4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_ARIA_C)
36 #include "mbedtls/aria.h"
40 #if defined(MBEDTLS_SELF_TEST)
41 #if defined(MBEDTLS_PLATFORM_C)
42 #include "mbedtls/platform.h"
45 #define mbedtls_printf printf
46 #endif /* MBEDTLS_PLATFORM_C */
47 #endif /* MBEDTLS_SELF_TEST */
49 #if !defined(MBEDTLS_ARIA_ALT)
51 #include "mbedtls/platform_util.h"
53 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
54 !defined(inline) && !defined(__cplusplus)
55 #define inline __inline
58 /* Parameter validation macros */
59 #define ARIA_VALIDATE_RET( cond ) \
60 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
61 #define ARIA_VALIDATE( cond ) \
62 MBEDTLS_INTERNAL_VALIDATE( cond )
65 * 32-bit integer manipulation macros (little endian)
68 #define GET_UINT32_LE( n, b, i ) \
70 (n) = ( (uint32_t) (b)[(i) ] ) \
71 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
72 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
73 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
78 #define PUT_UINT32_LE( n, b, i ) \
80 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
81 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
82 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
83 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
88 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
90 * This is submatrix P1 in [1] Appendix B.1
92 * Common compilers fail to translate this to minimal number of instructions,
93 * so let's provide asm versions for common platforms with C fallback.
95 #if defined(MBEDTLS_HAVE_ASM)
96 #if defined(__arm__) /* rev16 available from v6 up */
97 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
98 #if defined(__GNUC__) && \
99 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
101 static inline uint32_t aria_p1( uint32_t x )
104 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
107 #define ARIA_P1 aria_p1
108 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
109 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
110 static inline uint32_t aria_p1( uint32_t x )
113 __asm( "rev16 r, x" );
116 #define ARIA_P1 aria_p1
119 #if defined(__GNUC__) && \
120 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
121 /* I couldn't find an Intel equivalent of rev16, so two instructions */
122 #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
123 #endif /* x86 gnuc */
124 #endif /* MBEDTLS_HAVE_ASM && GNUC */
125 #if !defined(ARIA_P1)
126 #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
130 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
132 * This is submatrix P2 in [1] Appendix B.1
134 * Common compilers will translate this to a single instruction.
136 #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
139 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
141 * This is submatrix P3 in [1] Appendix B.1
143 * Some compilers fail to translate this to a single instruction,
144 * so let's provide asm versions for common platforms with C fallback.
146 #if defined(MBEDTLS_HAVE_ASM)
147 #if defined(__arm__) /* rev available from v6 up */
148 /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
149 #if defined(__GNUC__) && \
150 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
152 static inline uint32_t aria_p3( uint32_t x )
155 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
158 #define ARIA_P3 aria_p3
159 #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
160 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
161 static inline uint32_t aria_p3( uint32_t x )
167 #define ARIA_P3 aria_p3
170 #if defined(__GNUC__) && \
171 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
172 static inline uint32_t aria_p3( uint32_t x )
174 __asm( "bswap %0" : "=r" (x) : "0" (x) );
177 #define ARIA_P3 aria_p3
178 #endif /* x86 gnuc */
179 #endif /* MBEDTLS_HAVE_ASM && GNUC */
180 #if !defined(ARIA_P3)
181 #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
185 * ARIA Affine Transform
186 * (a, b, c, d) = state in/out
188 * If we denote the first byte of input by 0, ..., the last byte by f,
189 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
191 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
192 * rearrangements on adjacent pairs, output is:
194 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
195 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
196 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
197 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
198 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
199 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
200 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
201 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
203 * Note: another presentation of the A transform can be found as the first
204 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
205 * The implementation below uses only P1 and P2 as they are sufficient.
