1 /* SPDX-License-Identifier: Apache-2.0 */ 2 /* 3 * ARIA implementation 4 * 5 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 /* 23 * This implementation is based on the following standards: 24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 25 * [2] https://tools.ietf.org/html/rfc5794 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_ARIA_C) 35 36 #include "mbedtls/aria.h" 37 38 #include <string.h> 39 40 #if defined(MBEDTLS_SELF_TEST) 41 #if defined(MBEDTLS_PLATFORM_C) 42 #include "mbedtls/platform.h" 43 #else 44 #include <stdio.h> 45 #define mbedtls_printf printf 46 #endif /* MBEDTLS_PLATFORM_C */ 47 #endif /* MBEDTLS_SELF_TEST */ 48 49 #if !defined(MBEDTLS_ARIA_ALT) 50 51 #include "mbedtls/platform_util.h" 52 53 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 54 !defined(inline) && !defined(__cplusplus) 55 #define inline __inline 56 #endif 57 58 /* Parameter validation macros */ 59 #define ARIA_VALIDATE_RET( cond ) \ 60 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) 61 #define ARIA_VALIDATE( cond ) \ 62 MBEDTLS_INTERNAL_VALIDATE( cond ) 63 64 /* 65 * 32-bit integer manipulation macros (little endian) 66 */ 67 #ifndef GET_UINT32_LE 68 #define GET_UINT32_LE( n, b, i ) \ 69 { \ 70 (n) = ( (uint32_t) (b)[(i) ] ) \ 71 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 72 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 73 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 74 } 75 #endif 76 77 #ifndef PUT_UINT32_LE 78 #define PUT_UINT32_LE( n, b, i ) \ 79 { \ 80 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 81 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 82 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 83 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 84 } 85 #endif 86 87 /* 88 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 89 * 90 * This is submatrix P1 in [1] Appendix B.1 91 * 92 * Common compilers fail to translate this to minimal number of instructions, 93 * so let's provide asm versions for common platforms with C fallback. 94 */ 95 #if defined(MBEDTLS_HAVE_ASM) 96 #if defined(__arm__) /* rev16 available from v6 up */ 97 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 98 #if defined(__GNUC__) && \ 99 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 100 __ARM_ARCH >= 6 101 static inline uint32_t aria_p1( uint32_t x ) 102 { 103 uint32_t r; 104 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); 105 return( r ); 106 } 107 #define ARIA_P1 aria_p1 108 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 109 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 110 static inline uint32_t aria_p1( uint32_t x ) 111 { 112 uint32_t r; 113 __asm( "rev16 r, x" ); 114 return( r ); 115 } 116 #define ARIA_P1 aria_p1 117 #endif 118 #endif /* arm */ 119 #if defined(__GNUC__) && \ 120 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 121 /* I couldn't find an Intel equivalent of rev16, so two instructions */ 122 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) 123 #endif /* x86 gnuc */ 124 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 125 #if !defined(ARIA_P1) 126 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 127 #endif 128 129 /* 130 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 131 * 132 * This is submatrix P2 in [1] Appendix B.1 133 * 134 * Common compilers will translate this to a single instruction. 135 */ 136 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 137 138 /* 139 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 140 * 141 * This is submatrix P3 in [1] Appendix B.1 142 * 143 * Some compilers fail to translate this to a single instruction, 144 * so let's provide asm versions for common platforms with C fallback. 145 */ 146 #if defined(MBEDTLS_HAVE_ASM) 147 #if defined(__arm__) /* rev available from v6 up */ 148 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 149 #if defined(__GNUC__) && \ 150 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 151 __ARM_ARCH >= 6 152 static inline uint32_t aria_p3( uint32_t x ) 153 { 154 uint32_t r; 155 __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); 156 return( r ); 157 } 158 #define ARIA_P3 aria_p3 159 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 160 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 161 static inline uint32_t aria_p3( uint32_t x ) 162 { 163 uint32_t r; 164 __asm( "rev r, x" ); 165 return( r ); 166 } 167 #define ARIA_P3 aria_p3 168 #endif 169 #endif /* arm */ 170 #if defined(__GNUC__) && \ 171 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 172 static inline uint32_t aria_p3( uint32_t x ) 173 { 174 __asm( "bswap %0" : "=r" (x) : "0" (x) ); 175 return( x ); 176 } 177 #define ARIA_P3 aria_p3 178 #endif /* x86 gnuc */ 179 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 180 #if !defined(ARIA_P3) 181 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) 182 #endif 183 184 /* 185 * ARIA Affine Transform 186 * (a, b, c, d) = state in/out 187 * 188 * If we denote the first byte of input by 0, ..., the last byte by f, 189 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 190 * 191 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 192 * rearrangements on adjacent pairs, output is: 193 * 194 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 195 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 196 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 197 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 198 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 199 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 200 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 201 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 202 * 203 * Note: another presentation of the A transform can be found as the first 204 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 205 * The implementation below uses only P1 and P2 as they are sufficient. 