->nr; i < j; i++, j--) {
469 for (k = 0; k < 4; k++) {
470 uint32_t t = ctx->rk[i][k];
471 ctx->rk[i][k] = ctx->rk[j][k];
472 ctx->rk[j][k] = t;
473 }
474 }
475
476 /* apply affine transform to middle keys */
477 for (i = 1; i < ctx->nr; i++) {
478 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
479 &ctx->rk[i][2], &ctx->rk[i][3]);
480 }
481
482 return 0;
483 }
484
485 /*
486 * Encrypt a block
487 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])488 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
489 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
490 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
491 {
492 int i;
493
494 uint32_t a, b, c, d;
495 ARIA_VALIDATE_RET(ctx != NULL);
496 ARIA_VALIDATE_RET(input != NULL);
497 ARIA_VALIDATE_RET(output != NULL);
498
499 a = MBEDTLS_GET_UINT32_LE(input, 0);
500 b = MBEDTLS_GET_UINT32_LE(input, 4);
501 c = MBEDTLS_GET_UINT32_LE(input, 8);
502 d = MBEDTLS_GET_UINT32_LE(input, 12);
503
504 i = 0;
505 while (1) {
506 a ^= ctx->rk[i][0];
507 b ^= ctx->rk[i][1];
508 c ^= ctx->rk[i][2];
509 d ^= ctx->rk[i][3];
510 i++;
511
512 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
513 aria_a(&a, &b, &c, &d);
514
515 a ^= ctx->rk[i][0];
516 b ^= ctx->rk[i][1];
517 c ^= ctx->rk[i][2];
518 d ^= ctx->rk[i][3];
519 i++;
520
521 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
522 if (i >= ctx->nr) {
523 break;
524 }
525 aria_a(&a, &b, &c, &d);
526 }
527
528 /* final key mixing */
529 a ^= ctx->rk[i][0];
530 b ^= ctx->rk[i][1];
531 c ^= ctx->rk[i][2];
532 d ^= ctx->rk[i][3];
533
534 MBEDTLS_PUT_UINT32_LE(a, output, 0);
535 MBEDTLS_PUT_UINT32_LE(b, output, 4);
536 MBEDTLS_PUT_UINT32_LE(c, output, 8);
537 MBEDTLS_PUT_UINT32_LE(d, output, 12);
538
539 return 0;
540 }
541
542 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)543 void mbedtls_aria_init(mbedtls_aria_context *ctx)
544 {
545 ARIA_VALIDATE(ctx != NULL);
546 memset(ctx, 0, sizeof(mbedtls_aria_context));
547 }
548
549 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)550 void mbedtls_aria_free(mbedtls_aria_context *ctx)
551 {
552 if (ctx == NULL) {
553 return;
554 }
555
556 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
557 }
558
559 #if defined(MBEDTLS_CIPHER_MODE_CBC)
560 /*
561 * ARIA-CBC buffer encryption/decryption
562 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)563 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
567 const unsigned char *input,
568 unsigned char *output)
569 {
570 int i;
571 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
572
573 ARIA_VALIDATE_RET(ctx != NULL);
574 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
575 mode == MBEDTLS_ARIA_DECRYPT);
576 ARIA_VALIDATE_RET(length == 0 || input != NULL);
577 ARIA_VALIDATE_RET(length == 0 || output != NULL);
578 ARIA_VALIDATE_RET(iv != NULL);
579
580 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
581 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
582 }
583
584 if (mode == MBEDTLS_ARIA_DECRYPT) {
585 while (length > 0) {
586 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
587 mbedtls_aria_crypt_ecb(ctx, input, output);
588
589 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++) {
590 output[i] = (unsigned char) (output[i] ^ iv[i]);
591 }
592
593 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
594
595 input += MBEDTLS_ARIA_BLOCKSIZE;
596 output += MBEDTLS_ARIA_BLOCKSIZE;
597 length -= MBEDTLS_ARIA_BLOCKSIZE;
598 }
599 } else {
600 while (length > 0) {
601 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++) {
602 output[i] = (unsigned char) (input[i] ^ iv[i]);
603 }
604
605 mbedtls_aria_crypt_ecb(ctx, output, output);
606 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
607
608 input += MBEDTLS_ARIA_BLOCKSIZE;
609 output += MBEDTLS_ARIA_BLOCKSIZE;
610 length -= MBEDTLS_ARIA_BLOCKSIZE;
611 }
612 }
613
614 return 0;
615 }
616 #endif /* MBEDTLS_CIPHER_MODE_CBC */
617
618 #if defined(MBEDTLS_CIPHER_MODE_CFB)
619 /*
620 * ARIA-CFB128 buffer encryption/decryption
621 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)622 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
623 int mode,
624 size_t length,
625 size_t *iv_off,
626 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
627 const unsigned char *input,
628 unsigned char *output)
629 {
630 unsigned char c;
631 size_t n;
632
633 ARIA_VALIDATE_RET(ctx != NULL);
634 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
635 mode == MBEDTLS_ARIA_DECRYPT);
636 ARIA_VALIDATE_RET(length == 0 || input != NULL);
637 ARIA_VALIDATE_RET(length == 0 || output != NULL);
638 ARIA_VALIDATE_RET(iv != NULL);
639 ARIA_VALIDATE_RET(iv_off != NULL);
640
641 n = *iv_off;
642
643 /* An overly large value of n can lead to an unlimited
644 * buffer overflow. Therefore, guard against this
645 * outside of parameter validation. */
646 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
647 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
648 }
649
650 if (mode == MBEDTLS_ARIA_DECRYPT) {
651 while (length--) {
652 if (n == 0) {
653 mbedtls_aria_crypt_ecb(ctx, iv, iv);
654 }
655
656 c = *input++;
657 *output++ = c ^ iv[n];
658 iv[n] = c;
659
660 n = (n + 1) & 0x0F;
661 }
662 } else {
663 while (length--) {
664 if (n == 0) {
665 mbedtls_aria_crypt_ecb(ctx, iv, iv);
666 }
667
668 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
669
670 n = (n + 1) & 0x0F;
671 }
672 }
673
674 *iv_off = n;
675
676 return 0;
677 }
678 #endif /* MBEDTLS_CIPHER_MODE_CFB */
679
680 #if defined(MBEDTLS_CIPHER_MODE_CTR)
681 /*
682 * ARIA-CTR buffer encryption/decryption
683 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)684 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
685 size_t length,
686 size_t *nc_off,
687 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
688 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
689 const unsigned char *input,
690 unsigned char *output)
691 {
