2 * ARIA implementation
\r
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
\r
5 * SPDX-License-Identifier: Apache-2.0
\r
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
8 * not use this file except in compliance with the License.
\r
9 * You may obtain a copy of the License at
\r
11 * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * Unless required by applicable law or agreed to in writing, software
\r
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * See the License for the specific language governing permissions and
\r
17 * limitations under the License.
\r
19 * This file is part of mbed TLS (https://tls.mbed.org)
\r
23 * This implementation is based on the following standards:
\r
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
\r
25 * [2] https://tools.ietf.org/html/rfc5794
\r
28 #if !defined(MBEDTLS_CONFIG_FILE)
\r
29 #include "mbedtls/config.h"
\r
31 #include MBEDTLS_CONFIG_FILE
\r
34 #if defined(MBEDTLS_ARIA_C)
\r
36 #include "mbedtls/aria.h"
\r
40 #if defined(MBEDTLS_SELF_TEST)
\r
41 #if defined(MBEDTLS_PLATFORM_C)
\r
42 #include "mbedtls/platform.h"
\r
45 #define mbedtls_printf printf
\r
46 #endif /* MBEDTLS_PLATFORM_C */
\r
47 #endif /* MBEDTLS_SELF_TEST */
\r
49 #if !defined(MBEDTLS_ARIA_ALT)
\r
51 #include "mbedtls/platform_util.h"
\r
53 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
\r
54 !defined(inline) && !defined(__cplusplus)
\r
55 #define inline __inline
\r
58 /* Parameter validation macros */
\r
59 #define ARIA_VALIDATE_RET( cond ) \
\r
60 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
\r
61 #define ARIA_VALIDATE( cond ) \
\r
62 MBEDTLS_INTERNAL_VALIDATE( cond )
\r
65 * 32-bit integer manipulation macros (little endian)
\r
67 #ifndef GET_UINT32_LE
\r
68 #define GET_UINT32_LE( n, b, i ) \
\r
70 (n) = ( (uint32_t) (b)[(i) ] ) \
\r
71 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
\r
72 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
\r
73 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
\r
77 #ifndef PUT_UINT32_LE
\r
78 #define PUT_UINT32_LE( n, b, i ) \
\r
80 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
\r
81 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
\r
82 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
\r
83 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
\r
88 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
\r
90 * This is submatrix P1 in [1] Appendix B.1
\r
92 * Common compilers fail to translate this to minimal number of instructions,
\r
93 * so let's provide asm versions for common platforms with C fallback.
\r
95 #if defined(MBEDTLS_HAVE_ASM)
\r
96 #if defined(__arm__) /* rev16 available from v6 up */
\r
97 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
\r
98 #if defined(__GNUC__) && \
\r
99 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
\r
101 static inline uint32_t aria_p1( uint32_t x )
\r
104 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
\r
107 #define ARIA_P1 aria_p1
\r
108 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
\r
109 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
\r
110 static inline uint32_t aria_p1( uint32_t x )
\r
113 __asm( "rev16 r, x" );
\r
116 #define ARIA_P1 aria_p1
\r
119 #if defined(__GNUC__) && \
\r
120 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
\r
121 /* I couldn't find an Intel equivalent of rev16, so two instructions */
\r
122 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
\r
123 #endif /* x86 gnuc */
\r
124 #endif /* MBEDTLS_HAVE_ASM && GNUC */
\r
125 #if !defined(ARIA_P1)
\r
126 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
\r
130 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
\r
132 * This is submatrix P2 in [1] Appendix B.1
\r
134 * Common compilers will translate this to a single instruction.
\r
136 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
\r
139 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
\r
141 * This is submatrix P3 in [1] Appendix B.1
\r
143 * Some compilers fail to translate this to a single instruction,
\r
144 * so let's provide asm versions for common platforms with C fallback.
