1 /* 2 * ARIA implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 /* 21 * This implementation is based on the following standards: 22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 23 * [2] https://tools.ietf.org/html/rfc5794 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_ARIA_C) 29 30 #include "mbedtls/aria.h" 31 32 #include <string.h> 33 34 #if defined(MBEDTLS_SELF_TEST) 35 #if defined(MBEDTLS_PLATFORM_C) 36 #include "mbedtls/platform.h" 37 #else 38 #include <stdio.h> 39 #define mbedtls_printf printf 40 #endif /* MBEDTLS_PLATFORM_C */ 41 #endif /* MBEDTLS_SELF_TEST */ 42 43 #if !defined(MBEDTLS_ARIA_ALT) 44 45 #include "mbedtls/platform_util.h" 46 47 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 48 !defined(inline) && !defined(__cplusplus) 49 #define inline __inline 50 #endif 51 52 /* Parameter validation macros */ 53 #define ARIA_VALIDATE_RET( cond ) \ 54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) 55 #define ARIA_VALIDATE( cond ) \ 56 MBEDTLS_INTERNAL_VALIDATE( cond ) 57 58 /* 59 * 32-bit integer manipulation macros (little endian) 60 */ 61 #ifndef GET_UINT32_LE 62 #define GET_UINT32_LE( n, b, i ) \ 63 { \ 64 (n) = ( (uint32_t) (b)[(i) ] ) \ 65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 68 } 69 #endif 70 71 #ifndef PUT_UINT32_LE 72 #define PUT_UINT32_LE( n, b, i ) \ 73 { \ 74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 78 } 79 #endif 80 81 /* 82 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 83 * 84 * This is submatrix P1 in [1] Appendix B.1 85 * 86 * Common compilers fail to translate this to minimal number of instructions, 87 * so let's provide asm versions for common platforms with C fallback. 88 */ 89 #if defined(MBEDTLS_HAVE_ASM) 90 #if defined(__arm__) /* rev16 available from v6 up */ 91 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 92 #if defined(__GNUC__) && \ 93 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 94 __ARM_ARCH >= 6 95 static inline uint32_t aria_p1( uint32_t x ) 96 { 97 uint32_t r; 98 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); 99 return( r ); 100 } 101 #define ARIA_P1 aria_p1 102 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 103 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 104 static inline uint32_t aria_p1( uint32_t x ) 105 { 106 uint32_t r; 107 __asm( "rev16 r, x" ); 108 return( r ); 109 } 110 #define ARIA_P1 aria_p1 111 #endif 112 #endif /* arm */ 113 #if defined(__GNUC__) && \ 114 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 115 /* I couldn't find an Intel equivalent of rev16, so two instructions */ 116 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) 117 #endif /* x86 gnuc */ 118 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 119 #if !defined(ARIA_P1) 120 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 121 #endif 122 123 /* 124 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 125 * 126 * This is submatrix P2 in [1] Appendix B.1 127 * 128 * Common compilers will translate this to a single instruction. 129 */ 130 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 131 132 /* 133 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 134 * 135 * This is submatrix P3 in [1] Appendix B.1 136 * 137 * Some compilers fail to translate this to a single instruction, 138 * so let's provide asm versions for common platforms with C fallback. 139 */ 140 #if defined(MBEDTLS_HAVE_ASM) 141 #if defined(__arm__) /* rev available from v6 up */ 142 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 143 #if defined(__GNUC__) && \ 144 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ 145 __ARM_ARCH >= 6 146 static inline uint32_t aria_p3( uint32_t x ) 147 { 148 uint32_t r; 149 __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); 150 return( r ); 151 } 152 #define ARIA_P3 aria_p3 153 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 154 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) 155 static inline uint32_t aria_p3( uint32_t x ) 156 { 157 uint32_t r; 158 __asm( "rev r, x" ); 159 return( r ); 160 } 161 #define ARIA_P3 aria_p3 162 #endif 163 #endif /* arm */ 164 #if defined(__GNUC__) && \ 165 defined(__i386__) || defined(__amd64__) || defined( __x86_64__) 166 static inline uint32_t aria_p3( uint32_t x ) 167 { 168 __asm( "bswap %0" : "=r" (x) : "0" (x) ); 169 return( x ); 170 } 171 #define ARIA_P3 aria_p3 172 #endif /* x86 gnuc */ 173 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 174 #if !defined(ARIA_P3) 175 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) 176 #endif 177 178 /* 179 * ARIA Affine Transform 180 * (a, b, c, d) = state in/out 181 * 182 * If we denote the first byte of input by 0, ..., the last byte by f, 183 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 184 * 185 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 186 * rearrangements on adjacent pairs, output is: 187 * 188 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 189 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 190 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 191 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 192 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 193 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 194 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 195 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 196 * 197 * Note: another presentation of the A transform can be found as the first 198 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 199 * The implementation below uses only P1 and P2 as they are sufficient. 