1 /* 2 * ARIA implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 /* 21 * This implementation is based on the following standards: 22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 23 * [2] https://tools.ietf.org/html/rfc5794 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_ARIA_C) 29 30 #include "mbedtls/aria.h" 31 32 #include <string.h> 33 34 #include "mbedtls/platform.h" 35 36 #if !defined(MBEDTLS_ARIA_ALT) 37 38 #include "mbedtls/platform_util.h" 39 40 /* Parameter validation macros */ 41 #define ARIA_VALIDATE_RET(cond) \ 42 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) 43 #define ARIA_VALIDATE(cond) \ 44 MBEDTLS_INTERNAL_VALIDATE(cond) 45 46 /* 47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 48 * 49 * This is submatrix P1 in [1] Appendix B.1 50 * 51 * Common compilers fail to translate this to minimal number of instructions, 52 * so let's provide asm versions for common platforms with C fallback. 53 */ 54 #if defined(MBEDTLS_HAVE_ASM) 55 #if defined(__arm__) /* rev16 available from v6 up */ 56 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 57 #if defined(__GNUC__) && \ 58 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \ 59 __ARM_ARCH >= 6 60 static inline uint32_t aria_p1(uint32_t x) 61 { 62 uint32_t r; 63 __asm("rev16 %0, %1" : "=l" (r) : "l" (x)); 64 return r; 65 } 66 #define ARIA_P1 aria_p1 67 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 68 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3) 69 static inline uint32_t aria_p1(uint32_t x) 70 { 71 uint32_t r; 72 __asm("rev16 r, x"); 73 return r; 74 } 75 #define ARIA_P1 aria_p1 76 #endif 77 #endif /* arm */ 78 #if defined(__GNUC__) && \ 79 defined(__i386__) || defined(__amd64__) || defined(__x86_64__) 80 /* I couldn't find an Intel equivalent of rev16, so two instructions */ 81 #define ARIA_P1(x) ARIA_P2(ARIA_P3(x)) 82 #endif /* x86 gnuc */ 83 #endif /* MBEDTLS_HAVE_ASM && GNUC */ 84 #if !defined(ARIA_P1) 85 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 86 #endif 87 88 /* 89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 90 * 91 * This is submatrix P2 in [1] Appendix B.1 92 * 93 * Common compilers will translate this to a single instruction. 94 */ 95 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 96 97 /* 98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 99 * 100 * This is submatrix P3 in [1] Appendix B.1 101 */ 102 #define ARIA_P3(x) MBEDTLS_BSWAP32(x) 103 104 /* 105 * ARIA Affine Transform 106 * (a, b, c, d) = state in/out 107 * 108 * If we denote the first byte of input by 0, ..., the last byte by f, 109 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 110 * 111 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 112 * rearrangements on adjacent pairs, output is: 113 * 114 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 115 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 116 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 117 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 118 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 119 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 120 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 121 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 122 * 123 * Note: another presentation of the A transform can be found as the first 124 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 125 * The implementation below uses only P1 and P2 as they are sufficient. 126 */ 127 static inline void aria_a(uint32_t *a, uint32_t *b, 128 uint32_t *c, uint32_t *d) 129 { 130 uint32_t ta, tb, tc; 131 ta = *b; // 4567 132 *b = *a; // 0123 133 *a = ARIA_P2(ta); // 6745 134 tb = ARIA_P2(*d); // efcd 135 *d = ARIA_P1(*c); // 98ba 136 *c = ARIA_P1(tb); // fedc 137 ta ^= *d; // 4567+98ba 138 tc = ARIA_P2(*b); // 2301 139 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc 140 tb ^= ARIA_P2(*d); // ba98+efcd 141 tc ^= ARIA_P1(*a); // 2301+7654 142 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 143 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 144 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 145 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe 146 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 147 tc = ARIA_P2(tc); // 0123+5476 148 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 149 } 150 151 /* 152 * ARIA Substitution Layer SL1 / SL2 153 * (a, b, c, d) = state in/out 154 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 155 * 156 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 157 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 158 */ 159 static inline void aria_sl(uint32_t *a, uint32_t *b, 160 uint32_t *c, uint32_t *d, 161 const uint8_t sa[256], const uint8_t sb[256], 162 const uint8_t sc[256], const uint8_t sd[256]) 163 { 164 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^ 165 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^ 166 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^ 167 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24); 168 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^ 169 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^ 170 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^ 171 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24); 172 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^ 173 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^ 174 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^ 175 