blob: 19172f8475ed01f293a79a37055a1d2548f9fbb1 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +00001/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +010022/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000028#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +010051/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
54}
55
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +010056/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000059
60#ifndef GET_UINT32_LE
61#define GET_UINT32_LE(n,b,i) \
62{ \
63 (n) = ( (uint32_t) (b)[(i) ] ) \
64 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
67}
68#endif
69
70#ifndef PUT_UINT32_LE
71#define PUT_UINT32_LE(n,b,i) \
72{ \
73 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
74 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
75 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
76 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
77}
78#endif
79
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010080/*
81 * modify byte order ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
82 *
83 * This is submatrix P1 in [1] Appendix B.1
84 */
85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000086
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010087/*
88 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
89 *
90 * This is submatrix P2 in [1] Appendix B.1
91 */
92#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000093
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +010094/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +010095 * ARIA Affine Transform
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +010096 * (ra, rb, rc, rd) = state in/out
97 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +010098static inline void aria_a( uint32_t *a, uint32_t *b,
99 uint32_t *c, uint32_t *d )
100{
101 uint32_t ta, tb, tc;
102 ta = *b;
103 *b = *a;
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100104 *a = ARIA_P2( ta );
105 tb = ARIA_P2( *d );
106 *d = ARIA_P1( *c );
107 *c = ARIA_P1( tb );
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100108 ta ^= *d;
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100109 tc = ARIA_P2( *b );
110 ta = ARIA_P1( ta ) ^ tc ^ *c;
111 tb ^= ARIA_P2( *d );
112 tc ^= ARIA_P1( *a );
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100113 *b ^= ta ^ tb;
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100114 tb = ARIA_P2( tb ) ^ ta;
115 *a ^= ARIA_P1( tb );
116 ta = ARIA_P2( ta );
117 *d ^= ARIA_P1( ta ) ^ tc;
118 tc = ARIA_P2( tc );
119 *c ^= ARIA_P1( tc ) ^ ta;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000120}
121
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100122/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100123 * ARIA Substitution Layer SL1 / SL2
124 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100125 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100126 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100127 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
128 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100129 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100130static inline void aria_sl( uint32_t *a, uint32_t *b,
131 uint32_t *c, uint32_t *d,
132 const uint8_t sa[0x100], const uint8_t sb[0x100],
133 const uint8_t sc[0x100], const uint8_t sd[0x100] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100134{
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100135 *a = ( (uint32_t) sa[ *a & 0xFF]) ^
136 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
137 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
138 (((uint32_t) sd[ *a >> 24 ]) << 24);
139 *b = ( (uint32_t) sa[ *b & 0xFF]) ^
140 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
141 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
142 (((uint32_t) sd[ *b >> 24 ]) << 24);
143 *c = ( (uint32_t) sa[ *c & 0xFF]) ^
144 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
145 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
146 (((uint32_t) sd[ *c >> 24 ]) << 24);
147 *d = ( (uint32_t) sa[ *d & 0xFF]) ^
148 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
149 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
150 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000151}
152
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100153/*
154 * S-Boxes
155 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000156static const uint8_t aria_sb1[0x100] =
157{
158 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
159 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
160 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
161 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
162 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
163 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
164 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
165 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
166 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
167 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
168 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
169 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
170 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
171 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
172 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
173 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
174 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
175 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
176 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
177 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
178 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
179 0xB0, 0x54, 0xBB, 0x16
180};
181
182static const uint8_t aria_sb2[0x100] =
183{
184 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
185 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
186 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
187 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
188 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
189 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
190 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
191 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
192 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
193 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
194 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
195 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
196 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
197 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
198 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
199 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
200 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
