1 /*
2  *  ARIA implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 /*
21  * This implementation is based on the following standards:
22  * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23  * [2] https://tools.ietf.org/html/rfc5794
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_ARIA_C)
29 
30 #include "mbedtls/aria.h"
31 
32 #include <string.h>
33 
34 #if defined(MBEDTLS_SELF_TEST)
35 #if defined(MBEDTLS_PLATFORM_C)
36 #include "mbedtls/platform.h"
37 #else
38 #include <stdio.h>
39 #define mbedtls_printf printf
40 #endif /* MBEDTLS_PLATFORM_C */
41 #endif /* MBEDTLS_SELF_TEST */
42 
43 #if !defined(MBEDTLS_ARIA_ALT)
44 
45 #include "mbedtls/platform_util.h"
46 
47 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
48     !defined(inline) && !defined(__cplusplus)
49 #define inline __inline
50 #endif
51 
52 /* Parameter validation macros */
53 #define ARIA_VALIDATE_RET( cond )                                       \
54     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
55 #define ARIA_VALIDATE( cond )                                           \
56     MBEDTLS_INTERNAL_VALIDATE( cond )
57 
58 /*
59  * 32-bit integer manipulation macros (little endian)
60  */
61 #ifndef GET_UINT32_LE
62 #define GET_UINT32_LE( n, b, i )                \
63 {                                               \
64     (n) = ( (uint32_t) (b)[(i)    ]       )     \
65         | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
66         | ( (uint32_t) (b)[(i) + 2] << 16 )     \
67         | ( (uint32_t) (b)[(i) + 3] << 24 );    \
68 }
69 #endif
70 
71 #ifndef PUT_UINT32_LE
72 #define PUT_UINT32_LE( n, b, i )                                \
73 {                                                               \
74     (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
75     (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
76     (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
77     (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
78 }
79 #endif
80 
81 /*
82  * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
83  *
84  * This is submatrix P1 in [1] Appendix B.1
85  *
86  * Common compilers fail to translate this to minimal number of instructions,
87  * so let's provide asm versions for common platforms with C fallback.
88  */
89 #if defined(MBEDTLS_HAVE_ASM)
90 #if defined(__arm__) /* rev16 available from v6 up */
91 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
92 #if defined(__GNUC__) && \
93     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
94     __ARM_ARCH >= 6
aria_p1(uint32_t x)95 static inline uint32_t aria_p1( uint32_t x )
96 {
97     uint32_t r;
98     __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
99     return( r );
100 }
101 #define ARIA_P1 aria_p1
102 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
103     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p1(uint32_t x)104 static inline uint32_t aria_p1( uint32_t x )
105 {
106     uint32_t r;
107     __asm( "rev16 r, x" );
108     return( r );
109 }
110 #define ARIA_P1 aria_p1
111 #endif
112 #endif /* arm */
113 #if defined(__GNUC__) && \
114     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
115 /* I couldn't find an Intel equivalent of rev16, so two instructions */
116 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
117 #endif /* x86 gnuc */
118 #endif /* MBEDTLS_HAVE_ASM && GNUC */
119 #if !defined(ARIA_P1)
120 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
121 #endif
122 
123 /*
124  * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
125  *
126  * This is submatrix P2 in [1] Appendix B.1
127  *
128  * Common compilers will translate this to a single instruction.
129  */
130 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
131 
132 /*
133  * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
134  *
135  * This is submatrix P3 in [1] Appendix B.1
136  *
137  * Some compilers fail to translate this to a single instruction,
138  * so let's provide asm versions for common platforms with C fallback.