692 int c, i;
693 size_t n;
694
695 ARIA_VALIDATE_RET(ctx != NULL);
696 ARIA_VALIDATE_RET(length == 0 || input != NULL);
697 ARIA_VALIDATE_RET(length == 0 || output != NULL);
698 ARIA_VALIDATE_RET(nonce_counter != NULL);
699 ARIA_VALIDATE_RET(stream_block != NULL);
700 ARIA_VALIDATE_RET(nc_off != NULL);
701
702 n = *nc_off;
703 /* An overly large value of n can lead to an unlimited
704 * buffer overflow. Therefore, guard against this
705 * outside of parameter validation. */
706 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
707 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
708 }
709
710 while (length--) {
711 if (n == 0) {
712 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
713 stream_block);
714
715 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
716 if (++nonce_counter[i - 1] != 0) {
717 break;
718 }
719 }
720 }
721 c = *input++;
722 *output++ = (unsigned char) (c ^ stream_block[n]);
723
724 n = (n + 1) & 0x0F;
725 }
726
727 *nc_off = n;
728
729 return 0;
730 }
731 #endif /* MBEDTLS_CIPHER_MODE_CTR */
732 #endif /* !MBEDTLS_ARIA_ALT */
733
734 #if defined(MBEDTLS_SELF_TEST)
735
736 /*
737 * Basic ARIA ECB test vectors from RFC 5794
738 */
739 static const uint8_t aria_test1_ecb_key[32] = // test key
740 {
741 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
742 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
743 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
744 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
745 };
746
747 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
748 {
749 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
750 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
751 };
752
753 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
754 {
755 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
756 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
757 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
758 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
759 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
760 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
761 };
762
763 /*
764 * Mode tests from "Test Vectors for ARIA" Version 1.0
765 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
766 */
767 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
768 defined(MBEDTLS_CIPHER_MODE_CTR))
769 static const uint8_t aria_test2_key[32] =
770 {
771 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
772 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
773 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
774 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
775 };
776
777 static const uint8_t aria_test2_pt[48] =
778 {
779 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
780 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
781 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
782 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
783 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
784 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
785 };
786 #endif
787
788 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
789 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
790 {
791 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
792 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
793 };
794 #endif
795
796 #if defined(MBEDTLS_CIPHER_MODE_CBC)
797 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
798 {
799 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
800 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
801 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
802 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
803 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
804 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
805 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
806 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
807 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
808 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
809 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
810 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
811 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
812 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
813 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
814 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
815 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
816 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
817 };
818 #endif /* MBEDTLS_CIPHER_MODE_CBC */
819
820 #if defined(MBEDTLS_CIPHER_MODE_CFB)
821 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
822 {
823 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
824 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
825 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
826 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
827 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
828 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
829 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
830 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
831 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
832 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
833 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
834 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
835 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
836 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
837 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
838 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
839 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
840 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
841 };
842 #endif /* MBEDTLS_CIPHER_MODE_CFB */
843
844 #if defined(MBEDTLS_CIPHER_MODE_CTR)
845 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
846 {
847 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
