1/* 2 * ARIA implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8/* 9 * This implementation is based on the following standards: 10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf 11 * [2] https://tools.ietf.org/html/rfc5794 12 */ 13 14#include "common.h" 15 16#if defined(MBEDTLS_ARIA_C) 17 18#include "mbedtls/aria.h" 19 20#include <string.h> 21 22#include "mbedtls/platform.h" 23 24#if !defined(MBEDTLS_ARIA_ALT) 25 26#include "mbedtls/platform_util.h" 27 28/* 29 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes 30 * 31 * This is submatrix P1 in [1] Appendix B.1 32 * 33 * Common compilers fail to translate this to minimal number of instructions, 34 * so let's provide asm versions for common platforms with C fallback. 35 */ 36#if defined(MBEDTLS_HAVE_ASM) 37#if defined(__arm__) /* rev16 available from v6 up */ 38/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ 39#if defined(__GNUC__) && \ 40 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \ 41 __ARM_ARCH >= 6 42static inline uint32_t aria_p1(uint32_t x) 43{ 44 uint32_t r; 45 __asm("rev16 %0, %1" : "=l" (r) : "l" (x)); 46 return r; 47} 48#define ARIA_P1 aria_p1 49#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ 50 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3) 51static inline uint32_t aria_p1(uint32_t x) 52{ 53 uint32_t r; 54 __asm("rev16 r, x"); 55 return r; 56} 57#define ARIA_P1 aria_p1 58#endif 59#endif /* arm */ 60#if defined(__GNUC__) && \ 61 defined(__i386__) || defined(__amd64__) || defined(__x86_64__) 62/* I couldn't find an Intel equivalent of rev16, so two instructions */ 63#define ARIA_P1(x) ARIA_P2(ARIA_P3(x)) 64#endif /* x86 gnuc */ 65#endif /* MBEDTLS_HAVE_ASM && GNUC */ 66#if !defined(ARIA_P1) 67#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) 68#endif 69 70/* 71 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits 72 * 73 * This is submatrix P2 in [1] Appendix B.1 74 * 75 * Common compilers will translate this to a single instruction. 76 */ 77#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) 78 79/* 80 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness 81 * 82 * This is submatrix P3 in [1] Appendix B.1 83 */ 84#define ARIA_P3(x) MBEDTLS_BSWAP32(x) 85 86/* 87 * ARIA Affine Transform 88 * (a, b, c, d) = state in/out 89 * 90 * If we denote the first byte of input by 0, ..., the last byte by f, 91 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. 92 * 93 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple 94 * rearrangements on adjacent pairs, output is: 95 * 96 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe 97 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd 98 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd 99 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc 100 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe 101 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc 102 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef 103 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef 104 * 105 * Note: another presentation of the A transform can be found as the first 106 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. 107 * The implementation below uses only P1 and P2 as they are sufficient. 108 */ 109static inline void aria_a(uint32_t *a, uint32_t *b, 110 uint32_t *c, uint32_t *d) 111{ 112 uint32_t ta, tb, tc; 113 ta = *b; // 4567 114 *b = *a; // 0123 115 *a = ARIA_P2(ta); // 6745 116 tb = ARIA_P2(*d); // efcd 117 *d = ARIA_P1(*c); // 98ba 118 *c = ARIA_P1(tb); // fedc 119 ta ^= *d; // 4567+98ba 120 tc = ARIA_P2(*b); // 2301 121 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc 122 tb ^= ARIA_P2(*d); // ba98+efcd 123 tc ^= ARIA_P1(*a); // 2301+7654 124 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT 125 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc 126 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT 127 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe 128 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT 129 tc = ARIA_P2(tc); // 0123+5476 130 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT 131} 132 133/* 134 * ARIA Substitution Layer SL1 / SL2 135 * (a, b, c, d) = state in/out 136 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) 137 * 138 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 139 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 140 */ 141static inline void aria_sl(uint32_t *a, uint32_t *b, 142 uint32_t *c, uint32_t *d, 143 const uint8_t sa[256], const uint8_t sb[256], 144 const uint8_t sc[256], const uint8_t sd[256]) 145{ 146 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^ 147 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^ 148 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^ 149 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24); 150 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^ 151 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^ 152 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^ 153 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24); 154 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^ 155 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^ 156 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^ 157 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24); 