207 static inline void aria_a( uint32_t *a, uint32_t *b,
208 uint32_t *c, uint32_t *d )
213 *a = ARIA_P2( ta ); // 6745
214 tb = ARIA_P2( *d ); // efcd
215 *d = ARIA_P1( *c ); // 98ba
216 *c = ARIA_P1( tb ); // fedc
217 ta ^= *d; // 4567+98ba
218 tc = ARIA_P2( *b ); // 2301
219 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
220 tb ^= ARIA_P2( *d ); // ba98+efcd
221 tc ^= ARIA_P1( *a ); // 2301+7654
222 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
223 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
224 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
225 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
226 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
227 tc = ARIA_P2( tc ); // 0123+5476
228 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
232 * ARIA Substitution Layer SL1 / SL2
233 * (a, b, c, d) = state in/out
234 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
236 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
237 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
239 static inline void aria_sl( uint32_t *a, uint32_t *b,
240 uint32_t *c, uint32_t *d,
241 const uint8_t sa[256], const uint8_t sb[256],
242 const uint8_t sc[256], const uint8_t sd[256] )
244 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
245 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
246 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
247 (((uint32_t) sd[ *a >> 24 ]) << 24);
248 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
249 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
250 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
251 (((uint32_t) sd[ *b >> 24 ]) << 24);
252 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
253 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
254 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
255 (((uint32_t) sd[ *c >> 24 ]) << 24);
256 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
257 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
258 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
259 (((uint32_t) sd[ *d >> 24 ]) << 24);
265 static const uint8_t aria_sb1[256] =
267 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
268 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
269 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
270 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
271 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
272 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
273 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
274 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
275 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
276 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
277 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
278 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
279 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
280 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
281 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
282 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
283 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
284 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
285 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
286 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
287 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
288 0xB0, 0x54, 0xBB, 0x16
291 static const uint8_t aria_sb2[256] =
293 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
294 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
295 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
296 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
297 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
298 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
299 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
300 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
301 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
302 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
303 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
304 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
305 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
306 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
307 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
308 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
309 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
310 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
311 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
312 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
313 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
314 0xAF, 0xBA, 0xB5, 0x81
317 static const uint8_t aria_is1[256] =
319 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
320 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
321 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
322 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
323 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
324 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
325 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
326 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
327 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
328 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
329 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
330 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
331 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
332 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
333 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
334 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
335 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
336 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
337 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
338 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
339 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
340 0x55, 0x21, 0x0C, 0x7D
343 static const uint8_t aria_is2[256] =
345 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
346 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
347 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
348 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
349 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
350 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
351 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