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24); 176 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^ 177 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^ 178 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^ 179 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24); 180 } 181 182 /* 183 * S-Boxes 184 */ 185 static const uint8_t aria_sb1[256] = 186 { 187 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 188 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 189 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 190 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 191 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 192 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 193 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 194 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 195 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 196 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 197 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 198 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 199 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 200 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 201 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 202 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 203 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 204 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 205 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 206 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 207 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 208 0xB0, 0x54, 0xBB, 0x16 209 }; 210 211 static const uint8_t aria_sb2[256] = 212 { 213 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 214 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 215 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 216 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 217 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 218 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 219 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 220 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 221 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 222 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 223 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 224 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 225 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 226 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 227 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 228 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 229 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 230 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 231 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 232 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 233 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 234 0xAF, 0xBA, 0xB5, 0x81 235 }; 236 237 static const uint8_t aria_is1[256] = 238 { 239 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 240 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 241 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 242 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 243 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 244 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 245 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 246 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 247 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 248 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 249 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 250 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 251 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 252 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 253 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 254 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 256 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 258 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 259 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 260 0x55, 0x21, 0x0C, 0x7D 261 }; 262 263 static const uint8_t aria_is2[256] = 264 { 265 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 266 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 267 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 268 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 269 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 270 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 271 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 272 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 273 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 274 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 275 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 276 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 277 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 278 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 279 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 280 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 281 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 282 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 283 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 284 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 285 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 286 0x03, 0xA2, 0xAC, 0x60 287 }; 288 289 /* 290 * Helper for