158 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^ 159 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^ 160 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^ 161 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24); 162} 163 164/* 165 * S-Boxes 166 */ 167static const uint8_t aria_sb1[256] = 168{ 169 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 170 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 171 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 172 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 173 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 174 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 175 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 176 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 177 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 178 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 179 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 180 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 181 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 182 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 183 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 184 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 185 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 186 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 187 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 188 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 189 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 190 0xB0, 0x54, 0xBB, 0x16 191}; 192 193static const uint8_t aria_sb2[256] = 194{ 195 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 196 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 197 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 198 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 199 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 200 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 201 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 202 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 203 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 204 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 205 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 206 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 207 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 208 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 209 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 210 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, 211 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 212 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 213 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 214 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 215 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 216 0xAF, 0xBA, 0xB5, 0x81 217}; 218 219static const uint8_t aria_is1[256] = 220{ 221 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 222 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 223 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 224 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 225 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 226 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 227 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 228 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 230 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 231 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 232 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 233 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 234 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 235 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 236 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 238 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 239 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 240 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 241 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 242 0x55, 0x21, 0x0C, 0x7D 243}; 244 245static const uint8_t aria_is2[256] = 246{ 247 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 248 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 249 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 250 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 251 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 252 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 253 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 254 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 255 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 256 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 257 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 258 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 259 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 260 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 261 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 262 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, 263 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 264 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 265 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 266 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 267 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 268 0x03, 0xA2, 0xAC, 0x60 269}; 270 271/* 272 * Helper for key schedule: r = FO( p, k ) ^ x 273 */ 274static void aria_fo_xor(uint32_t r[4], const uint32_t p[4], 275 const uint32_t k[4], const uint32_t x[4]) 276{ 277 uint32_t a, b, c, d; 278 279 a = p[0] ^ k[0]; 280 b = p[1] ^ k[1]; 281 c = p[2] ^ k[2]; 282 d = p[3] ^ k[3]; 283 284 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); 285 aria_a(&a, &b, &c, &d); 286 287 r[0] = a ^ x[0]; 288 r[1] = b ^ x[1]; 289 r[2] = c ^ x[2]; 290 r[3] = d ^ x[3]; 291} 292 293/* 294 * Helper for key schedule: r = FE( p, k ) ^ x 295 */ 296static void aria_fe_xor(uint32_t r[4], const uint32_t p[4], 297 const uint32_t k[4], const uint32_t x[4]) 298{ 299 uint32_t a, b, c, d; 300 301 a = p[0] ^ k[0]; 302 b = p[1] ^ k[1]; 303 c = p[2] ^ k[2]; 304 d = p[3] ^ k[3]; 305 306 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); 307 aria_a(&a, &b, &c, &d); 308 309 r[0] = a ^ x[0]; 310 r[1] = b ^ x[1]; 311 r[2] = c ^ x[2]; 312 r[3] = d ^ x[3]; 313} 314 315/* 316 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. 317 * 318 * We chose to store bytes into 32-bit words in little-endian format (see 319 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse 320 * bytes here. 321 */ 322static void aria_rot128(uint32_t r[4], const uint32_t a[4], 323 const uint32_t b[4], uint8_t n) 324{ 325 uint8_t i, j; 326 uint32_t t, u; 327 328 const uint8_t n1 = n % 32; // bit offset 329 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset 330 331 j = (n / 32) % 4; // initial word offset 332 t = ARIA_P3(b[j]); // big endian 333 for (i = 0; i < 4; i++) { 334 j = (j + 1) % 4; // get next word, big endian 335 u = ARIA_P3(b[j]); 336 t <<= n1; // rotate 337 t |= u >> n2; 338 t = ARIA_P3(t); // back to little endian 339 r[i] = a[i] ^ t; // store 340 t = u; // move to next word 341 } 342} 343 344/* 345 * Set encryption key 346 */ 347int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, 348 const unsigned char *key, unsigned int keybits) 349{ 350 /* round constant masks */ 351 const uint32_t rc[3][4] = 352 { 353 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, 354 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, 355 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } 356 }; 357 358 int i; 359 uint32_t w[4][4], *w2; 360 361 if (keybits != 128 && keybits != 192 && keybits != 256) { 362 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 363 } 364 365 /* Copy key to W0 (and potential remainder to W1) */ 366 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0); 367 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4); 368 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8); 369 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12); 370 371 memset(w[1], 0, 16); 372 if (keybits >= 192) { 373 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key 374 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20); 375 } 376 if (keybits == 256) { 377 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key 378 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28); 379 } 380 381 i = (keybits - 128) >> 6; // index: 0, 1, 2 382 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 383 384 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR 385 i = i < 2 ? i + 1 : 0; 386 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0 387 i = i < 2 ? i + 1 : 0; 388 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1 389 390 for (i = 0; i < 4; i++) { // create round keys 391 w2 = w[(i + 1) & 3]; 392 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19); 393 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31); 394 aria_rot128(ctx->rk[i + 8], w[i], w2, 61); 395 aria_rot128(ctx->rk[i + 12], w[i], w2, 31); 396 } 397 aria_rot128(ctx->rk[16], w[0], w[1], 19); 398 399 /* w holds enough info to reconstruct the round keys */ 400 mbedtls_platform_zeroize(w, sizeof(w)); 401 402 return 0; 403} 404 405/* 406 * Set decryption key 407 */ 408#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 409int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, 410 const unsigned char *key, unsigned int keybits) 411{ 412 int i, j, k, ret; 413 414 ret = mbedtls_aria_setkey_enc(ctx, key, keybits); 415 if (ret != 0) { 416 return ret; 417 } 418 419 /* flip the order of round keys */ 420 for (i = 0, j = ctx->nr; i < j; i++, j--) { 421 for (k = 0; k < 4; k++) { 422 uint32_t t = ctx->rk[i][k]; 423 ctx->rk[i][k] = ctx->rk[j][k]; 424 ctx->rk[j][k] = t; 425 } 426 } 427 428 /* apply affine transform to middle keys */ 429 for (i = 1; i < ctx->nr; i++) { 430 aria_a(&ctx->rk[i][0], &ctx->rk[i][1], 431 &ctx->rk[i][2], &ctx->rk[i][3]); 432 } 433 434 return 0; 435} 436#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ 437 438/* 439 * Encrypt a block 440 */ 441int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, 442 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], 443 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) 444{ 445 int i; 446 447 uint32_t a, b, c, d; 448 449 a = MBEDTLS_GET_UINT32_LE(input, 0); 450 b = MBEDTLS_GET_UINT32_LE(input, 4); 451 c = MBEDTLS_GET_UINT32_LE(input, 8); 452 d = MBEDTLS_GET_UINT32_LE(input, 12); 453 454 i = 0; 455 while (1) { 456 a ^= ctx->rk[i][0]; 457 b ^= ctx->rk[i][1]; 458 c ^= ctx->rk[i][2]; 459 d ^= ctx->rk[i][3]; 460 i++; 461 462 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2); 463 aria_a(&a, &b, &c, &d); 464 465 a ^= ctx->rk[i][0]; 466 b ^= ctx->rk[i][1]; 467 c ^= ctx->rk[i][2]; 468 d ^= ctx->rk[i][3]; 469 i++; 470 471 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2); 472 if (i >= ctx->nr) { 473 break; 474 } 475 aria_a(&a, &b, &c, &d); 476 } 477 478 /* final key mixing */ 479 a ^= ctx->rk[i][0]; 480 b ^= ctx->rk[i][1]; 481 c ^= ctx->rk[i][2]; 482 d ^= ctx->rk[i][3]; 483 484 MBEDTLS_PUT_UINT32_LE(a, output, 0); 485 MBEDTLS_PUT_UINT32_LE(b, output, 4); 486 MBEDTLS_PUT_UINT32_LE(c, output, 8); 487 MBEDTLS_PUT_UINT32_LE(d, output, 12); 488 489 return 0; 490} 491 492/* Initialize context */ 493void mbedtls_aria_init(mbedtls_aria_context *ctx) 494{ 495 memset(ctx, 0, sizeof(mbedtls_aria_context)); 496} 497 498/* Clear context */ 499void mbedtls_aria_free(mbedtls_aria_context *ctx) 500{ 501 if (ctx == NULL) { 502 return; 503 } 504 505 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context)); 506} 507 508#if defined(MBEDTLS_CIPHER_MODE_CBC) 509/* 510 * ARIA-CBC buffer encryption/decryption 511 */ 512int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, 513 int mode, 514 size_t length, 515 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 516 const unsigned char *input, 517 unsigned char *output) 518{ 519 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; 520 521 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { 522 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 523 } 524 525 if (length % MBEDTLS_ARIA_BLOCKSIZE) { 526 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH; 527 } 528 529 if (mode == MBEDTLS_ARIA_DECRYPT) { 530 while (length > 0) { 531 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE); 532 mbedtls_aria_crypt_ecb(ctx, input, output); 533 534 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE); 535 536 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE); 537 538 input += MBEDTLS_ARIA_BLOCKSIZE; 539 output += MBEDTLS_ARIA_BLOCKSIZE; 540 length -= MBEDTLS_ARIA_BLOCKSIZE; 541 } 542 } else { 543 while (length > 0) { 544 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE); 545 546 mbedtls_aria_crypt_ecb(ctx, output, output); 547 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE); 548 549 input += MBEDTLS_ARIA_BLOCKSIZE; 550 output += MBEDTLS_ARIA_BLOCKSIZE; 551 length -= MBEDTLS_ARIA_BLOCKSIZE; 552 } 553 } 554 555 return 0; 556} 557#endif /* MBEDTLS_CIPHER_MODE_CBC */ 558 559#if defined(MBEDTLS_CIPHER_MODE_CFB) 560/* 561 * ARIA-CFB128 buffer encryption/decryption 562 */ 563int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, 564 int mode, 565 size_t length, 566 size_t *iv_off, 567 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], 568 const unsigned char *input, 569 unsigned char *output) 570{ 571 unsigned char c; 572 size_t n; 573 574 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) { 575 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 576 } 577 578 n = *iv_off; 579 580 /* An overly large value of n can lead to an unlimited 581 * buffer overflow. */ 582 if (n >= MBEDTLS_ARIA_BLOCKSIZE) { 583 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 584 } 585 586 if (mode == MBEDTLS_ARIA_DECRYPT) { 587 while (length--) { 588 if (n == 0) { 589 mbedtls_aria_crypt_ecb(ctx, iv, iv); 590 } 591 592 c = *input++; 593 *output++ = c ^ iv[n]; 594 iv[n] = c; 595 596 n = (n + 1) & 0x0F; 597 } 598 } else { 599 while (length--) { 600 if (n == 0) { 601 mbedtls_aria_crypt_ecb(ctx, iv, iv); 602 } 603 604 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); 605 606 n = (n + 1) & 0x0F; 607 } 608 } 609 610 *iv_off = n; 611 612 return 0; 613} 614#endif /* MBEDTLS_CIPHER_MODE_CFB */ 615 616#if defined(MBEDTLS_CIPHER_MODE_CTR) 617/* 618 * ARIA-CTR buffer encryption/decryption 619 */ 620int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, 621 size_t length, 622 size_t *nc_off, 623 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], 624 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], 625 const unsigned char *input, 626 unsigned char *output) 627{ 628 int c, i; 629 size_t n; 630 631 n = *nc_off; 632 /* An overly large value of n can lead to an unlimited 633 * buffer overflow. */ 634 if (n >= MBEDTLS_ARIA_BLOCKSIZE) { 635 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA; 636 } 637 638 while (length--) { 639 if (n == 0) { 640 mbedtls_aria_crypt_ecb(ctx, nonce_counter, 641 stream_block); 642 643 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) { 644 if (++nonce_counter[i - 1] != 0) { 645 break; 646 } 647 } 648 } 649 c = *input++; 650 *output++ = (unsigned char) (c ^ stream_block[n]); 651 652 n = (n + 1) & 0x0F; 653 } 654 655 *nc_off = n; 656 657 return 0; 658} 659#endif /* MBEDTLS_CIPHER_MODE_CTR */ 660#endif /* !MBEDTLS_ARIA_ALT */ 661 662#if defined(MBEDTLS_SELF_TEST) 663 664/* 665 * Basic ARIA ECB test vectors from RFC 5794 666 */ 667static const uint8_t aria_test1_ecb_key[32] = // test key 668{ 669 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit 670 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 671 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit 672 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit 673}; 674 675static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext 676{ 677 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all 678 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes 679}; 680 681static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext 682{ 683 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit 684 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, 685 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit 686 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, 687 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit 688 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } 689}; 690 691/* 692 * Mode tests from "Test Vectors for ARIA" Version 1.0 693 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf 694 */ 695#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 696 defined(MBEDTLS_CIPHER_MODE_CTR)) 697static const uint8_t aria_test2_key[32] = 698{ 699 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit 700 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit 702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit 703}; 704 705static const uint8_t aria_test2_pt[48] = 706{ 707 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all 708 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 709 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 710 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, 711 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, 712 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, 713}; 714#endif 715 716#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) 717static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = 718{ 719 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB 720 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV 721}; 722#endif 723 724#if defined(MBEDTLS_CIPHER_MODE_CBC) 725static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext 726{ 727 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key 728 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 729 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 730 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, 731 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, 732 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, 733 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key 734 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 735 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 736 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, 737 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, 738 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, 739 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key 740 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 741 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 742 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, 743 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, 744 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } 745}; 746#endif /* MBEDTLS_CIPHER_MODE_CBC */ 747 748#if defined(MBEDTLS_CIPHER_MODE_CFB) 749static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext 750{ 751 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key 752 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 753 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 754 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, 755 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, 756 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, 757 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key 758 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 759 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 760 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, 761 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, 762 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, 763 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key 764 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 765 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 766 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, 767 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, 768 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } 769}; 770#endif /* MBEDTLS_CIPHER_MODE_CFB */ 771 772#if defined(MBEDTLS_CIPHER_MODE_CTR) 773static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext 774{ 775 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key 776 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 777 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 778 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, 779 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, 780 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, 781 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key 782 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 783 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 784 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, 785 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, 786 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, 787 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key 788 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 789 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 