\r
146 #if defined(MBEDTLS_HAVE_ASM)
\r
147 #if defined(__arm__) /* rev available from v6 up */
\r
148 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
\r
149 #if defined(__GNUC__) && \
\r
150 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
\r
152 static inline uint32_t aria_p3( uint32_t x )
\r
155 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
\r
158 #define ARIA_P3 aria_p3
\r
159 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
\r
160 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
\r
161 static inline uint32_t aria_p3( uint32_t x )
\r
164 __asm( "rev r, x" );
\r
167 #define ARIA_P3 aria_p3
\r
170 #if defined(__GNUC__) && \
\r
171 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
\r
172 static inline uint32_t aria_p3( uint32_t x )
\r
174 __asm( "bswap %0" : "=r" (x) : "0" (x) );
\r
177 #define ARIA_P3 aria_p3
\r
178 #endif /* x86 gnuc */
\r
179 #endif /* MBEDTLS_HAVE_ASM && GNUC */
\r
180 #if !defined(ARIA_P3)
\r
181 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
\r
185 * ARIA Affine Transform
\r
186 * (a, b, c, d) = state in/out
\r
188 * If we denote the first byte of input by 0, ..., the last byte by f,
\r
189 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
\r
191 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
\r
192 * rearrangements on adjacent pairs, output is:
\r
194 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
\r
195 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
\r
196 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
\r
197 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
\r
198 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
\r
199 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
\r
200 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
\r
201 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
\r
203 * Note: another presentation of the A transform can be found as the first
\r
204 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
\r
205 * The implementation below uses only P1 and P2 as they are sufficient.
\r
207 static inline void aria_a( uint32_t *a, uint32_t *b,
\r
208 uint32_t *c, uint32_t *d )
\r
210 uint32_t ta, tb, tc;
\r
213 *a = ARIA_P2( ta ); // 6745
\r
214 tb = ARIA_P2( *d ); // efcd
\r
215 *d = ARIA_P1( *c ); // 98ba
\r
216 *c = ARIA_P1( tb ); // fedc
\r
217 ta ^= *d; // 4567+98ba
\r
218 tc = ARIA_P2( *b ); // 2301
\r
219 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
\r
220 tb ^= ARIA_P2( *d ); // ba98+efcd
\r
221 tc ^= ARIA_P1( *a ); // 2301+7654
\r
222 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
\r
223 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
\r
224 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
\r
225 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
\r
226 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
\r
227 tc = ARIA_P2( tc ); // 0123+5476
\r
228 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
\r
232 * ARIA Substitution Layer SL1 / SL2
\r
233 * (a, b, c, d) = state in/out
\r
234 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
\r
236 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
\r
237 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
\r
239 static inline void aria_sl( uint32_t *a, uint32_t *b,
\r
240 uint32_t *c, uint32_t *d,
\r
241 const uint8_t sa[256], const uint8_t sb[256],
\r
242 const uint8_t sc[256], const uint8_t sd[256] )
\r
244 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
\r
245 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
\r
246 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
\r
247 (((uint32_t) sd[ *a >> 24 ]) << 24);
\r
248 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
\r
249 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
\r
250 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
\r
251 (((uint32_t) sd[ *b >> 24 ]) << 24);
\r
252 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
\r
253 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
\r
254 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
\r
255 (((uint32_t) sd[ *c >> 24 ]) << 24);
\r
256 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
\r
257 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
\r
258 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
\r
259 (((uint32_t) sd[ *d >> 24 ]) << 24);
\r
265 static const uint8_t aria_sb1[256] =
\r
267 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
\r
268 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
\r
269 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
\r
270 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
\r
271 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
\r
272 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
\r
273 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
\r
274 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
\r
275 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
\r
276 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
\r
277 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
\r
278 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
\r
279 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
\r
280 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
\r
281 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
\r
282 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
\r
283 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
\r
284 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
\r
285 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
\r
286 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
\r
287 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
\r
288 0xB0, 0x54, 0xBB, 0x16
\r
291 static const uint8_t aria_sb2[256] =
\r
293 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
\r
294 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
\r
295 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
\r
296 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
\r