key schedule: r = FO( p, k ) ^ x 291 */ 292 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4], 293 const uint32_t k[4], const uint32_t x[4]) 294 { 295 uint32_t a, b, c, d; 296 297 a = p[0] ^ k[0]; 298 b = p[1] ^ k[1]; 299 c = p[2] ^ k[2]; 300 d = p[3] ^ k[3]; 301 302 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); 303 aria_a(&a, &b, &c, &d); 304 305 r[0] = a ^ x[0]; 306 r[1] = b ^ x[1]; 307 r[2] = c ^ x[2]; 308 r[3] = d ^ x[3]; 309 } 310 311 /* 312 * Helper for key schedule: r = FE( p, k ) ^ x 313 */ 314 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], 315 const uint32_t k[4], const uint32_t x[4]) 316 { 317 uint32_t a, b, c, d; 318 319 a = p[0] ^ k[0]; 320 b = p[1] ^ k[1]; 321 c = p[2] ^ k[2]; 322 d = p[3] ^ k[3]; 323 324 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); 325 aria_a(&a, &b, &c, &d); 326 327 r[0] = a ^ x[0]; 328 r[1] = b ^ x[1]; 329 r[2] = c ^ x[2]; 330 r[3] = d ^ x[3]; 331 } 332 333 /* 334 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 335 * 336 * We chose to store bytes into 32-bit words in little-endian format (see 337 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse 338 * bytes here. 339 */ 340 static void aria_rot128(uint32_t r[4], const uint32_t a[4], 341 const uint32_t b[4], uint8_t n) 342 { 343 uint8_t i, j; 344 uint32_t t, u; 345 346 const uint8_t n1 = n % 32; // bit offset 347 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 348 349 j = (n / 32) % 4; // initial word offset 350 t = ARIA_P3(b[j]); // big endian 351 for (i = 0; i < 4; i++) { 352 j = (j + 1) % 4; // get next word, big endian 353 u = ARIA_P3(b[j]); 354 t <<= n1; // rotate 355 t |= u >> n2; 356 t = ARIA_P3(t); // back to little endian 357 r[i] = a[i] ^ t; // store 358 t = u; // move to next word 359 } 360 } 361 362 /* 363 * Set encryption key 364 */ 365 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, 366 const unsigned char *key, unsigned int keybits) 367 { 368 /* round constant masks */ 369 const uint32_t rc[3][4] = 370 { 371 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 372 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 373 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 374 }; 375 376 int i; 377 uint32_t w[4][4], *w2; 378 ARIA_VALIDATE_RET(ctx != NULL); 379 ARIA_VALIDATE_RET(key != NULL); 380 381 if (keybits != 128 && keybits != 192 && keybits != 256) { 382 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 383 } 384 385 /* Copy key to W0 (and potential remainder to W1) */ 386 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0); 387 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4); 388 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8); 389 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12); 390 391 memset(w[1], 0, 16); 392 if (keybits >= 192) { 393 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key 394 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20); 395 } 396 if (keybits == 256) { 397 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key 398 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28); 399 } 400 401 i = (keybits - 128) >> 6; // index: 0, 1, 2 402 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 403 404 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR 405 i = i < 2 ? i + 1 : 0; 406 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0 407 i = i < 2 ? i + 1 : 0; 408 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1 409 410 for (i = 0; i < 4; i++) { // create round keys 411 w2 = w[(i + 1) & 3]; 412 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19); 413 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31); 414 aria_rot128(ctx->rk[i + 8], w[i], w2, 61); 415 aria_rot128(ctx->rk[i + 12], w[i], w2, 31); 416 } 417 aria_rot128(ctx->rk[16], w[0], w[1], 19); 418 419 /* w holds enough info to reconstruct the round keys */ 420 mbedtls_platform_zeroize(w, sizeof(w)); 421 422 return 0; 423 } 424 425 /* 426 * Set decryption key 427 */ 428 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, 429 const unsigned char *key, unsigned int keybits) 430 { 431 int i, j, k, ret; 432 ARIA_VALIDATE_RET(ctx != NULL); 433 ARIA_VALIDATE_RET(key != NULL); 434 435 ret = mbedtls_aria_setkey_enc(ctx, key, keybits); 436 if (ret != 0) { 437 return ret; 438 } 439 440 /* flip the order of round keys */ 441 for (i = 0, j = ctx->nr; i < j; i++, j--) { 442 for (k = 0; k < 4; k++) { 443 uint32_t t = ctx->rk[i][k]; 444 ctx->rk[i][k] = ctx->rk[j][k]; 445 ctx->rk[j][k] = t; 446 } 447 } 448 449 /* apply affine transform to middle keys */ 450 for (i = 1; i < ctx->nr; i++) { 451 aria_a(&ctx->rk[i][0], &ctx->rk[i][1], 452 &ctx->rk[i][2], &ctx->rk[i][3]); 453 } 454 455 return 0; 456 } 457 458 /* 459 * Encrypt a block 460 */ 461 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, 462 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 463 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) 464 { 465 int i; 466 467 uint32_t a, b, c, d; 468 ARIA_VALIDATE_RET(ctx != NULL); 469 ARIA_VALIDATE_RET(input != NULL); 470 ARIA_VALIDATE_RET(output != NULL); 471 472 a = MBEDTLS_GET_UINT32_LE(input, 0); 473 b = MBEDTLS_GET_UINT32_LE(input, 4); 474 c = MBEDTLS_GET_UINT32_LE(input, 8); 475 d = MBEDTLS_GET_UINT32_LE(input, 12); 476 477 i = 0; 478 while (1) { 479 a ^= ctx->rk[i][0]; 480 b ^= ctx->rk[i][1]; 481 c ^= ctx->rk[i][2]; 482 d ^= ctx->rk[i][3]; 483 i++; 484 485 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); 486 aria_a(&a, &b, &c, &d); 487 