Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/aria.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  ARIA implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
/*
9
 * This implementation is based on the following standards:
10
 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11
 * [2] https://tools.ietf.org/html/rfc5794
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_ARIA_C)
17
18
#include "mbedtls/aria.h"
19
20
#include <string.h>
21
22
#include "mbedtls/platform.h"
23
24
#if !defined(MBEDTLS_ARIA_ALT)
25
26
#include "mbedtls/platform_util.h"
27
28
/*
29
 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
30
 *
31
 * This is submatrix P1 in [1] Appendix B.1
32
 *
33
 * Common compilers fail to translate this to minimal number of instructions,
34
 * so let's provide asm versions for common platforms with C fallback.
35
 */
36
#if defined(MBEDTLS_HAVE_ASM)
37
#if defined(__arm__) /* rev16 available from v6 up */
38
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39
#if defined(__GNUC__) && \
40
    (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
41
    __ARM_ARCH >= 6
42
static inline uint32_t aria_p1(uint32_t x)
43
{
44
    uint32_t r;
45
    __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46
    return r;
47
}
48
#define ARIA_P1 aria_p1
49
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
50
    (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51
static inline uint32_t aria_p1(uint32_t x)
52
{
53
    uint32_t r;
54
    __asm("rev16 r, x");
55
    return r;
56
}
57
#define ARIA_P1 aria_p1
58
#endif
59
#endif /* arm */
60
#if defined(__GNUC__) && \
61
    defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
62
/* I couldn't find an Intel equivalent of rev16, so two instructions */
63
0
#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
64
#endif /* x86 gnuc */
65
#endif /* MBEDTLS_HAVE_ASM && GNUC */
66
#if !defined(ARIA_P1)
67
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
68
#endif
69
70
/*
71
 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72
 *
73
 * This is submatrix P2 in [1] Appendix B.1
74
 *
75
 * Common compilers will translate this to a single instruction.
76
 */
77
0
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
78
79
/*
80
 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81
 *
82
 * This is submatrix P3 in [1] Appendix B.1
83
 */
84
0
#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
85
86
/*
87
 * ARIA Affine Transform
88
 * (a, b, c, d) = state in/out
89
 *
90
 * If we denote the first byte of input by 0, ..., the last byte by f,
91
 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92
 *
93
 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
94
 * rearrangements on adjacent pairs, output is:
95
 *
96
 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97
 *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
98
 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
99
 *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
100
 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
101
 *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
102
 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
103
 *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104
 *
105
 * Note: another presentation of the A transform can be found as the first
106
 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107
 * The implementation below uses only P1 and P2 as they are sufficient.
108
 */
109
static inline void aria_a(uint32_t *a, uint32_t *b,
110
                          uint32_t *c, uint32_t *d)
111
0
{
112
0
    uint32_t ta, tb, tc;
113
0
    ta  =  *b;                      // 4567
114
0
    *b  =  *a;                      // 0123
115
0
    *a  =  ARIA_P2(ta);             // 6745
116
0
    tb  =  ARIA_P2(*d);             // efcd
117
0
    *d  =  ARIA_P1(*c);             // 98ba
118
0
    *c  =  ARIA_P1(tb);             // fedc
119
0
    ta  ^= *d;                      // 4567+98ba
120
0
    tc  =  ARIA_P2(*b);             // 2301
121
0
    ta  =  ARIA_P1(ta) ^ tc ^ *c;   // 2301+5476+89ab+fedc
122
0
    tb  ^= ARIA_P2(*d);             // ba98+efcd
123
0
    tc  ^= ARIA_P1(*a);             // 2301+7654
124
0
    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
125
0
    tb  =  ARIA_P2(tb) ^ ta;        // 2301+5476+89ab+98ba+cdef+fedc
126
0
    *a  ^= ARIA_P1(tb);             // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127
0
    ta  =  ARIA_P2(ta);             // 0123+7654+ab89+dcfe
128
0
    *d  ^= ARIA_P1(ta) ^ tc;        // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129
0
    tc  =  ARIA_P2(tc);             // 0123+5476
130
0
    *c  ^= ARIA_P1(tc) ^ ta;        // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
131
0
}
132
133
/*
134
 * ARIA Substitution Layer SL1 / SL2
135
 * (a, b, c, d) = state in/out
136
 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
137
 *
138
 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139
 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
140
 */
141
static inline void aria_sl(uint32_t *a, uint32_t *b,
142
                           uint32_t *c, uint32_t *d,
143
                           const uint8_t sa[256], const uint8_t sb[256],
144
                           const uint8_t sc[256], const uint8_t sd[256])
145
0
{
146
0
    *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) <<  8) ^
148
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150
0
    *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) <<  8) ^
152
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154
0
    *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) <<  8) ^
156
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158
0
