1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_ARIA_C)
29
30 #include "mbedtls/aria.h"
31
32 #include <string.h>
33
34 #if defined(MBEDTLS_SELF_TEST)
35 #if defined(MBEDTLS_PLATFORM_C)
36 #include "mbedtls/platform.h"
37 #else
38 #include <stdio.h>
39 #define mbedtls_printf printf
40 #endif /* MBEDTLS_PLATFORM_C */
41 #endif /* MBEDTLS_SELF_TEST */
42
43 #if !defined(MBEDTLS_ARIA_ALT)
44
45 #include "mbedtls/platform_util.h"
46
47 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
48 !defined(inline) && !defined(__cplusplus)
49 #define inline __inline
50 #endif
51
52 /* Parameter validation macros */
53 #define ARIA_VALIDATE_RET( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
55 #define ARIA_VALIDATE( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE( cond )
57
58 /*
59 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
60 *
61 * This is submatrix P1 in [1] Appendix B.1
62 *
63 * Common compilers fail to translate this to minimal number of instructions,
64 * so let's provide asm versions for common platforms with C fallback.
65 */
66 #if defined(MBEDTLS_HAVE_ASM)
67 #if defined(__arm__) /* rev16 available from v6 up */
68 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
69 #if defined(__GNUC__) && \
70 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
71 __ARM_ARCH >= 6
aria_p1(uint32_t x)72 static inline uint32_t aria_p1( uint32_t x )
73 {
74 uint32_t r;
75 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
76 return( r );
77 }
78 #define ARIA_P1 aria_p1
79 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
80 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)81 static inline uint32_t aria_p1( uint32_t x )
82 {
83 uint32_t r;
84 __asm( "rev16 r, x" );
85 return( r );
86 }
87 #define ARIA_P1 aria_p1
88 #endif
89 #endif /* arm */
90 #if defined(__GNUC__) && \
91 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
92 /* I couldn't find an Intel equivalent of rev16, so two instructions */
93 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
94 #endif /* x86 gnuc */
95 #endif /* MBEDTLS_HAVE_ASM && GNUC */
96 #if !defined(ARIA_P1)
97 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
98 #endif
99
100 /*
101 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
102 *
103 * This is submatrix P2 in [1] Appendix B.1
104 *
105 * Common compilers will translate this to a single instruction.
106 */
107 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
108
109 /*
110 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
111 *
112 * This is submatrix P3 in [1] Appendix B.1
113 *
114 * Some compilers fail to translate this to a single instruction,
115 * so let's provide asm versions for common platforms with C fallback.
116 */
117 #if defined(MBEDTLS_HAVE_ASM)
118 #if defined(__arm__) /* rev available from v6 up */
119 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
120 #if defined(__GNUC__) && \
121 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
122 __ARM_ARCH >= 6
aria_p3(uint32_t x)123 static inline uint32_t aria_p3( uint32_t x )
124 {
125 uint32_t r;
126 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
127 return( r );
128 }
129 #define ARIA_P3 aria_p3
130 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
131 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)132 static inline uint32_t aria_p3( uint32_t x )
133 {
134 uint32_t r;
135 __asm( "rev r, x" );
136 return( r );
137 }
138 #define ARIA_P3 aria_p3
139 #endif
140 #endif /* arm */
141 #if defined(__GNUC__) && \
142 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)143 static inline uint32_t aria_p3( uint32_t x )
144 {
145 __asm( "bswap %0" : "=r" (x) : "0" (x) );
146 return( x );
147 }
148 #define ARIA_P3 aria_p3
149 #endif /* x86 gnuc */
150 #endif /* MBEDTLS_HAVE_ASM && GNUC */
151 #if !defined(ARIA_P3)
152 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
153 #endif
154
155 /*
156 * ARIA Affine Transform
157 * (a, b, c, d) = state in/out
158 *
159 * If we denote the first byte of input by 0, ..., the last byte by f,
160 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
161 *
162 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
163 * rearrangements on adjacent pairs, output is:
164 *
165 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
166 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
167 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
168 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
169 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
170 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
171 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
172 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
173 *
174 * Note: another presentation of the A transform can be found as the first
175 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
176 * The implementation below uses only P1 and P2 as they are sufficient.