139  */
140 #if defined(MBEDTLS_HAVE_ASM)
141 #if defined(__arm__) /* rev available from v6 up */
142 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
143 #if defined(__GNUC__) && \
144     ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
145     __ARM_ARCH >= 6
aria_p3(uint32_t x)146 static inline uint32_t aria_p3( uint32_t x )
147 {
148     uint32_t r;
149     __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
150     return( r );
151 }
152 #define ARIA_P3 aria_p3
153 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
154     ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
aria_p3(uint32_t x)155 static inline uint32_t aria_p3( uint32_t x )
156 {
157     uint32_t r;
158     __asm( "rev r, x" );
159     return( r );
160 }
161 #define ARIA_P3 aria_p3
162 #endif
163 #endif /* arm */
164 #if defined(__GNUC__) && \
165     defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
aria_p3(uint32_t x)166 static inline uint32_t aria_p3( uint32_t x )
167 {
168     __asm( "bswap %0" : "=r" (x) : "0" (x) );
169     return( x );
170 }
171 #define ARIA_P3 aria_p3
172 #endif /* x86 gnuc */
173 #endif /* MBEDTLS_HAVE_ASM && GNUC */
174 #if !defined(ARIA_P3)
175 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
176 #endif
177 
178 /*
179  * ARIA Affine Transform
180  * (a, b, c, d) = state in/out
181  *
182  * If we denote the first byte of input by 0, ..., the last byte by f,
183  * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
184  *
185  * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
186  * rearrangements on adjacent pairs, output is:
187  *
188  * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
189  *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
190  * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
191  *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
192  * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
193  *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
194  * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
195  *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
196  *
197  * Note: another presentation of the A transform can be found as the first
198  * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
199  * The implementation below uses only P1 and P2 as they are sufficient.
200  */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)201 static inline void aria_a( uint32_t *a, uint32_t *b,
202                            uint32_t *c, uint32_t *d )
203 {
204     uint32_t ta, tb, tc;
205     ta  =  *b;                      // 4567
206     *b  =  *a;                      // 0123
207     *a  =  ARIA_P2( ta );           // 6745
208     tb  =  ARIA_P2( *d );           // efcd
209     *d  =  ARIA_P1( *c );           // 98ba
210     *c  =  ARIA_P1( tb );           // fedc
211     ta  ^= *d;                      // 4567+98ba
212     tc  =  ARIA_P2( *b );           // 2301
213     ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
214     tb  ^= ARIA_P2( *d );           // ba98+efcd
215     tc  ^= ARIA_P1( *a );           // 2301+7654
216     *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
217     tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
218     *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
219     ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
220     *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
221     tc  =  ARIA_P2( tc );           // 0123+5476
222     *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
223 }
224 
225 /*
226  * ARIA Substitution Layer SL1 / SL2
227  * (a, b, c, d) = state in/out
228  * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
229  *
230  * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
231  * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
232  */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])233 static inline void aria_sl( uint32_t *a, uint32_t *b,
234                             uint32_t *c, uint32_t *d,
235                             const uint8_t sa[256], const uint8_t sb[256],
236                             const uint8_t sc[256], const uint8_t sd[256] )
237 {
238     *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
239          (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
240          (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
241          (((uint32_t) sd[ *a >> 24        ]) << 24);
242     *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
243          (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
244          (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
245          (((uint32_t) sd[ *b >> 24        ]) << 24);
246     *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
247          (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
248          (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
249          (((uint32_t) sd[ *c >> 24        ]) << 24);
250     *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
251          (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
252          (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
253          (((uint32_t) sd[ *d >> 24        ]) << 24);
254 }
255 
256 /*
257  * S-Boxes
258  */
259 static const uint8_t aria_sb1[256] =
260 {
261     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
262     0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
263     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
264     0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
265     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
266     0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
267     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
268     0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
269     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
270     0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
271     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
272     0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
273     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
274     0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
275     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
276     0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
