1 /*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24 /*
25 * This implementation is based on the following standards:
26 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
27 * [2] https://tools.ietf.org/html/rfc5794
28 */
29
30 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include "mbedtls/config.h"
32 #else
33 #include MBEDTLS_CONFIG_FILE
34 #endif
35
36 #if defined(MBEDTLS_ARIA_C)
37
38 #include "mbedtls/aria.h"
39
40 #include <string.h>
41
42 #if defined(MBEDTLS_SELF_TEST)
43 #if defined(MBEDTLS_PLATFORM_C)
44 #include "mbedtls/platform.h"
45 #else
46 #include <stdio.h>
47 #define mbedtls_printf printf
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
50
51 #if !defined(MBEDTLS_ARIA_ALT)
52
53 #include "mbedtls/platform_util.h"
54
55 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
56 !defined(inline) && !defined(__cplusplus)
57 #define inline __inline
58 #endif
59
60 /*
61 * 32-bit integer manipulation macros (little endian)
62 */
63 #ifndef GET_UINT32_LE
64 #define GET_UINT32_LE( n, b, i ) \
65 { \
66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
70 }
71 #endif
72
73 #ifndef PUT_UINT32_LE
74 #define PUT_UINT32_LE( n, b, i ) \
75 { \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
80 }
81 #endif
82
83 /*
84 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
85 *
86 * This is submatrix P1 in [1] Appendix B.1
87 *
88 * Common compilers fail to translate this to minimal number of instructions,
89 * so let's provide asm versions for common platforms with C fallback.
90 */
91 #if defined(MBEDTLS_HAVE_ASM)
92 #if defined(__arm__) /* rev16 available from v6 up */
93 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
94 #if defined(__GNUC__) && \
95 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
96 __ARM_ARCH >= 6
aria_p1(uint32_t x)97 static inline uint32_t aria_p1( uint32_t x )
98 {
99 uint32_t r;
100 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
101 return( r );
102 }
103 #define ARIA_P1 aria_p1
104 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
105 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)106 static inline uint32_t aria_p1( uint32_t x )
107 {
108 uint32_t r;
109 __asm( "rev16 r, x" );
110 return( r );
111 }
112 #define ARIA_P1 aria_p1
113 #endif
114 #endif /* arm */
115 #if defined(__GNUC__) && \
116 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
117 /* I couldn't find an Intel equivalent of rev16, so two instructions */
118 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
119 #endif /* x86 gnuc */
120 #endif /* MBEDTLS_HAVE_ASM && GNUC */
121 #if !defined(ARIA_P1)
122 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
123 #endif
124
125 /*
126 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
127 *
128 * This is submatrix P2 in [1] Appendix B.1
129 *
130 * Common compilers will translate this to a single instruction.
131 */
132 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
133
134 /*
135 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
136 *
137 * This is submatrix P3 in [1] Appendix B.1
138 *
139 * Some compilers fail to translate this to a single instruction,
140 * so let's provide asm versions for common platforms with C fallback.
141 */
142 #if defined(MBEDTLS_HAVE_ASM)
143 #if defined(__arm__) /* rev available from v6 up */
144 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
145 #if defined(__GNUC__) && \
146 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
147 __ARM_ARCH >= 6
aria_p3(uint32_t x)148 static inline uint32_t aria_p3( uint32_t x )
149 {
150 uint32_t r;
151 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
152 return( r );
153 }
154 #define ARIA_P3 aria_p3
155 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
156 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)157 static inline uint32_t aria_p3( uint32_t x )
158 {
159 uint32_t r;
160 __asm( "rev r, x" );
161 return( r );
162 }
163 #define ARIA_P3 aria_p3
164 #endif
165 #endif /* arm */
166 #if defined(__GNUC__) && \
167 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)168 static inline uint32_t aria_p3( uint32_t x )
169 {
170 __asm( "bswap %0" : "=r" (x) : "0" (x) );
171 return( x );
172 }
173 #define ARIA_P3 aria_p3
174 #endif /* x86 gnuc */
175 #endif /* MBEDTLS_HAVE_ASM && GNUC */
176 #if !defined(ARIA_P3)
177 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
178 #endif
179
180 /*
181 * ARIA Affine Transform
182 * (a, b, c, d) = state in/out
183 *
184 * If we denote the first byte of input by 0, ..., the last byte by f,
185 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
186 *
187 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
188 * rearrangements on adjacent pairs, output is:
189 *
190 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
191 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
192 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
193 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
194 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
195 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
196 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
197 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
198 *
199 * Note: another presentation of the A transform can be found as the first
200 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
201 * The implementation below uses only P1 and P2 as they are sufficient.