352 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
353 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
354 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
355 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
356 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
357 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
358 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
359 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
360 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
361 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
362 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
363 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
364 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
365 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
366 0x03, 0xA2, 0xAC, 0x60
370 * Helper for key schedule: r = FO( p, k ) ^ x
372 static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
373 const uint32_t k[4], const uint32_t x[4] )
382 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
383 aria_a( &a, &b, &c, &d );
392 * Helper for key schedule: r = FE( p, k ) ^ x
394 static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
395 const uint32_t k[4], const uint32_t x[4] )
404 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
405 aria_a( &a, &b, &c, &d );
414 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
416 * We chose to store bytes into 32-bit words in little-endian format (see
417 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
419 static void aria_rot128( uint32_t r[4], const uint32_t a[4],
420 const uint32_t b[4], uint8_t n )
425 const uint8_t n1 = n % 32; // bit offset
426 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
428 j = ( n / 32 ) % 4; // initial word offset
429 t = ARIA_P3( b[j] ); // big endian
430 for( i = 0; i < 4; i++ )
432 j = ( j + 1 ) % 4; // get next word, big endian
436 t = ARIA_P3( t ); // back to little endian
437 r[i] = a[i] ^ t; // store
438 t = u; // move to next word
445 int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
446 const unsigned char *key, unsigned int keybits )
448 /* round constant masks */
449 const uint32_t rc[3][4] =
451 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
452 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
453 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
457 uint32_t w[4][4], *w2;
458 ARIA_VALIDATE_RET( ctx != NULL );
459 ARIA_VALIDATE_RET( key != NULL );
461 if( keybits != 128 && keybits != 192 && keybits != 256 )
462 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
464 /* Copy key to W0 (and potential remainder to W1) */
465 GET_UINT32_LE( w[0][0], key, 0 );
466 GET_UINT32_LE( w[0][1], key, 4 );
467 GET_UINT32_LE( w[0][2], key, 8 );
468 GET_UINT32_LE( w[0][3], key, 12 );
470 memset( w[1], 0, 16 );
473 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
474 GET_UINT32_LE( w[1][1], key, 20 );
478 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
479 GET_UINT32_LE( w[1][3], key, 28 );
482 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
483 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
485 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
486 i = i < 2 ? i + 1 : 0;
487 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
488 i = i < 2 ? i + 1 : 0;
489 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
491 for( i = 0; i < 4; i++ ) // create round keys
494 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
495 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
496 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
497 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
499 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
501 /* w holds enough info to reconstruct the round keys */
502 mbedtls_platform_zeroize( w, sizeof( w ) );
510 int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
511 const unsigned char *key, unsigned int keybits )
514 ARIA_VALIDATE_RET( ctx != NULL );
515 ARIA_VALIDATE_RET( key != NULL );
517 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
521 /* flip the order of round keys */
522 for( i = 0, j = ctx->nr; i < j; i++, j-- )
524 for( k = 0; k < 4; k++ )
526 uint32_t t = ctx->rk[i][k];
527 ctx->rk[i][k] = ctx->rk[j][k];
532 /* apply affine transform to middle keys */
533 for( i = 1; i < ctx->nr; i++ )
535 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
536 &ctx->rk[i][2], &ctx->rk[i][3] );
545 int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
546 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
547 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
552 ARIA_VALIDATE_RET( ctx != NULL );
553 ARIA_VALIDATE_RET( input != NULL );
554 ARIA_VALIDATE_RET( output != NULL );
556 GET_UINT32_LE( a, input, 0 );
557 GET_UINT32_LE( b, input, 4 );
558 GET_UINT32_LE( c, input, 8 );
559 GET_UINT32_LE( d, input, 12 );
570 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
571 aria_a( &a, &b, &c, &d );
579 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
582 aria_a( &a, &b, &c, &d );
585 /* final key mixing */
591 PUT_UINT32_LE( a, output, 0 );
592 PUT_UINT32_LE( b, output, 4 );
593 PUT_UINT32_LE( c, output, 8 );
594 PUT_UINT32_LE( d, output, 12 );
599 /* Initialize context */
600 void mbedtls_aria_init( mbedtls_aria_context *ctx )
602 ARIA_VALIDATE( ctx != NULL );
603 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
607 void mbedtls_aria_free( mbedtls_aria_context *ctx )
612 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
615 #if defined(MBEDTLS_CIPHER_MODE_CBC)
617 * ARIA-CBC buffer encryption/decryption
619 int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
622 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
623 const unsigned char *input,
624 unsigned char *output )
627 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
629 ARIA_VALIDATE_RET( ctx != NULL );
630 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
631 mode == MBEDTLS_ARIA_DECRYPT );
632 ARIA_VALIDATE_RET( length == 0 || input != NULL );
633 ARIA_VALIDATE_RET( length == 0 || output != NULL );
634 ARIA_VALIDATE_RET( iv != NULL );
636 if( length % MBEDTLS_ARIA_BLOCKSIZE )
637 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
639 if( mode == MBEDTLS_ARIA_DECRYPT )
643 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
644 mbedtls_aria_crypt_ecb( ctx, input, output );
646 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
647 output[i] = (unsigned char)( output[i] ^ iv[i] );