277     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
278     0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
279     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
280     0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
281     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
282     0xB0, 0x54, 0xBB, 0x16
283 };
284 
285 static const uint8_t aria_sb2[256] =
286 {
287     0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
288     0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
289     0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
290     0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
291     0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
292     0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
293     0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
294     0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
295     0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
296     0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
297     0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
298     0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
299     0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
300     0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
301     0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
302     0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
303     0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
304     0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
305     0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
306     0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
307     0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
308     0xAF, 0xBA, 0xB5, 0x81
309 };
310 
311 static const uint8_t aria_is1[256] =
312 {
313     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
314     0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
315     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
316     0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
317     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
318     0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
319     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
320     0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
321     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
322     0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
323     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
324     0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
325     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
326     0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
327     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
328     0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
329     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
330     0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
331     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
332     0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
333     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
334     0x55, 0x21, 0x0C, 0x7D
335 };
336 
337 static const uint8_t aria_is2[256] =
338 {
339     0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
340     0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
341     0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
342     0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
343     0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
344     0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
345     0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
346     0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
347     0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
348     0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
349     0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
350     0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
351     0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
352     0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
353     0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
354     0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
355     0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
356     0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
357     0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
358     0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
359     0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
360     0x03, 0xA2, 0xAC, 0x60
361 };
362 
363 /*
364  * Helper for key schedule: r = FO( p, k ) ^ x
365  */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])366 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
367                          const uint32_t k[4], const uint32_t x[4] )
368 {
369     uint32_t a, b, c, d;
370 
371     a = p[0] ^ k[0];
372     b = p[1] ^ k[1];
373     c = p[2] ^ k[2];
374     d = p[3] ^ k[3];
375 
376     aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
377     aria_a( &a, &b, &c, &d );
378 
379     r[0] = a ^ x[0];
380     r[1] = b ^ x[1];
381     r[2] = c ^ x[2];
382     r[3] = d ^ x[3];
383 }
384 
385 /*
386  * Helper for key schedule: r = FE( p, k ) ^ x
387  */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])388 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
389                          const uint32_t k[4], const uint32_t x[4] )
390 {
391     uint32_t a, b, c, d;
392 
393     a = p[0] ^ k[0];
394     b = p[1] ^ k[1];
395     c = p[2] ^ k[2];
396     d = p[3] ^ k[3];
397 
398     aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
399     aria_a( &a, &b, &c, &d );
400 
401     r[0] = a ^ x[0];
402     r[1] = b ^ x[1];
403     r[2] = c ^ x[2];
404     r[3] = d ^ x[3];
405 }
406 
407 /*
408  * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
409  *
410  * We chose to store bytes into 32-bit words in little-endian format (see
411  * GET/PUT_UINT32_LE) so we need to reverse bytes here.
412  */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)413 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
414                          const uint32_t b[4], uint8_t n )
415 {
416     uint8_t i, j;
417     uint32_t t, u;
418 