202 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)203 static inline void aria_a( uint32_t *a, uint32_t *b,
204 uint32_t *c, uint32_t *d )
205 {
206 uint32_t ta, tb, tc;
207 ta = *b; // 4567
208 *b = *a; // 0123
209 *a = ARIA_P2( ta ); // 6745
210 tb = ARIA_P2( *d ); // efcd
211 *d = ARIA_P1( *c ); // 98ba
212 *c = ARIA_P1( tb ); // fedc
213 ta ^= *d; // 4567+98ba
214 tc = ARIA_P2( *b ); // 2301
215 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
216 tb ^= ARIA_P2( *d ); // ba98+efcd
217 tc ^= ARIA_P1( *a ); // 2301+7654
218 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
219 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
220 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
221 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
222 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
223 tc = ARIA_P2( tc ); // 0123+5476
224 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
225 }
226
227 /*
228 * ARIA Substitution Layer SL1 / SL2
229 * (a, b, c, d) = state in/out
230 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
231 *
232 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
233 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
234 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])235 static inline void aria_sl( uint32_t *a, uint32_t *b,
236 uint32_t *c, uint32_t *d,
237 const uint8_t sa[256], const uint8_t sb[256],
238 const uint8_t sc[256], const uint8_t sd[256] )
239 {
240 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
241 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
242 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
243 (((uint32_t) sd[ *a >> 24 ]) << 24);
244 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
245 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
246 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
247 (((uint32_t) sd[ *b >> 24 ]) << 24);
248 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
249 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
250 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
251 (((uint32_t) sd[ *c >> 24 ]) << 24);
252 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
253 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
254 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
255 (((uint32_t) sd[ *d >> 24 ]) << 24);
256 }
257
258 /*
259 * S-Boxes
260 */
261 static const uint8_t aria_sb1[256] =
262 {
263 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
264 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
265 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
266 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
267 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
268 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
269 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
270 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
271 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
272 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
273 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
274 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
275 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
276 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
277 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
278 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
279 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
280 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
281 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
282 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
283 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
284 0xB0, 0x54, 0xBB, 0x16
285 };
286
287 static const uint8_t aria_sb2[256] =
288 {
289 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
290 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
291 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
292 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
293 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
294 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
295 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
296 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
297 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
298 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
299 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
300 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
301 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
302 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
303 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
304 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
305 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
306 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
307 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
308 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
309 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
310 0xAF, 0xBA, 0xB5, 0x81
311 };
312
313 static const uint8_t aria_is1[256] =
314 {
315 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
316 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
317 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
318 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
319 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
320 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
321 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
322 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
323 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
324 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