    *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159
0
         (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) <<  8) ^
160
0
         (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161
0
         (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
162
0
}
163
164
/*
165
 * S-Boxes
166
 */
167
static const uint8_t aria_sb1[256] =
168
{
169
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170
    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174
    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176
    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180
    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182
    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186
    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188
    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190
    0xB0, 0x54, 0xBB, 0x16
191
};
192
193
static const uint8_t aria_sb2[256] =
194
{
195
    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196
    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197
    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198
    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199
    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200
    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201
    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202
    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203
    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204
    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205
    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206
    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207
    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208
    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209
    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210
    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211
    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212
    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213
    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214
    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215
    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216
    0xAF, 0xBA, 0xB5, 0x81
217
};
218
219
static const uint8_t aria_is1[256] =
220
{
221
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222
    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224
    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226
    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228
    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230
    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232
    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234
    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236
    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238
    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240
    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242
    0x55, 0x21, 0x0C, 0x7D
243
};
244
245
static const uint8_t aria_is2[256] =
246
{
247
    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248
    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249
    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250
    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251
    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252
    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253
    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254
    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255
    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256
    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257
    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258
    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259
    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260
    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261
    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262
    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263
    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264
    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265
    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266
    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267
    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268
    0x03, 0xA2, 0xAC, 0x60
269
};
270
271
/*
272
 * Helper for key schedule: r = FO( p, k ) ^ x
273
 */
274
static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275
                        const uint32_t k[4], const uint32_t x[4])
276
0
{
277
0
    uint32_t a, b, c, d;
278
279
0
    a = p[0] ^ k[0];
280
0
    b = p[1] ^ k[1];
281
0
    c = p[2] ^ k[2];
282
0
    d = p[3] ^ k[3];
283
284
0
    aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285
0
    aria_a(&a, &b, &c, &d);
286
287
0
    r[0] = a ^ x[0];
288
0
    r[1] = b ^ x[1];
289
0
    r[2] = c ^ x[2];
290
0
    r[3] = d ^ x[3];
291
0
}
292
293
/*
294
 * Helper for key schedule: r = FE( p, k ) ^ x
295
 */
296
static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297
                        const uint32_t k[4], const uint32_t x[4])
298
0
{
299
0
    uint32_t a, b, c, d;
300
301
0
    a = p[0] ^ k[0];
302
0
    b = p[1] ^ k[1];
303
0
    c = p[2] ^ k[2];
304
0
    d = p[3] ^ k[3];
305
306
0
    aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307
0
    aria_a(&a, &b, &c, &d);
308
309
0
    r[0] = a ^ x[0];
310
0
    r[1] = b ^ x[1];
311
0
    r[2] = c ^ x[2];
312
0
    r[3] = d ^ x[3];
313
0
}
314
315
/*
316
 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317
 *
318
 * We chose to store bytes into 32-bit words in little-endian format (see
319
 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320
 * bytes here.