419     const uint8_t n1 = n % 32;              // bit offset
420     const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
421 
422     j = ( n / 32 ) % 4;                     // initial word offset
423     t = ARIA_P3( b[j] );                    // big endian
424     for( i = 0; i < 4; i++ )
425     {
426         j = ( j + 1 ) % 4;                  // get next word, big endian
427         u = ARIA_P3( b[j] );
428         t <<= n1;                           // rotate
429         t |= u >> n2;
430         t = ARIA_P3( t );                   // back to little endian
431         r[i] = a[i] ^ t;                    // store
432         t = u;                              // move to next word
433     }
434 }
435 
436 /*
437  * Set encryption key
438  */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)439 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
440                              const unsigned char *key, unsigned int keybits )
441 {
442     /* round constant masks */
443     const uint32_t rc[3][4] =
444     {
445         {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
446         {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
447         {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
448     };
449 
450     int i;
451     uint32_t w[4][4], *w2;
452     ARIA_VALIDATE_RET( ctx != NULL );
453     ARIA_VALIDATE_RET( key != NULL );
454 
455     if( keybits != 128 && keybits != 192 && keybits != 256 )
456         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
457 
458     /* Copy key to W0 (and potential remainder to W1) */
459     GET_UINT32_LE( w[0][0], key,  0 );
460     GET_UINT32_LE( w[0][1], key,  4 );
461     GET_UINT32_LE( w[0][2], key,  8 );
462     GET_UINT32_LE( w[0][3], key, 12 );
463 
464     memset( w[1], 0, 16 );
465     if( keybits >= 192 )
466     {
467         GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
468         GET_UINT32_LE( w[1][1], key, 20 );
469     }
470     if( keybits == 256 )
471     {
472         GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
473         GET_UINT32_LE( w[1][3], key, 28 );
474     }
475 
476     i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
477     ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
478 
479     aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
480     i = i < 2 ? i + 1 : 0;
481     aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
482     i = i < 2 ? i + 1 : 0;
483     aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
484 
485     for( i = 0; i < 4; i++ )                // create round keys
486     {
487         w2 = w[(i + 1) & 3];
488         aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
489         aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
490         aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
491         aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
492     }
493     aria_rot128( ctx->rk[16], w[0], w[1], 19 );
494 
495     /* w holds enough info to reconstruct the round keys */
496     mbedtls_platform_zeroize( w, sizeof( w ) );
497 
498     return( 0 );
499 }
500 
501 /*
502  * Set decryption key
503  */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)504 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
505                              const unsigned char *key, unsigned int keybits )
506 {
507     int i, j, k, ret;
508     ARIA_VALIDATE_RET( ctx != NULL );
509     ARIA_VALIDATE_RET( key != NULL );
510 
511     ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
512     if( ret != 0 )
513         return( ret );
514 
515     /* flip the order of round keys */
516     for( i = 0, j = ctx->nr; i < j; i++, j-- )
517     {
518         for( k = 0; k < 4; k++ )
519         {
520             uint32_t t = ctx->rk[i][k];
521             ctx->rk[i][k] = ctx->rk[j][k];
522             ctx->rk[j][k] = t;
523         }
524     }
525 
526     /* apply affine transform to middle keys */
527     for( i = 1; i < ctx->nr; i++ )
528     {
529         aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
530                 &ctx->rk[i][2], &ctx->rk[i][3] );
531     }
532 
533     return( 0 );
534 }
535 
536 /*
537  * Encrypt a block
538  */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])539 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
540                             const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
541                             unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
542 {
543     int i;
544 
545     uint32_t a, b, c, d;
546     ARIA_VALIDATE_RET( ctx != NULL );
547     ARIA_VALIDATE_RET( input != NULL );
548     ARIA_VALIDATE_RET( output != NULL );
549 
550     GET_UINT32_LE( a, input,  0 );
551     GET_UINT32_LE( b, input,  4 );
552     GET_UINT32_LE( c, input,  8 );
553     GET_UINT32_LE( d, input, 12 );
554 
555     i = 0;
556     while( 1 )
557     {
558         a ^= ctx->rk[i][0];
559         b ^= ctx->rk[i][1];
560         c ^= ctx->rk[i][2];
561         d ^= ctx->rk[i][3];
562         i++;
563 
564         aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
565         aria_a( &a, &b, &c, &d );
566 
567         a ^= ctx->rk[i][0];
568         b ^= ctx->rk[i][1];
569         c ^= ctx->rk[i][2];
570         d ^= ctx->rk[i][3];
571         i++;
572 
573         aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
574         if( i >= ctx->nr )
575             break;
576         aria_a( &a, &b, &c, &d );
577     }
578 
579     /* final key mixing */
580     a ^= ctx->rk[i][0];
581     b ^= ctx->rk[i][1];
582     c ^= ctx->rk[i][2];
583     d ^= ctx->rk[i][3];
584 
585     PUT_UINT32_LE( a, output,  0 );
586     PUT_UINT32_LE( b, output,  4 );
587     PUT_UINT32_LE( c, output,  8 );
588     PUT_UINT32_LE( d, output, 12 );
589 
590     return( 0 );
591 }
592 
593 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)594 void mbedtls_aria_init( mbedtls_aria_context *ctx )
595 {
596     ARIA_VALIDATE( ctx != NULL );
597     memset( ctx, 0, sizeof( mbedtls_aria_context ) );
598 }
599 
600 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)601 void mbedtls_aria_free( mbedtls_aria_context *ctx )
602 {
603     if( ctx == NULL )
604         return;
605 
606     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
