Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
8774 | rgimad | 1 | /* |
2 | * ARIA implementation |
||
3 | * |
||
4 | * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved |
||
5 | * SPDX-License-Identifier: GPL-2.0 |
||
6 | * |
||
7 | * This program is free software; you can redistribute it and/or modify |
||
8 | * it under the terms of the GNU General Public License as published by |
||
9 | * the Free Software Foundation; either version 2 of the License, or |
||
10 | * (at your option) any later version. |
||
11 | * |
||
12 | * This program is distributed in the hope that it will be useful, |
||
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
15 | * GNU General Public License for more details. |
||
16 | * |
||
17 | * You should have received a copy of the GNU General Public License along |
||
18 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
20 | * |
||
21 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
22 | */ |
||
23 | |||
24 | /* |
||
25 | * This implementation is based on the following standards: |
||
26 | * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf |
||
27 | * [2] https://tools.ietf.org/html/rfc5794 |
||
28 | */ |
||
29 | |||
30 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
31 | #include "mbedtls/config.h" |
||
32 | #else |
||
33 | #include MBEDTLS_CONFIG_FILE |
||
34 | #endif |
||
35 | |||
36 | #if defined(MBEDTLS_ARIA_C) |
||
37 | |||
38 | #include "mbedtls/aria.h" |
||
39 | |||
40 | #include |
||
41 | |||
42 | #if defined(MBEDTLS_SELF_TEST) |
||
43 | #if defined(MBEDTLS_PLATFORM_C) |
||
44 | #include "mbedtls/platform.h" |
||
45 | #else |
||
46 | #include |
||
47 | #define mbedtls_printf printf |
||
48 | #endif /* MBEDTLS_PLATFORM_C */ |
||
49 | #endif /* MBEDTLS_SELF_TEST */ |
||
50 | |||
51 | #if !defined(MBEDTLS_ARIA_ALT) |
||
52 | |||
53 | #include "mbedtls/platform_util.h" |
||
54 | |||
55 | #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ |
||
56 | !defined(inline) && !defined(__cplusplus) |
||
57 | #define inline __inline |
||
58 | #endif |
||
59 | |||
60 | /* Parameter validation macros */ |
||
61 | #define ARIA_VALIDATE_RET( cond ) \ |
||
62 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) |
||
63 | #define ARIA_VALIDATE( cond ) \ |
||
64 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
65 | |||
66 | /* |
||
67 | * 32-bit integer manipulation macros (little endian) |
||
68 | */ |
||
69 | #ifndef GET_UINT32_LE |
||
70 | #define GET_UINT32_LE( n, b, i ) \ |
||
71 | { \ |
||
72 | (n) = ( (uint32_t) (b)[(i) ] ) \ |
||
73 | | ( (uint32_t) (b)[(i) + 1] << 8 ) \ |
||
74 | | ( (uint32_t) (b)[(i) + 2] << 16 ) \ |
||
75 | | ( (uint32_t) (b)[(i) + 3] << 24 ); \ |
||
76 | } |
||
77 | #endif |
||
78 | |||
79 | #ifndef PUT_UINT32_LE |
||
80 | #define PUT_UINT32_LE( n, b, i ) \ |
||
81 | { \ |
||
82 | (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ |
||
83 | (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ |
||
84 | (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ |
||
85 | (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ |
||
86 | } |
||
87 | #endif |
||
88 | |||
89 | /* |
||
90 | * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes |
||
91 | * |
||
92 | * This is submatrix P1 in [1] Appendix B.1 |
||
93 | * |
||
94 | * Common compilers fail to translate this to minimal number of instructions, |
||
95 | * so let's provide asm versions for common platforms with C fallback. |
||
96 | */ |
||
97 | #if defined(MBEDTLS_HAVE_ASM) |
||
98 | #if defined(__arm__) /* rev16 available from v6 up */ |
||
99 | /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ |
||
100 | #if defined(__GNUC__) && \ |
||
101 | ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ |
||
102 | __ARM_ARCH >= 6 |
||
103 | static inline uint32_t aria_p1( uint32_t x ) |
||
104 | { |
||
105 | uint32_t r; |
||
106 | __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) ); |
||
107 | return( r ); |
||
108 | } |
||
109 | #define ARIA_P1 aria_p1 |
||
110 | #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ |
||
111 | ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) |
||
112 | static inline uint32_t aria_p1( uint32_t x ) |
||
113 | { |
||
114 | uint32_t r; |
||
115 | __asm( "rev16 r, x" ); |
||
116 | return( r ); |
||
117 | } |
||
118 | #define ARIA_P1 aria_p1 |
||
119 | #endif |
||
120 | #endif /* arm */ |
||
121 | #if defined(__GNUC__) && \ |
||
122 | defined(__i386__) || defined(__amd64__) || defined( __x86_64__) |
||
123 | /* I couldn't find an Intel equivalent of rev16, so two instructions */ |
||
124 | #define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) ) |
||
125 | #endif /* x86 gnuc */ |
||
126 | #endif /* MBEDTLS_HAVE_ASM && GNUC */ |
||
127 | #if !defined(ARIA_P1) |
||
128 | #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8)) |
||
129 | #endif |
||
130 | |||
131 | /* |
||
132 | * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits |
||
133 | * |
||
134 | * This is submatrix P2 in [1] Appendix B.1 |
||
135 | * |
||
136 | * Common compilers will translate this to a single instruction. |
||
137 | */ |
||
138 | #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16)) |
||
139 | |||
140 | /* |
||
141 | * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness |
||
142 | * |
||
143 | * This is submatrix P3 in [1] Appendix B.1 |
||
144 | * |
||
145 | * Some compilers fail to translate this to a single instruction, |
||
146 | * so let's provide asm versions for common platforms with C fallback. |
||
147 | */ |
||
