Coverage Report

Created: 2024-11-21 07:03

/src/mbedtls/library/aria.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  ARIA implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
/*
9
 * This implementation is based on the following standards:
10
 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11
 * [2] https://tools.ietf.org/html/rfc5794
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_ARIA_C)
17
18
#include "mbedtls/aria.h"
19
20
#include <string.h>
21
22
#include "mbedtls/platform.h"
23
24
#if !defined(MBEDTLS_ARIA_ALT)
25
26
#include "mbedtls/platform_util.h"
27
28
/*
29
 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
30
 *
31
 * This is submatrix P1 in [1] Appendix B.1
32
 *
33
 * Common compilers fail to translate this to minimal number of instructions,
34
 * so let's provide asm versions for common platforms with C fallback.
35
 */
36
#if defined(MBEDTLS_HAVE_ASM)
37
#if defined(__arm__) /* rev16 available from v6 up */
38
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39
#if defined(__GNUC__) && \
40
    (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
41
    __ARM_ARCH >= 6
42
static inline uint32_t aria_p1(uint32_t x)
43
{
44
    uint32_t r;
45
    __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46
    return r;
47
}
48
#define ARIA_P1 aria_p1
49
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
50
    (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51
static inline uint32_t aria_p1(uint32_t x)
52
{
53
    uint32_t r;
54
    __asm("rev16 r, x");
55
    return r;
56
}
57
#define ARIA_P1 aria_p1
58
#endif
59
#endif /* arm */
60
#if defined(__GNUC__) && \
61
    defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
62
/* I couldn't find an Intel equivalent of rev16, so two instructions */
63
142k
#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
64
#endif /* x86 gnuc */
65
#endif /* MBEDTLS_HAVE_ASM && GNUC */
66
#if !defined(ARIA_P1)
67
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
68
#endif
69
70
/*
71
 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72
 *
73
 * This is submatrix P2 in [1] Appendix B.1
74
 *
75
 * Common compilers will translate this to a single instruction.
76
 */
77
285k
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
78
79
/*
80
 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81
 *
82
 * This is submatrix P3 in [1] Appendix B.1
83
 */
84
13.0k
#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
85
86
/*
87
 * ARIA Affine Transform
88
 * (a, b, c, d) = state in/out
89
 *
90
 * If we denote the first byte of input by 0, ..., the last byte by f,
91
 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92
 *
93
 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
94
 * rearrangements on adjacent pairs, output is:
95
 *
96
 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97
 *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
98
 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
99
 *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
100
 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
101
 *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
102
 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
103
 *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104
 *
105
 * Note: another presentation of the A transform can be found as the first
106
 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107
 * The implementation below uses only P1 and P2 as they are sufficient.
108
 */
109
static inline void aria_a(uint32_t *a, uint32_t *b,
110
                          uint32_t *c, uint32_t *d)
111
20.4k
{
112
20.4k
    uint32_t ta, tb, tc;
113
20.4k
    ta  =  *b;                      // 4567
114
20.4k
    *b  =  *a;                      // 0123
115
20.4k
    *a  =  ARIA_P2(ta);             // 6745
116
20.4k
    tb  =  ARIA_P2(*d);             // efcd
117
20.4k
    *d  =  ARIA_P1(*c);             // 98ba
118
20.4k
    *c  =  ARIA_P1(tb);             // fedc
119
20.4k
    ta  ^= *d;                      // 4567+98ba
120
20.4k
    tc  =  ARIA_P2(*b);             // 2301
121
20.4k
    ta  =  ARIA_P1(ta) ^ tc ^ *c;   // 2301+5476+89ab+fedc
122
20.4k
    tb  ^= ARIA_P2(*d);             // ba98+efcd
123
20.4k
    tc  ^= ARIA_P1(*a);             // 2301+7654
124
20.4k
    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
125
20.4k
    tb  =  ARIA_P2(tb) ^ ta;        // 2301+5476+89ab+98ba+cdef+fedc
126
20.4k
    *a  ^= ARIA_P1(tb);             // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127
20.4k
    ta  =  ARIA_P2(ta);             // 0123+7654+ab89+dcfe
128
20.4k
    *d  ^= ARIA_P1(ta) ^ tc;        // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129
20.4k
    tc  =  ARIA_P2(tc);             // 0123+5476
130
20.4k
    *c  ^= ARIA_P1(tc) ^ ta;        // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
131
20.4k
}
132
133
/*
134
 * ARIA Substitution Layer SL1 / SL2
135
 * (a, b, c, d) = state in/out
136
 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
137
 *
138
 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139
 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
140
 */
141
static inline void aria_sl(uint32_t *a, uint32_t *b,
142
                           uint32_t *c, uint32_t *d,
143
                           const uint8_t sa[256], const uint8_t sb[256],
144
                           const uint8_t sc[256], const uint8_t sd[256])
145
22.1k
{
146
22.1k
    *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147
22.1k
         (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) <<  8) ^
148
22.1k
         (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149
22.1k
         (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150
22.1k
    *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151
22.1k
         (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) <<  8) ^
152
22.1k
         (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153
22.1k
         (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154
22.1k
    *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155
