aria.c 38 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
/*
 *  ARIA implementation
 *
 *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

22 23 24 25 26 27
/*
 * This implementation is based on the following standards:
 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
 * [2] https://tools.ietf.org/html/rfc5794
 */

28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_ARIA_C)

#include "mbedtls/aria.h"

#include <string.h>

#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */

#if !defined(MBEDTLS_ARIA_ALT)

51 52
#include "mbedtls/platform_util.h"

53 54 55 56 57
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif

58 59 60 61 62 63
/* Parameter validation macros */
#define ARIA_VALIDATE_RET( cond )                                       \
    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
#define ARIA_VALIDATE( cond )                                           \
    MBEDTLS_INTERNAL_VALIDATE( cond )

64 65 66
/*
 * 32-bit integer manipulation macros (little endian)
 */
67
#ifndef GET_UINT32_LE
68
#define GET_UINT32_LE( n, b, i )                \
69 70 71 72 73 74 75 76 77
{                                               \
    (n) = ( (uint32_t) (b)[(i)    ]       )     \
        | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
        | ( (uint32_t) (b)[(i) + 2] << 16 )     \
        | ( (uint32_t) (b)[(i) + 3] << 24 );    \
}
#endif

#ifndef PUT_UINT32_LE
78
#define PUT_UINT32_LE( n, b, i )                                \
79 80 81 82 83 84 85 86
{                                                               \
    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
}
#endif

87
/*
88
 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
89 90
 *
 * This is submatrix P1 in [1] Appendix B.1
91 92 93
 *
 * Common compilers fail to translate this to minimal number of instructions,
 * so let's provide asm versions for common platforms with C fallback.
94
 */
95
#if defined(MBEDTLS_HAVE_ASM)
96
#if defined(__arm__) /* rev16 available from v6 up */
97 98
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
#if defined(__GNUC__) && \
99 100
    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
    __ARM_ARCH >= 6
101 102 103
static inline uint32_t aria_p1( uint32_t x )
{
    uint32_t r;
104
    __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
105 106 107
    return( r );
}
#define ARIA_P1 aria_p1
108 109
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
110
static inline uint32_t aria_p1( uint32_t x )
111 112 113 114 115 116 117 118 119 120
{
    uint32_t r;
    __asm( "rev16 r, x" );
    return( r );
}
#define ARIA_P1 aria_p1
#endif
#endif /* arm */
#if defined(__GNUC__) && \
    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
121
/* I couldn't find an Intel equivalent of rev16, so two instructions */
122
#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
123
#endif /* x86 gnuc */
124 125
#endif /* MBEDTLS_HAVE_ASM && GNUC */
#if !defined(ARIA_P1)
126
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
127
#endif
128

129 130 131 132
/*
 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
 *
 * This is submatrix P2 in [1] Appendix B.1
133 134
 *
 * Common compilers will translate this to a single instruction.
135 136
 */
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
137

138 139 140 141
/*
 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
 *
 * This is submatrix P3 in [1] Appendix B.1
142 143 144
 *
 * Some compilers fail to translate this to a single instruction,
 * so let's provide asm versions for common platforms with C fallback.
145
 */
146
#if defined(MBEDTLS_HAVE_ASM)
147
#if defined(__arm__) /* rev available from v6 up */
148 149
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
#if defined(__GNUC__) && \
150 151
    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
    __ARM_ARCH >= 6
152 153 154
static inline uint32_t aria_p3( uint32_t x )
{
    uint32_t r;
155
    __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
156 157 158
    return( r );
}
#define ARIA_P3 aria_p3
159 160
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
161
static inline uint32_t aria_p3( uint32_t x )
162 163 164 165 166 167 168 169 170 171
{
    uint32_t r;
    __asm( "rev r, x" );
    return( r );
}
#define ARIA_P3 aria_p3
#endif
#endif /* arm */
#if defined(__GNUC__) && \
    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
172 173
static inline uint32_t aria_p3( uint32_t x )
{
174
    __asm( "bswap %0" : "=r" (x) : "0" (x) );
175 176 177
    return( x );
}
#define ARIA_P3 aria_p3
178
#endif /* x86 gnuc */
179 180
#endif /* MBEDTLS_HAVE_ASM && GNUC */
#if !defined(ARIA_P3)
181
#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
182
#endif
183