148 | #if defined(MBEDTLS_HAVE_ASM) |
||
149 | #if defined(__arm__) /* rev available from v6 up */ |
||
150 | /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ |
||
151 | #if defined(__GNUC__) && \ |
||
152 | ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \ |
||
153 | __ARM_ARCH >= 6 |
||
154 | static inline uint32_t aria_p3( uint32_t x ) |
||
155 | { |
||
156 | uint32_t r; |
||
157 | __asm( "rev %0, %1" : "=l" (r) : "l" (x) ); |
||
158 | return( r ); |
||
159 | } |
||
160 | #define ARIA_P3 aria_p3 |
||
161 | #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \ |
||
162 | ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 ) |
||
163 | static inline uint32_t aria_p3( uint32_t x ) |
||
164 | { |
||
165 | uint32_t r; |
||
166 | __asm( "rev r, x" ); |
||
167 | return( r ); |
||
168 | } |
||
169 | #define ARIA_P3 aria_p3 |
||
170 | #endif |
||
171 | #endif /* arm */ |
||
172 | #if defined(__GNUC__) && \ |
||
173 | defined(__i386__) || defined(__amd64__) || defined( __x86_64__) |
||
174 | static inline uint32_t aria_p3( uint32_t x ) |
||
175 | { |
||
176 | __asm( "bswap %0" : "=r" (x) : "0" (x) ); |
||
177 | return( x ); |
||
178 | } |
||
179 | #define ARIA_P3 aria_p3 |
||
180 | #endif /* x86 gnuc */ |
||
181 | #endif /* MBEDTLS_HAVE_ASM && GNUC */ |
||
182 | #if !defined(ARIA_P3) |
||
183 | #define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) ) |
||
184 | #endif |
||
185 | |||
186 | /* |
||
187 | * ARIA Affine Transform |
||
188 | * (a, b, c, d) = state in/out |
||
189 | * |
||
190 | * If we denote the first byte of input by 0, ..., the last byte by f, |
||
191 | * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef. |
||
192 | * |
||
193 | * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple |
||
194 | * rearrangements on adjacent pairs, output is: |
||
195 | * |
||
196 | * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe |
||
197 | * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd |
||
198 | * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd |
||
199 | * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc |
||
200 | * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe |
||
201 | * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc |
||
202 | * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef |
||
203 | * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef |
||
204 | * |
||
205 | * Note: another presentation of the A transform can be found as the first |
||
206 | * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4. |
||
207 | * The implementation below uses only P1 and P2 as they are sufficient. |
||
208 | */ |
||
209 | static inline void aria_a( uint32_t *a, uint32_t *b, |
||
210 | uint32_t *c, uint32_t *d ) |
||
211 | { |
||
212 | uint32_t ta, tb, tc; |
||
213 | ta = *b; // 4567 |
||
214 | *b = *a; // 0123 |
||
215 | *a = ARIA_P2( ta ); // 6745 |
||
216 | tb = ARIA_P2( *d ); // efcd |
||
217 | *d = ARIA_P1( *c ); // 98ba |
||
218 | *c = ARIA_P1( tb ); // fedc |
||
219 | ta ^= *d; // 4567+98ba |
||
220 | tc = ARIA_P2( *b ); // 2301 |
||
221 | ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc |
||
222 | tb ^= ARIA_P2( *d ); // ba98+efcd |
||
223 | tc ^= ARIA_P1( *a ); // 2301+7654 |
||
224 | *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT |
||
225 | tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc |
||
226 | *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT |
||
227 | ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe |
||
228 | *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT |
||
229 | tc = ARIA_P2( tc ); // 0123+5476 |
||
230 | *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT |
||
231 | } |
||
232 | |||
233 | /* |
||
234 | * ARIA Substitution Layer SL1 / SL2 |
||
235 | * (a, b, c, d) = state in/out |
||
236 | * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below) |
||
237 | * |
||
238 | * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1 |
||
239 | * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2 |
||
240 | */ |
||
241 | static inline void aria_sl( uint32_t *a, uint32_t *b, |
||
242 | uint32_t *c, uint32_t *d, |
||
243 | const uint8_t sa[256], const uint8_t sb[256], |
||
244 | const uint8_t sc[256], const uint8_t sd[256] ) |
||
245 | { |
||
246 | *a = ( (uint32_t) sa[ *a & 0xFF] ) ^ |
||
247 | (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^ |
||
248 | (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^ |
||
249 | (((uint32_t) sd[ *a >> 24 ]) << 24); |
||
250 | *b = ( (uint32_t) sa[ *b & 0xFF] ) ^ |
||
251 | (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^ |
||
252 | (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^ |
||
253 | (((uint32_t) sd[ *b >> 24 ]) << 24); |
||
254 | *c = ( (uint32_t) sa[ *c & 0xFF] ) ^ |
||
255 | (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^ |
||
256 | (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^ |
||
257 | (((uint32_t) sd[ *c >> 24 ]) << 24); |
||
258 | *d = ( (uint32_t) sa[ *d & 0xFF] ) ^ |
||
259 | (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^ |
||
260 | (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^ |
||
261 | (((uint32_t) sd[ *d >> 24 ]) << 24); |
||
262 | } |
||
263 | |||
264 | /* |
||
265 | * S-Boxes |
||
266 | */ |
||
267 | static const uint8_t aria_sb1[256] = |
||
268 | { |
||
269 | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, |
||
270 | 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
||
271 | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, |
||
272 | 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