325 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
326 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
327 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
328 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
329 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
330 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
331 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
332 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
333 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
334 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
335 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
336 0x55, 0x21, 0x0C, 0x7D
337 };
338
339 static const uint8_t aria_is2[256] =
340 {
341 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
342 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
343 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
344 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
345 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
346 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
347 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
348 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
349 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
350 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
351 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
352 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
353 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
354 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
355 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
356 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
357 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
358 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
359 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
360 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
361 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
362 0x03, 0xA2, 0xAC, 0x60
363 };
364
365 /*
366 * Helper for key schedule: r = FO( p, k ) ^ x
367 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])368 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
369 const uint32_t k[4], const uint32_t x[4] )
370 {
371 uint32_t a, b, c, d;
372
373 a = p[0] ^ k[0];
374 b = p[1] ^ k[1];
375 c = p[2] ^ k[2];
376 d = p[3] ^ k[3];
377
378 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
379 aria_a( &a, &b, &c, &d );
380
381 r[0] = a ^ x[0];
382 r[1] = b ^ x[1];
383 r[2] = c ^ x[2];
384 r[3] = d ^ x[3];
385 }
386
387 /*
388 * Helper for key schedule: r = FE( p, k ) ^ x
389 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])390 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
391 const uint32_t k[4], const uint32_t x[4] )
392 {
393 uint32_t a, b, c, d;
394
395 a = p[0] ^ k[0];
396 b = p[1] ^ k[1];
397 c = p[2] ^ k[2];
398 d = p[3] ^ k[3];
399
400 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
401 aria_a( &a, &b, &c, &d );
402
403 r[0] = a ^ x[0];
404 r[1] = b ^ x[1];
405 r[2] = c ^ x[2];
406 r[3] = d ^ x[3];
407 }
408
409 /*
410 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
411 *
412 * We chose to store bytes into 32-bit words in little-endian format (see
413 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
414 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)415 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
416 const uint32_t b[4], uint8_t n )
417 {
418 uint8_t i, j;
419 uint32_t t, u;
420
421 const uint8_t n1 = n % 32; // bit offset
422 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
423
424 j = ( n / 32 ) % 4; // initial word offset
425 t = ARIA_P3( b[j] ); // big endian
426 for( i = 0; i < 4; i++ )
427 {
428 j = ( j + 1 ) % 4; // get next word, big endian
429 u = ARIA_P3( b[j] );
430 t <<= n1; // rotate
431 t |= u >> n2;
432 t = ARIA_P3( t ); // back to little endian
433 r[i] = a[i] ^ t; // store
434 t = u; // move to next word
435 }
436 }
437
438 /*
439 * Set encryption key
440 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)441 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
442 const unsigned char *key, unsigned int keybits )
443 {
444 /* round constant masks */
445 const uint32_t rc[3][4] =
446 {
447 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
448 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
449 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
450 };
451
452 int i;
453 uint32_t w[4][4], *w2;
454
455 if( keybits != 128 && keybits != 192 && keybits != 256 )
456 return( MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH );
457
458 /* Copy key to W0 (and potential remainder to W1) */
459 GET_UINT32_LE( w[0][0], key, 0 );
460 GET_UINT32_LE( w[0][1], key, 4 );
461 GET_UINT32_LE( w[0][2], key, 8 );
462 GET_UINT32_LE( w[0][3], key, 12 );
463
464 memset( w[1], 0, 16 );
465 if( keybits >= 192 )
466 {
467 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
468 GET_UINT32_LE( w[1][1], key, 20 );
469 }
470 if( keybits == 256 )
471 {
472 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
473 GET_UINT32_LE( w[1][3], key, 28 );
474 }
475
476 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
477 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
478
479 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
480 i = i < 2 ? i + 1 : 0;
481 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
482 i = i < 2 ? i + 1 : 0;
483 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
484
485 for( i = 0; i < 4; i++ ) // create round keys
486 {
487 w2 = w[(i + 1) & 3];
488 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
489 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
490 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
491 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
492 }
493 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
494
495 /* w holds enough info to reconstruct the round keys */
496 mbedtls_platform_zeroize( w, sizeof( w ) );
497
498 return( 0 );
499 }
500
501 /*
502 * Set decryption key
503 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)504 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
505 const unsigned char *key, unsigned int keybits )
506 {
507 int i, j, k, ret;
508
509 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
510 if( ret != 0 )
511 return( ret );
512
513 /* flip the order of round keys */
514 for( i = 0, j = ctx->nr; i < j; i++, j-- )
515 {
516 for( k = 0; k < 4; k++ )
517 {
518 uint32_t t = ctx->rk[i][k];
519 ctx->rk[i][k] = ctx->rk[j][k];
520 ctx->rk[j][k] = t;
521 }
522 }
523
524 /* apply affine transform to middle keys */
525 for( i = 1; i < ctx->nr; i++ )
526 {
527 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
528 &ctx->rk[i][2], &ctx->rk[i][3] );
529 }
530
531 return( 0 );
532 }
533
534 /*
535 * Encrypt a block
536 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])537 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
538 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
539 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
540 {
541 int i;
542
543 uint32_t a, b, c, d;
544
545 GET_UINT32_LE( a, input, 0 );
546 GET_UINT32_LE( b, input, 4 );
547 GET_UINT32_LE( c, input, 8 );
548 GET_UINT32_LE( d, input, 12 );
549
550 i = 0;
551 while( 1 )
552 {
553 a ^= ctx->rk[i][0];
554 b ^= ctx->rk[i][1];
555 c ^= ctx->rk[i][2];
556 d ^= ctx->rk[i][3];
557 i++;
558
559 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
560 aria_a( &a, &b, &c, &d );
561
562 a ^= ctx->rk[i][0];
563 b ^= ctx->rk[i][1];
564 c ^= ctx->rk[i][2];
565 d ^= ctx->rk[i][3];
566 i++;
567
568 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
569 if( i >= ctx->nr )
570 break;
571 aria_a( &a, &b, &c, &d );
572 }
573
574 /* final key mixing */
575 a ^= ctx->rk[i][0];
576 b ^= ctx->rk[i][1];
577 c ^= ctx->rk[i][2];
578 d ^= ctx->rk[i][3];
579
580 PUT_UINT32_LE( a, output, 0 );
581 PUT_UINT32_LE( b, output, 4 );
582 PUT_UINT32_LE( c, output, 8 );
583 PUT_UINT32_LE( d, output, 12 );
584
585 return( 0 );
586 }
587
588 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)589 void mbedtls_aria_init( mbedtls_aria_context *ctx )
590 {
591 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
592 }
593
594 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)595 void mbedtls_aria_free( mbedtls_aria_context *ctx )
596 {
597 if( ctx == NULL )
598 return;
599
600 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
601 }
602
603 #if defined(MBEDTLS_CIPHER_MODE_CBC)
604 /*
605 * ARIA-CBC buffer encryption/decryption
606 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)607 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
608 int mode,
609 size_t length,
610 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
611 const unsigned char *input,
612 unsigned char *output )
613 {
614 int i;
615 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
616
617 if( length % MBEDTLS_ARIA_BLOCKSIZE )
618 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
619
620 if( mode == MBEDTLS_ARIA_DECRYPT )
621 {
622 while( length > 0 )
623 {
624 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
625 mbedtls_aria_crypt_ecb( ctx, input, output );
626
627 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
628 output[i] = (unsigned char)( output[i] ^ iv[i] );
629
630 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
631
632 input += MBEDTLS_ARIA_BLOCKSIZE;
633 output += MBEDTLS_ARIA_BLOCKSIZE;
634 length -= MBEDTLS_ARIA_BLOCKSIZE;
635 }
636 }
637 else
638 {
639 while( length > 0 )
640 {
641 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
642 output[i] = (unsigned char)( input[i] ^ iv[i] );
643
644 mbedtls_aria_crypt_ecb( ctx, output, output );
645 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
646
647 input += MBEDTLS_ARIA_BLOCKSIZE;
648 output += MBEDTLS_ARIA_BLOCKSIZE;
649 length -= MBEDTLS_ARIA_BLOCKSIZE;
650 }
651 }
652
653 return( 0 );
654 }
655 #endif /* MBEDTLS_CIPHER_MODE_CBC */
656
657 #if defined(MBEDTLS_CIPHER_MODE_CFB)
658 /*
659 * ARIA-CFB128 buffer encryption/decryption
660 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)661 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
662 int mode,
663 size_t length,
664 size_t *iv_off,
665 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
666 const unsigned char *input,
667 unsigned char *output )
668 {
669 unsigned char c;
670 size_t n = *iv_off;
671
672 if( mode == MBEDTLS_ARIA_DECRYPT )
673 {
674 while( length-- )
675 {
676 if( n == 0 )
677 mbedtls_aria_crypt_ecb( ctx, iv, iv );
678
679 c = *input++;
680 *output++ = c ^ iv[n];
681 iv[n] = c;
682
683 n = ( n + 1 ) & 0x0F;
684 }
685 }
686 else
687 {
688 while( length-- )
689 {
690 if( n == 0 )
691 mbedtls_aria_crypt_ecb( ctx, iv, iv );
692
693 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
694
695 n = ( n + 1 ) & 0x0F;
696 }
697 }
698
699 *iv_off = n;
700
701 return( 0 );
702 }
703 #endif /* MBEDTLS_CIPHER_MODE_CFB */
704
705 #if defined(MBEDTLS_CIPHER_MODE_CTR)
706 /*
707 * ARIA-CTR buffer encryption/decryption
708 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)709 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
710 size_t length,
711 size_t *nc_off,
712 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
713 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
