Coverage Report

Created: 2024-01-20 12:33

/src/mbedtls/library/aria.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  ARIA implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0
6
 *
7
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8
 *  not use this file except in compliance with the License.
9
 *  You may obtain a copy of the License at
10
 *
11
 *  http://www.apache.org/licenses/LICENSE-2.0
12
 *
13
 *  Unless required by applicable law or agreed to in writing, software
14
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16
 *  See the License for the specific language governing permissions and
17
 *  limitations under the License.
18
 */
19
20
/*
21
 * This implementation is based on the following standards:
22
 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23
 * [2] https://tools.ietf.org/html/rfc5794
24
 */
25
26
#include "common.h"
27
28
#if defined(MBEDTLS_ARIA_C)
29
30
#include "mbedtls/aria.h"
31
32
#include <string.h>
33
34
#include "mbedtls/platform.h"
35
36
#if !defined(MBEDTLS_ARIA_ALT)
37
38
#include "mbedtls/platform_util.h"
39
40
/* Parameter validation macros */
41
#define ARIA_VALIDATE_RET(cond)                                       \
42
0
    MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
43
#define ARIA_VALIDATE(cond)                                           \
44
0
    MBEDTLS_INTERNAL_VALIDATE(cond)
45
46
/*
47
 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
48
 *
49
 * This is submatrix P1 in [1] Appendix B.1
50
 *
51
 * Common compilers fail to translate this to minimal number of instructions,
52
 * so let's provide asm versions for common platforms with C fallback.
53
 */
54
#if defined(MBEDTLS_HAVE_ASM)
55
#if defined(__arm__) /* rev16 available from v6 up */
56
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57
#if defined(__GNUC__) && \
58
    (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
59
    __ARM_ARCH >= 6
60
static inline uint32_t aria_p1(uint32_t x)
61
{
62
    uint32_t r;
63
    __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
64
    return r;
65
}
66
#define ARIA_P1 aria_p1
67
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
68
    (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
69
static inline uint32_t aria_p1(uint32_t x)
70
{
71
    uint32_t r;
72
    __asm("rev16 r, x");
73
    return r;
74
}
75
#define ARIA_P1 aria_p1
76
#endif
77
#endif /* arm */
78
#if defined(__GNUC__) && \
79
    defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
80
/* I couldn't find an Intel equivalent of rev16, so two instructions */
81
0
#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
82
#endif /* x86 gnuc */
83
#endif /* MBEDTLS_HAVE_ASM && GNUC */
84
#if !defined(ARIA_P1)
85
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
86
#endif
87
88
/*
89
 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90
 *
91
 * This is submatrix P2 in [1] Appendix B.1
92
 *
93
 * Common compilers will translate this to a single instruction.
94
 */
95
0
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
96
97
/*
98
 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99
 *
100
 * This is submatrix P3 in [1] Appendix B.1
101
 */
102
0
#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
103
104
/*
105
 * ARIA Affine Transform
106
 * (a, b, c, d) = state in/out
107
 *
108
 * If we denote the first byte of input by 0, ..., the last byte by f,
109
 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
110
 *
111
 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
112
 * rearrangements on adjacent pairs, output is:
113
 *
114
 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
115
 *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
116
 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
117
 *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
118
 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
119
 *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
120
 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
121
 *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
122
 *
123
 * Note: another presentation of the A transform can be found as the first
124
 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
125
 * The implementation below uses only P1 and P2 as they are sufficient.
