1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_ARIA_C)
17
18 #include "mbedtls/aria.h"
19
20 #include <string.h>
21
22 #include "mbedtls/platform.h"
23
24 #if !defined(MBEDTLS_ARIA_ALT)
25
26 #include "mbedtls/platform_util.h"
27
28 /* Parameter validation macros */
29 #define ARIA_VALIDATE_RET(cond) \
30 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31 #define ARIA_VALIDATE(cond) \
32 MBEDTLS_INTERNAL_VALIDATE(cond)
33
34 /*
35 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
36 *
37 * This is submatrix P1 in [1] Appendix B.1
38 *
39 * Common compilers fail to translate this to minimal number of instructions,
40 * so let's provide asm versions for common platforms with C fallback.
41 */
42 #if defined(MBEDTLS_HAVE_ASM)
43 #if defined(__arm__) /* rev16 available from v6 up */
44 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45 #if defined(__GNUC__) && \
46 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
47 __ARM_ARCH >= 6
aria_p1(uint32_t x)48 static inline uint32_t aria_p1(uint32_t x)
49 {
50 uint32_t r;
51 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52 return r;
53 }
54 #define ARIA_P1 aria_p1
55 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
56 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p1(uint32_t x)57 static inline uint32_t aria_p1(uint32_t x)
58 {
59 uint32_t r;
60 __asm("rev16 r, x");
61 return r;
62 }
63 #define ARIA_P1 aria_p1
64 #endif
65 #endif /* arm */
66 #if defined(__GNUC__) && \
67 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
68 /* I couldn't find an Intel equivalent of rev16, so two instructions */
69 #define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
70 #endif /* x86 gnuc */
71 #endif /* MBEDTLS_HAVE_ASM && GNUC */
72 #if !defined(ARIA_P1)
73 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
74 #endif
75
76 /*
77 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78 *
79 * This is submatrix P2 in [1] Appendix B.1
80 *
81 * Common compilers will translate this to a single instruction.
82 */
83 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
84
85 /*
86 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87 *
88 * This is submatrix P3 in [1] Appendix B.1
89 */
90 #define ARIA_P3(x) MBEDTLS_BSWAP32(x)
91
92 /*
93 * ARIA Affine Transform
94 * (a, b, c, d) = state in/out
95 *
96 * If we denote the first byte of input by 0, ..., the last byte by f,
97 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
98 *
99 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
100 * rearrangements on adjacent pairs, output is:
101 *
102 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
103 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
104 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
105 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
106 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
107 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
108 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
109 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
110 *
111 * Note: another presentation of the A transform can be found as the first
112 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
113 * The implementation below uses only P1 and P2 as they are sufficient.
114 */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)115 static inline void aria_a(uint32_t *a, uint32_t *b,
116 uint32_t *c, uint32_t *d)
117 {
118 uint32_t ta, tb, tc;
119 ta = *b; // 4567
120 *b = *a; // 0123
121 *a = ARIA_P2(ta); // 6745
122 tb = ARIA_P2(*d); // efcd
123 *d = ARIA_P1(*c); // 98ba
124 *c = ARIA_P1(tb); // fedc
125 ta ^= *d; // 4567+98ba
126 tc = ARIA_P2(*b); // 2301
127 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
128 tb ^= ARIA_P2(*d); // ba98+efcd
129 tc ^= ARIA_P1(*a); // 2301+7654
130 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
131 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
132 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
133 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
134 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
135 tc = ARIA_P2(tc); // 0123+5476
136 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
137 }
138
139 /*
140 * ARIA Substitution Layer SL1 / SL2
141 * (a, b, c, d) = state in/out
142 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
143 *
144 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
145 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
146 */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])147 static inline void aria_sl(uint32_t *a, uint32_t *b,
148 uint32_t *c, uint32_t *d,
149 const uint8_t sa[256], const uint8_t sb[256],
150 const uint8_t sc[256], const uint8_t sd[256])
151 {
152 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
153 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
154 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
155 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
156 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
157 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
158 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
159 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
160 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
161 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
162 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
163 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
164 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
168 }
169
170 /*
171 * S-Boxes
172 */
173 static const uint8_t aria_sb1[256] =
174 {
175 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
176 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
177 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
178 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
179 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
180 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
