1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 /*
48 * This implementation is based on the following standards:
49 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
50 * [2] https://tools.ietf.org/html/rfc5794
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_ARIA_C)
60
61 #include "mbedtls/aria.h"
62
63 #include <string.h>
64
65 #if defined(MBEDTLS_SELF_TEST)
66 #if defined(MBEDTLS_PLATFORM_C)
67 #include "mbedtls/platform.h"
68 #else
69 #include <stdio.h>
70 #define mbedtls_printf printf
71 #endif /* MBEDTLS_PLATFORM_C */
72 #endif /* MBEDTLS_SELF_TEST */
73
74 #if !defined(MBEDTLS_ARIA_ALT)
75
76 #include "mbedtls/platform_util.h"
77
78 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
79 !defined(inline) && !defined(__cplusplus)
80 #define inline __inline
81 #endif
82
83 /* Parameter validation macros */
84 #define ARIA_VALIDATE_RET( cond ) \
85 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
86 #define ARIA_VALIDATE( cond ) \
87 MBEDTLS_INTERNAL_VALIDATE( cond )
88
89 /*
90 * 32-bit integer manipulation macros (little endian)
91 */
92 #ifndef GET_UINT32_LE
93 #define GET_UINT32_LE( n, b, i ) \
94 { \
95 (n) = ( (uint32_t) (b)[(i) ] ) \
96 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
97 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
98 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
99 }
100 #endif
101
102 #ifndef PUT_UINT32_LE
103 #define PUT_UINT32_LE( n, b, i ) \
104 { \
105 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
106 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
107 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
108 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
109 }
110 #endif
111
112 /*
113 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
114 *
115 * This is submatrix P1 in [1] Appendix B.1
116 *
117 * Common compilers fail to translate this to minimal number of instructions,
118 * so let's provide asm versions for common platforms with C fallback.
119 */
120 #if defined(MBEDTLS_HAVE_ASM)
121 #if defined(__arm__) /* rev16 available from v6 up */
122 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
123 #if defined(__GNUC__) && \
124 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
125 __ARM_ARCH >= 6
aria_p1(uint32_t x)126 static inline uint32_t aria_p1( uint32_t x )
127 {
128 uint32_t r;
129 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
130 return( r );
131 }
132 #define ARIA_P1 aria_p1
133 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
134 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)135 static inline uint32_t aria_p1( uint32_t x )
136 {
137 uint32_t r;
138 __asm( "rev16 r, x" );
139 return( r );
140 }
141 #define ARIA_P1 aria_p1
142 #endif
143 #endif /* arm */
144 #if defined(__GNUC__) && \
145 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
146 /* I couldn't find an Intel equivalent of rev16, so two instructions */
147 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
148 #endif /* x86 gnuc */
149 #endif /* MBEDTLS_HAVE_ASM && GNUC */
150 #if !defined(ARIA_P1)
151 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
152 #endif
153
154 /*
155 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
156 *
157 * This is submatrix P2 in [1] Appendix B.1
158 *
159 * Common compilers will translate this to a single instruction.
160 */
161 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
162
163 /*
164 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
165 *
166 * This is submatrix P3 in [1] Appendix B.1
167 *
168 * Some compilers fail to translate this to a single instruction,
169 * so let's provide asm versions for common platforms with C fallback.
170 */
171 #if defined(MBEDTLS_HAVE_ASM)
172 #if defined(__arm__) /* rev available from v6 up */
173 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
174 #if defined(__GNUC__) && \
175 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
176 __ARM_ARCH >= 6
aria_p3(uint32_t x)177 static inline uint32_t aria_p3( uint32_t x )
178 {
179 uint32_t r;
180 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
181 return( r );
182 }
183 #define ARIA_P3 aria_p3
184 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
185 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)186 static inline uint32_t aria_p3( uint32_t x )
187 {
188 uint32_t r;
189 __asm( "rev r, x" );
190 return( r );
191 }
192 #define ARIA_P3 aria_p3
193 #endif
194 #endif /* arm */
195 #if defined(__GNUC__) && \
196 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)197 static inline uint32_t aria_p3( uint32_t x )
198 {
199 __asm( "bswap %0" : "=r" (x) : "0" (x) );
200 return( x );
201 }
202 #define ARIA_P3 aria_p3
203 #endif /* x86 gnuc */
204 #endif /* MBEDTLS_HAVE_ASM && GNUC */
205 #if !defined(ARIA_P3)
206 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
207 #endif
208
209 /*
210 * ARIA Affine Transform
211 * (a, b, c, d) = state in/out
212 *
213 * If we denote the first byte of input by 0, ..., the last byte by f,
214 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
215 *
216 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
217 * rearrangements on adjacent pairs, output is:
218 *
219 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
220 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
221 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
222 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
223 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
224 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
225 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
226 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
227 *
228 * Note: another presentation of the A transform can be found as the first
229 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
230 * The implementation below uses only P1 and P2 as they are sufficient.
