search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / common / mbedtls / aria.c
blob119ba02fbd5ad223ba9e9c5e0b0a639a4c0b7640
1 /*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_ARIA_C)
29
30 #include "mbedtls/aria.h"
31
32 #include <string.h>
33
34 #if defined(MBEDTLS_SELF_TEST)
35 #if defined(MBEDTLS_PLATFORM_C)
36 #include "mbedtls/platform.h"
37 #else
38 #include <stdio.h>
39 #define mbedtls_printf printf
40 #endif /* MBEDTLS_PLATFORM_C */
41 #endif /* MBEDTLS_SELF_TEST */
42
43 #if !defined(MBEDTLS_ARIA_ALT)
44
45 #include "mbedtls/platform_util.h"
46
47 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
48 !defined(inline) && !defined(__cplusplus)
49 #define inline __inline
50 #endif
51
52 /* Parameter validation macros */
53 #define ARIA_VALIDATE_RET( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
55 #define ARIA_VALIDATE( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE( cond )
57
58 /*
59 * 32-bit integer manipulation macros (little endian)
60 */
61 #ifndef GET_UINT32_LE
62 #define GET_UINT32_LE( n, b, i ) \
63 { \
64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
68 }
69 #endif
70
71 #ifndef PUT_UINT32_LE
72 #define PUT_UINT32_LE( n, b, i ) \
73 { \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
78 }
79 #endif
80
81 /*
82 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
83 *
84 * This is submatrix P1 in [1] Appendix B.1
85 *
86 * Common compilers fail to translate this to minimal number of instructions,
87 * so let's provide asm versions for common platforms with C fallback.
88 */
89 #if defined(MBEDTLS_HAVE_ASM)
90 #if defined(__arm__) /* rev16 available from v6 up */
91 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
92 #if defined(__GNUC__) && \
93 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
94 __ARM_ARCH >= 6
95 static inline uint32_t aria_p1(uint32_t x) {
96 uint32_t r;
97 __asm("rev16 %0, %1" : "=l"(r) : "l"(x));
98 return (r);
99 }
100 #define ARIA_P1 aria_p1
101 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
102 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
103 static inline uint32_t aria_p1(uint32_t x) {
104 uint32_t r;
105 __asm("rev16 r, x");
106 return (r);
107 }
108 #define ARIA_P1 aria_p1
109 #endif
110 #endif /* arm */
111 #if defined(__GNUC__) && \
112 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
113 /* I couldn't find an Intel equivalent of rev16, so two instructions */
114 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
115 #endif /* x86 gnuc */
116 #endif /* MBEDTLS_HAVE_ASM && GNUC */
117 #if !defined(ARIA_P1)
118 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
119 #endif
120
121 /*
122 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
123 *
124 * This is submatrix P2 in [1] Appendix B.1
125 *
126 * Common compilers will translate this to a single instruction.
127 */
128 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
129
130 /*
131 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
132 *
133 * This is submatrix P3 in [1] Appendix B.1
134 *
135 * Some compilers fail to translate this to a single instruction,
136 * so let's provide asm versions for common platforms with C fallback.