181 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
182 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
183 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
184 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
185 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
186 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
187 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
188 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
189 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
190 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
191 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
192 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
193 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
194 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
195 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
196 0xB0, 0x54, 0xBB, 0x16
197 };
198
199 static const uint8_t aria_sb2[256] =
200 {
201 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
202 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
203 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
204 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
205 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
206 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
207 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
208 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
209 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
210 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
211 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
212 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
213 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
214 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
215 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
216 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
217 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
218 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
219 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
220 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
221 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
222 0xAF, 0xBA, 0xB5, 0x81
223 };
224
225 static const uint8_t aria_is1[256] =
226 {
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
228 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
229 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
230 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
232 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
233 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
234 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
236 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
237 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
238 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
239 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
240 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
241 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
242 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
243 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
244 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
245 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
246 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
248 0x55, 0x21, 0x0C, 0x7D
249 };
250
251 static const uint8_t aria_is2[256] =
252 {
253 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
254 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
255 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
256 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
257 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
258 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
259 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
260 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
261 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
262 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
263 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
264 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
265 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
266 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
267 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
268 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
269 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
270 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
271 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
272 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
273 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
274 0x03, 0xA2, 0xAC, 0x60
275 };
276
277 /*
278 * Helper for key schedule: r = FO( p, k ) ^ x
279 */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])280 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
281 const uint32_t k[4], const uint32_t x[4])
282 {
283 uint32_t a, b, c, d;
284
285 a = p[0] ^ k[0];
286 b = p[1] ^ k[1];
287 c = p[2] ^ k[2];
288 d = p[3] ^ k[3];
289
290 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
291 aria_a(&a, &b, &c, &d);
292
293 r[0] = a ^ x[0];
294 r[1] = b ^ x[1];
295 r[2] = c ^ x[2];
296 r[3] = d ^ x[3];
297 }
298
299 /*
300 * Helper for key schedule: r = FE( p, k ) ^ x
301 */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])302 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
303 const uint32_t k[4], const uint32_t x[4])
304 {
305 uint32_t a, b, c, d;
306
307 a = p[0] ^ k[0];
308 b = p[1] ^ k[1];
309 c = p[2] ^ k[2];
310 d = p[3] ^ k[3];
311
312 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
313 aria_a(&a, &b, &c, &d);
314
315 r[0] = a ^ x[0];
316 r[1] = b ^ x[1];
317 r[2] = c ^ x[2];
318 r[3] = d ^ x[3];
319 }
320
321 /*
322 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
323 *
324 * We chose to store bytes into 32-bit words in little-endian format (see
325 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
326 * bytes here.
