ReactOS 0.4.16-dev-340-g0540c21
aria.c
Go to the documentation of this file.
1/*
2 * ARIA implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47/*
48 * This implementation is based on the following standards:
49 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
50 * [2] https://tools.ietf.org/html/rfc5794
51 */
52
53#if !defined(MBEDTLS_CONFIG_FILE)
54#include "mbedtls/config.h"
55#else
56#include MBEDTLS_CONFIG_FILE
57#endif
58
59#if defined(MBEDTLS_ARIA_C)
60
61#include "mbedtls/aria.h"
62
63#include <string.h>
64
65#if defined(MBEDTLS_SELF_TEST)
66#if defined(MBEDTLS_PLATFORM_C)
67#include "mbedtls/platform.h"
68#else
69#include <stdio.h>
70#define mbedtls_printf printf
71#endif /* MBEDTLS_PLATFORM_C */
72#endif /* MBEDTLS_SELF_TEST */
73
74#if !defined(MBEDTLS_ARIA_ALT)
75
77
78#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
79 !defined(inline) && !defined(__cplusplus)
80#define inline __inline
81#endif
82
83/* Parameter validation macros */
84#define ARIA_VALIDATE_RET( cond ) \
85 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
86#define ARIA_VALIDATE( cond ) \
87 MBEDTLS_INTERNAL_VALIDATE( cond )
88
89/*
90 * 32-bit integer manipulation macros (little endian)
91 */
92#ifndef GET_UINT32_LE
93#define GET_UINT32_LE( n, b, i ) \
94{ \
95 (n) = ( (uint32_t) (b)[(i) ] ) \
96 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
97 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
98 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
99}
100#endif
101
102#ifndef PUT_UINT32_LE
103#define PUT_UINT32_LE( n, b, i ) \
104{ \
105 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
106 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
107 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
108 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
109}
110#endif
111
112/*
113 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
114 *
115 * This is submatrix P1 in [1] Appendix B.1
116 *
117 * Common compilers fail to translate this to minimal number of instructions,
118 * so let's provide asm versions for common platforms with C fallback.
119 */
120#if defined(MBEDTLS_HAVE_ASM)
121#if defined(__arm__) /* rev16 available from v6 up */
122/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
123#if defined(__GNUC__) && \
124 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
125 __ARM_ARCH >= 6
126static inline uint32_t aria_p1( uint32_t x )
127{
128 uint32_t r;
129 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
130 return( r );
131}
132#define ARIA_P1 aria_p1
133#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
134 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
135static inline uint32_t aria_p1( uint32_t x )
136{
137 uint32_t r;
138 __asm( "rev16 r, x" );
139 return( r );
140}
141#define ARIA_P1 aria_p1
142#endif
143#endif /* arm */
144#if defined(__GNUC__) && \
145 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
146/* I couldn't find an Intel equivalent of rev16, so two instructions */
147#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
148#endif /* x86 gnuc */
149#endif /* MBEDTLS_HAVE_ASM && GNUC */
150#if !defined(ARIA_P1)
151#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
152#endif
153
154/*
155 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
156 *
157 * This is submatrix P2 in [1] Appendix B.1
158 *
159 * Common compilers will translate this to a single instruction.
160 */
161#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
162
163/*
164 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
165 *
166 * This is submatrix P3 in [1] Appendix B.1
167 *
168 * Some compilers fail to translate this to a single instruction,
169 * so let's provide asm versions for common platforms with C fallback.