297 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
\r
298 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
\r
299 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
\r
300 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
\r
301 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
\r
302 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
\r
303 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
\r
304 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
\r
305 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
\r
306 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
\r
307 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
\r
308 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
\r
309 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
\r
310 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
\r
311 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
\r
312 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
\r
313 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
\r
314 0xAF, 0xBA, 0xB5, 0x81
\r
317 static const uint8_t aria_is1[256] =
\r
319 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
\r
320 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
\r
321 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
\r
322 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
\r
323 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
\r
324 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
\r
325 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
\r
326 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
\r
327 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
\r
328 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
\r
329 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
\r
330 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
\r
331 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
\r
332 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
\r
333 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
\r
334 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
\r
335 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
\r
336 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
\r
337 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
\r
338 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
\r
339 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
\r
340 0x55, 0x21, 0x0C, 0x7D
\r
343 static const uint8_t aria_is2[256] =
\r
345 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
\r
346 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
\r
347 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
\r
348 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
\r
349 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
\r
350 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
\r
351 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
\r
352 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
\r
353 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
\r
354 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
\r
355 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
\r
356 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
\r
357 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
\r
358 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
\r
359 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
\r
360 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
\r
361 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
\r
362 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
\r
363 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
\r
364 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
\r
365 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
\r
366 0x03, 0xA2, 0xAC, 0x60
\r
370 * Helper for key schedule: r = FO( p, k ) ^ x
\r
372 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
\r
373 const uint32_t k[4], const uint32_t x[4] )
\r
375 uint32_t a, b, c, d;
\r
382 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
\r
383 aria_a( &a, &b, &c, &d );
\r
392 * Helper for key schedule: r = FE( p, k ) ^ x
\r
394 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
\r
395 const uint32_t k[4], const uint32_t x[4] )
\r
397 uint32_t a, b, c, d;
\r
404 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
\r
405 aria_a( &a, &b, &c, &d );
\r
414 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
\r
416 * We chose to store bytes into 32-bit words in little-endian format (see
\r
417 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
\r
419 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
\r
420 const uint32_t b[4], uint8_t n )
\r
425 const uint8_t n1 = n % 32; // bit offset
\r
426 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
\r
428 j = ( n / 32 ) % 4; // initial word offset
\r
429 t = ARIA_P3( b[j] ); // big endian
\r
430 for( i = 0; i < 4; i++ )
\r
432 j = ( j + 1 ) % 4; // get next word, big endian
\r
433 u = ARIA_P3( b[j] );
\r
434 t <<= n1; // rotate
\r
436 t = ARIA_P3( t ); // back to little endian
\r
437 r[i] = a[i] ^ t; // store
\r
438 t = u; // move to next word
\r
443 * Set encryption key
\r
445 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
\r
446 const unsigned char *key, unsigned int keybits )
\r
448 /* round constant masks */
\r
449 const uint32_t rc[3][4] =
\r
451 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
\r
452 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
\r
453 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
\r
457 uint32_t w[4][4], *w2;
\r
458 ARIA_VALIDATE_RET( ctx != NULL );
\r
459 ARIA_VALIDATE_RET( key != NULL );
\r
461 if( keybits != 128 && keybits != 192 && keybits != 256 )
\r
462 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
\r
464 /* Copy key to W0 (and potential remainder to W1) */
\r
465 GET_UINT32_LE( w[0][0], key, 0 );
\r
466 GET_UINT32_LE( w[0][1], key, 4 );
\r
467 GET_UINT32_LE( w[0][2], key, 8 );
\r
468 GET_UINT32_LE( w[0][3], key, 12 );
\r