327 */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)328 static void aria_rot128(uint32_t r[4], const uint32_t a[4],
329 const uint32_t b[4], uint8_t n)
330 {
331 uint8_t i, j;
332 uint32_t t, u;
333
334 const uint8_t n1 = n % 32; // bit offset
335 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
336
337 j = (n / 32) % 4; // initial word offset
338 t = ARIA_P3(b[j]); // big endian
339 for (i = 0; i < 4; i++) {
340 j = (j + 1) % 4; // get next word, big endian
341 u = ARIA_P3(b[j]);
342 t <<= n1; // rotate
343 t |= u >> n2;
344 t = ARIA_P3(t); // back to little endian
345 r[i] = a[i] ^ t; // store
346 t = u; // move to next word
347 }
348 }
349
350 /*
351 * Set encryption key
352 */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)353 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
354 const unsigned char *key, unsigned int keybits)
355 {
356 /* round constant masks */
357 const uint32_t rc[3][4] =
358 {
359 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
360 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
361 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
362 };
363
364 int i;
365 uint32_t w[4][4], *w2;
366 ARIA_VALIDATE_RET(ctx != NULL);
367 ARIA_VALIDATE_RET(key != NULL);
368
369 if (keybits != 128 && keybits != 192 && keybits != 256) {
370 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
371 }
372
373 /* Copy key to W0 (and potential remainder to W1) */
374 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
375 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
376 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
377 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
378
379 memset(w[1], 0, 16);
380 if (keybits >= 192) {
381 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
382 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
383 }
384 if (keybits == 256) {
385 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
386 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
387 }
388
389 i = (keybits - 128) >> 6; // index: 0, 1, 2
390 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
391
392 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
393 i = i < 2 ? i + 1 : 0;
394 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
395 i = i < 2 ? i + 1 : 0;
396 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
397
398 for (i = 0; i < 4; i++) { // create round keys
399 w2 = w[(i + 1) & 3];
400 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
401 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
402 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
403 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
404 }
405 aria_rot128(ctx->rk[16], w[0], w[1], 19);
406
407 /* w holds enough info to reconstruct the round keys */
408 mbedtls_platform_zeroize(w, sizeof(w));
409
410 return 0;
411 }
412
413 /*
414 * Set decryption key
415 */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)416 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
417 const unsigned char *key, unsigned int keybits)
418 {
419 int i, j, k, ret;
420 ARIA_VALIDATE_RET(ctx != NULL);
421 ARIA_VALIDATE_RET(key != NULL);
422
423 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
424 if (ret != 0) {
425 return ret;
426 }
427
428 /* flip the order of round keys */
429 for (i = 0, j = ctx->nr; i < j; i++, j--) {
430 for (k = 0; k < 4; k++) {
431 uint32_t t = ctx->rk[i][k];
432 ctx->rk[i][k] = ctx->rk[j][k];
433 ctx->rk[j][k] = t;
434 }
435 }
436
437 /* apply affine transform to middle keys */
438 for (i = 1; i < ctx->nr; i++) {
439 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
440 &ctx->rk[i][2], &ctx->rk[i][3]);
441 }
442
443 return 0;
444 }
445
446 /*
447 * Encrypt a block
448 */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])449 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
450 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
451 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
452 {
453 int i;
454
455 uint32_t a, b, c, d;
456 ARIA_VALIDATE_RET(ctx != NULL);
457 ARIA_VALIDATE_RET(input != NULL);
458 ARIA_VALIDATE_RET(output != NULL);
459
460 a = MBEDTLS_GET_UINT32_LE(input, 0);
461 b = MBEDTLS_GET_UINT32_LE(input, 4);
462 c = MBEDTLS_GET_UINT32_LE(input, 8);
463 d = MBEDTLS_GET_UINT32_LE(input, 12);
464
465 i = 0;
466 while (1) {
467 a ^= ctx->rk[i][0];
468 b ^= ctx->rk[i][1];
469 c ^= ctx->rk[i][2];
470 d ^= ctx->rk[i][3];
471 i++;
472
473 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
474 aria_a(&a, &b, &c, &d);
475
476 a ^= ctx->rk[i][0];
477 b ^= ctx->rk[i][1];
478 c ^= ctx->rk[i][2];
479 d ^= ctx->rk[i][3];
480 i++;
481
482 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
483 if (i >= ctx->nr) {
484 break;
485 }
486 aria_a(&a, &b, &c, &d);
487 }
488
489 /* final key mixing */
490 a ^= ctx->rk[i][0];
491 b ^= ctx->rk[i][1];
492 c ^= ctx->rk[i][2];
493 d ^= ctx->rk[i][3];
494
495 MBEDTLS_PUT_UINT32_LE(a, output, 0);
496 MBEDTLS_PUT_UINT32_LE(b, output, 4);
497 MBEDTLS_PUT_UINT32_LE(c, output, 8);
498 MBEDTLS_PUT_UINT32_LE(d, output, 12);
499
500 return 0;
501 }
502
503 /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)504 void mbedtls_aria_init(mbedtls_aria_context *ctx)
505 {