649 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
651 input += MBEDTLS_ARIA_BLOCKSIZE;
652 output += MBEDTLS_ARIA_BLOCKSIZE;
653 length -= MBEDTLS_ARIA_BLOCKSIZE;
660 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
661 output[i] = (unsigned char)( input[i] ^ iv[i] );
663 mbedtls_aria_crypt_ecb( ctx, output, output );
664 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
666 input += MBEDTLS_ARIA_BLOCKSIZE;
667 output += MBEDTLS_ARIA_BLOCKSIZE;
668 length -= MBEDTLS_ARIA_BLOCKSIZE;
674 #endif /* MBEDTLS_CIPHER_MODE_CBC */
676 #if defined(MBEDTLS_CIPHER_MODE_CFB)
678 * ARIA-CFB128 buffer encryption/decryption
680 int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
684 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
685 const unsigned char *input,
686 unsigned char *output )
691 ARIA_VALIDATE_RET( ctx != NULL );
692 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
693 mode == MBEDTLS_ARIA_DECRYPT );
694 ARIA_VALIDATE_RET( length == 0 || input != NULL );
695 ARIA_VALIDATE_RET( length == 0 || output != NULL );
696 ARIA_VALIDATE_RET( iv != NULL );
697 ARIA_VALIDATE_RET( iv_off != NULL );
701 /* An overly large value of n can lead to an unlimited
702 * buffer overflow. Therefore, guard against this
703 * outside of parameter validation. */
704 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
705 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
707 if( mode == MBEDTLS_ARIA_DECRYPT )
712 mbedtls_aria_crypt_ecb( ctx, iv, iv );
715 *output++ = c ^ iv[n];
718 n = ( n + 1 ) & 0x0F;
726 mbedtls_aria_crypt_ecb( ctx, iv, iv );
728 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
730 n = ( n + 1 ) & 0x0F;
738 #endif /* MBEDTLS_CIPHER_MODE_CFB */
740 #if defined(MBEDTLS_CIPHER_MODE_CTR)
742 * ARIA-CTR buffer encryption/decryption
744 int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
747 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
748 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
749 const unsigned char *input,
750 unsigned char *output )
755 ARIA_VALIDATE_RET( ctx != NULL );
756 ARIA_VALIDATE_RET( length == 0 || input != NULL );
757 ARIA_VALIDATE_RET( length == 0 || output != NULL );
758 ARIA_VALIDATE_RET( nonce_counter != NULL );
759 ARIA_VALIDATE_RET( stream_block != NULL );
760 ARIA_VALIDATE_RET( nc_off != NULL );
763 /* An overly large value of n can lead to an unlimited
764 * buffer overflow. Therefore, guard against this
765 * outside of parameter validation. */
766 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
767 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
772 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
775 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
776 if( ++nonce_counter[i - 1] != 0 )
780 *output++ = (unsigned char)( c ^ stream_block[n] );
782 n = ( n + 1 ) & 0x0F;
789 #endif /* MBEDTLS_CIPHER_MODE_CTR */
790 #endif /* !MBEDTLS_ARIA_ALT */
792 #if defined(MBEDTLS_SELF_TEST)
795 * Basic ARIA ECB test vectors from RFC 5794
797 static const uint8_t aria_test1_ecb_key[32] = // test key
799 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
800 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
801 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
802 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
805 static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
807 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
808 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
811 static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
813 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
814 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
815 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
816 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
817 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
818 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
822 * Mode tests from "Test Vectors for ARIA" Version 1.0
823 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
825 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
826 defined(MBEDTLS_CIPHER_MODE_CTR))
827 static const uint8_t aria_test2_key[32] =
829 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
830 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
831 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
832 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
835 static const uint8_t aria_test2_pt[48] =
837 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
838 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
839 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
840 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
841 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
842 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
846 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
847 static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
849 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
850 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
854 #if defined(MBEDTLS_CIPHER_MODE_CBC)
855 static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
857 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
858 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
859 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
860 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
861 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
862 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
863 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
864 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
865 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
866 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
867 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
868 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
869 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
870 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
871 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
872 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
873 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
874 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
876 #endif /* MBEDTLS_CIPHER_MODE_CBC */
878 #if defined(MBEDTLS_CIPHER_MODE_CFB)
879 static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
881 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
882 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