22.1k
         (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) <<  8) ^
156
22.1k
         (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157
22.1k
         (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158
22.1k
    *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159
22.1k
         (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) <<  8) ^
160
22.1k
         (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161
22.1k
         (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
162
22.1k
}
163
164
/*
165
 * S-Boxes
166
 */
167
static const uint8_t aria_sb1[256] =
168
{
169
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170
    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174
    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176
    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180
    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182
    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186
    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188
    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190
    0xB0, 0x54, 0xBB, 0x16
191
};
192
193
static const uint8_t aria_sb2[256] =
194
{
195
    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196
    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197
    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198
    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199
    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200
    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201
    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202
    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203
    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204
    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205
    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206
    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207
    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208
    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209
    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210
    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211
    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212
    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213
    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214
    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215
    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216
    0xAF, 0xBA, 0xB5, 0x81
217
};
218
219
static const uint8_t aria_is1[256] =
220
{
221
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222
    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224
    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226
    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228
    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230
    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232
    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234
    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236
    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238
    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240
    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242
    0x55, 0x21, 0x0C, 0x7D
243
};
244
245
static const uint8_t aria_is2[256] =
246
{
247
    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248
    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249
    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250
    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251
    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252
    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253
    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254
    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255
    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256
    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257
    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258
    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259
    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260
    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261
    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262
    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263
    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264
    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265
    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266
    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267
    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268
    0x03, 0xA2, 0xAC, 0x60
269
};
270
271
/*
272
 * Helper for key schedule: r = FO( p, k ) ^ x
273
 */
274
static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275
                        const uint32_t k[4], const uint32_t x[4])
276
170
{
277
170
    uint32_t a, b, c, d;
278
279
170
    a = p[0] ^ k[0];
280
170
    b = p[1] ^ k[1];
281
170
    c = p[2] ^ k[2];
282
170
    d = p[3] ^ k[3];
283
284
170
    aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285
170
    aria_a(&a, &b, &c, &d);
286
287
170
    r[0] = a ^ x[0];
288
170
    r[1] = b ^ x[1];
289
170
    r[2] = c ^ x[2];
290
170
    r[3] = d ^ x[3];
291
170
}
292
293
/*
294
 * Helper for key schedule: r = FE( p, k ) ^ x
295
 */
296
static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297
                        const uint32_t k[4], const uint32_t x[4])
298
85
{
299
85
    uint32_t a, b, c, d;
300
301
85
    a = p[0] ^ k[0];
302
85
    b = p[1] ^ k[1];
303
85
    c = p[2] ^ k[2];
304
85
    d = p[3] ^ k[3];
305
306
85
    aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307
85
    aria_a(&a, &b, &c, &d);
308
309
85
    r[0] = a ^ x[0];
310
85
    r[1] = b ^ x[1];
311
85
    r[2] = c ^ x[2];
312
85
    r[3] = d ^ x[3];
313
85
}
314
315
/*
316
 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317
 *
318
 * We chose to store bytes into 32-bit words in little-endian format (see
319
 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320
 * bytes here.
321
 */
322
static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323
                        const uint32_t b[4], uint8_t n)
324
1.44k
{
325
1.44k
    uint8_t i, j;
326
1.44k
    uint32_t t, u;
327
328
1.44k
    const uint8_t n1 = n % 32;              // bit offset
329
1.44k
    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
330
331
1.44k
    j = (n / 32) % 4;                       // initial word offset
332
1.44k
    t = ARIA_P3(b[j]);                      // big endian
333
7.22k
    for (i = 0; i < 4; i++) {
334
5.78k
        j = (j + 1) % 4;                    // get next word, big endian
335
5.78k
        u = ARIA_P3(b[j]);
336
5.78k
        t <<= n1;                           // rotate
337
5.78k
        t |= u >> n2;
338
5.78k
        t = ARIA_P3(t);                     // back to little endian
339
5.78k
        r[i] = a[i] ^ t;                    // store
340
5.78k
        t = u;                              // move to next word
341
5.78k
    }
342
1.44k
}
343
344
/*
345
 * Set encryption key
346
 */
347
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348
                            const unsigned char *key, unsigned int keybits)
349
85
{
350
    /* round constant masks */
351
85
    const uint32_t rc[3][4] =
352
85
    {
353
85
        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
354
85
        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
355
85
        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
356
85
    };
357
358
85
    int i;
359
85
    uint32_t w[4][4], *w2;
360
361
85
    if (keybits != 128 && keybits != 192 && keybits != 256) {
362
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363
0
    }
364
365
    /* Copy key to W0 (and potential remainder to W1) */
366
85
    w[0][0] = MBEDTLS_GET_UINT32_LE(key,  0);
367
85
    w[0][1] = MBEDTLS_GET_UINT32_LE(key,  4);
368
85
    w[0][2] = MBEDTLS_GET_UINT32_LE(key,  8);
369
85
    w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
370
371
85
    memset(w[1], 0, 16);
372
85
    if (keybits >= 192) {
373
26
        w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16);    // 192 bit key
374
26
        w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
375
26
    }
376
85
    if (keybits == 256) {
377
10
        w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24);    // 256 bit key
378
10
        w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
379
10
    }
380
381
85
    i = (keybits - 128) >> 6;               // index: 0, 1, 2
382
85
    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
383
384
85
    aria_fo_xor(w[1], w[0], rc[i], w[1]);   // W1 = FO(W0, CK1) ^ KR
385
85
    i = i < 2 ? i + 1 : 0;
386
85
    aria_fe_xor(w[2], w[1], rc[i], w[0]);   // W2 = FE(W1, CK2) ^ W0
387
85
    i = i < 2 ? i + 1 : 0;
388
85
    aria_fo_xor(w[3], w[2], rc[i], w[1]);   // W3 = FO(W2, CK3) ^ W1
389
390
425
    for (i = 0; i < 4; i++) {               // create round keys
391
340
        w2 = w[(i + 1) & 3];
392
340
        aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393
340
        aria_rot128(ctx->rk[i +  4], w[i], w2, 128 - 31);
394
340
        aria_rot128(ctx->rk[i +  8], w[i], w2,       61);
395
340
        aria_rot128(ctx->rk[i + 12], w[i], w2,       31);
396
340
    }
397
85
    aria_rot128(ctx->rk[16], w[0], w[1], 19);
398
399
    /* w holds enough info to reconstruct the round keys */
400
85
    mbedtls_platform_zeroize(w, sizeof(w));
401
402
85
    return 0;
403
85
}
404
405
/*
406
 * Set decryption key
407
 */
408
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
409
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410
                            const unsigned char *key, unsigned int keybits)
411
7
{
412
7
    int i, j, k, ret;
413
414
7
    ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415
7
    if (ret != 0) {
416
0
        return ret;
417
0
    }
418
419
    /* flip the order of round keys */
420
54
    for (i = 0, j = ctx->nr; i < j; i++, j--) {
421
235
        for (k = 0; k < 4; k++) {
422
188
            uint32_t t = ctx->rk[i][k];
423
188
            ctx->rk[i][k] = ctx->rk[j][k];
424
188
            ctx->rk[j][k] = t;
425
188
        }
426
47
    }
427
428
    /* apply affine transform to middle keys */
429
94
    for (i = 1; i < ctx->nr; i++) {
430
87
        aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431
87
               &ctx->rk[i][2], &ctx->rk[i][3]);
432
87
    }
433
434
7
    return 0;
435
7
}
436
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
437
438
/*
439
 * Encrypt a block
440
 */
441
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442
                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443
                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
444
1.81k
{
445
1.81k
    int i;
446
447
1.81k
    uint32_t a, b, c, d;
448
449
1.81k
    a = MBEDTLS_GET_UINT32_LE(input,  0);
450
1.81k
    b = MBEDTLS_GET_UINT32_LE(input,  4);
451
1.81k
    c = MBEDTLS_GET_UINT32_LE(input,  8);
452
1.81k
    d = MBEDTLS_GET_UINT32_LE(input, 12);
453
454
1.81k
    i = 0;
455
10.9k
    while (1) {
456
10.9k
        a ^= ctx->rk[i][0];
457
10.9k
        b ^= ctx->rk[i][1];
458
10.9k
        c ^= ctx->rk[i][2];
459
10.9k
        d ^= ctx->rk[i][3];
460
10.9k
        i++;
461
462
10.9k
        aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463
10.9k
        aria_a(&a, &b, &c, &d);
464
465
10.9k
        a ^= ctx->rk[i][0];
466
10.9k
        b ^= ctx->rk[i][1];
467
10.9k
        c ^= ctx->rk[i][2];
468
10.9k
        d ^= ctx->rk[i][3];
469
10.9k
        i++;
470
471
10.9k
        aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472
10.9k
        if (i >= ctx->nr) {
473
1.81k
            break;
474
1.81k
        }
475
9.12k
        aria_a(&a, &b, &c, &d);
476
9.12k
    }
477
478
    /* final key mixing */
479
1.81k
    a ^= ctx->rk[i][0];
480
1.81k
    b ^= ctx->rk[i][1];
481
1.81k
    c ^= ctx->rk[i][2];
482
1.81k
    d ^= ctx->rk[i][3];
483
484
1.81k
    MBEDTLS_PUT_UINT32_LE(a, output,  0);
485
1.81k
    MBEDTLS_PUT_UINT32_LE(b, output,  4);
486
1.81k
    MBEDTLS_PUT_UINT32_LE(c, output,  8);
487
1.81k
    MBEDTLS_PUT_UINT32_LE(d, output, 12);
488
489
1.81k
    return 0;
490
1.81k
}
491
492
/* Initialize context */
493
void mbedtls_aria_init(mbedtls_aria_context *ctx)
494
150
{
495
150
    memset(ctx, 0, sizeof(mbedtls_aria_context));
496
150
}
497
498
/* Clear context */
499
void mbedtls_aria_free(mbedtls_aria_context *ctx)
500
150
{
501
150
    if (ctx == NULL) {
502
0
        return;
503
0
    }
504
505
150
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
506
150
}
507
508
#if defined(MBEDTLS_CIPHER_MODE_CBC)
509
/*
510
 * ARIA-CBC buffer encryption/decryption
511
 */
512
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513
                           int mode,
514
                           size_t length,
515
                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516
                           const unsigned char *input,
517
                           unsigned char *output)
518
0
{
519
0
    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
520
521
0
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523
0
    }
524
525
0
    if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526
0
        return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527
0
    }
528
529
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
530
0
        while (length > 0) {
531
0
            memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532
0
            mbedtls_aria_crypt_ecb(ctx, input, output);
533
534
0
            mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
535
536
0
            memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
537
538
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
539
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
540
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
541
0
        }
542
0
    } else {
543
0
        while (length > 0) {
544
0
            mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
545
546
0
            mbedtls_aria_crypt_ecb(ctx, output, output);
547
0
            memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
548
549
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
550
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
551
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
552
0
        }
553
0
    }
554
555
0
    return 0;
556
0
}
557
#endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559
#if defined(MBEDTLS_CIPHER_MODE_CFB)
560
/*
561
 * ARIA-CFB128 buffer encryption/decryption
562
 */
563
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564
                              int mode,
565
                              size_t length,
566
                              size_t *iv_off,
567
                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568
                              const unsigned char *input,
569
                              unsigned char *output)
570
0
{
571
0
    unsigned char c;
572
0
    size_t n;
573
574
0
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576
0
    }
577
578
0
    n = *iv_off;
579
580
    /* An overly large value of n can lead to an unlimited
581
     * buffer overflow. */
582
0
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
583
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
584
0
    }
585
586
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
587
0
        while (length--) {
588
0
            if (n == 0) {
589
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
590
0
            }
591
592
0
            c = *input++;
593
0
            *output++ = c ^ iv[n];
594
0
            iv[n] = c;
595
596
0
            n = (n + 1) & 0x0F;
597
0
        }
598
0
    } else {
599
0
        while (length--) {
600
0
            if (n == 0) {
601
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
602
0
            }
603
604
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
605
606
0
            n = (n + 1) & 0x0F;
607
0
        }
608
0
    }
609
610
0
    *iv_off = n;
611
612
0
    return 0;
613
0
}
614
#endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616
#if defined(MBEDTLS_CIPHER_MODE_CTR)
617
/*
618
 * ARIA-CTR buffer encryption/decryption
619
 */
620
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
621
                           size_t length,
622
                           size_t *nc_off,
623
                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
624
                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
625
                           const unsigned char *input,
626
                           unsigned char *output)
627
8
{
628
8
    int c, i;
629
8
    size_t n;
630
631
8
    n = *nc_off;
632
    /* An overly large value of n can lead to an unlimited
633
     * buffer overflow. */
634
8
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
635
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
636
0
    }
637
638
383
    while (length--) {
639
375
        if (n == 0) {
640
24
            mbedtls_aria_crypt_ecb(ctx, nonce_counter,
641
24
                                   stream_block);
642
643
24
            for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
644
24
                if (++nonce_counter[i - 1] != 0) {
645
24
                    break;
646
24
                }
647
24
            }
648
24
        }
649
375
        c = *input++;
650
375
        *output++ = (unsigned char) (c ^ stream_block[n]);
651
652
375
        n = (n + 1) & 0x0F;
653
375
    }
654
655
8
    *nc_off = n;
656
657
8
    return 0;
658
8
}
659
#endif /* MBEDTLS_CIPHER_MODE_CTR */
660
#endif /* !MBEDTLS_ARIA_ALT */
661
662
#if defined(MBEDTLS_SELF_TEST)
663
664
/*
665
 * Basic ARIA ECB test vectors from RFC 5794
666
 */
667
static const uint8_t aria_test1_ecb_key[32] =           // test key
668
{
669
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
670
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
671
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
672
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
673
};
674
675
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
676
{
677