177 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)178 static inline void aria_a( uint32_t *a, uint32_t *b,
179 uint32_t *c, uint32_t *d )
180 {
181 uint32_t ta, tb, tc;
182 ta = *b; // 4567
183 *b = *a; // 0123
184 *a = ARIA_P2( ta ); // 6745
185 tb = ARIA_P2( *d ); // efcd
186 *d = ARIA_P1( *c ); // 98ba
187 *c = ARIA_P1( tb ); // fedc
188 ta ^= *d; // 4567+98ba
189 tc = ARIA_P2( *b ); // 2301
190 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
191 tb ^= ARIA_P2( *d ); // ba98+efcd
192 tc ^= ARIA_P1( *a ); // 2301+7654
193 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
194 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
195 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
196 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
197 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
198 tc = ARIA_P2( tc ); // 0123+5476
199 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
200 }
201
202 /*
203 * ARIA Substitution Layer SL1 / SL2
204 * (a, b, c, d) = state in/out
205 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
206 *
207 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
208 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
209 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])210 static inline void aria_sl( uint32_t *a, uint32_t *b,
211 uint32_t *c, uint32_t *d,
212 const uint8_t sa[256], const uint8_t sb[256],
213 const uint8_t sc[256], const uint8_t sd[256] )
214 {
215 *a = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *a ) ] ) ^
216 (((uint32_t) sb[ MBEDTLS_BYTE_1( *a ) ]) << 8) ^
217 (((uint32_t) sc[ MBEDTLS_BYTE_2( *a ) ]) << 16) ^
218 (((uint32_t) sd[ MBEDTLS_BYTE_3( *a ) ]) << 24);
219 *b = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *b ) ] ) ^
220 (((uint32_t) sb[ MBEDTLS_BYTE_1( *b ) ]) << 8) ^
221 (((uint32_t) sc[ MBEDTLS_BYTE_2( *b ) ]) << 16) ^
222 (((uint32_t) sd[ MBEDTLS_BYTE_3( *b ) ]) << 24);
223 *c = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *c ) ] ) ^
224 (((uint32_t) sb[ MBEDTLS_BYTE_1( *c ) ]) << 8) ^
225 (((uint32_t) sc[ MBEDTLS_BYTE_2( *c ) ]) << 16) ^
226 (((uint32_t) sd[ MBEDTLS_BYTE_3( *c ) ]) << 24);
227 *d = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *d ) ] ) ^
228 (((uint32_t) sb[ MBEDTLS_BYTE_1( *d ) ]) << 8) ^
229 (((uint32_t) sc[ MBEDTLS_BYTE_2( *d ) ]) << 16) ^
230 (((uint32_t) sd[ MBEDTLS_BYTE_3( *d ) ]) << 24);
231 }
232
233 /*
234 * S-Boxes
235 */
236 static const uint8_t aria_sb1[256] =
237 {
238 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
239 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
240 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
241 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
242 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
243 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
244 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
245 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
246 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
247 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
248 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
249 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
250 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
251 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
252 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
253 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
254 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
255 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
256 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
257 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
258 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
259 0xB0, 0x54, 0xBB, 0x16
260 };
261
262 static const uint8_t aria_sb2[256] =
263 {
264 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
265 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
266 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
267 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
268 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
269 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
270 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
271 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
272 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
273 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
274 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
275 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
276 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
277 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
278 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
279 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
280 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
281 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
282 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
283 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
284 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
285 0xAF, 0xBA, 0xB5, 0x81
286 };
287