200 */ 201 static inline void aria_a( uint32_t *a, uint32_t *b, 202 uint32_t *c, uint32_t *d ) 203 { 204 uint32_t ta, tb, tc; 205 ta = *b; // 4567 206 *b = *a; // 0123 207 *a = ARIA_P2( ta ); // 6745 208 tb = ARIA_P2( *d ); // efcd 209 *d = ARIA_P1( *c ); // 98ba 210 *c = ARIA_P1( tb ); // fedc 211 ta ^= *d; // 4567+98ba 212 tc = ARIA_P2( *b ); // 2301 213 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc 214 tb ^= ARIA_P2( *d ); // ba98+efcd 215 tc ^= ARIA_P1( *a ); // 2301+7654 216 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 217 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 218 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 219 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe 220 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 221 tc = ARIA_P2( tc ); // 0123+5476 222 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 223 } 224 225 /* 226 * ARIA Substitution Layer SL1 / SL2 227 * (a, b, c, d) = state in/out 228 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 229 * 230 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 231 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 232 */ 233 static inline void aria_sl( uint32_t *a, uint32_t *b, 234 uint32_t *c, uint32_t *d, 235 const uint8_t sa[256], const uint8_t sb[256], 236 const uint8_t sc[256], const uint8_t sd[256] ) 237 { 238 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ 239 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ 240 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ 241 (((uint32_t) sd[ *a >> 24 ]) << 24); 242 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ 243 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ 244 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ 245 (((uint32_t) sd[ *b >> 24 ]) << 24); 246 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ 247 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ 248 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ 249 (((uint32_t) sd[ *c >> 24 ]) << 24); 250 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ 251 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ 252 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ 253 (((uint32_t) sd[ *d >> 24 ]) << 24); 254 } 255 256 /* 257 * S-Boxes 258 */ 259 static const uint8_t aria_sb1[256] = 260 { 261 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 262 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 263 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 264 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 265 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 266 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 267 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 268 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 269 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 270 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 271 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 272 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 273 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 274 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 275 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 276 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 277 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 278 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 279 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 280 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 281 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 282 0xB0, 0x54, 0xBB, 0x16 283 }; 284 285 static const uint8_t aria_sb2[256] = 286 { 287 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 288 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 289 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 290 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 291 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 292 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 293 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 294 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 295 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 296 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 297 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 298 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 299 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 300 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 301 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 302 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 303 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 304 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 305 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 306 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 307 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 308 0xAF, 0xBA, 0xB5, 0x81 309 }; 310 311 static const uint8_t aria_is1[256] = 312 { 313 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 314 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 315 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 316 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 317 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 318 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 319 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 320 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 321 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 322 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 323 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 324 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 325 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 326 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 327 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 328 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 329 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 330 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 331 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 332 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 333 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 334 0x55, 0x21, 0x0C, 0x7D 335 }; 336 