470 memset( w[1], 0, 16 );
\r
471 if( keybits >= 192 )
\r
473 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
\r
474 GET_UINT32_LE( w[1][1], key, 20 );
\r
476 if( keybits == 256 )
\r
478 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
\r
479 GET_UINT32_LE( w[1][3], key, 28 );
\r
482 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
\r
483 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
\r
485 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
\r
486 i = i < 2 ? i + 1 : 0;
\r
487 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
\r
488 i = i < 2 ? i + 1 : 0;
\r
489 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
\r
491 for( i = 0; i < 4; i++ ) // create round keys
\r
493 w2 = w[(i + 1) & 3];
\r
494 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
\r
495 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
\r
496 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
\r
497 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
\r
499 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
\r
501 /* w holds enough info to reconstruct the round keys */
\r
502 mbedtls_platform_zeroize( w, sizeof( w ) );
\r
508 * Set decryption key
\r
510 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
\r
511 const unsigned char *key, unsigned int keybits )
\r
514 ARIA_VALIDATE_RET( ctx != NULL );
\r
515 ARIA_VALIDATE_RET( key != NULL );
\r
517 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
\r
521 /* flip the order of round keys */
\r
522 for( i = 0, j = ctx->nr; i < j; i++, j-- )
\r
524 for( k = 0; k < 4; k++ )
\r
526 uint32_t t = ctx->rk[i][k];
\r
527 ctx->rk[i][k] = ctx->rk[j][k];
\r
532 /* apply affine transform to middle keys */
\r
533 for( i = 1; i < ctx->nr; i++ )
\r
535 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
\r
536 &ctx->rk[i][2], &ctx->rk[i][3] );
\r
545 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
\r
546 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
\r
547 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
\r
551 uint32_t a, b, c, d;
\r
552 ARIA_VALIDATE_RET( ctx != NULL );
\r
553 ARIA_VALIDATE_RET( input != NULL );
\r
554 ARIA_VALIDATE_RET( output != NULL );
\r
556 GET_UINT32_LE( a, input, 0 );
\r
557 GET_UINT32_LE( b, input, 4 );
\r
558 GET_UINT32_LE( c, input, 8 );
\r
559 GET_UINT32_LE( d, input, 12 );
\r
564 a ^= ctx->rk[i][0];
\r
565 b ^= ctx->rk[i][1];
\r
566 c ^= ctx->rk[i][2];
\r
567 d ^= ctx->rk[i][3];
\r
570 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
\r
571 aria_a( &a, &b, &c, &d );
\r
573 a ^= ctx->rk[i][0];
\r
574 b ^= ctx->rk[i][1];
\r
575 c ^= ctx->rk[i][2];
\r
576 d ^= ctx->rk[i][3];
\r
579 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
\r
582 aria_a( &a, &b, &c, &d );
\r
585 /* final key mixing */
\r
586 a ^= ctx->rk[i][0];
\r
587 b ^= ctx->rk[i][1];
\r
588 c ^= ctx->rk[i][2];
\r
589 d ^= ctx->rk[i][3];
\r
591 PUT_UINT32_LE( a, output, 0 );
\r
592 PUT_UINT32_LE( b, output, 4 );
\r
593 PUT_UINT32_LE( c, output, 8 );
\r
594 PUT_UINT32_LE( d, output, 12 );
\r
599 /* Initialize context */
\r
600 void mbedtls_aria_init( mbedtls_aria_context *ctx )
\r
602 ARIA_VALIDATE( ctx != NULL );
\r
603 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
\r
606 /* Clear context */
\r
607 void mbedtls_aria_free( mbedtls_aria_context *ctx )
\r
612 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
\r
615 #if defined(MBEDTLS_CIPHER_MODE_CBC)
\r
617 * ARIA-CBC buffer encryption/decryption
\r
619 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
\r
622 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
\r
623 const unsigned char *input,
\r
624 unsigned char *output )
\r
627 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
\r
629 ARIA_VALIDATE_RET( ctx != NULL );
\r
630 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
\r
631 mode == MBEDTLS_ARIA_DECRYPT );
\r
632 ARIA_VALIDATE_RET( length == 0 || input != NULL );
\r
633 ARIA_VALIDATE_RET( length == 0 || output != NULL );
\r
634 ARIA_VALIDATE_RET( iv != NULL );
\r
636 if( length % MBEDTLS_ARIA_BLOCKSIZE )
\r
637 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
\r
639 if( mode == MBEDTLS_ARIA_DECRYPT )
\r
641 while( length > 0 )
\r
643 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
\r
644 mbedtls_aria_crypt_ecb( ctx, input, output );
\r
646 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
\r
647 output[i] = (unsigned char)( output[i] ^ iv[i] );
\r
649 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
\r
651 input += MBEDTLS_ARIA_BLOCKSIZE;
\r
652 output += MBEDTLS_ARIA_BLOCKSIZE;
\r
653 length -= MBEDTLS_ARIA_BLOCKSIZE;
\r
658 while( length > 0 )
\r
660 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
\r
661 output[i] = (unsigned char)( input[i] ^ iv[i] );
\r
663 mbedtls_aria_crypt_ecb( ctx, output, output );
\r
664 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
\r
666 input += MBEDTLS_ARIA_BLOCKSIZE;
\r
667 output += MBEDTLS_ARIA_BLOCKSIZE;
\r
668 length -= MBEDTLS_ARIA_BLOCKSIZE;
\r
674 #endif /* MBEDTLS_CIPHER_MODE_CBC */
\r
676 #if defined(MBEDTLS_CIPHER_MODE_CFB)
\r
678 * ARIA-CFB128 buffer encryption/decryption
\r
680 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
\r
684 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
\r
685 const unsigned char *input,
\r
686 unsigned char *output )
\r
691 ARIA_VALIDATE_RET( ctx != NULL );
\r
692 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
\r
693 mode == MBEDTLS_ARIA_DECRYPT );
\r
694 ARIA_VALIDATE_RET( length == 0 || input != NULL );
\r
695 ARIA_VALIDATE_RET( length == 0 || output != NULL );
\r
696 ARIA_VALIDATE_RET( iv != NULL );
\r
697 ARIA_VALIDATE_RET( iv_off != NULL );
\r
701 /* An overly large value of n can lead to an unlimited
\r
702 * buffer overflow. Therefore, guard against this
\r
703 * outside of parameter validation. */
\r
704 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
\r
705 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
\r
707 if( mode == MBEDTLS_ARIA_DECRYPT )
\r