848 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
849 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
850 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
851 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
852 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
853 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
854 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
855 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
856 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
857 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
858 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
859 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
860 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
861 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
862 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
863 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
864 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
865 };
866 #endif /* MBEDTLS_CIPHER_MODE_CFB */
867
868 #define ARIA_SELF_TEST_ASSERT(cond) \
869 do { \
870 if (cond) { \
871 if (verbose) \
872 mbedtls_printf("failed\n"); \
873 goto exit; \
874 } else { \
875 if (verbose) \
876 mbedtls_printf("passed\n"); \
877 } \
878 } while (0)
879
880 /*
881 * Checkup routine
882 */
mbedtls_aria_self_test(int verbose)883 int mbedtls_aria_self_test(int verbose)
884 {
885 int i;
886 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
887 mbedtls_aria_context ctx;
888 int ret = 1;
889
890 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
891 size_t j;
892 #endif
893
894 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
895 defined(MBEDTLS_CIPHER_MODE_CFB) || \
896 defined(MBEDTLS_CIPHER_MODE_CTR))
897 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
898 #endif
899
900 mbedtls_aria_init(&ctx);
901
902 /*
903 * Test set 1
904 */
905 for (i = 0; i < 3; i++) {
906 /* test ECB encryption */
907 if (verbose) {
908 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
909 }
910 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
911 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
912 ARIA_SELF_TEST_ASSERT(
913 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
914 != 0);
915
916 /* test ECB decryption */
917 if (verbose) {
918 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
919 }
920 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
921 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
922 ARIA_SELF_TEST_ASSERT(
923 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
924 != 0);
925 }
926 if (verbose) {
927 mbedtls_printf("\n");
928 }
929
930 /*
931 * Test set 2
932 */
933 #if defined(MBEDTLS_CIPHER_MODE_CBC)
934 for (i = 0; i < 3; i++) {
935 /* Test CBC encryption */
936 if (verbose) {
937 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
938 }
939 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
940 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
941 memset(buf, 0x55, sizeof(buf));
942 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
943 aria_test2_pt, buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
945 != 0);
946
947 /* Test CBC decryption */
948 if (verbose) {
949 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
950 }
951 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
952 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
953 memset(buf, 0xAA, sizeof(buf));
954 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
955 aria_test2_cbc_ct[i], buf);
956 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
957 }
958 if (verbose) {
959 mbedtls_printf("\n");
960 }
961
962 #endif /* MBEDTLS_CIPHER_MODE_CBC */
963
964 #if defined(MBEDTLS_CIPHER_MODE_CFB)
965 for (i = 0; i < 3; i++) {
966 /* Test CFB encryption */
967 if (verbose) {
968 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
969 }
970 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
971 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
972 memset(buf, 0x55, sizeof(buf));
973 j = 0;
974 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
975 aria_test2_pt, buf);
976 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
977
978 /* Test CFB decryption */
979 if (verbose) {
980 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
981 }
982 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
983 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
984 memset(buf, 0xAA, sizeof(buf));
985 j = 0;
986 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
987 iv, aria_test2_cfb_ct[i], buf);
988 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
989 }
990 if (verbose) {
991 mbedtls_printf("\n");
992 }
993 #endif /* MBEDTLS_CIPHER_MODE_CFB */
994
995 #if defined(MBEDTLS_CIPHER_MODE_CTR)
996 for (i = 0; i < 3; i++) {
997 /* Test CTR encryption */
998 if (verbose) {
999 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
1000 }
1001 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1002 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1003 memset(buf, 0x55, sizeof(buf));
1004 j = 0;
1005 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1006 aria_test2_pt, buf);
1007 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
1008
1009 /* Test CTR decryption */
1010 if (verbose) {
1011 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
1012 }
1013 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1014 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1015 memset(buf, 0xAA, sizeof(buf));
1016 j = 0;
1017 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1018 aria_test2_ctr_ct[i], buf);
1019 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
1020 }
1021 if (verbose) {
1022 mbedtls_printf("\n");
1023 }
1024 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1025
1026 ret = 0;
1027
1028 exit:
1029 mbedtls_aria_free(&ctx);
1030 return ret;
1031 }
1032
1033 #endif /* MBEDTLS_SELF_TEST */
1034
1035 #endif /* MBEDTLS_ARIA_C */
1036