126
 */
127
static inline void aria_a(uint32_t *a, uint32_t *b,
128
                          uint32_t *c, uint32_t *d)
129
0
{
130
0
    uint32_t ta, tb, tc;
131
0
    ta  =  *b;                      // 4567
132
0
    *b  =  *a;                      // 0123
133
0
    *a  =  ARIA_P2(ta);             // 6745
134
0
    tb  =  ARIA_P2(*d);             // efcd
135
0
    *d  =  ARIA_P1(*c);             // 98ba
136
0
    *c  =  ARIA_P1(tb);             // fedc
137
0
    ta  ^= *d;                      // 4567+98ba
138
0
    tc  =  ARIA_P2(*b);             // 2301
139
0
    ta  =  ARIA_P1(ta) ^ tc ^ *c;   // 2301+5476+89ab+fedc
140
0
    tb  ^= ARIA_P2(*d);             // ba98+efcd
141
0
    tc  ^= ARIA_P1(*a);             // 2301+7654
142
0
    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
143
0
    tb  =  ARIA_P2(tb) ^ ta;        // 2301+5476+89ab+98ba+cdef+fedc
144
0
    *a  ^= ARIA_P1(tb);             // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
145
0
    ta  =  ARIA_P2(ta);             // 0123+7654+ab89+dcfe
146
0
    *d  ^= ARIA_P1(ta) ^ tc;        // 1032+2301+6745+7654+98ba+ba98+cdef OUT
147
0
    tc  =  ARIA_P2(tc);             // 0123+5476
148
0
    *c  ^= ARIA_P1(tc) ^ ta;        // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
149
0
}
150
151
/*
152
 * ARIA Substitution Layer SL1 / SL2
153
 * (a, b, c, d) = state in/out
154
 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
155
 *
156
 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
157
 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
158
 */
159
static inline void aria_sl(uint32_t *a, uint32_t *b,
160
                           uint32_t *c, uint32_t *d,
161
                           const uint8_t sa[256], const uint8_t sb[256],
162
                           const uint8_t sc[256], const uint8_t sd[256])
163
0
{
164
0
    *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
165
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) <<  8) ^
166
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
167
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
168
0
    *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
169
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) <<  8) ^
170
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
171
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
172
0
    *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
173
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) <<  8) ^
174
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
175
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
176
0
    *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
177
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) <<  8) ^
178
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
179
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
180
0
}
181
182
/*
183
 * S-Boxes
184
 */
185
static const uint8_t aria_sb1[256] =
186
{
187
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
188
    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
189
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
190
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
191
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
192
    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
193
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
194
    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
195
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
196
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
197
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
198
    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
199
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
200
    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
201
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
202
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
203
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
204
    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
205
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
206
    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
207
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
208
    0xB0, 0x54, 0xBB, 0x16
209
};
210
211
static const uint8_t aria_sb2[256] =
212
{
213
    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
214
    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
215
    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
216
    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
217
    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
218
    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
219
    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
220
    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
221
    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
222
    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
223
    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
224
    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
225
    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
226
    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
227
    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
228
    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
229
    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
230
    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
231
    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
232
    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
233
    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
234
    0xAF, 0xBA, 0xB5, 0x81
235
};
236
237
static const uint8_t aria_is1[256] =
238
{
239
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
240
    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
241
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
242
    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
243
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
244
    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
245
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
246
    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
247
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
248
    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
249
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
250
    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
251
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
252
    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
253
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
254
    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
256
    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
258
    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
259
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
260
    0x55, 0x21, 0x0C, 0x7D
261
};
262
263
static const uint8_t aria_is2[256] =
264
{
265
    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
266
    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
267
    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
268
    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
269
    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
270
    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
271
    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
272
    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
273
    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
274
    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
275
    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
276
    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
277
    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
278
    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
279
    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
280
    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
281
    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
282
    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
283
    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
284
    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
285
    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
286
    0x03, 0xA2, 0xAC, 0x60
287
};
288
289
/*
290
 * Helper for key schedule: r = FO( p, k ) ^ x
291
 */
292
static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
293
                        const uint32_t k[4], const uint32_t x[4])
294
0
{
295
0
    uint32_t a, b, c, d;
296
297
0
    a = p[0] ^ k[0];
298
0
    b = p[1] ^ k[1];
299
0
    c = p[2] ^ k[2];
300
0
    d = p[3] ^ k[3];
301
302
0
    aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
303
0
    aria_a(&a, &b, &c, &d);
304
305
0
    r[0] = a ^ x[0];
306
0
    r[1] = b ^ x[1];
307
0
    r[2] = c ^ x[2];
308
0
    r[3] = d ^ x[3];
309
0
}
310
311
/*
312
 * Helper for key schedule: r = FE( p, k ) ^ x
313
 */
314
static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
315
                        const uint32_t k[4], const uint32_t x[4])
316
0
{
317
0
    uint32_t a, b, c, d;
318
319
0
    a = p[0] ^ k[0];
320
0
    b = p[1] ^ k[1];
321
0
    c = p[2] ^ k[2];
322
0
    d = p[3] ^ k[3];
323
324
0
    aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
325
0
    aria_a(&a, &b, &c, &d);
326
327
0
    r[0] = a ^ x[0];
328
0
    r[1] = b ^ x[1];
329
0
    r[2] = c ^ x[2];
330
0
    r[3] = d ^ x[3];
331
0
}
332
333
/*
334
 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
335
 *
336
 * We chose to store bytes into 32-bit words in little-endian format (see
337
 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
338
 * bytes here.