607 }
608 
609 #if defined(MBEDTLS_CIPHER_MODE_CBC)
610 /*
611  * ARIA-CBC buffer encryption/decryption
612  */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)613 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
614                             int mode,
615                             size_t length,
616                             unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
617                             const unsigned char *input,
618                             unsigned char *output )
619 {
620     int i;
621     unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
622 
623     ARIA_VALIDATE_RET( ctx != NULL );
624     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
625                        mode == MBEDTLS_ARIA_DECRYPT );
626     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
627     ARIA_VALIDATE_RET( length == 0 || output != NULL );
628     ARIA_VALIDATE_RET( iv != NULL );
629 
630     if( length % MBEDTLS_ARIA_BLOCKSIZE )
631         return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
632 
633     if( mode == MBEDTLS_ARIA_DECRYPT )
634     {
635         while( length > 0 )
636         {
637             memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
638             mbedtls_aria_crypt_ecb( ctx, input, output );
639 
640             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
641                 output[i] = (unsigned char)( output[i] ^ iv[i] );
642 
643             memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
644 
645             input  += MBEDTLS_ARIA_BLOCKSIZE;
646             output += MBEDTLS_ARIA_BLOCKSIZE;
647             length -= MBEDTLS_ARIA_BLOCKSIZE;
648         }
649     }
650     else
651     {
652         while( length > 0 )
653         {
654             for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
655                 output[i] = (unsigned char)( input[i] ^ iv[i] );
656 
657             mbedtls_aria_crypt_ecb( ctx, output, output );
658             memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
659 
660             input  += MBEDTLS_ARIA_BLOCKSIZE;
661             output += MBEDTLS_ARIA_BLOCKSIZE;
662             length -= MBEDTLS_ARIA_BLOCKSIZE;
663         }
664     }
665 
666     return( 0 );
667 }
668 #endif /* MBEDTLS_CIPHER_MODE_CBC */
669 
670 #if defined(MBEDTLS_CIPHER_MODE_CFB)
671 /*
672  * ARIA-CFB128 buffer encryption/decryption
673  */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)674 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
675                                int mode,
676                                size_t length,
677                                size_t *iv_off,
678                                unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
679                                const unsigned char *input,
680                                unsigned char *output )
681 {
682     unsigned char c;
683     size_t n;
684 
685     ARIA_VALIDATE_RET( ctx != NULL );
686     ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
687                        mode == MBEDTLS_ARIA_DECRYPT );
688     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
689     ARIA_VALIDATE_RET( length == 0 || output != NULL );
690     ARIA_VALIDATE_RET( iv != NULL );
691     ARIA_VALIDATE_RET( iv_off != NULL );
692 
693     n = *iv_off;
694 
695     /* An overly large value of n can lead to an unlimited
696      * buffer overflow. Therefore, guard against this
697      * outside of parameter validation. */
698     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
699         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
700 
701     if( mode == MBEDTLS_ARIA_DECRYPT )
702     {
703         while( length-- )
704         {
705             if( n == 0 )
706                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
707 
708             c = *input++;
709             *output++ = c ^ iv[n];
710             iv[n] = c;
711 
712             n = ( n + 1 ) & 0x0F;
713         }
714     }
715     else
716     {
717         while( length-- )
718         {
719             if( n == 0 )
720                 mbedtls_aria_crypt_ecb( ctx, iv, iv );
721 
722             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
723 
724             n = ( n + 1 ) & 0x0F;
725         }
726     }
727 
728     *iv_off = n;
729 
730     return( 0 );
731 }
732 #endif /* MBEDTLS_CIPHER_MODE_CFB */
733 
734 #if defined(MBEDTLS_CIPHER_MODE_CTR)
735 /*
736  * ARIA-CTR buffer encryption/decryption
737  */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)738 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
739                             size_t length,
740                             size_t *nc_off,
741                             unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
742                             unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
743                             const unsigned char *input,
744                             unsigned char *output )
745 {
746     int c, i;
747     size_t n;
748 
749     ARIA_VALIDATE_RET( ctx != NULL );
750     ARIA_VALIDATE_RET( length == 0 || input  != NULL );
751     ARIA_VALIDATE_RET( length == 0 || output != NULL );
752     ARIA_VALIDATE_RET( nonce_counter != NULL );
753     ARIA_VALIDATE_RET( stream_block  != NULL );
754     ARIA_VALIDATE_RET( nc_off != NULL );
755 
756     n = *nc_off;
757     /* An overly large value of n can lead to an unlimited
758      * buffer overflow. Therefore, guard against this
759      * outside of parameter validation. */
760     if( n >= MBEDTLS_ARIA_BLOCKSIZE )
761         return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
762 
763     while( length-- )
764     {
765         if( n == 0 ) {
766             mbedtls_aria_crypt_ecb( ctx, nonce_counter,
767                                 stream_block );
768 
769             for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
770                 if( ++nonce_counter[i - 1] != 0 )
771                     break;
772         }
773         c = *input++;
774         *output++ = (unsigned char)( c ^ stream_block[n] );
775 
776         n = ( n + 1 ) & 0x0F;
777     }
778 
779     *nc_off = n;
780 
781     return( 0 );
782 }
783 #endif /* MBEDTLS_CIPHER_MODE_CTR */