201 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
202 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
203 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
204 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
205 0xAF, 0xBA, 0xB5, 0x81
206};
207
208static const uint8_t aria_is1[0x100] =
209{
210 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
211 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
212 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
213 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
214 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
215 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
217 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
218 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
219 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
220 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
221 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
223 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
224 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
225 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
227 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
228 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
229 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
230 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
231 0x55, 0x21, 0x0C, 0x7D
232};
233
234static const uint8_t aria_is2[0x100] =
235{
236 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
237 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
238 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
239 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
240 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
241 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
242 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
243 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
244 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
245 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
246 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
247 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
248 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
249 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
250 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
251 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
252 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
253 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
254 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
255 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
256 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
257 0x03, 0xA2, 0xAC, 0x60
258};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000259
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100260/*
261 * Helper for key schedule: r = FO( p, k ) ^ x
262 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100263static void aria_fo_xor( uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000264 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
265{
266 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000267
268 a = p[0] ^ k[0];
269 b = p[1] ^ k[1];
270 c = p[2] ^ k[2];
271 d = p[3] ^ k[3];
272
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100273 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
274 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000275
276 r[0] = a ^ x[0];
277 r[1] = b ^ x[1];
278 r[2] = c ^ x[2];
279 r[3] = d ^ x[3];
280}
281
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100282/*
283 * Helper for key schedule: r = FE( p, k ) ^ x
284 */
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100285static void aria_fe_xor(uint32_t r[4],
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000286 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
287{
288 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000289
290 a = p[0] ^ k[0];
291 b = p[1] ^ k[1];
292 c = p[2] ^ k[2];
293 d = p[3] ^ k[3];
294
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100295 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
296 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000297
298 r[0] = a ^ x[0];
299 r[1] = b ^ x[1];
300 r[2] = c ^ x[2];
301 r[3] = d ^ x[3];
302}
303
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100304/*
305 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
306 *
307 * We chose to store bytes into 32-bit words in little-endian format (see
308 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
309 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000310static void aria_rot128(uint32_t r[4], const uint32_t a[4],
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100311 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000312{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100313 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000314 uint32_t t, u;
315
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100316 const uint8_t n1 = n % 32; // bit offset
317 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100318
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100319 j = (n / 32) % 4; // initial word offset
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100320 t = ARIA_P2( ARIA_P1( b[j] ) ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000321 for( i = 0; i < 4; i++ )
322 {
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100323 j = (j + 1) % 4; // get next word, big endian
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100324 u = ARIA_P2( ARIA_P1( b[j] ) );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000325 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100326 t |= u >> n2;
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100327 t = ARIA_P2( ARIA_P1( t ) ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000328 r[i] = a[i] ^ t; // store
329 t = u; // move to next word
330 }
331}
332
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100333/*
334 * Set encryption key
335 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000336int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
337 const unsigned char *key, unsigned int keybits)
338{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100339 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000340 const uint32_t rc[3][4] =
341 {
342 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
343 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
344 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
345 };
346
347 int i;
348 uint32_t w[4][4], *w2;
349
350 if (keybits != 128 && keybits != 192 && keybits != 256)
351 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
352