184
/*
185
 * ARIA Affine Transform
186 187
 * (a, b, c, d) = state in/out
 *
188
 * If we denote the first byte of input by 0, ..., the last byte by f,
189 190
 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
 *
191
 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
192 193 194 195
 * rearrangements on adjacent pairs, output is:
 *
 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
 *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
196
 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
197
 *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
198
 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
199
 *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
200
 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
201 202 203 204 205
 *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
 *
 * Note: another presentation of the A transform can be found as the first
 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
 * The implementation below uses only P1 and P2 as they are sufficient.
206
 */
207 208 209 210
static inline void aria_a( uint32_t *a, uint32_t *b,
                           uint32_t *c, uint32_t *d )
{
    uint32_t ta, tb, tc;
211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228
    ta  =  *b;                      // 4567
    *b  =  *a;                      // 0123
    *a  =  ARIA_P2( ta );           // 6745
    tb  =  ARIA_P2( *d );           // efcd
    *d  =  ARIA_P1( *c );           // 98ba
    *c  =  ARIA_P1( tb );           // fedc
    ta  ^= *d;                      // 4567+98ba
    tc  =  ARIA_P2( *b );           // 2301
    ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
    tb  ^= ARIA_P2( *d );           // ba98+efcd
    tc  ^= ARIA_P1( *a );           // 2301+7654
    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
    tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
    *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
    ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
    *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
    tc  =  ARIA_P2( tc );           // 0123+5476
    *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
229 230
}

231
/*
232 233
 * ARIA Substitution Layer SL1 / SL2
 * (a, b, c, d) = state in/out
234 235
 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
 *
236 237
 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
238
 */
239 240
static inline void aria_sl( uint32_t *a, uint32_t *b,
                            uint32_t *c, uint32_t *d,
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
241 242
                            const uint8_t sa[256], const uint8_t sb[256],
                            const uint8_t sc[256], const uint8_t sd[256] )
243
{
244
    *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
245 246 247
         (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
         (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
         (((uint32_t) sd[ *a >> 24        ]) << 24);
248
    *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
249 250 251
         (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
         (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
         (((uint32_t) sd[ *b >> 24        ]) << 24);
252
    *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
253 254 255
         (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
         (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
         (((uint32_t) sd[ *c >> 24        ]) << 24);
256
    *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
257 258 259
         (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
         (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
         (((uint32_t) sd[ *d >> 24        ]) << 24);
260 261
}

262 263 264
/*
 * S-Boxes
 */
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
265
static const uint8_t aria_sb1[256] =
266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290
{
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
    0xB0, 0x54, 0xBB, 0x16
};

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
291
static const uint8_t aria_sb2[256] =
292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316
{
    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
    0xAF, 0xBA, 0xB5, 0x81
};

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
317
static const uint8_t aria_is1[256] =
318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
{
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
    0x55, 0x21, 0x0C, 0x7D
};

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
343
static const uint8_t aria_is2[256] =
344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368
{
    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
    0x03, 0xA2, 0xAC, 0x60
};

369 370 371
/*
 * Helper for key schedule: r = FO( p, k ) ^ x
 */
372 373
static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
                         const uint32_t k[4], const uint32_t x[4] )
374 375 376 377 378 379 380 381
{
    uint32_t a, b, c, d;

    a = p[0] ^ k[0];
    b = p[1] ^ k[1];
    c = p[2] ^ k[2];
    d = p[3] ^ k[3];

382 383
    aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
    aria_a( &a, &b, &c, &d );
384 385 386 387 388 389 390

    r[0] = a ^ x[0];
    r[1] = b ^ x[1];
    r[2] = c ^ x[2];
    r[3] = d ^ x[3];
}

391 392 393
/*
 * Helper for key schedule: r = FE( p, k ) ^ x
 */
394 395
static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
                         const uint32_t k[4], const uint32_t x[4] )
396 397 398 399 400 401 402 403
{
    uint32_t a, b, c, d;

    a = p[0] ^ k[0];
    b = p[1] ^ k[1];
    c = p[2] ^ k[2];
    d = p[3] ^ k[3];

404 405
    aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
    aria_a( &a, &b, &c, &d );
406 407 408 409 410 411 412

    r[0] = a ^ x[0];
    r[1] = b ^ x[1];
    r[2] = c ^ x[2];
    r[3] = d ^ x[3];
}

413 414 415 416 417 418
/*
 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
 *
 * We chose to store bytes into 32-bit words in little-endian format (see
 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
 */
419 420
static void aria_rot128( uint32_t r[4], const uint32_t a[4],
                         const uint32_t b[4], uint8_t n )
421
{
422
    uint8_t i, j;
423 424
    uint32_t t, u;

425 426
    const uint8_t n1 = n % 32;              // bit offset
    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
427