339
 */
340
static void aria_rot128(uint32_t r[4], const uint32_t a[4],
341
                        const uint32_t b[4], uint8_t n)
342
0
{
343
0
    uint8_t i, j;
344
0
    uint32_t t, u;
345
346
0
    const uint8_t n1 = n % 32;              // bit offset
347
0
    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
348
349
0
    j = (n / 32) % 4;                       // initial word offset
350
0
    t = ARIA_P3(b[j]);                      // big endian
351
0
    for (i = 0; i < 4; i++) {
352
0
        j = (j + 1) % 4;                    // get next word, big endian
353
0
        u = ARIA_P3(b[j]);
354
0
        t <<= n1;                           // rotate
355
0
        t |= u >> n2;
356
0
        t = ARIA_P3(t);                     // back to little endian
357
0
        r[i] = a[i] ^ t;                    // store
358
0
        t = u;                              // move to next word
359
0
    }
360
0
}
361
362
/*
363
 * Set encryption key
364
 */
365
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
366
                            const unsigned char *key, unsigned int keybits)
367
0
{
368
    /* round constant masks */
369
0
    const uint32_t rc[3][4] =
370
0
    {
371
0
        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
372
0
        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
373
0
        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
374
0
    };
375
376
0
    int i;
377
0
    uint32_t w[4][4], *w2;
378
0
    ARIA_VALIDATE_RET(ctx != NULL);
379
0
    ARIA_VALIDATE_RET(key != NULL);
380
381
0
    if (keybits != 128 && keybits != 192 && keybits != 256) {
382
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
383
0
    }
384
385
    /* Copy key to W0 (and potential remainder to W1) */
386
0
    w[0][0] = MBEDTLS_GET_UINT32_LE(key,  0);
387
0
    w[0][1] = MBEDTLS_GET_UINT32_LE(key,  4);
388
0
    w[0][2] = MBEDTLS_GET_UINT32_LE(key,  8);
389
0
    w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
390
391
0
    memset(w[1], 0, 16);
392
0
    if (keybits >= 192) {
393
0
        w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16);    // 192 bit key
394
0
        w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
395
0
    }
396
0
    if (keybits == 256) {
397
0
        w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24);    // 256 bit key
398
0
        w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
399
0
    }
400
401
0
    i = (keybits - 128) >> 6;               // index: 0, 1, 2
402
0
    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
403
404
0
    aria_fo_xor(w[1], w[0], rc[i], w[1]);   // W1 = FO(W0, CK1) ^ KR
405
0
    i = i < 2 ? i + 1 : 0;
406
0
    aria_fe_xor(w[2], w[1], rc[i], w[0]);   // W2 = FE(W1, CK2) ^ W0
407
0
    i = i < 2 ? i + 1 : 0;
408
0
    aria_fo_xor(w[3], w[2], rc[i], w[1]);   // W3 = FO(W2, CK3) ^ W1
409
410
0
    for (i = 0; i < 4; i++) {               // create round keys
411
0
        w2 = w[(i + 1) & 3];
412
0
        aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
413
0
        aria_rot128(ctx->rk[i +  4], w[i], w2, 128 - 31);
414
0
        aria_rot128(ctx->rk[i +  8], w[i], w2,       61);
415
0
        aria_rot128(ctx->rk[i + 12], w[i], w2,       31);
416
0
    }
417
0
    aria_rot128(ctx->rk[16], w[0], w[1], 19);
418
419
    /* w holds enough info to reconstruct the round keys */
420
0
    mbedtls_platform_zeroize(w, sizeof(w));
421
422
0
    return 0;
423
0
}
424
425
/*
426
 * Set decryption key
427
 */
428
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
429
                            const unsigned char *key, unsigned int keybits)
430
0
{
431
0
    int i, j, k, ret;
432
0
    ARIA_VALIDATE_RET(ctx != NULL);
433
0
    ARIA_VALIDATE_RET(key != NULL);
434
435
0
    ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
436
0
    if (ret != 0) {
437
0
        return ret;
438
0
    }
439
440
    /* flip the order of round keys */
441
0
    for (i = 0, j = ctx->nr; i < j; i++, j--) {
442
0
        for (k = 0; k < 4; k++) {
443
0
            uint32_t t = ctx->rk[i][k];
444
0
            ctx->rk[i][k] = ctx->rk[j][k];
445
0
            ctx->rk[j][k] = t;
446
0
        }
447
0
    }
448
449
    /* apply affine transform to middle keys */
450
0
    for (i = 1; i < ctx->nr; i++) {
451
0
        aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
452
0
               &ctx->rk[i][2], &ctx->rk[i][3]);
453
0
    }
454
455
0
    return 0;
456
0
}
457
458
/*
459
 * Encrypt a block
460
 */
461
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
462
                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
463
                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
464
0
{
465
0
    int i;
466
467
0
    uint32_t a, b, c, d;
468
0
    ARIA_VALIDATE_RET(ctx != NULL);
469
0
    ARIA_VALIDATE_RET(input != NULL);
470
0
    ARIA_VALIDATE_RET(output != NULL);
471
472
0
    a = MBEDTLS_GET_UINT32_LE(input,  0);
473
0
    b = MBEDTLS_GET_UINT32_LE(input,  4);
474
0
