TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 16fbd46d245d634778b9df729e3909d6bfd9a79b / . / lib / libmbedtls / mbedtls / library / aria.c
blob: 0980362253cee83021d2795ae5873fdf64595de1 [file] [log] [blame]
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1/*
2 * ARIA implementation
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]18 */
19
20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]26#include "common.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
30#include "mbedtls/aria.h"
31
32#include <string.h>
33
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]34#include "mbedtls/platform.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]35
36#if !defined(MBEDTLS_ARIA_ALT)
37
38#include "mbedtls/platform_util.h"
39
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]40/* Parameter validation macros */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]41#define ARIA_VALIDATE_RET(cond) \
42 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
43#define ARIA_VALIDATE(cond) \
44 MBEDTLS_INTERNAL_VALIDATE(cond)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]45
46/*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
48 *
49 * This is submatrix P1 in [1] Appendix B.1
50 *
51 * Common compilers fail to translate this to minimal number of instructions,
52 * so let's provide asm versions for common platforms with C fallback.
53 */
54#if defined(MBEDTLS_HAVE_ASM)
55#if defined(__arm__) /* rev16 available from v6 up */
56/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57#if defined(__GNUC__) && \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]58 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]59 __ARM_ARCH >= 6
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]60static inline uint32_t aria_p1(uint32_t x)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]61{
62 uint32_t r;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]63 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
64 return r;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]65}
66#define ARIA_P1 aria_p1
67#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]68 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
69static inline uint32_t aria_p1(uint32_t x)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]70{
71 uint32_t r;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]72 __asm("rev16 r, x");
73 return r;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]74}
75#define ARIA_P1 aria_p1
76#endif
77#endif /* arm */
78#if defined(__GNUC__) && \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]79 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]80/* I couldn't find an Intel equivalent of rev16, so two instructions */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]81#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]82#endif /* x86 gnuc */
83#endif /* MBEDTLS_HAVE_ASM && GNUC */
84#if !defined(ARIA_P1)
85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
86#endif
87
88/*
89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90 *
91 * This is submatrix P2 in [1] Appendix B.1
92 *
93 * Common compilers will translate this to a single instruction.
94 */
95#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
96
97/*
98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99 *
100 * This is submatrix P3 in [1] Appendix B.1
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]101 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]102#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]103
104/*
105 * ARIA Affine Transform
106 * (a, b, c, d) = state in/out
107 *
108 * If we denote the first byte of input by 0, ..., the last byte by f,
109 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
110 *
111 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
112 * rearrangements on adjacent pairs, output is:
113 *
114 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
115 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
116 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
117 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
118 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
119 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
120 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
121 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
122 *
123 * Note: another presentation of the A transform can be found as the first
124 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
125 * The implementation below uses only P1 and P2 as they are sufficient.
126 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]127static inline void aria_a(uint32_t *a, uint32_t *b,
128 uint32_t *c, uint32_t *d)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]129{
130 uint32_t ta, tb, tc;
131 ta = *b; // 4567
132 *b = *a; // 0123
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]133 *a = ARIA_P2(ta); // 6745
134 tb = ARIA_P2(*d); // efcd
135 *d = ARIA_P1(*c); // 98ba
136 *c = ARIA_P1(tb); // fedc
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]137 ta ^= *d; // 4567+98ba
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]138 tc = ARIA_P2(*b); // 2301
139 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
140 tb ^= ARIA_P2(*d); // ba98+efcd
141 tc ^= ARIA_P1(*a); // 2301+7654
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]142 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]143 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
144 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
145 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
146 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
147 tc = ARIA_P2(tc); // 0123+5476
148 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]149}
150
151/*
152 * ARIA Substitution Layer SL1 / SL2
153 * (a, b, c, d) = state in/out
154 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
155 *
156 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
157 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
158 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]159static inline void aria_sl(uint32_t *a, uint32_t *b,
160 uint32_t *c, uint32_t *d,
161 const uint8_t sa[256], const uint8_t sb[256],
162 const uint8_t sc[256], const uint8_t sd[256])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]163{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]164 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
168 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
169 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
170 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
171 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
172 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
173 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
174 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
175 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
176 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
177 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
178 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
179 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]180}
181
182/*
183 * S-Boxes
184 */
185static const uint8_t aria_sb1[256] =
186{
187 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
188 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
189 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
190 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
191 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
192 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
193 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
194 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
195 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
196 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
197 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
198 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
199 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
200 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
201 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
202 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
203 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
204 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
205 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
206 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
207 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
208 0xB0, 0x54, 0xBB, 0x16
209};
210
211static const uint8_t aria_sb2[256] =
212{
213 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