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
428
    j = ( n / 32 ) % 4;                     // initial word offset
429
    t = ARIA_P3( b[j] );                    // big endian
430 431
    for( i = 0; i < 4; i++ )
    {
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
432
        j = ( j + 1 ) % 4;                  // get next word, big endian
433
        u = ARIA_P3( b[j] );
434
        t <<= n1;                           // rotate
435
        t |= u >> n2;
436
        t = ARIA_P3( t );                   // back to little endian
437 438 439 440 441
        r[i] = a[i] ^ t;                    // store
        t = u;                              // move to next word
    }
}

442 443 444
/*
 * Set encryption key
 */
445 446
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
                             const unsigned char *key, unsigned int keybits )
447
{
448
    /* round constant masks */
449 450 451 452 453 454 455 456 457
    const uint32_t rc[3][4] =
    {
        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
    };

    int i;
    uint32_t w[4][4], *w2;
458 459
    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( key != NULL );
460

461
    if( keybits != 128 && keybits != 192 && keybits != 256 )
462
        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
463

464 465
    /* Copy key to W0 (and potential remainder to W1) */
    GET_UINT32_LE( w[0][0], key,  0 );
466 467 468 469
    GET_UINT32_LE( w[0][1], key,  4 );
    GET_UINT32_LE( w[0][2], key,  8 );
    GET_UINT32_LE( w[0][3], key, 12 );

470
    memset( w[1], 0, 16 );
471 472 473 474 475 476 477 478 479 480 481
    if( keybits >= 192 )
    {
        GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
        GET_UINT32_LE( w[1][1], key, 20 );
    }
    if( keybits == 256 )
    {
        GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
        GET_UINT32_LE( w[1][3], key, 28 );
    }

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
482
    i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
483 484
    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16

485
    aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
486
    i = i < 2 ? i + 1 : 0;
487
    aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
488
    i = i < 2 ? i + 1 : 0;
489
    aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
490 491 492 493

    for( i = 0; i < 4; i++ )                // create round keys
    {
        w2 = w[(i + 1) & 3];
494 495 496 497
        aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
        aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
        aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
        aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
498 499 500
    }
    aria_rot128( ctx->rk[16], w[0], w[1], 19 );

501
    /* w holds enough info to reconstruct the round keys */
502
    mbedtls_platform_zeroize( w, sizeof( w ) );
503

504
    return( 0 );
505 506
}

507 508 509
/*
 * Set decryption key
 */
510 511
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
                             const unsigned char *key, unsigned int keybits )
512 513
{
    int i, j, k, ret;
514 515
    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( key != NULL );
516 517 518

    ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
    if( ret != 0 )
519
        return( ret );
520

521
    /* flip the order of round keys */
522 523 524 525
    for( i = 0, j = ctx->nr; i < j; i++, j-- )
    {
        for( k = 0; k < 4; k++ )
        {
526
            uint32_t t = ctx->rk[i][k];
527 528 529 530 531
            ctx->rk[i][k] = ctx->rk[j][k];
            ctx->rk[j][k] = t;
        }
    }

532
    /* apply affine transform to middle keys */
533
    for( i = 1; i < ctx->nr; i++ )
534 535 536 537
    {
        aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
                &ctx->rk[i][2], &ctx->rk[i][3] );
    }
538

539
    return( 0 );
540 541
}

542 543 544
/*
 * Encrypt a block
 */
545
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
546 547
                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
548 549 550 551
{
    int i;

    uint32_t a, b, c, d;
552 553 554
    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( input != NULL );
    ARIA_VALIDATE_RET( output != NULL );
555 556 557 558 559 560 561

    GET_UINT32_LE( a, input,  0 );
    GET_UINT32_LE( b, input,  4 );
    GET_UINT32_LE( c, input,  8 );
    GET_UINT32_LE( d, input, 12 );

    i = 0;
562
    while( 1 )
563 564 565 566 567 568
    {
        a ^= ctx->rk[i][0];
        b ^= ctx->rk[i][1];
        c ^= ctx->rk[i][2];
        d ^= ctx->rk[i][3];
        i++;
569 570 571

        aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
        aria_a( &a, &b, &c, &d );
572 573 574 575 576 577

        a ^= ctx->rk[i][0];
        b ^= ctx->rk[i][1];
        c ^= ctx->rk[i][2];
        d ^= ctx->rk[i][3];
        i++;
578 579

        aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
580
        if( i >= ctx->nr )
581
            break;
582
        aria_a( &a, &b, &c, &d );
583 584
    }

585 586 587 588 589
    /* final key mixing */
    a ^= ctx->rk[i][0];
    b ^= ctx->rk[i][1];
    c ^= ctx->rk[i][2];
    d ^= ctx->rk[i][3];
590 591 592 593 594 595