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
678
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
679
};
680
681
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
682
{
683
    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
684
      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
685
    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
686
      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
687
    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
688
      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
689
};
690
691
/*
692
 * Mode tests from "Test Vectors for ARIA"  Version 1.0
693
 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
694
 */
695
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
696
    defined(MBEDTLS_CIPHER_MODE_CTR))
697
static const uint8_t aria_test2_key[32] =
698
{
699
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
700
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
701
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
702
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
703
};
704
705
static const uint8_t aria_test2_pt[48] =
706
{
707
    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
708
    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
709
    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
710
    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
711
    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
712
    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
713
};
714
#endif
715
716
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
717
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
718
{
719
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
720
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
721
};
722
#endif
723
724
#if defined(MBEDTLS_CIPHER_MODE_CBC)
725
static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
726
{
727
    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
728
      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
729
      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
730
      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
731
      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
732
      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
733
    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
734
      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
735
      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
736
      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
737
      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
738
      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
739
    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
740
      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
741
      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
742
      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
743
      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
744
      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
745
};
746
#endif /* MBEDTLS_CIPHER_MODE_CBC */
747
748
#if defined(MBEDTLS_CIPHER_MODE_CFB)
749
static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
750
{
751
    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
752
      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
753
      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
754
      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
755
      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
756
      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
757
    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
758
      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
759
      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
760
      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
761
      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
762
      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
763
    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
764
      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
765
      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
766
      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
767
      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
768
      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
769
};
770
#endif /* MBEDTLS_CIPHER_MODE_CFB */
771
772
#if defined(MBEDTLS_CIPHER_MODE_CTR)
773
static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
774
{
775
    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
776
      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
777
      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
778
      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
779
      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
780
      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
781
    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
782
      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
783
      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
784
      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
785
      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
786
      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
787
    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
788
      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
789
      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
790
      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
791
      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
792
      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
793
};
794
#endif /* MBEDTLS_CIPHER_MODE_CFB */
795
796
#define ARIA_SELF_TEST_ASSERT(cond)                   \
797
0
    do {                                            \
798
0
        if (cond) {                                \
799
0
            if (verbose)                           \
800
0
            mbedtls_printf("failed\n");       \
801
0
            goto exit;                              \
802
0