214 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
215 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
216 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
217 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
218 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
219 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
220 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
221 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
222 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
223 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
224 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
225 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
226 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
227 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
228 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
229 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
230 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
231 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
232 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
233 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
234 0xAF, 0xBA, 0xB5, 0x81
235};
236
237static const uint8_t aria_is1[256] =
238{
239 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
240 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
241 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
242 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
243 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
244 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
245 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
246 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
247 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
248 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
249 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
250 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
251 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
252 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
253 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
254 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
256 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
258 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
259 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
260 0x55, 0x21, 0x0C, 0x7D
261};
262
263static const uint8_t aria_is2[256] =
264{
265 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
266 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
267 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
268 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
269 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
270 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
271 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
272 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
273 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
274 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
275 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
276 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
277 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
278 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
279 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
280 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
281 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
282 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
283 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
284 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
285 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
286 0x03, 0xA2, 0xAC, 0x60
287};
288
289/*
290 * Helper for key schedule: r = FO( p, k ) ^ x
291 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]292static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
293 const uint32_t k[4], const uint32_t x[4])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]294{
295 uint32_t a, b, c, d;
296
297 a = p[0] ^ k[0];
298 b = p[1] ^ k[1];
299 c = p[2] ^ k[2];
300 d = p[3] ^ k[3];
301
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]302 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
303 aria_a(&a, &b, &c, &d);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]304
305 r[0] = a ^ x[0];
306 r[1] = b ^ x[1];
307 r[2] = c ^ x[2];
308 r[3] = d ^ x[3];
309}
310
311/*
312 * Helper for key schedule: r = FE( p, k ) ^ x
313 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]314static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
315 const uint32_t k[4], const uint32_t x[4])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]316{
317 uint32_t a, b, c, d;
318
319 a = p[0] ^ k[0];
320 b = p[1] ^ k[1];
321 c = p[2] ^ k[2];
322 d = p[3] ^ k[3];
323
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]324 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
325 aria_a(&a, &b, &c, &d);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]326
327 r[0] = a ^ x[0];
328 r[1] = b ^ x[1];
329 r[2] = c ^ x[2];
330 r[3] = d ^ x[3];
331}
332
333/*
334 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
335 *
336 * We chose to store bytes into 32-bit words in little-endian format (see
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]337 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
338 * bytes here.
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]339 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]340static void aria_rot128(uint32_t r[4], const uint32_t a[4],
341 const uint32_t b[4], uint8_t n)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]342{
343 uint8_t i, j;
344 uint32_t t, u;
345
346 const uint8_t n1 = n % 32; // bit offset
347 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
348
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]349 j = (n / 32) % 4; // initial word offset
350 t = ARIA_P3(b[j]); // big endian
351 for (i = 0; i < 4; i++) {
352 j = (j + 1) % 4; // get next word, big endian
353 u = ARIA_P3(b[j]);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]354 t <<= n1; // rotate
355 t |= u >> n2;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]356 t = ARIA_P3(t); // back to little endian
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]357 r[i] = a[i] ^ t; // store
358 t = u; // move to next word
359 }
360}
361
362/*
363 * Set encryption key
364 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]365int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
366 const unsigned char *key, unsigned int keybits)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]367{
368 /* round constant masks */
369 const uint32_t rc[3][4] =
370 {
371 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
372 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
373 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
374 };
375
376 int i;
377 uint32_t w[4][4], *w2;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]378 ARIA_VALIDATE_RET(ctx != NULL);
379 ARIA_VALIDATE_RET(key != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]380
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]381 if (keybits != 128 && keybits != 192 && keybits != 256) {
382 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
383 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]384
385 /* Copy key to W0 (and potential remainder to W1) */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]386 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
387 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
388 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
389 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]390
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]391 memset(w[1], 0, 16);
392 if (keybits >= 192) {
393 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
394 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]395 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]396 if (keybits == 256) {
397 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
398 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]399 }
400
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]401 i = (keybits - 128) >> 6; // index: 0, 1, 2
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]402 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
403
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]404 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]405 i = i < 2 ? i + 1 : 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]406 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]407 i = i < 2 ? i + 1 : 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]408 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]409