    c = MBEDTLS_GET_UINT32_LE(input,  8);
475
0
    d = MBEDTLS_GET_UINT32_LE(input, 12);
476
477
0
    i = 0;
478
0
    while (1) {
479
0
        a ^= ctx->rk[i][0];
480
0
        b ^= ctx->rk[i][1];
481
0
        c ^= ctx->rk[i][2];
482
0
        d ^= ctx->rk[i][3];
483
0
        i++;
484
485
0
        aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
486
0
        aria_a(&a, &b, &c, &d);
487
488
0
        a ^= ctx->rk[i][0];
489
0
        b ^= ctx->rk[i][1];
490
0
        c ^= ctx->rk[i][2];
491
0
        d ^= ctx->rk[i][3];
492
0
        i++;
493
494
0
        aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
495
0
        if (i >= ctx->nr) {
496
0
            break;
497
0
        }
498
0
        aria_a(&a, &b, &c, &d);
499
0
    }
500
501
    /* final key mixing */
502
0
    a ^= ctx->rk[i][0];
503
0
    b ^= ctx->rk[i][1];
504
0
    c ^= ctx->rk[i][2];
505
0
    d ^= ctx->rk[i][3];
506
507
0
    MBEDTLS_PUT_UINT32_LE(a, output,  0);
508
0
    MBEDTLS_PUT_UINT32_LE(b, output,  4);
509
0
    MBEDTLS_PUT_UINT32_LE(c, output,  8);
510
0
    MBEDTLS_PUT_UINT32_LE(d, output, 12);
511
512
0
    return 0;
513
0
}
514
515
/* Initialize context */
516
void mbedtls_aria_init(mbedtls_aria_context *ctx)
517
0
{
518
0
    ARIA_VALIDATE(ctx != NULL);
519
0
    memset(ctx, 0, sizeof(mbedtls_aria_context));
520
0
}
521
522
/* Clear context */
523
void mbedtls_aria_free(mbedtls_aria_context *ctx)
524
0
{
525
0
    if (ctx == NULL) {
526
0
        return;
527
0
    }
528
529
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
530
0
}
531
532
#if defined(MBEDTLS_CIPHER_MODE_CBC)
533
/*
534
 * ARIA-CBC buffer encryption/decryption
535
 */
536
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
537
                           int mode,
538
                           size_t length,
539
                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
540
                           const unsigned char *input,
541
                           unsigned char *output)
542
0
{
543
0
    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
544
545
0
    ARIA_VALIDATE_RET(ctx != NULL);
546
0
    ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
547
0
                      mode == MBEDTLS_ARIA_DECRYPT);
548
0
    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
549
0
    ARIA_VALIDATE_RET(length == 0 || output != NULL);
550
0
    ARIA_VALIDATE_RET(iv != NULL);
551
552
0
    if (length % MBEDTLS_ARIA_BLOCKSIZE) {
553
0
        return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
554
0
    }
555
556
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
557
0
        while (length > 0) {
558
0
            memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
559
0
            mbedtls_aria_crypt_ecb(ctx, input, output);
560
561
0
            mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
562
563
0
            memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
564
565
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
566
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
567
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
568
0
        }
569
0
    } else {
570
0
        while (length > 0) {
571
0
            mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
572
573
0
            mbedtls_aria_crypt_ecb(ctx, output, output);
574
0
            memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
575
576
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
577
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
578
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
579
0
        }
580
0
    }
581
582
0
    return 0;
583
0
}
584
#endif /* MBEDTLS_CIPHER_MODE_CBC */
585
586
#if defined(MBEDTLS_CIPHER_MODE_CFB)
587
/*
588
 * ARIA-CFB128 buffer encryption/decryption
589
 */
590
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
591
                              int mode,
592
                              size_t length,
593
                              size_t *iv_off,
594
                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
595
                              const unsigned char *input,
596
                              unsigned char *output)
597
0
{
598
0
    unsigned char c;
599
0
    size_t n;
600
601
0
    ARIA_VALIDATE_RET(ctx != NULL);
602
0
    ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
603
0
                      mode == MBEDTLS_ARIA_DECRYPT);
604
0
    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
605
0
    ARIA_VALIDATE_RET(length == 0 || output != NULL);
606
0
    ARIA_VALIDATE_RET(iv != NULL);
607
0
    ARIA_VALIDATE_RET(iv_off != NULL);
608
609
0
    n = *iv_off;
610
611
    /* An overly large value of n can lead to an unlimited
612
     * buffer overflow. Therefore, guard against this
613
     * outside of parameter validation. */
614
0
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
615
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
616
0
    }
617
618
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
619
