1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_ARIA_C)
17
18 #include "mbedtls/aria.h"
19
20 #include <string.h>
21
22 #include "mbedtls/platform.h"
23
24 #if !defined(MBEDTLS_ARIA_ALT)
25
26 #include "mbedtls/platform_util.h"
27
28 /*
29 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
30 *
31 * This is submatrix P1 in [1] Appendix B.1
32 *
33 * Common compilers fail to translate this to minimal number of instructions,
34 * so let's provide asm versions for common platforms with C fallback.
35 */
36 #if defined(MBEDTLS_HAVE_ASM)
37 #if defined(__arm__) /* rev16 available from v6 up */
38 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39 #if defined(__GNUC__) && \
40 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
41 __ARM_ARCH >= 6
aria_p1(uint32_t x)42 static inline uint32_t aria_p1(uint32_t x)
43 {
44 uint32_t r;
45 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46 return r;
47 }
48 #define ARIA_P1 aria_p1
49 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
50 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p1(uint32_t x)51 static inline uint32_t aria_p1(uint32_t x)
52 {
53 uint32_t r;
54 __asm("rev16 r, x");
55 return r;
56 }
57 #define ARIA_P1 aria_p1
58 #endif
59 #endif /* arm */
60 #if defined(__GNUC__) && \
61 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
62 /* I couldn't find an Intel equivalent of rev16, so two instructions */
63 #define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
64 #endif /* x86 gnuc */
65 #endif /* MBEDTLS_HAVE_ASM && GNUC */
66 #if !defined(ARIA_P1)
67 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
68 #endif
69
70 /*
71 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72 *
73 * This is submatrix P2 in [1] Appendix B.1
74 *
75 * Common compilers will translate this to a single instruction.
76 */
77 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
78
79 /*
80 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81 *
82 * This is submatrix P3 in [1] Appendix B.1
83 */
84 #define ARIA_P3(x) MBEDTLS_BSWAP32(x)
85
86 /*
87 * ARIA Affine Transform
88 * (a, b, c, d) = state in/out
89 *
90 * If we denote the first byte of input by 0, ..., the last byte by f,
91 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92 *
93 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
94 * rearrangements on adjacent pairs, output is:
95 *
96 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
98 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
99 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
100 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
101 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
102 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
103 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104 *
105 * Note: another presentation of the A transform can be found as the first
106 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107 * The implementation below uses only P1 and P2 as they are sufficient.
108 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)109 static inline void aria_a(uint32_t *a, uint32_t *b,
110 uint32_t *c, uint32_t *d)
111 {
112 uint32_t ta, tb, tc;
113 ta = *b; // 4567
114 *b = *a; // 0123
115 *a = ARIA_P2(ta); // 6745
116 tb = ARIA_P2(*d); // efcd
117 *d = ARIA_P1(*c); // 98ba
118 *c = ARIA_P1(tb); // fedc
119 ta ^= *d; // 4567+98ba
120 tc = ARIA_P2(*b); // 2301
121 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
122 tb ^= ARIA_P2(*d); // ba98+efcd
123 tc ^= ARIA_P1(*a); // 2301+7654
124 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
125 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
126 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
128 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129 tc = ARIA_P2(tc); // 0123+5476
130 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
131 }
132
133 /*
134 * ARIA Substitution Layer SL1 / SL2
135 * (a, b, c, d) = state in/out
136 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
137 *
138 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
140 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])141 static inline void aria_sl(uint32_t *a, uint32_t *b,
142 uint32_t *c, uint32_t *d,
143 const uint8_t sa[256], const uint8_t sb[256],
144 const uint8_t sc[256], const uint8_t sd[256])
145 {
146 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
148 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
152 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
156 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
160 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
162 }
163
164 /*
165 * S-Boxes
166 */
167 static const uint8_t aria_sb1[256] =
168 {
169 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190 0xB0, 0x54, 0xBB, 0x16
191 };
192
193 static const uint8_t aria_sb2[256] =
194 {
195 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216 0xAF, 0xBA, 0xB5, 0x81
217 };
218
219 static const uint8_t aria_is1[256] =
220 {
221 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242 0x55, 0x21, 0x0C, 0x7D
243 };
244
245 static const uint8_t aria_is2[256] =
246 {
247 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268 0x03, 0xA2, 0xAC, 0x60
269 };
270
271 /*