206 */ 207 static inline void aria_a( uint32_t *a, uint32_t *b, 208 uint32_t *c, uint32_t *d ) 209 { 210 uint32_t ta, tb, tc; 211 ta = *b; // 4567 212 *b = *a; // 0123 213 *a = ARIA_P2( ta ); // 6745 214 tb = ARIA_P2( *d ); // efcd 215 *d = ARIA_P1( *c ); // 98ba 216 *c = ARIA_P1( tb ); // fedc 217 ta ^= *d; // 4567+98ba 218 tc = ARIA_P2( *b ); // 2301 219 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc 220 tb ^= ARIA_P2( *d ); // ba98+efcd 221 tc ^= ARIA_P1( *a ); // 2301+7654 222 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 223 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 224 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 225 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe 226 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 227 tc = ARIA_P2( tc ); // 0123+5476 228 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 229 } 230 231 /* 232 * ARIA Substitution Layer SL1 / SL2 233 * (a, b, c, d) = state in/out 234 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 235 * 236 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 237 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 238 */ 239 static inline void aria_sl( uint32_t *a, uint32_t *b, 240 uint32_t *c, uint32_t *d, 241 const uint8_t sa[256], const uint8_t sb[256], 242 const uint8_t sc[256], const uint8_t sd[256] ) 243 { 244 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ 245 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ 246 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ 247 (((uint32_t) sd[ *a >> 24 ]) << 24); 248 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ 249 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ 250 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ 251 (((uint32_t) sd[ *b >> 24 ]) << 24); 252 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ 253 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ 254 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ 255 (((uint32_t) sd[ *c >> 24 ]) << 24); 256 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ 257 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ 258 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ 259 (((uint32_t) sd[ *d >> 24 ]) << 24); 260 } 261 262 /* 263 * S-Boxes 264 */ 265 static const uint8_t aria_sb1[256] = 266 { 267 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 268 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 269 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 270 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 271 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 272 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 273 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 274 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 275 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 276 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 277 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 278 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 279 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 280 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 281 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 282 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 283 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 284 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 285 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 286 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 287 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 288 0xB0, 0x54, 0xBB, 0x16 289 }; 290 291 static const uint8_t aria_sb2[256] = 292 { 293 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 294 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 295 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 296 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 297 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 298 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 299 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 300 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 301 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 302 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 303 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 304 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 305 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 306 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 307 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 308 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 309 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 310 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 311 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 312 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 313 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 314 0xAF, 0xBA, 0xB5, 0x81 315 }; 316 317 static const uint8_t aria_is1[256] = 318 { 319 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 320 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 321 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 322 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 323 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 324 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 325 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 326 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 327 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 328 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 329 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 330 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 331 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 332 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 333 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 334 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 335 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 336 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 337 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 338 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 339 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 340 0x55, 0x21, 0x0C, 0x7D 341 }; 342 343 static const uint8_t aria_is2[256] = 344 { 345 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 346 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 347 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 348 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 349 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 350 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 351 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 352 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 353 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 354 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 355 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 356 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 357 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 358 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 359 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 360 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 361 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 362 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 363 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 364 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 365 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 366 0x03, 0xA2, 0xAC, 0x60 367 }; 368 369 /* 370 * Helper for key schedule: r = FO( p, k ) ^ x 371 */ 372 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], 373 const uint32_t k[4], const uint32_t x[4] ) 374 { 375 uint32_t a, b, c, d; 376 377 a = p[0] ^ k[0]; 378 b = p[1] ^ k[1]; 379 c = p[2] ^ k[2]; 380 d = p[3] ^ k[3]; 381 382 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 383 aria_a( &a, &b, &c, &d ); 384 385 r[0] = a ^ x[0]; 386 r[1] = b ^ x[1]; 387 r[2] = c ^ x[2]; 388 r[3] = d ^ x[3]; 389 } 390 391 /* 392 * Helper for key schedule: r = FE( p, k ) ^ x 393 */ 394 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], 395 const uint32_t k[4], const uint32_t x[4] ) 396 { 397 uint32_t a, b, c, d; 398 399 a = p[0] ^ k[0]; 400 b = p[1] ^ k[1]; 401 c = p[2] ^ k[2]; 402 d = p[3] ^ k[3]; 403 404 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 405 aria_a( &a, &b, &c, &d ); 406 407 r[0] = a ^ x[0]; 408 r[1] = b ^ x[1]; 409 r[2] = c ^ x[2]; 410 r[3] = d ^ x[3]; 411 } 412 413 /* 414 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 415 * 416 * We chose to store bytes into 32-bit words in little-endian format (see 417 * GET/PUT_UINT32_LE) so we need to reverse bytes here. 418 */ 419 static void aria_rot128( uint32_t r[4], const uint32_t a[4], 420 const uint32_t b[4], uint8_t n ) 421 { 422 uint8_t i, j; 423 uint32_t t, u; 424 425 const uint8_t n1 = n % 32; // bit offset 426 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 427 428 j = ( n / 32 ) % 4; // initial word offset 429 t = ARIA_P3( b[j] ); // big endian 430 for( i = 0; i < 4; i++ ) 431 { 432 j = ( j + 1 ) % 4; // get next word, big endian 433 u = ARIA_P3( b[j] ); 434 t <<= n1; // rotate 435 t |= u >> n2; 436 t = ARIA_P3( t ); // back to little endian 437 r[i] = a[i] ^ t; // store 438 t = u; // move to next word 439 } 440 } 441 442 /* 443 * Set encryption key 444 */ 445 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, 446 const unsigned char *key, unsigned int keybits ) 447 { 448 /* round constant masks */ 449 const uint32_t rc[3][4] = 450 { 451 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 452 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 453 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 454 }; 455 456 int i; 457 uint32_t w[4][4], *w2; 458 ARIA_VALIDATE_RET( ctx != NULL ); 459 ARIA_VALIDATE_RET( key != NULL ); 460 461 if( keybits != 128 && keybits != 192 && keybits != 256 ) 462 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 463 464 /* Copy key to W0 (and potential remainder to W1) */ 465 GET_UINT32_LE( w[0][0], key, 0 ); 466 GET_UINT32_LE( w[0][1], key, 4 ); 467 GET_UINT32_LE( w[0][2], key, 8 ); 468 GET_UINT32_LE( w[0][3], key, 12 ); 469 470 memset( w[1], 0, 16 ); 471 if( keybits >= 192 ) 472 { 473 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key 474 GET_UINT32_LE( w[1][1], key, 20 ); 475 } 476 if( keybits == 256 ) 477 { 478 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key 479 GET_UINT32_LE( w[1][3], key, 28 ); 480 } 481 482 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 483 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 484 485 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR 486 i = i < 2 ? i + 1 : 0; 487 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 488 i = i < 2 ? i + 1 : 0; 489 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 490 491 for( i = 0; i < 4; i++ ) // create round keys 492 { 493 w2 = w[(i + 1) & 3]; 494 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 ); 495 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 ); 496 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 ); 497 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 ); 498 } 499 aria_rot128( ctx->rk[16], w[0], w[1], 19 ); 500 501 /* w holds enough info to reconstruct the round keys */ 502 mbedtls_platform_zeroize( w, sizeof( w ) ); 503 504 return( 0 ); 505 } 506 507 /* 508 * Set decryption key 509 */ 510 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, 511 const unsigned char *key, unsigned int keybits ) 512 { 513 int i, j, k, ret; 514 ARIA_VALIDATE_RET( ctx != NULL ); 515 ARIA_VALIDATE_RET( key != NULL ); 516 517 ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); 518 if( ret != 0 ) 519 return( ret ); 520 521 /* flip the order of round keys */ 522 for( i = 0, j = ctx->nr; i < j; i++, j-- ) 523 { 524 for( k = 0; k < 4; k++ ) 525 { 