288 static const uint8_t aria_is1[256] =
289 {
290 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
291 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
292 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
293 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
294 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
295 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
296 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
297 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
298 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
299 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
300 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
301 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
302 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
303 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
304 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
305 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
306 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
307 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
308 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
309 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
310 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
311 0x55, 0x21, 0x0C, 0x7D
312 };
313
314 static const uint8_t aria_is2[256] =
315 {
316 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
317 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
318 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
319 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
320 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
321 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
322 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
323 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
324 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
325 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
326 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
327 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
328 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
329 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
330 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
331 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
332 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
333 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
334 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
335 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
336 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
337 0x03, 0xA2, 0xAC, 0x60
338 };
339
340 /*
341 * Helper for key schedule: r = FO( p, k ) ^ x
342 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])343 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
344 const uint32_t k[4], const uint32_t x[4] )
345 {
346 uint32_t a, b, c, d;
347
348 a = p[0] ^ k[0];
349 b = p[1] ^ k[1];
350 c = p[2] ^ k[2];
351 d = p[3] ^ k[3];
352
353 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
354 aria_a( &a, &b, &c, &d );
355
356 r[0] = a ^ x[0];
357 r[1] = b ^ x[1];
358 r[2] = c ^ x[2];
359 r[3] = d ^ x[3];
360 }
361
362 /*
363 * Helper for key schedule: r = FE( p, k ) ^ x
364 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])365 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
366 const uint32_t k[4], const uint32_t x[4] )
367 {
368 uint32_t a, b, c, d;
369
370 a = p[0] ^ k[0];
371 b = p[1] ^ k[1];
372 c = p[2] ^ k[2];
373 d = p[3] ^ k[3];
374
375 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
376 aria_a( &a, &b, &c, &d );
377
378 r[0] = a ^ x[0];
379 r[1] = b ^ x[1];
380 r[2] = c ^ x[2];
381 r[3] = d ^ x[3];
382 }
383
384 /*
385 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
386 *
387 * We chose to store bytes into 32-bit words in little-endian format (see
388 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
389 * bytes here.
390 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)391 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
392 const uint32_t b[4], uint8_t n )
393 {
394 uint8_t i, j;
395 uint32_t t, u;
396
397 const uint8_t n1 = n % 32; // bit offset
398 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
399
400 j = ( n / 32 ) % 4; // initial word offset
401 t = ARIA_P3( b[j] ); // big endian
402 for( i = 0; i < 4; i++ )
403 {
404 j = ( j + 1 ) % 4; // get next word, big endian
405 u = ARIA_P3( b[j] );
406 t <<= n1; // rotate
407 t |= u >> n2;
408 t = ARIA_P3( t ); // back to little endian
409 r[i] = a[i] ^ t; // store
410 t = u; // move to next word
411 }
412 }
413
414 /*
415 * Set encryption key
416 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)417 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
418 const unsigned char *key, unsigned int keybits )
419 {
420 /* round constant masks */
421 const uint32_t rc[3][4] =
422 {
423 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
424 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
425 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
426 };
427
428 int i;
429 uint32_t w[4][4], *w2;
430 ARIA_VALIDATE_RET( ctx != NULL );
431 ARIA_VALIDATE_RET( key != NULL );
432
433 if( keybits != 128 && keybits != 192 && keybits != 256 )
434 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
435
436 /* Copy key to W0 (and potential remainder to W1) */
437 w[0][0] = MBEDTLS_GET_UINT32_LE( key, 0 );
438 w[0][1] = MBEDTLS_GET_UINT32_LE( key, 4 );
439 w[0][2] = MBEDTLS_GET_UINT32_LE( key, 8 );
440 w[0][3] = MBEDTLS_GET_UINT32_LE( key, 12 );
441
442 memset( w[1], 0, 16 );
443 if( keybits >= 192 )
444 {
445 w[1][0] = MBEDTLS_GET_UINT32_LE( key, 16 ); // 192 bit key
446 w[1][1] = MBEDTLS_GET_UINT32_LE( key, 20 );
447 }
448 if( keybits == 256 )
449 {
450 w[1][2] = MBEDTLS_GET_UINT32_LE( key, 24 ); // 256 bit key
451 w[1][3] = MBEDTLS_GET_UINT32_LE( key, 28 );
452 }
453
454 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
455 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
456
457 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
458 i = i < 2 ? i + 1 : 0;
459 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
460 i = i < 2 ? i + 1 : 0;
461 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
462
463 for( i = 0; i < 4; i++ ) // create round keys
464 {
465 w2 = w[(i + 1) & 3];
466 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
467 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
468 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
469 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
470 }
471 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
472
473 /* w holds enough info to reconstruct the round keys */
474 mbedtls_platform_zeroize( w, sizeof( w ) );
475
476 return( 0 );
477 }
478
479 /*
480 * Set decryption key
481 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)482 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
483 const unsigned char *key, unsigned int keybits )
484 {
485 int i, j, k, ret;
486 ARIA_VALIDATE_RET( ctx != NULL );
487 ARIA_VALIDATE_RET( key != NULL );
488
489 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
490 if( ret != 0 )
491 return( ret );
492
493 /* flip the order of round keys */
494 for( i = 0, j = ctx->nr; i < j; i++, j-- )
495 {
496 for( k = 0; k < 4; k++ )
497 {
498 uint32_t t = ctx->rk[i][k];
499 ctx->rk[i][k] = ctx->rk[j][k];
500 ctx->rk[j][k] = t;
501 }
502 }
503
504 /* apply affine transform to middle keys */
505 for( i = 1; i < ctx->nr; i++ )
506 {
507 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
508 &ctx->rk[i][2], &ctx->rk[i][3] );
509 }
510
511 return( 0 );
512 }
513
514 /*
515 * Encrypt a block
516 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])517 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
518 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
519 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
520 {
521 int i;
522
523 uint32_t a, b, c, d;
524 ARIA_VALIDATE_RET( ctx != NULL );
525 ARIA_VALIDATE_RET( input != NULL );
526 ARIA_VALIDATE_RET( output != NULL );
527
528 a = MBEDTLS_GET_UINT32_LE( input, 0 );
529 b = MBEDTLS_GET_UINT32_LE( input, 4 );
530 c = MBEDTLS_GET_UINT32_LE( input, 8 );
531 d = MBEDTLS_GET_UINT32_LE( input, 12 );
532
533 i = 0;
534 while( 1 )
535 {
536 a ^= ctx->rk[i][0];
537 b ^= ctx->rk[i][1];
538 c ^= ctx->rk[i][2];
539 d ^= ctx->rk[i][3];
540 i++;
541
542 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
543 aria_a( &a, &b, &c, &d );
544
545 a ^= ctx->rk[i][0];
546 b ^= ctx->rk[i][1];
547 c ^= ctx->rk[i][2];
548 d ^= ctx->rk[i][3];
549 i++;
550
551 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
552 if( i >= ctx->nr )
553 break;
554 aria_a( &a, &b, &c, &d );
555 }
556
557 /* final key mixing */
558 a ^= ctx->rk[i][0];
559 b ^= ctx->rk[i][1];
560 c ^= ctx->rk[i][2];
561 d ^= ctx->rk[i][3];
562
563 MBEDTLS_PUT_UINT32_LE( a, output, 0 );
564 MBEDTLS_PUT_UINT32_LE( b, output, 4 );
565 MBEDTLS_PUT_UINT32_LE( c, output, 8 );
566 MBEDTLS_PUT_UINT32_LE( d, output, 12 );
567
568 return( 0 );
569 }
570
571 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)572 void mbedtls_aria_init( mbedtls_aria_context *ctx )
573 {
574 ARIA_VALIDATE( ctx != NULL );
575 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
576 }
577
578 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)579 void mbedtls_aria_free( mbedtls_aria_context *ctx )
580 {
581 if( ctx == NULL )
582 return;
583
584 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
585 }
586
587 #if defined(MBEDTLS_CIPHER_MODE_CBC)
588 /*
589 * ARIA-CBC buffer encryption/decryption
590 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)591 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
592 int mode,
593 size_t length,
594 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
595 const unsigned char *input,
596 unsigned char *output )
597 {
598 int i;
599 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
600
601 ARIA_VALIDATE_RET( ctx != NULL );
602 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
603 mode == MBEDTLS_ARIA_DECRYPT );
604 ARIA_VALIDATE_RET( length == 0 || input != NULL );
605 ARIA_VALIDATE_RET( length == 0 || output != NULL );
606 ARIA_VALIDATE_RET( iv != NULL );
607
608 if( length % MBEDTLS_ARIA_BLOCKSIZE )
609 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
610
611 if( mode == MBEDTLS_ARIA_DECRYPT )
612 {
613 while( length > 0 )
614 {
615 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
616 mbedtls_aria_crypt_ecb( ctx, input, output );
617
618 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
619 output[i] = (unsigned char)( output[i] ^ iv[i] );
620
621 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
622
623 input += MBEDTLS_ARIA_BLOCKSIZE;
624 output += MBEDTLS_ARIA_BLOCKSIZE;
625 length -= MBEDTLS_ARIA_BLOCKSIZE;
626 }
627 }
628 else
629 {
630 while( length > 0 )
631 {
632 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
633 output[i] = (unsigned char)( input[i] ^ iv[i] );
634
635 mbedtls_aria_crypt_ecb( ctx, output, output );
636 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
637
638 input += MBEDTLS_ARIA_BLOCKSIZE;
639 output += MBEDTLS_ARIA_BLOCKSIZE;
640 length -= MBEDTLS_ARIA_BLOCKSIZE;
641 }
642 }
643
644 return( 0 );
645 }
646 #endif /* MBEDTLS_CIPHER_MODE_CBC */
647
648 #if defined(MBEDTLS_CIPHER_MODE_CFB)
649 /*
650 * ARIA-CFB128 buffer encryption/decryption
651 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)652 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
653 int mode,
654 size_t length,
655 size_t *iv_off,
656 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
657 const unsigned char *input,
658 unsigned char *output )
659 {
660 unsigned char c;
661 size_t n;
662
663 ARIA_VALIDATE_RET( ctx != NULL );
664 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
665 mode == MBEDTLS_ARIA_DECRYPT );
666 ARIA_VALIDATE_RET( length == 0 || input != NULL );
667 ARIA_VALIDATE_RET( length == 0 || output != NULL );
668 ARIA_VALIDATE_RET( iv != NULL );
669 ARIA_VALIDATE_RET( iv_off != NULL );
670
671 n = *iv_off;
672
673 /* An overly large value of n can lead to an unlimited
674 * buffer overflow. Therefore, guard against this
675 * outside of parameter validation. */
676 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
677 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
678
679 if( mode == MBEDTLS_ARIA_DECRYPT )
680 {
681 while( length-- )
682 {
683 if( n == 0 )
684 mbedtls_aria_crypt_ecb( ctx, iv, iv );
685
686 c = *input++;
687 *output++ = c ^ iv[n];
688 iv[n] = c;
689
690 n = ( n + 1 ) & 0x0F;
691 }
692 }
693 else
694 {
695 while( length-- )
696 {
697 if( n == 0 )
698 mbedtls_aria_crypt_ecb( ctx, iv, iv );
699
700 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
701
702 n = ( n + 1 ) & 0x0F;
703 }
704 }
705
706 *iv_off = n;
707
708 return( 0 );
709 }
710 #endif /* MBEDTLS_CIPHER_MODE_CFB */
711
712 #if defined(MBEDTLS_CIPHER_MODE_CTR)
713 /*
714 * ARIA-CTR buffer encryption/decryption
715 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)716 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
717 size_t length,
718 size_t *nc_off,
719 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
720 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
721 const unsigned char *input,
722 unsigned char *output )
723 {
724 int c, i;
725 size_t n;
726
727 ARIA_VALIDATE_RET( ctx != NULL );
728 ARIA_VALIDATE_RET( length == 0 || input != NULL );
729 ARIA_VALIDATE_RET( length == 0 || output != NULL );
730 ARIA_VALIDATE_RET( nonce_counter != NULL );
731 ARIA_VALIDATE_RET( stream_block != NULL );
732 ARIA_VALIDATE_RET( nc_off != NULL );
733
734 n = *nc_off;
735 /* An overly large value of n can lead to an unlimited
736 * buffer overflow. Therefore, guard against this
737 * outside of parameter validation. */
738 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
739 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
740
741 while( length-- )
742 {
743 if( n == 0 ) {
744 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
745 stream_block );
746
747 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
748 if( ++nonce_counter[i - 1] != 0 )
749 break;
750 }
751 c = *input++;
752 *output++ = (unsigned char)( c ^ stream_block[n] );
753
754 n = ( n + 1 ) & 0x0F;
755 }
756
757 *nc_off = n;
758
759 return( 0 );
760 }
761 #endif /* MBEDTLS_CIPHER_MODE_CTR */
762 #endif /* !MBEDTLS_ARIA_ALT */
763
764 #if defined(MBEDTLS_SELF_TEST)
765
766 /*
767 * Basic ARIA ECB test vectors from RFC 5794
768 */
769 static const uint8_t aria_test1_ecb_key[32] = // test key
770 {
771 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
772 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
773 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
774 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
775 };
776
777 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
778 {
779 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
780 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
781 };
782
783 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
784 {
785 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
786 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
787 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
788 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
789 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
790 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
791 };
792
793 /*
794 * Mode tests from "Test Vectors for ARIA" Version 1.0
795 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
796 */
797 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
798 defined(MBEDTLS_CIPHER_MODE_CTR))
799 static const uint8_t aria_test2_key[32] =
800 {
801 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
802 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
803 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
804 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
805 };
806
807 static const uint8_t aria_test2_pt[48] =
808 {
809 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
810 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
811 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
812 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
813 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
814 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
815 };
816 #endif
817
818 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
819 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
820 {
821 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
822 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
823 };
824 #endif
825
826 #if defined(MBEDTLS_CIPHER_MODE_CBC)
827 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
828 {
829 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
830 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
831 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
832 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
833 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
834 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
835 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
836 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
837 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
838 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
839 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
840 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
841 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
842 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
843 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
844 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
845 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
846 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
847 };
848 #endif /* MBEDTLS_CIPHER_MODE_CBC */
849
850 #if defined(MBEDTLS_CIPHER_MODE_CFB)
851 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
852 {
853 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
854 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
855 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
856 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
857 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
858 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
859 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
860 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
861 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
862 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
863 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
864 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
865 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
866 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
867 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
868 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
869 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
870 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
871 };
872 #endif /* MBEDTLS_CIPHER_MODE_CFB */
873
874 #if defined(MBEDTLS_CIPHER_MODE_CTR)
875 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
876 {
877 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
878 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
879 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
880 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
881 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
882 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
883 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
884 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
885 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
886 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
887 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
888 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
889 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
890 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
891 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
892 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
893 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
894 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
895 };