272 * Helper for key schedule: r = FO( p, k ) ^ x
273 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])274 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275 const uint32_t k[4], const uint32_t x[4])
276 {
277 uint32_t a, b, c, d;
278
279 a = p[0] ^ k[0];
280 b = p[1] ^ k[1];
281 c = p[2] ^ k[2];
282 d = p[3] ^ k[3];
283
284 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285 aria_a(&a, &b, &c, &d);
286
287 r[0] = a ^ x[0];
288 r[1] = b ^ x[1];
289 r[2] = c ^ x[2];
290 r[3] = d ^ x[3];
291 }
292
293 /*
294 * Helper for key schedule: r = FE( p, k ) ^ x
295 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])296 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297 const uint32_t k[4], const uint32_t x[4])
298 {
299 uint32_t a, b, c, d;
300
301 a = p[0] ^ k[0];
302 b = p[1] ^ k[1];
303 c = p[2] ^ k[2];
304 d = p[3] ^ k[3];
305
306 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307 aria_a(&a, &b, &c, &d);
308
309 r[0] = a ^ x[0];
310 r[1] = b ^ x[1];
311 r[2] = c ^ x[2];
312 r[3] = d ^ x[3];
313 }
314
315 /*
316 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317 *
318 * We chose to store bytes into 32-bit words in little-endian format (see
319 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320 * bytes here.
321 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)322 static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323 const uint32_t b[4], uint8_t n)
324 {
325 uint8_t i, j;
326 uint32_t t, u;
327
328 const uint8_t n1 = n % 32; // bit offset
329 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
330
331 j = (n / 32) % 4; // initial word offset
332 t = ARIA_P3(b[j]); // big endian
333 for (i = 0; i < 4; i++) {
334 j = (j + 1) % 4; // get next word, big endian
335 u = ARIA_P3(b[j]);
336 t <<= n1; // rotate
337 t |= u >> n2;
338 t = ARIA_P3(t); // back to little endian
339 r[i] = a[i] ^ t; // store
340 t = u; // move to next word
341 }
342 }
343
344 /*
345 * Set encryption key
346 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)347 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348 const unsigned char *key, unsigned int keybits)
349 {
350 /* round constant masks */
351 const uint32_t rc[3][4] =
352 {
353 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
354 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
355 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
356 };
357
358 int i;
359 uint32_t w[4][4], *w2;
360
361 if (keybits != 128 && keybits != 192 && keybits != 256) {
362 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363 }
364
365 /* Copy key to W0 (and potential remainder to W1) */
366 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
367 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
368 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
369 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
370
371 memset(w[1], 0, 16);
372 if (keybits >= 192) {
373 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
374 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
375 }
376 if (keybits == 256) {
377 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
378 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
379 }
380
381 i = (keybits - 128) >> 6; // index: 0, 1, 2
382 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
383
384 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
385 i = i < 2 ? i + 1 : 0;
386 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
387 i = i < 2 ? i + 1 : 0;
388 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
389
390 for (i = 0; i < 4; i++) { // create round keys
391 w2 = w[(i + 1) & 3];
392 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
394 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
395 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
396 }
397 aria_rot128(ctx->rk[16], w[0], w[1], 19);
398
399 /* w holds enough info to reconstruct the round keys */
400 mbedtls_platform_zeroize(w, sizeof(w));
401
402 return 0;
403 }
404
405 /*
406 * Set decryption key
407 */
408 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)409 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410 const unsigned char *key, unsigned int keybits)
411 {
412 int i, j, k, ret;
413
414 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415 if (ret != 0) {
416 return ret;
417 }
418
419 /* flip the order of round keys */
420 for (i = 0, j = ctx->nr; i < j; i++, j--) {
421 for (k = 0; k < 4; k++) {
422 uint32_t t = ctx->rk[i][k];
423 ctx->rk[i][k] = ctx->rk[j][k];
424 ctx->rk[j][k] = t;
425 }
426 }
427
428 /* apply affine transform to middle keys */
429 for (i = 1; i < ctx->nr; i++) {
430 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431 &ctx->rk[i][2], &ctx->rk[i][3]);
432 }
433
434 return 0;
435 }
436 #endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
437
438 /*
439 * Encrypt a block
440 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])441 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
444 {
445 int i;
446
447 uint32_t a, b, c, d;
448
449 a = MBEDTLS_GET_UINT32_LE(input, 0);
450 b = MBEDTLS_GET_UINT32_LE(input, 4);
451 c = MBEDTLS_GET_UINT32_LE(input, 8);
452 d = MBEDTLS_GET_UINT32_LE(input, 12);
453
454 i = 0;
455 while (1) {
456 a ^= ctx->rk[i][0];