337 static const uint8_t aria_is2[256] = 338 { 339 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 340 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 341 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 342 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 343 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 344 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 345 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 346 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 347 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 348 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 349 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 350 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 351 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 352 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 353 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 354 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 355 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 356 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 357 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 358 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 359 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 360 0x03, 0xA2, 0xAC, 0x60 361 }; 362 363 /* 364 * Helper for key schedule: r = FO( p, k ) ^ x 365 */ 366 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], 367 const uint32_t k[4], const uint32_t x[4] ) 368 { 369 uint32_t a, b, c, d; 370 371 a = p[0] ^ k[0]; 372 b = p[1] ^ k[1]; 373 c = p[2] ^ k[2]; 374 d = p[3] ^ k[3]; 375 376 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 377 aria_a( &a, &b, &c, &d ); 378 379 r[0] = a ^ x[0]; 380 r[1] = b ^ x[1]; 381 r[2] = c ^ x[2]; 382 r[3] = d ^ x[3]; 383 } 384 385 /* 386 * Helper for key schedule: r = FE( p, k ) ^ x 387 */ 388 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], 389 const uint32_t k[4], const uint32_t x[4] ) 390 { 391 uint32_t a, b, c, d; 392 393 a = p[0] ^ k[0]; 394 b = p[1] ^ k[1]; 395 c = p[2] ^ k[2]; 396 d = p[3] ^ k[3]; 397 398 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 399 aria_a( &a, &b, &c, &d ); 400 401 r[0] = a ^ x[0]; 402 r[1] = b ^ x[1]; 403 r[2] = c ^ x[2]; 404 r[3] = d ^ x[3]; 405 } 406 407 /* 408 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 409 * 410 * We chose to store bytes into 32-bit words in little-endian format (see 411 * GET/PUT_UINT32_LE) so we need to reverse bytes here. 412 */ 413 static void aria_rot128( uint32_t r[4], const uint32_t a[4], 414 const uint32_t b[4], uint8_t n ) 415 { 416 uint8_t i, j; 417 uint32_t t, u; 418 419 const uint8_t n1 = n % 32; // bit offset 420 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 421 422 j = ( n / 32 ) % 4; // initial word offset 423 t = ARIA_P3( b[j] ); // big endian 424 for( i = 0; i < 4; i++ ) 425 { 426 j = ( j + 1 ) % 4; // get next word, big endian 427 u = ARIA_P3( b[j] ); 428 t <<= n1; // rotate 429 t |= u >> n2; 430 t = ARIA_P3( t ); // back to little endian 431 r[i] = a[i] ^ t; // store 432 t = u; // move to next word 433 } 434 } 435 436 /* 437 * Set encryption key 438 */ 439 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, 440 const unsigned char *key, unsigned int keybits ) 441 { 442 /* round constant masks */ 443 const uint32_t rc[3][4] = 444 { 445 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 446 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 447 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 448 }; 449 450 int i; 451 uint32_t w[4][4], *w2; 452 ARIA_VALIDATE_RET( ctx != NULL ); 453 ARIA_VALIDATE_RET( key != NULL ); 454 455 if( keybits != 128 && keybits != 192 && keybits != 256 ) 456 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 457 458 /* Copy key to W0 (and potential remainder to W1) */ 459 GET_UINT32_LE( w[0][0], key, 0 ); 460 GET_UINT32_LE( w[0][1], key, 4 ); 461 GET_UINT32_LE( w[0][2], key, 8 ); 462 GET_UINT32_LE( w[0][3], key, 12 ); 463 464 memset( w[1], 0, 16 ); 465 if( keybits >= 192 ) 466 { 467 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key 468 GET_UINT32_LE( w[1][1], key, 20 ); 469 } 470 if( keybits == 256 ) 471 { 472 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key 473 GET_UINT32_LE( w[1][3], key, 28 ); 474 } 475 476 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 477 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 478 479 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR 480 i = i < 2 ? i + 1 : 0; 481 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 482 i = i < 2 ? i + 1 : 0; 483 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 484 485 for( i = 0; i < 4; i++ ) // create round keys 486 { 487 w2 = w[(i + 1) & 3]; 488 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 ); 489 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 ); 490 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 ); 491 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 ); 492 } 493 aria_rot128( ctx->rk[16], w[0], w[1], 19 ); 494 495 /* w holds enough info to reconstruct the round keys */ 496 mbedtls_platform_zeroize( w, sizeof( w ) ); 497 498 return( 0 ); 499 } 500 501 /* 502 * Set decryption key 503 */ 504 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, 505 const unsigned char *key, unsigned int keybits ) 506 { 507 int i, j, k, ret; 508 ARIA_VALIDATE_RET( ctx != NULL ); 509 ARIA_VALIDATE_RET( key != NULL ); 510 511 ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); 512 if( ret != 0 ) 513 return( ret ); 514 515 /* flip the order of round keys */ 516 for( i = 0, j = ctx->nr; i < j; i++, j-- ) 517 { 518 for( k = 0; k < 4; k++ ) 519 { 520 uint32_t t = ctx->rk[i][k]; 521 ctx->rk[i][k] = ctx->rk[j][k]; 522 ctx->rk[j][k] = t; 523 } 524 } 525 526 /* apply affine transform to middle keys */ 527 for( i = 1; i < ctx->nr; i++ ) 528 { 529 