896 #endif /* MBEDTLS_CIPHER_MODE_CFB */
897
898 #define ARIA_SELF_TEST_IF_FAIL \
899 { \
900 if( verbose ) \
901 mbedtls_printf( "failed\n" ); \
902 goto exit; \
903 } else { \
904 if( verbose ) \
905 mbedtls_printf( "passed\n" ); \
906 }
907
908 /*
909 * Checkup routine
910 */
mbedtls_aria_self_test(int verbose)911 int mbedtls_aria_self_test( int verbose )
912 {
913 int i;
914 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
915 mbedtls_aria_context ctx;
916 int ret = 1;
917
918 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
919 size_t j;
920 #endif
921
922 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
923 defined(MBEDTLS_CIPHER_MODE_CFB) || \
924 defined(MBEDTLS_CIPHER_MODE_CTR))
925 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
926 #endif
927
928 mbedtls_aria_init( &ctx );
929
930 /*
931 * Test set 1
932 */
933 for( i = 0; i < 3; i++ )
934 {
935 /* test ECB encryption */
936 if( verbose )
937 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
938 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
939 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
940 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
941 ARIA_SELF_TEST_IF_FAIL;
942
943 /* test ECB decryption */
944 if( verbose )
945 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
946 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
947 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
948 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
949 ARIA_SELF_TEST_IF_FAIL;
950 }
951 if( verbose )
952 mbedtls_printf( "\n" );
953
954 /*
955 * Test set 2
956 */
957 #if defined(MBEDTLS_CIPHER_MODE_CBC)
958 for( i = 0; i < 3; i++ )
959 {
960 /* Test CBC encryption */
961 if( verbose )
962 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
963 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
964 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
965 memset( buf, 0x55, sizeof( buf ) );
966 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
967 aria_test2_pt, buf );
968 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
969 ARIA_SELF_TEST_IF_FAIL;
970
971 /* Test CBC decryption */
972 if( verbose )
973 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
974 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
975 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
976 memset( buf, 0xAA, sizeof( buf ) );
977 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
978 aria_test2_cbc_ct[i], buf );
979 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
980 ARIA_SELF_TEST_IF_FAIL;
981 }
982 if( verbose )
983 mbedtls_printf( "\n" );
984
985 #endif /* MBEDTLS_CIPHER_MODE_CBC */
986
987 #if defined(MBEDTLS_CIPHER_MODE_CFB)
988 for( i = 0; i < 3; i++ )
989 {
990 /* Test CFB encryption */
991 if( verbose )
992 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
993 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
994 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
995 memset( buf, 0x55, sizeof( buf ) );
996 j = 0;
997 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
998 aria_test2_pt, buf );
999 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1000 ARIA_SELF_TEST_IF_FAIL;
1001
1002 /* Test CFB decryption */
1003 if( verbose )
1004 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1005 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1006 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1007 memset( buf, 0xAA, sizeof( buf ) );
1008 j = 0;
1009 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1010 iv, aria_test2_cfb_ct[i], buf );
1011 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1012 ARIA_SELF_TEST_IF_FAIL;
1013 }
1014 if( verbose )
1015 mbedtls_printf( "\n" );
1016 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1017
1018 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1019 for( i = 0; i < 3; i++ )
1020 {
1021 /* Test CTR encryption */
1022 if( verbose )
1023 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1024 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1025 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1026 memset( buf, 0x55, sizeof( buf ) );
1027 j = 0;
1028 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1029 aria_test2_pt, buf );
1030 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1031 ARIA_SELF_TEST_IF_FAIL;
1032
1033 /* Test CTR decryption */
1034 if( verbose )
1035 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1036 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1037 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1038 memset( buf, 0xAA, sizeof( buf ) );
1039 j = 0;
1040 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1041 aria_test2_ctr_ct[i], buf );
1042 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1043 ARIA_SELF_TEST_IF_FAIL;
1044 }
1045 if( verbose )
1046 mbedtls_printf( "\n" );
1047 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1048
1049 ret = 0;
1050
1051 exit:
1052 mbedtls_aria_free( &ctx );
1053 return( ret );
1054 }
1055
1056 #endif /* MBEDTLS_SELF_TEST */
1057
1058 #endif /* MBEDTLS_ARIA_C */
1059