0
        while (length--) {
620
0
            if (n == 0) {
621
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
622
0
            }
623
624
0
            c = *input++;
625
0
            *output++ = c ^ iv[n];
626
0
            iv[n] = c;
627
628
0
            n = (n + 1) & 0x0F;
629
0
        }
630
0
    } else {
631
0
        while (length--) {
632
0
            if (n == 0) {
633
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
634
0
            }
635
636
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
637
638
0
            n = (n + 1) & 0x0F;
639
0
        }
640
0
    }
641
642
0
    *iv_off = n;
643
644
0
    return 0;
645
0
}
646
#endif /* MBEDTLS_CIPHER_MODE_CFB */
647
648
#if defined(MBEDTLS_CIPHER_MODE_CTR)
649
/*
650
 * ARIA-CTR buffer encryption/decryption
651
 */
652
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
653
                           size_t length,
654
                           size_t *nc_off,
655
                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
656
                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
657
                           const unsigned char *input,
658
                           unsigned char *output)
659
0
{
660
0
    int c, i;
661
0
    size_t n;
662
663
0
    ARIA_VALIDATE_RET(ctx != NULL);
664
0
    ARIA_VALIDATE_RET(length == 0 || input  != NULL);
665
0
    ARIA_VALIDATE_RET(length == 0 || output != NULL);
666
0
    ARIA_VALIDATE_RET(nonce_counter != NULL);
667
0
    ARIA_VALIDATE_RET(stream_block  != NULL);
668
0
    ARIA_VALIDATE_RET(nc_off != NULL);
669
670
0
    n = *nc_off;
671
    /* An overly large value of n can lead to an unlimited
672
     * buffer overflow. Therefore, guard against this
673
     * outside of parameter validation. */
674
0
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
675
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
676
0
    }
677
678
0
    while (length--) {
679
0
        if (n == 0) {
680
0
            mbedtls_aria_crypt_ecb(ctx, nonce_counter,
681
0
                                   stream_block);
682
683
0
            for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
684
0
                if (++nonce_counter[i - 1] != 0) {
685
0
                    break;
686
0
                }
687
0
            }
688
0
        }
689
0
        c = *input++;
690
0
        *output++ = (unsigned char) (c ^ stream_block[n]);
691
692
0
        n = (n + 1) & 0x0F;
693
0
    }
694
695
0
    *nc_off = n;
696
697
0
    return 0;
698
0
}
699
#endif /* MBEDTLS_CIPHER_MODE_CTR */
700
#endif /* !MBEDTLS_ARIA_ALT */
701
702
#if defined(MBEDTLS_SELF_TEST)
703
704
/*
705
 * Basic ARIA ECB test vectors from RFC 5794
706
 */
707
static const uint8_t aria_test1_ecb_key[32] =           // test key
708
{
709
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
710
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
711
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
712
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
713
};
714
715
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
716
{
717
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
718
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
719
};
720
721
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
722
{
723
    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
724
      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
725
    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
726
      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
727
    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
728
      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
729
};
730
731
/*
732
 * Mode tests from "Test Vectors for ARIA"  Version 1.0
733
 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
734
 */
735
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
736
    defined(MBEDTLS_CIPHER_MODE_CTR))
737
static const uint8_t aria_test2_key[32] =
738
{
739
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
740
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
741
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
742
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
743
};
744
745
static const uint8_t aria_test2_pt[48] =
746
{
747
    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
748
    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
749
    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
750
    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
751
    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
752
    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
753
};
754
#endif
755
756
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
757
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
758
{
759
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
760
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
761
};
762
#endif
763
764
#if defined(MBEDTLS_CIPHER_MODE_CBC)
765
static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