712 mbedtls_aria_crypt_ecb( ctx, iv, iv );
\r
715 *output++ = c ^ iv[n];
\r
718 n = ( n + 1 ) & 0x0F;
\r
726 mbedtls_aria_crypt_ecb( ctx, iv, iv );
\r
728 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
\r
730 n = ( n + 1 ) & 0x0F;
\r
738 #endif /* MBEDTLS_CIPHER_MODE_CFB */
\r
740 #if defined(MBEDTLS_CIPHER_MODE_CTR)
\r
742 * ARIA-CTR buffer encryption/decryption
\r
744 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
\r
747 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
\r
748 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
\r
749 const unsigned char *input,
\r
750 unsigned char *output )
\r
755 ARIA_VALIDATE_RET( ctx != NULL );
\r
756 ARIA_VALIDATE_RET( length == 0 || input != NULL );
\r
757 ARIA_VALIDATE_RET( length == 0 || output != NULL );
\r
758 ARIA_VALIDATE_RET( nonce_counter != NULL );
\r
759 ARIA_VALIDATE_RET( stream_block != NULL );
\r
760 ARIA_VALIDATE_RET( nc_off != NULL );
\r
763 /* An overly large value of n can lead to an unlimited
\r
764 * buffer overflow. Therefore, guard against this
\r
765 * outside of parameter validation. */
\r
766 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
\r
767 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
\r
772 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
\r
775 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
\r
776 if( ++nonce_counter[i - 1] != 0 )
\r
780 *output++ = (unsigned char)( c ^ stream_block[n] );
\r
782 n = ( n + 1 ) & 0x0F;
\r
789 #endif /* MBEDTLS_CIPHER_MODE_CTR */
\r
790 #endif /* !MBEDTLS_ARIA_ALT */
\r
792 #if defined(MBEDTLS_SELF_TEST)
\r
795 * Basic ARIA ECB test vectors from RFC 5794
\r
797 static const uint8_t aria_test1_ecb_key[32] = // test key
\r
799 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
\r
800 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
\r
801 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
\r
802 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
\r
805 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
\r
807 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
\r
808 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
\r
811 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
\r
813 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
\r
814 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
\r
815 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
\r
816 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
\r
817 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
\r
818 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
\r
822 * Mode tests from "Test Vectors for ARIA" Version 1.0
\r
823 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
\r
825 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
\r
826 defined(MBEDTLS_CIPHER_MODE_CTR))
\r
827 static const uint8_t aria_test2_key[32] =
\r
829 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
\r
830 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
\r
831 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
\r
832 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
\r
835 static const uint8_t aria_test2_pt[48] =
\r
837 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
\r
838 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
\r
839 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
\r
840 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
\r
841 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
\r
842 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
\r
846 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
\r
847 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
\r
849 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
\r
850 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
\r
854 #if defined(MBEDTLS_CIPHER_MODE_CBC)
\r
855 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
\r
857 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
\r
858 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
\r
859 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
\r
860 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
\r
861 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
\r
862 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
\r
863 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
\r
864 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
\r
865 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
\r
866 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
\r
867 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
\r
868 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
\r
869 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
\r
870 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
\r
871 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
\r
872 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
\r
873 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
\r
874 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
\r
876 #endif /* MBEDTLS_CIPHER_MODE_CBC */
\r
878 #if defined(MBEDTLS_CIPHER_MODE_CFB)
\r
879 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
\r
881 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
\r
882 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
\r
883 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
\r
884 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
\r
885 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
\r
886 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
\r
887 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
\r
888 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
\r
889 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
\r
890 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
\r
891 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
\r
892 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
\r
893 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
\r
894 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
\r
895 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