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]410 for (i = 0; i < 4; i++) { // create round keys
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]411 w2 = w[(i + 1) & 3];
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]412 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
413 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
414 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
415 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]416 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]417 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]418
419 /* w holds enough info to reconstruct the round keys */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]420 mbedtls_platform_zeroize(w, sizeof(w));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]421
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]422 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]423}
424
425/*
426 * Set decryption key
427 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]428int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
429 const unsigned char *key, unsigned int keybits)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]430{
431 int i, j, k, ret;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]432 ARIA_VALIDATE_RET(ctx != NULL);
433 ARIA_VALIDATE_RET(key != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]434
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]435 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
436 if (ret != 0) {
437 return ret;
438 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]439
440 /* flip the order of round keys */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]441 for (i = 0, j = ctx->nr; i < j; i++, j--) {
442 for (k = 0; k < 4; k++) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]443 uint32_t t = ctx->rk[i][k];
444 ctx->rk[i][k] = ctx->rk[j][k];
445 ctx->rk[j][k] = t;
446 }
447 }
448
449 /* apply affine transform to middle keys */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]450 for (i = 1; i < ctx->nr; i++) {
451 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
452 &ctx->rk[i][2], &ctx->rk[i][3]);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]453 }
454
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]455 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]456}
457
458/*
459 * Encrypt a block
460 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]461int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
462 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
463 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]464{
465 int i;
466
467 uint32_t a, b, c, d;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]468 ARIA_VALIDATE_RET(ctx != NULL);
469 ARIA_VALIDATE_RET(input != NULL);
470 ARIA_VALIDATE_RET(output != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]471
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]472 a = MBEDTLS_GET_UINT32_LE(input, 0);
473 b = MBEDTLS_GET_UINT32_LE(input, 4);
474 c = MBEDTLS_GET_UINT32_LE(input, 8);
475 d = MBEDTLS_GET_UINT32_LE(input, 12);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]476
477 i = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]478 while (1) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
483 i++;
484
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]485 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
486 aria_a(&a, &b, &c, &d);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]487
488 a ^= ctx->rk[i][0];
489 b ^= ctx->rk[i][1];
490 c ^= ctx->rk[i][2];
491 d ^= ctx->rk[i][3];
492 i++;
493
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]494 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
495 if (i >= ctx->nr) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]496 break;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]497 }
498 aria_a(&a, &b, &c, &d);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]499 }
500
501 /* final key mixing */
502 a ^= ctx->rk[i][0];
503 b ^= ctx->rk[i][1];
504 c ^= ctx->rk[i][2];
505 d ^= ctx->rk[i][3];
506
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]507 MBEDTLS_PUT_UINT32_LE(a, output, 0);
508 MBEDTLS_PUT_UINT32_LE(b, output, 4);
509 MBEDTLS_PUT_UINT32_LE(c, output, 8);
510 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]511
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]512 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]513}
514
515/* Initialize context */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]516void mbedtls_aria_init(mbedtls_aria_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]517{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]518 ARIA_VALIDATE(ctx != NULL);
519 memset(ctx, 0, sizeof(mbedtls_aria_context));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]520}
521
522/* Clear context */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]523void mbedtls_aria_free(mbedtls_aria_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]524{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]525 if (ctx == NULL) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]526 return;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]527 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]528
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]529 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]530}
531
532#if defined(MBEDTLS_CIPHER_MODE_CBC)
533/*
534 * ARIA-CBC buffer encryption/decryption
535 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]536int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
537 int mode,
538 size_t length,
539 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
540 const unsigned char *input,
541 unsigned char *output)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]542{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]543 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
544
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]545 ARIA_VALIDATE_RET(ctx != NULL);
546 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
547 mode == MBEDTLS_ARIA_DECRYPT);
548 ARIA_VALIDATE_RET(length == 0 || input != NULL);
549 ARIA_VALIDATE_RET(length == 0 || output != NULL);
550 ARIA_VALIDATE_RET(iv != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]551
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]552 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
553 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
554 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]555
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]556 if (mode == MBEDTLS_ARIA_DECRYPT) {
557 while (length > 0) {
558 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
559 mbedtls_aria_crypt_ecb(ctx, input, output);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]560
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]561 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]562
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]563 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]564
565 input += MBEDTLS_ARIA_BLOCKSIZE;
566 output += MBEDTLS_ARIA_BLOCKSIZE;
567 length -= MBEDTLS_ARIA_BLOCKSIZE;
568 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]569 } else {
570 while (length > 0) {
571 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]572
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]573 mbedtls_aria_crypt_ecb(ctx, output, output);
574 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]575
576 input += MBEDTLS_ARIA_BLOCKSIZE;
577 output += MBEDTLS_ARIA_BLOCKSIZE;
578 length -= MBEDTLS_ARIA_BLOCKSIZE;
579 }
580 }
581
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]582 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]583}
584#endif /* MBEDTLS_CIPHER_MODE_CBC */
585
586#if defined(MBEDTLS_CIPHER_MODE_CFB)
587/*
588 * ARIA-CFB128 buffer encryption/decryption
589 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]590int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
591 int mode,
592 size_t length,
593 size_t *iv_off,
594 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
595 const unsigned char *input,
596 unsigned char *output)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]597{
598 unsigned char c;
599 size_t n;
600
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]601 ARIA_VALIDATE_RET(ctx != NULL);
602 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
603 mode == MBEDTLS_ARIA_DECRYPT);
604 ARIA_VALIDATE_RET(length == 0 || input != NULL);
605 ARIA_VALIDATE_RET(length == 0 || output != NULL);
606 ARIA_VALIDATE_RET(iv != NULL);
607 ARIA_VALIDATE_RET(iv_off != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]608
609 n = *iv_off;
610
611 /* An overly large value of n can lead to an unlimited
612 * buffer overflow. Therefore, guard against this
613 * outside of parameter validation. */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]614 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
615 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
616 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]617
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]618 if (mode == MBEDTLS_ARIA_DECRYPT) {
619 while (length--) {
620 if (n == 0) {
621 mbedtls_aria_crypt_ecb(ctx, iv, iv);
622 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]623
624 c = *input++;
625 *output++ = c ^ iv[n];
626 iv[n] = c;
627
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]628 n = (n + 1) & 0x0F;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]629 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]630 } else {
631 while (length--) {
632 if (n == 0) {
633 mbedtls_aria_crypt_ecb(ctx, iv, iv);
634 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]635
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]636 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]637
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]638 n = (n + 1) & 0x0F;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]639 }
640 }
641
642 *iv_off = n;
643
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]644 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]645}
646#endif /* MBEDTLS_CIPHER_MODE_CFB */
647
648#if defined(MBEDTLS_CIPHER_MODE_CTR)
649/*
650 * ARIA-CTR buffer encryption/decryption
651 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]652int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
653 size_t length,
654 size_t *nc_off,
655 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
656 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
657 const unsigned char *input,
658 unsigned char *output)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]659{
660 int c, i;
661 size_t n;
662
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]663 ARIA_VALIDATE_RET(ctx != NULL);
664 ARIA_VALIDATE_RET(length == 0 || input != NULL);
665 ARIA_VALIDATE_RET(length == 0 || output != NULL);
666 ARIA_VALIDATE_RET(nonce_counter != NULL);
667 ARIA_VALIDATE_RET(stream_block != NULL);
668 ARIA_VALIDATE_RET(nc_off != NULL);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]669
670 n = *nc_off;
671 /* An overly large value of n can lead to an unlimited
672 * buffer overflow. Therefore, guard against this
673 * outside of parameter validation. */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]674 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
675 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
676 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]677
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]678 while (length--) {
679 if (n == 0) {
680 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
681 stream_block);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]682
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]683 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
684 if (++nonce_counter[i - 1] != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]685 break;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]686 }
687 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]688 }
689 c = *input++;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]690 *output++ = (unsigned char) (c ^ stream_block[n]);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]691
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]692 n = (n + 1) & 0x0F;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]693 }
694
695 *nc_off = n;
696
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]697 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]698}
699#endif /* MBEDTLS_CIPHER_MODE_CTR */
700#endif /* !MBEDTLS_ARIA_ALT */
701
702#if defined(MBEDTLS_SELF_TEST)
703
704/*
705 * Basic ARIA ECB test vectors from RFC 5794
706 */
707static const uint8_t aria_test1_ecb_key[32] = // test key
708{
709 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
710 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
711 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
712 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
713};
714
715static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
716{
717 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
718 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
719};
720
721static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
722{
723 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
724 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
725 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
726 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
727 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
728 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
729};
730
731/*
732 * Mode tests from "Test Vectors for ARIA" Version 1.0
733 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
734 */
735#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
736 defined(MBEDTLS_CIPHER_MODE_CTR))
737static const uint8_t aria_test2_key[32] =
738{
739 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
740 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
741 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
742 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
743};
744
745static const uint8_t aria_test2_pt[48] =
746{
747 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
748 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
749 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
750 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
751 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
752 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
753};
754#endif
755
756#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
757static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
758{
759 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
760 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
761};
762#endif
763
764#if defined(MBEDTLS_CIPHER_MODE_CBC)
765static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
766{
767 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
768 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
769 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
770 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
771 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
772 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
773 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
774 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
775 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
776 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
777 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
778 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
779 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
780 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
781 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
782 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
783 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
784 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
785};
786#endif /* MBEDTLS_CIPHER_MODE_CBC */
787
788#if defined(MBEDTLS_CIPHER_MODE_CFB)
789static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
790{
791 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
792 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
793 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
794 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
795 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
796 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
797 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
798 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
799 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
800 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
801 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
802 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
803 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
804 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
805 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
806 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