526 uint32_t t = ctx->rk[i][k]; 527 ctx->rk[i][k] = ctx->rk[j][k]; 528 ctx->rk[j][k] = t; 529 } 530 } 531 532 /* apply affine transform to middle keys */ 533 for( i = 1; i < ctx->nr; i++ ) 534 { 535 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], 536 &ctx->rk[i][2], &ctx->rk[i][3] ); 537 } 538 539 return( 0 ); 540 } 541 542 /* 543 * Encrypt a block 544 */ 545 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, 546 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 547 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) 548 { 549 int i; 550 551 uint32_t a, b, c, d; 552 ARIA_VALIDATE_RET( ctx != NULL ); 553 ARIA_VALIDATE_RET( input != NULL ); 554 ARIA_VALIDATE_RET( output != NULL ); 555 556 GET_UINT32_LE( a, input, 0 ); 557 GET_UINT32_LE( b, input, 4 ); 558 GET_UINT32_LE( c, input, 8 ); 559 GET_UINT32_LE( d, input, 12 ); 560 561 i = 0; 562 while( 1 ) 563 { 564 a ^= ctx->rk[i][0]; 565 b ^= ctx->rk[i][1]; 566 c ^= ctx->rk[i][2]; 567 d ^= ctx->rk[i][3]; 568 i++; 569 570 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 571 aria_a( &a, &b, &c, &d ); 572 573 a ^= ctx->rk[i][0]; 574 b ^= ctx->rk[i][1]; 575 c ^= ctx->rk[i][2]; 576 d ^= ctx->rk[i][3]; 577 i++; 578 579 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 580 if( i >= ctx->nr ) 581 break; 582 aria_a( &a, &b, &c, &d ); 583 } 584 585 /* final key mixing */ 586 a ^= ctx->rk[i][0]; 587 b ^= ctx->rk[i][1]; 588 c ^= ctx->rk[i][2]; 589 d ^= ctx->rk[i][3]; 590 591 PUT_UINT32_LE( a, output, 0 ); 592 PUT_UINT32_LE( b, output, 4 ); 593 PUT_UINT32_LE( c, output, 8 ); 594 PUT_UINT32_LE( d, output, 12 ); 595 596 return( 0 ); 597 } 598 599 /* Initialize context */ 600 void mbedtls_aria_init( mbedtls_aria_context *ctx ) 601 { 602 ARIA_VALIDATE( ctx != NULL ); 603 memset( ctx, 0, sizeof( mbedtls_aria_context ) ); 604 } 605 606 /* Clear context */ 607 void mbedtls_aria_free( mbedtls_aria_context *ctx ) 608 { 609 if( ctx == NULL ) 610 return; 611 612 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); 613 } 614 615 #if defined(MBEDTLS_CIPHER_MODE_CBC) 616 /* 617 * ARIA-CBC buffer encryption/decryption 618 */ 619 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, 620 int mode, 621 size_t length, 622 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 623 const unsigned char *input, 624 unsigned char *output ) 625 { 626 int i; 627 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 628 629 ARIA_VALIDATE_RET( ctx != NULL ); 630 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 631 mode == MBEDTLS_ARIA_DECRYPT ); 632 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 633 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 634 ARIA_VALIDATE_RET( iv != NULL ); 635 636 if( length % MBEDTLS_ARIA_BLOCKSIZE ) 637 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); 638 639 if( mode == MBEDTLS_ARIA_DECRYPT ) 640 { 641 while( length > 0 ) 642 { 643 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); 644 mbedtls_aria_crypt_ecb( ctx, input, output ); 645 646 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 647 output[i] = (unsigned char)( output[i] ^ iv[i] ); 648 649 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); 650 651 input += MBEDTLS_ARIA_BLOCKSIZE; 652 output += MBEDTLS_ARIA_BLOCKSIZE; 653 length -= MBEDTLS_ARIA_BLOCKSIZE; 654 } 655 } 656 else 657 { 658 while( length > 0 ) 659 { 660 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 661 output[i] = (unsigned char)( input[i] ^ iv[i] ); 662 663 mbedtls_aria_crypt_ecb( ctx, output, output ); 664 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); 665 666 input += MBEDTLS_ARIA_BLOCKSIZE; 667 output += MBEDTLS_ARIA_BLOCKSIZE; 668 length -= MBEDTLS_ARIA_BLOCKSIZE; 669 } 670 } 671 672 return( 0 ); 673 } 674 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 675 676 #if defined(MBEDTLS_CIPHER_MODE_CFB) 677 /* 678 * ARIA-CFB128 buffer encryption/decryption 679 */ 680 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, 681 int mode, 682 size_t length, 683 size_t *iv_off, 684 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 685 const unsigned char *input, 686 unsigned char *output ) 687 { 688 unsigned char c; 689 size_t n; 690 691 ARIA_VALIDATE_RET( ctx != NULL ); 692 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 693 mode == MBEDTLS_ARIA_DECRYPT ); 694 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 695 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 696 ARIA_VALIDATE_RET( iv != NULL ); 697 ARIA_VALIDATE_RET( iv_off != NULL ); 698 699 n = *iv_off; 700 701 /* An overly large value of n can lead to an unlimited 702 * buffer overflow. Therefore, guard against this 703 * outside of parameter validation. */ 704 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 705 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 706 707 if( mode == MBEDTLS_ARIA_DECRYPT ) 708 { 709 while( length-- ) 710 { 711 if( n == 0 ) 712 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 713 714 c = *input++; 715 *output++ = c ^ iv[n]; 716 iv[n] = c; 717 718 n = ( n + 1 ) & 0x0F; 719 } 720 } 721 else 722 { 723 while( length-- ) 724 { 725 if( n == 0 ) 726 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 727 728 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 729 730 n = ( n + 1 ) & 0x0F; 731 } 732 } 733 734 *iv_off = n; 735 736 return( 0 ); 737 } 738 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 739 740 #if defined(MBEDTLS_CIPHER_MODE_CTR) 741 /* 742 * ARIA-CTR buffer encryption/decryption 743 */ 744 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, 745 size_t length, 746 size_t *nc_off, 747 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 748 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 749 const unsigned char *input, 750 unsigned char *output ) 751 { 752 int c, i; 753 size_t n; 754 755 ARIA_VALIDATE_RET( ctx != NULL ); 756 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 757 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 758 ARIA_VALIDATE_RET( nonce_counter != NULL ); 759 ARIA_VALIDATE_RET( stream_block != NULL ); 760 ARIA_VALIDATE_RET( nc_off != NULL ); 761 762 n = *nc_off; 763 /* An overly large value of n can lead to an unlimited 764 * buffer overflow. Therefore, guard against this 765 * outside of parameter validation. */ 766 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 767 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 768 769 while( length-- ) 770 { 771 if( n == 0 ) { 772 mbedtls_aria_crypt_ecb( ctx, nonce_counter, 773 stream_block ); 774 775 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) 776 if( ++nonce_counter[i - 1] != 0 ) 777 break; 778 } 779 c = *input++; 780 *output++ = (unsigned char)( c ^ stream_block[n] ); 781 782 n = ( n + 1 ) & 0x0F; 783 } 784 785 *nc_off = n; 786 787 return( 0 ); 788 } 789 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 790 #endif /* !MBEDTLS_ARIA_ALT */ 791 792 #if defined(MBEDTLS_SELF_TEST) 793 794 /* 795 * Basic ARIA ECB test vectors from RFC 5794 796 */ 797 static const uint8_t aria_test1_ecb_key[32] = // test key 798 { 799 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 800 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 801 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 802 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 803 }; 804 805 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 806 { 807 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 808 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 809 }; 810 811 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 812 { 813 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 814 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 815 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 816 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 817 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 818 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 819 }; 820 821 /* 822 * Mode tests from "Test Vectors for ARIA" Version 1.0 823 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 824 */ 825 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 826 defined(MBEDTLS_CIPHER_MODE_CTR)) 827 static const uint8_t aria_test2_key[32] = 828 { 829 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 830 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 831 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 832 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 833 }; 834 835 static const uint8_t aria_test2_pt[48] = 836 { 837 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 838 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 839 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 840 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 841 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 842 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 843 }; 844 #endif 845 846 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 847 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 848 { 849 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 850 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 851 }; 852 #endif 853 854 #if defined(MBEDTLS_CIPHER_MODE_CBC) 855 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 856 { 857 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 858 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 859 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 860 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 861 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 862 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 863 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 864 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 865 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 866 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 867 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 868 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 869 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 870 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 871 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 872 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 873 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 874 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 875 }; 876 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 877 878 #if defined(MBEDTLS_CIPHER_MODE_CFB) 879 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 880 { 881 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 882 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 883 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 884 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 885 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 886 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 887 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 888 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 889 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 890 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 891 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 892 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 893 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 894 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 895 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 896 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 897 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 898 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 899 }; 900 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 901 902 #if defined(MBEDTLS_CIPHER_MODE_CTR) 903 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 904 { 905 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 906 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 907 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 908 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 909 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 910 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 911 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 912 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 913 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 914 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 915 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 916 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 917 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 918 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 919 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 920 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 921 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 922 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 923 }; 924 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 925 926 #define ARIA_SELF_TEST_IF_FAIL \ 927 { \ 928 if( verbose ) \ 929 mbedtls_printf( "failed\n" ); \ 930 return( 1 ); \ 931 } else { \ 932 if( verbose ) \ 933 mbedtls_printf( "passed\n" ); \ 934 } 935 936 /* 937 * Checkup routine 938 */ 939 int mbedtls_aria_self_test( int verbose ) 940 { 941 int i; 942 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 943 mbedtls_aria_context ctx; 944 945 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 946 size_t j; 947 #endif 948 949 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 950 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 951 defined(MBEDTLS_CIPHER_MODE_CTR)) 952 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 953 #endif 954 955 /* 956 * Test set 1 957 */ 958 for( i = 0; i < 3; i++ ) 959 { 960 /* test ECB encryption */ 961 if( verbose ) 962 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); 963 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 964 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); 965 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 966 ARIA_SELF_TEST_IF_FAIL; 967 968 /* test ECB decryption */ 969 if( verbose ) 970 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); 971 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 972 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); 973 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 974 ARIA_SELF_TEST_IF_FAIL; 975 } 976 if( verbose ) 977 mbedtls_printf( "\n" ); 978 979 /* 980 * Test set 2 981 */ 982 #if defined(MBEDTLS_CIPHER_MODE_CBC) 983 for( i = 0; i < 3; i++ ) 984 { 985 /* Test CBC encryption */ 986 if( verbose ) 987 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); 988 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 989 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 990 memset( buf, 0x55, sizeof( buf ) ); 991 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 992 aria_test2_pt, buf ); 993 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) 994 ARIA_SELF_TEST_IF_FAIL; 995 996 /* Test CBC decryption */ 997 if( verbose ) 998 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); 999 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); 1000 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1001 memset( buf, 0xAA, sizeof( buf ) ); 1002 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 1003 aria_test2_cbc_ct[i], buf ); 1004 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1005 ARIA_SELF_TEST_IF_FAIL; 1006 } 1007 if( verbose ) 1008 mbedtls_printf( "\n" ); 1009 1010 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1011 1012 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1013 for( i = 0; i < 3; i++ ) 1014 { 1015 /* Test CFB encryption */ 1016 if( verbose ) 1017 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); 1018 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1019 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1020 memset( buf, 0x55, sizeof( buf ) ); 1021 j = 0; 1022 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 1023 aria_test2_pt, buf ); 1024 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) 1025 ARIA_SELF_TEST_IF_FAIL; 1026 1027 /* Test CFB decryption */ 1028 if( verbose ) 1029 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); 1030 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1031 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1032 memset( buf, 0xAA, sizeof( buf ) ); 1033 j = 0; 1034 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 1035 iv, aria_test2_cfb_ct[i], buf ); 1036 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1037 ARIA_SELF_TEST_IF_FAIL; 1038 } 1039 if( verbose ) 1040 mbedtls_printf( "\n" ); 1041 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1042 1043 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1044 for( i = 0; i < 3; i++ ) 1045 { 1046 /* Test CTR encryption */ 1047 if( verbose ) 1048 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); 1049 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1050 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1051 memset( buf, 0x55, sizeof( buf ) ); 1052 j = 0; 1053 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1054 aria_test2_pt, buf ); 1055 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) 1056 ARIA_SELF_TEST_IF_FAIL; 1057 1058 /* Test CTR decryption */ 1059 if( verbose ) 1060 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); 1061 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1062 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1063 memset( buf, 0xAA, sizeof( buf ) ); 1064 j = 0; 1065 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1066 aria_test2_ctr_ct[i], buf ); 1067 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1068 ARIA_SELF_TEST_IF_FAIL; 1069 } 1070 if( verbose ) 1071 mbedtls_printf( "\n" ); 1072 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1073 1074 return( 0 ); 1075 } 1076 1077 #endif /* MBEDTLS_SELF_TEST */ 1078 1079 #endif /* MBEDTLS_ARIA_C */ 1080