\r
896 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
\r
897 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
\r
898 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
\r
900 #endif /* MBEDTLS_CIPHER_MODE_CFB */
\r
902 #if defined(MBEDTLS_CIPHER_MODE_CTR)
\r
903 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
\r
905 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
\r
906 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
\r
907 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
\r
908 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
\r
909 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
\r
910 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
\r
911 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
\r
912 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
\r
913 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
\r
914 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
\r
915 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
\r
916 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
\r
917 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
\r
918 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
\r
919 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
\r
920 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
\r
921 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
\r
922 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
\r
924 #endif /* MBEDTLS_CIPHER_MODE_CFB */
\r
926 #define ARIA_SELF_TEST_IF_FAIL \
\r
929 mbedtls_printf( "failed\n" ); \
\r
933 mbedtls_printf( "passed\n" ); \
\r
939 int mbedtls_aria_self_test( int verbose )
\r
942 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
\r
943 mbedtls_aria_context ctx;
\r
945 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
\r
949 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
\r
950 defined(MBEDTLS_CIPHER_MODE_CFB) || \
\r
951 defined(MBEDTLS_CIPHER_MODE_CTR))
\r
952 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
\r
958 for( i = 0; i < 3; i++ )
\r
960 /* test ECB encryption */
\r
962 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
\r
963 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
\r
964 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
\r
965 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
\r
966 ARIA_SELF_TEST_IF_FAIL;
\r
968 /* test ECB decryption */
\r
970 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
\r
971 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
\r
972 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
\r
973 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
\r
974 ARIA_SELF_TEST_IF_FAIL;
\r
977 mbedtls_printf( "\n" );
\r
982 #if defined(MBEDTLS_CIPHER_MODE_CBC)
\r
983 for( i = 0; i < 3; i++ )
\r
985 /* Test CBC encryption */
\r
987 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
\r
988 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
\r
989 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
\r
990 memset( buf, 0x55, sizeof( buf ) );
\r
991 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
\r
992 aria_test2_pt, buf );
\r
993 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
\r
994 ARIA_SELF_TEST_IF_FAIL;
\r
996 /* Test CBC decryption */
\r
998 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
\r
999 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
\r
1000 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
\r
1001 memset( buf, 0xAA, sizeof( buf ) );
\r
1002 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
\r
1003 aria_test2_cbc_ct[i], buf );
\r
1004 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
\r
1005 ARIA_SELF_TEST_IF_FAIL;
\r
1008 mbedtls_printf( "\n" );
\r
1010 #endif /* MBEDTLS_CIPHER_MODE_CBC */
\r
1012 #if defined(MBEDTLS_CIPHER_MODE_CFB)
\r
1013 for( i = 0; i < 3; i++ )
\r
1015 /* Test CFB encryption */
\r
1017 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
\r
1018 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
\r
1019 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
\r
1020 memset( buf, 0x55, sizeof( buf ) );
\r
1022 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
\r
1023 aria_test2_pt, buf );
\r
1024 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
\r
1025 ARIA_SELF_TEST_IF_FAIL;
\r
1027 /* Test CFB decryption */
\r
1029 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
\r
1030 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
\r
1031 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
\r
1032 memset( buf, 0xAA, sizeof( buf ) );
\r
1034 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
\r
1035 iv, aria_test2_cfb_ct[i], buf );
\r
1036 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
\r
1037 ARIA_SELF_TEST_IF_FAIL;
\r
1040 mbedtls_printf( "\n" );
\r
1041 #endif /* MBEDTLS_CIPHER_MODE_CFB */
\r
1043 #if defined(MBEDTLS_CIPHER_MODE_CTR)
\r
1044 for( i = 0; i < 3; i++ )
\r
1046 /* Test CTR encryption */
\r
1048 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
\r
1049 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
\r
1050 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
\r
1051 memset( buf, 0x55, sizeof( buf ) );
\r
1053 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
\r
1054 aria_test2_pt, buf );
\r
1055 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
\r
1056 ARIA_SELF_TEST_IF_FAIL;
\r
1058 /* Test CTR decryption */
\r
1060 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
\r
1061 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
\r
1062 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
\r
1063 memset( buf, 0xAA, sizeof( buf ) );
\r
1065 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
\r
1066 aria_test2_ctr_ct[i], buf );
\r
1067 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
\r
1068 ARIA_SELF_TEST_IF_FAIL;
\r
1071 mbedtls_printf( "\n" );
\r
1072 #endif /* MBEDTLS_CIPHER_MODE_CTR */
\r
1077 #endif /* MBEDTLS_SELF_TEST */
\r
1079 #endif /* MBEDTLS_ARIA_C */
\r