506 ARIA_VALIDATE(ctx != NULL);
507 memset(ctx, 0, sizeof(mbedtls_aria_context));
508 }
509
510 /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)511 void mbedtls_aria_free(mbedtls_aria_context *ctx)
512 {
513 if (ctx == NULL) {
514 return;
515 }
516
517 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
518 }
519
520 #if defined(MBEDTLS_CIPHER_MODE_CBC)
521 /*
522 * ARIA-CBC buffer encryption/decryption
523 */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)524 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
525 int mode,
526 size_t length,
527 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
528 const unsigned char *input,
529 unsigned char *output)
530 {
531 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
532
533 ARIA_VALIDATE_RET(ctx != NULL);
534 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
535 mode == MBEDTLS_ARIA_DECRYPT);
536 ARIA_VALIDATE_RET(length == 0 || input != NULL);
537 ARIA_VALIDATE_RET(length == 0 || output != NULL);
538 ARIA_VALIDATE_RET(iv != NULL);
539
540 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
541 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
542 }
543
544 if (mode == MBEDTLS_ARIA_DECRYPT) {
545 while (length > 0) {
546 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
547 mbedtls_aria_crypt_ecb(ctx, input, output);
548
549 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
550
551 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
552
553 input += MBEDTLS_ARIA_BLOCKSIZE;
554 output += MBEDTLS_ARIA_BLOCKSIZE;
555 length -= MBEDTLS_ARIA_BLOCKSIZE;
556 }
557 } else {
558 while (length > 0) {
559 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
560
561 mbedtls_aria_crypt_ecb(ctx, output, output);
562 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
563
564 input += MBEDTLS_ARIA_BLOCKSIZE;
565 output += MBEDTLS_ARIA_BLOCKSIZE;
566 length -= MBEDTLS_ARIA_BLOCKSIZE;
567 }
568 }
569
570 return 0;
571 }
572 #endif /* MBEDTLS_CIPHER_MODE_CBC */
573
574 #if defined(MBEDTLS_CIPHER_MODE_CFB)
575 /*
576 * ARIA-CFB128 buffer encryption/decryption
577 */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)578 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
579 int mode,
580 size_t length,
581 size_t *iv_off,
582 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
583 const unsigned char *input,
584 unsigned char *output)
585 {
586 unsigned char c;
587 size_t n;
588
589 ARIA_VALIDATE_RET(ctx != NULL);
590 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
591 mode == MBEDTLS_ARIA_DECRYPT);
592 ARIA_VALIDATE_RET(length == 0 || input != NULL);
593 ARIA_VALIDATE_RET(length == 0 || output != NULL);
594 ARIA_VALIDATE_RET(iv != NULL);
595 ARIA_VALIDATE_RET(iv_off != NULL);
596
597 n = *iv_off;
598
599 /* An overly large value of n can lead to an unlimited
600 * buffer overflow. Therefore, guard against this
601 * outside of parameter validation. */
602 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
603 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
604 }
605
606 if (mode == MBEDTLS_ARIA_DECRYPT) {
607 while (length--) {
608 if (n == 0) {
609 mbedtls_aria_crypt_ecb(ctx, iv, iv);
610 }
611
612 c = *input++;
613 *output++ = c ^ iv[n];
614 iv[n] = c;
615
616 n = (n + 1) & 0x0F;
617 }
618 } else {
619 while (length--) {
620 if (n == 0) {
621 mbedtls_aria_crypt_ecb(ctx, iv, iv);
622 }
623
624 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
625
626 n = (n + 1) & 0x0F;
627 }
628 }
629
630 *iv_off = n;
631
632 return 0;
633 }
634 #endif /* MBEDTLS_CIPHER_MODE_CFB */
635
636 #if defined(MBEDTLS_CIPHER_MODE_CTR)
637 /*
638 * ARIA-CTR buffer encryption/decryption
639 */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)640 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
641 size_t length,
642 size_t *nc_off,
643 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
644 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
645 const unsigned char *input,
646 unsigned char *output)
647 {
648 int c, i;
649 size_t n;
650
651 ARIA_VALIDATE_RET(ctx != NULL);
652 ARIA_VALIDATE_RET(length == 0 || input != NULL);
653 ARIA_VALIDATE_RET(length == 0 || output != NULL);
654 ARIA_VALIDATE_RET(nonce_counter != NULL);
655 ARIA_VALIDATE_RET(stream_block != NULL);
656 ARIA_VALIDATE_RET(nc_off != NULL);
657
658 n = *nc_off;
659 /* An overly large value of n can lead to an unlimited
660 * buffer overflow. Therefore, guard against this
661 * outside of parameter validation. */
662 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
663 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
664 }
665
666 while (length--) {
667 if (n == 0) {
668 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
669 stream_block);
670
671 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
672 if (++nonce_counter[i - 1] != 0) {
673 break;
674 }
675 }
676 }
677 c = *input++;
678 *output++ = (unsigned char) (c ^ stream_block[n]);
679
680 n = (n + 1) & 0x0F;
681 }
682
683 *nc_off = n;
684
685 return 0;
686 }
687 #endif /* MBEDTLS_CIPHER_MODE_CTR */
688 #endif /* !MBEDTLS_ARIA_ALT */
689
690 #if defined(MBEDTLS_SELF_TEST)
691
692 /*
693 * Basic ARIA ECB test vectors from RFC 5794
694 */
695 static const uint8_t aria_test1_ecb_key[32] = // test key