714 const unsigned char *input,
715 unsigned char *output )
716 {
717 int c, i;
718 size_t n = *nc_off;
719
720 while( length-- )
721 {
722 if( n == 0 ) {
723 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
724 stream_block );
725
726 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
727 if( ++nonce_counter[i - 1] != 0 )
728 break;
729 }
730 c = *input++;
731 *output++ = (unsigned char)( c ^ stream_block[n] );
732
733 n = ( n + 1 ) & 0x0F;
734 }
735
736 *nc_off = n;
737
738 return( 0 );
739 }
740 #endif /* MBEDTLS_CIPHER_MODE_CTR */
741 #endif /* !MBEDTLS_ARIA_ALT */
742
743 #if defined(MBEDTLS_SELF_TEST)
744
745 /*
746 * Basic ARIA ECB test vectors from RFC 5794
747 */
748 static const uint8_t aria_test1_ecb_key[32] = // test key
749 {
750 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
751 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
752 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
753 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
754 };
755
756 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
757 {
758 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
759 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
760 };
761
762 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
763 {
764 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
765 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
766 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
767 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
768 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
769 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
770 };
771
772 /*
773 * Mode tests from "Test Vectors for ARIA" Version 1.0
774 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
775 */
776 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
777 defined(MBEDTLS_CIPHER_MODE_CTR))
778 static const uint8_t aria_test2_key[32] =
779 {
780 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
781 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
782 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
783 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
784 };
785
786 static const uint8_t aria_test2_pt[48] =
787 {
788 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
789 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
790 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
791 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
792 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
793 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
794 };
795 #endif
796
797 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
798 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
799 {
800 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
801 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
802 };
803 #endif
804
805 #if defined(MBEDTLS_CIPHER_MODE_CBC)
806 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
807 {
808 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
809 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
810 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
811 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
812 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
813 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
814 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
815 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
816 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
817 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
818 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
819 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
820 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
821 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
822 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
823 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
824 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
825 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
826 };
827 #endif /* MBEDTLS_CIPHER_MODE_CBC */
828
829 #if defined(MBEDTLS_CIPHER_MODE_CFB)
830 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
831 {
832 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
833 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
834 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
835 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
836 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
837 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
838 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
839 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
840 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
841 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
842 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
843 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
844 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
845 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
846 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
847 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
848 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
849 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
850 };
851 #endif /* MBEDTLS_CIPHER_MODE_CFB */
852
853 #if defined(MBEDTLS_CIPHER_MODE_CTR)
854 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
855 {
856 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
857 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
858 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
859 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
860 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