    PUT_UINT32_LE( a, output,  0 );
    PUT_UINT32_LE( b, output,  4 );
    PUT_UINT32_LE( c, output,  8 );
    PUT_UINT32_LE( d, output, 12 );

596
    return( 0 );
597 598
}

599
/* Initialize context */
Markku-Juhani O. Saarinen's avatar
Markku-Juhani O. Saarinen committed
600 601
void mbedtls_aria_init( mbedtls_aria_context *ctx )
{
602
    ARIA_VALIDATE( ctx != NULL );
Markku-Juhani O. Saarinen's avatar
Markku-Juhani O. Saarinen committed
603 604 605
    memset( ctx, 0, sizeof( mbedtls_aria_context ) );
}

606
/* Clear context */
Markku-Juhani O. Saarinen's avatar
Markku-Juhani O. Saarinen committed
607 608 609 610
void mbedtls_aria_free( mbedtls_aria_context *ctx )
{
    if( ctx == NULL )
        return;
611

612
    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen's avatar
Markku-Juhani O. Saarinen committed
613
}
614 615 616 617 618 619

#if defined(MBEDTLS_CIPHER_MODE_CBC)
/*
 * ARIA-CBC buffer encryption/decryption
 */
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
620 621
                            int mode,
                            size_t length,
622
                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
623 624
                            const unsigned char *input,
                            unsigned char *output )
625 626
{
    int i;
627
    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
628

629 630 631 632 633 634 635
    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
                       mode == MBEDTLS_ARIA_DECRYPT );
    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
    ARIA_VALIDATE_RET( length == 0 || output != NULL );
    ARIA_VALIDATE_RET( iv != NULL );

636
    if( length % MBEDTLS_ARIA_BLOCKSIZE )
637
        return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
638 639 640 641 642

    if( mode == MBEDTLS_ARIA_DECRYPT )
    {
        while( length > 0 )
        {
643
            memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
644
            mbedtls_aria_crypt_ecb( ctx, input, output );
645

646
            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
647 648
                output[i] = (unsigned char)( output[i] ^ iv[i] );

649
            memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
650

651 652 653
            input  += MBEDTLS_ARIA_BLOCKSIZE;
            output += MBEDTLS_ARIA_BLOCKSIZE;
            length -= MBEDTLS_ARIA_BLOCKSIZE;
654 655 656 657 658 659
        }
    }
    else
    {
        while( length > 0 )
        {
660
            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
661 662
                output[i] = (unsigned char)( input[i] ^ iv[i] );

663
            mbedtls_aria_crypt_ecb( ctx, output, output );
664
            memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
665

666 667 668
            input  += MBEDTLS_ARIA_BLOCKSIZE;
            output += MBEDTLS_ARIA_BLOCKSIZE;
            length -= MBEDTLS_ARIA_BLOCKSIZE;
669 670 671 672 673 674 675 676 677 678 679 680
        }
    }

    return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */

#if defined(MBEDTLS_CIPHER_MODE_CFB)
/*
 * ARIA-CFB128 buffer encryption/decryption
 */
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
681 682 683
                               int mode,
                               size_t length,
                               size_t *iv_off,
684
                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
685 686
                               const unsigned char *input,
                               unsigned char *output )
687
{
688
    unsigned char c;
689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705
    size_t n;

    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
                       mode == MBEDTLS_ARIA_DECRYPT );
    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
    ARIA_VALIDATE_RET( length == 0 || output != NULL );
    ARIA_VALIDATE_RET( iv != NULL );
    ARIA_VALIDATE_RET( iv_off != NULL );

    n = *iv_off;

    /* An overly large value of n can lead to an unlimited
     * buffer overflow. Therefore, guard against this
     * outside of parameter validation. */
    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
706 707 708 709 710 711

    if( mode == MBEDTLS_ARIA_DECRYPT )
    {
        while( length-- )
        {
            if( n == 0 )
712
                mbedtls_aria_crypt_ecb( ctx, iv, iv );
713 714

            c = *input++;
715 716
            *output++ = c ^ iv[n];
            iv[n] = c;
717 718 719 720 721 722 723 724 725

            n = ( n + 1 ) & 0x0F;
        }
    }
    else
    {
        while( length-- )
        {
            if( n == 0 )
726
                mbedtls_aria_crypt_ecb( ctx, iv, iv );
727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744