||
273 | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, |
||
274 | 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
||
275 | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, |
||
276 | 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
||
277 | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, |
||
278 | 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
||
279 | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, |
||
280 | 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
||
281 | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, |
||
282 | 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
||
283 | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, |
||
284 | 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
||
285 | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, |
||
286 | 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
||
287 | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, |
||
288 | 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
||
289 | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, |
||
290 | 0xB0, 0x54, 0xBB, 0x16 |
||
291 | }; |
||
292 | |||
293 | static const uint8_t aria_sb2[256] = |
||
294 | { |
||
295 | 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, |
||
296 | 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, |
||
297 | 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, |
||
298 | 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, |
||
299 | 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, |
||
300 | 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, |
||
301 | 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, |
||
302 | 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, |
||
303 | 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, |
||
304 | 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, |
||
305 | 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, |
||
306 | 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, |
||
307 | 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, |
||
308 | 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, |
||
309 | 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, |
||
310 | 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8, |
||
311 | 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, |
||
312 | 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, |
||
313 | 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, |
||
314 | 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, |
||
315 | 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, |
||
316 | 0xAF, 0xBA, 0xB5, 0x81 |
||
317 | }; |
||
318 | |||
319 | static const uint8_t aria_is1[256] = |
||
320 | { |
||
321 | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, |
||
322 | 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
||
323 | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, |
||
324 | 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
||
325 | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, |
||
326 | 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
||
327 | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, |
||
328 | 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
||
329 | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, |
||
330 | 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
||
331 | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, |
||
332 | 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
||
333 | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, |
||
334 | 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
||
335 | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, |
||
336 | 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
||
337 | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, |
||
338 | 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
||
339 | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, |
||
340 | 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
||
341 | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, |
||
342 | 0x55, 0x21, 0x0C, 0x7D |
||
343 | }; |
||
344 | |||
345 | static const uint8_t aria_is2[256] = |
||
346 | { |
||
347 | 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, |
||
348 | 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, |
||
349 | 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, |
||
350 | 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, |
||
351 | 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, |
||
352 | 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, |
||
353 | 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, |
||
354 | 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, |
||
355 | 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, |
||
356 | 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, |
||
357 | 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, |
||
358 | 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, |
||
359 | 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, |
||
360 | 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, |
||
361 | 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, |
||
362 | 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5, |
||
363 | 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, |
||
364 | 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, |
||
365 | 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, |
||
366 | 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, |