766
{
767
    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
768
      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
769
      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
770
      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
771
      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
772
      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
773
    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
774
      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
775
      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
776
      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
777
      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
778
      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
779
    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
780
      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
781
      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
782
      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
783
      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
784
      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
785
};
786
#endif /* MBEDTLS_CIPHER_MODE_CBC */
787
788
#if defined(MBEDTLS_CIPHER_MODE_CFB)
789
static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
790
{
791
    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
792
      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
793
      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
794
      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
795
      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
796
      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
797
    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
798
      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
799
      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
800
      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
801
      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
802
      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
803
    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
804
      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
805
      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
806
      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
807
      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
808
      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
809
};
810
#endif /* MBEDTLS_CIPHER_MODE_CFB */
811
812
#if defined(MBEDTLS_CIPHER_MODE_CTR)
813
static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
814
{
815
    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
816
      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
817
      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
818
      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
819
      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
820
      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
821
    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
822
      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
823
      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
824
      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
825
      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
826
      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
827
    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
828
      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
829
      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
830
      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
831
      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
832
      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
833
};
834
#endif /* MBEDTLS_CIPHER_MODE_CFB */
835
836
#define ARIA_SELF_TEST_ASSERT(cond)                   \
837
0
    do {                                            \
838
0
        if (cond) {                                \
839
0
            if (verbose)                           \
840
0
            mbedtls_printf("failed\n");       \
841
0
            goto exit;                              \
842
0
        } else {                                    \
843
0
            if (verbose)                           \
844
0
            mbedtls_printf("passed\n");       \
845
0
        }                                           \
846
0
    } while (0)
847
848
/*
849
 * Checkup routine
850
 */
851
int mbedtls_aria_self_test(int verbose)
852
0
{
853
0
    int i;
854
0
    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
855
0
    mbedtls_aria_context ctx;
856
0
    int ret = 1;
857
858
0
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
859
0
    size_t j;
860
0
#endif
861
862
0
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
863
0
    defined(MBEDTLS_CIPHER_MODE_CFB) || \
864
0
    defined(MBEDTLS_CIPHER_MODE_CTR))
865
0
    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
866
0
#endif