696 {
697 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
698 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
699 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
700 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
701 };
702
703 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
704 {
705 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
706 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
707 };
708
709 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
710 {
711 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
712 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
713 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
714 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
715 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
716 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
717 };
718
719 /*
720 * Mode tests from "Test Vectors for ARIA" Version 1.0
721 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
722 */
723 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
724 defined(MBEDTLS_CIPHER_MODE_CTR))
725 static const uint8_t aria_test2_key[32] =
726 {
727 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
728 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
729 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
730 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
731 };
732
733 static const uint8_t aria_test2_pt[48] =
734 {
735 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
736 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
737 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
738 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
739 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
740 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
741 };
742 #endif
743
744 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
745 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
746 {
747 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
748 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
749 };
750 #endif
751
752 #if defined(MBEDTLS_CIPHER_MODE_CBC)
753 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
754 {
755 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
756 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
757 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
758 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
759 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
760 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
761 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
762 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
763 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
764 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
765 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
766 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
767 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
768 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
769 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
770 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
771 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
772 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
773 };
774 #endif /* MBEDTLS_CIPHER_MODE_CBC */
775
776 #if defined(MBEDTLS_CIPHER_MODE_CFB)
777 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
778 {
779 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
780 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
781 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
782 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
783 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
784 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
785 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
786 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
787 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
788 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
789 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
790 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
791 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
792 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
793 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
794 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
795 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
796 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
797 };
798 #endif /* MBEDTLS_CIPHER_MODE_CFB */
799
800 #if defined(MBEDTLS_CIPHER_MODE_CTR)
801 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
802 {
803 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
804 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
805 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
806 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
807 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
808 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
809 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
810 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
811 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
812 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
813 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
814 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
815 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
816 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
817 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
818 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
819 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
820 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
821 };
822 #endif /* MBEDTLS_CIPHER_MODE_CFB */
823
824 #define ARIA_SELF_TEST_ASSERT(cond) \
825 do { \
826 if (cond) { \
827 if (verbose) \
828 mbedtls_printf("failed\n"); \
829 goto exit; \
830 } else { \
831 if (verbose) \
832 mbedtls_printf("passed\n"); \
833 } \
834 } while (0)
835
836 /*
837 * Checkup routine
838 */
mbedtls_aria_self_test(int verbose)839 int mbedtls_aria_self_test(int verbose)
840 {
841 int i;
842 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
843 mbedtls_aria_context ctx;
844 int ret = 1;
845
846 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
847 size_t j;
848 #endif
849
850 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
851 defined(MBEDTLS_CIPHER_MODE_CFB) || \
852 defined(MBEDTLS_CIPHER_MODE_CTR))
853 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
854 #endif
855
856 mbedtls_aria_init(&ctx);
857
858 /*
859 * Test set 1
860 */
861 for (i = 0; i < 3; i++) {
862 /* test ECB encryption */
863 if (verbose) {
864 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
865 }
866 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
867 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
868 ARIA_SELF_TEST_ASSERT(
869 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
870 != 0);
871
872 /* test ECB decryption */
873 if (verbose) {
874 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
875 }
876 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
877 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
878 ARIA_SELF_TEST_ASSERT(
879 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
880 != 0);
881 }
882 if (verbose) {
883 mbedtls_printf("\n");
884 }
885
886 /*
887 * Test set 2
888 */
889 #if defined(MBEDTLS_CIPHER_MODE_CBC)
890 for (i = 0; i < 3; i++) {
891 /* Test CBC encryption */
892 if (verbose) {
893 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
894 }
895 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
896 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
897 memset(buf, 0x55, sizeof(buf));
898 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
899 aria_test2_pt, buf);
900 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
901 != 0);
902
903 /* Test CBC decryption */
904 if (verbose) {
905 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
906 }
907 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
908 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909 memset(buf, 0xAA, sizeof(buf));
910 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
911 aria_test2_cbc_ct[i], buf);
912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
913 }
914 if (verbose) {
915 mbedtls_printf("\n");
916 }
917
918 #endif /* MBEDTLS_CIPHER_MODE_CBC */
919
920 #if defined(MBEDTLS_CIPHER_MODE_CFB)
921 for (i = 0; i < 3; i++) {
922 /* Test CFB encryption */
923 if (verbose) {
924 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
925 }
926 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
927 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
928 memset(buf, 0x55, sizeof(buf));
929 j = 0;
930 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
931 aria_test2_pt, buf);
932 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
933
934 /* Test CFB decryption */
935 if (verbose) {
936 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
937 }
938 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940 memset(buf, 0xAA, sizeof(buf));
941 j = 0;
942 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
943 iv, aria_test2_cfb_ct[i], buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
945 }
946 if (verbose) {
947 mbedtls_printf("\n");
948 }
949 #endif /* MBEDTLS_CIPHER_MODE_CFB */
950
951 #if defined(MBEDTLS_CIPHER_MODE_CTR)
952 for (i = 0; i < 3; i++) {
953 /* Test CTR encryption */
954 if (verbose) {
955 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
956 }
957 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
958 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
959 memset(buf, 0x55, sizeof(buf));
960 j = 0;
961 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
962 aria_test2_pt, buf);
963 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
964
965 /* Test CTR decryption */
966 if (verbose) {
967 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
968 }
969 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
971 memset(buf, 0xAA, sizeof(buf));
972 j = 0;
973 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974 aria_test2_ctr_ct[i], buf);
975 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
976 }
977 if (verbose) {
978 mbedtls_printf("\n");
979 }
980 #endif /* MBEDTLS_CIPHER_MODE_CTR */
981
982 ret = 0;
983
984 exit:
985 mbedtls_aria_free(&ctx);
986 return ret;
987 }
988
989 #endif /* MBEDTLS_SELF_TEST */
990
991 #endif /* MBEDTLS_ARIA_C */
992