488 a ^= ctx->rk[i][0]; 489 b ^= ctx->rk[i][1]; 490 c ^= ctx->rk[i][2]; 491 d ^= ctx->rk[i][3]; 492 i++; 493 494 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); 495 if (i >= ctx->nr) { 496 break; 497 } 498 aria_a(&a, &b, &c, &d); 499 } 500 501 /* final key mixing */ 502 a ^= ctx->rk[i][0]; 503 b ^= ctx->rk[i][1]; 504 c ^= ctx->rk[i][2]; 505 d ^= ctx->rk[i][3]; 506 507 MBEDTLS_PUT_UINT32_LE(a, output, 0); 508 MBEDTLS_PUT_UINT32_LE(b, output, 4); 509 MBEDTLS_PUT_UINT32_LE(c, output, 8); 510 MBEDTLS_PUT_UINT32_LE(d, output, 12); 511 512 return 0; 513 } 514 515 /* Initialize context */ 516 void mbedtls_aria_init(mbedtls_aria_context *ctx) 517 { 518 ARIA_VALIDATE(ctx != NULL); 519 memset(ctx, 0, sizeof(mbedtls_aria_context)); 520 } 521 522 /* Clear context */ 523 void mbedtls_aria_free(mbedtls_aria_context *ctx) 524 { 525 if (ctx == NULL) { 526 return; 527 } 528 529 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context)); 530 } 531 532 #if defined(MBEDTLS_CIPHER_MODE_CBC) 533 /* 534 * ARIA-CBC buffer encryption/decryption 535 */ 536 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, 537 int mode, 538 size_t length, 539 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 540 const unsigned char *input, 541 unsigned char *output) 542 { 543 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 544 545 ARIA_VALIDATE_RET(ctx != NULL); 546 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || 547 mode == MBEDTLS_ARIA_DECRYPT); 548 ARIA_VALIDATE_RET(length == 0 || input != NULL); 549 ARIA_VALIDATE_RET(length == 0 || output != NULL); 550 ARIA_VALIDATE_RET(iv != NULL); 551 552 if (length % MBEDTLS_ARIA_BLOCKSIZE) { 553 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; 554 } 555 556 if (mode == MBEDTLS_ARIA_DECRYPT) { 557 while (length > 0) { 558 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE); 559 mbedtls_aria_crypt_ecb(ctx, input, output); 560 561 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE); 562 563 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE); 564 565 input += MBEDTLS_ARIA_BLOCKSIZE; 566 output += MBEDTLS_ARIA_BLOCKSIZE; 567 length -= MBEDTLS_ARIA_BLOCKSIZE; 568 } 569 } else { 570 while (length > 0) { 571 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE); 572 573 mbedtls_aria_crypt_ecb(ctx, output, output); 574 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE); 575 576 input += MBEDTLS_ARIA_BLOCKSIZE; 577 output += MBEDTLS_ARIA_BLOCKSIZE; 578 length -= MBEDTLS_ARIA_BLOCKSIZE; 579 } 580 } 581 582 return 0; 583 } 584 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 585 586 #if defined(MBEDTLS_CIPHER_MODE_CFB) 587 /* 588 * ARIA-CFB128 buffer encryption/decryption 589 */ 590 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, 591 int mode, 592 size_t length, 593 size_t *iv_off, 594 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 595 const unsigned char *input, 596 unsigned char *output) 597 { 598 unsigned char c; 599 size_t n; 600 601 ARIA_VALIDATE_RET(ctx != NULL); 602 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT || 603 mode == MBEDTLS_ARIA_DECRYPT); 604 ARIA_VALIDATE_RET(length == 0 || input != NULL); 605 ARIA_VALIDATE_RET(length == 0 || output != NULL); 606 ARIA_VALIDATE_RET(iv != NULL); 607 ARIA_VALIDATE_RET(iv_off != NULL); 608 609 n = *iv_off; 610 611 /* An overly large value of n can lead to an unlimited 612 * buffer overflow. Therefore, guard against this 613 * outside of parameter validation. */ 614 if (n >= MBEDTLS_ARIA_BLOCKSIZE) { 615 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 616 } 617 618 if (mode == MBEDTLS_ARIA_DECRYPT) { 619 while (length--) { 620 if (n == 0) { 621 mbedtls_aria_crypt_ecb(ctx, iv, iv); 622 } 623 624 c = *input++; 625 *output++ = c ^ iv[n]; 626 iv[n] = c; 627 628 n = (n + 1) & 0x0F; 629 } 630 } else { 631 while (length--) { 632 if (n == 0) { 633 mbedtls_aria_crypt_ecb(ctx, iv, iv); 634 } 635 636 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); 637 638 n = (n + 1) & 0x0F; 639 } 640 } 641 642 *iv_off = n; 643 644 return 0; 645 } 646 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 647 648 #if defined(MBEDTLS_CIPHER_MODE_CTR) 649 /* 650 * ARIA-CTR buffer encryption/decryption 651 */ 652 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, 653 size_t length, 654 size_t *nc_off, 655 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 656 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 657 const unsigned char *input, 658 unsigned char *output) 659 { 660 int c, i; 661 size_t n; 662 663 ARIA_VALIDATE_RET(ctx != NULL); 664 ARIA_VALIDATE_RET(length == 0 || input != NULL); 665 ARIA_VALIDATE_RET(length == 0 || output != NULL); 666 ARIA_VALIDATE_RET(nonce_counter != NULL); 667 ARIA_VALIDATE_RET(stream_block != NULL); 668 ARIA_VALIDATE_RET(nc_off != NULL); 669 670 n = *nc_off; 671 /* An overly large value of n can lead to an unlimited 672 * buffer overflow. Therefore, guard against this 673 * outside of parameter validation. */ 674 if (n >= MBEDTLS_ARIA_BLOCKSIZE) { 675 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 676 } 677 678 while (length--) { 679 if (n == 0) { 680 mbedtls_aria_crypt_ecb(ctx, nonce_counter, 681 stream_block); 682 683 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) { 684 if (++nonce_counter[i - 1] != 0) { 685 break; 686 } 687 } 688 } 689 c = *input++; 690 *output++ = (unsigned char) (c ^ stream_block[n]); 691 692 n = (n + 1) & 0x0F; 693 } 694 695 *nc_off = n; 696 697 return 0; 698 } 699 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 700 #endif /* !MBEDTLS_ARIA_ALT */ 701 702 #if defined(MBEDTLS_SELF_TEST) 703 704 /* 705 * Basic ARIA ECB test vectors from RFC 5794 706 */ 707 static const uint8_t aria_test1_ecb_key[32] = // test key 708 { 709 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 710 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 711 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 712 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 713 }; 714 715 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 716 { 717 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 718 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 719 }; 720 721 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 722 { 723 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 724 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 725 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 726 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 727 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 728 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 729 }; 730 731 /* 732 * Mode tests from "Test Vectors for ARIA" Version 1.0 733 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 734 */ 735 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 736 defined(MBEDTLS_CIPHER_MODE_CTR)) 737 static const uint8_t aria_test2_key[32] = 738 { 739 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 740 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 741 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 742 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 743 }; 744 745 static const uint8_t aria_test2_pt[48] = 746 { 747 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 748 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 749 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 750 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 751 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 752 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 753 }; 754 #endif 755 756 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 757 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 758 { 759 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 760 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 761 }; 762 #endif 763 764 #if defined(MBEDTLS_CIPHER_MODE_CBC) 765 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 766 { 767 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 768 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 769 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 770 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 771 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 772 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 773 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 774 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 775 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 776 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 777 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 778 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 779 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 780 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 781 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 782 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 783 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 784 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 785 }; 786 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 787 788 #if defined(MBEDTLS_CIPHER_MODE_CFB) 789 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 790 { 791 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 792 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 793 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 794 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 795 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 796 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 797 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 798 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 799 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 800 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 801 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 802 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 803 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 804 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 805 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 806 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 807 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 808 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 809 }; 810 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 811 812 #if defined(MBEDTLS_CIPHER_MODE_CTR) 813 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 814 { 815 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 816 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 817 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 818 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 819 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 820 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 821 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 822 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 823 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 824 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 825 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 826 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 827 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 828 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 829 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 830 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 831 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 832 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 833 }; 834 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 835 836 #define ARIA_SELF_TEST_ASSERT(cond) \ 837 do { \ 838 if (cond) { \ 839 if (verbose) \ 840 mbedtls_printf("failed\n"); \ 841 goto exit; \ 842 } else { \ 843 if (verbose) \ 844 mbedtls_printf("passed\n"); \ 845 } \ 846 } while (0) 847 848 /* 849 * Checkup routine 850 */ 851 int mbedtls_aria_self_test(int verbose) 852 { 853 int i; 854 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 855 mbedtls_aria_context ctx; 856 int ret = 1; 857 858 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 859 size_t j; 860 #endif 861 862 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 863 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 864 defined(MBEDTLS_CIPHER_MODE_CTR)) 865 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 866 #endif 867 868 mbedtls_aria_init(&ctx); 869 870 /* 871 * Test set 1 872 */ 873 for (i = 0; i < 3; i++) { 874 /* test ECB encryption */ 875 if (verbose) { 876 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i); 877 } 878 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i); 879 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk); 880 ARIA_SELF_TEST_ASSERT( 881 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) 882 != 0); 883 884 /* test ECB decryption */ 885 if (verbose) { 886 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i); 887 } 888 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i); 889 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk); 890 ARIA_SELF_TEST_ASSERT( 891 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) 892 != 0); 893 } 894 if (verbose) { 895 mbedtls_printf("\n"); 896 } 897 898 /* 899 * Test set 2 900 */ 901 #if defined(MBEDTLS_CIPHER_MODE_CBC) 902 for (i = 0; i < 3; i++) { 903 /* Test CBC encryption */ 904 if (verbose) { 905 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i); 906 } 907 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 908 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 909 memset(buf, 0x55, sizeof(buf)); 910 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 911 aria_test2_pt, buf); 912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48) 913 != 0); 914 915 /* Test CBC decryption */ 916 if (verbose) { 917 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i); 918 } 919 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i); 920 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 921 memset(buf, 0xAA, sizeof(buf)); 922 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 923 aria_test2_cbc_ct[i], buf); 924 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 925 } 926 if (verbose) { 927 mbedtls_printf("\n"); 928 } 929 930 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 931 932 #if defined(MBEDTLS_CIPHER_MODE_CFB) 933 for (i = 0; i < 3; i++) { 934 /* Test CFB encryption */ 935 if (verbose) { 936 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i); 937 } 938 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 939 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 940 memset(buf, 0x55, sizeof(buf)); 941 j = 0; 942 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 943 aria_test2_pt, buf); 944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0); 945 946 /* Test CFB decryption */ 947 if (verbose) { 948 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i); 949 } 950 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 951 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 952 memset(buf, 0xAA, sizeof(buf)); 953 j = 0; 954 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 955 iv, aria_test2_cfb_ct[i], buf); 956 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 957 } 958 if (verbose) { 959 mbedtls_printf("\n"); 960 } 961 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 962 963 #if defined(MBEDTLS_CIPHER_MODE_CTR) 964 for (i = 0; i < 3; i++) { 965 /* Test CTR encryption */ 966 if (verbose) { 967 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i); 968 } 969 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 970 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 971 memset(buf, 0x55, sizeof(buf)); 972 j = 0; 973 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, 974 aria_test2_pt, buf); 975 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0); 976 977 /* Test CTR decryption */ 978 if (verbose) { 979 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i); 980 } 981 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 982 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 983 memset(buf, 0xAA, sizeof(buf)); 984 j = 0; 985 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, 986 aria_test2_ctr_ct[i], buf); 987 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 988 } 989 if (verbose) { 990 mbedtls_printf("\n"); 991 } 992 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 993 994 ret = 0; 995 996 exit: 997 mbedtls_aria_free(&ctx); 998 return ret; 999 } 1000 1001 #endif /* MBEDTLS_SELF_TEST */ 1002 1003 #endif /* MBEDTLS_ARIA_C */ 1004