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100353 /* Copy key to W0 (and potential remainder to W1) */
354 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000355 GET_UINT32_LE( w[0][1], key, 4 );
356 GET_UINT32_LE( w[0][2], key, 8 );
357 GET_UINT32_LE( w[0][3], key, 12 );
358
359 memset(w[1], 0, 16);
360 if( keybits >= 192 )
361 {
362 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
363 GET_UINT32_LE( w[1][1], key, 20 );
364 }
365 if( keybits == 256 )
366 {
367 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
368 GET_UINT32_LE( w[1][3], key, 28 );
369 }
370
371 i = (keybits - 128) >> 6; // index: 0, 1, 2
372 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
373
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100374 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000375 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100376 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000377 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100378 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000379
380 for( i = 0; i < 4; i++ ) // create round keys
381 {
382 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100383 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
384 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
385 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
386 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000387 }
388 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
389
390 return 0;
391}
392
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100393/*
394 * Set decryption key
395 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000396int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
397 const unsigned char *key, unsigned int keybits)
398{
399 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000400
401 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
402 if( ret != 0 )
403 return ret;
404
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100405 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000406 for( i = 0, j = ctx->nr; i < j; i++, j-- )
407 {
408 for( k = 0; k < 4; k++ )
409 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100410 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000411 ctx->rk[i][k] = ctx->rk[j][k];
412 ctx->rk[j][k] = t;
413 }
414 }
415
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100416 /* apply affine transform to middle keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000417 for (i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100418 aria_a( &ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000419
420 return 0;
421}
422
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100423/*
424 * Encrypt a block
425 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000426int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
427 int mode,
428 const unsigned char input[16],
429 unsigned char output[16] )
430{
431 int i;
432
433 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000434
435 ( (void) mode );
436
437 GET_UINT32_LE( a, input, 0 );
438 GET_UINT32_LE( b, input, 4 );
439 GET_UINT32_LE( c, input, 8 );
440 GET_UINT32_LE( d, input, 12 );
441
442 i = 0;
443 while (1)
444 {
445 a ^= ctx->rk[i][0];
446 b ^= ctx->rk[i][1];
447 c ^= ctx->rk[i][2];
448 d ^= ctx->rk[i][3];
449 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100450
451 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
452 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000453
454 a ^= ctx->rk[i][0];
455 b ^= ctx->rk[i][1];
456 c ^= ctx->rk[i][2];
457 d ^= ctx->rk[i][3];
458 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100459
460 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000461 if (i >= ctx->nr)
462 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100463 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000464 }
465
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100466 /* final key mixing */
467 a ^= ctx->rk[i][0];
468 b ^= ctx->rk[i][1];
469 c ^= ctx->rk[i][2];
470 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000471
472 PUT_UINT32_LE( a, output, 0 );
473 PUT_UINT32_LE( b, output, 4 );
474 PUT_UINT32_LE( c, output, 8 );
475 PUT_UINT32_LE( d, output, 12 );
476
477 return 0;
478}
479
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100480/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000481void mbedtls_aria_init( mbedtls_aria_context *ctx )
482{
483 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
484}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000485
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100486/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000487void mbedtls_aria_free( mbedtls_aria_context *ctx )
488{
489 if( ctx == NULL )
490 return;
491
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100492 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000493}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000494
495#if defined(MBEDTLS_CIPHER_MODE_CBC)
496/*
497 * ARIA-CBC buffer encryption/decryption
498 */
499int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
500 int mode,
501 size_t length,
502 unsigned char iv[16],
503 const unsigned char *input,
504 unsigned char *output )
505{
506 int i;
507 unsigned char temp[16];
508
509 if( length % 16 )
510 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
511
512 if( mode == MBEDTLS_ARIA_DECRYPT )
513 {
514 while( length > 0 )
515 {
516 memcpy( temp, input, 16 );
517 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
518
519 for( i = 0; i < 16; i++ )
520 output[i] = (unsigned char)( output[i] ^ iv[i] );
521
522 memcpy( iv, temp, 16 );
523
524 input += 16;
525 output += 16;
526 length -= 16;
527 }
528 }
529 else
530 {
531 while( length > 0 )
532 {
533 for( i = 0; i < 16; i++ )
534 output[i] = (unsigned char)( input[i] ^ iv[i] );
535
536 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
537 memcpy( iv, output, 16 );
538
539 input += 16;
540 output += 16;
541 length -= 16;
542 }
543 }
544
545 return( 0 );
546}
547#endif /* MBEDTLS_CIPHER_MODE_CBC */
548
549#if defined(MBEDTLS_CIPHER_MODE_CFB)
550/*
551 * ARIA-CFB128 buffer encryption/decryption
552 */
553int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
554 int mode,
555 size_t length,
556 size_t *iv_off,
557 unsigned char iv[16],
558 const unsigned char *input,
559 unsigned char *output )
560{
561 int c;
562 size_t n = *iv_off;
563
564 if( mode == MBEDTLS_ARIA_DECRYPT )
565 {
566 while( length-- )
567 {
568 if( n == 0 )
569 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
570
571 c = *input++;
572 *output++ = (unsigned char)( c ^ iv[n] );
573 iv[n] = (unsigned char) c;
574
575 n = ( n + 1 ) & 0x0F;
576 }
577 }
578 else
579 {
580 while( length-- )
581 {
582 if( n == 0 )