170 */
171#if defined(MBEDTLS_HAVE_ASM)
172#if defined(__arm__) /* rev available from v6 up */
173/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
174#if defined(__GNUC__) && \
175 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
176 __ARM_ARCH >= 6
177static inline uint32_t aria_p3( uint32_t x )
178{
179 uint32_t r;
180 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
181 return( r );
182}
183#define ARIA_P3 aria_p3
184#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
185 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
186static inline uint32_t aria_p3( uint32_t x )
187{
188 uint32_t r;
189 __asm( "rev r, x" );
190 return( r );
191}
192#define ARIA_P3 aria_p3
193#endif
194#endif /* arm */
195#if defined(__GNUC__) && \
196 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
197static inline uint32_t aria_p3( uint32_t x )
198{
199 __asm( "bswap %0" : "=r" (x) : "0" (x) );
200 return( x );
201}
202#define ARIA_P3 aria_p3
203#endif /* x86 gnuc */
204#endif /* MBEDTLS_HAVE_ASM && GNUC */
205#if !defined(ARIA_P3)
206#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
207#endif
208
209/*
210 * ARIA Affine Transform
211 * (a, b, c, d) = state in/out
212 *
213 * If we denote the first byte of input by 0, ..., the last byte by f,
214 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
215 *
216 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
217 * rearrangements on adjacent pairs, output is:
218 *
219 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
220 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
221 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
222 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
223 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
224 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
225 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
226 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
227 *
228 * Note: another presentation of the A transform can be found as the first
229 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
230 * The implementation below uses only P1 and P2 as they are sufficient.
231 */
232static inline void aria_a( uint32_t *a, uint32_t *b,
233 uint32_t *c, uint32_t *d )
234{
235 uint32_t ta, tb, tc;
236 ta = *b; // 4567
237 *b = *a; // 0123
238 *a = ARIA_P2( ta ); // 6745
239 tb = ARIA_P2( *d ); // efcd
240 *d = ARIA_P1( *c ); // 98ba
241 *c = ARIA_P1( tb ); // fedc
242 ta ^= *d; // 4567+98ba
243 tc = ARIA_P2( *b ); // 2301
244 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
245 tb ^= ARIA_P2( *d ); // ba98+efcd
246 tc ^= ARIA_P1( *a ); // 2301+7654
247 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
248 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
249 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
250 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
251 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
252 tc = ARIA_P2( tc ); // 0123+5476
253 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
254}
255
256/*
257 * ARIA Substitution Layer SL1 / SL2
258 * (a, b, c, d) = state in/out
259 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
260 *
261 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
262 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
263 */
264static inline void aria_sl( uint32_t *a, uint32_t *b,
265 uint32_t *c, uint32_t *d,
266 const uint8_t sa[256], const uint8_t sb[256],
267 const uint8_t sc[256], const uint8_t sd[256] )
268{
269 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
270 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
271 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
272 (((uint32_t) sd[ *a >> 24 ]) << 24);
273 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
274 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
275 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
276 (((uint32_t) sd[ *b >> 24 ]) << 24);
277 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
278 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
279 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
280 (((uint32_t) sd[ *c >> 24 ]) << 24);
281 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
282 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
283 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
284 (((uint32_t) sd[ *d >> 24 ]) << 24);
285}
286
287/*
288 * S-Boxes
289 */
290static const uint8_t aria_sb1[256] =
291{
292 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
293 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
294 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
295 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
296 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
297 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
298 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
299 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
300 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
301 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
302 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
303 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
304 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
305 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
306 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
307 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
308 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
309 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
310 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
311 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
312 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
313 0xB0, 0x54, 0xBB, 0x16
314};
315
316static const uint8_t aria_sb2[256] =
317{
318 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
319 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
320 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
321 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