137 */
138 #if defined(MBEDTLS_HAVE_ASM)
139 #if defined(__arm__) /* rev available from v6 up */
140 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
141 #if defined(__GNUC__) && \
142 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
143 __ARM_ARCH >= 6
144 static inline uint32_t aria_p3(uint32_t x) {
145 uint32_t r;
146 __asm("rev %0, %1" : "=l"(r) : "l"(x));
147 return (r);
148 }
149 #define ARIA_P3 aria_p3
150 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
151 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
152 static inline uint32_t aria_p3(uint32_t x) {
153 uint32_t r;
154 __asm("rev r, x");
155 return (r);
156 }
157 #define ARIA_P3 aria_p3
158 #endif
159 #endif /* arm */
160 #if defined(__GNUC__) && \
161 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
162 static inline uint32_t aria_p3(uint32_t x) {
163 __asm("bswap %0" : "=r"(x) : "0"(x));
164 return (x);
165 }
166 #define ARIA_P3 aria_p3
167 #endif /* x86 gnuc */
168 #endif /* MBEDTLS_HAVE_ASM && GNUC */
169 #if !defined(ARIA_P3)
170 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
171 #endif
172
173 /*
174 * ARIA Affine Transform
175 * (a, b, c, d) = state in/out
176 *
177 * If we denote the first byte of input by 0, ..., the last byte by f,
178 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
179 *
180 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
181 * rearrangements on adjacent pairs, output is:
182 *
183 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
184 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
185 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
186 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
187 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
188 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
189 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
190 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
191 *
192 * Note: another presentation of the A transform can be found as the first
193 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
194 * The implementation below uses only P1 and P2 as they are sufficient.
195 */
196 static inline void aria_a(uint32_t *a, uint32_t *b,
197 uint32_t *c, uint32_t *d) {
198 uint32_t ta, tb, tc;
199 ta = *b; // 4567
200 *b = *a; // 0123
201 *a = ARIA_P2(ta); // 6745
202 tb = ARIA_P2(*d); // efcd
203 *d = ARIA_P1(*c); // 98ba
204 *c = ARIA_P1(tb); // fedc
205 ta ^= *d; // 4567+98ba
206 tc = ARIA_P2(*b); // 2301
207 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
208 tb ^= ARIA_P2(*d); // ba98+efcd
209 tc ^= ARIA_P1(*a); // 2301+7654
210 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
211 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
212 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
213 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
214 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
215 tc = ARIA_P2(tc); // 0123+5476
216 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
217 }
218
219 /*
220 * ARIA Substitution Layer SL1 / SL2
221 * (a, b, c, d) = state in/out
222 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
223 *
224 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
225 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
226 */
227 static inline void aria_sl(uint32_t *a, uint32_t *b,
228 uint32_t *c, uint32_t *d,
229 const uint8_t sa[256], const uint8_t sb[256],
230 const uint8_t sc[256], const uint8_t sd[256]) {
231 *a = ((uint32_t) sa[ *a & 0xFF]) ^
232 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
233 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
234 (((uint32_t) sd[ *a >> 24 ]) << 24);
235 *b = ((uint32_t) sa[ *b & 0xFF]) ^
236 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
237 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
238 (((uint32_t) sd[ *b >> 24 ]) << 24);
239 *c = ((uint32_t) sa[ *c & 0xFF]) ^
240 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
241 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
242 (((uint32_t) sd[ *c >> 24 ]) << 24);
243 *d = ((uint32_t) sa[ *d & 0xFF]) ^
244 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
245 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
246 (((uint32_t) sd[ *d >> 24 ]) << 24);
247 }
248
249 /*
250 * S-Boxes
251 */
252 static const uint8_t aria_sb1[256] = {
253 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
254 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
255 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
256 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
257 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
258 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
259 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
260 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
261 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
262 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
263 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
264 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
265 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
266 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
267 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