883 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
884 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
885 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
886 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
887 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
888 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
889 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
890 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
891 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
892 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
893 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
894 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
895 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
896 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
897 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
898 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
900 #endif /* MBEDTLS_CIPHER_MODE_CFB */
902 #if defined(MBEDTLS_CIPHER_MODE_CTR)
903 static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
905 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
906 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
907 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
908 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
909 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
910 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
911 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
912 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
913 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
914 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
915 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
916 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
917 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
918 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
919 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
920 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
921 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
922 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
924 #endif /* MBEDTLS_CIPHER_MODE_CFB */
926 #define ARIA_SELF_TEST_IF_FAIL \
929 mbedtls_printf( "failed\n" ); \
933 mbedtls_printf( "passed\n" ); \
939 int mbedtls_aria_self_test( int verbose )
942 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
943 mbedtls_aria_context ctx;
945 #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
949 #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
950 defined(MBEDTLS_CIPHER_MODE_CFB) || \
951 defined(MBEDTLS_CIPHER_MODE_CTR))
952 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
958 for( i = 0; i < 3; i++ )
960 /* test ECB encryption */
962 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
963 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
964 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
965 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
966 ARIA_SELF_TEST_IF_FAIL;
968 /* test ECB decryption */
970 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
971 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
972 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
973 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
974 ARIA_SELF_TEST_IF_FAIL;
977 mbedtls_printf( "\n" );
982 #if defined(MBEDTLS_CIPHER_MODE_CBC)
983 for( i = 0; i < 3; i++ )
985 /* Test CBC encryption */
987 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
988 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
989 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
990 memset( buf, 0x55, sizeof( buf ) );
991 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
992 aria_test2_pt, buf );
993 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
994 ARIA_SELF_TEST_IF_FAIL;
996 /* Test CBC decryption */
998 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
999 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
1000 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1001 memset( buf, 0xAA, sizeof( buf ) );
1002 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1003 aria_test2_cbc_ct[i], buf );
1004 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1005 ARIA_SELF_TEST_IF_FAIL;
1008 mbedtls_printf( "\n" );
1010 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1012 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1013 for( i = 0; i < 3; i++ )
1015 /* Test CFB encryption */
1017 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
1018 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1019 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1020 memset( buf, 0x55, sizeof( buf ) );
1022 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1023 aria_test2_pt, buf );
1024 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1025 ARIA_SELF_TEST_IF_FAIL;
1027 /* Test CFB decryption */
1029 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
1030 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1031 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
1032 memset( buf, 0xAA, sizeof( buf ) );
1034 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1035 iv, aria_test2_cfb_ct[i], buf );
1036 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1037 ARIA_SELF_TEST_IF_FAIL;
1040 mbedtls_printf( "\n" );
1041 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1043 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1044 for( i = 0; i < 3; i++ )
1046 /* Test CTR encryption */
1048 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
1049 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1050 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1051 memset( buf, 0x55, sizeof( buf ) );
1053 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1054 aria_test2_pt, buf );
1055 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1056 ARIA_SELF_TEST_IF_FAIL;
1058 /* Test CTR decryption */
1060 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
1061 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
1062 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
1063 memset( buf, 0xAA, sizeof( buf ) );
1065 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1066 aria_test2_ctr_ct[i], buf );
1067 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1068 ARIA_SELF_TEST_IF_FAIL;
1071 mbedtls_printf( "\n" );
1072 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1077 #endif /* MBEDTLS_SELF_TEST */
1079 #endif /* MBEDTLS_ARIA_C */