807 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
808 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
809};
810#endif /* MBEDTLS_CIPHER_MODE_CFB */
811
812#if defined(MBEDTLS_CIPHER_MODE_CTR)
813static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
814{
815 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
816 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
817 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
818 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
819 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
820 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
821 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
822 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
823 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
824 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
825 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
826 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
827 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
828 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
829 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
830 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
831 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
832 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
833};
834#endif /* MBEDTLS_CIPHER_MODE_CFB */
835
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]836#define ARIA_SELF_TEST_ASSERT(cond) \
837 do { \
838 if (cond) { \
839 if (verbose) \
840 mbedtls_printf("failed\n"); \
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]841 goto exit; \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]842 } else { \
843 if (verbose) \
844 mbedtls_printf("passed\n"); \
845 } \
846 } while (0)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]847
848/*
849 * Checkup routine
850 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]851int mbedtls_aria_self_test(int verbose)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]852{
853 int i;
854 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
855 mbedtls_aria_context ctx;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]856 int ret = 1;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]857
858#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
859 size_t j;
860#endif
861
862#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]863 defined(MBEDTLS_CIPHER_MODE_CFB) || \
864 defined(MBEDTLS_CIPHER_MODE_CTR))
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]865 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
866#endif
867
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]868 mbedtls_aria_init(&ctx);
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]869
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]870 /*
871 * Test set 1
872 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]873 for (i = 0; i < 3; i++) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]874 /* test ECB encryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]875 if (verbose) {
876 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
877 }
878 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
879 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
880 ARIA_SELF_TEST_ASSERT(
881 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
882 != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]883
884 /* test ECB decryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]885 if (verbose) {
886 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
887 }
888 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
889 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
890 ARIA_SELF_TEST_ASSERT(
891 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
892 != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]893 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]894 if (verbose) {
895 mbedtls_printf("\n");
896 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]897
898 /*
899 * Test set 2
900 */
901#if defined(MBEDTLS_CIPHER_MODE_CBC)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]902 for (i = 0; i < 3; i++) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]903 /* Test CBC encryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]904 if (verbose) {
905 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
906 }
907 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
908 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909 memset(buf, 0x55, sizeof(buf));
910 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
911 aria_test2_pt, buf);
912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
913 != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]914
915 /* Test CBC decryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]916 if (verbose) {
917 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
918 }
919 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
920 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
921 memset(buf, 0xAA, sizeof(buf));
922 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
923 aria_test2_cbc_ct[i], buf);
924 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]925 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]926 if (verbose) {
927 mbedtls_printf("\n");
928 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]929
930#endif /* MBEDTLS_CIPHER_MODE_CBC */
931
932#if defined(MBEDTLS_CIPHER_MODE_CFB)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]933 for (i = 0; i < 3; i++) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]934 /* Test CFB encryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]935 if (verbose) {
936 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
937 }
938 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940 memset(buf, 0x55, sizeof(buf));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]941 j = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]942 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
943 aria_test2_pt, buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]945
946 /* Test CFB decryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]947 if (verbose) {
948 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
949 }
950 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
951 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
952 memset(buf, 0xAA, sizeof(buf));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]953 j = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]954 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
955 iv, aria_test2_cfb_ct[i], buf);
956 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]957 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]958 if (verbose) {
959 mbedtls_printf("\n");
960 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]961#endif /* MBEDTLS_CIPHER_MODE_CFB */
962
963#if defined(MBEDTLS_CIPHER_MODE_CTR)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]964 for (i = 0; i < 3; i++) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]965 /* Test CTR encryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]966 if (verbose) {
967 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
968 }
969 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
971 memset(buf, 0x55, sizeof(buf));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]972 j = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]973 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974 aria_test2_pt, buf);
975 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]976
977 /* Test CTR decryption */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]978 if (verbose) {
979 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
980 }
981 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
982 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
983 memset(buf, 0xAA, sizeof(buf));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]984 j = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]985 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
986 aria_test2_ctr_ct[i], buf);
987 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]988 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]989 if (verbose) {
990 mbedtls_printf("\n");
991 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]992#endif /* MBEDTLS_CIPHER_MODE_CTR */
993
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]994 ret = 0;
995
996exit:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]997 mbedtls_aria_free(&ctx);
998 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]999}
1000
1001#endif /* MBEDTLS_SELF_TEST */
1002
1003#endif /* MBEDTLS_ARIA_C */