457 b ^= ctx->rk[i][1];
458 c ^= ctx->rk[i][2];
459 d ^= ctx->rk[i][3];
460 i++;
461
462 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463 aria_a(&a, &b, &c, &d);
464
465 a ^= ctx->rk[i][0];
466 b ^= ctx->rk[i][1];
467 c ^= ctx->rk[i][2];
468 d ^= ctx->rk[i][3];
469 i++;
470
471 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472 if (i >= ctx->nr) {
473 break;
474 }
475 aria_a(&a, &b, &c, &d);
476 }
477
478 /* final key mixing */
479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
483
484 MBEDTLS_PUT_UINT32_LE(a, output, 0);
485 MBEDTLS_PUT_UINT32_LE(b, output, 4);
486 MBEDTLS_PUT_UINT32_LE(c, output, 8);
487 MBEDTLS_PUT_UINT32_LE(d, output, 12);
488
489 return 0;
490 }
491
492 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)493 void mbedtls_aria_init(mbedtls_aria_context *ctx)
494 {
495 memset(ctx, 0, sizeof(mbedtls_aria_context));
496 }
497
498 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)499 void mbedtls_aria_free(mbedtls_aria_context *ctx)
500 {
501 if (ctx == NULL) {
502 return;
503 }
504
505 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
506 }
507
508 #if defined(MBEDTLS_CIPHER_MODE_CBC)
509 /*
510 * ARIA-CBC buffer encryption/decryption
511 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)512 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513 int mode,
514 size_t length,
515 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516 const unsigned char *input,
517 unsigned char *output)
518 {
519 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
520
521 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523 }
524
525 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527 }
528
529 if (mode == MBEDTLS_ARIA_DECRYPT) {
530 while (length > 0) {
531 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532 mbedtls_aria_crypt_ecb(ctx, input, output);
533
534 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
535
536 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
537
538 input += MBEDTLS_ARIA_BLOCKSIZE;
539 output += MBEDTLS_ARIA_BLOCKSIZE;
540 length -= MBEDTLS_ARIA_BLOCKSIZE;
541 }
542 } else {
543 while (length > 0) {
544 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
545
546 mbedtls_aria_crypt_ecb(ctx, output, output);
547 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
548
549 input += MBEDTLS_ARIA_BLOCKSIZE;
550 output += MBEDTLS_ARIA_BLOCKSIZE;
551 length -= MBEDTLS_ARIA_BLOCKSIZE;
552 }
553 }
554
555 return 0;
556 }
557 #endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559 #if defined(MBEDTLS_CIPHER_MODE_CFB)
560 /*
561 * ARIA-CFB128 buffer encryption/decryption
562 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)563 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 size_t *iv_off,
567 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568 const unsigned char *input,
569 unsigned char *output)
570 {
571 unsigned char c;
572 size_t n;
573
574 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576 }
577
578 n = *iv_off;
579
580 /* An overly large value of n can lead to an unlimited
581 * buffer overflow. */
582 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
583 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
584 }
585
586 if (mode == MBEDTLS_ARIA_DECRYPT) {
587 while (length--) {
588 if (n == 0) {
589 mbedtls_aria_crypt_ecb(ctx, iv, iv);
590 }
591
592 c = *input++;
593 *output++ = c ^ iv[n];
594 iv[n] = c;
595
596 n = (n + 1) & 0x0F;
597 }
598 } else {
599 while (length--) {
600 if (n == 0) {
601 mbedtls_aria_crypt_ecb(ctx, iv, iv);
602 }
603
604 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
605
606 n = (n + 1) & 0x0F;
607 }
608 }
609
610 *iv_off = n;
611
612 return 0;
613 }
614 #endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616 #if defined(MBEDTLS_CIPHER_MODE_CTR)
617 /*
618 * ARIA-CTR buffer encryption/decryption
619 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)620 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
621 size_t length,
622 size_t *nc_off,
623 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
624 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
625 const unsigned char *input,
626 unsigned char *output)
627 {
628 int c, i;
629 size_t n;
630
631 n = *nc_off;
632 /* An overly large value of n can lead to an unlimited
633 * buffer overflow. */
634 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
635 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
636 }
637
638 while (length--) {
639 if (n == 0) {
640 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
641 stream_block);
642
643 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
644 if (++nonce_counter[i - 1] != 0) {
645 break;
646 }
647 }
648 }
649 c = *input++;
650 *output++ = (unsigned char) (c ^ stream_block[n]);
651
652 n = (n + 1) & 0x0F;
653 }
654
655 *nc_off = n;
656
657 return 0;
658 }
659 #endif /* MBEDTLS_CIPHER_MODE_CTR */
660 #endif /* !MBEDTLS_ARIA_ALT */
661
662 #if defined(MBEDTLS_SELF_TEST)
663
664 /*
665 * Basic ARIA ECB test vectors from RFC 5794
666 */
667 static const uint8_t aria_test1_ecb_key[32] = // test key
668 {
669 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
670 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