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], 530 &ctx->rk[i][2], &ctx->rk[i][3] ); 531 } 532 533 return( 0 ); 534 } 535 536 /* 537 * Encrypt a block 538 */ 539 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, 540 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 541 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) 542 { 543 int i; 544 545 uint32_t a, b, c, d; 546 ARIA_VALIDATE_RET( ctx != NULL ); 547 ARIA_VALIDATE_RET( input != NULL ); 548 ARIA_VALIDATE_RET( output != NULL ); 549 550 GET_UINT32_LE( a, input, 0 ); 551 GET_UINT32_LE( b, input, 4 ); 552 GET_UINT32_LE( c, input, 8 ); 553 GET_UINT32_LE( d, input, 12 ); 554 555 i = 0; 556 while( 1 ) 557 { 558 a ^= ctx->rk[i][0]; 559 b ^= ctx->rk[i][1]; 560 c ^= ctx->rk[i][2]; 561 d ^= ctx->rk[i][3]; 562 i++; 563 564 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); 565 aria_a( &a, &b, &c, &d ); 566 567 a ^= ctx->rk[i][0]; 568 b ^= ctx->rk[i][1]; 569 c ^= ctx->rk[i][2]; 570 d ^= ctx->rk[i][3]; 571 i++; 572 573 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); 574 if( i >= ctx->nr ) 575 break; 576 aria_a( &a, &b, &c, &d ); 577 } 578 579 /* final key mixing */ 580 a ^= ctx->rk[i][0]; 581 b ^= ctx->rk[i][1]; 582 c ^= ctx->rk[i][2]; 583 d ^= ctx->rk[i][3]; 584 585 PUT_UINT32_LE( a, output, 0 ); 586 PUT_UINT32_LE( b, output, 4 ); 587 PUT_UINT32_LE( c, output, 8 ); 588 PUT_UINT32_LE( d, output, 12 ); 589 590 return( 0 ); 591 } 592 593 /* Initialize context */ 594 void mbedtls_aria_init( mbedtls_aria_context *ctx ) 595 { 596 ARIA_VALIDATE( ctx != NULL ); 597 memset( ctx, 0, sizeof( mbedtls_aria_context ) ); 598 } 599 600 /* Clear context */ 601 void mbedtls_aria_free( mbedtls_aria_context *ctx ) 602 { 603 if( ctx == NULL ) 604 return; 605 606 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); 607 } 608 609 #if defined(MBEDTLS_CIPHER_MODE_CBC) 610 /* 611 * ARIA-CBC buffer encryption/decryption 612 */ 613 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, 614 int mode, 615 size_t length, 616 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 617 const unsigned char *input, 618 unsigned char *output ) 619 { 620 int i; 621 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 622 623 ARIA_VALIDATE_RET( ctx != NULL ); 624 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 625 mode == MBEDTLS_ARIA_DECRYPT ); 626 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 627 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 628 ARIA_VALIDATE_RET( iv != NULL ); 629 630 if( length % MBEDTLS_ARIA_BLOCKSIZE ) 631 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); 632 633 if( mode == MBEDTLS_ARIA_DECRYPT ) 634 { 635 while( length > 0 ) 636 { 637 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); 638 mbedtls_aria_crypt_ecb( ctx, input, output ); 639 640 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 641 output[i] = (unsigned char)( output[i] ^ iv[i] ); 642 643 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); 644 645 input += MBEDTLS_ARIA_BLOCKSIZE; 646 output += MBEDTLS_ARIA_BLOCKSIZE; 647 length -= MBEDTLS_ARIA_BLOCKSIZE; 648 } 649 } 650 else 651 { 652 while( length > 0 ) 653 { 654 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) 655 output[i] = (unsigned char)( input[i] ^ iv[i] ); 656 657 mbedtls_aria_crypt_ecb( ctx, output, output ); 658 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); 659 660 input += MBEDTLS_ARIA_BLOCKSIZE; 661 output += MBEDTLS_ARIA_BLOCKSIZE; 662 length -= MBEDTLS_ARIA_BLOCKSIZE; 663 } 664 } 665 666 return( 0 ); 667 } 668 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 669 670 #if defined(MBEDTLS_CIPHER_MODE_CFB) 671 /* 672 * ARIA-CFB128 buffer encryption/decryption 673 */ 674 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, 675 int mode, 676 size_t length, 677 size_t *iv_off, 678 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 679 const unsigned char *input, 680 unsigned char *output ) 681 { 682 unsigned char c; 683 size_t n; 684 685 ARIA_VALIDATE_RET( ctx != NULL ); 686 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || 687 mode == MBEDTLS_ARIA_DECRYPT ); 688 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 689 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 690 ARIA_VALIDATE_RET( iv != NULL ); 691 ARIA_VALIDATE_RET( iv_off != NULL ); 692 693 n = *iv_off; 694 695 /* An overly large value of n can lead to an unlimited 696 * buffer overflow. Therefore, guard against this 697 * outside of parameter validation. */ 698 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 699 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 700 701 if( mode == MBEDTLS_ARIA_DECRYPT ) 702 { 703 while( length-- ) 704 { 705 if( n == 0 ) 706 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 707 708 c = *input++; 709 *output++ = c ^ iv[n]; 710 iv[n] = c; 711 712 n = ( n + 1 ) & 0x0F; 713 } 714 } 715 else 716 { 717 while( length-- ) 718 { 719 if( n == 0 ) 720 mbedtls_aria_crypt_ecb( ctx, iv, iv ); 721 722 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 723 724 n = ( n + 1 ) & 0x0F; 725 } 726 } 727 728 *iv_off = n; 729 730 return( 0 ); 731 } 732 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 733 734 #if defined(MBEDTLS_CIPHER_MODE_CTR) 735 /* 736 * ARIA-CTR buffer encryption/decryption 737 */ 738 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, 739 size_t length, 740 size_t *nc_off, 741 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 742 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 743 const unsigned char *input, 744 unsigned char *output ) 745 { 746 int c, i; 747 size_t n; 748 749 ARIA_VALIDATE_RET( ctx != NULL ); 750 ARIA_VALIDATE_RET( length == 0 || input != NULL ); 751 ARIA_VALIDATE_RET( length == 0 || output != NULL ); 752 ARIA_VALIDATE_RET( nonce_counter != NULL ); 753 ARIA_VALIDATE_RET( stream_block != NULL ); 754 ARIA_VALIDATE_RET( nc_off != NULL ); 755 756 n = *nc_off; 