1 /*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24 /*
25 * This implementation is based on the following standards:
26 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
27 * [2] https://tools.ietf.org/html/rfc5794
28 */
29
30 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include "mbedtls/config.h"
32 #else
33 #include MBEDTLS_CONFIG_FILE
34 #endif
35
36 #if defined(MBEDTLS_ARIA_C)
37
38 #include "mbedtls/aria.h"
39
40 #include <string.h>
41
42 #if defined(MBEDTLS_SELF_TEST)
43 #if defined(MBEDTLS_PLATFORM_C)
44 #include "mbedtls/platform.h"
45 #else
46 #include <stdio.h>
47 #define mbedtls_printf printf
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
50
51 #if !defined(MBEDTLS_ARIA_ALT)
52
53 #include "mbedtls/platform_util.h"
54
55 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
56 !defined(inline) && !defined(__cplusplus)
57 #define inline __inline
58 #endif
59
60 /* Parameter validation macros */
61 #define ARIA_VALIDATE_RET( cond ) \
62 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
63 #define ARIA_VALIDATE( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE( cond )
65
66 /*
67 * 32-bit integer manipulation macros (little endian)
68 */
69 #ifndef GET_UINT32_LE
70 #define GET_UINT32_LE( n, b, i ) \
71 { \
72 (n) = ( (uint32_t) (b)[(i) ] ) \
73 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
74 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
75 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
76 }
77 #endif
78
79 #ifndef PUT_UINT32_LE
80 #define PUT_UINT32_LE( n, b, i ) \
81 { \
82 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
83 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
84 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
85 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
86 }
87 #endif
88
89 /*
90 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
91 *
92 * This is submatrix P1 in [1] Appendix B.1
93 *
94 * Common compilers fail to translate this to minimal number of instructions,
95 * so let's provide asm versions for common platforms with C fallback.
96 */
97 #if defined(MBEDTLS_HAVE_ASM)
98 #if defined(__arm__) /* rev16 available from v6 up */
99 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
100 #if defined(__GNUC__) && \
101 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
102 __ARM_ARCH >= 6
aria_p1(uint32_t x)103 static inline uint32_t aria_p1( uint32_t x )
104 {
105 uint32_t r;
106 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
107 return( r );
108 }
109 #define ARIA_P1 aria_p1
110 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
111 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)112 static inline uint32_t aria_p1( uint32_t x )
113 {
114 uint32_t r;
115 __asm( "rev16 r, x" );
116 return( r );
117 }
118 #define ARIA_P1 aria_p1
119 #endif
120 #endif /* arm */
121 #if defined(__GNUC__) && \
122 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
123 /* I couldn't find an Intel equivalent of rev16, so two instructions */
124 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
125 #endif /* x86 gnuc */
126 #endif /* MBEDTLS_HAVE_ASM && GNUC */
127 #if !defined(ARIA_P1)
128 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
129 #endif
130
131 /*
132 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
133 *
134 * This is submatrix P2 in [1] Appendix B.1
135 *
136 * Common compilers will translate this to a single instruction.
137 */
138 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
139
140 /*
141 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
142 *
143 * This is submatrix P3 in [1] Appendix B.1
144 *
145 * Some compilers fail to translate this to a single instruction,
146 * so let's provide asm versions for common platforms with C fallback.
147 */
148 #if defined(MBEDTLS_HAVE_ASM)
149 #if defined(__arm__) /* rev available from v6 up */
150 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
151 #if defined(__GNUC__) && \
152 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
153 __ARM_ARCH >= 6
aria_p3(uint32_t x)154 static inline uint32_t aria_p3( uint32_t x )
155 {
156 uint32_t r;
157 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
158 return( r );
159 }
160 #define ARIA_P3 aria_p3
161 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
162 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)163 static inline uint32_t aria_p3( uint32_t x )
164 {
165 uint32_t r;
166 __asm( "rev r, x" );
167 return( r );
168 }
169 #define ARIA_P3 aria_p3
170 #endif
171 #endif /* arm */
172 #if defined(__GNUC__) && \
173 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)174 static inline uint32_t aria_p3( uint32_t x )
175 {
176 __asm( "bswap %0" : "=r" (x) : "0" (x) );
177 return( x );
178 }
179 #define ARIA_P3 aria_p3
180 #endif /* x86 gnuc */
181 #endif /* MBEDTLS_HAVE_ASM && GNUC */
182 #if !defined(ARIA_P3)
183 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
184 #endif
185
186 /*
187 * ARIA Affine Transform
188 * (a, b, c, d) = state in/out
189 *
190 * If we denote the first byte of input by 0, ..., the last byte by f,
191 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
192 *
193 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
194 * rearrangements on adjacent pairs, output is:
195 *
196 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
197 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
198 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
199 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
200 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
201 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
202 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
203 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
204 *
205 * Note: another presentation of the A transform can be found as the first
206 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
207 * The implementation below uses only P1 and P2 as they are sufficient.
208 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)209 static inline void aria_a( uint32_t *a, uint32_t *b,
210 uint32_t *c, uint32_t *d )
211 {
212 uint32_t ta, tb, tc;
213 ta = *b; // 4567
214 *b = *a; // 0123
215 *a = ARIA_P2( ta ); // 6745
216 tb = ARIA_P2( *d ); // efcd
217 *d = ARIA_P1( *c ); // 98ba
218 *c = ARIA_P1( tb ); // fedc
219 ta ^= *d; // 4567+98ba
220 tc = ARIA_P2( *b ); // 2301
221 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
222 tb ^= ARIA_P2( *d ); // ba98+efcd
223 tc ^= ARIA_P1( *a ); // 2301+7654
224 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
225 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
226 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
227 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
228 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
229 tc = ARIA_P2( tc ); // 0123+5476
230 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
231 }
232
233 /*
234 * ARIA Substitution Layer SL1 / SL2
235 * (a, b, c, d) = state in/out
236 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
237 *
238 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
239 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
240 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])241 static inline void aria_sl( uint32_t *a, uint32_t *b,
242 uint32_t *c, uint32_t *d,
243 const uint8_t sa[256], const uint8_t sb[256],
244 const uint8_t sc[256], const uint8_t sd[256] )
245 {
246 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
247 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
248 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
249 (((uint32_t) sd[ *a >> 24 ]) << 24);
250 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
251 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
252 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
253 (((uint32_t) sd[ *b >> 24 ]) << 24);
254 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
255 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
256 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
257 (((uint32_t) sd[ *c >> 24 ]) << 24);
258 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
259 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
260 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
261 (((uint32_t) sd[ *d >> 24 ]) << 24);
262 }
263
264 /*
265 * S-Boxes
266 */
267 static const uint8_t aria_sb1[256] =
268 {
269 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
270 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
271 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
272 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
273 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
274 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
275 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
276 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
277 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
278 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
279 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
280 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
281 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
282 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
283 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
284 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
285 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
286 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
287 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
288 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
289 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
290 0xB0, 0x54, 0xBB, 0x16
291 };
292
293 static const uint8_t aria_sb2[256] =
294 {
295 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
296 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
297 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
298 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
299 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
300 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
301 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
302 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
303 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
304 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
305 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
306 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
307 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
308 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
309 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
310 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
311 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
312 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
313 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
314 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
315 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
316 0xAF, 0xBA, 0xB5, 0x81
317 };
318
319 static const uint8_t aria_is1[256] =
320 {
321 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
322 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
323 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
324 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
325 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
326 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
327 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
328 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
329 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
330 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
331 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
332 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
333 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
334 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
335 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
336 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
337 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
338 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
339 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
340 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
341 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
342 0x55, 0x21, 0x0C, 0x7D
343 };
344
345 static const uint8_t aria_is2[256] =
346 {
347 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
348 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
349 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
350 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
351 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
352 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
353 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
354 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
355 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
356 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
357 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
358 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
359 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
360 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
361 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
362 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
363 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
364 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
365 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
366 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
367 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
368 0x03, 0xA2, 0xAC, 0x60
369 };
370
371 /*
372 * Helper for key schedule: r = FO( p, k ) ^ x
373 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])374 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
375 const uint32_t k[4], const uint32_t x[4] )
376 {
377 uint32_t a, b, c, d;
378
379 a = p[0] ^ k[0];
380 b = p[1] ^ k[1];
381 c = p[2] ^ k[2];
382 d = p[3] ^ k[3];
383
384 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
385 aria_a( &a, &b, &c, &d );
386
387 r[0] = a ^ x[0];
388 r[1] = b ^ x[1];
389 r[2] = c ^ x[2];
390 r[3] = d ^ x[3];
391 }
392
393 /*
394 * Helper for key schedule: r = FE( p, k ) ^ x
395 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])396 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
397 const uint32_t k[4], const uint32_t x[4] )
398 {
399 uint32_t a, b, c, d;
400
401 a = p[0] ^ k[0];
402 b = p[1] ^ k[1];
403 c = p[2] ^ k[2];
404 d = p[3] ^ k[3];
405
406 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
407 aria_a( &a, &b, &c, &d );
408
409 r[0] = a ^ x[0];
410 r[1] = b ^ x[1];
411 r[2] = c ^ x[2];
412 r[3] = d ^ x[3];
413 }
414
415 /*
416 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
417 *
418 * We chose to store bytes into 32-bit words in little-endian format (see
419 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
420 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)421 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
422 const uint32_t b[4], uint8_t n )
423 {
424 uint8_t i, j;
425 uint32_t t, u;
426
427 const uint8_t n1 = n % 32; // bit offset
428 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
429
430 j = ( n / 32 ) % 4; // initial word offset
431 t = ARIA_P3( b[j] ); // big endian
432 for( i = 0; i < 4; i++ )
433 {
434 j = ( j + 1 ) % 4; // get next word, big endian
435 u = ARIA_P3( b[j] );
436 t <<= n1; // rotate
437 t |= u >> n2;
438 t = ARIA_P3( t ); // back to little endian
439 r[i] = a[i] ^ t; // store
440 t = u; // move to next word
441 }
442 }
443
444 /*
445 * Set encryption key
446 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)447 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
448 const unsigned char *key, unsigned int keybits )
449 {
450 /* round constant masks */
451 const uint32_t rc[3][4] =
452 {
453 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
454 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
455 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
456 };
457
458 int i;
459 uint32_t w[4][4], *w2;
460 ARIA_VALIDATE_RET( ctx != NULL );
461 ARIA_VALIDATE_RET( key != NULL );
462
463 if( keybits != 128 && keybits != 192 && keybits != 256 )
464 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
465
466 /* Copy key to W0 (and potential remainder to W1) */
467 GET_UINT32_LE( w[0][0], key, 0 );
468 GET_UINT32_LE( w[0][1], key, 4 );
469 GET_UINT32_LE( w[0][2], key, 8 );
470 GET_UINT32_LE( w[0][3], key, 12 );
471
472 memset( w[1], 0, 16 );
473 if( keybits >= 192 )
474 {
475 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
476 GET_UINT32_LE( w[1][1], key, 20 );
477 }
478 if( keybits == 256 )
479 {
480 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
481 GET_UINT32_LE( w[1][3], key, 28 );
482 }
483
484 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
485 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
486
487 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
488 i = i < 2 ? i + 1 : 0;
489 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
490 i = i < 2 ? i + 1 : 0;
491 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
492
493 for( i = 0; i < 4; i++ ) // create round keys
494 {
495 w2 = w[(i + 1) & 3];
496 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
497 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
498 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
499 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
500 }
501 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
502
503 /* w holds enough info to reconstruct the round keys */
504 mbedtls_platform_zeroize( w, sizeof( w ) );
505
506 return( 0 );
507 }
508
509 /*
510 * Set decryption key
511 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)512 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
513 const unsigned char *key, unsigned int keybits )
514 {
515 int i, j, k, ret;
516 ARIA_VALIDATE_RET( ctx != NULL );
517 ARIA_VALIDATE_RET( key != NULL );
518
519 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
520 if( ret != 0 )
521 return( ret );
522
523 /* flip the order of round keys */
524 for( i = 0, j = ctx->nr; i < j; i++, j-- )
525 {
526 for( k = 0; k < 4; k++ )
527 {
528 uint32_t t = ctx->rk[i][k];
529 ctx->rk[i][k] = ctx->rk[j][k];
530 ctx->rk[j][k] = t;
531 }
532 }
533
534 /* apply affine transform to middle keys */
535 for( i = 1; i < ctx->nr; i++ )
536 {
537 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
538 &ctx->rk[i][2], &ctx->rk[i][3] );
539 }
540
541 return( 0 );
542 }
543
544 /*
545 * Encrypt a block
546 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])547 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
548 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
549 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
550 {
551 int i;
552
553 uint32_t a, b, c, d;
554 ARIA_VALIDATE_RET( ctx != NULL );
555 ARIA_VALIDATE_RET( input != NULL );
556 ARIA_VALIDATE_RET( output != NULL );
557
558 GET_UINT32_LE( a, input, 0 );
559 GET_UINT32_LE( b, input, 4 );
560 GET_UINT32_LE( c, input, 8 );
561 GET_UINT32_LE( d, input, 12 );
562
563 i = 0;
564 while( 1 )
565 {
566 a ^= ctx->rk[i][0];
567 b ^= ctx->rk[i][1];
568 c ^= ctx->rk[i][2];
569 d ^= ctx->rk[i][3];
570 i++;
571
572 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
573 aria_a( &a, &b, &c, &d );
574
575 a ^= ctx->rk[i][0];
576 b ^= ctx->rk[i][1];
577 c ^= ctx->rk[i][2];
578 d ^= ctx->rk[i][3];
579 i++;
580
581 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
582 if( i >= ctx->nr )
583 break;
584 aria_a( &a, &b, &c, &d );
585 }
586
587 /* final key mixing */
588 a ^= ctx->rk[i][0];
589 b ^= ctx->rk[i][1];
590 c ^= ctx->rk[i][2];
591 d ^= ctx->rk[i][3];
592
593 PUT_UINT32_LE( a, output, 0 );
594 PUT_UINT32_LE( b, output, 4 );
595 PUT_UINT32_LE( c, output, 8 );
596 PUT_UINT32_LE( d, output, 12 );
597
598 return( 0 );
599 }
600
601 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)602 void mbedtls_aria_init( mbedtls_aria_context *ctx )
603 {
604 ARIA_VALIDATE( ctx != NULL );
605 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
606 }
607
608 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)609 void mbedtls_aria_free( mbedtls_aria_context *ctx )
610 {
611 if( ctx == NULL )
612 return;
613
614 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
615 }
616
617 #if defined(MBEDTLS_CIPHER_MODE_CBC)
618 /*
619 * ARIA-CBC buffer encryption/decryption
620 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)621 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
622 int mode,
623 size_t length,
624 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
625 const unsigned char *input,
626 unsigned char *output )
627 {
628 int i;
629 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
630
631 ARIA_VALIDATE_RET( ctx != NULL );
632 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
633 mode == MBEDTLS_ARIA_DECRYPT );
634 ARIA_VALIDATE_RET( length == 0 || input != NULL );
635 ARIA_VALIDATE_RET( length == 0 || output != NULL );
636 ARIA_VALIDATE_RET( iv != NULL );
637
638 if( length % MBEDTLS_ARIA_BLOCKSIZE )
639 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
640
641 if( mode == MBEDTLS_ARIA_DECRYPT )
642 {
643 while( length > 0 )
644 {
645 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
646 mbedtls_aria_crypt_ecb( ctx, input, output );
647
648 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
649 output[i] = (unsigned char)( output[i] ^ iv[i] );
650
651 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
652
653 input += MBEDTLS_ARIA_BLOCKSIZE;
654 output += MBEDTLS_ARIA_BLOCKSIZE;
655 length -= MBEDTLS_ARIA_BLOCKSIZE;
656 }
657 }
658 else
659 {
660 while( length > 0 )
661 {
662 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
663 output[i] = (unsigned char)( input[i] ^ iv[i] );
664
665 mbedtls_aria_crypt_ecb( ctx, output, output );
666 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
667
668 input += MBEDTLS_ARIA_BLOCKSIZE;
669 output += MBEDTLS_ARIA_BLOCKSIZE;
670 length -= MBEDTLS_ARIA_BLOCKSIZE;
671 }
672 }
673
674 return( 0 );
675 }
676 #endif /* MBEDTLS_CIPHER_MODE_CBC */
677
678 #if defined(MBEDTLS_CIPHER_MODE_CFB)
679 /*
680 * ARIA-CFB128 buffer encryption/decryption
681 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)682 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
683 int mode,
684 size_t length,
685 size_t *iv_off,
686 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
687 const unsigned char *input,
688 unsigned char *output )
689 {
690 unsigned char c;
691 size_t n;
692
693 ARIA_VALIDATE_RET( ctx != NULL );
694 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
695 mode == MBEDTLS_ARIA_DECRYPT );
696 ARIA_VALIDATE_RET( length == 0 || input != NULL );
697 ARIA_VALIDATE_RET( length == 0 || output != NULL );
698 ARIA_VALIDATE_RET( iv != NULL );
699 ARIA_VALIDATE_RET( iv_off != NULL );
700
701 n = *iv_off;
702
703 /* An overly large value of n can lead to an unlimited
704 * buffer overflow. Therefore, guard against this
705 * outside of parameter validation. */
706 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
707 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
708
709 if( mode == MBEDTLS_ARIA_DECRYPT )
710 {
711 while( length-- )
712 {
713 if( n == 0 )
714 mbedtls_aria_crypt_ecb( ctx, iv, iv );
715
716 c = *input++;
717 *output++ = c ^ iv[n];
718 iv[n] = c;
719
720 n = ( n + 1 ) & 0x0F;
721 }
722 }
723 else
724 {
725 while( length-- )
726 {
727 if( n == 0 )
728 mbedtls_aria_crypt_ecb( ctx, iv, iv );
729
730 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
731
732 n = ( n + 1 ) & 0x0F;
733 }
734 }
735
736 *iv_off = n;
737
738 return( 0 );
739 }
740 #endif /* MBEDTLS_CIPHER_MODE_CFB */
741
742 #if defined(MBEDTLS_CIPHER_MODE_CTR)
743 /*
744 * ARIA-CTR buffer encryption/decryption
745 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)746 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
747 size_t length,
748 size_t *nc_off,
749 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
750 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
751 const unsigned char *input,
752 unsigned char *output )
753 {
754 int c, i;
755 size_t n;
756
757 ARIA_VALIDATE_RET( ctx != NULL );
758 ARIA_VALIDATE_RET( length == 0 || input != NULL );
759 ARIA_VALIDATE_RET( length == 0 || output != NULL );
760 ARIA_VALIDATE_RET( nonce_counter != NULL );
761 ARIA_VALIDATE_RET( stream_block != NULL );
762 ARIA_VALIDATE_RET( nc_off != NULL );
763
764 n = *nc_off;
765 /* An overly large value of n can lead to an unlimited
766 * buffer overflow. Therefore, guard against this
767 * outside of parameter validation. */
768 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
769 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
770
771 while( length-- )
772 {
773 if( n == 0 ) {
774 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
775 stream_block );
776
777 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
778 if( ++nonce_counter[i - 1] != 0 )
779 break;
780 }
781 c = *input++;
782 *output++ = (unsigned char)( c ^ stream_block[n] );
783
784 n = ( n + 1 ) & 0x0F;
785 }
786
787 *nc_off = n;
788
789 return( 0 );
790 }
791 #endif /* MBEDTLS_CIPHER_MODE_CTR */
792 #endif /* !MBEDTLS_ARIA_ALT */
793
794 #if defined(MBEDTLS_SELF_TEST)
795
796 /*
797 * Basic ARIA ECB test vectors from RFC 5794
798 */
799 static const uint8_t aria_test1_ecb_key[32] = // test key
800 {
801 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
802 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
803 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
804 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
805 };
806
807 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
808 {
809 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
810 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
811 };
812
813 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
814 {
815 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
816 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
817 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
818 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
819 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
820 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
821 };
822
823 /*
824 * Mode tests from "Test Vectors for ARIA" Version 1.0
825 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
826 */
827 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
828 defined(MBEDTLS_CIPHER_MODE_CTR))
829 static const uint8_t aria_test2_key[32] =
830 {
831 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
832 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
833 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
834 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
835 };
836
837 static const uint8_t aria_test2_pt[48] =
838 {
839 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
840 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
841 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
842 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
843 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
844 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
845 };
846 #endif
847
848 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
849 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
850 {
851 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
852 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
853 };
854 #endif
855
856 #if defined(MBEDTLS_CIPHER_MODE_CBC)
857 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
858 {
859 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
860 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
861 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
862 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
863 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
864 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
865 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
866 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
867 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
868 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
869 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
870 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
871 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
872 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
873 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
874 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
875 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
876 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
877 };
878 #endif /* MBEDTLS_CIPHER_MODE_CBC */
879
880 #if defined(MBEDTLS_CIPHER_MODE_CFB)
881 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
882 {
883 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
884 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
885 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
886 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
887 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
888 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
889 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
890 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
891 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
892 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
893 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
894 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
895 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
896 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
897 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
898 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
899 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
900 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
901 };
902 #endif /* MBEDTLS_CIPHER_MODE_CFB */
903
904 #if defined(MBEDTLS_CIPHER_MODE_CTR)
905 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
906 {
907 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
908 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
909 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
910 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
911 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
912 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
913 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
914 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
915 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
916 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
917 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
918 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
919 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
920 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
921 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
922 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
923 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
924 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
925 };
926 #endif /* MBEDTLS_CIPHER_MODE_CFB */
927
928 #define ARIA_SELF_TEST_IF_FAIL \
929 { \
930 if( verbose ) \
931 mbedtls_printf( "failed\n" ); \
932 return( 1 ); \
933 } else { \
934 if( verbose ) \
935 mbedtls_printf( "passed\n" ); \
936 }
937
938 /*
939 * Checkup routine
940 */
mbedtls_aria_self_test(int verbose)941 int mbedtls_aria_self_test( int verbose )
942 {
943 int i;
944 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
945 mbedtls_aria_context ctx;
946
947 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
948 size_t j;
949 #endif
950
951 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
952 defined(MBEDTLS_CIPHER_MODE_CFB) || \
953 defined(MBEDTLS_CIPHER_MODE_CTR))
954 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
955 #endif
956
957 /*
958 * Test set 1
959 */
960 for( i = 0; i < 3; i++ )
961 {
962 /* test ECB encryption */
963 if( verbose )
964 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
965 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
966 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
967 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
968 ARIA_SELF_TEST_IF_FAIL;
969
970 /* test ECB decryption */
971 if( verbose )
972 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
973 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
974 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
975 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
976 ARIA_SELF_TEST_IF_FAIL;
977 }
978 if( verbose )
979 mbedtls_printf( "\n" );
980
981 /*
982 * Test set 2
983 */
984 #if defined(MBEDTLS_CIPHER_MODE_CBC)
985 for( i = 0; i < 3; i++ )
986 {
987 /* Test CBC encryption */
988 if( verbose )
989 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
990 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
991 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
992 memset( buf, 0x55, sizeof( buf ) );
993 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
994 aria_test2_pt, buf );
995 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
996 ARIA_SELF_TEST_IF_FAIL;
997
998 /* Test CBC decryption */
999 if( verbose )
1000 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
1001 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1002 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1003 memset( buf, 0xAA, sizeof( buf ) );
1004 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1005 aria_test2_cbc_ct[i], buf );
1006 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1007 ARIA_SELF_TEST_IF_FAIL;
1008 }
1009 if( verbose )
1010 mbedtls_printf( "\n" );
1011
1012 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1013
1014 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1015 for( i = 0; i < 3; i++ )
1016 {
1017 /* Test CFB encryption */
1018 if( verbose )
1019 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
1020 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1021 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1022 memset( buf, 0x55, sizeof( buf ) );
1023 j = 0;
1024 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1025 aria_test2_pt, buf );
1026 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1027 ARIA_SELF_TEST_IF_FAIL;
1028
1029 /* Test CFB decryption */
1030 if( verbose )
1031 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1032 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1033 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1034 memset( buf, 0xAA, sizeof( buf ) );
1035 j = 0;
1036 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1037 iv, aria_test2_cfb_ct[i], buf );
1038 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1039 ARIA_SELF_TEST_IF_FAIL;
1040 }
1041 if( verbose )
1042 mbedtls_printf( "\n" );
1043 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1044
1045 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1046 for( i = 0; i < 3; i++ )
1047 {
1048 /* Test CTR encryption */
1049 if( verbose )
1050 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1051 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1052 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1053 memset( buf, 0x55, sizeof( buf ) );
1054 j = 0;
1055 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1056 aria_test2_pt, buf );
1057 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1058 ARIA_SELF_TEST_IF_FAIL;
1059
1060 /* Test CTR decryption */
1061 if( verbose )
1062 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1063 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1064 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1065 memset( buf, 0xAA, sizeof( buf ) );
1066 j = 0;
1067 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1068 aria_test2_ctr_ct[i], buf );
1069 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1070 ARIA_SELF_TEST_IF_FAIL;
1071 }
1072 if( verbose )
1073 mbedtls_printf( "\n" );
1074 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1075
1076 return( 0 );
1077 }
1078
1079 #endif /* MBEDTLS_SELF_TEST */
1080
1081 #endif /* MBEDTLS_ARIA_C */
1082