231 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)232 static inline void aria_a( uint32_t *a, uint32_t *b,
233 uint32_t *c, uint32_t *d )
234 {
235 uint32_t ta, tb, tc;
236 ta = *b; // 4567
237 *b = *a; // 0123
238 *a = ARIA_P2( ta ); // 6745
239 tb = ARIA_P2( *d ); // efcd
240 *d = ARIA_P1( *c ); // 98ba
241 *c = ARIA_P1( tb ); // fedc
242 ta ^= *d; // 4567+98ba
243 tc = ARIA_P2( *b ); // 2301
244 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
245 tb ^= ARIA_P2( *d ); // ba98+efcd
246 tc ^= ARIA_P1( *a ); // 2301+7654
247 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
248 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
249 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
250 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
251 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
252 tc = ARIA_P2( tc ); // 0123+5476
253 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
254 }
255
256 /*
257 * ARIA Substitution Layer SL1 / SL2
258 * (a, b, c, d) = state in/out
259 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
260 *
261 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
262 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
263 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])264 static inline void aria_sl( uint32_t *a, uint32_t *b,
265 uint32_t *c, uint32_t *d,
266 const uint8_t sa[256], const uint8_t sb[256],
267 const uint8_t sc[256], const uint8_t sd[256] )
268 {
269 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
270 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
271 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
272 (((uint32_t) sd[ *a >> 24 ]) << 24);
273 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
274 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
275 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
276 (((uint32_t) sd[ *b >> 24 ]) << 24);
277 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
278 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
279 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
280 (((uint32_t) sd[ *c >> 24 ]) << 24);
281 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
282 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
283 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
284 (((uint32_t) sd[ *d >> 24 ]) << 24);
285 }
286
287 /*
288 * S-Boxes
289 */
290 static const uint8_t aria_sb1[256] =
291 {
292 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
293 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
294 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
295 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
296 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
297 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
298 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
299 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
300 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
301 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
302 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
303 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
304 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
305 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
306 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
307 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
308 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
309 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
310 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
311 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
312 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
313 0xB0, 0x54, 0xBB, 0x16
314 };
315
316 static const uint8_t aria_sb2[256] =
317 {
318 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
319 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
320 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
321 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
322 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
323 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
324 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
325 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
326 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
327 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
328 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
329 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
330 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
331 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
332 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
333 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
334 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
335 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
336 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
337 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
338 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
339 0xAF, 0xBA, 0xB5, 0x81
340 };
341
342 static const uint8_t aria_is1[256] =
343 {
344 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
345 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
346 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
347 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
348 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
349 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
350 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
351 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
352 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
353 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
354 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
355 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
356 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
357 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
358 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
359 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
360 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
361 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
362 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
363 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
364 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
365 0x55, 0x21, 0x0C, 0x7D
366 };
367
368 static const uint8_t aria_is2[256] =
369 {
370 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
371 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
372 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
373 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
374 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
375 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
376 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
377 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
378 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
379 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
380 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
381 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
382 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
383 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
384 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
385 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
386 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
387 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
388 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
389 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
390 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
391 0x03, 0xA2, 0xAC, 0x60
392 };
393
394 /*
395 * Helper for key schedule: r = FO( p, k ) ^ x
396 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])397 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
398 const uint32_t k[4], const uint32_t x[4] )
399 {
400 uint32_t a, b, c, d;
401
402 a = p[0] ^ k[0];
403 b = p[1] ^ k[1];
404 c = p[2] ^ k[2];
405 d = p[3] ^ k[3];
406
407 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
408 aria_a( &a, &b, &c, &d );
409
410 r[0] = a ^ x[0];
411 r[1] = b ^ x[1];
412 r[2] = c ^ x[2];
413 r[3] = d ^ x[3];
414 }
415
416 /*
417 * Helper for key schedule: r = FE( p, k ) ^ x
418 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])419 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
420 const uint32_t k[4], const uint32_t x[4] )
421 {
422 uint32_t a, b, c, d;
423
424 a = p[0] ^ k[0];
425 b = p[1] ^ k[1];
426 c = p[2] ^ k[2];
427 d = p[3] ^ k[3];
428
429 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
430 aria_a( &a, &b, &c, &d );
431
432 r[0] = a ^ x[0];
433 r[1] = b ^ x[1];
434 r[2] = c ^ x[2];
435 r[3] = d ^ x[3];
436 }
437
438 /*
439 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
440 *
441 * We chose to store bytes into 32-bit words in little-endian format (see
442 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
443 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)444 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
445 const uint32_t b[4], uint8_t n )
446 {
447 uint8_t i, j;
448 uint32_t t, u;
449
450 const uint8_t n1 = n % 32; // bit offset
451 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
452
453 j = ( n / 32 ) % 4; // initial word offset
454 t = ARIA_P3( b[j] ); // big endian
455 for( i = 0; i < 4; i++ )
456 {
457 j = ( j + 1 ) % 4; // get next word, big endian
458 u = ARIA_P3( b[j] );
459 t <<= n1; // rotate
460 t |= u >> n2;
461 t = ARIA_P3( t ); // back to little endian
462 r[i] = a[i] ^ t; // store
463 t = u; // move to next word
464 }
465 }
466
467 /*
468 * Set encryption key
469 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)470 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
471 const unsigned char *key, unsigned int keybits )
472 {
473 /* round constant masks */
474 const uint32_t rc[3][4] =
475 {
476 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
477 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
478 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
479 };
480
481 int i;
482 uint32_t w[4][4], *w2;
483 ARIA_VALIDATE_RET( ctx != NULL );
484 ARIA_VALIDATE_RET( key != NULL );
485
486 if( keybits != 128 && keybits != 192 && keybits != 256 )
487 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
488
489 /* Copy key to W0 (and potential remainder to W1) */
490 GET_UINT32_LE( w[0][0], key, 0 );
491 GET_UINT32_LE( w[0][1], key, 4 );
492 GET_UINT32_LE( w[0][2], key, 8 );
493 GET_UINT32_LE( w[0][3], key, 12 );
494
495 memset( w[1], 0, 16 );
496 if( keybits >= 192 )
497 {
498 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
499 GET_UINT32_LE( w[1][1], key, 20 );
500 }
501 if( keybits == 256 )
502 {
503 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
504 GET_UINT32_LE( w[1][3], key, 28 );
505 }
506
507 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
508 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
509
510 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
511 i = i < 2 ? i + 1 : 0;
512 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
513 i = i < 2 ? i + 1 : 0;
514 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
515
516 for( i = 0; i < 4; i++ ) // create round keys
517 {
518 w2 = w[(i + 1) & 3];
519 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
520 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
521 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
522 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
523 }
524 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
525
526 /* w holds enough info to reconstruct the round keys */
527 mbedtls_platform_zeroize( w, sizeof( w ) );
528
529 return( 0 );
530 }
531
532 /*
533 * Set decryption key
534 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)535 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
536 const unsigned char *key, unsigned int keybits )
537 {
538 int i, j, k, ret;
539 ARIA_VALIDATE_RET( ctx != NULL );
540 ARIA_VALIDATE_RET( key != NULL );
541
542 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
543 if( ret != 0 )
544 return( ret );
545
546 /* flip the order of round keys */
547 for( i = 0, j = ctx->nr; i < j; i++, j-- )
548 {
549 for( k = 0; k < 4; k++ )
550 {
551 uint32_t t = ctx->rk[i][k];
552 ctx->rk[i][k] = ctx->rk[j][k];
553 ctx->rk[j][k] = t;
554 }
555 }
556
557 /* apply affine transform to middle keys */
558 for( i = 1; i < ctx->nr; i++ )
559 {
560 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
561 &ctx->rk[i][2], &ctx->rk[i][3] );
562 }
563
564 return( 0 );
565 }
566
567 /*
568 * Encrypt a block
569 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])570 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
571 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
572 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
573 {
574 int i;
575
576 uint32_t a, b, c, d;
577 ARIA_VALIDATE_RET( ctx != NULL );
578 ARIA_VALIDATE_RET( input != NULL );
579 ARIA_VALIDATE_RET( output != NULL );
580
581 GET_UINT32_LE( a, input, 0 );
582 GET_UINT32_LE( b, input, 4 );
583 GET_UINT32_LE( c, input, 8 );
584 GET_UINT32_LE( d, input, 12 );
585
586 i = 0;
587 while( 1 )
588 {
589 a ^= ctx->rk[i][0];
590 b ^= ctx->rk[i][1];
591 c ^= ctx->rk[i][2];
592 d ^= ctx->rk[i][3];
593 i++;
594
595 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
596 aria_a( &a, &b, &c, &d );
597
598 a ^= ctx->rk[i][0];
599 b ^= ctx->rk[i][1];
600 c ^= ctx->rk[i][2];
601 d ^= ctx->rk[i][3];
602 i++;
603
604 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
605 if( i >= ctx->nr )
606 break;
607 aria_a( &a, &b, &c, &d );
608 }
609
610 /* final key mixing */
611 a ^= ctx->rk[i][0];
612 b ^= ctx->rk[i][1];
613 c ^= ctx->rk[i][2];
614 d ^= ctx->rk[i][3];
615
616 PUT_UINT32_LE( a, output, 0 );
617 PUT_UINT32_LE( b, output, 4 );
618 PUT_UINT32_LE( c, output, 8 );
619 PUT_UINT32_LE( d, output, 12 );
620
621 return( 0 );
622 }
623
624 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)625 void mbedtls_aria_init( mbedtls_aria_context *ctx )
626 {
627 ARIA_VALIDATE( ctx != NULL );
628 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
629 }
630
631 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)632 void mbedtls_aria_free( mbedtls_aria_context *ctx )
633 {
634 if( ctx == NULL )
635 return;
636
637 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
638 }
639
640 #if defined(MBEDTLS_CIPHER_MODE_CBC)
641 /*
642 * ARIA-CBC buffer encryption/decryption
643 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)644 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
645 int mode,
646 size_t length,
647 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
648 const unsigned char *input,
649 unsigned char *output )
650 {
651 int i;
652 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
653
654 ARIA_VALIDATE_RET( ctx != NULL );
655 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
656 mode == MBEDTLS_ARIA_DECRYPT );
657 ARIA_VALIDATE_RET( length == 0 || input != NULL );
658 ARIA_VALIDATE_RET( length == 0 || output != NULL );
659 ARIA_VALIDATE_RET( iv != NULL );
660
661 if( length % MBEDTLS_ARIA_BLOCKSIZE )
662 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
663
664 if( mode == MBEDTLS_ARIA_DECRYPT )
665 {
666 while( length > 0 )
667 {
668 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
669 mbedtls_aria_crypt_ecb( ctx, input, output );
670
671 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
672 output[i] = (unsigned char)( output[i] ^ iv[i] );
673
674 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
675
676 input += MBEDTLS_ARIA_BLOCKSIZE;
677 output += MBEDTLS_ARIA_BLOCKSIZE;
678 length -= MBEDTLS_ARIA_BLOCKSIZE;
679 }
680 }
681 else
682 {
683 while( length > 0 )
684 {
685 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
686 output[i] = (unsigned char)( input[i] ^ iv[i] );
687
688 mbedtls_aria_crypt_ecb( ctx, output, output );
689 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
690
691 input += MBEDTLS_ARIA_BLOCKSIZE;
692 output += MBEDTLS_ARIA_BLOCKSIZE;
693 length -= MBEDTLS_ARIA_BLOCKSIZE;
694 }
695 }
696
697 return( 0 );
698 }
699 #endif /* MBEDTLS_CIPHER_MODE_CBC */
700
701 #if defined(MBEDTLS_CIPHER_MODE_CFB)
702 /*
703 * ARIA-CFB128 buffer encryption/decryption
704 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)705 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
706 int mode,
707 size_t length,
708 size_t *iv_off,
709 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
710 const unsigned char *input,
711 unsigned char *output )
712 {
713 unsigned char c;
714 size_t n;
715
716 ARIA_VALIDATE_RET( ctx != NULL );
717 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
718 mode == MBEDTLS_ARIA_DECRYPT );
719 ARIA_VALIDATE_RET( length == 0 || input != NULL );
720 ARIA_VALIDATE_RET( length == 0 || output != NULL );
721 ARIA_VALIDATE_RET( iv != NULL );
722 ARIA_VALIDATE_RET( iv_off != NULL );
723
724 n = *iv_off;
725
726 /* An overly large value of n can lead to an unlimited
727 * buffer overflow. Therefore, guard against this
728 * outside of parameter validation. */
729 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
730 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
731
732 if( mode == MBEDTLS_ARIA_DECRYPT )
733 {
734 while( length-- )
735 {
736 if( n == 0 )
737 mbedtls_aria_crypt_ecb( ctx, iv, iv );
738
739 c = *input++;
740 *output++ = c ^ iv[n];
741 iv[n] = c;
742
743 n = ( n + 1 ) & 0x0F;
744 }
745 }
746 else
747 {
748 while( length-- )
749 {
750 if( n == 0 )
751 mbedtls_aria_crypt_ecb( ctx, iv, iv );
752
753 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
754
755 n = ( n + 1 ) & 0x0F;
756 }
757 }
758
759 *iv_off = n;
760
761 return( 0 );
762 }
763 #endif /* MBEDTLS_CIPHER_MODE_CFB */
764
765 #if defined(MBEDTLS_CIPHER_MODE_CTR)
766 /*
767 * ARIA-CTR buffer encryption/decryption
768 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)769 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
770 size_t length,
771 size_t *nc_off,
772 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
773 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
774 const unsigned char *input,
775 unsigned char *output )
776 {
777 int c, i;
778 size_t n;
779
780 ARIA_VALIDATE_RET( ctx != NULL );
781 ARIA_VALIDATE_RET( length == 0 || input != NULL );
782 ARIA_VALIDATE_RET( length == 0 || output != NULL );
783 ARIA_VALIDATE_RET( nonce_counter != NULL );
784 ARIA_VALIDATE_RET( stream_block != NULL );
785 ARIA_VALIDATE_RET( nc_off != NULL );
786
787 n = *nc_off;
788 /* An overly large value of n can lead to an unlimited
789 * buffer overflow. Therefore, guard against this
790 * outside of parameter validation. */
791 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
792 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
793
794 while( length-- )
795 {
796 if( n == 0 ) {
797 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
798 stream_block );
799
800 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
801 if( ++nonce_counter[i - 1] != 0 )
802 break;
803 }
804 c = *input++;
805 *output++ = (unsigned char)( c ^ stream_block[n] );
806
807 n = ( n + 1 ) & 0x0F;
808 }
809
810 *nc_off = n;
811
812 return( 0 );
813 }
814 #endif /* MBEDTLS_CIPHER_MODE_CTR */
815 #endif /* !MBEDTLS_ARIA_ALT */
816
817 #if defined(MBEDTLS_SELF_TEST)
818
819 /*
820 * Basic ARIA ECB test vectors from RFC 5794
821 */
822 static const uint8_t aria_test1_ecb_key[32] = // test key
823 {
824 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
825 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
826 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
827 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
828 };
829
830 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
831 {
832 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
833 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
834 };
835
836 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
837 {
838 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
839 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
840 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
841 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
842 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
843 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
844 };
845
846 /*
847 * Mode tests from "Test Vectors for ARIA" Version 1.0
848 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
849 */
850 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
851 defined(MBEDTLS_CIPHER_MODE_CTR))
852 static const uint8_t aria_test2_key[32] =
853 {
854 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
855 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
856 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
857 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
858 };
859
860 static const uint8_t aria_test2_pt[48] =
861 {
862 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
863 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
864 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
865 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
866 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
867 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
868 };
869 #endif
870
871 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
872 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
873 {
874 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
875 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
876 };
877 #endif
878
879 #if defined(MBEDTLS_CIPHER_MODE_CBC)
880 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
881 {
882 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
883 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
884 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
885 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
886 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
887 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
888 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
889 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
890 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
891 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
892 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
893 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
894 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
895 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
896 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
897 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
898 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
899 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
900 };
901 #endif /* MBEDTLS_CIPHER_MODE_CBC */
902
903 #if defined(MBEDTLS_CIPHER_MODE_CFB)
904 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
905 {
906 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
907 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
908 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
909 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
910 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
911 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
912 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
913 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
914 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
915 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
916 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
917 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
918 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
919 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
920 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
921 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
922 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
923 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
924 };
925 #endif /* MBEDTLS_CIPHER_MODE_CFB */
926
927 #if defined(MBEDTLS_CIPHER_MODE_CTR)
928 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
929 {
930 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
931 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
932 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