322 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
323 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
324 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
325 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
326 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
327 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
328 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
329 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
330 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
331 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
332 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
333 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
334 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
335 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
336 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
337 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
338 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
339 0xAF, 0xBA, 0xB5, 0x81
340};
341
342static const uint8_t aria_is1[256] =
343{
344 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
345 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
346 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
347 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
348 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
349 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
350 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
351 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
352 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
353 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
354 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
355 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
356 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
357 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
358 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
359 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
360 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
361 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
362 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
363 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
364 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
365 0x55, 0x21, 0x0C, 0x7D
366};
367
368static const uint8_t aria_is2[256] =
369{
370 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
371 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
372 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
373 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
374 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
375 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
376 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
377 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
378 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
379 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
380 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
381 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
382 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
383 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
384 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
385 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
386 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
387 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
388 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
389 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
390 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
391 0x03, 0xA2, 0xAC, 0x60
392};
393
394/*
395 * Helper for key schedule: r = FO( p, k ) ^ x
396 */
397static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
398 const uint32_t k[4], const uint32_t x[4] )
399{
400 uint32_t a, b, c, d;
401
402 a = p[0] ^ k[0];
403 b = p[1] ^ k[1];
404 c = p[2] ^ k[2];
405 d = p[3] ^ k[3];
406
407 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
408 aria_a( &a, &b, &c, &d );
409
410 r[0] = a ^ x[0];
411 r[1] = b ^ x[1];
412 r[2] = c ^ x[2];
413 r[3] = d ^ x[3];
414}
415
416/*
417 * Helper for key schedule: r = FE( p, k ) ^ x
418 */
419static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
420 const uint32_t k[4], const uint32_t x[4] )
421{
422 uint32_t a, b, c, d;
423
424 a = p[0] ^ k[0];
425 b = p[1] ^ k[1];
426 c = p[2] ^ k[2];
427 d = p[3] ^ k[3];
428
429 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
430 aria_a( &a, &b, &c, &d );
431
432 r[0] = a ^ x[0];
433 r[1] = b ^ x[1];
434 r[2] = c ^ x[2];
435 r[3] = d ^ x[3];
436}
437
438/*
439 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
440 *
441 * We chose to store bytes into 32-bit words in little-endian format (see
442 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
443 */
444static void aria_rot128( uint32_t r[4], const uint32_t a[4],
445 const uint32_t b[4], uint8_t n )
446{
447 uint8_t i, j;
448 uint32_t t, u;
449
450 const uint8_t n1 = n % 32; // bit offset
451 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
452
453 j = ( n / 32 ) % 4; // initial word offset
454 t = ARIA_P3( b[j] ); // big endian
455 for( i = 0; i < 4; i++ )
456 {
457 j = ( j + 1 ) % 4; // get next word, big endian
458 u = ARIA_P3( b[j] );
459 t <<= n1; // rotate
460 t |= u >> n2;
461 t = ARIA_P3( t ); // back to little endian
462 r[i] = a[i] ^ t; // store
463 t = u; // move to next word
464 }
465}
466
467/*
468 * Set encryption key
469 */
471 const unsigned char *key, unsigned int keybits )
472{
473 /* round constant masks */
474 const uint32_t rc[3][4] =
475 {
476 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
477 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
478 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
479 };
480
481 int i;
482 uint32_t w[4][4], *w2;
483 ARIA_VALIDATE_RET( ctx != NULL );
484 ARIA_VALIDATE_RET( key != NULL );
485
486 if( keybits != 128 && keybits != 192 && keybits != 256 )
488
489 /* Copy key to W0 (and potential remainder to W1) */
490 GET_UINT32_LE( w[0][0], key, 0 );
491 GET_UINT32_LE( w[0][1], key, 4 );
492 GET_UINT32_LE( w[0][2], key, 8 );
493 GET_UINT32_LE( w[0][3], key, 12 );
494
495 memset( w[1], 0, 16 );
496 if( keybits >= 192 )
497 {
498 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
499 GET_UINT32_LE( w[1][1], key, 20 );
500 }
501 if( keybits == 256 )
502 {
503 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
504 GET_UINT32_LE( w[1][3], key, 28 );
505 }
506
507 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
508 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
509
510 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
511 i = i < 2 ? i + 1 : 0;
512 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
513 i = i < 2 ? i + 1 : 0;
514 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
515
516 for( i = 0; i < 4; i++ ) // create round keys
517 {
518 w2 = w[(i + 1) & 3];
519 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
520 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
521 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
522 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
523 }
524 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
525
526 /* w holds enough info to reconstruct the round keys */
527 mbedtls_platform_zeroize( w, sizeof( w ) );
528
529 return( 0 );
530}
531
532/*
533 * Set decryption key
534 */
536 const unsigned char *key, unsigned int keybits )
537{
538 int i, j, k, ret;
539 ARIA_VALIDATE_RET( ctx != NULL );
540 ARIA_VALIDATE_RET( key != NULL );
541
542 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
543 if( ret != 0 )
544 return( ret );
545
546 /* flip the order of round keys */
547 for( i = 0, j = ctx->nr; i < j; i++, j-- )
548 {
549 for( k = 0; k < 4; k++ )
550 {
551 uint32_t t = ctx->rk[i][k];
552 ctx->rk[i][k] = ctx->rk[j][k];
553 ctx->rk[j][k] = t;
554 }
555 }
556
557 /* apply affine transform to middle keys */
558 for( i = 1; i < ctx->nr; i++ )
559 {
560 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
561 &ctx->rk[i][2], &ctx->rk[i][3] );
562 }
563
564 return( 0 );
565}
566
567/*
568 * Encrypt a block
569 */
571 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
572 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
573{
574 int i;
575
576 uint32_t a, b, c, d;
577 ARIA_VALIDATE_RET( ctx != NULL );
578 ARIA_VALIDATE_RET( input != NULL );
579 ARIA_VALIDATE_RET( output != NULL );
580
581 GET_UINT32_LE( a, input, 0 );
582 GET_UINT32_LE( b, input, 4 );
583 GET_UINT32_LE( c, input, 8 );
584 GET_UINT32_LE( d, input, 12 );
585
586 i = 0;
587 while( 1 )
588 {
589 a ^= ctx->rk[i][0];
590 b ^= ctx->rk[i][1];
591 c ^= ctx->rk[i][2];
592 d ^= ctx->rk[i][3];
593 i++;
594
595 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
596 aria_a( &a, &b, &c, &d );
597
598 a ^= ctx->rk[i][0];
599 b ^= ctx->rk[i][1];
600 c ^= ctx->rk[i][2];
601 d ^= ctx->rk[i][3];
602 i++;
603
604 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
605 if( i >= ctx->nr )
606 break;
607 aria_a( &a, &b, &c, &d );
608 }
609
610 /* final key mixing */
611 a ^= ctx->rk[i][0];
612 b ^= ctx->rk[i][1];
613 c ^= ctx->rk[i][2];
614 d ^= ctx->rk[i][3];
615
616 PUT_UINT32_LE( a, output, 0 );
617 PUT_UINT32_LE( b, output, 4 );
618 PUT_UINT32_LE( c, output, 8 );
619 PUT_UINT32_LE( d, output, 12 );
620
621 return( 0 );
622}
623
624/* Initialize context */
626{
627 ARIA_VALIDATE( ctx != NULL );
628 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
629}
630
631/* Clear context */
633{
634 if( ctx == NULL )
635 return;
636
638}
639
640#if defined(MBEDTLS_CIPHER_MODE_CBC)
641/*
642 * ARIA-CBC buffer encryption/decryption
643 */
645 int mode,
646 size_t length,
647 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
648 const unsigned char *input,
649 unsigned char *output )
650{
651 int i;
652 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
653
654 ARIA_VALIDATE_RET( ctx != NULL );
655 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
657 ARIA_VALIDATE_RET( length == 0 || input != NULL );
658 ARIA_VALIDATE_RET( length == 0 || output != NULL );
659 ARIA_VALIDATE_RET( iv != NULL );
660
663
665 {
666 while( length > 0 )
667 {
669 mbedtls_aria_crypt_ecb( ctx, input, output );
670
671 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
672 output[i] = (unsigned char)( output[i] ^ iv[i] );
673
675
677 output += MBEDTLS_ARIA_BLOCKSIZE;
679 }
680 }
681 else
682 {
683 while( length > 0 )
684 {
685 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
686 output[i] = (unsigned char)( input[i] ^ iv[i] );
687
688 mbedtls_aria_crypt_ecb( ctx, output, output );
689 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
690
692 output += MBEDTLS_ARIA_BLOCKSIZE;
694 }
695 }
696
697 return( 0 );
698}
699#endif /* MBEDTLS_CIPHER_MODE_CBC */
700
701#if defined(MBEDTLS_CIPHER_MODE_CFB)
702/*
703 * ARIA-CFB128 buffer encryption/decryption
704 */
706 int mode,
707 size_t length,
708 size_t *iv_off,
709 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
710 const unsigned char *input,
711 unsigned char *output )
712{
713 unsigned char c;
714 size_t n;
715
716 ARIA_VALIDATE_RET( ctx != NULL );
717 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
719 ARIA_VALIDATE_RET( length == 0 || input != NULL );
720 ARIA_VALIDATE_RET( length == 0 || output != NULL );
721 ARIA_VALIDATE_RET( iv != NULL );
722 ARIA_VALIDATE_RET( iv_off != NULL );
723
724 n = *iv_off;
725
726 /* An overly large value of n can lead to an unlimited
727 * buffer overflow. Therefore, guard against this
728 * outside of parameter validation. */
731
733 {
734 while( length-- )
735 {
736 if( n == 0 )
737 mbedtls_aria_crypt_ecb( ctx, iv, iv );
738
739 c = *input++;
740 *output++ = c ^ iv[n];
741 iv[n] = c;
742
743 n = ( n + 1 ) & 0x0F;
744 }
745 }
746 else
747 {
748 while( length-- )
749 {
750 if( n == 0 )
751 mbedtls_aria_crypt_ecb( ctx, iv, iv );
752
753 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
754
755 n = ( n + 1 ) & 0x0F;
756 }
757 }
758
759 *iv_off = n;
760
761 return( 0 );
762}
763#endif /* MBEDTLS_CIPHER_MODE_CFB */
764
765#if defined(MBEDTLS_CIPHER_MODE_CTR)
766/*
767 * ARIA-CTR buffer encryption/decryption
768 */
770 size_t length,
771 size_t *nc_off,
772 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
773 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
774 const unsigned char *input,
775 unsigned char *output )
776{
777 int c, i;
778 size_t n;
779
780 ARIA_VALIDATE_RET( ctx != NULL );
781 ARIA_VALIDATE_RET( length == 0 || input != NULL );
782 ARIA_VALIDATE_RET( length == 0 || output != NULL );
783 ARIA_VALIDATE_RET( nonce_counter != NULL );
784 ARIA_VALIDATE_RET( stream_block != NULL );
785 ARIA_VALIDATE_RET( nc_off != NULL );
786
787 n = *nc_off;
788 /* An overly large value of n can lead to an unlimited
789 * buffer overflow. Therefore, guard against this
790 * outside of parameter validation. */
793
794 while( length-- )
795 {
796 if( n == 0 ) {
797 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
798 stream_block );
799
800 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
801 if( ++nonce_counter[i - 1] != 0 )
802 break;
803 }
804 c = *input++;
805 *output++ = (unsigned char)( c ^ stream_block[n] );
806
807 n = ( n + 1 ) & 0x0F;
808 }
809
810 *nc_off = n;
811
812 return( 0 );
813}
814#endif /* MBEDTLS_CIPHER_MODE_CTR */
815#endif /* !MBEDTLS_ARIA_ALT */
816
817#if defined(MBEDTLS_SELF_TEST)
818
819/*
820 * Basic ARIA ECB test vectors from RFC 5794
821 */
822static const uint8_t aria_test1_ecb_key[32] = // test key
823{
824 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
825 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
826 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
827 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
828};
829
830static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
831{
832 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
833 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
834};
835
836static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
837{
838 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
839 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
840 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
841 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
842 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
843 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
844};
845
846/*
847 * Mode tests from "Test Vectors for ARIA" Version 1.0
848 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
849 */
850#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
851 defined(MBEDTLS_CIPHER_MODE_CTR))
852static const uint8_t aria_test2_key[32] =
853{
854 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
855 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
856 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
857 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
858};
859
860static const uint8_t aria_test2_pt[48] =
861{
862 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
863 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
864 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
865 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
866 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
867 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
868};
869#endif
870
871#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
872static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
873{
874 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
875 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
876};
877#endif
878
879#if defined(MBEDTLS_CIPHER_MODE_CBC)
880static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
881{
882 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
883 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
884 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
885 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
886 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
887 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
888 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
889 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
890 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
891 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
892 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
893 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
894 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
895 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
896 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
897 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
898 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
899 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
900};
901#endif /* MBEDTLS_CIPHER_MODE_CBC */
902
903#if defined(MBEDTLS_CIPHER_MODE_CFB)
904static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
905{
906 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
907 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
908 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
909 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
910 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
911 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
912 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
913 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
914 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
915 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
916 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
917 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
918 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
919 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
920 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
921 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
922 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
923 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
924};
925#endif /* MBEDTLS_CIPHER_MODE_CFB */
926
927#if defined(MBEDTLS_CIPHER_MODE_CTR)
928static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
929{
930 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
931 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
932 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
933 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
934 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
935 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
936 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
937 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
938 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
939 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
940 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
941 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
942 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
943 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
944 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
945 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
946 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
947 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
948};
949#endif /* MBEDTLS_CIPHER_MODE_CFB */
950
951#define ARIA_SELF_TEST_IF_FAIL \
952 { \
953 if( verbose ) \
954 mbedtls_printf( "failed\n" ); \
955 goto exit; \
956 } else { \
957 if( verbose ) \
958 mbedtls_printf( "passed\n" ); \
959 }
960
961/*
962 * Checkup routine
963 */
964int mbedtls_aria_self_test( int verbose )
965{
966 int i;
969 int ret = 1;
970
971#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
972 size_t j;
973#endif
974
975#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
976 defined(MBEDTLS_CIPHER_MODE_CFB) || \
977 defined(MBEDTLS_CIPHER_MODE_CTR))
979#endif
980
982
983 /*
984 * Test set 1
985 */
986 for( i = 0; i < 3; i++ )
987 {
988 /* test ECB encryption */
989 if( verbose )
990 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
991 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
992 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
993 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
994 ARIA_SELF_TEST_IF_FAIL;
995
996 /* test ECB decryption */
997 if( verbose )
998 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
999 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
1000 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
1001 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
1002 ARIA_SELF_TEST_IF_FAIL;
1003 }
1004 if( verbose )
1005 mbedtls_printf( "\n" );
1006
1007 /*
1008 * Test set 2
1009 */
1010#if defined(MBEDTLS_CIPHER_MODE_CBC)
1011 for( i = 0; i < 3; i++ )
1012 {
1013 /* Test CBC encryption */
1014 if( verbose )
1015 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
1016 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1017 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1018 memset( buf, 0x55, sizeof( buf ) );
1020 aria_test2_pt, buf );
1021 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
1022 ARIA_SELF_TEST_IF_FAIL;
1023
1024 /* Test CBC decryption */
1025 if( verbose )
1026 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
1027 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1028 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1029 memset( buf, 0xAA, sizeof( buf ) );
1031 aria_test2_cbc_ct[i], buf );
1032 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1033 ARIA_SELF_TEST_IF_FAIL;
1034 }
1035 if( verbose )
1036 mbedtls_printf( "\n" );
1037
1038#endif /* MBEDTLS_CIPHER_MODE_CBC */
1039
1040#if defined(MBEDTLS_CIPHER_MODE_CFB)
1041 for( i = 0; i < 3; i++ )
1042 {
1043 /* Test CFB encryption */
1044 if( verbose )
1045 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
1046 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1047 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1048 memset( buf, 0x55, sizeof( buf ) );
1049 j = 0;
1051 aria_test2_pt, buf );
1052 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1053 ARIA_SELF_TEST_IF_FAIL;
1054
1055 /* Test CFB decryption */
1056 if( verbose )
1057 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1058 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1059 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1060 memset( buf, 0xAA, sizeof( buf ) );
1061 j = 0;
1063 iv, aria_test2_cfb_ct[i], buf );
1064 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1065 ARIA_SELF_TEST_IF_FAIL;
1066 }
1067 if( verbose )
1068 mbedtls_printf( "\n" );
1069#endif /* MBEDTLS_CIPHER_MODE_CFB */
1070
1071#if defined(MBEDTLS_CIPHER_MODE_CTR)
1072 for( i = 0; i < 3; i++ )
1073 {
1074 /* Test CTR encryption */
1075 if( verbose )
1076 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1077 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1078 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1079 memset( buf, 0x55, sizeof( buf ) );
1080 j = 0;
1081 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1082 aria_test2_pt, buf );
1083 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1084 ARIA_SELF_TEST_IF_FAIL;
1085
1086 /* Test CTR decryption */
1087 if( verbose )
1088 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1089 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1090 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1091 memset( buf, 0xAA, sizeof( buf ) );
1092 j = 0;
1093 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1094 aria_test2_ctr_ct[i], buf );
1095 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1096 ARIA_SELF_TEST_IF_FAIL;
1097 }
1098 if( verbose )
1099 mbedtls_printf( "\n" );
1100#endif /* MBEDTLS_CIPHER_MODE_CTR */
1101
1102 ret = 0;
1103
1104exit:
1106 return( ret );
1107}
1108
1109#endif /* MBEDTLS_SELF_TEST */
1110
1111#endif /* MBEDTLS_ARIA_C */
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
static struct sockaddr_in sa
Definition: adnsresfilter.c:69
ARIA block cipher.