268 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
269 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
270 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
271 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
272 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
273 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
274 0xB0, 0x54, 0xBB, 0x16
275 };
276
277 static const uint8_t aria_sb2[256] = {
278 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
279 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
280 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
281 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
282 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
283 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
284 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
285 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
286 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
287 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
288 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
289 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
290 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
291 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
292 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
293 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
294 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
295 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
296 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
297 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
298 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
299 0xAF, 0xBA, 0xB5, 0x81
300 };
301
302 static const uint8_t aria_is1[256] = {
303 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
304 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
305 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
306 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
307 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
308 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
309 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
310 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
311 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
312 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
313 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
314 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
315 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
316 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
317 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
318 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
319 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
320 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
321 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
322 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
323 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
324 0x55, 0x21, 0x0C, 0x7D
325 };
326
327 static const uint8_t aria_is2[256] = {
328 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
329 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
330 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
331 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
332 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
333 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
334 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
335 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
336 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
337 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
338 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
339 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
340 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
341 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
342 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
343 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
344 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
345 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
346 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
347 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
348 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
349 0x03, 0xA2, 0xAC, 0x60
350 };
351
352 /*
353 * Helper for key schedule: r = FO( p, k ) ^ x
354 */
355 static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
356 const uint32_t k[4], const uint32_t x[4]) {
357 uint32_t a, b, c, d;
358
359 a = p[0] ^ k[0];
360 b = p[1] ^ k[1];
361 c = p[2] ^ k[2];
362 d = p[3] ^ k[3];
363
364 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
365 aria_a(&a, &b, &c, &d);
366
367 r[0] = a ^ x[0];
368 r[1] = b ^ x[1];
369 r[2] = c ^ x[2];
370 r[3] = d ^ x[3];
371 }
372
373 /*
374 * Helper for key schedule: r = FE( p, k ) ^ x
375 */
376 static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
377 const uint32_t k[4], const uint32_t x[4]) {
378 uint32_t a, b, c, d;
379
380 a = p[0] ^ k[0];
381 b = p[1] ^ k[1];
382 c = p[2] ^ k[2];
383 d = p[3] ^ k[3];
384
385 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
386 aria_a(&a, &b, &c, &d);
387
388 r[0] = a ^ x[0];