861 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
862 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
863 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
864 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
865 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
866 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
867 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
868 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
869 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
870 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
871 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
872 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
873 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
874 };
875 #endif /* MBEDTLS_CIPHER_MODE_CFB */
876
877 #define ARIA_SELF_TEST_IF_FAIL \
878 { \
879 if( verbose ) \
880 printf( "failed\n" ); \
881 return( 1 ); \
882 } else { \
883 if( verbose ) \
884 printf( "passed\n" ); \
885 }
886
887 /*
888 * Checkup routine
889 */
mbedtls_aria_self_test(int verbose)890 int mbedtls_aria_self_test( int verbose )
891 {
892 int i;
893 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
894 mbedtls_aria_context ctx;
895
896 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
897 size_t j;
898 #endif
899
900 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
901 defined(MBEDTLS_CIPHER_MODE_CFB) || \
902 defined(MBEDTLS_CIPHER_MODE_CTR))
903 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
904 #endif
905
906 /*
907 * Test set 1
908 */
909 for( i = 0; i < 3; i++ )
910 {
911 /* test ECB encryption */
912 if( verbose )
913 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
914 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
915 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
916 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
917 ARIA_SELF_TEST_IF_FAIL;
918
919 /* test ECB decryption */
920 if( verbose )
921 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
922 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
923 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
924 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
925 ARIA_SELF_TEST_IF_FAIL;
926 }
927 if( verbose )
928 printf( "\n" );
929
930 /*
931 * Test set 2
932 */
933 #if defined(MBEDTLS_CIPHER_MODE_CBC)
934 for( i = 0; i < 3; i++ )
935 {
936 /* Test CBC encryption */
937 if( verbose )
938 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
939 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
940 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
941 memset( buf, 0x55, sizeof( buf ) );
942 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
943 aria_test2_pt, buf );
944 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
945 ARIA_SELF_TEST_IF_FAIL;
946
947 /* Test CBC decryption */
948 if( verbose )
949 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
950 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
951 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
952 memset( buf, 0xAA, sizeof( buf ) );
953 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
954 aria_test2_cbc_ct[i], buf );
955 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
956 ARIA_SELF_TEST_IF_FAIL;
957 }
958 if( verbose )
959 printf( "\n" );
960
961 #endif /* MBEDTLS_CIPHER_MODE_CBC */
962
963 #if defined(MBEDTLS_CIPHER_MODE_CFB)
964 for( i = 0; i < 3; i++ )
965 {
966 /* Test CFB encryption */
967 if( verbose )
968 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
969 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
970 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
971 memset( buf, 0x55, sizeof( buf ) );
972 j = 0;
973 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
974 aria_test2_pt, buf );
975 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
976 ARIA_SELF_TEST_IF_FAIL;
977
978 /* Test CFB decryption */
979 if( verbose )
980 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
981 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
982 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
983 memset( buf, 0xAA, sizeof( buf ) );
984 j = 0;
985 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
986 iv, aria_test2_cfb_ct[i], buf );
987 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
988 ARIA_SELF_TEST_IF_FAIL;
989 }
990 if( verbose )
991 printf( "\n" );
992 #endif /* MBEDTLS_CIPHER_MODE_CFB */
993
994 #if defined(MBEDTLS_CIPHER_MODE_CTR)
995 for( i = 0; i < 3; i++ )
996 {
997 /* Test CTR encryption */
998 if( verbose )
999 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1000 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1001 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1002 memset( buf, 0x55, sizeof( buf ) );
1003 j = 0;
1004 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1005 aria_test2_pt, buf );
1006 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1007 ARIA_SELF_TEST_IF_FAIL;
1008
1009 /* Test CTR decryption */
1010 if( verbose )
1011 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1012 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1013 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1014 memset( buf, 0xAA, sizeof( buf ) );
1015 j = 0;
1016 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1017 aria_test2_ctr_ct[i], buf );
1018 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1019 ARIA_SELF_TEST_IF_FAIL;
1020 }
1021 if( verbose )
1022 printf( "\n" );
1023 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1024
1025 return( 0 );
1026 }
1027
1028 #endif /* MBEDTLS_SELF_TEST */
1029
1030 #endif /* MBEDTLS_ARIA_C */
1031