784 #endif /* !MBEDTLS_ARIA_ALT */
785 
786 #if defined(MBEDTLS_SELF_TEST)
787 
788 /*
789  * Basic ARIA ECB test vectors from RFC 5794
790  */
791 static const uint8_t aria_test1_ecb_key[32] =           // test key
792 {
793     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
794     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
795     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
796     0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
797 };
798 
799 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
800 {
801     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
802     0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
803 };
804 
805 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
806 {
807     { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
808       0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
809     { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
810       0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
811     { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
812       0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
813 };
814 
815 /*
816  * Mode tests from "Test Vectors for ARIA"  Version 1.0
817  * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
818  */
819 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
820     defined(MBEDTLS_CIPHER_MODE_CTR))
821 static const uint8_t aria_test2_key[32] =
822 {
823     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
824     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
825     0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
826     0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
827 };
828 
829 static const uint8_t aria_test2_pt[48] =
830 {
831     0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
832     0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
833     0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
834     0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
835     0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
836     0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
837 };
838 #endif
839 
840 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
841 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
842 {
843     0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
844     0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
845 };
846 #endif
847 
848 #if defined(MBEDTLS_CIPHER_MODE_CBC)
849 static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
850 {
851     { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
852       0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
853       0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
854       0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
855       0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
856       0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
857     { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
858       0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
859       0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
860       0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
861       0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
862       0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
863     { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
864       0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
865       0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
866       0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
867       0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
868       0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
869 };
870 #endif /* MBEDTLS_CIPHER_MODE_CBC */
871 
872 #if defined(MBEDTLS_CIPHER_MODE_CFB)
873 static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
874 {
875     { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
876       0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
877       0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
878       0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
879       0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
880       0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
881     { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
882       0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
883       0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
884       0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
885       0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
886       0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
887     { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
888       0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
889       0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
890       0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
891       0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
892       0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
893 };
894 #endif /* MBEDTLS_CIPHER_MODE_CFB */
895 
896 #if defined(MBEDTLS_CIPHER_MODE_CTR)
897 static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
898 {
899     { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
900       0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
901       0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
902       0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
903       0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
904       0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
905     { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
906       0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
907       0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
908       0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
909       0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
910       0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
911     { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
912       0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
913       0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
914       0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