389 r[1] = b ^ x[1];
390 r[2] = c ^ x[2];
391 r[3] = d ^ x[3];
392 }
393
394 /*
395 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
396 *
397 * We chose to store bytes into 32-bit words in little-endian format (see
398 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
399 */
400 static void aria_rot128(uint32_t r[4], const uint32_t a[4],
401 const uint32_t b[4], uint8_t n) {
402 uint8_t i, j;
403 uint32_t t, u;
404
405 const uint8_t n1 = n % 32; // bit offset
406 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
407
408 j = (n / 32) % 4; // initial word offset
409 t = ARIA_P3(b[j]); // big endian
410 for (i = 0; i < 4; i++) {
411 j = (j + 1) % 4; // get next word, big endian
412 u = ARIA_P3(b[j]);
413 t <<= n1; // rotate
414 t |= u >> n2;
415 t = ARIA_P3(t); // back to little endian
416 r[i] = a[i] ^ t; // store
417 t = u; // move to next word
418 }
419 }
420
421 /*
422 * Set encryption key
423 */
424 int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
425 const unsigned char *key, unsigned int keybits) {
426 /* round constant masks */
427 const uint32_t rc[3][4] = {
428 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
429 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
430 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
431 };
432
433 int i;
434 uint32_t w[4][4], *w2;
435 ARIA_VALIDATE_RET(ctx != NULL);
436 ARIA_VALIDATE_RET(key != NULL);
437
438 if (keybits != 128 && keybits != 192 && keybits != 256)
439 return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
440
441 /* Copy key to W0 (and potential remainder to W1) */
442 GET_UINT32_LE(w[0][0], key, 0);
443 GET_UINT32_LE(w[0][1], key, 4);
444 GET_UINT32_LE(w[0][2], key, 8);
445 GET_UINT32_LE(w[0][3], key, 12);
446
447 memset(w[1], 0, 16);
448 if (keybits >= 192) {
449 GET_UINT32_LE(w[1][0], key, 16); // 192 bit key
450 GET_UINT32_LE(w[1][1], key, 20);
451 }
452 if (keybits == 256) {
453 GET_UINT32_LE(w[1][2], key, 24); // 256 bit key
454 GET_UINT32_LE(w[1][3], key, 28);
455 }
456
457 i = (keybits - 128) >> 6; // index: 0, 1, 2
458 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
459
460 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
461 i = i < 2 ? i + 1 : 0;
462 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
463 i = i < 2 ? i + 1 : 0;
464 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
465
466 for (i = 0; i < 4; i++) { // create round keys
467 w2 = w[(i + 1) & 3];
468 aria_rot128(ctx->rk[i ], w[i], w2, 128 - 19);
469 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
470 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
471 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
472 }
473 aria_rot128(ctx->rk[16], w[0], w[1], 19);
474
475 /* w holds enough info to reconstruct the round keys */
476 mbedtls_platform_zeroize(w, sizeof(w));
477
478 return (0);
479 }
480
481 /*
482 * Set decryption key
483 */
484 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
485 const unsigned char *key, unsigned int keybits) {
486 int i, j, k, ret;
487 ARIA_VALIDATE_RET(ctx != NULL);
488 ARIA_VALIDATE_RET(key != NULL);
489
490 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
491 if (ret != 0)
492 return (ret);
493
494 /* flip the order of round keys */
495 for (i = 0, j = ctx->nr; i < j; i++, j--) {
496 for (k = 0; k < 4; k++) {
497 uint32_t t = ctx->rk[i][k];
498 ctx->rk[i][k] = ctx->rk[j][k];
499 ctx->rk[j][k] = t;
500 }
501 }
502
503 /* apply affine transform to middle keys */
504 for (i = 1; i < ctx->nr; i++) {
505 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
506 &ctx->rk[i][2], &ctx->rk[i][3]);
507 }
508
509 return (0);
510 }
511
512 /*
513 * Encrypt a block
514 */
515 int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
516 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
517 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]) {
518 int i;
519
520 uint32_t a, b, c, d;
521 ARIA_VALIDATE_RET(ctx != NULL);
522 ARIA_VALIDATE_RET(input != NULL);
523 ARIA_VALIDATE_RET(output != NULL);
524
525 GET_UINT32_LE(a, input, 0);
526 GET_UINT32_LE(b, input, 4);
527 GET_UINT32_LE(c, input, 8);
528 GET_UINT32_LE(d, input, 12);
529
530 i = 0;
531 while (1) {
532 a ^= ctx->rk[i][0];
533 b ^= ctx->rk[i][1];
534 c ^= ctx->rk[i][2];
535 d ^= ctx->rk[i][3];
536 i++;
537
538 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
539 aria_a(&a, &b, &c, &d);
540
541 a ^= ctx->rk[i][0];
542 b ^= ctx->rk[i][1];
543 c ^= ctx->rk[i][2];
544 d ^= ctx->rk[i][3];
545 i++;
546
547 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
548 if (i >= ctx->nr)
549 break;
550 aria_a(&a, &b, &c, &d);
551 }
552
553 /* final key mixing */
554 a ^= ctx->rk[i][0];
555 b ^= ctx->rk[i][1];
556 c ^= ctx->rk[i][2];
557 d ^= ctx->rk[i][3];
558
559 PUT_UINT32_LE(a, output, 0);
560 PUT_UINT32_LE(b, output, 4);
561 PUT_UINT32_LE(c, output, 8);
562 PUT_UINT32_LE(d, output, 12);
563
564 return (0);
565 }
566
567 /* Initialize context */
568 void mbedtls_aria_init(mbedtls_aria_context *ctx) {
569 ARIA_VALIDATE(ctx != NULL);
570 memset(ctx, 0, sizeof(mbedtls_aria_context));
571 }
572
573 /* Clear context */
574 void mbedtls_aria_free(mbedtls_aria_context *ctx) {
575 if (ctx == NULL)
576 return;
577
578 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
579 }
580
581 #if defined(MBEDTLS_CIPHER_MODE_CBC)
582 /*
583 * ARIA-CBC buffer encryption/decryption
584 */
585 int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
586 int mode,
587 size_t length,
588 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
589 const unsigned char *input,
590 unsigned char *output) {
591 int i;
592 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
593
594 ARIA_VALIDATE_RET(ctx != NULL);
595 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
596 mode == MBEDTLS_ARIA_DECRYPT);
597 ARIA_VALIDATE_RET(length == 0 || input != NULL);
598 ARIA_VALIDATE_RET(length == 0 || output != NULL);
599 ARIA_VALIDATE_RET(iv != NULL);
600
601 if (length % MBEDTLS_ARIA_BLOCKSIZE)
602 return (MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH);
603
604 if (mode == MBEDTLS_ARIA_DECRYPT) {
605 while (length > 0) {
606 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
607 mbedtls_aria_crypt_ecb(ctx, input, output);
608
609 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
610 output[i] = (unsigned char)(output[i] ^ iv[i]);
611
612 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
613
614 input += MBEDTLS_ARIA_BLOCKSIZE;
615 output += MBEDTLS_ARIA_BLOCKSIZE;
616 length -= MBEDTLS_ARIA_BLOCKSIZE;
617 }
618 } else {
619 while (length > 0) {
620 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
621 output[i] = (unsigned char)(input[i] ^ iv[i]);
622
623 mbedtls_aria_crypt_ecb(ctx, output, output);
624 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
625
626 input += MBEDTLS_ARIA_BLOCKSIZE;
627 output += MBEDTLS_ARIA_BLOCKSIZE;
628 length -= MBEDTLS_ARIA_BLOCKSIZE;
629 }
630 }
631
632 return (0);
633 }
634 #endif /* MBEDTLS_CIPHER_MODE_CBC */
635
636 #if defined(MBEDTLS_CIPHER_MODE_CFB)
637 /*
638 * ARIA-CFB128 buffer encryption/decryption
639 */
640 int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
641 int mode,
642 size_t length,
643 size_t *iv_off,
644 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
645 const unsigned char *input,
646 unsigned char *output) {
647 unsigned char c;
648 size_t n;
649
650 ARIA_VALIDATE_RET(ctx != NULL);
651 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
652 mode == MBEDTLS_ARIA_DECRYPT);
653 ARIA_VALIDATE_RET(length == 0 || input != NULL);
654 ARIA_VALIDATE_RET(length == 0 || output != NULL);
655 ARIA_VALIDATE_RET(iv != NULL);
656 ARIA_VALIDATE_RET(iv_off != NULL);
657
658 n = *iv_off;
659
660 /* An overly large value of n can lead to an unlimited
661 * buffer overflow. Therefore, guard against this
662 * outside of parameter validation. */
663 if (n >= MBEDTLS_ARIA_BLOCKSIZE)
664 return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
665
666 if (mode == MBEDTLS_ARIA_DECRYPT) {
667 while (length--) {
668 if (n == 0)
669 mbedtls_aria_crypt_ecb(ctx, iv, iv);
670
671 c = *input++;
672 *output++ = c ^ iv[n];
673 iv[n] = c;
674
675 n = (n + 1) & 0x0F;
676 }
677 } else {
678 while (length--) {
679 if (n == 0)
680 mbedtls_aria_crypt_ecb(ctx, iv, iv);
681
682 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
683
684 n = (n + 1) & 0x0F;
685 }
686 }
687
688 *iv_off = n;
689
690 return (0);
691 }
692 #endif /* MBEDTLS_CIPHER_MODE_CFB */
693
694 #if defined(MBEDTLS_CIPHER_MODE_CTR)
695 /*
696 * ARIA-CTR buffer encryption/decryption
697 */
698 int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
699 size_t length,
700 size_t *nc_off,
701 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
702 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
703 const unsigned char *input,
704 unsigned char *output) {
705 int c, i;
706 size_t n;
707
708 ARIA_VALIDATE_RET(ctx != NULL);
709 ARIA_VALIDATE_RET(length == 0 || input != NULL);
710 ARIA_VALIDATE_RET(length == 0 || output != NULL);
711 ARIA_VALIDATE_RET(nonce_counter != NULL);
712 ARIA_VALIDATE_RET(stream_block != NULL);
713 ARIA_VALIDATE_RET(nc_off != NULL);
714
715 n = *nc_off;
716 /* An overly large value of n can lead to an unlimited
717 * buffer overflow. Therefore, guard against this
718 * outside of parameter validation. */
719 if (n >= MBEDTLS_ARIA_BLOCKSIZE)
720 return (MBEDTLS_ERR_ARIA_BAD_INPUT_DATA);
721
722 while (length--) {
723 if (n == 0) {
724 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
725 stream_block);
726
727 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--)
728 if (++nonce_counter[i - 1] != 0)
729 break;
730 }
731 c = *input++;
732 *output++ = (unsigned char)(c ^ stream_block[n]);
733
734 n = (n + 1) & 0x0F;
735 }
736
737 *nc_off = n;
738
739 return (0);
740 }
741 #endif /* MBEDTLS_CIPHER_MODE_CTR */
742 #endif /* !MBEDTLS_ARIA_ALT */
743
744 #if defined(MBEDTLS_SELF_TEST)
745
746 /*
747 * Basic ARIA ECB test vectors from RFC 5794
748 */
749 static const uint8_t aria_test1_ecb_key[32] = { // test key
750 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
751 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
752 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
753 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
754 };
755
756 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = { // plaintext