||
367 | 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, |
||
368 | 0x03, 0xA2, 0xAC, 0x60 |
||
369 | }; |
||
370 | |||
371 | /* |
||
372 | * Helper for key schedule: r = FO( p, k ) ^ x |
||
373 | */ |
||
374 | static void aria_fo_xor( uint32_t r[4], const uint32_t p[4], |
||
375 | const uint32_t k[4], const uint32_t x[4] ) |
||
376 | { |
||
377 | uint32_t a, b, c, d; |
||
378 | |||
379 | a = p[0] ^ k[0]; |
||
380 | b = p[1] ^ k[1]; |
||
381 | c = p[2] ^ k[2]; |
||
382 | d = p[3] ^ k[3]; |
||
383 | |||
384 | aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); |
||
385 | aria_a( &a, &b, &c, &d ); |
||
386 | |||
387 | r[0] = a ^ x[0]; |
||
388 | r[1] = b ^ x[1]; |
||
389 | r[2] = c ^ x[2]; |
||
390 | r[3] = d ^ x[3]; |
||
391 | } |
||
392 | |||
393 | /* |
||
394 | * Helper for key schedule: r = FE( p, k ) ^ x |
||
395 | */ |
||
396 | static void aria_fe_xor( uint32_t r[4], const uint32_t p[4], |
||
397 | const uint32_t k[4], const uint32_t x[4] ) |
||
398 | { |
||
399 | uint32_t a, b, c, d; |
||
400 | |||
401 | a = p[0] ^ k[0]; |
||
402 | b = p[1] ^ k[1]; |
||
403 | c = p[2] ^ k[2]; |
||
404 | d = p[3] ^ k[3]; |
||
405 | |||
406 | aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); |
||
407 | aria_a( &a, &b, &c, &d ); |
||
408 | |||
409 | r[0] = a ^ x[0]; |
||
410 | r[1] = b ^ x[1]; |
||
411 | r[2] = c ^ x[2]; |
||
412 | r[3] = d ^ x[3]; |
||
413 | } |
||
414 | |||
415 | /* |
||
416 | * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup. |
||
417 | * |
||
418 | * We chose to store bytes into 32-bit words in little-endian format (see |
||
419 | * GET/PUT_UINT32_LE) so we need to reverse bytes here. |
||
420 | */ |
||
421 | static void aria_rot128( uint32_t r[4], const uint32_t a[4], |
||
422 | const uint32_t b[4], uint8_t n ) |
||
423 | { |
||
424 | uint8_t i, j; |
||
425 | uint32_t t, u; |
||
426 | |||
427 | const uint8_t n1 = n % 32; // bit offset |
||
428 | const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset |
||
429 | |||
430 | j = ( n / 32 ) % 4; // initial word offset |
||
431 | t = ARIA_P3( b[j] ); // big endian |
||
432 | for( i = 0; i < 4; i++ ) |
||
433 | { |
||
434 | j = ( j + 1 ) % 4; // get next word, big endian |
||
435 | u = ARIA_P3( b[j] ); |
||
436 | t <<= n1; // rotate |
||
437 | t |= u >> n2; |
||
438 | t = ARIA_P3( t ); // back to little endian |
||
439 | r[i] = a[i] ^ t; // store |
||
440 | t = u; // move to next word |
||
441 | } |
||
442 | } |
||
443 | |||
444 | /* |
||
445 | * Set encryption key |
||
446 | */ |
||
447 | int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx, |
||
448 | const unsigned char *key, unsigned int keybits ) |
||
449 | { |
||
450 | /* round constant masks */ |
||
451 | const uint32_t rc[3][4] = |
||
452 | { |
||
453 | { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA }, |
||
454 | { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF }, |
||
455 | { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 } |
||
456 | }; |
||
457 | |||
458 | int i; |
||
459 | uint32_t w[4][4], *w2; |
||
460 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
461 | ARIA_VALIDATE_RET( key != NULL ); |
||
462 | |||
463 | if( keybits != 128 && keybits != 192 && keybits != 256 ) |
||
464 | return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); |
||
465 | |||
466 | /* Copy key to W0 (and potential remainder to W1) */ |
||
467 | GET_UINT32_LE( w[0][0], key, 0 ); |
||
468 | GET_UINT32_LE( w[0][1], key, 4 ); |
||
469 | GET_UINT32_LE( w[0][2], key, 8 ); |
||
470 | GET_UINT32_LE( w[0][3], key, 12 ); |
||
471 | |||
472 | memset( w[1], 0, 16 ); |
||
473 | if( keybits >= 192 ) |
||
474 | { |
||
475 | GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key |
||
476 | GET_UINT32_LE( w[1][1], key, 20 ); |
||
477 | } |
||
478 | if( keybits == 256 ) |
||
479 | { |
||
480 | GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key |
||
481 | GET_UINT32_LE( w[1][3], key, 28 ); |
||
482 | } |
||
483 | |||
484 | i = ( keybits - 128 ) >> 6; // index: 0, 1, 2 |
||
485 | ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16 |
||
486 | |||
487 | aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR |
||
488 | i = i < 2 ? i + 1 : 0; |
||
489 | aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0 |
||
490 | i = i < 2 ? i + 1 : 0; |
||
491 | aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1 |
||
492 | |||
493 | for( i = 0; i < 4; i++ ) // create round keys |
||
494 | { |
||
495 | w2 = w[(i + 1) & 3]; |
||
496 | aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 ); |
||
497 | aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 ); |
||
498 | aria_rot128( ctx->rk[i + 8], w[i], w2, 61 ); |
||
499 | aria_rot128( ctx->rk[i + 12], w[i], w2, 31 ); |
||
500 | } |
||
501 | aria_rot128( ctx->rk[16], w[0], w[1], 19 ); |
||
502 | |||
503 | /* w holds enough info to reconstruct the round keys */ |
||
504 | mbedtls_platform_zeroize( w, sizeof( w ) ); |
||
505 | |||
506 | return( 0 ); |
||
507 | } |
||
508 | |||
509 | /* |
||
510 | * Set decryption key |
||
511 | */ |
||
512 | int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx, |
||
513 | const unsigned char *key, unsigned int keybits ) |
||
514 | { |
||
515 | int i, j, k, ret; |
||
516 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
517 | ARIA_VALIDATE_RET( key != NULL ); |
||
518 | |||
519 | ret = mbedtls_aria_setkey_enc( ctx, key, keybits ); |
||
520 | if( ret != 0 ) |
||
521 | return( ret ); |
||
522 | |||
523 | /* flip the order of round keys */ |
||
524 | for( i = 0, j = ctx->nr; i < j; i++, j-- ) |
||
525 | { |
||
526 | for( k = 0; k < 4; k++ ) |
||
527 | { |
||
528 | uint32_t t = ctx->rk[i][k]; |
||
529 | ctx->rk[i][k] = ctx->rk[j][k]; |
||
530 | ctx->rk[j][k] = t; |
||
531 | } |
||
532 | } |
||
533 | |||
534 | /* apply affine transform to middle keys */ |
||
535 | for( i = 1; i < ctx->nr; i++ ) |
||
536 | { |
||
537 | aria_a( &ctx->rk[i][0], &ctx->rk[i][1], |
||
538 | &ctx->rk[i][2], &ctx->rk[i][3] ); |
||
539 | } |
||
540 | |||
541 | return( 0 ); |
||
542 | } |
||
543 | |||
544 | /* |
||
545 | * Encrypt a block |
||
546 | */ |
||
547 | int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx, |
||
548 | const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE], |
||
549 | unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] ) |
||
550 | { |
||
551 | int i; |
||
552 | |||
553 | uint32_t a, b, c, d; |
||
554 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
555 | ARIA_VALIDATE_RET( input != NULL ); |
||
556 | ARIA_VALIDATE_RET( output != NULL ); |
||
557 | |||
558 | GET_UINT32_LE( a, input, 0 ); |
||
559 | GET_UINT32_LE( b, input, 4 ); |
||
560 | GET_UINT32_LE( c, input, 8 ); |
||
561 | GET_UINT32_LE( d, input, 12 ); |
||
562 | |||
563 | i = 0; |
||
564 | while( 1 ) |
||
565 | { |
||
566 | a ^= ctx->rk[i][0]; |
||
567 | b ^= ctx->rk[i][1]; |
||
568 | c ^= ctx->rk[i][2]; |
||
569 | d ^= ctx->rk[i][3]; |
||
570 | i++; |
||
571 | |||
572 | aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 ); |
||
573 | aria_a( &a, &b, &c, &d ); |
||
574 | |||
575 | a ^= ctx->rk[i][0]; |
||
576 | b ^= ctx->rk[i][1]; |
||
577 | c ^= ctx->rk[i][2]; |
||
578 | d ^= ctx->rk[i][3]; |
||
579 | i++; |
||
580 | |||
581 | aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 ); |
||
582 | if( i >= ctx->nr ) |
||
583 | break; |
||
584 | aria_a( &a, &b, &c, &d ); |
||
585 | } |
||
586 | |||
587 | /* final key mixing */ |
||
588 | a ^= ctx->rk[i][0]; |
||
589 | b ^= ctx->rk[i][1]; |
||
590 | c ^= ctx->rk[i][2]; |
||
591 | d ^= ctx->rk[i][3]; |
||
592 | |||
593 | PUT_UINT32_LE( a, output, 0 ); |
||
594 | PUT_UINT32_LE( b, output, 4 ); |
||
595 | PUT_UINT32_LE( c, output, 8 ); |
||
596 | PUT_UINT32_LE( d, output, 12 ); |
||
597 | |||
598 | return( 0 ); |
||
599 | } |
||
600 | |||
601 | /* Initialize context */ |
||
602 | void mbedtls_aria_init( mbedtls_aria_context *ctx ) |
||
603 | { |
||
604 | ARIA_VALIDATE( ctx != NULL ); |
||
605 | memset( ctx, 0, sizeof( mbedtls_aria_context ) ); |
||
606 | } |
||
607 | |||
608 | /* Clear context */ |
||
609 | void mbedtls_aria_free( mbedtls_aria_context *ctx ) |
||
610 | { |
||
611 | if( ctx == NULL ) |
||
612 | return; |
||
613 | |||
614 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) ); |
||
615 | } |
||
616 | |||
617 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
||
618 | /* |
||
619 | * ARIA-CBC buffer encryption/decryption |
||
620 | */ |
||
621 | int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx, |
||
622 | int mode, |
||
623 | size_t length, |
||
624 | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
||
625 | const unsigned char *input, |
||
626 | unsigned char *output ) |
||
627 | { |
||
628 | int i; |
||
629 | unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE]; |
||
630 | |||
631 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
632 | ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || |
||
633 | mode == MBEDTLS_ARIA_DECRYPT ); |
||
634 | ARIA_VALIDATE_RET( length == 0 || input != NULL ); |
||
635 | ARIA_VALIDATE_RET( length == 0 || output != NULL ); |
||
636 | ARIA_VALIDATE_RET( iv != NULL ); |
||
637 | |||
638 | if( length % MBEDTLS_ARIA_BLOCKSIZE ) |
||
639 | return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH ); |
||
640 | |||
641 | if( mode == MBEDTLS_ARIA_DECRYPT ) |
||
642 | { |
||
643 | while( length > 0 ) |
||
644 | { |
||
645 | memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE ); |
||
646 | mbedtls_aria_crypt_ecb( ctx, input, output ); |
||
647 | |||
648 | for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) |
||
649 | output[i] = (unsigned char)( output[i] ^ iv[i] ); |
||
650 | |||
651 | memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE ); |
||
652 | |||
653 | input += MBEDTLS_ARIA_BLOCKSIZE; |
||
654 | output += MBEDTLS_ARIA_BLOCKSIZE; |
||
655 | length -= MBEDTLS_ARIA_BLOCKSIZE; |
||
656 | } |
||
657 | } |
||
658 | else |
||
659 | { |
||
660 | while( length > 0 ) |
||
661 | { |
||
662 | for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ ) |
||
663 | output[i] = (unsigned char)( input[i] ^ iv[i] ); |
||
664 | |||
665 | mbedtls_aria_crypt_ecb( ctx, output, output ); |
||
666 | memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE ); |
||
667 | |||
668 | input += MBEDTLS_ARIA_BLOCKSIZE; |
||
669 | output += MBEDTLS_ARIA_BLOCKSIZE; |
||
670 | length -= MBEDTLS_ARIA_BLOCKSIZE; |
||
671 | } |
||
672 | } |
||
673 | |||
674 | return( 0 ); |
||
675 | } |
||
676 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
||
677 | |||
678 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
||
679 | /* |
||
680 | * ARIA-CFB128 buffer encryption/decryption |
||
681 | */ |
||
682 | int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx, |
||
683 | int mode, |
||
684 | size_t length, |
||
685 | size_t *iv_off, |
||
686 | unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE], |
||
687 | const unsigned char *input, |
||
688 | unsigned char *output ) |
||
689 | { |
||
690 | unsigned char c; |
||
691 | size_t n; |
||
692 | |||
693 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
694 | ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT || |
||
695 | mode == MBEDTLS_ARIA_DECRYPT ); |
||
696 | ARIA_VALIDATE_RET( length == 0 || input != NULL ); |
||
697 | ARIA_VALIDATE_RET( length == 0 || output != NULL ); |
||
698 | ARIA_VALIDATE_RET( iv != NULL ); |
||
699 | ARIA_VALIDATE_RET( iv_off != NULL ); |
||
700 | |||
701 | n = *iv_off; |
||
702 | |||
703 | /* An overly large value of n can lead to an unlimited |
||
704 | * buffer overflow. Therefore, guard against this |
||
705 | * outside of parameter validation. */ |
||
706 | if( n >= MBEDTLS_ARIA_BLOCKSIZE ) |
||
707 | return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); |
||
708 | |||
709 | if( mode == MBEDTLS_ARIA_DECRYPT ) |
||
710 | { |
||
711 | while( length-- ) |
||
712 | { |
||
713 | if( n == 0 ) |
||
714 | mbedtls_aria_crypt_ecb( ctx, iv, iv ); |
||
715 | |||
716 | c = *input++; |
||
717 | *output++ = c ^ iv[n]; |
||
718 | iv[n] = c; |
||
719 | |||
720 | n = ( n + 1 ) & 0x0F; |
||
721 | } |
||
722 | } |
||
723 | else |
||
724 | { |
||
725 | while( length-- ) |
||
726 | { |
||
727 | if( n == 0 ) |
||
728 | mbedtls_aria_crypt_ecb( ctx, iv, iv ); |
||
729 | |||
730 | iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); |
||
731 | |||
732 | n = ( n + 1 ) & 0x0F; |
||
733 | } |
||
734 | } |
||
735 | |||
736 | *iv_off = n; |
||
737 | |||
738 | return( 0 ); |
||
739 | } |
||
740 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
||
741 | |||
742 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
||
743 | /* |
||
744 | * ARIA-CTR buffer encryption/decryption |
||
745 | */ |
||
746 | int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx, |
||
747 | size_t length, |
||
748 | size_t *nc_off, |
||
749 | unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE], |
||
750 | unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE], |
||
751 | const unsigned char *input, |
||
752 | unsigned char *output ) |
||
753 | { |
||
754 | int c, i; |
||
755 | size_t n; |
||
756 | |||
757 | ARIA_VALIDATE_RET( ctx != NULL ); |
||
758 | ARIA_VALIDATE_RET( length == 0 || input != NULL ); |
||
759 | ARIA_VALIDATE_RET( length == 0 || output != NULL ); |
||
760 | ARIA_VALIDATE_RET( nonce_counter != NULL ); |
||
761 | ARIA_VALIDATE_RET( stream_block != NULL ); |
||
762 | ARIA_VALIDATE_RET( nc_off != NULL ); |
||
763 | |||
764 | n = *nc_off; |
||
765 | /* An overly large value of n can lead to an unlimited |
||
766 | * buffer overflow. Therefore, guard against this |
||
767 | * outside of parameter validation. */ |
||
768 | if( n >= MBEDTLS_ARIA_BLOCKSIZE ) |
||
769 | return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ); |
||
770 | |||
771 | while( length-- ) |
||
772 | { |
||
773 | if( n == 0 ) { |
||
774 | mbedtls_aria_crypt_ecb( ctx, nonce_counter, |
||
775 | stream_block ); |
||
776 | |||
777 | for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- ) |
||
778 | if( ++nonce_counter[i - 1] != 0 ) |
||
779 | break; |
||
780 | } |
||
781 | c = *input++; |
||
782 | *output++ = (unsigned char)( c ^ stream_block[n] ); |
||
783 | |||
784 | n = ( n + 1 ) & 0x0F; |
||
785 | } |
||
786 | |||
787 | *nc_off = n; |
||
788 | |||
789 | return( 0 ); |
||
790 | } |
||
791 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
||
792 | #endif /* !MBEDTLS_ARIA_ALT */ |
||
793 | |||
794 | #if defined(MBEDTLS_SELF_TEST) |
||
795 | |||
796 | /* |
||
797 | * Basic ARIA ECB test vectors from RFC 5794 |
||
798 | */ |
||
799 | static const uint8_t aria_test1_ecb_key[32] = // test key |
||
800 | { |
||
801 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit |
||
802 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
||
803 | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit |
||
804 | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit |
||
805 | }; |
||
806 | |||
807 | static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext |
||
808 | { |
||
809 | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all |
||
810 | 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes |
||
811 | }; |
||
812 | |||
813 | static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext |
||
814 | { |
||
815 | { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit |
||
816 | 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }, |
||
817 | { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit |
||
818 | 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }, |
||
819 | { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit |
||
820 | 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } |
||
821 | }; |
||
822 | |||
823 | /* |
||
824 | * Mode tests from "Test Vectors for ARIA" Version 1.0 |
||
825 | * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf |
||
826 | */ |
||
827 | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
||
828 | defined(MBEDTLS_CIPHER_MODE_CTR)) |
||
829 | static const uint8_t aria_test2_key[32] = |
||
830 | { |
||
831 | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit |
||
832 | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, |
||
833 | 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit |
||
834 | 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit |
||
835 | }; |
||
836 | |||
837 | static const uint8_t aria_test2_pt[48] = |
||
838 | { |
||
839 | 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all |
||
840 | 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, |
||
841 | 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, |
||
842 | 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd, |
||
