1
#pragma clang diagnostic ignored "-Wunknown-warning-option"
2
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
3
#pragma clang diagnostic ignored "-Wsign-conversion"
5
#pragma GCC diagnostic ignored "-Wconversion"
7
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
8
#pragma clang diagnostic ignored "-Wsign-conversion"
10
#pragma GCC diagnostic ignored "-Wconversion"
12
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
13
#pragma clang diagnostic ignored "-Wsign-conversion"
17
* Copyright The Mbed TLS Contributors
18
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
20
* This file is provided under the Apache License 2.0, or the
21
* GNU General Public License v2.0 or later.
26
* Licensed under the Apache License, Version 2.0 (the "License"); you may
27
* not use this file except in compliance with the License.
28
* You may obtain a copy of the License at
30
* http://www.apache.org/licenses/LICENSE-2.0
32
* Unless required by applicable law or agreed to in writing, software
33
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
34
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
35
* See the License for the specific language governing permissions and
36
* limitations under the License.
41
* GNU General Public License v2.0 or later:
43
* This program is free software; you can redistribute it and/or modify
44
* it under the terms of the GNU General Public License as published by
45
* the Free Software Foundation; either version 2 of the License, or
46
* (at your option) any later version.
48
* This program is distributed in the hope that it will be useful,
49
* but WITHOUT ANY WARRANTY; without even the implied warranty of
50
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
51
* GNU General Public License for more details.
53
* You should have received a copy of the GNU General Public License along
54
* with this program; if not, write to the Free Software Foundation, Inc.,
55
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
61
* This implementation is based on the following standards:
62
* [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
63
* [2] https://tools.ietf.org/html/rfc5794
66
#if !defined(MBEDTLS_CONFIG_FILE)
67
#include "mbedtls/config.h"
69
#include MBEDTLS_CONFIG_FILE
72
#if defined(MBEDTLS_ARIA_C)
74
#include "mbedtls/aria.h"
78
#if defined(MBEDTLS_SELF_TEST)
79
#if defined(MBEDTLS_PLATFORM_C)
80
#include "mbedtls/platform.h"
83
#define mbedtls_printf printf
84
#endif /* MBEDTLS_PLATFORM_C */
85
#endif /* MBEDTLS_SELF_TEST */
87
#if !defined(MBEDTLS_ARIA_ALT)
89
#include "mbedtls/platform_util.h"
91
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
92
!defined(inline) && !defined(__cplusplus)
93
#define inline __inline
96
/* Parameter validation macros */
97
#define ARIA_VALIDATE_RET( cond ) \
98
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
99
#define ARIA_VALIDATE( cond ) \
100
MBEDTLS_INTERNAL_VALIDATE( cond )
103
* 32-bit integer manipulation macros (little endian)
105
#ifndef GET_UINT32_LE
106
#define GET_UINT32_LE( n, b, i ) \
108
(n) = ( (uint32_t) (b)[(i) ] ) \
109
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
110
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
111
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
115
#ifndef PUT_UINT32_LE
116
#define PUT_UINT32_LE( n, b, i ) \
118
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
119
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
120
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
121
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
126
* modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
128
* This is submatrix P1 in [1] Appendix B.1
130
* Common compilers fail to translate this to minimal number of instructions,
131
* so let's provide asm versions for common platforms with C fallback.
133
#if defined(MBEDTLS_HAVE_ASM)
134
#if defined(__arm__) /* rev16 available from v6 up */
135
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
136
#if defined(__GNUC__) && \
137
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
139
static inline uint32_t aria_p1( uint32_t x )
142
__asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
145
#define ARIA_P1 aria_p1
146
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
147
( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
148
static inline uint32_t aria_p1( uint32_t x )
151
__asm( "rev16 r, x" );
154
#define ARIA_P1 aria_p1
157
#if defined(__GNUC__) && \
158
defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
159
/* I couldn't find an Intel equivalent of rev16, so two instructions */
160
#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
161
#endif /* x86 gnuc */
162
#endif /* MBEDTLS_HAVE_ASM && GNUC */
163
#if !defined(ARIA_P1)
164
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
168
* modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
170
* This is submatrix P2 in [1] Appendix B.1
172
* Common compilers will translate this to a single instruction.
174
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
177
* modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
179
* This is submatrix P3 in [1] Appendix B.1
181
* Some compilers fail to translate this to a single instruction,
182
* so let's provide asm versions for common platforms with C fallback.
184
#if defined(MBEDTLS_HAVE_ASM)
185
#if defined(__arm__) /* rev available from v6 up */
186
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
187
#if defined(__GNUC__) && \
188
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
190
static inline uint32_t aria_p3( uint32_t x )
193
__asm( "rev %0, %1" : "=l" (r) : "l" (x) );
196
#define ARIA_P3 aria_p3
197
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
198
( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
199
static inline uint32_t aria_p3( uint32_t x )
205
#define ARIA_P3 aria_p3
208
#if defined(__GNUC__) && \
209
defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
210
static inline uint32_t aria_p3( uint32_t x )
212
__asm( "bswap %0" : "=r" (x) : "0" (x) );
215
#define ARIA_P3 aria_p3
216
#endif /* x86 gnuc */
217
#endif /* MBEDTLS_HAVE_ASM && GNUC */
218
#if !defined(ARIA_P3)
219
#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
223
* ARIA Affine Transform
224
* (a, b, c, d) = state in/out
226
* If we denote the first byte of input by 0, ..., the last byte by f,
227
* then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
229
* Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
230
* rearrangements on adjacent pairs, output is:
232
* a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
233
* = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
234
* b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
235
* = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
236
* c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
237
* = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
238
* d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
239
* = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
241
* Note: another presentation of the A transform can be found as the first
242
* half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
243
* The implementation below uses only P1 and P2 as they are sufficient.
245
static inline void aria_a( uint32_t *a, uint32_t *b,
246
uint32_t *c, uint32_t *d )
251
*a = ARIA_P2( ta ); // 6745
252
tb = ARIA_P2( *d ); // efcd
253
*d = ARIA_P1( *c ); // 98ba
254
*c = ARIA_P1( tb ); // fedc
255
ta ^= *d; // 4567+98ba
256
tc = ARIA_P2( *b ); // 2301
257
ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
258
tb ^= ARIA_P2( *d ); // ba98+efcd
259
tc ^= ARIA_P1( *a ); // 2301+7654
260
*b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
261
tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
262
*a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
263
ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
264
*d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
265
tc = ARIA_P2( tc ); // 0123+5476
266
*c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
270
* ARIA Substitution Layer SL1 / SL2
271
* (a, b, c, d) = state in/out
272
* (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
274
* By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
275
* By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
277
static inline void aria_sl( uint32_t *a, uint32_t *b,
278
uint32_t *c, uint32_t *d,
279
const uint8_t sa[256], const uint8_t sb[256],
280
const uint8_t sc[256], const uint8_t sd[256] )
282
*a = ( (uint32_t) sa[ *a & 0xFF] ) ^
283
(((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
284
(((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
285
(((uint32_t) sd[ *a >> 24 ]) << 24);
286
*b = ( (uint32_t) sa[ *b & 0xFF] ) ^
287
(((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
288
(((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
289
(((uint32_t) sd[ *b >> 24 ]) << 24);
290
*c = ( (uint32_t) sa[ *c & 0xFF] ) ^
291
(((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
292
(((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
293
(((uint32_t) sd[ *c >> 24 ]) << 24);
294
*d = ( (uint32_t) sa[ *d & 0xFF] ) ^
295
(((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
296
(((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
297
(((uint32_t) sd[ *d >> 24 ]) << 24);
303
static const uint8_t aria_sb1[256] =
305
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
306
0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
307
0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
308
0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
309
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
310
0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
311
0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
312
0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
313
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
314
0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
315
0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
316
0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
317
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
318
0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
319
0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
320
0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
321
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
322
0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
323
0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
324
0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
325
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
326
0xB0, 0x54, 0xBB, 0x16
329
static const uint8_t aria_sb2[256] =
331
0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
332
0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
333
0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
334
0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
335
0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
336
0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
337
0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
338
0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
339
0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
340
0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
341
0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
342
0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
343
0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
344
0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
345
0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
346
0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
347
0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
348
0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
349
0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
350
0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
351
0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
352
0xAF, 0xBA, 0xB5, 0x81
355
static const uint8_t aria_is1[256] =
357
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
358
0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
359
0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
360
0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
361
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
362
0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
363
0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
364
0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
365
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
366
0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
367
0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
368
0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
369
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
370
0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
371
0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
372
0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
373
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
374
0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
375
0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
376
0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
377
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
378
0x55, 0x21, 0x0C, 0x7D
381
static const uint8_t aria_is2[256] =
383
0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
384
0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
385
0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
386
0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
387
0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
388
0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
389
0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
390
0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
391
0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
392
0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
393
0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
394
0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
395
0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
396
0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
397
0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
398
0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
399
0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
400
0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
401
0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
402
0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
403
0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
404
0x03, 0xA2, 0xAC, 0x60
408
* Helper for key schedule: r = FO( p, k ) ^ x
410
static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
411
const uint32_t k[4], const uint32_t x[4] )
420
aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
421
aria_a( &a, &b, &c, &d );
430
* Helper for key schedule: r = FE( p, k ) ^ x
432
static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
433
const uint32_t k[4], const uint32_t x[4] )
442
aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
443
aria_a( &a, &b, &c, &d );
452
* Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
454
* We chose to store bytes into 32-bit words in little-endian format (see
455
* GET/PUT_UINT32_LE) so we need to reverse bytes here.
457
static void aria_rot128( uint32_t r[4], const uint32_t a[4],
458
const uint32_t b[4], uint8_t n )
463
const uint8_t n1 = n % 32; // bit offset
464
const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
466
j = ( n / 32 ) % 4; // initial word offset
467
t = ARIA_P3( b[j] ); // big endian
468
for( i = 0; i < 4; i++ )
470
j = ( j + 1 ) % 4; // get next word, big endian
474
t = ARIA_P3( t ); // back to little endian
475
r[i] = a[i] ^ t; // store
476
t = u; // move to next word
483
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
484
const unsigned char *key, unsigned int keybits )
486
/* round constant masks */
487
const uint32_t rc[3][4] =
489
{ 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
490
{ 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
491
{ 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
495
uint32_t w[4][4], *w2;
496
ARIA_VALIDATE_RET( ctx != NULL );
497
ARIA_VALIDATE_RET( key != NULL );
499
if( keybits != 128 && keybits != 192 && keybits != 256 )
500
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
502
/* Copy key to W0 (and potential remainder to W1) */
503
GET_UINT32_LE( w[0][0], key, 0 );
504
GET_UINT32_LE( w[0][1], key, 4 );
505
GET_UINT32_LE( w[0][2], key, 8 );
506
GET_UINT32_LE( w[0][3], key, 12 );
508
memset( w[1], 0, 16 );
511
GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
512
GET_UINT32_LE( w[1][1], key, 20 );
516
GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
517
GET_UINT32_LE( w[1][3], key, 28 );
520
i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
521
ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
523
aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
524
i = i < 2 ? i + 1 : 0;
525
aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
526
i = i < 2 ? i + 1 : 0;
527
aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
529
for( i = 0; i < 4; i++ ) // create round keys
532
aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
533
aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
534
aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
535
aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
537
aria_rot128( ctx->rk[16], w[0], w[1], 19 );
539
/* w holds enough info to reconstruct the round keys */
540
mbedtls_platform_zeroize( w, sizeof( w ) );
548
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
549
const unsigned char *key, unsigned int keybits )
552
ARIA_VALIDATE_RET( ctx != NULL );
553
ARIA_VALIDATE_RET( key != NULL );
555
ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
559
/* flip the order of round keys */
560
for( i = 0, j = ctx->nr; i < j; i++, j-- )
562
for( k = 0; k < 4; k++ )
564
uint32_t t = ctx->rk[i][k];
565
ctx->rk[i][k] = ctx->rk[j][k];
570
/* apply affine transform to middle keys */
571
for( i = 1; i < ctx->nr; i++ )
573
aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
574
&ctx->rk[i][2], &ctx->rk[i][3] );
583
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
584
const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
585
unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
590
ARIA_VALIDATE_RET( ctx != NULL );
591
ARIA_VALIDATE_RET( input != NULL );
592
ARIA_VALIDATE_RET( output != NULL );
594
GET_UINT32_LE( a, input, 0 );
595
GET_UINT32_LE( b, input, 4 );
596
GET_UINT32_LE( c, input, 8 );
597
GET_UINT32_LE( d, input, 12 );
608
aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
609
aria_a( &a, &b, &c, &d );
617
aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
620
aria_a( &a, &b, &c, &d );
623
/* final key mixing */
629
PUT_UINT32_LE( a, output, 0 );
630
PUT_UINT32_LE( b, output, 4 );
631
PUT_UINT32_LE( c, output, 8 );
632
PUT_UINT32_LE( d, output, 12 );
637
/* Initialize context */
638
void mbedtls_aria_init( mbedtls_aria_context *ctx )
640
ARIA_VALIDATE( ctx != NULL );
641
memset( ctx, 0, sizeof( mbedtls_aria_context ) );
645
void mbedtls_aria_free( mbedtls_aria_context *ctx )
650
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
653
#if defined(MBEDTLS_CIPHER_MODE_CBC)
655
* ARIA-CBC buffer encryption/decryption
657
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
660
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
661
const unsigned char *input,
662
unsigned char *output )
665
unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
667
ARIA_VALIDATE_RET( ctx != NULL );
668
ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
669
mode == MBEDTLS_ARIA_DECRYPT );
670
ARIA_VALIDATE_RET( length == 0 || input != NULL );
671
ARIA_VALIDATE_RET( length == 0 || output != NULL );
672
ARIA_VALIDATE_RET( iv != NULL );
674
if( length % MBEDTLS_ARIA_BLOCKSIZE )
675
return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
677
if( mode == MBEDTLS_ARIA_DECRYPT )
681
memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
682
mbedtls_aria_crypt_ecb( ctx, input, output );
684
for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
685
output[i] = (unsigned char)( output[i] ^ iv[i] );
687
memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
689
input += MBEDTLS_ARIA_BLOCKSIZE;
690
output += MBEDTLS_ARIA_BLOCKSIZE;
691
length -= MBEDTLS_ARIA_BLOCKSIZE;
698
for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
699
output[i] = (unsigned char)( input[i] ^ iv[i] );
701
mbedtls_aria_crypt_ecb( ctx, output, output );
702
memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
704
input += MBEDTLS_ARIA_BLOCKSIZE;
705
output += MBEDTLS_ARIA_BLOCKSIZE;
706
length -= MBEDTLS_ARIA_BLOCKSIZE;
712
#endif /* MBEDTLS_CIPHER_MODE_CBC */
714
#if defined(MBEDTLS_CIPHER_MODE_CFB)
716
* ARIA-CFB128 buffer encryption/decryption
718
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
722
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
723
const unsigned char *input,
724
unsigned char *output )
729
ARIA_VALIDATE_RET( ctx != NULL );
730
ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
731
mode == MBEDTLS_ARIA_DECRYPT );
732
ARIA_VALIDATE_RET( length == 0 || input != NULL );
733
ARIA_VALIDATE_RET( length == 0 || output != NULL );
734
ARIA_VALIDATE_RET( iv != NULL );
735
ARIA_VALIDATE_RET( iv_off != NULL );
739
/* An overly large value of n can lead to an unlimited
740
* buffer overflow. Therefore, guard against this
741
* outside of parameter validation. */
742
if( n >= MBEDTLS_ARIA_BLOCKSIZE )
743
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
745
if( mode == MBEDTLS_ARIA_DECRYPT )
750
mbedtls_aria_crypt_ecb( ctx, iv, iv );
753
*output++ = c ^ iv[n];
756
n = ( n + 1 ) & 0x0F;
764
mbedtls_aria_crypt_ecb( ctx, iv, iv );
766
iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
768
n = ( n + 1 ) & 0x0F;
776
#endif /* MBEDTLS_CIPHER_MODE_CFB */
778
#if defined(MBEDTLS_CIPHER_MODE_CTR)
780
* ARIA-CTR buffer encryption/decryption
782
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
785
unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
786
unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
787
const unsigned char *input,
788
unsigned char *output )
793
ARIA_VALIDATE_RET( ctx != NULL );
794
ARIA_VALIDATE_RET( length == 0 || input != NULL );
795
ARIA_VALIDATE_RET( length == 0 || output != NULL );
796
ARIA_VALIDATE_RET( nonce_counter != NULL );
797
ARIA_VALIDATE_RET( stream_block != NULL );
798
ARIA_VALIDATE_RET( nc_off != NULL );
801
/* An overly large value of n can lead to an unlimited
802
* buffer overflow. Therefore, guard against this
803
* outside of parameter validation. */
804
if( n >= MBEDTLS_ARIA_BLOCKSIZE )
805
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
810
mbedtls_aria_crypt_ecb( ctx, nonce_counter,
813
for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
814
if( ++nonce_counter[i - 1] != 0 )
818
*output++ = (unsigned char)( c ^ stream_block[n] );
820
n = ( n + 1 ) & 0x0F;
827
#endif /* MBEDTLS_CIPHER_MODE_CTR */
828
#endif /* !MBEDTLS_ARIA_ALT */
830
#if defined(MBEDTLS_SELF_TEST)
833
* Basic ARIA ECB test vectors from RFC 5794
835
static const uint8_t aria_test1_ecb_key[32] = // test key
837
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
838
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
839
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
840
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
843
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
845
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
846
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
849
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
851
{ 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
852
0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
853
{ 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
854
0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
855
{ 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
856
0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
860
* Mode tests from "Test Vectors for ARIA" Version 1.0
861
* http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
863
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
864
defined(MBEDTLS_CIPHER_MODE_CTR))
865
static const uint8_t aria_test2_key[32] =
867
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
868
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
869
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
870
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
873
static const uint8_t aria_test2_pt[48] =
875
0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
876
0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
877
0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
878
0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
879
0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
880
0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
884
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
885
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
887
0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
888
0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
892
#if defined(MBEDTLS_CIPHER_MODE_CBC)
893
static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
895
{ 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
896
0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
897
0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
898
0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
899
0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
900
0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
901
{ 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
902
0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
903
0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
904
0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
905
0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
906
0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
907
{ 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
908
0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
909
0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
910
0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
911
0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
912
0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
914
#endif /* MBEDTLS_CIPHER_MODE_CBC */
916
#if defined(MBEDTLS_CIPHER_MODE_CFB)
917
static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
919
{ 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
920
0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
921
0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
922
0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
923
0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
924
0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
925
{ 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
926
0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
927
0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
928
0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
929
0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
930
0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
931
{ 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
932
0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
933
0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
934
0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
935
0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
936
0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
938
#endif /* MBEDTLS_CIPHER_MODE_CFB */
940
#if defined(MBEDTLS_CIPHER_MODE_CTR)
941
static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
943
{ 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
944
0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
945
0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
946
0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
947
0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
948
0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
949
{ 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
950
0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
951
0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
952
0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
953
0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
954
0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
955
{ 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
956
0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
957
0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
958
0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
959
0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
960
0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
962
#endif /* MBEDTLS_CIPHER_MODE_CFB */
964
#define ARIA_SELF_TEST_IF_FAIL \
967
mbedtls_printf( "failed\n" ); \
971
mbedtls_printf( "passed\n" ); \
977
int mbedtls_aria_self_test( int verbose )
980
uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
981
mbedtls_aria_context ctx;
984
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
988
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
989
defined(MBEDTLS_CIPHER_MODE_CFB) || \
990
defined(MBEDTLS_CIPHER_MODE_CTR))
991
uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
994
mbedtls_aria_init( &ctx );
999
for( i = 0; i < 3; i++ )
1001
/* test ECB encryption */
1003
mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
1004
mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
1005
mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
1006
if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
1007
ARIA_SELF_TEST_IF_FAIL;
1009
/* test ECB decryption */
1011
mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
1012
mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
1013
mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
1014
if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
1015
ARIA_SELF_TEST_IF_FAIL;
1018
mbedtls_printf( "\n" );
1023
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1024
for( i = 0; i < 3; i++ )
1026
/* Test CBC encryption */
1028
mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
1029
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1030
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1031
memset( buf, 0x55, sizeof( buf ) );
1032
mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
1033
aria_test2_pt, buf );
1034
if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
1035
ARIA_SELF_TEST_IF_FAIL;
1037
/* Test CBC decryption */
1039
mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
1040
mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1041
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1042
memset( buf, 0xAA, sizeof( buf ) );
1043
mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1044
aria_test2_cbc_ct[i], buf );
1045
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1046
ARIA_SELF_TEST_IF_FAIL;
1049
mbedtls_printf( "\n" );
1051
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1053
#if defined(MBEDTLS_CIPHER_MODE_CFB)
1054
for( i = 0; i < 3; i++ )
1056
/* Test CFB encryption */
1058
mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
1059
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1060
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1061
memset( buf, 0x55, sizeof( buf ) );
1063
mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1064
aria_test2_pt, buf );
1065
if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1066
ARIA_SELF_TEST_IF_FAIL;
1068
/* Test CFB decryption */
1070
mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1071
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1072
memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1073
memset( buf, 0xAA, sizeof( buf ) );
1075
mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1076
iv, aria_test2_cfb_ct[i], buf );
1077
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1078
ARIA_SELF_TEST_IF_FAIL;
1081
mbedtls_printf( "\n" );
1082
#endif /* MBEDTLS_CIPHER_MODE_CFB */
1084
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1085
for( i = 0; i < 3; i++ )
1087
/* Test CTR encryption */
1089
mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1090
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1091
memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1092
memset( buf, 0x55, sizeof( buf ) );
1094
mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1095
aria_test2_pt, buf );
1096
if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1097
ARIA_SELF_TEST_IF_FAIL;
1099
/* Test CTR decryption */
1101
mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1102
mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1103
memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1104
memset( buf, 0xAA, sizeof( buf ) );
1106
mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1107
aria_test2_ctr_ct[i], buf );
1108
if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1109
ARIA_SELF_TEST_IF_FAIL;
1112
mbedtls_printf( "\n" );
1113
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1118
mbedtls_aria_free( &ctx );
1122
#endif /* MBEDTLS_SELF_TEST */
1124
#endif /* MBEDTLS_ARIA_C */
added
removed
mbedtls2/aria.c