671 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
672 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
673 };
674
675 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
676 {
677 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
678 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
679 };
680
681 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
682 {
683 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
684 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
685 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
686 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
687 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
688 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
689 };
690
691 /*
692 * Mode tests from "Test Vectors for ARIA" Version 1.0
693 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
694 */
695 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
696 defined(MBEDTLS_CIPHER_MODE_CTR))
697 static const uint8_t aria_test2_key[32] =
698 {
699 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
700 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
703 };
704
705 static const uint8_t aria_test2_pt[48] =
706 {
707 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
708 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
709 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
710 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
711 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
712 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
713 };
714 #endif
715
716 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
717 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
718 {
719 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
720 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
721 };
722 #endif
723
724 #if defined(MBEDTLS_CIPHER_MODE_CBC)
725 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
726 {
727 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
728 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
729 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
730 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
731 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
732 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
733 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
734 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
735 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
736 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
737 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
738 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
739 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
740 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
741 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
742 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
743 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
744 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
745 };
746 #endif /* MBEDTLS_CIPHER_MODE_CBC */
747
748 #if defined(MBEDTLS_CIPHER_MODE_CFB)
749 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
750 {
751 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
752 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
753 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
754 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
755 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
756 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
757 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
758 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
759 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
760 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
761 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
762 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
763 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
764 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
765 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
766 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
767 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
768 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
769 };
770 #endif /* MBEDTLS_CIPHER_MODE_CFB */
771
772 #if defined(MBEDTLS_CIPHER_MODE_CTR)
773 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
774 {
775 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
776 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
777 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
778 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
779 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
780 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
781 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
782 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
783 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
784 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
785 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
786 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
787 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
788 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
789 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