321
 */
322
static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323
                        const uint32_t b[4], uint8_t n)
324
0
{
325
0
    uint8_t i, j;
326
0
    uint32_t t, u;
327
328
0
    const uint8_t n1 = n % 32;              // bit offset
329
0
    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
330
331
0
    j = (n / 32) % 4;                       // initial word offset
332
0
    t = ARIA_P3(b[j]);                      // big endian
333
0
    for (i = 0; i < 4; i++) {
334
0
        j = (j + 1) % 4;                    // get next word, big endian
335
0
        u = ARIA_P3(b[j]);
336
0
        t <<= n1;                           // rotate
337
0
        t |= u >> n2;
338
0
        t = ARIA_P3(t);                     // back to little endian
339
0
        r[i] = a[i] ^ t;                    // store
340
0
        t = u;                              // move to next word
341
0
    }
342
0
}
343
344
/*
345
 * Set encryption key
346
 */
347
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348
                            const unsigned char *key, unsigned int keybits)
349
0
{
350
    /* round constant masks */
351
0
    const uint32_t rc[3][4] =
352
0
    {
353
0
        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
354
0
        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
355
0
        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
356
0
    };
357
358
0
    int i;
359
0
    uint32_t w[4][4], *w2;
360
361
0
    if (keybits != 128 && keybits != 192 && keybits != 256) {
362
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363
0
    }
364
365
    /* Copy key to W0 (and potential remainder to W1) */
366
0
    w[0][0] = MBEDTLS_GET_UINT32_LE(key,  0);
367
0
    w[0][1] = MBEDTLS_GET_UINT32_LE(key,  4);
368
0
    w[0][2] = MBEDTLS_GET_UINT32_LE(key,  8);
369
0
    w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
370
371
0
    memset(w[1], 0, 16);
372
0
    if (keybits >= 192) {
373
0
        w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16);    // 192 bit key
374
0
        w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
375
0
    }
376
0
    if (keybits == 256) {
377
0
        w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24);    // 256 bit key
378
0
        w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
379
0
    }
380
381
0
    i = (keybits - 128) >> 6;               // index: 0, 1, 2
382
0
    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
383
384
0
    aria_fo_xor(w[1], w[0], rc[i], w[1]);   // W1 = FO(W0, CK1) ^ KR
385
0
    i = i < 2 ? i + 1 : 0;
386
0
    aria_fe_xor(w[2], w[1], rc[i], w[0]);   // W2 = FE(W1, CK2) ^ W0
387
0
    i = i < 2 ? i + 1 : 0;
388
0
    aria_fo_xor(w[3], w[2], rc[i], w[1]);   // W3 = FO(W2, CK3) ^ W1
389
390
0
    for (i = 0; i < 4; i++) {               // create round keys
391
0
        w2 = w[(i + 1) & 3];
392
0
        aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393
0
        aria_rot128(ctx->rk[i +  4], w[i], w2, 128 - 31);
394
0
        aria_rot128(ctx->rk[i +  8], w[i], w2,       61);
395
0
        aria_rot128(ctx->rk[i + 12], w[i], w2,       31);
396
0
    }
397
0
    aria_rot128(ctx->rk[16], w[0], w[1], 19);
398
399
    /* w holds enough info to reconstruct the round keys */
400
0
    mbedtls_platform_zeroize(w, sizeof(w));
401
402
0
    return 0;
403
0
}
404
405
/*
406
 * Set decryption key
407
 */
408
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
409
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410
                            const unsigned char *key, unsigned int keybits)
411
0
{
412
0
    int i, j, k, ret;
413
414
0
    ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415
0
    if (ret != 0) {
416
0
        return ret;
417
0
    }
418
419
    /* flip the order of round keys */
420
0
    for (i = 0, j = ctx->nr; i < j; i++, j--) {
421
0
        for (k = 0; k < 4; k++) {
422
0
            uint32_t t = ctx->rk[i][k];
423
0
            ctx->rk[i][k] = ctx->rk[j][k];
424
0
            ctx->rk[j][k] = t;
425
0
        }
426
0
    }
427
428
    /* apply affine transform to middle keys */
429
0
    for (i = 1; i < ctx->nr; i++) {
430
0
        aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431
0
               &ctx->rk[i][2], &ctx->rk[i][3]);
432
0
    }
433
434
0
    return 0;
435
0
}
436
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
437
438
/*
439
 * Encrypt a block
440
 */
441
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442
                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443
                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
444
0
{
445
0
    int i;
446
447
0
    uint32_t a, b, c, d;
448
449
0
    a = MBEDTLS_GET_UINT32_LE(input,  0);
450
0
    b = MBEDTLS_GET_UINT32_LE(input,  4);
451
0
    c = MBEDTLS_GET_UINT32_LE(input,  8);
452
0
    d = MBEDTLS_GET_UINT32_LE(input, 12);
453
454
0
    i = 0;
455
0
    while (1) {
456
0
        a ^= ctx->rk[i][0];
457
0
        b ^= ctx->rk[i][1];
458
0
        c ^= ctx->rk[i][2];
459
0
        d ^= ctx->rk[i][3];
460
0
        i++;
461
462
0
        aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463
0
        aria_a(&a, &b, &c, &d);
464
465
0
        a ^= ctx->rk[i][0];
466
0
        b ^= ctx->rk[i][1];
467
0
        c ^= ctx->rk[i][2];
468
0
        d ^= ctx->rk[i][3];
469
0
        i++;
470
471
0
        aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472
0
        if (i >= ctx->nr) {
473
0
            break;
474
0
        }
475
0
        aria_a(&a, &b, &c, &d);
476
0
    }
477
478
    /* final key mixing */
479
0
    a ^= ctx->rk[i][0];
480
0
    b ^= ctx->rk[i][1];
481
0
    c ^= ctx->rk[i][2];
482
0
    d ^= ctx->rk[i][3];
483
484
0
    MBEDTLS_PUT_UINT32_LE(a, output,  0);
485
0
    MBEDTLS_PUT_UINT32_LE(b, output,  4);
486
0
    MBEDTLS_PUT_UINT32_LE(c, output,  8);
487
0
    MBEDTLS_PUT_UINT32_LE(d, output, 12);
488
489
0
    return 0;
490
0
}
491
492
/* Initialize context */
493
void mbedtls_aria_init(mbedtls_aria_context *ctx)