933 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
934 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
935 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
936 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
937 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
938 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
939 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
940 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
941 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
942 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
943 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
944 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
945 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
946 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
947 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
948 };
949 #endif /* MBEDTLS_CIPHER_MODE_CFB */
950
951 #define ARIA_SELF_TEST_IF_FAIL \
952 { \
953 if( verbose ) \
954 mbedtls_printf( "failed\n" ); \
955 goto exit; \
956 } else { \
957 if( verbose ) \
958 mbedtls_printf( "passed\n" ); \
959 }
960
961 /*
962 * Checkup routine
963 */
mbedtls_aria_self_test(int verbose)964 int mbedtls_aria_self_test( int verbose )
965 {
966 int i;
967 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
968 mbedtls_aria_context ctx;
969 int ret = 1;
970
971 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
972 size_t j;
973 #endif
974
975 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
976 defined(MBEDTLS_CIPHER_MODE_CFB) || \
977 defined(MBEDTLS_CIPHER_MODE_CTR))
978 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
979 #endif
980
981 mbedtls_aria_init( &ctx );
982
983 /*
984 * Test set 1
985 */
986 for( i = 0; i < 3; i++ )
987 {
988 /* test ECB encryption */
989 if( verbose )
990 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
991 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
992 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
993 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
994 ARIA_SELF_TEST_IF_FAIL;
995
996 /* test ECB decryption */
997 if( verbose )
998 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
999 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
1000 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
1001 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
1002 ARIA_SELF_TEST_IF_FAIL;
1003 }
1004 if( verbose )
1005 mbedtls_printf( "\n" );
1006
1007 /*
1008 * Test set 2
1009 */
1010 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1011 for( i = 0; i < 3; i++ )
1012 {
1013 /* Test CBC encryption */
1014 if( verbose )
1015 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
1016 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1017 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1018 memset( buf, 0x55, sizeof( buf ) );
1019 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
1020 aria_test2_pt, buf );
1021 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
1022 ARIA_SELF_TEST_IF_FAIL;
1023
1024 /* Test CBC decryption */
1025 if( verbose )
1026 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
1027 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1028 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1029 memset( buf, 0xAA, sizeof( buf ) );
1030 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1031 aria_test2_cbc_ct[i], buf );
1032 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1033 ARIA_SELF_TEST_IF_FAIL;
1034 }
1035 if( verbose )
1036 mbedtls_printf( "\n" );
1037
1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1039
1040 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1041 for( i = 0; i < 3; i++ )
1042 {
1043 /* Test CFB encryption */
1044 if( verbose )
1045 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
1046 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1047 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1048 memset( buf, 0x55, sizeof( buf ) );
1049 j = 0;
1050 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1051 aria_test2_pt, buf );
1052 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1053 ARIA_SELF_TEST_IF_FAIL;
1054
1055 /* Test CFB decryption */
1056 if( verbose )
1057 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1058 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1059 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1060 memset( buf, 0xAA, sizeof( buf ) );
1061 j = 0;
1062 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1063 iv, aria_test2_cfb_ct[i], buf );
1064 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1065 ARIA_SELF_TEST_IF_FAIL;
1066 }
1067 if( verbose )
1068 mbedtls_printf( "\n" );
1069 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1070
1071 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1072 for( i = 0; i < 3; i++ )
1073 {
1074 /* Test CTR encryption */
1075 if( verbose )
1076 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1077 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1078 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1079 memset( buf, 0x55, sizeof( buf ) );
1080 j = 0;
1081 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1082 aria_test2_pt, buf );
1083 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1084 ARIA_SELF_TEST_IF_FAIL;
1085
1086 /* Test CTR decryption */
1087 if( verbose )
1088 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1089 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1090 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1091 memset( buf, 0xAA, sizeof( buf ) );
1092 j = 0;
1093 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1094 aria_test2_ctr_ct[i], buf );
1095 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1096 ARIA_SELF_TEST_IF_FAIL;
1097 }
1098 if( verbose )
1099 mbedtls_printf( "\n" );
1100 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1101
1102 ret = 0;
1103
1104 exit:
1105 mbedtls_aria_free( &ctx );
1106 return( ret );
1107 }
1108
1109 #endif /* MBEDTLS_SELF_TEST */
1110
1111 #endif /* MBEDTLS_ARIA_C */
1112