790 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
791 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
792 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
793 };
794 #endif /* MBEDTLS_CIPHER_MODE_CFB */
795
796 #define ARIA_SELF_TEST_ASSERT(cond) \
797 do { \
798 if (cond) { \
799 if (verbose) \
800 mbedtls_printf("failed\n"); \
801 goto exit; \
802 } else { \
803 if (verbose) \
804 mbedtls_printf("passed\n"); \
805 } \
806 } while (0)
807
808 /*
809 * Checkup routine
810 */
mbedtls_aria_self_test(int verbose)811 int mbedtls_aria_self_test(int verbose)
812 {
813 int i;
814 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
815 mbedtls_aria_context ctx;
816 int ret = 1;
817
818 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
819 size_t j;
820 #endif
821
822 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
823 defined(MBEDTLS_CIPHER_MODE_CFB) || \
824 defined(MBEDTLS_CIPHER_MODE_CTR))
825 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
826 #endif
827
828 mbedtls_aria_init(&ctx);
829
830 /*
831 * Test set 1
832 */
833 for (i = 0; i < 3; i++) {
834 /* test ECB encryption */
835 if (verbose) {
836 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
837 }
838 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
839 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
840 ARIA_SELF_TEST_ASSERT(
841 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
842 != 0);
843
844 /* test ECB decryption */
845 if (verbose) {
846 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
847 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
848 mbedtls_printf("skipped\n");
849 #endif
850 }
851
852 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
853 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
854 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
855 ARIA_SELF_TEST_ASSERT(
856 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
857 != 0);
858 #endif
859 }
860 if (verbose) {
861 mbedtls_printf("\n");
862 }
863
864 /*
865 * Test set 2
866 */
867 #if defined(MBEDTLS_CIPHER_MODE_CBC)
868 for (i = 0; i < 3; i++) {
869 /* Test CBC encryption */
870 if (verbose) {
871 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
872 }
873 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
874 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
875 memset(buf, 0x55, sizeof(buf));
876 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
877 aria_test2_pt, buf);
878 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
879 != 0);
880
881 /* Test CBC decryption */
882 if (verbose) {
883 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
884 }
885 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
886 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
887 memset(buf, 0xAA, sizeof(buf));
888 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
889 aria_test2_cbc_ct[i], buf);
890 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
891 }
892 if (verbose) {
893 mbedtls_printf("\n");
894 }
895
896 #endif /* MBEDTLS_CIPHER_MODE_CBC */
897
898 #if defined(MBEDTLS_CIPHER_MODE_CFB)
899 for (i = 0; i < 3; i++) {
900 /* Test CFB encryption */
901 if (verbose) {
902 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
903 }
904 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
905 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
906 memset(buf, 0x55, sizeof(buf));
907 j = 0;
908 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
909 aria_test2_pt, buf);
910 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
911
912 /* Test CFB decryption */
913 if (verbose) {
914 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
915 }
916 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
917 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
918 memset(buf, 0xAA, sizeof(buf));
919 j = 0;
920 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
921 iv, aria_test2_cfb_ct[i], buf);
922 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
923 }
924 if (verbose) {
925 mbedtls_printf("\n");
926 }
927 #endif /* MBEDTLS_CIPHER_MODE_CFB */
928
929 #if defined(MBEDTLS_CIPHER_MODE_CTR)
930 for (i = 0; i < 3; i++) {
931 /* Test CTR encryption */
932 if (verbose) {
933 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
934 }
935 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
936 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
937 memset(buf, 0x55, sizeof(buf));
938 j = 0;
939 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
940 aria_test2_pt, buf);
941 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
942
943 /* Test CTR decryption */
944 if (verbose) {
945 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
946 }
947 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
948 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
949 memset(buf, 0xAA, sizeof(buf));
950 j = 0;
951 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
952 aria_test2_ctr_ct[i], buf);
953 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
954 }
955 if (verbose) {
956 mbedtls_printf("\n");
957 }
958 #endif /* MBEDTLS_CIPHER_MODE_CTR */
959
960 ret = 0;
961
962 exit:
963 mbedtls_aria_free(&ctx);
964 return ret;
965 }
966
967 #endif /* MBEDTLS_SELF_TEST */
968
969 #endif /* MBEDTLS_ARIA_C */
970