494
0
{
495
0
    memset(ctx, 0, sizeof(mbedtls_aria_context));
496
0
}
497
498
/* Clear context */
499
void mbedtls_aria_free(mbedtls_aria_context *ctx)
500
0
{
501
0
    if (ctx == NULL) {
502
0
        return;
503
0
    }
504
505
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
506
0
}
507
508
#if defined(MBEDTLS_CIPHER_MODE_CBC)
509
/*
510
 * ARIA-CBC buffer encryption/decryption
511
 */
512
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513
                           int mode,
514
                           size_t length,
515
                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516
                           const unsigned char *input,
517
                           unsigned char *output)
518
0
{
519
0
    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
520
521
0
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523
0
    }
524
525
0
    if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526
0
        return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527
0
    }
528
529
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
530
0
        while (length > 0) {
531
0
            memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532
0
            mbedtls_aria_crypt_ecb(ctx, input, output);
533
534
0
            mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
535
536
0
            memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
537
538
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
539
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
540
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
541
0
        }
542
0
    } else {
543
0
        while (length > 0) {
544
0
            mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
545
546
0
            mbedtls_aria_crypt_ecb(ctx, output, output);
547
0
            memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
548
549
0
            input  += MBEDTLS_ARIA_BLOCKSIZE;
550
0
            output += MBEDTLS_ARIA_BLOCKSIZE;
551
0
            length -= MBEDTLS_ARIA_BLOCKSIZE;
552
0
        }
553
0
    }
554
555
0
    return 0;
556
0
}
557
#endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559
#if defined(MBEDTLS_CIPHER_MODE_CFB)
560
/*
561
 * ARIA-CFB128 buffer encryption/decryption
562
 */
563
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564
                              int mode,
565
                              size_t length,
566
                              size_t *iv_off,
567
                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568
                              const unsigned char *input,
569
                              unsigned char *output)
570
0
{
571
0
    unsigned char c;
572
0
    size_t n;
573
574
0
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576
0
    }
577
578
0
    n = *iv_off;
579
580
    /* An overly large value of n can lead to an unlimited
581
     * buffer overflow. */
582
0
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
583
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
584
0
    }
585
586
0
    if (mode == MBEDTLS_ARIA_DECRYPT) {
587
0
        while (length--) {
588
0
            if (n == 0) {
589
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
590
0
            }
591
592
0
            c = *input++;
593
0
            *output++ = c ^ iv[n];
594
0
            iv[n] = c;
595
596
0
            n = (n + 1) & 0x0F;
597
0
        }
598
0
    } else {
599
0
        while (length--) {
600
0
            if (n == 0) {
601
0
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
602
0
            }
603
604
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
605
606
0
            n = (n + 1) & 0x0F;
607
0
        }
608
0
    }
609
610
0
    *iv_off = n;
611
612
0
    return 0;
613
0
}
614
#endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616
#if defined(MBEDTLS_CIPHER_MODE_CTR)
617
/*
618
 * ARIA-CTR buffer encryption/decryption
619
 */
620
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
621
                           size_t length,
622
                           size_t *nc_off,
623
                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
624
                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
625
                           const unsigned char *input,
626
                           unsigned char *output)
627
0
{
628
0
    int c, i;
629
0
    size_t n;
630
631
0
    n = *nc_off;
632
    /* An overly large value of n can lead to an unlimited
633
     * buffer overflow. */
634
0
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
635
0
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
636
0
    }
637
638
0
    while (length--) {
639
0
        if (n == 0) {
640
0
            mbedtls_aria_crypt_ecb(ctx, nonce_counter,
641
0
                                   stream_block);
642
643
0
            for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
644
0
                if (++nonce_counter[i - 1] != 0) {
645
0
                    break;
646
0
                }
647
0
            }
648
0
        }
649
0
        c = *input++;
650
0
        *output++ = (unsigned char) (c ^ stream_block[n]);
651
652
0
        n = (n + 1) & 0x0F;
653
0
    }
654
655
0
    *nc_off = n;
656
657
0
    return 0;
658
0
}
659
#endif /* MBEDTLS_CIPHER_MODE_CTR */
660
#endif /* !MBEDTLS_ARIA_ALT */
661
662
#if defined(MBEDTLS_SELF_TEST)
663
664
/*
665
 * Basic ARIA ECB test vectors from RFC 5794
666
 */
667
static const uint8_t aria_test1_ecb_key[32] =           // test key
668
{
669
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
670
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
671
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
672
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
673
};
674
675
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
676
{
677
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
678
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
679
};
680
681
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
682
{
683
    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
684
      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
685
    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
686
      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
687
    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
688
      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
689
};
690
691
/*
692
 * Mode tests from "Test Vectors for ARIA"  Version 1.0
693
 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
694
 */
695
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
696
    defined(MBEDTLS_CIPHER_MODE_CTR))
697
static const uint8_t aria_test2_key[32] =
698
{
699
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
700
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
701
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
702
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
703
};
704
705
static const uint8_t aria_test2_pt[48] =
706
{
707
    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
708
    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
709
    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
710
    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
711
    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
712
    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
713
};
714
#endif
715
716
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
717
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
718
{
719
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
720
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
721
};
722
#endif
723
724
#if defined(MBEDTLS_CIPHER_MODE_CBC)
725
static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
726
{
727
    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
728
      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
729
      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
730
      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
731
      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
732
      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
733
    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
734
      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
735
      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
736
      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
737
      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
738
      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
739
    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
740
      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
741
      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
742
      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
743
      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
744
      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
745
};
746
#endif /* MBEDTLS_CIPHER_MODE_CBC */
747
748
#if defined(MBEDTLS_CIPHER_MODE_CFB)
749
static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
750
{
751
    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
752
      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
753
      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
754
      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
755
      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
756
      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
757
    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
758
      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
759
      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
760
      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
761
      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
762
      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
763
    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
764
      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
765
      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
766
      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
767
      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
768
      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
769
};
770
#endif /* MBEDTLS_CIPHER_MODE_CFB */
771
772
#if defined(MBEDTLS_CIPHER_MODE_CTR)
773
static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
774
{
775
    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
776
      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
777
      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
778
      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
779
      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
780
      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
781
    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
782
      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
783
      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
784
      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
785
      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
786
      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
787
    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
788
      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
789
      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
790
      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
791
      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
792
      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
793
};
794
#endif /* MBEDTLS_CIPHER_MODE_CFB */
795
796
#define ARIA_SELF_TEST_ASSERT(cond)                   \
797
0
    do {                                            \
798
0
        if (cond) {                                \
799
0
            if (verbose)                           \
800
0
            mbedtls_printf("failed\n");       \
801
0
            goto exit;                              \
802
0
        } else {                                    \
803
0
            if (verbose)                           \
804
0
            mbedtls_printf("passed\n");       \
805
0
        }                                           \
806
0
    } while (0)
807
808
/*
809
 * Checkup routine
810
 */
811
int mbedtls_aria_self_test(int verbose)
812
0
{
813
0
    int i;
814
0
    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
815
0
    mbedtls_aria_context ctx;
816
0
    int ret = 1;
817
818
0
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
819
0
    size_t j;
820
0
#endif
821
822
0
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
823
0
    defined(MBEDTLS_CIPHER_MODE_CFB) || \
824
0
    defined(MBEDTLS_CIPHER_MODE_CTR))
825
0
    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
826
0
#endif
827
828
0
    mbedtls_aria_init(&ctx);
829
830
    /*
831
     * Test set 1
832
     */
833
0
    for (i = 0; i < 3; i++) {
834
        /* test ECB encryption */
835
0
        if (verbose) {
836
0
            mbedtls_printf("  ARIA-ECB-%d (enc): ", 128 + 64 * i);
837
0
        }
838
0
        mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
839
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
840
0
        ARIA_SELF_TEST_ASSERT(
841
0
            memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
842
0
            != 0);
843
844
        /* test ECB decryption */
845
0
        if (verbose) {
846
0
            mbedtls_printf("  ARIA-ECB-%d (dec): ", 128 + 64 * i);
847
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
848
            mbedtls_printf("skipped\n");
849
#endif
850
0
        }
851
852
0
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
853
0
        mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
854
0
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
855
0
        ARIA_SELF_TEST_ASSERT(
856
0
            memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
857
0
            != 0);
858
0
#endif
859
0
    }
860
0
    if (verbose) {
861
0
        mbedtls_printf("\n");
862
0
    }
863
864
    /*
865
     * Test set 2
866
     */
867
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
868
0
    for (i = 0; i < 3; i++) {
869
        /* Test CBC encryption */
870
0
        if (verbose) {
871
0
            mbedtls_printf("  ARIA-CBC-%d (enc): ", 128 + 64 * i);
872
0
        }
873
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
874
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
875
0
        memset(buf, 0x55, sizeof(buf));
876
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
877
0
                               aria_test2_pt, buf);
878
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
879
0
                              != 0);
880
881
        /* Test CBC decryption */
882
0
        if (verbose) {
883
0
            mbedtls_printf("  ARIA-CBC-%d (dec): ", 128 + 64 * i);
884
0
        }
885
0
        mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
886
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
887
0
        memset(buf, 0xAA, sizeof(buf));
888
0
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
889
0
                               aria_test2_cbc_ct[i], buf);
890
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
891
0
    }
892
0
    if (verbose) {
893
0
        mbedtls_printf("\n");
894
0
    }
895
896
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
897
898
0
#if defined(MBEDTLS_CIPHER_MODE_CFB)
899
0
    for (i = 0; i < 3; i++) {
900
        /* Test CFB encryption */
901
0
        if (verbose) {
902
0
            mbedtls_printf("  ARIA-CFB-%d (enc): ", 128 + 64 * i);
903
0
        }
904
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
905
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
906
0
        memset(buf, 0x55, sizeof(buf));
907
0
        j = 0;
908
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
909
0
                                  aria_test2_pt, buf);
910
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
911
912
        /* Test CFB decryption */
913
0
        if (verbose) {
914
0
            mbedtls_printf("  ARIA-CFB-%d (dec): ", 128 + 64 * i);
915
0
        }
916
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
917
0
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
918
0
        memset(buf, 0xAA, sizeof(buf));
919
0
        j = 0;
920
0
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
921
0
                                  iv, aria_test2_cfb_ct[i], buf);
922
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
923
0
    }
924
0
    if (verbose) {
925
0
        mbedtls_printf("\n");
926
0
    }
927
0
#endif /* MBEDTLS_CIPHER_MODE_CFB */
928
929
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
930
0
    for (i = 0; i < 3; i++) {
931
        /* Test CTR encryption */
932
0
        if (verbose) {
933
0
            mbedtls_printf("  ARIA-CTR-%d (enc): ", 128 + 64 * i);
934
0
        }
935
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
936
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
937
0
        memset(buf, 0x55, sizeof(buf));
938
0
        j = 0;
939
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
940
0
                               aria_test2_pt, buf);
941
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
942
943
        /* Test CTR decryption */
944
0
        if (verbose) {
945
0
            mbedtls_printf("  ARIA-CTR-%d (dec): ", 128 + 64 * i);
946
0
        }
947
0
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
948
0
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
949
0
        memset(buf, 0xAA, sizeof(buf));
950
0
        j = 0;
951
0
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
952
0
                               aria_test2_ctr_ct[i], buf);
953
0
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
954
0
    }
955
0
    if (verbose) {
956
0
        mbedtls_printf("\n");
957
0
    }
958
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
959
960
0
    ret = 0;
961
962
0
exit:
963
0
    mbedtls_aria_free(&ctx);
964
0
    return ret;
965
0
}
966
967
#endif /* MBEDTLS_SELF_TEST */
968
969
#endif /* MBEDTLS_ARIA_C */