867
868
0
    mbedtls_aria_init(&ctx);
869
870
    /*
871
     * Test set 1
872
     */
873
0
    for (i = 0; i < 3; i++) {
874
        /* test ECB encryption */
875
0
        if (verbose) {
876
0
            mbedtls_printf("  ARIA-ECB-%d (enc): ", 128 + 64 * i);
877
0
        }
878
0
        mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
879
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
880
0
        ARIA_SELF_TEST_ASSERT(
881
0
            memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
882
0
            != 0);
883
884
        /* test ECB decryption */
885
0
        if (verbose) {
886
0
            mbedtls_printf("  ARIA-ECB-%d (dec): ", 128 + 64 * i);
887
0
        }
888
0
        mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
889
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
890
0
        ARIA_SELF_TEST_ASSERT(
891
0
            memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
892
0
            != 0);
893
0
    }
894
0
    if (verbose) {
895
0
        mbedtls_printf("\n");
896
0
    }
897
898
    /*
899
     * Test set 2
900
     */
901
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
902
0
    for (i = 0; i < 3; i++) {
903
        /* Test CBC encryption */
904
0
        if (verbose) {
905
0
            mbedtls_printf("  ARIA-CBC-%d (enc): ", 128 + 64 * i);
906
0
        }
907
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
908
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909
0
        memset(buf, 0x55, sizeof(buf));
910
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
911
0
                               aria_test2_pt, buf);
912
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
913
0
                              != 0);
914
915
        /* Test CBC decryption */
916
0
        if (verbose) {
917
0
            mbedtls_printf("  ARIA-CBC-%d (dec): ", 128 + 64 * i);
918
0
        }
919
0
        mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
920
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
921
0
        memset(buf, 0xAA, sizeof(buf));
922
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
923
0
                               aria_test2_cbc_ct[i], buf);
924
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
925
0
    }
926
0
    if (verbose) {
927
0
        mbedtls_printf("\n");
928
0
    }
929
930
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
931
932
0
#if defined(MBEDTLS_CIPHER_MODE_CFB)
933
0
    for (i = 0; i < 3; i++) {
934
        /* Test CFB encryption */
935
0
        if (verbose) {
936
0
            mbedtls_printf("  ARIA-CFB-%d (enc): ", 128 + 64 * i);
937
0
        }
938
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940
0
        memset(buf, 0x55, sizeof(buf));
941
0
        j = 0;
942
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
943
0
                                  aria_test2_pt, buf);
944
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
945
946
        /* Test CFB decryption */
947
0
        if (verbose) {
948
0
            mbedtls_printf("  ARIA-CFB-%d (dec): ", 128 + 64 * i);
949
0
        }
950
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
951
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
952
0
        memset(buf, 0xAA, sizeof(buf));
953
0
        j = 0;
954
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
955
0
                                  iv, aria_test2_cfb_ct[i], buf);
956
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
957
0
    }
958
0
    if (verbose) {
959
0
        mbedtls_printf("\n");
960
0
    }
961
0
#endif /* MBEDTLS_CIPHER_MODE_CFB */
962
963
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
964
0
    for (i = 0; i < 3; i++) {
965
        /* Test CTR encryption */
966
0
        if (verbose) {
967
0
            mbedtls_printf("  ARIA-CTR-%d (enc): ", 128 + 64 * i);
968
0
        }
969
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
971
0
        memset(buf, 0x55, sizeof(buf));
972
0
        j = 0;
973
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974
0
                               aria_test2_pt, buf);
975
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
976
977
        /* Test CTR decryption */
978
0
        if (verbose) {
979
0
            mbedtls_printf("  ARIA-CTR-%d (dec): ", 128 + 64 * i);
980
0
        }
981
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
982
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
983
0
        memset(buf, 0xAA, sizeof(buf));
984
0
        j = 0;
985
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
986
0
                               aria_test2_ctr_ct[i], buf);
987
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
988
0
    }
989
0
    if (verbose) {
990
0
        mbedtls_printf("\n");
991
0
    }
992
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
993
994
0
    ret = 0;
995
996
0
exit:
997
0
    mbedtls_aria_free(&ctx);
998
0
    return ret;
999
0
}
1000
1001
#endif /* MBEDTLS_SELF_TEST */
1002
1003
#endif /* MBEDTLS_ARIA_C */