915       0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
916       0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
917 };
918 #endif /* MBEDTLS_CIPHER_MODE_CFB */
919 
920 #define ARIA_SELF_TEST_IF_FAIL              \
921         {                                   \
922             if( verbose )                   \
923                 mbedtls_printf( "failed\n" );       \
924             return( 1 );                    \
925         } else {                            \
926             if( verbose )                   \
927                 mbedtls_printf( "passed\n" );       \
928         }
929 
930 /*
931  * Checkup routine
932  */
mbedtls_aria_self_test(int verbose)933 int mbedtls_aria_self_test( int verbose )
934 {
935     int i;
936     uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
937     mbedtls_aria_context ctx;
938 
939 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
940     size_t j;
941 #endif
942 
943 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
944      defined(MBEDTLS_CIPHER_MODE_CFB) || \
945      defined(MBEDTLS_CIPHER_MODE_CTR))
946     uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
947 #endif
948 
949     /*
950      * Test set 1
951      */
952     for( i = 0; i < 3; i++ )
953     {
954         /* test ECB encryption */
955         if( verbose )
956             mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
957         mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
958         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
959         if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
960             ARIA_SELF_TEST_IF_FAIL;
961 
962         /* test ECB decryption */
963         if( verbose )
964             mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
965         mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
966         mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
967         if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
968             ARIA_SELF_TEST_IF_FAIL;
969     }
970     if( verbose )
971         mbedtls_printf( "\n" );
972 
973     /*
974      * Test set 2
975      */
976 #if defined(MBEDTLS_CIPHER_MODE_CBC)
977     for( i = 0; i < 3; i++ )
978     {
979         /* Test CBC encryption */
980         if( verbose )
981             mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
982         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
983         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
984         memset( buf, 0x55, sizeof( buf ) );
985         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
986             aria_test2_pt, buf );
987         if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
988             ARIA_SELF_TEST_IF_FAIL;
989 
990         /* Test CBC decryption */
991         if( verbose )
992             mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
993         mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
994         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
995         memset( buf, 0xAA, sizeof( buf ) );
996         mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
997             aria_test2_cbc_ct[i], buf );
998         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
999             ARIA_SELF_TEST_IF_FAIL;
1000     }
1001     if( verbose )
1002         mbedtls_printf( "\n" );
1003 
1004 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1005 
1006 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1007     for( i = 0; i < 3; i++ )
1008     {
1009         /* Test CFB encryption */
1010         if( verbose )
1011             mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
1012         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1013         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1014         memset( buf, 0x55, sizeof( buf ) );
1015         j = 0;
1016         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1017             aria_test2_pt, buf );
1018         if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1019             ARIA_SELF_TEST_IF_FAIL;
1020 
1021         /* Test CFB decryption */
1022         if( verbose )
1023             mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
1024         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1025         memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1026         memset( buf, 0xAA, sizeof( buf ) );
1027         j = 0;
1028         mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1029             iv, aria_test2_cfb_ct[i], buf );
1030         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1031             ARIA_SELF_TEST_IF_FAIL;
1032     }
1033     if( verbose )
1034         mbedtls_printf( "\n" );
1035 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1036 
1037 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1038     for( i = 0; i < 3; i++ )
1039     {
1040         /* Test CTR encryption */
1041         if( verbose )
1042             mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
1043         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1044         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1045         memset( buf, 0x55, sizeof( buf ) );
1046         j = 0;
1047         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1048             aria_test2_pt, buf );
1049         if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1050             ARIA_SELF_TEST_IF_FAIL;
1051 
1052         /* Test CTR decryption */
1053         if( verbose )
1054             mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
1055         mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1056         memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
1057         memset( buf, 0xAA, sizeof( buf ) );
1058         j = 0;
1059         mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1060             aria_test2_ctr_ct[i], buf );
1061         if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1062             ARIA_SELF_TEST_IF_FAIL;
1063     }
1064     if( verbose )
1065         mbedtls_printf( "\n" );
1066 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1067 
1068     return( 0 );
1069 }
1070 
1071 #endif /* MBEDTLS_SELF_TEST */
1072 
1073 #endif /* MBEDTLS_ARIA_C */
1074