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx, int mode, size_t length, unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output)
This function performs an ARIA-CBC encryption or decryption operation on full blocks.
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output)
This function performs an ARIA-CFB128 encryption or decryption operation.
#define MBEDTLS_ARIA_DECRYPT
Definition: aria.h:71
void mbedtls_aria_init(mbedtls_aria_context *ctx)
This function initializes the specified ARIA context.
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
Definition: aria.h:82
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits)
This function sets the decryption key.
#define MBEDTLS_ARIA_BLOCKSIZE
Definition: aria.h:73
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx, const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
This function performs an ARIA single-block encryption or decryption operation.
void mbedtls_aria_free(mbedtls_aria_context *ctx)
This function releases and clears the specified ARIA context.
#define MBEDTLS_ARIA_ENCRYPT
Definition: aria.h:70
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx, const unsigned char *key, unsigned int keybits)
This function sets the encryption key.
#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA
Definition: aria.h:80
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], const unsigned char *input, unsigned char *output)
This function performs an ARIA-CTR encryption or decryption operation.
#define NULL
Definition: types.h:112
UINT32 uint32_t
Definition: types.h:75
unsigned char
Definition: typeof.h:29
superblock * sb
Definition: btrfs.c:4261
GLint GLint GLint GLint GLint x
Definition: gl.h:1548
GLdouble GLdouble GLdouble r
Definition: gl.h:2055
GLdouble GLdouble t
Definition: gl.h:2047
GLdouble n
Definition: glext.h:7729
GLdouble GLdouble GLint GLint GLdouble GLdouble GLint GLint GLdouble GLdouble w2
Definition: glext.h:8308
const GLfloat * tc
Definition: glext.h:8925
const GLubyte * c
Definition: glext.h:8905
GLboolean GLboolean GLboolean b
Definition: glext.h:6204
GLenum mode
Definition: glext.h:6217
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
GLuint GLsizei GLsizei * length
Definition: glext.h:6040
GLfloat GLfloat p
Definition: glext.h:8902
GLboolean GLboolean GLboolean GLboolean a
Definition: glext.h:6204
GLenum GLenum GLenum input
Definition: glext.h:9031
GLubyte GLubyte GLubyte GLubyte w
Definition: glext.h:6102
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble * u
Definition: glfuncs.h:240
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint GLint GLint j
Definition: glfuncs.h:250
#define d
Definition: ke_i.h:81
#define a
Definition: ke_i.h:78
#define c
Definition: ke_i.h:80
#define b
Definition: ke_i.h:79
#define blk
Definition: linetest.c:70
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
static const WCHAR tb[]
Definition: suminfo.c:285
static const WCHAR sd[]
Definition: suminfo.c:286
int k
Definition: mpi.c:3369
BYTE uint8_t
Definition: msvideo1.c:66
#define uint32_t
Definition: nsiface.idl:61
void mbedtls_platform_zeroize(void *buf, size_t len)
Securely zeroize a buffer.
Definition: platform_util.c:98
Common and shared functions used by multiple modules in the Mbed TLS library.
#define verbose
Definition: rosglue.h:36
int n2
Definition: dwarfget.c:147
int n1
Definition: dwarfget.c:147
static calc_node_t temp
Definition: rpn_ieee.c:38
Configuration options (set of defines)
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
#define exit(n)
Definition: config.h:202
#define memset(x, y, z)
Definition: compat.h:39
Definition: copy.c:22
The ARIA context-type definition.
Definition: aria.h:103
#define mbedtls_printf
Definition: timing.c:57
int ret