790 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, 791 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, 792 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } 793}; 794#endif /* MBEDTLS_CIPHER_MODE_CFB */ 795 796#define ARIA_SELF_TEST_ASSERT(cond) \ 797 do { \ 798 if (cond) { \ 799 if (verbose) \ 800 mbedtls_printf("failed\n"); \ 801 goto exit; \ 802 } else { \ 803 if (verbose) \ 804 mbedtls_printf("passed\n"); \ 805 } \ 806 } while (0) 807 808/* 809 * Checkup routine 810 */ 811int mbedtls_aria_self_test(int verbose) 812{ 813 int i; 814 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; 815 mbedtls_aria_context ctx; 816 int ret = 1; 817 818#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) 819 size_t j; 820#endif 821 822#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ 823 defined(MBEDTLS_CIPHER_MODE_CFB) || \ 824 defined(MBEDTLS_CIPHER_MODE_CTR)) 825 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; 826#endif 827 828 mbedtls_aria_init(&ctx); 829 830 /* 831 * Test set 1 832 */ 833 for (i = 0; i < 3; i++) { 834 /* test ECB encryption */ 835 if (verbose) { 836 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i); 837 } 838 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i); 839 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk); 840 ARIA_SELF_TEST_ASSERT( 841 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) 842 != 0); 843 844 /* test ECB decryption */ 845 if (verbose) { 846 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i); 847#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 848 mbedtls_printf("skipped\n"); 849#endif 850 } 851 852#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 853 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i); 854 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk); 855 ARIA_SELF_TEST_ASSERT( 856 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) 857 != 0); 858#endif 859 } 860 if (verbose) { 861 mbedtls_printf("\n"); 862 } 863 864 /* 865 * Test set 2 866 */ 867#if defined(MBEDTLS_CIPHER_MODE_CBC) 868 for (i = 0; i < 3; i++) { 869 /* Test CBC encryption */ 870 if (verbose) { 871 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i); 872 } 873 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 874 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 875 memset(buf, 0x55, sizeof(buf)); 876 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, 877 aria_test2_pt, buf); 878 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48) 879 != 0); 880 881 /* Test CBC decryption */ 882 if (verbose) { 883 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i); 884 } 885 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i); 886 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 887 memset(buf, 0xAA, sizeof(buf)); 888 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, 889 aria_test2_cbc_ct[i], buf); 890 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 891 } 892 if (verbose) { 893 mbedtls_printf("\n"); 894 } 895 896#endif /* MBEDTLS_CIPHER_MODE_CBC */ 897 898#if defined(MBEDTLS_CIPHER_MODE_CFB) 899 for (i = 0; i < 3; i++) { 900 /* Test CFB encryption */ 901 if (verbose) { 902 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i); 903 } 904 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 905 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 906 memset(buf, 0x55, sizeof(buf)); 907 j = 0; 908 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, 909 aria_test2_pt, buf); 910 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0); 911 912 /* Test CFB decryption */ 913 if (verbose) { 914 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i); 915 } 916 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 917 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE); 918 memset(buf, 0xAA, sizeof(buf)); 919 j = 0; 920 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, 921 iv, aria_test2_cfb_ct[i], buf); 922 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 923 } 924 if (verbose) { 925 mbedtls_printf("\n"); 926 } 927#endif /* MBEDTLS_CIPHER_MODE_CFB */ 928 929#if defined(MBEDTLS_CIPHER_MODE_CTR) 930 for (i = 0; i < 3; i++) { 931 /* Test CTR encryption */ 932 if (verbose) { 933 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i); 934 } 935 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 936 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 937 memset(buf, 0x55, sizeof(buf)); 938 j = 0; 939 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, 940 aria_test2_pt, buf); 941 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0); 942 943 /* Test CTR decryption */ 944 if (verbose) { 945 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i); 946 } 947 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i); 948 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0 949 memset(buf, 0xAA, sizeof(buf)); 950 j = 0; 951 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, 952 aria_test2_ctr_ct[i], buf); 953 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0); 954 } 955 if (verbose) { 956 mbedtls_printf("\n"); 957 } 958#endif /* MBEDTLS_CIPHER_MODE_CTR */ 959 960 ret = 0; 961 962exit: 963 mbedtls_aria_free(&ctx); 964 return ret; 965} 966 967#endif /* MBEDTLS_SELF_TEST */ 968 969#endif /* MBEDTLS_ARIA_C */ 970