583 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
584
585 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
586
587 n = ( n + 1 ) & 0x0F;
588 }
589 }
590
591 *iv_off = n;
592
593 return( 0 );
594}
595#endif /* MBEDTLS_CIPHER_MODE_CFB */
596
597#if defined(MBEDTLS_CIPHER_MODE_CTR)
598/*
599 * ARIA-CTR buffer encryption/decryption
600 */
601int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
602 size_t length,
603 size_t *nc_off,
604 unsigned char nonce_counter[16],
605 unsigned char stream_block[16],
606 const unsigned char *input,
607 unsigned char *output )
608{
609 int c, i;
610 size_t n = *nc_off;
611
612 while( length-- )
613 {
614 if( n == 0 ) {
615 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
616 stream_block );
617
618 for( i = 16; i > 0; i-- )
619 if( ++nonce_counter[i - 1] != 0 )
620 break;
621 }
622 c = *input++;
623 *output++ = (unsigned char)( c ^ stream_block[n] );
624
625 n = ( n + 1 ) & 0x0F;
626 }
627
628 *nc_off = n;
629
630 return( 0 );
631}
632#endif /* MBEDTLS_CIPHER_MODE_CTR */
633#endif /* !MBEDTLS_ARIA_ALT */
634
635#if defined(MBEDTLS_SELF_TEST)
636
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100637/*
638 * Basic ARIA ECB test vectors from RFC 5794
639 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000640static const uint8_t aria_test1_ecb_key[32] = // test key
641{
642 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
643 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
644 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
645 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
646};
647
648static const uint8_t aria_test1_ecb_pt[16] = // plaintext
649{
650 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
651 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
652};
653
654static const uint8_t aria_test1_ecb_ct[3][16] = // ciphertext
655{
656 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
657 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
658 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
659 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
660 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
661 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
662};
663
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100664/*
665 * Mode tests from "Test Vectors for ARIA" Version 1.0
666 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
667 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000668#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000669 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000670static const uint8_t aria_test2_key[32] =
671{
672 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
673 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
674 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
675 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
676};
677
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000678static const uint8_t aria_test2_pt[48] =
679{
680 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
681 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
682 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
683 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
684 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
685 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
686};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000687#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000688
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000689#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
690static const uint8_t aria_test2_iv[16] =
691{
692 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
693 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
694};
695#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000696
697#if defined(MBEDTLS_CIPHER_MODE_CBC)
698static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertxt
699{
700 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
701 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
702 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
703 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
704 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
705 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
706 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
707 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
708 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
709 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
710 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
711 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
712 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
713 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
714 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
715 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
716 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
717 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
718};
719#endif /* MBEDTLS_CIPHER_MODE_CBC */
720
721#if defined(MBEDTLS_CIPHER_MODE_CFB)
722static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertxt
723{
724 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
725 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
726 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
727 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
728 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
729 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
730 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
731 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
732 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
733 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
734 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
735 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
736 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
737 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
738 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
739 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
740 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
741 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
742};
743#endif /* MBEDTLS_CIPHER_MODE_CFB */
744
745#if defined(MBEDTLS_CIPHER_MODE_CTR)
746static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertxt
747{
748 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
749 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
750 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
751 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
752 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
753 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
754 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
