1 /* 2 * ARIA implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 */ 46 47 /* 48 * This implementation is based on the following standards: 49 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 50 * [2] https://tools.ietf.org/html/rfc5794 51 */ 52 53 #if !defined(MBEDTLS_CONFIG_FILE) 54 #include "mbedtls/config.h" 55 #else 56 #include MBEDTLS_CONFIG_FILE 57 #endif 58 59 #if defined(MBEDTLS_ARIA_C) 60 61 #include "mbedtls/aria.h" 62 63 #include <string.h> 64 65 #if defined(MBEDTLS_SELF_TEST) 66 #if defined(MBEDTLS_PLATFORM_C) 67 #include "mbedtls/platform.h" 68 #else 69 #include <stdio.h> 70 #define mbedtls_printf printf 71 #endif /* MBEDTLS_PLATFORM_C */ 72 #endif /* MBEDTLS_SELF_TEST */ 73 74 #if !defined(MBEDTLS_ARIA_ALT) 75 76 #include "mbedtls/platform_util.h" 77 78 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 79 !defined(inline) && !defined(__cplusplus) 80 #define inline __inline 81 #endif 82 83 /* Parameter validation macros */ 84 #define ARIA_VALIDATE_RET( cond ) \ 85 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) 86 #define ARIA_VALIDATE( cond ) \ 87 MBEDTLS_INTERNAL_VALIDATE( cond ) 88 89 /* 90 * 32-bit integer manipulation macros (little endian) 91 */ 92 #ifndef GET_UINT32_LE 93 #define GET_UINT32_LE( n, b, i ) \ 94 { \ 95 (n) = ( (uint32_t) (b)[(i) ] ) \ 96 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 97 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 98 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 99 } 100 #endif 101 102 #ifndef PUT_UINT32_LE 103 #define PUT_UINT32_LE( n, b, i ) \ 104 { \ 105 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 106 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 107 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 108 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 109 } 110 #endif 111 112 /* 113 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 114 * 115 * This is submatrix P1 in [1] Appendix B.1 116 * 117 * Common compilers fail to translate this to minimal number of instructions, 118 * so let's provide asm versions for common platforms with C fallback. 119 */ 120 #if defined(MBEDTLS_HAVE_ASM) 121 #if defined(__arm__) /* rev16 available from v6 up */ 122 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 123 #if defined(__GNUC__) && \ 124 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 125 __ARM_ARCH >= 6 126 static inline uint32_t aria_p1( uint32_t x ) 127 { 128 uint32_t r; 129 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); 130 return( r ); 131 } 132 #define ARIA_P1 aria_p1 133 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 134 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 135 static inline uint32_t aria_p1( uint32_t x ) 136 { 137 uint32_t r; 138 __asm( "rev16 r, x" ); 139 return( r ); 140 } 141 #define ARIA_P1 aria_p1 142 #endif 143 #endif /* arm */ 144 #if defined(__GNUC__) && \ 145 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 146 /* I couldn't find an Intel equivalent of rev16, so two instructions */ 147 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) 148 #endif /* x86 gnuc */ 149 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 150 #if !defined(ARIA_P1) 151 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 152 #endif 153 154 /* 155 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 156 * 157 * This is submatrix P2 in [1] Appendix B.1 158 * 159 * Common compilers will translate this to a single instruction. 160 */ 161 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 162 163 /* 164 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 165 * 166 * This is submatrix P3 in [1] Appendix B.1 167 * 168 * Some compilers fail to translate this to a single instruction, 169 * so let's provide asm versions for common platforms with C fallback. 170 */ 171 #if defined(MBEDTLS_HAVE_ASM) 172 #if defined(__arm__) /* rev available from v6 up */ 173 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 174 #if defined(__GNUC__) && \ 175 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 176 __ARM_ARCH >= 6 177 static inline uint32_t aria_p3( uint32_t x ) 178 { 179 uint32_t r; 180 __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); 181 return( r ); 182 } 183 #define ARIA_P3 aria_p3 184 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 185 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 186 static inline uint32_t aria_p3( uint32_t x ) 187 { 188 uint32_t r; 189 __asm( "rev r, x" ); 190 return( r ); 191 } 192 #define ARIA_P3 aria_p3 193 #endif 194 #endif /* arm */ 195 #if defined(__GNUC__) && \ 196 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 197 static inline uint32_t aria_p3( uint32_t x ) 198 { 199 __asm( "bswap %0" : "=r" (x) : "0" (x) ); 200 return( x ); 201 } 202 #define ARIA_P3 aria_p3 203 #endif /* x86 gnuc */ 204 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 205 #if !defined(ARIA_P3) 206 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) 207 #endif 208 209 /* 210 * ARIA Affine Transform 211 * (a, b, c, d) = state in/out 212 * 213 * If we denote the first byte of input by 0, ..., the last byte by f, 214 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 215 * 216 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 217 * rearrangements on adjacent pairs, output is: 218 * 219 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 220 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 221 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 222 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 223 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 224 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 225 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 226 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 227 * 228 * Note: another presentation of the A transform can be found as the first 229 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 230 * The implementation below uses only P1 and P2 as they are sufficient. 231 */ 232 static inline void aria_a( uint32_t *a, uint32_t *b, 233 uint32_t *c, uint32_t *d ) 234 { 235 uint32_t ta, tb, tc; 236 ta = *b; // 4567 237 *b = *a; // 0123 238 *a = ARIA_P2( ta ); // 6745 239 tb = ARIA_P2( *d ); // efcd 240 *d = ARIA_P1( *c ); // 98ba 241 *c = ARIA_P1( tb ); // fedc 242 ta ^= *d; // 4567+98ba 243 tc = ARIA_P2( *b ); // 2301 244 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc 245 tb ^= ARIA_P2( *d ); // ba98+efcd 246 tc ^= ARIA_P1( *a ); // 2301+7654 247 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 248 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 249 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 250 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe 251 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 252 tc = ARIA_P2( tc ); // 0123+5476 253 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 254 } 255 256 /* 257 * ARIA Substitution Layer SL1 / SL2 258 * (a, b, c, d) = state in/out 259 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 260 * 261 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 262 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 263 */ 264 static inline void aria_sl( uint32_t *a, uint32_t *b, 265 uint32_t *c, uint32_t *d, 266 const uint8_t sa[256], const uint8_t sb[256], 267 const uint8_t sc[256], const uint8_t sd[256] ) 268 { 269 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ 270 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ 271 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ 272 (((uint32_t) sd[ *a >> 24 ]) << 24); 273 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ 274 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ 275 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ 276 (((uint32_t) sd[ *b >> 24 ]) << 24); 277 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ 278 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ 279 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ 280 (((uint32_t) sd[ *c >> 24 ]) << 24); 281 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ 282 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ 283 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ 284 (((uint32_t) sd[ *d >> 24 ]) << 24); 285 } 286 287 /* 288 * S-Boxes 289 */ 290 static const uint8_t aria_sb1[256] = 291 { 292 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 293 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 294 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 295 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 296 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 297 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 298 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 299 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 300 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 301 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 302 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 303 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 304 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 305 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 306 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 307 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 308 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 309 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 310 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 311 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 312 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 313 0xB0, 0x54, 0xBB, 0x16 314 }; 315 316 static const uint8_t aria_sb2[256] = 317 { 318 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 319 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 320 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 321 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 322 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 323 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 324 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 325 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 326 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 327 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 328 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 329 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 330 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 331 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 332 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 333 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 334 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 335 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 336 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 337 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 338 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 339 0xAF, 0xBA, 0xB5, 0x81 340 }; 341 342 static const uint8_t aria_is1[256] = 343 { 344 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 345 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 346 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 347 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 348 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 349 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 350 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 351 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 352 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 353 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 354 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 355 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 356 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 357 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 358 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 359 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 360 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 361 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 362 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 363 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 364 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 365 0x55, 0x21, 0x0C, 0x7D 366 }; 367 368 static const uint8_t aria_is2[256] = 369 { 370 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 371 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 372 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 373 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 374 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 375 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 376 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 377 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 378 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 379 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 380 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 381 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 382 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 383 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 384 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 385 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 386 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 387 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 388 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 389 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 390 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 391 0x03, 0xA2, 0xAC, 0x60 392 }; 393 394 /* 395 * Helper for key schedule: r = FO( p, k ) ^ x 396 */ 397 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], 398 const uint32_t k[4], const uint32_t x[4] ) 399 { 400 uint32_t a, b, c, d; 401 402 a = p[0] ^ k[0]; 403 b = p[1] ^ k[1]; 404 c = p[2] ^ k[2]; 405 d = p[3] ^ k[3]; 406 407 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 408 aria_a( &a, &b, &c, &d ); 409 410 r[0] = a ^ x[0]; 411 r[1] = b ^ x[1]; 412 r[2] = c ^ x[2]; 413 r[3] = d ^ x[3]; 414 } 415 416 /* 417 * Helper for key schedule: r = FE( p, k ) ^ x 418 */ 419 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], 420 const uint32_t k[4], const uint32_t x[4] ) 421 { 422 uint32_t a, b, c, d; 423 424 a = p[0] ^ k[0]; 425 b = p[1] ^ k[1]; 426 c = p[2] ^ k[2]; 427 d = p[3] ^ k[3]; 428 429 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 430 aria_a( &a, &b, &c, &d ); 431 432 r[0] = a ^ x[0]; 433 r[1] = b ^ x[1]; 434 r[2] = c ^ x[2]; 435 r[3] = d ^ x[3]; 436 } 437 438 /* 439 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 440 * 441 * We chose to store bytes into 32-bit words in little-endian format (see 442 * GET/PUT_UINT32_LE) so we need to reverse bytes here. 443 */ 444 static void aria_rot128( uint32_t r[4], const uint32_t a[4], 445 const uint32_t b[4], uint8_t n ) 446 { 447 uint8_t i, j; 448 uint32_t t, u; 449 450 const uint8_t n1 = n % 32; // bit offset 451 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 452 453 j = ( n / 32 ) % 4; // initial word offset 454 t = ARIA_P3( b[j] ); // big endian 455 for( i = 0; i < 4; i++ ) 456 { 457 j = ( j + 1 ) % 4; // get next word, big endian 458 u = ARIA_P3( b[j] ); 459 t <<= n1; // rotate 460 t |= u >> n2; 461 t = ARIA_P3( t ); // back to little endian 462 r[i] = a[i] ^ t; // store 463 t = u; // move to next word 464 } 465 } 466 467 /* 468 * Set encryption key 469 */ 470 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, 471 const unsigned char *key, unsigned int keybits ) 472 { 473 /* round constant masks */ 474 const uint32_t rc[3][4] = 475 { 476 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 477 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 478 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 479 }; 480 481 int i; 482 uint32_t w[4][4], *w2; 483 ARIA_VALIDATE_RET( ctx != NULL ); 484 ARIA_VALIDATE_RET( key != NULL ); 485 486 if( keybits != 128 && keybits != 192 && keybits != 256 ) 487 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 488 489 /* Copy key to W0 (and potential remainder to W1) */ 490 GET_UINT32_LE( w[0][0], key, 0 ); 491 GET_UINT32_LE( w[0][1], key, 4 ); 492 GET_UINT32_LE( w[0][2], key, 8 ); 493 GET_UINT32_LE( w[0][3], key, 12 ); 494 495 memset( w[1], 0, 16 ); 496 if( keybits >= 192 ) 497 { 498 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key 499 GET_UINT32_LE( w[1][1], key, 20 ); 500 } 501 if( keybits == 256 ) 502 { 503 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key 504 GET_UINT32_LE( w[1][3], key, 28 ); 505 } 506 507 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 508 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 509 510 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR 511 i = i < 2 ? i + 1 : 0; 512 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 513 i = i < 2 ? i + 1 : 0; 514 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 515 516 for( i = 0; i < 4; i++ ) // create round keys 517 { 518 w2 = w[(i + 1) & 3]; 519 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 ); 520 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 ); 521 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 ); 522 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 ); 523 } 524 aria_rot128( ctx->rk[16], w[0], w[1], 19 ); 525 526 /* w holds enough info to reconstruct the round keys */ 527 mbedtls_platform_zeroize( w, sizeof( w ) ); 528 529 return( 0 ); 530 } 531 532 /* 533 * Set decryption key 534 */ 535 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, 536 const unsigned char *key, unsigned int keybits ) 537 { 538 int i, j, k, ret; 539 ARIA_VALIDATE_RET( ctx != NULL ); 540 ARIA_VALIDATE_RET( key != NULL ); 541 542 ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); 543 if( ret != 0 ) 544 return( ret ); 545 546 /* flip the order of round keys */ 547 for( i = 0, j = ctx->nr; i < j; i++, j-- ) 548 { 549 for( k = 0; k < 4; k++ ) 550 { 551 uint32_t t = ctx->rk[i][k]; 552 ctx->rk[i][k] = ctx->rk[j][k]; 553 ctx->rk[j][k] = t; 554 } 555 } 556 557 /* apply affine transform to middle keys */ 558 for( i = 1; i < ctx->nr; i++ ) 559 { 560 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], 561 &ctx->rk[i][2], &ctx->rk[i][3] ); 562 } 563 564 return( 0 ); 565 } 566 567 /* 568 * Encrypt a block 569 */ 570 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, 571 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 572 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) 573 { 574 int i; 575 576 uint32_t a, b, c, d; 577 ARIA_VALIDATE_RET( ctx != NULL ); 578 ARIA_VALIDATE_RET( input != NULL ); 579 ARIA_VALIDATE_RET( output != NULL ); 580 581 GET_UINT32_LE( a, input, 0 ); 582 GET_UINT32_LE( b, input, 4 ); 583 GET_UINT32_LE( c, input, 8 ); 584 GET_UINT32_LE( d, input, 12 ); 585 586 i = 0; 587 while( 1 ) 588 { 589 a ^= ctx->rk[i][0]; 590 b ^= ctx->rk[i][1]; 591 c ^= ctx->rk[i][2]; 592 d ^= ctx->rk[i][3]; 593 i++; 594 595 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 596 aria_a( &a, &b, &c, &d ); 597 598 a ^= ctx->rk[i][0]; 599 b ^= ctx->rk[i][1]; 600 c ^= ctx->rk[i][2]; 601 d ^= ctx->rk[i][3]; 602 i++; 603 604 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 605 if( i >= ctx->nr ) 606 break; 607 aria_a( &a, &b, &c, &d ); 608 } 609 610 /* final key mixing */ 611 a ^= ctx->rk[i][0]; 612 b ^= ctx->rk[i][1]; 613 c ^= ctx->rk[i][2]; 614 d ^= ctx->rk[i][3]; 615 616 PUT_UINT32_LE( a, output, 0 ); 617 PUT_UINT32_LE( b, output, 4 ); 618 PUT_UINT32_LE( c, output, 8 ); 619 PUT_UINT32_LE( d, output, 12 ); 620 621 return( 0 ); 622 } 623 624 /* Initialize context */ 625 void mbedtls_aria_init( mbedtls_aria_context *ctx ) 626 { 627 ARIA_VALIDATE( ctx != NULL ); 628 memset( ctx, 0, sizeof( mbedtls_aria_context ) ); 629 } 630 631 /* Clear context */ 632 void mbedtls_aria_free( mbedtls_aria_context *ctx ) 633 { 634 if( ctx == NULL ) 635 return; 636 637 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); 638 } 639 640 #if defined(MBEDTLS_CIPHER_MODE_CBC) 641 /* 642 * ARIA-CBC buffer encryption/decryption 643 */ 644 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, 645 int mode, 646 size_t length, 647 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 648 const unsigned char *input, 649 unsigned char *output ) 650 { 651 int i; 652 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 653 654 ARIA_VALIDATE_RET( ctx != NULL ); 655 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 656 mode == MBEDTLS_ARIA_DECRYPT ); 657 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 658 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 659 ARIA_VALIDATE_RET( iv != NULL ); 660 661 if( length % MBEDTLS_ARIA_BLOCKSIZE ) 662 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); 663 664 if( mode == MBEDTLS_ARIA_DECRYPT ) 665 { 666 while( length > 0 ) 667 { 668 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); 669 mbedtls_aria_crypt_ecb( ctx, input, output ); 670 671 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 672 output[i] = (unsigned char)( output[i] ^ iv[i] ); 673 674 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); 675 676 input += MBEDTLS_ARIA_BLOCKSIZE; 677 output += MBEDTLS_ARIA_BLOCKSIZE; 678 length -= MBEDTLS_ARIA_BLOCKSIZE; 679 } 680 } 681 else 682 { 683 while( length > 0 ) 684 { 685 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 686 output[i] = (unsigned char)( input[i] ^ iv[i] ); 687 688 mbedtls_aria_crypt_ecb( ctx, output, output ); 689 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); 690 691 input += MBEDTLS_ARIA_BLOCKSIZE; 692 output += MBEDTLS_ARIA_BLOCKSIZE; 693 length -= MBEDTLS_ARIA_BLOCKSIZE; 694 } 695 } 696 697 return( 0 ); 698 } 699 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 700 701 #if defined(MBEDTLS_CIPHER_MODE_CFB) 702 /* 703 * ARIA-CFB128 buffer encryption/decryption 704 */ 705 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, 706 int mode, 707 size_t length, 708 size_t *iv_off, 709 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 710 const unsigned char *input, 711 unsigned char *output ) 712 { 713 unsigned char c; 714 size_t n; 715 716 ARIA_VALIDATE_RET( ctx != NULL ); 717 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 718 mode == MBEDTLS_ARIA_DECRYPT ); 719 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 720 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 721 ARIA_VALIDATE_RET( iv != NULL ); 722 ARIA_VALIDATE_RET( iv_off != NULL ); 723 724 n = *iv_off; 725 726 /* An overly large value of n can lead to an unlimited 727 * buffer overflow. Therefore, guard against this 728 * outside of parameter validation. */ 729 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 730 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 731 732 if( mode == MBEDTLS_ARIA_DECRYPT ) 733 { 734 while( length-- ) 735 { 736 if( n == 0 ) 737 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 738 739 c = *input++; 740 *output++ = c ^ iv[n]; 741 iv[n] = c; 742 743 n = ( n + 1 ) & 0x0F; 744 } 745 } 746 else 747 { 748 while( length-- ) 749 { 750 if( n == 0 ) 751 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 752 753 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 754 755 n = ( n + 1 ) & 0x0F; 756 } 757 } 758 759 *iv_off = n; 760 761 return( 0 ); 762 } 763 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 764 765 #if defined(MBEDTLS_CIPHER_MODE_CTR) 766 /* 767 * ARIA-CTR buffer encryption/decryption 768 */ 769 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, 770 size_t length, 771 size_t *nc_off, 772 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 773 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 774 const unsigned char *input, 775 unsigned char *output ) 776 { 777 int c, i; 778 size_t n; 779 780 ARIA_VALIDATE_RET( ctx != NULL ); 781 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 782 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 783 ARIA_VALIDATE_RET( nonce_counter != NULL ); 784 ARIA_VALIDATE_RET( stream_block != NULL ); 785 ARIA_VALIDATE_RET( nc_off != NULL ); 786 787 n = *nc_off; 788 /* An overly large value of n can lead to an unlimited 789 * buffer overflow. Therefore, guard against this 790 * outside of parameter validation. */ 791 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 792 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 793 794 while( length-- ) 795 { 796 if( n == 0 ) { 797 mbedtls_aria_crypt_ecb( ctx, nonce_counter, 798 stream_block ); 799 800 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) 801 if( ++nonce_counter[i - 1] != 0 ) 802 break; 803 } 804 c = *input++; 805 *output++ = (unsigned char)( c ^ stream_block[n] ); 806 807 n = ( n + 1 ) & 0x0F; 808 } 809 810 *nc_off = n; 811 812 return( 0 ); 813 } 814 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 815 #endif /* !MBEDTLS_ARIA_ALT */ 816 817 #if defined(MBEDTLS_SELF_TEST) 818 819 /* 820 * Basic ARIA ECB test vectors from RFC 5794 821 */ 822 static const uint8_t aria_test1_ecb_key[32] = // test key 823 { 824 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 825 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 826 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 827 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 828 }; 829 830 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 831 { 832 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 833 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 834 }; 835 836 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 837 { 838 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 839 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 840 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 841 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 842 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 843 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 844 }; 845 846 /* 847 * Mode tests from "Test Vectors for ARIA" Version 1.0 848 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 849 */ 850 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 851 defined(MBEDTLS_CIPHER_MODE_CTR)) 852 static const uint8_t aria_test2_key[32] = 853 { 854 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 855 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 856 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 857 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 858 }; 859 860 static const uint8_t aria_test2_pt[48] = 861 { 862 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 863 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 864 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 865 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 866 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 867 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 868 }; 869 #endif 870 871 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 872 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 873 { 874 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 875 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 876 }; 877 #endif 878 879 #if defined(MBEDTLS_CIPHER_MODE_CBC) 880 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 881 { 882 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 883 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 884 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 885 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 886 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 887 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 888 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 889 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 890 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 891 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 892 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 893 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 894 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 895 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 896 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 897 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 898 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 899 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 900 }; 901 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 902 903 #if defined(MBEDTLS_CIPHER_MODE_CFB) 904 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 905 { 906 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 907 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 908 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 909 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 910 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 911 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 912 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 913 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 914 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 915 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 916 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 917 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 918 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 919 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 920 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 921 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 922 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 923 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 924 }; 925 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 926 927 #if defined(MBEDTLS_CIPHER_MODE_CTR) 928 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 929 { 930 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 931 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 932 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 933 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 934 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 935 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 936 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 937 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 938 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 939 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 940 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 941 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 942 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 943 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 944 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 945 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 946 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 947 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 948 }; 949 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 950 951 #define ARIA_SELF_TEST_IF_FAIL \ 952 { \ 953 if( verbose ) \ 954 mbedtls_printf( "failed\n" ); \ 955 goto exit; \ 956 } else { \ 957 if( verbose ) \ 958 mbedtls_printf( "passed\n" ); \ 959 } 960 961 /* 962 * Checkup routine 963 */ 964 int mbedtls_aria_self_test( int verbose ) 965 { 966 int i; 967 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 968 mbedtls_aria_context ctx; 969 int ret = 1; 970 971 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 972 size_t j; 973 #endif 974 975 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 976 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 977 defined(MBEDTLS_CIPHER_MODE_CTR)) 978 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 979 #endif 980 981 mbedtls_aria_init( &ctx ); 982 983 /* 984 * Test set 1 985 */ 986 for( i = 0; i < 3; i++ ) 987 { 988 /* test ECB encryption */ 989 if( verbose ) 990 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); 991 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 992 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); 993 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 994 ARIA_SELF_TEST_IF_FAIL; 995 996 /* test ECB decryption */ 997 if( verbose ) 998 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); 999 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 1000 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); 1001 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 1002 ARIA_SELF_TEST_IF_FAIL; 1003 } 1004 if( verbose ) 1005 mbedtls_printf( "\n" ); 1006 1007 /* 1008 * Test set 2 1009 */ 1010 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1011 for( i = 0; i < 3; i++ ) 1012 { 1013 /* Test CBC encryption */ 1014 if( verbose ) 1015 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); 1016 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1017 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1018 memset( buf, 0x55, sizeof( buf ) ); 1019 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 1020 aria_test2_pt, buf ); 1021 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) 1022 ARIA_SELF_TEST_IF_FAIL; 1023 1024 /* Test CBC decryption */ 1025 if( verbose ) 1026 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); 1027 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); 1028 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1029 memset( buf, 0xAA, sizeof( buf ) ); 1030 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 1031 aria_test2_cbc_ct[i], buf ); 1032 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1033 ARIA_SELF_TEST_IF_FAIL; 1034 } 1035 if( verbose ) 1036 mbedtls_printf( "\n" ); 1037 1038 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1039 1040 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1041 for( i = 0; i < 3; i++ ) 1042 { 1043 /* Test CFB encryption */ 1044 if( verbose ) 1045 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); 1046 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1047 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1048 memset( buf, 0x55, sizeof( buf ) ); 1049 j = 0; 1050 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 1051 aria_test2_pt, buf ); 1052 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) 1053 ARIA_SELF_TEST_IF_FAIL; 1054 1055 /* Test CFB decryption */ 1056 if( verbose ) 1057 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); 1058 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1059 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1060 memset( buf, 0xAA, sizeof( buf ) ); 1061 j = 0; 1062 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 1063 iv, aria_test2_cfb_ct[i], buf ); 1064 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1065 ARIA_SELF_TEST_IF_FAIL; 1066 } 1067 if( verbose ) 1068 mbedtls_printf( "\n" ); 1069 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1070 1071 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1072 for( i = 0; i < 3; i++ ) 1073 { 1074 /* Test CTR encryption */ 1075 if( verbose ) 1076 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); 1077 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1078 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1079 memset( buf, 0x55, sizeof( buf ) ); 1080 j = 0; 1081 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1082 aria_test2_pt, buf ); 1083 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) 1084 ARIA_SELF_TEST_IF_FAIL; 1085 1086 /* Test CTR decryption */ 1087 if( verbose ) 1088 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); 1089 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1090 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1091 memset( buf, 0xAA, sizeof( buf ) ); 1092 j = 0; 1093 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1094 aria_test2_ctr_ct[i], buf ); 1095 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1096 ARIA_SELF_TEST_IF_FAIL; 1097 } 1098 if( verbose ) 1099 mbedtls_printf( "\n" ); 1100 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1101 1102 ret = 0; 1103 1104 exit: 1105 mbedtls_aria_free( &ctx ); 1106 return( ret ); 1107 } 1108 1109 #endif /* MBEDTLS_SELF_TEST */ 1110 1111 #endif /* MBEDTLS_ARIA_C */ 1112