843 | 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa, |
||
844 | 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb, |
||
845 | }; |
||
846 | #endif |
||
847 | |||
848 | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)) |
||
849 | static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = |
||
850 | { |
||
851 | 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB |
||
852 | 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV |
||
853 | }; |
||
854 | #endif |
||
855 | |||
856 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
||
857 | static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext |
||
858 | { |
||
859 | { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key |
||
860 | 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, |
||
861 | 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, |
||
862 | 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38, |
||
863 | 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c, |
||
864 | 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 }, |
||
865 | { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key |
||
866 | 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, |
||
867 | 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, |
||
868 | 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5, |
||
869 | 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92, |
||
870 | 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e }, |
||
871 | { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key |
||
872 | 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, |
||
873 | 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, |
||
874 | 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52, |
||
875 | 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5, |
||
876 | 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } |
||
877 | }; |
||
878 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
||
879 | |||
880 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
||
881 | static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext |
||
882 | { |
||
883 | { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key |
||
884 | 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, |
||
885 | 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, |
||
886 | 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01, |
||
887 | 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96, |
||
888 | 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b }, |
||
889 | { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key |
||
890 | 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, |
||
891 | 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, |
||
892 | 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59, |
||
893 | 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86, |
||
894 | 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b }, |
||
895 | { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key |
||
896 | 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, |
||
897 | 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, |
||
898 | 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa, |
||
899 | 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c, |
||
900 | 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } |
||
901 | }; |
||
902 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
||
903 | |||
904 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
||
905 | static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext |
||
906 | { |
||
907 | { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key |
||
908 | 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, |
||
909 | 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, |
||
910 | 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f, |
||
911 | 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71, |
||
912 | 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 }, |
||
913 | { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key |
||
914 | 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, |
||
915 | 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, |
||
916 | 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79, |
||
917 | 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce, |
||
918 | 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf }, |
||
919 | { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key |
||
920 | 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, |
||
921 | 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, |
||
922 | 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f, |
||
923 | 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7, |
||
924 | 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } |
||
925 | }; |
||
926 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
||
927 | |||
928 | #define ARIA_SELF_TEST_IF_FAIL \ |
||
929 | { \ |
||
930 | if( verbose ) \ |
||
931 | mbedtls_printf( "failed\n" ); \ |
||
932 | return( 1 ); \ |
||
933 | } else { \ |
||
934 | if( verbose ) \ |
||
935 | mbedtls_printf( "passed\n" ); \ |
||
936 | } |
||
937 | |||
938 | /* |
||
939 | * Checkup routine |
||
940 | */ |
||
941 | int mbedtls_aria_self_test( int verbose ) |
||
942 | { |
||
943 | int i; |
||
944 | uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; |
||
945 | mbedtls_aria_context ctx; |
||
946 | |||
947 | #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) |
||
948 | size_t j; |
||
949 | #endif |
||
950 | |||
951 | #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \ |
||
952 | defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
||
953 | defined(MBEDTLS_CIPHER_MODE_CTR)) |
||
954 | uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; |
||
955 | #endif |
||
956 | |||
957 | /* |
||
958 | * Test set 1 |
||
959 | */ |
||
960 | for( i = 0; i < 3; i++ ) |
||
961 | { |
||
962 | /* test ECB encryption */ |
||
963 | if( verbose ) |
||
964 | mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i ); |
||
965 | mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i ); |
||
966 | mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk ); |
||
967 | if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) |
||
968 | ARIA_SELF_TEST_IF_FAIL; |
||
969 | |||
970 | /* test ECB decryption */ |
||
971 | if( verbose ) |
||
972 | mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i ); |
||
973 | mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i ); |
||
974 | mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk ); |
||
975 | if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 ) |
||
976 | ARIA_SELF_TEST_IF_FAIL; |
||
977 | } |
||
978 | if( verbose ) |
||
979 | mbedtls_printf( "\n" ); |
||
980 | |||
981 | /* |
||
982 | * Test set 2 |
||
983 | */ |
||
984 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
||
985 | for( i = 0; i < 3; i++ ) |
||
986 | { |
||
987 | /* Test CBC encryption */ |
||
988 | if( verbose ) |
||
989 | mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i ); |
||
990 | mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); |
||
991 | memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); |
||
992 | memset( buf, 0x55, sizeof( buf ) ); |
||
993 | mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv, |
||
994 | aria_test2_pt, buf ); |
||
995 | if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 ) |
||
996 | ARIA_SELF_TEST_IF_FAIL; |
||
997 | |||
998 | /* Test CBC decryption */ |
||
999 | if( verbose ) |
||
1000 | mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i ); |
||
1001 | mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i ); |
||
1002 | memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); |
||
1003 | memset( buf, 0xAA, sizeof( buf ) ); |
||
1004 | mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv, |
||
1005 | aria_test2_cbc_ct[i], buf ); |
||
1006 | if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) |
||
1007 | ARIA_SELF_TEST_IF_FAIL; |
||
1008 | } |
||
1009 | if( verbose ) |
||
1010 | mbedtls_printf( "\n" ); |
||
1011 | |||
1012 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
||
1013 | |||
1014 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
||
1015 | for( i = 0; i < 3; i++ ) |
||
1016 | { |
||
1017 | /* Test CFB encryption */ |
||
1018 | if( verbose ) |
||
1019 | mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i ); |
||
1020 | mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); |
||
1021 | memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); |
||
1022 | memset( buf, 0x55, sizeof( buf ) ); |
||
1023 | j = 0; |
||
1024 | mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv, |
||
1025 | aria_test2_pt, buf ); |
||
1026 | if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 ) |
||
1027 | ARIA_SELF_TEST_IF_FAIL; |
||
1028 | |||
1029 | /* Test CFB decryption */ |
||
1030 | if( verbose ) |
||
1031 | mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i ); |
||
1032 | mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); |
||
1033 | memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE ); |
||
1034 | memset( buf, 0xAA, sizeof( buf ) ); |
||
1035 | j = 0; |
||
1036 | mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, |
||
1037 | iv, aria_test2_cfb_ct[i], buf ); |
||
1038 | if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) |
||
1039 | ARIA_SELF_TEST_IF_FAIL; |
||
1040 | } |
||
1041 | if( verbose ) |
||
1042 | mbedtls_printf( "\n" ); |
||
1043 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
||
1044 | |||
1045 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
||
1046 | for( i = 0; i < 3; i++ ) |
||
1047 | { |
||
1048 | /* Test CTR encryption */ |
||
1049 | if( verbose ) |
||
1050 | mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i ); |
||
1051 | mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); |
||
1052 | memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 |
||
1053 | memset( buf, 0x55, sizeof( buf ) ); |
||
1054 | j = 0; |
||
1055 | mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, |
||
1056 | aria_test2_pt, buf ); |
||
1057 | if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 ) |
||
1058 | ARIA_SELF_TEST_IF_FAIL; |
||
1059 | |||
1060 | /* Test CTR decryption */ |
||
1061 | if( verbose ) |
||
1062 | mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i ); |
||
1063 | mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i ); |
||
1064 | memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0 |
||
1065 | memset( buf, 0xAA, sizeof( buf ) ); |
||
1066 | j = 0; |
||
1067 | mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk, |
||
1068 | aria_test2_ctr_ct[i], buf ); |
||
1069 | if( memcmp( buf, aria_test2_pt, 48 ) != 0 ) |
||
1070 | ARIA_SELF_TEST_IF_FAIL; |
||
1071 | } |
||
1072 | if( verbose ) |
||
1073 | mbedtls_printf( "\n" ); |
||
1074 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
||
1075 | |||
1076 | return( 0 ); |
||
1077 | } |
||
1078 | |||
1079 | #endif /* MBEDTLS_SELF_TEST */ |
||
1080 | |||
1081 | #endif /* MBEDTLS_ARIA_C */>>>>>>>>>>>>=><=>>><><<>><>><>><>><>><>><>><>><>><>><>><>><>>><>><>>><>><>><> |