757 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
758 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
759 };
760
761 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = { // ciphertext
762 {
763 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
764 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78
765 },
766 {
767 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
768 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79
769 },
770 {
771 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
772 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC
773 }
774 };
775
776 /*
777 * Mode tests from "Test Vectors for ARIA" Version 1.0
778 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
779 */
780 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
781 defined(MBEDTLS_CIPHER_MODE_CTR))
782 static const uint8_t aria_test2_key[32] = {
783 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
784 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
785 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
786 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
787 };
788
789 static const uint8_t aria_test2_pt[48] = {
790 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
791 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
792 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
793 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
794 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
795 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
796 };
797 #endif
798
799 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
800 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = {
801 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
802 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
803 };
804 #endif
805
806 #if defined(MBEDTLS_CIPHER_MODE_CBC)
807 static const uint8_t aria_test2_cbc_ct[3][48] = { // CBC ciphertext
808 {
809 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
810 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
811 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
812 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
813 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
814 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15
815 },
816 {
817 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
818 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
819 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
820 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
821 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
822 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e
823 },
824 {
825 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
826 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
827 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
828 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
829 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
830 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b
831 }
832 };
833 #endif /* MBEDTLS_CIPHER_MODE_CBC */
834
835 #if defined(MBEDTLS_CIPHER_MODE_CFB)
836 static const uint8_t aria_test2_cfb_ct[3][48] = { // CFB ciphertext
837 {
838 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
839 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
840 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
841 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
842 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
843 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b
844 },
845 {
846 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
847 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
848 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
849 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
850 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
851 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b
852 },
853 {
854 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
855 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
856 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
857 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
858 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
859 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1
860 }
861 };
862 #endif /* MBEDTLS_CIPHER_MODE_CFB */
863
864 #if defined(MBEDTLS_CIPHER_MODE_CTR)
865 static const uint8_t aria_test2_ctr_ct[3][48] = { // CTR ciphertext
866 {
867 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
868 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
869 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
870 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
871 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
872 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3
873 },
874 {
875 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
876 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
877 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
878 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
879 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
880 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf
881 },
882 {
883 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