755 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
756 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
757 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
758 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
759 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
760 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
761 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
762 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
763 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
764 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
765 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
766};
767#endif /* MBEDTLS_CIPHER_MODE_CFB */
768
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000769#define ARIA_SELF_TEST_IF_FAIL \
770 { \
771 if( verbose ) \
772 printf( "failed\n" ); \
773 return( 1 ); \
774 } else { \
775 if( verbose ) \
776 printf( "passed\n" ); \
777 }
778
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100779/*
780 * Checkup routine
781 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000782int mbedtls_aria_self_test( int verbose )
783{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000784 int i;
785 uint8_t blk[16];
786 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000787
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000788#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
789 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000790#endif
791
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000792#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
793 defined(MBEDTLS_CIPHER_MODE_CFB) || \
794 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000795 uint8_t buf[48], iv[16];
796#endif
797
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100798 /*
799 * Test set 1
800 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000801 for( i = 0; i < 3; i++ )
802 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100803 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000804 if( verbose )
805 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000806 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000807 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000808 aria_test1_ecb_pt, blk );
809 if( memcmp( blk, aria_test1_ecb_ct[i], 16 ) != 0 )
810 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000811
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100812 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000813 if( verbose )
814 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000815 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000816 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000817 aria_test1_ecb_ct[i], blk );
818 if (memcmp( blk, aria_test1_ecb_pt, 16 ) != 0)
819 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000820 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000821 if( verbose )
822 printf("\n");
823
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100824 /*
825 * Test set 2
826 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000827#if defined(MBEDTLS_CIPHER_MODE_CBC)
828 for( i = 0; i < 3; i++ )
829 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100830 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000831 if( verbose )
832 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i);
833 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
834 memcpy( iv, aria_test2_iv, 16 );
835 memset( buf, 0x55, sizeof(buf) );
836 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
837 aria_test2_pt, buf );
838 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
839 ARIA_SELF_TEST_IF_FAIL;
840
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100841 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000842 if( verbose )
843 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i);
844 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
845 memcpy( iv, aria_test2_iv, 16 );
846 memset( buf, 0xAA, sizeof(buf) );
847 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
848 aria_test2_cbc_ct[i], buf );
849 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
850 ARIA_SELF_TEST_IF_FAIL;
851 }
852 if( verbose )
853 printf("\n");
854
855#endif /* MBEDTLS_CIPHER_MODE_CBC */
856
857#if defined(MBEDTLS_CIPHER_MODE_CFB)
858 for( i = 0; i < 3; i++ )
859 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100860 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000861 if( verbose )
862 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i);
863 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
864 memcpy( iv, aria_test2_iv, 16 );
865 memset( buf, 0x55, sizeof(buf) );
866 j = 0;
867 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
868 aria_test2_pt, buf );
869 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
870 ARIA_SELF_TEST_IF_FAIL;
871
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100872 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000873 if( verbose )
874 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i);
875 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
876 memcpy( iv, aria_test2_iv, 16 );
877 memset( buf, 0xAA, sizeof(buf) );
878 j = 0;
879 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
880 iv, aria_test2_cfb_ct[i], buf );
881 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
882 ARIA_SELF_TEST_IF_FAIL;
883 }
884 if( verbose )
885 printf("\n");
886#endif /* MBEDTLS_CIPHER_MODE_CFB */
887
888#if defined(MBEDTLS_CIPHER_MODE_CTR)
889 for( i = 0; i < 3; i++ )
890 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100891 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000892 if( verbose )
893 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i);
894 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
895 memset( iv, 0, 16 ); // IV = 0
896 memset( buf, 0x55, sizeof(buf) );
897 j = 0;
898 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
899 aria_test2_pt, buf );
900 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
901 ARIA_SELF_TEST_IF_FAIL;
902
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100903 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000904 if( verbose )
905 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i);
906 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
907 memset( iv, 0, 16 ); // IV = 0
908 memset( buf, 0xAA, sizeof(buf) );
909 j = 0;
910 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
911 aria_test2_ctr_ct[i], buf );
912 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
913 ARIA_SELF_TEST_IF_FAIL;
914 }
915 if( verbose )
916 printf("\n");
917#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000918
919 return( 0 );
920}
921
922#endif /* MBEDTLS_SELF_TEST */
923
924#endif /* MBEDTLS_ARIA_C */