            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );

            n = ( n + 1 ) & 0x0F;
        }
    }

    *iv_off = n;

    return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CFB */

#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
 * ARIA-CTR buffer encryption/decryption
 */
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
745 746
                            size_t length,
                            size_t *nc_off,
747 748
                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
749 750
                            const unsigned char *input,
                            unsigned char *output )
751 752
{
    int c, i;
753 754 755 756 757 758 759 760 761 762 763 764 765 766 767
    size_t n;

    ARIA_VALIDATE_RET( ctx != NULL );
    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
    ARIA_VALIDATE_RET( length == 0 || output != NULL );
    ARIA_VALIDATE_RET( nonce_counter != NULL );
    ARIA_VALIDATE_RET( stream_block  != NULL );
    ARIA_VALIDATE_RET( nc_off != NULL );

    n = *nc_off;
    /* An overly large value of n can lead to an unlimited
     * buffer overflow. Therefore, guard against this
     * outside of parameter validation. */
    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
768 769 770 771

    while( length-- )
    {
        if( n == 0 ) {
772
            mbedtls_aria_crypt_ecb( ctx, nonce_counter,
773 774
                                stream_block );

775
            for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793
                if( ++nonce_counter[i - 1] != 0 )
                    break;
        }
        c = *input++;
        *output++ = (unsigned char)( c ^ stream_block[n] );

        n = ( n + 1 ) & 0x0F;
    }

    *nc_off = n;

    return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#endif /* !MBEDTLS_ARIA_ALT */

#if defined(MBEDTLS_SELF_TEST)

794 795 796
/*
 * Basic ARIA ECB test vectors from RFC 5794
 */
797 798 799 800 801 802 803 804
static const uint8_t aria_test1_ecb_key[32] =           // test key
{
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
};

805
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
806 807 808 809 810
{
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
};

811
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
812 813 814 815 816 817 818 819 820
{
    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
};

821 822 823 824
/*
 * Mode tests from "Test Vectors for ARIA"  Version 1.0
 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
 */
825
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843
    defined(MBEDTLS_CIPHER_MODE_CTR))
static const uint8_t aria_test2_key[32] =
{
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
};

static const uint8_t aria_test2_pt[48] =
{
    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
};
844
#endif
845

846
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
847
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
848 849 850 851 852
{
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
};
#endif
853 854

#if defined(MBEDTLS_CIPHER_MODE_CBC)
855
static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878
{
    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
};
#endif /* MBEDTLS_CIPHER_MODE_CBC */

#if defined(MBEDTLS_CIPHER_MODE_CFB)
879
static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902
{
    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
};
#endif /* MBEDTLS_CIPHER_MODE_CFB */

#if defined(MBEDTLS_CIPHER_MODE_CTR)
903
static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928
{
    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
};
#endif /* MBEDTLS_CIPHER_MODE_CFB */

#define ARIA_SELF_TEST_IF_FAIL              \
        {                                   \
            if( verbose )                   \
929
                mbedtls_printf( "failed\n" );       \
930 931 932
            return( 1 );                    \
        } else {                            \
            if( verbose )                   \
933
                mbedtls_printf( "passed\n" );       \
934 935
        }

936 937 938
/*
 * Checkup routine
 */
939 940 941
int mbedtls_aria_self_test( int verbose )
{
    int i;
942
    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
943
    mbedtls_aria_context ctx;
944

Markku-Juhani O. Saarinen's avatar
Markku-Juhani O. Saarinen committed
945 946
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
    size_t j;
947 948
#endif

949 950 951
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
     defined(MBEDTLS_CIPHER_MODE_CFB) || \
     defined(MBEDTLS_CIPHER_MODE_CTR))
952
    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
953 954
#endif

955 956 957
    /*
     * Test set 1
     */
958 959
    for( i = 0; i < 3; i++ )
    {
960
        /* test ECB encryption */
961
        if( verbose )
962
            mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
963
        mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
964
        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
965
        if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
966
            ARIA_SELF_TEST_IF_FAIL;
967

968
        /* test ECB decryption */
969
        if( verbose )
970
            mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
971
        mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
972
        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
973
        if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
974 975 976
            ARIA_SELF_TEST_IF_FAIL;
    }
    if( verbose )
977
        mbedtls_printf( "\n" );
978

979 980 981
    /*
     * Test set 2
     */
982 983 984
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    for( i = 0; i < 3; i++ )
    {
985
        /* Test CBC encryption */
986
        if( verbose )
987
            mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
988
        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
989
        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
990
        memset( buf, 0x55, sizeof( buf ) );
991 992 993 994 995
        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
            aria_test2_pt, buf );
        if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
            ARIA_SELF_TEST_IF_FAIL;

996
        /* Test CBC decryption */
997
        if( verbose )
998
            mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
999
        mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1000
        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );