1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_ARIA_C)
29
30 #include "mbedtls/aria.h"
31
32 #include <string.h>
33
34 #include "mbedtls/platform.h"
35
36 #if !defined(MBEDTLS_ARIA_ALT)
37
38 #include "mbedtls/platform_util.h"
39
40 /* Parameter validation macros */
41 #define ARIA_VALIDATE_RET(cond) \
42 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
43 #define ARIA_VALIDATE(cond) \
44 MBEDTLS_INTERNAL_VALIDATE(cond)
45
46 /*
47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
48 *
49 * This is submatrix P1 in [1] Appendix B.1
50 *
51 * Common compilers fail to translate this to minimal number of instructions,
52 * so let's provide asm versions for common platforms with C fallback.
53 */
54 #if defined(MBEDTLS_HAVE_ASM)
55 #if defined(__arm__) /* rev16 available from v6 up */
56 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57 #if defined(__GNUC__) && \
58 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
59 __ARM_ARCH >= 6
aria_p1(uint32_t x)60 static inline uint32_t aria_p1(uint32_t x)
61 {
62 uint32_t r;
63 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
64 return r;
65 }
66 #define ARIA_P1 aria_p1
67 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
68 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p1(uint32_t x)69 static inline uint32_t aria_p1(uint32_t x)
70 {
71 uint32_t r;
72 __asm("rev16 r, x");
73 return r;
74 }
75 #define ARIA_P1 aria_p1
76 #endif
77 #endif /* arm */
78 #if defined(__GNUC__) && \
79 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
80 /* I couldn't find an Intel equivalent of rev16, so two instructions */
81 #define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
82 #endif /* x86 gnuc */
83 #endif /* MBEDTLS_HAVE_ASM && GNUC */
84 #if !defined(ARIA_P1)
85 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
86 #endif
87
88 /*
89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90 *
91 * This is submatrix P2 in [1] Appendix B.1
92 *
93 * Common compilers will translate this to a single instruction.
94 */
95 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
96
97 /*
98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99 *
100 * This is submatrix P3 in [1] Appendix B.1
101 */
102 #define ARIA_P3(x) MBEDTLS_BSWAP32(x)
103
104 /*
105 * ARIA Affine Transform
106 * (a, b, c, d) = state in/out
107 *
108 * If we denote the first byte of input by 0, ..., the last byte by f,
109 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
110 *
111 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
112 * rearrangements on adjacent pairs, output is:
113 *
114 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
115 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
116 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
117 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
118 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
119 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
120 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
121 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
122 *
123 * Note: another presentation of the A transform can be found as the first
124 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
125 * The implementation below uses only P1 and P2 as they are sufficient.
126 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)127 static inline void aria_a(uint32_t *a, uint32_t *b,
128 uint32_t *c, uint32_t *d)
129 {
130 uint32_t ta, tb, tc;
131 ta = *b; // 4567
132 *b = *a; // 0123
133 *a = ARIA_P2(ta); // 6745
134 tb = ARIA_P2(*d); // efcd
135 *d = ARIA_P1(*c); // 98ba
136 *c = ARIA_P1(tb); // fedc
137 ta ^= *d; // 4567+98ba
138 tc = ARIA_P2(*b); // 2301
139 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
140 tb ^= ARIA_P2(*d); // ba98+efcd
141 tc ^= ARIA_P1(*a); // 2301+7654
142 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
143 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
144 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
145 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
146 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
147 tc = ARIA_P2(tc); // 0123+5476
148 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
149 }
150
151 /*
152 * ARIA Substitution Layer SL1 / SL2
153 * (a, b, c, d) = state in/out
154 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
155 *
156 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
157 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
158 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])159 static inline void aria_sl(uint32_t *a, uint32_t *b,
160 uint32_t *c, uint32_t *d,
161 const uint8_t sa[256], const uint8_t sb[256],
162 const uint8_t sc[256], const uint8_t sd[256])
163 {
164 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
168 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
169 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
170 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
171 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
172 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
173 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
174 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
175 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
176 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
177 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
178 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
179 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
180 }
181
182 /*
183 * S-Boxes
184 */
185 static const uint8_t aria_sb1[256] =
186 {
187 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
188 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
189 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
190 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
191 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
192 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
193 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
194 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
195 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
196 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
197 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
198 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
199 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
200 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
201 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
202 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
203 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
204 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
205 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
206 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
207 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
208 0xB0, 0x54, 0xBB, 0x16
209 };
210
211 static const uint8_t aria_sb2[256] =
212 {
213 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
214 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
215 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
216 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
217 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
218 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
219 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
220 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
221 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
222 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
223 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
224 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
225 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
226 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
227 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
228 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
229 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
230 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
231 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
232 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
233 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
234 0xAF, 0xBA, 0xB5, 0x81
235 };
236
237 static const uint8_t aria_is1[256] =
238 {
239 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
240 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
241 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
242 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
243 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
244 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
245 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
246 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
247 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
248 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
249 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
250 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
251 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
252 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
253 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
254 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
256 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
258 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
259 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
260 0x55, 0x21, 0x0C, 0x7D
261 };
262
263 static const uint8_t aria_is2[256] =
264 {
265 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
266 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
267 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
268 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
269 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
270 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
271 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
272 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
273 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
274 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
275 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
276 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
277 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
278 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
279 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
280 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
281 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
282 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
283 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
284 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
285 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
286 0x03, 0xA2, 0xAC, 0x60
287 };
288
289 /*
290 * Helper for key schedule: r = FO( p, k ) ^ x
291 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])292 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
293 const uint32_t k[4], const uint32_t x[4])
294 {
295 uint32_t a, b, c, d;
296
297 a = p[0] ^ k[0];
298 b = p[1] ^ k[1];
299 c = p[2] ^ k[2];
300 d = p[3] ^ k[3];
301
302 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
303 aria_a(&a, &b, &c, &d);
304
305 r[0] = a ^ x[0];
306 r[1] = b ^ x[1];
307 r[2] = c ^ x[2];
308 r[3] = d ^ x[3];
309 }
310
311 /*
312 * Helper for key schedule: r = FE( p, k ) ^ x
313 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])314 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
315 const uint32_t k[4], const uint32_t x[4])
316 {
317 uint32_t a, b, c, d;
318
319 a = p[0] ^ k[0];
320 b = p[1] ^ k[1];
321 c = p[2] ^ k[2];
322 d = p[3] ^ k[3];
323
324 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
325 aria_a(&a, &b, &c, &d);
326
327 r[0] = a ^ x[0];
328 r[1] = b ^ x[1];
329 r[2] = c ^ x[2];
330 r[3] = d ^ x[3];
331 }
332
333 /*
334 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
335 *
336 * We chose to store bytes into 32-bit words in little-endian format (see
337 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
338 * bytes here.
339 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)340 static void aria_rot128(uint32_t r[4], const uint32_t a[4],
341 const uint32_t b[4], uint8_t n)
342 {
343 uint8_t i, j;
344 uint32_t t, u;
345
346 const uint8_t n1 = n % 32; // bit offset
347 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
348
349 j = (n / 32) % 4; // initial word offset
350 t = ARIA_P3(b[j]); // big endian
351 for (i = 0; i < 4; i++) {
352 j = (j + 1) % 4; // get next word, big endian
353 u = ARIA_P3(b[j]);
354 t <<= n1; // rotate
355 t |= u >> n2;
356 t = ARIA_P3(t); // back to little endian
357 r[i] = a[i] ^ t; // store
358 t = u; // move to next word
359 }
360 }
361
362 /*
363 * Set encryption key
364 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)365 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
366 const unsigned char *key, unsigned int keybits)
367 {
368 /* round constant masks */
369 const uint32_t rc[3][4] =
370 {
371 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
372 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
373 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
374 };
375
376 int i;
377 uint32_t w[4][4], *w2;
378 ARIA_VALIDATE_RET(ctx != NULL);
379 ARIA_VALIDATE_RET(key != NULL);
380
381 if (keybits != 128 && keybits != 192 && keybits != 256) {
382 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
383 }
384
385 /* Copy key to W0 (and potential remainder to W1) */
386 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
387 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
388 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
389 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
390
391 memset(w[1], 0, 16);
392 if (keybits >= 192) {
393 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
394 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
395 }
396 if (keybits == 256) {
397 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
398 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
399 }
400
401 i = (keybits - 128) >> 6; // index: 0, 1, 2
402 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
403
404 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
405 i = i < 2 ? i + 1 : 0;
406 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
407 i = i < 2 ? i + 1 : 0;
408 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
409
410 for (i = 0; i < 4; i++) { // create round keys
411 w2 = w[(i + 1) & 3];
412 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
413 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
414 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
415 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
416 }
417 aria_rot128(ctx->rk[16], w[0], w[1], 19);
418
419 /* w holds enough info to reconstruct the round keys */
420 mbedtls_platform_zeroize(w, sizeof(w));
421
422 return 0;
423 }
424
425 /*
426 * Set decryption key
427 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)428 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
429 const unsigned char *key, unsigned int keybits)
430 {
431 int i, j, k, ret;
432 ARIA_VALIDATE_RET(ctx != NULL);
433 ARIA_VALIDATE_RET(key != NULL);
434
435 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
436 if (ret != 0) {
437 return ret;
438 }
439
440 /* flip the order of round keys */
441 for (i = 0, j = ctx->nr; i < j; i++, j--) {
442 for (k = 0; k < 4; k++) {
443 uint32_t t = ctx->rk[i][k];
444 ctx->rk[i][k] = ctx->rk[j][k];
445 ctx->rk[j][k] = t;
446 }
447 }
448
449 /* apply affine transform to middle keys */
450 for (i = 1; i < ctx->nr; i++) {
451 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
452 &ctx->rk[i][2], &ctx->rk[i][3]);
453 }
454
455 return 0;
456 }
457
458 /*
459 * Encrypt a block
460 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])461 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
462 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
463 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
464 {
465 int i;
466
467 uint32_t a, b, c, d;
468 ARIA_VALIDATE_RET(ctx != NULL);
469 ARIA_VALIDATE_RET(input != NULL);
470 ARIA_VALIDATE_RET(output != NULL);
471
472 a = MBEDTLS_GET_UINT32_LE(input, 0);
473 b = MBEDTLS_GET_UINT32_LE(input, 4);
474 c = MBEDTLS_GET_UINT32_LE(input, 8);
475 d = MBEDTLS_GET_UINT32_LE(input, 12);
476
477 i = 0;
478 while (1) {
479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
483 i++;
484
485 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
486 aria_a(&a, &b, &c, &d);
487
488 a ^= ctx->rk[i][0];
489 b ^= ctx->rk[i][1];
490 c ^= ctx->rk[i][2];
491 d ^= ctx->rk[i][3];
492 i++;
493
494 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
495 if (i >= ctx->nr) {
496 break;
497 }
498 aria_a(&a, &b, &c, &d);
499 }
500
501 /* final key mixing */
502 a ^= ctx->rk[i][0];
503 b ^= ctx->rk[i][1];
504 c ^= ctx->rk[i][2];
505 d ^= ctx->rk[i][3];
506
507 MBEDTLS_PUT_UINT32_LE(a, output, 0);
508 MBEDTLS_PUT_UINT32_LE(b, output, 4);
509 MBEDTLS_PUT_UINT32_LE(c, output, 8);
510 MBEDTLS_PUT_UINT32_LE(d, output, 12);
511
512 return 0;
513 }
514
515 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)516 void mbedtls_aria_init(mbedtls_aria_context *ctx)
517 {
518 ARIA_VALIDATE(ctx != NULL);
519 memset(ctx, 0, sizeof(mbedtls_aria_context));
520 }
521
522 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)523 void mbedtls_aria_free(mbedtls_aria_context *ctx)
524 {
525 if (ctx == NULL) {
526 return;
527 }
528
529 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
530 }
531
532 #if defined(MBEDTLS_CIPHER_MODE_CBC)
533 /*
534 * ARIA-CBC buffer encryption/decryption
535 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)536 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
537 int mode,
538 size_t length,
539 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
540 const unsigned char *input,
541 unsigned char *output)
542 {
543 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
544
545 ARIA_VALIDATE_RET(ctx != NULL);
546 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
547 mode == MBEDTLS_ARIA_DECRYPT);
548 ARIA_VALIDATE_RET(length == 0 || input != NULL);
549 ARIA_VALIDATE_RET(length == 0 || output != NULL);
550 ARIA_VALIDATE_RET(iv != NULL);
551
552 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
553 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
554 }
555
556 if (mode == MBEDTLS_ARIA_DECRYPT) {
557 while (length > 0) {
558 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
559 mbedtls_aria_crypt_ecb(ctx, input, output);
560
561 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
562
563 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
564
565 input += MBEDTLS_ARIA_BLOCKSIZE;
566 output += MBEDTLS_ARIA_BLOCKSIZE;
567 length -= MBEDTLS_ARIA_BLOCKSIZE;
568 }
569 } else {
570 while (length > 0) {
571 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
572
573 mbedtls_aria_crypt_ecb(ctx, output, output);
574 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
575
576 input += MBEDTLS_ARIA_BLOCKSIZE;
577 output += MBEDTLS_ARIA_BLOCKSIZE;
578 length -= MBEDTLS_ARIA_BLOCKSIZE;
579 }
580 }
581
582 return 0;
583 }
584 #endif /* MBEDTLS_CIPHER_MODE_CBC */
585
586 #if defined(MBEDTLS_CIPHER_MODE_CFB)
587 /*
588 * ARIA-CFB128 buffer encryption/decryption
589 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)590 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
591 int mode,
592 size_t length,
593 size_t *iv_off,
594 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
595 const unsigned char *input,
596 unsigned char *output)
597 {
598 unsigned char c;
599 size_t n;
600
601 ARIA_VALIDATE_RET(ctx != NULL);
602 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
603 mode == MBEDTLS_ARIA_DECRYPT);
604 ARIA_VALIDATE_RET(length == 0 || input != NULL);
605 ARIA_VALIDATE_RET(length == 0 || output != NULL);
606 ARIA_VALIDATE_RET(iv != NULL);
607 ARIA_VALIDATE_RET(iv_off != NULL);
608
609 n = *iv_off;
610
611 /* An overly large value of n can lead to an unlimited
612 * buffer overflow. Therefore, guard against this
613 * outside of parameter validation. */
614 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
615 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
616 }
617
618 if (mode == MBEDTLS_ARIA_DECRYPT) {
619 while (length--) {
620 if (n == 0) {
621 mbedtls_aria_crypt_ecb(ctx, iv, iv);
622 }
623
624 c = *input++;
625 *output++ = c ^ iv[n];
626 iv[n] = c;
627
628 n = (n + 1) & 0x0F;
629 }
630 } else {
631 while (length--) {
632 if (n == 0) {
633 mbedtls_aria_crypt_ecb(ctx, iv, iv);
634 }
635
636 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
637
638 n = (n + 1) & 0x0F;
639 }
640 }
641
642 *iv_off = n;
643
644 return 0;
645 }
646 #endif /* MBEDTLS_CIPHER_MODE_CFB */
647
648 #if defined(MBEDTLS_CIPHER_MODE_CTR)
649 /*
650 * ARIA-CTR buffer encryption/decryption
651 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)652 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
653 size_t length,
654 size_t *nc_off,
655 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
656 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
657 const unsigned char *input,
658 unsigned char *output)
659 {
660 int c, i;
661 size_t n;
662
663 ARIA_VALIDATE_RET(ctx != NULL);
664 ARIA_VALIDATE_RET(length == 0 || input != NULL);
665 ARIA_VALIDATE_RET(length == 0 || output != NULL);
666 ARIA_VALIDATE_RET(nonce_counter != NULL);
667 ARIA_VALIDATE_RET(stream_block != NULL);
668 ARIA_VALIDATE_RET(nc_off != NULL);
669
670 n = *nc_off;
671 /* An overly large value of n can lead to an unlimited
672 * buffer overflow. Therefore, guard against this
673 * outside of parameter validation. */
674 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
675 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
676 }
677
678 while (length--) {
679 if (n == 0) {
680 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
681 stream_block);
682
683 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
684 if (++nonce_counter[i - 1] != 0) {
685 break;
686 }
687 }
688 }
689 c = *input++;
690 *output++ = (unsigned char) (c ^ stream_block[n]);
691
692 n = (n + 1) & 0x0F;
693 }
694
695 *nc_off = n;
696
697 return 0;
698 }
699 #endif /* MBEDTLS_CIPHER_MODE_CTR */
700 #endif /* !MBEDTLS_ARIA_ALT */
701
702 #if defined(MBEDTLS_SELF_TEST)
703
704 /*
705 * Basic ARIA ECB test vectors from RFC 5794
706 */
707 static const uint8_t aria_test1_ecb_key[32] = // test key
708 {
709 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
710 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
711 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
712 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
713 };
714
715 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
716 {
717 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
718 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
719 };
720
721 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
722 {
723 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
724 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
725 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
726 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
727 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
728 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
729 };
730
731 /*
732 * Mode tests from "Test Vectors for ARIA" Version 1.0
733 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
734 */
735 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
736 defined(MBEDTLS_CIPHER_MODE_CTR))
737 static const uint8_t aria_test2_key[32] =
738 {
739 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
740 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
741 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
742 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
743 };
744
745 static const uint8_t aria_test2_pt[48] =
746 {
747 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
748 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
749 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
750 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
751 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
752 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
753 };
754 #endif
755
756 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
757 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
758 {
759 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
760 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
761 };
762 #endif
763
764 #if defined(MBEDTLS_CIPHER_MODE_CBC)
765 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
766 {
767 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
768 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
769 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
770 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
771 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
772 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
773 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
774 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
775 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
776 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
777 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
778 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
779 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
780 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
781 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
782 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
783 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
784 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
785 };
786 #endif /* MBEDTLS_CIPHER_MODE_CBC */
787
788 #if defined(MBEDTLS_CIPHER_MODE_CFB)
789 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
790 {
791 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
792 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
793 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
794 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
795 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
796 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
797 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
798 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
799 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
800 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
801 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
802 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
803 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
804 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
805 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
806 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
807 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
808 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
809 };
810 #endif /* MBEDTLS_CIPHER_MODE_CFB */
811
812 #if defined(MBEDTLS_CIPHER_MODE_CTR)
813 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
814 {
815 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
816 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
817 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
818 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
819 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
820 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
821 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
822 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
823 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
824 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
825 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
826 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
827 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
828 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
829 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
830 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
831 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
832 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
833 };
834 #endif /* MBEDTLS_CIPHER_MODE_CFB */
835
836 #define ARIA_SELF_TEST_ASSERT(cond) \
837 do { \
838 if (cond) { \
839 if (verbose) \
840 mbedtls_printf("failed\n"); \
841 goto exit; \
842 } else { \
843 if (verbose) \
844 mbedtls_printf("passed\n"); \
845 } \
846 } while (0)
847
848 /*
849 * Checkup routine
850 */
mbedtls_aria_self_test(int verbose)851 int mbedtls_aria_self_test(int verbose)
852 {
853 int i;
854 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
855 mbedtls_aria_context ctx;
856 int ret = 1;
857
858 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
859 size_t j;
860 #endif
861
862 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
863 defined(MBEDTLS_CIPHER_MODE_CFB) || \
864 defined(MBEDTLS_CIPHER_MODE_CTR))
865 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
866 #endif
867
868 mbedtls_aria_init(&ctx);
869
870 /*
871 * Test set 1
872 */
873 for (i = 0; i < 3; i++) {
874 /* test ECB encryption */
875 if (verbose) {
876 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
877 }
878 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
879 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
880 ARIA_SELF_TEST_ASSERT(
881 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
882 != 0);
883
884 /* test ECB decryption */
885 if (verbose) {
886 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
887 }
888 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
889 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
890 ARIA_SELF_TEST_ASSERT(
891 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
892 != 0);
893 }
894 if (verbose) {
895 mbedtls_printf("\n");
896 }
897
898 /*
899 * Test set 2
900 */
901 #if defined(MBEDTLS_CIPHER_MODE_CBC)
902 for (i = 0; i < 3; i++) {
903 /* Test CBC encryption */
904 if (verbose) {
905 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
906 }
907 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
908 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909 memset(buf, 0x55, sizeof(buf));
910 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
911 aria_test2_pt, buf);
912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
913 != 0);
914
915 /* Test CBC decryption */
916 if (verbose) {
917 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
918 }
919 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
920 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
921 memset(buf, 0xAA, sizeof(buf));
922 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
923 aria_test2_cbc_ct[i], buf);
924 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
925 }
926 if (verbose) {
927 mbedtls_printf("\n");
928 }
929
930 #endif /* MBEDTLS_CIPHER_MODE_CBC */
931
932 #if defined(MBEDTLS_CIPHER_MODE_CFB)
933 for (i = 0; i < 3; i++) {
934 /* Test CFB encryption */
935 if (verbose) {
936 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
937 }
938 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940 memset(buf, 0x55, sizeof(buf));
941 j = 0;
942 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
943 aria_test2_pt, buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
945
946 /* Test CFB decryption */
947 if (verbose) {
948 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
949 }
950 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
951 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
952 memset(buf, 0xAA, sizeof(buf));
953 j = 0;
954 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
955 iv, aria_test2_cfb_ct[i], buf);
956 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
957 }
958 if (verbose) {
959 mbedtls_printf("\n");
960 }
961 #endif /* MBEDTLS_CIPHER_MODE_CFB */
962
963 #if defined(MBEDTLS_CIPHER_MODE_CTR)
964 for (i = 0; i < 3; i++) {
965 /* Test CTR encryption */
966 if (verbose) {
967 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
968 }
969 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
971 memset(buf, 0x55, sizeof(buf));
972 j = 0;
973 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974 aria_test2_pt, buf);
975 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
976
977 /* Test CTR decryption */
978 if (verbose) {
979 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
980 }
981 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
982 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
983 memset(buf, 0xAA, sizeof(buf));
984 j = 0;
985 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
986 aria_test2_ctr_ct[i], buf);
987 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
988 }
989 if (verbose) {
990 mbedtls_printf("\n");
991 }
992 #endif /* MBEDTLS_CIPHER_MODE_CTR */
993
994 ret = 0;
995
996 exit:
997 mbedtls_aria_free(&ctx);
998 return ret;
999 }
1000
1001 #endif /* MBEDTLS_SELF_TEST */
1002
1003 #endif /* MBEDTLS_ARIA_C */
1004