884 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
885 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
886 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
887 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
888 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1
889 }
890 };
891 #endif /* MBEDTLS_CIPHER_MODE_CFB */
892
893 #define ARIA_SELF_TEST_IF_FAIL \
894 { \
895 if( verbose ) \
896 mbedtls_printf( "failed\n" ); \
897 return( 1 ); \
898 } else { \
899 if( verbose ) \
900 mbedtls_printf( "passed\n" ); \
901 }
902
903 /*
904 * Checkup routine
905 */
906 int mbedtls_aria_self_test(int verbose) {
907 int i;
908 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
909 mbedtls_aria_context ctx;
910
911 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
912 size_t j;
913 #endif
914
915 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
916 defined(MBEDTLS_CIPHER_MODE_CFB) || \
917 defined(MBEDTLS_CIPHER_MODE_CTR))
918 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
919 #endif
920
921 /*
922 * Test set 1
923 */
924 for (i = 0; i < 3; i++) {
925 /* test ECB encryption */
926 if (verbose)
927 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
928 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
929 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
930 if (memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) != 0)
931 ARIA_SELF_TEST_IF_FAIL;
932
933 /* test ECB decryption */
934 if (verbose)
935 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
936 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
937 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
938 if (memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) != 0)
939 ARIA_SELF_TEST_IF_FAIL;
940 }
941 if (verbose)
942 mbedtls_printf("\n");
943
944 /*
945 * Test set 2
946 */
947 #if defined(MBEDTLS_CIPHER_MODE_CBC)
948 for (i = 0; i < 3; i++) {
949 /* Test CBC encryption */
950 if (verbose)
951 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
952 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
953 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
954 memset(buf, 0x55, sizeof(buf));
955 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
956 aria_test2_pt, buf);
957 if (memcmp(buf, aria_test2_cbc_ct[i], 48) != 0)
958 ARIA_SELF_TEST_IF_FAIL;
959
960 /* Test CBC decryption */
961 if (verbose)
962 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
963 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
964 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
965 memset(buf, 0xAA, sizeof(buf));
966 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
967 aria_test2_cbc_ct[i], buf);
968 if (memcmp(buf, aria_test2_pt, 48) != 0)
969 ARIA_SELF_TEST_IF_FAIL;
970 }
971 if (verbose)
972 mbedtls_printf("\n");
973
974 #endif /* MBEDTLS_CIPHER_MODE_CBC */
975
976 #if defined(MBEDTLS_CIPHER_MODE_CFB)
977 for (i = 0; i < 3; i++) {
978 /* Test CFB encryption */
979 if (verbose)
980 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
981 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
982 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
983 memset(buf, 0x55, sizeof(buf));
984 j = 0;
985 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
986 aria_test2_pt, buf);
987 if (memcmp(buf, aria_test2_cfb_ct[i], 48) != 0)
988 ARIA_SELF_TEST_IF_FAIL;
989
990 /* Test CFB decryption */
991 if (verbose)
992 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
993 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
994 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
995 memset(buf, 0xAA, sizeof(buf));
996 j = 0;
997 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
998 iv, aria_test2_cfb_ct[i], buf);
999 if (memcmp(buf, aria_test2_pt, 48) != 0)
1000 ARIA_SELF_TEST_IF_FAIL;
1001 }
1002 if (verbose)
1003 mbedtls_printf("\n");
1004 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1005
1006 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1007 for (i = 0; i < 3; i++) {
1008 /* Test CTR encryption */
1009 if (verbose)
1010 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
1011 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1012 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1013 memset(buf, 0x55, sizeof(buf));
1014 j = 0;
1015 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1016 aria_test2_pt, buf);
1017 if (memcmp(buf, aria_test2_ctr_ct[i], 48) != 0)
1018 ARIA_SELF_TEST_IF_FAIL;
1019
1020 /* Test CTR decryption */
1021 if (verbose)
1022 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
1023 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1024 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1025 memset(buf, 0xAA, sizeof(buf));
1026 j = 0;
1027 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1028 aria_test2_ctr_ct[i], buf);
1029 if (memcmp(buf, aria_test2_pt, 48) != 0)
1030 ARIA_SELF_TEST_IF_FAIL;
1031 }
1032 if (verbose)
1033 mbedtls_printf("\n");
1034 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1035
1036 return (0);
1037 }
1038
1039 #endif /* MBEDTLS_SELF_TEST */
1040
1041 #endif /* MBEDTLS_ARIA_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware