CoCalc -- aria.c

GitHub Repository: godotengine/godot
Path: blob/master/thirdparty/mbedtls/library/aria.c
⁹⁹⁰³ views
1
/*
2
 *  ARIA implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7

8
/*
9
 * This implementation is based on the following standards:
10
 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11
 * [2] https://tools.ietf.org/html/rfc5794
12
 */
13

14
#include "common.h"
15

16
#if defined(MBEDTLS_ARIA_C)
17

18
#include "mbedtls/aria.h"
19

20
#include <string.h>
21

22
#include "mbedtls/platform.h"
23

24
#if !defined(MBEDTLS_ARIA_ALT)
25

26
#include "mbedtls/platform_util.h"
27

28
/*
29
 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
30
 *
31
 * This is submatrix P1 in [1] Appendix B.1
32
 *
33
 * Common compilers fail to translate this to minimal number of instructions,
34
 * so let's provide asm versions for common platforms with C fallback.
35
 */
36
#if defined(MBEDTLS_HAVE_ASM)
37
#if defined(__arm__) /* rev16 available from v6 up */
38
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39
#if defined(__GNUC__) && \
40
    (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
41
    __ARM_ARCH >= 6
42
static inline uint32_t aria_p1(uint32_t x)
43
{
44
    uint32_t r;
45
    __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46
    return r;
47
}
48
#define ARIA_P1 aria_p1
49
#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
50
    (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51
static inline uint32_t aria_p1(uint32_t x)
52
{
53
    uint32_t r;
54
    __asm("rev16 r, x");
55
    return r;
56
}
57
#define ARIA_P1 aria_p1
58
#endif
59
#endif /* arm */
60
#if defined(__GNUC__) && \
61
    defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
62
/* I couldn't find an Intel equivalent of rev16, so two instructions */
63
#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
64
#endif /* x86 gnuc */
65
#endif /* MBEDTLS_HAVE_ASM && GNUC */
66
#if !defined(ARIA_P1)
67
#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
68
#endif
69

70
/*
71
 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72
 *
73
 * This is submatrix P2 in [1] Appendix B.1
74
 *
75
 * Common compilers will translate this to a single instruction.
76
 */
77
#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
78

79
/*
80
 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81
 *
82
 * This is submatrix P3 in [1] Appendix B.1
83
 */
84
#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
85

86
/*
87
 * ARIA Affine Transform
88
 * (a, b, c, d) = state in/out
89
 *
90
 * If we denote the first byte of input by 0, ..., the last byte by f,
91
 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92
 *
93
 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
94
 * rearrangements on adjacent pairs, output is:
95
 *
96
 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97
 *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
98
 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
99
 *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
100
 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
101
 *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
102
 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
103
 *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104
 *
105
 * Note: another presentation of the A transform can be found as the first
106
 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107
 * The implementation below uses only P1 and P2 as they are sufficient.
108
 */
109
static inline void aria_a(uint32_t *a, uint32_t *b,
110
                          uint32_t *c, uint32_t *d)
111
{
112
    uint32_t ta, tb, tc;
113
    ta  =  *b;                      // 4567
114
    *b  =  *a;                      // 0123
115
    *a  =  ARIA_P2(ta);             // 6745
116
    tb  =  ARIA_P2(*d);             // efcd
117
    *d  =  ARIA_P1(*c);             // 98ba
118
    *c  =  ARIA_P1(tb);             // fedc
119
    ta  ^= *d;                      // 4567+98ba
120
    tc  =  ARIA_P2(*b);             // 2301
121
    ta  =  ARIA_P1(ta) ^ tc ^ *c;   // 2301+5476+89ab+fedc
122
    tb  ^= ARIA_P2(*d);             // ba98+efcd
123
    tc  ^= ARIA_P1(*a);             // 2301+7654
124
    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
125
    tb  =  ARIA_P2(tb) ^ ta;        // 2301+5476+89ab+98ba+cdef+fedc
126
    *a  ^= ARIA_P1(tb);             // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127
    ta  =  ARIA_P2(ta);             // 0123+7654+ab89+dcfe
128
    *d  ^= ARIA_P1(ta) ^ tc;        // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129
    tc  =  ARIA_P2(tc);             // 0123+5476
130
    *c  ^= ARIA_P1(tc) ^ ta;        // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
131
}
132

133
/*
134
 * ARIA Substitution Layer SL1 / SL2
135
 * (a, b, c, d) = state in/out
136
 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
137
 *
138
 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139
 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
140
 */
141
static inline void aria_sl(uint32_t *a, uint32_t *b,
142
                           uint32_t *c, uint32_t *d,
143
                           const uint8_t sa[256], const uint8_t sb[256],
144
                           const uint8_t sc[256], const uint8_t sd[256])
145
{
146
    *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147
         (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) <<  8) ^
148
         (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149
         (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150
    *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151
         (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) <<  8) ^
152
         (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153
         (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154
    *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155
         (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) <<  8) ^
156
         (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157
         (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158
    *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159
         (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) <<  8) ^
160
         (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161
         (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
162
}
163

164
/*
165
 * S-Boxes
166
 */
167
static const uint8_t aria_sb1[256] =
168
{
169
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170
    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174
    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176
    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180
    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182
    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186
    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188
    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190
    0xB0, 0x54, 0xBB, 0x16
191
};
192

193
static const uint8_t aria_sb2[256] =
194
{
195
    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196
    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197
    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198
    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199
    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200
    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201
    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202
    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203
    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204
    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205
    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206
    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207
    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208
    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209
    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210
    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211
    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212
    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213
    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214
    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215
    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216
    0xAF, 0xBA, 0xB5, 0x81
217
};
218

219
static const uint8_t aria_is1[256] =
220
{
221
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222
    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224
    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226
    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228
    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230
    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232
    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234
    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236
    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238
    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240
    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242
    0x55, 0x21, 0x0C, 0x7D
243
};
244

245
static const uint8_t aria_is2[256] =
246
{
247
    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248
    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249
    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250
    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251
    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252
    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253
    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254
    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255
    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256
    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257
    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258
    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259
    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260
    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261
    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262
    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263
    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264
    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265
    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266
    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267
    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268
    0x03, 0xA2, 0xAC, 0x60
269
};
270

271
/*
272
 * Helper for key schedule: r = FO( p, k ) ^ x
273
 */
274
static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275
                        const uint32_t k[4], const uint32_t x[4])
276
{
277
    uint32_t a, b, c, d;
278

279
    a = p[0] ^ k[0];
280
    b = p[1] ^ k[1];
281
    c = p[2] ^ k[2];
282
    d = p[3] ^ k[3];
283

284
    aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285
    aria_a(&a, &b, &c, &d);
286

287
    r[0] = a ^ x[0];
288
    r[1] = b ^ x[1];
289
    r[2] = c ^ x[2];
290
    r[3] = d ^ x[3];
291
}
292

293
/*
294
 * Helper for key schedule: r = FE( p, k ) ^ x
295
 */
296
static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297
                        const uint32_t k[4], const uint32_t x[4])
298
{
299
    uint32_t a, b, c, d;
300

301
    a = p[0] ^ k[0];
302
    b = p[1] ^ k[1];
303
    c = p[2] ^ k[2];
304
    d = p[3] ^ k[3];
305

306
    aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307
    aria_a(&a, &b, &c, &d);
308

309
    r[0] = a ^ x[0];
310
    r[1] = b ^ x[1];
311
    r[2] = c ^ x[2];
312
    r[3] = d ^ x[3];
313
}
314

315
/*
316
 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317
 *
318
 * We chose to store bytes into 32-bit words in little-endian format (see
319
 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320
 * bytes here.
321
 */
322
static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323
                        const uint32_t b[4], uint8_t n)
324
{
325
    uint8_t i, j;
326
    uint32_t t, u;
327

328
    const uint8_t n1 = n % 32;              // bit offset
329
    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
330

331
    j = (n / 32) % 4;                       // initial word offset
332
    t = ARIA_P3(b[j]);                      // big endian
333
    for (i = 0; i < 4; i++) {
334
        j = (j + 1) % 4;                    // get next word, big endian
335
        u = ARIA_P3(b[j]);
336
        t <<= n1;                           // rotate
337
        t |= u >> n2;
338
        t = ARIA_P3(t);                     // back to little endian
339
        r[i] = a[i] ^ t;                    // store
340
        t = u;                              // move to next word
341
    }
342
}
343

344
/*
345
 * Set encryption key
346
 */
347
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348
                            const unsigned char *key, unsigned int keybits)
349
{
350
    /* round constant masks */
351
    const uint32_t rc[3][4] =
352
    {
353
        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
354
        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
355
        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
356
    };
357

358
    int i;
359
    uint32_t w[4][4], *w2;
360

361
    if (keybits != 128 && keybits != 192 && keybits != 256) {
362
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363
    }
364

365
    /* Copy key to W0 (and potential remainder to W1) */
366
    w[0][0] = MBEDTLS_GET_UINT32_LE(key,  0);
367
    w[0][1] = MBEDTLS_GET_UINT32_LE(key,  4);
368
    w[0][2] = MBEDTLS_GET_UINT32_LE(key,  8);
369
    w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
370

371
    memset(w[1], 0, 16);
372
    if (keybits >= 192) {
373
        w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16);    // 192 bit key
374
        w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
375
    }
376
    if (keybits == 256) {
377
        w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24);    // 256 bit key
378
        w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
379
    }
380

381
    i = (keybits - 128) >> 6;               // index: 0, 1, 2
382
    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
383

384
    aria_fo_xor(w[1], w[0], rc[i], w[1]);   // W1 = FO(W0, CK1) ^ KR
385
    i = i < 2 ? i + 1 : 0;
386
    aria_fe_xor(w[2], w[1], rc[i], w[0]);   // W2 = FE(W1, CK2) ^ W0
387
    i = i < 2 ? i + 1 : 0;
388
    aria_fo_xor(w[3], w[2], rc[i], w[1]);   // W3 = FO(W2, CK3) ^ W1
389

390
    for (i = 0; i < 4; i++) {               // create round keys
391
        w2 = w[(i + 1) & 3];
392
        aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393
        aria_rot128(ctx->rk[i +  4], w[i], w2, 128 - 31);
394
        aria_rot128(ctx->rk[i +  8], w[i], w2,       61);
395
        aria_rot128(ctx->rk[i + 12], w[i], w2,       31);
396
    }
397
    aria_rot128(ctx->rk[16], w[0], w[1], 19);
398

399
    /* w holds enough info to reconstruct the round keys */
400
    mbedtls_platform_zeroize(w, sizeof(w));
401

402
    return 0;
403
}
404

405
/*
406
 * Set decryption key
407
 */
408
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
409
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410
                            const unsigned char *key, unsigned int keybits)
411
{
412
    int i, j, k, ret;
413

414
    ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415
    if (ret != 0) {
416
        return ret;
417
    }
418

419
    /* flip the order of round keys */
420
    for (i = 0, j = ctx->nr; i < j; i++, j--) {
421
        for (k = 0; k < 4; k++) {
422
            uint32_t t = ctx->rk[i][k];
423
            ctx->rk[i][k] = ctx->rk[j][k];
424
            ctx->rk[j][k] = t;
425
        }
426
    }
427

428
    /* apply affine transform to middle keys */
429
    for (i = 1; i < ctx->nr; i++) {
430
        aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431
               &ctx->rk[i][2], &ctx->rk[i][3]);
432
    }
433

434
    return 0;
435
}
436
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
437

438
/*
439
 * Encrypt a block
440
 */
441
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442
                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443
                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
444
{
445
    int i;
446

447
    uint32_t a, b, c, d;
448

449
    a = MBEDTLS_GET_UINT32_LE(input,  0);
450
    b = MBEDTLS_GET_UINT32_LE(input,  4);
451
    c = MBEDTLS_GET_UINT32_LE(input,  8);
452
    d = MBEDTLS_GET_UINT32_LE(input, 12);
453

454
    i = 0;
455
    while (1) {
456
        a ^= ctx->rk[i][0];
457
        b ^= ctx->rk[i][1];
458
        c ^= ctx->rk[i][2];
459
        d ^= ctx->rk[i][3];
460
        i++;
461

462
        aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463
        aria_a(&a, &b, &c, &d);
464

465
        a ^= ctx->rk[i][0];
466
        b ^= ctx->rk[i][1];
467
        c ^= ctx->rk[i][2];
468
        d ^= ctx->rk[i][3];
469
        i++;
470

471
        aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472
        if (i >= ctx->nr) {
473
            break;
474
        }
475
        aria_a(&a, &b, &c, &d);
476
    }
477

478
    /* final key mixing */
479
    a ^= ctx->rk[i][0];
480
    b ^= ctx->rk[i][1];
481
    c ^= ctx->rk[i][2];
482
    d ^= ctx->rk[i][3];
483

484
    MBEDTLS_PUT_UINT32_LE(a, output,  0);
485
    MBEDTLS_PUT_UINT32_LE(b, output,  4);
486
    MBEDTLS_PUT_UINT32_LE(c, output,  8);
487
    MBEDTLS_PUT_UINT32_LE(d, output, 12);
488

489
    return 0;
490
}
491

492
/* Initialize context */
493
void mbedtls_aria_init(mbedtls_aria_context *ctx)
494
{
495
    memset(ctx, 0, sizeof(mbedtls_aria_context));
496
}
497

498
/* Clear context */
499
void mbedtls_aria_free(mbedtls_aria_context *ctx)
500
{
501
    if (ctx == NULL) {
502
        return;
503
    }
504

505
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
506
}
507

508
#if defined(MBEDTLS_CIPHER_MODE_CBC)
509
/*
510
 * ARIA-CBC buffer encryption/decryption
511
 */
512
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513
                           int mode,
514
                           size_t length,
515
                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516
                           const unsigned char *input,
517
                           unsigned char *output)
518
{
519
    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
520

521
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523
    }
524

525
    if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526
        return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527
    }
528

529
    if (mode == MBEDTLS_ARIA_DECRYPT) {
530
        while (length > 0) {
531
            memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532
            mbedtls_aria_crypt_ecb(ctx, input, output);
533

534
            mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
535

536
            memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
537

538
            input  += MBEDTLS_ARIA_BLOCKSIZE;
539
            output += MBEDTLS_ARIA_BLOCKSIZE;
540
            length -= MBEDTLS_ARIA_BLOCKSIZE;
541
        }
542
    } else {
543
        while (length > 0) {
544
            mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
545

546
            mbedtls_aria_crypt_ecb(ctx, output, output);
547
            memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
548

549
            input  += MBEDTLS_ARIA_BLOCKSIZE;
550
            output += MBEDTLS_ARIA_BLOCKSIZE;
551
            length -= MBEDTLS_ARIA_BLOCKSIZE;
552
        }
553
    }
554

555
    return 0;
556
}
557
#endif /* MBEDTLS_CIPHER_MODE_CBC */
558

559
#if defined(MBEDTLS_CIPHER_MODE_CFB)
560
/*
561
 * ARIA-CFB128 buffer encryption/decryption
562
 */
563
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564
                              int mode,
565
                              size_t length,
566
                              size_t *iv_off,
567
                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568
                              const unsigned char *input,
569
                              unsigned char *output)
570
{
571
    unsigned char c;
572
    size_t n;
573

574
    if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576
    }
577

578
    n = *iv_off;
579

580
    /* An overly large value of n can lead to an unlimited
581
     * buffer overflow. */
582
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
583
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
584
    }
585

586
    if (mode == MBEDTLS_ARIA_DECRYPT) {
587
        while (length--) {
588
            if (n == 0) {
589
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
590
            }
591

592
            c = *input++;
593
            *output++ = c ^ iv[n];
594
            iv[n] = c;
595

596
            n = (n + 1) & 0x0F;
597
        }
598
    } else {
599
        while (length--) {
600
            if (n == 0) {
601
                mbedtls_aria_crypt_ecb(ctx, iv, iv);
602
            }
603

604
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
605

606
            n = (n + 1) & 0x0F;
607
        }
608
    }
609

610
    *iv_off = n;
611

612
    return 0;
613
}
614
#endif /* MBEDTLS_CIPHER_MODE_CFB */
615

616
#if defined(MBEDTLS_CIPHER_MODE_CTR)
617
/*
618
 * ARIA-CTR buffer encryption/decryption
619
 */
620
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
621
                           size_t length,
622
                           size_t *nc_off,
623
                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
624
                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
625
                           const unsigned char *input,
626
                           unsigned char *output)
627
{
628
    int c, i;
629
    size_t n;
630

631
    n = *nc_off;
632
    /* An overly large value of n can lead to an unlimited
633
     * buffer overflow. */
634
    if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
635
        return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
636
    }
637

638
    while (length--) {
639
        if (n == 0) {
640
            mbedtls_aria_crypt_ecb(ctx, nonce_counter,
641
                                   stream_block);
642

643
            for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
644
                if (++nonce_counter[i - 1] != 0) {
645
                    break;
646
                }
647
            }
648
        }
649
        c = *input++;
650
        *output++ = (unsigned char) (c ^ stream_block[n]);
651

652
        n = (n + 1) & 0x0F;
653
    }
654

655
    *nc_off = n;
656

657
    return 0;
658
}
659
#endif /* MBEDTLS_CIPHER_MODE_CTR */
660
#endif /* !MBEDTLS_ARIA_ALT */
661

662
#if defined(MBEDTLS_SELF_TEST)
663

664
/*
665
 * Basic ARIA ECB test vectors from RFC 5794
666
 */
667
static const uint8_t aria_test1_ecb_key[32] =           // test key
668
{
669
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
670
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
671
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
672
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
673
};
674

675
static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
676
{
677
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
678
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
679
};
680

681
static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
682
{
683
    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
684
      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
685
    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
686
      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
687
    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
688
      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
689
};
690

691
/*
692
 * Mode tests from "Test Vectors for ARIA"  Version 1.0
693
 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
694
 */
695
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
696
    defined(MBEDTLS_CIPHER_MODE_CTR))
697
static const uint8_t aria_test2_key[32] =
698
{
699
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
700
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
701
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
702
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
703
};
704

705
static const uint8_t aria_test2_pt[48] =
706
{
707
    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
708
    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
709
    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
710
    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
711
    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
712
    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
713
};
714
#endif
715

716
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
717
static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
718
{
719
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
720
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
721
};
722
#endif
723

724
#if defined(MBEDTLS_CIPHER_MODE_CBC)
725
static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
726
{
727
    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
728
      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
729
      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
730
      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
731
      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
732
      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
733
    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
734
      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
735
      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
736
      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
737
      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
738
      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
739
    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
740
      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
741
      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
742
      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
743
      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
744
      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
745
};
746
#endif /* MBEDTLS_CIPHER_MODE_CBC */
747

748
#if defined(MBEDTLS_CIPHER_MODE_CFB)
749
static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
750
{
751
    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
752
      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
753
      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
754
      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
755
      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
756
      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
757
    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
758
      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
759
      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
760
      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
761
      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
762
      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
763
    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
764
      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
765
      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
766
      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
767
      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
768
      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
769
};
770
#endif /* MBEDTLS_CIPHER_MODE_CFB */
771

772
#if defined(MBEDTLS_CIPHER_MODE_CTR)
773
static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
774
{
775
    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
776
      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
777
      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
778
      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
779
      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
780
      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
781
    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
782
      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
783
      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
784
      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
785
      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
786
      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
787
    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
788
      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
789
      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
790
      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
791
      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
792
      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
793
};
794
#endif /* MBEDTLS_CIPHER_MODE_CFB */
795

796
#define ARIA_SELF_TEST_ASSERT(cond)                   \
797
    do {                                            \
798
        if (cond) {                                \
799
            if (verbose)                           \
800
            mbedtls_printf("failed\n");       \
801
            goto exit;                              \
802
        } else {                                    \
803
            if (verbose)                           \
804
            mbedtls_printf("passed\n");       \
805
        }                                           \
806
    } while (0)
807

808
/*
809
 * Checkup routine
810
 */
811
int mbedtls_aria_self_test(int verbose)
812
{
813
    int i;
814
    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
815
    mbedtls_aria_context ctx;
816
    int ret = 1;
817

818
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
819
    size_t j;
820
#endif
821

822
#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
823
    defined(MBEDTLS_CIPHER_MODE_CFB) || \
824
    defined(MBEDTLS_CIPHER_MODE_CTR))
825
    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
826
#endif
827

828
    mbedtls_aria_init(&ctx);
829

830
    /*
831
     * Test set 1
832
     */
833
    for (i = 0; i < 3; i++) {
834
        /* test ECB encryption */
835
        if (verbose) {
836
            mbedtls_printf("  ARIA-ECB-%d (enc): ", 128 + 64 * i);
837
        }
838
        mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
839
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
840
        ARIA_SELF_TEST_ASSERT(
841
            memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
842
            != 0);
843

844
        /* test ECB decryption */
845
        if (verbose) {
846
            mbedtls_printf("  ARIA-ECB-%d (dec): ", 128 + 64 * i);
847
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
848
            mbedtls_printf("skipped\n");
849
#endif
850
        }
851

852
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
853
        mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
854
        mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
855
        ARIA_SELF_TEST_ASSERT(
856
            memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
857
            != 0);
858
#endif
859
    }
860
    if (verbose) {
861
        mbedtls_printf("\n");
862
    }
863

864
    /*
865
     * Test set 2
866
     */
867
#if defined(MBEDTLS_CIPHER_MODE_CBC)
868
    for (i = 0; i < 3; i++) {
869
        /* Test CBC encryption */
870
        if (verbose) {
871
            mbedtls_printf("  ARIA-CBC-%d (enc): ", 128 + 64 * i);
872
        }
873
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
874
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
875
        memset(buf, 0x55, sizeof(buf));
876
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
877
                               aria_test2_pt, buf);
878
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
879
                              != 0);
880

881
        /* Test CBC decryption */
882
        if (verbose) {
883
            mbedtls_printf("  ARIA-CBC-%d (dec): ", 128 + 64 * i);
884
        }
885
        mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
886
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
887
        memset(buf, 0xAA, sizeof(buf));
888
        mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
889
                               aria_test2_cbc_ct[i], buf);
890
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
891
    }
892
    if (verbose) {
893
        mbedtls_printf("\n");
894
    }
895

896
#endif /* MBEDTLS_CIPHER_MODE_CBC */
897

898
#if defined(MBEDTLS_CIPHER_MODE_CFB)
899
    for (i = 0; i < 3; i++) {
900
        /* Test CFB encryption */
901
        if (verbose) {
902
            mbedtls_printf("  ARIA-CFB-%d (enc): ", 128 + 64 * i);
903
        }
904
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
905
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
906
        memset(buf, 0x55, sizeof(buf));
907
        j = 0;
908
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
909
                                  aria_test2_pt, buf);
910
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
911

912
        /* Test CFB decryption */
913
        if (verbose) {
914
            mbedtls_printf("  ARIA-CFB-%d (dec): ", 128 + 64 * i);
915
        }
916
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
917
        memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
918
        memset(buf, 0xAA, sizeof(buf));
919
        j = 0;
920
        mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
921
                                  iv, aria_test2_cfb_ct[i], buf);
922
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
923
    }
924
    if (verbose) {
925
        mbedtls_printf("\n");
926
    }
927
#endif /* MBEDTLS_CIPHER_MODE_CFB */
928

929
#if defined(MBEDTLS_CIPHER_MODE_CTR)
930
    for (i = 0; i < 3; i++) {
931
        /* Test CTR encryption */
932
        if (verbose) {
933
            mbedtls_printf("  ARIA-CTR-%d (enc): ", 128 + 64 * i);
934
        }
935
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
936
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
937
        memset(buf, 0x55, sizeof(buf));
938
        j = 0;
939
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
940
                               aria_test2_pt, buf);
941
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
942

943
        /* Test CTR decryption */
944
        if (verbose) {
945
            mbedtls_printf("  ARIA-CTR-%d (dec): ", 128 + 64 * i);
946
        }
947
        mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
948
        memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE);                      // IV = 0
949
        memset(buf, 0xAA, sizeof(buf));
950
        j = 0;
951
        mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
952
                               aria_test2_ctr_ct[i], buf);
953
        ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
954
    }
955
    if (verbose) {
956
        mbedtls_printf("\n");
957
    }
958
#endif /* MBEDTLS_CIPHER_MODE_CTR */
959

960
    ret = 0;
961

962
exit:
963
    mbedtls_aria_free(&ctx);
964
    return ret;
965
}
966

967
#endif /* MBEDTLS_SELF_TEST */
968

969
#endif /* MBEDTLS_ARIA_C */
970

971
Product

Resources

Company