        } else {                                    \
803
0
            if (verbose)                           \
804
0
            mbedtls_printf("passed\n");       \
805
0
        }                                           \
806
0
    } while (0)
807
808
/*
809
 * Checkup routine
810
 */
811
int mbedtls_aria_self_test(int verbose)
812
0
{
813
0
    int i;
814
0
    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
815
0
    mbedtls_aria_context ctx;
816
0
    int ret = 1;
817
818
0
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
819
0
    size_t j;
820
0
#endif
821
822
0
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
823
0
    defined(MBEDTLS_CIPHER_MODE_CFB) || \
824
0
    defined(MBEDTLS_CIPHER_MODE_CTR))
825
0
    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
826
0
#endif
827
828
0
    mbedtls_aria_init(&ctx);
829
830
    /*
831
     * Test set 1
832
     */
833
0
    for (i = 0; i < 3; i++) {
834
        /* test ECB encryption */
835
0
        if (verbose) {
836
0
            mbedtls_printf("  ARIA-ECB-%d (enc): ", 128 + 64 * i);
837
0
        }
838
0
        mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
839
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
840
0
        ARIA_SELF_TEST_ASSERT(
841
0
            memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
842
0
            != 0);
843
844
        /* test ECB decryption */
845
0
        if (verbose) {
846
0
            mbedtls_printf("  ARIA-ECB-%d (dec): ", 128 + 64 * i);
847
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
848
            mbedtls_printf("skipped\n");
849
#endif
850
0
        }
851
852
0
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
853
0
        mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
854
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
855
0
        ARIA_SELF_TEST_ASSERT(
856
0
            memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
857
0
            != 0);
858
0
#endif
859
0
    }
860
0
    if (verbose) {
861
0
        mbedtls_printf("\n");
862
0
    }
863
864
    /*
865
     * Test set 2
866
     */
867
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
868
0
    for (i = 0; i < 3; i++) {
869
        /* Test CBC encryption */
870
0
        if (verbose) {
871
0
            mbedtls_printf("  ARIA-CBC-%d (enc): ", 128 + 64 * i);
872
0
        }
873
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
874
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
875
0
        memset(buf, 0x55, sizeof(buf));
876
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
877
0
                               aria_test2_pt, buf);
878
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
879
0
                              != 0);
880
881
        /* Test CBC decryption */
882
0
        if (verbose) {
883
0
            mbedtls_printf("  ARIA-CBC-%d (dec): ", 128 + 64 * i);
884
0
        }
885
0
        mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
886
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
887
0
        memset(buf, 0xAA, sizeof(buf));
888
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
889
0
                               aria_test2_cbc_ct[i], buf);
890
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
891
0
    }
892
0
    if (verbose) {
893
0
        mbedtls_printf("\n");
894
0
    }
895
896
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
897
898
0
#if defined(MBEDTLS_CIPHER_MODE_CFB)
899
0
    for (i = 0; i < 3; i++) {
900
        /* Test CFB encryption */
901
0
        if (verbose) {
902
0
            mbedtls_printf("  ARIA-CFB-%d (enc): ", 128 + 64 * i);
903
0
        }
904
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
905
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
906
0
        memset(buf, 0x55, sizeof(buf));
907
0
        j = 0;
908
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
909
0
                                  aria_test2_pt, buf);
910
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
911
912
        /* Test CFB decryption */
913
0
        if (verbose) {
914
0
            mbedtls_printf("  ARIA-CFB-%d (dec): ", 128 + 64 * i);
915
0
        }
916
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
917
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
918
0
        memset(buf, 0xAA, sizeof(buf));
919
0
        j = 0;
920
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
921
0
                                  iv, aria_test2_cfb_ct[i], buf);
922
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
923
0
    }
924
0
    if (verbose) {
925
0
        mbedtls_printf("\n");
926
0
    }
927
0
#endif /* MBEDTLS_CIPHER_MODE_CFB */
928
929
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
930
0
    for (i = 0; i < 3; i++) {
931
        /* Test CTR encryption */
932
0
        if (verbose) {
933
0
            mbedtls_printf("  ARIA-CTR-%d (enc): ", 128 + 64 * i);
934
0
        }
935
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
936
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
937
0
        memset(buf, 0x55, sizeof(buf));
938
0
        j = 0;
939
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
940
0
                               aria_test2_pt, buf);
941
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
942
943
        /* Test CTR decryption */
944
0
        if (verbose) {
945
0
            mbedtls_printf("  ARIA-CTR-%d (dec): ", 128 + 64 * i);
946
0
        }
947
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
948
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
949
0
        memset(buf, 0xAA, sizeof(buf));
950
0
        j = 0;
951
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
952
0
                               aria_test2_ctr_ct[i], buf);
953
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
954
0
    }
955
0
    if (verbose) {
956
0
        mbedtls_printf("\n");
957
0
    }
958
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
959
960
0
    ret = 0;
961
962
0
exit:
963
0
    mbedtls_aria_free(&ctx);
964
0
    return ret;
965
0
}
966
967
#endif /* MBEDTLS_SELF_TEST */
968
969
#endif /* MBEDTLS_ARIA_C */