757 /* An overly large value of n can lead to an unlimited 758 * buffer overflow. Therefore, guard against this 759 * outside of parameter validation. */ 760 if( n >= MBEDTLS_ARIA_BLOCKSIZE ) 761 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); 762 763 while( length-- ) 764 { 765 if( n == 0 ) { 766 mbedtls_aria_crypt_ecb( ctx, nonce_counter, 767 stream_block ); 768 769 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) 770 if( ++nonce_counter[i - 1] != 0 ) 771 break; 772 } 773 c = *input++; 774 *output++ = (unsigned char)( c ^ stream_block[n] ); 775 776 n = ( n + 1 ) & 0x0F; 777 } 778 779 *nc_off = n; 780 781 return( 0 ); 782 } 783 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 784 #endif /* !MBEDTLS_ARIA_ALT */ 785 786 #if defined(MBEDTLS_SELF_TEST) 787 788 /* 789 * Basic ARIA ECB test vectors from RFC 5794 790 */ 791 static const uint8_t aria_test1_ecb_key[32] = // test key 792 { 793 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 794 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 795 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 796 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 797 }; 798 799 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 800 { 801 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 802 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 803 }; 804 805 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 806 { 807 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 808 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 809 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 810 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 811 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 812 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 813 }; 814 815 /* 816 * Mode tests from "Test Vectors for ARIA" Version 1.0 817 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 818 */ 819 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 820 defined(MBEDTLS_CIPHER_MODE_CTR)) 821 static const uint8_t aria_test2_key[32] = 822 { 823 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 824 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 825 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 826 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 827 }; 828 829 static const uint8_t aria_test2_pt[48] = 830 { 831 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 832 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 833 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 834 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 835 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 836 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 837 }; 838 #endif 839 840 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 841 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 842 { 843 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 844 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 845 }; 846 #endif 847 848 #if defined(MBEDTLS_CIPHER_MODE_CBC) 849 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 850 { 851 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 852 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 853 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 854 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 855 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 856 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 857 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 858 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 859 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 860 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 861 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 862 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 863 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 864 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 865 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 866 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 867 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 868 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 869 }; 870 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 871 872 #if defined(MBEDTLS_CIPHER_MODE_CFB) 873 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 874 { 875 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 876 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 877 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 878 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 879 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 880 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 881 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 882 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 883 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 884 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 885 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 886 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 887 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 888 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 889 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 890 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 891 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 892 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 893 }; 894 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 895 896 #if defined(MBEDTLS_CIPHER_MODE_CTR) 897 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 898 { 899 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 900 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 901 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 902 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 903 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 904 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 905 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 906 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 907 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 908 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 909 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 910 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 911 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 912 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 913 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 914 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 915 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 916 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 917 }; 918 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 919 920 #define ARIA_SELF_TEST_IF_FAIL \ 921 { \ 922 if( verbose ) \ 923 mbedtls_printf( "failed\n" ); \ 924 goto exit; \ 925 } else { \ 926 if( verbose ) \ 927 mbedtls_printf( "passed\n" ); \ 928 } 929 930 /* 931 * Checkup routine 932 */ 933 int mbedtls_aria_self_test( int verbose ) 934 { 935 int i; 936 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 937 mbedtls_aria_context ctx; 938 int ret = 1; 939 940 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 941 size_t j; 942 #endif 943 944 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 945 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 946 defined(MBEDTLS_CIPHER_MODE_CTR)) 947 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 948 #endif 949 950 mbedtls_aria_init( &ctx ); 951 952 /* 953 * Test set 1 954 */ 955 for( i = 0; i < 3; i++ ) 956 { 957 /* test ECB encryption */ 958 if( verbose ) 959 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); 960 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 961 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); 962 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 963 ARIA_SELF_TEST_IF_FAIL; 964 965 /* test ECB decryption */ 966 if( verbose ) 967 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); 968 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); 969 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); 970 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) 971 ARIA_SELF_TEST_IF_FAIL; 972 } 973 if( verbose ) 974 mbedtls_printf( "\n" ); 975 976 /* 977 * Test set 2 978 */ 979 #if defined(MBEDTLS_CIPHER_MODE_CBC) 980 for( i = 0; i < 3; i++ ) 981 { 982 /* Test CBC encryption */ 983 if( verbose ) 984 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); 985 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 986 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 987 memset( buf, 0x55, sizeof( buf ) ); 988 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 989 aria_test2_pt, buf ); 990 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) 991 ARIA_SELF_TEST_IF_FAIL; 992 993 /* Test CBC decryption */ 994 if( verbose ) 995 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); 996 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); 997 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 998 memset( buf, 0xAA, sizeof( buf ) ); 999 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 1000 aria_test2_cbc_ct[i], buf ); 1001 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1002 ARIA_SELF_TEST_IF_FAIL; 1003 } 1004 if( verbose ) 1005 mbedtls_printf( "\n" ); 1006 1007 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1008 1009 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1010 for( i = 0; i < 3; i++ ) 1011 { 1012 /* Test CFB encryption */ 1013 if( verbose ) 1014 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); 1015 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1016 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1017 memset( buf, 0x55, sizeof( buf ) ); 1018 j = 0; 1019 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 1020 aria_test2_pt, buf ); 1021 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) 1022 ARIA_SELF_TEST_IF_FAIL; 1023 1024 /* Test CFB decryption */ 1025 if( verbose ) 1026 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); 1027 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1028 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); 1029 memset( buf, 0xAA, sizeof( buf ) ); 1030 j = 0; 1031 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 1032 iv, aria_test2_cfb_ct[i], buf ); 1033 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1034 ARIA_SELF_TEST_IF_FAIL; 1035 } 1036 if( verbose ) 1037 mbedtls_printf( "\n" ); 1038 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1039 1040 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1041 for( i = 0; i < 3; i++ ) 1042 { 1043 /* Test CTR encryption */ 1044 if( verbose ) 1045 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); 1046 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1047 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1048 memset( buf, 0x55, sizeof( buf ) ); 1049 j = 0; 1050 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1051 aria_test2_pt, buf ); 1052 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) 1053 ARIA_SELF_TEST_IF_FAIL; 1054 1055 /* Test CTR decryption */ 1056 if( verbose ) 1057 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); 1058 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); 1059 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 1060 memset( buf, 0xAA, sizeof( buf ) ); 1061 j = 0; 1062 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, 1063 aria_test2_ctr_ct[i], buf ); 1064 if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) 1065 ARIA_SELF_TEST_IF_FAIL; 1066 } 1067 if( verbose ) 1068 mbedtls_printf( "\n" ); 1069 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1070 1071 ret = 0; 1072 1073 exit: 1074 mbedtls_aria_free( &ctx ); 1075 return( ret ); 1076 } 1077 1078 #endif /* MBEDTLS_SELF_TEST */ 1079 1080 #endif /* MBEDTLS_ARIA_C */ 1081