TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / c83e56cc451898ceec91cb63273d2bc5db6fb79a / . / tf-psa-crypto / drivers / builtin / src / aria.c
blob: f1958ee7db1f7a09ff42573a4466b92007545405 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]24#include "mbedtls/platform_util.h"
25
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]26/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]27 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]28 *
29 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]30 *
31 * Common compilers fail to translate this to minimal number of instructions,
32 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]33 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]34#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]35#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]36/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
37#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]38 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]39 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]40static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]41{
42 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]43 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
44 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]45}
46#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]47#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
49static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]50{
51 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 __asm("rev16 r, x");
53 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]54}
55#define ARIA_P1 aria_p1
56#endif
57#endif /* arm */
58#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]59 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]60/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]62#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]63#endif /* MBEDTLS_HAVE_ASM && GNUC */
64#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]65#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]66#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]67
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]68/*
69 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
70 *
71 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]72 *
73 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]74 */
75#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]76
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]77/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]78 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
79 *
80 * This is submatrix P3 in [1] Appendix B.1
81 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]82#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]83
84/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]85 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]86 * (a, b, c, d) = state in/out
87 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]88 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]89 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
90 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]91 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]92 * rearrangements on adjacent pairs, output is:
93 *
94 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
95 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]96 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]97 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]98 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]99 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]100 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]101 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
102 *
103 * Note: another presentation of the A transform can be found as the first
104 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
105 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]106 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107static inline void aria_a(uint32_t *a, uint32_t *b,
108 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]109{
110 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]111 ta = *b; // 4567
112 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]113 *a = ARIA_P2(ta); // 6745
114 tb = ARIA_P2(*d); // efcd
115 *d = ARIA_P1(*c); // 98ba
116 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]117 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 tc = ARIA_P2(*b); // 2301
119 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
120 tb ^= ARIA_P2(*d); // ba98+efcd
121 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]122 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]123 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
124 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
125 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
126 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
127 tc = ARIA_P2(tc); // 0123+5476
128 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]129}
130
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]131/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]132 * ARIA Substitution Layer SL1 / SL2
133 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]134 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]135 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]136 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
137 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]138 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]139static inline void aria_sl(uint32_t *a, uint32_t *b,
140 uint32_t *c, uint32_t *d,
141 const uint8_t sa[256], const uint8_t sb[256],
142 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]143{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]144 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
145 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
146 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
147 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
148 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
149 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
150 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
151 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
152 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
153 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
154 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
155 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
156 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
157 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
158 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
159 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]160}
161
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]162/*
163 * S-Boxes
164 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]165static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]166{
167 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
168 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
169 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
170 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
171 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
172 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
173 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
174 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
175 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
176 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
177 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
178 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
179 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
180 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
181 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
182 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
183 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
184 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
185 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
186 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
187 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
188 0xB0, 0x54, 0xBB, 0x16
189};
190
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]191static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]192{
193 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
194 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
195 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
196 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
197 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
198 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
199 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
200 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
201 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
202 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
203 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
204 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
205 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
206 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
207 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
208 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
209 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
210 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
211 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
212 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
213 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
214 0xAF, 0xBA, 0xB5, 0x81
215};
216
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]217static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]218{
219 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
220 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
221 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
222 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
224 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
225 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
226 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
227 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
228 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
229 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
230 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
231 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
232 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
233 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
234 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
235 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
236 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
237 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
238 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
239 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
240 0x55, 0x21, 0x0C, 0x7D
241};
242
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]243static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]244{
245 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
246 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
247 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
248 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
249 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
250 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
251 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
252 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
253 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
254 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
255 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
256 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
257 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
258 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
259 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
260 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
261 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
262 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
263 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
264 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
265 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
266 0x03, 0xA2, 0xAC, 0x60
267};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]268
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]269/*
270 * Helper for key schedule: r = FO( p, k ) ^ x
271 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]272static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
273 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]274{
275 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276
277 a = p[0] ^ k[0];
278 b = p[1] ^ k[1];
279 c = p[2] ^ k[2];
280 d = p[3] ^ k[3];
281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
283 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]284
285 r[0] = a ^ x[0];
286 r[1] = b ^ x[1];
287 r[2] = c ^ x[2];
288 r[3] = d ^ x[3];
289}
290
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]291/*
292 * Helper for key schedule: r = FE( p, k ) ^ x
293 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
295 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]296{
297 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]298
299 a = p[0] ^ k[0];
300 b = p[1] ^ k[1];
301 c = p[2] ^ k[2];
302 d = p[3] ^ k[3];
303
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]304 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
305 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]306
307 r[0] = a ^ x[0];
308 r[1] = b ^ x[1];
309 r[2] = c ^ x[2];
310 r[3] = d ^ x[3];
311}
312
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]313/*
314 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
315 *
316 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]317 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
318 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]319 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]320static void aria_rot128(uint32_t r[4], const uint32_t a[4],
321 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]322{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]323 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]324 uint32_t t, u;
325
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]326 const uint8_t n1 = n % 32; // bit offset
327 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 j = (n / 32) % 4; // initial word offset
330 t = ARIA_P3(b[j]); // big endian
331 for (i = 0; i < 4; i++) {
332 j = (j + 1) % 4; // get next word, big endian
333 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]334 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]335 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]336 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]337 r[i] = a[i] ^ t; // store
338 t = u; // move to next word
339 }
340}
341
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]342/*
343 * Set encryption key
344 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
346 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]347{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]348 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]349 const uint32_t rc[3][4] =
350 {
351 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
352 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
353 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
354 };
355
356 int i;
357 uint32_t w[4][4], *w2;
358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 if (keybits != 128 && keybits != 192 && keybits != 256) {
360 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
361 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]362
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]363 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]364 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
365 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
366 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
367 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]369 memset(w[1], 0, 16);
370 if (keybits >= 192) {
371 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
372 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]373 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]374 if (keybits == 256) {
375 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
376 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]377 }
378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]380 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]382 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]383 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]385 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]389 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
391 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
392 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
393 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]394 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]397 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]398 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]401}
402
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]403/*
404 * Set decryption key
405 */
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]406#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]407int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
408 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]409{
410 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
413 if (ret != 0) {
414 return ret;
415 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]416
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]417 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418 for (i = 0, j = ctx->nr; i < j; i++, j--) {
419 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]420 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]421 ctx->rk[i][k] = ctx->rk[j][k];
422 ctx->rk[j][k] = t;
423 }
424 }
425
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]426 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]427 for (i = 1; i < ctx->nr; i++) {
428 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
429 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]430 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]431
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433}
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]434#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]436/*
437 * Encrypt a block
438 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
440 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
441 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]442{
443 int i;
444
445 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447 a = MBEDTLS_GET_UINT32_LE(input, 0);
448 b = MBEDTLS_GET_UINT32_LE(input, 4);
449 c = MBEDTLS_GET_UINT32_LE(input, 8);
450 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]451
452 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]453 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]454 a ^= ctx->rk[i][0];
455 b ^= ctx->rk[i][1];
456 c ^= ctx->rk[i][2];
457 d ^= ctx->rk[i][3];
458 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
461 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]462
463 a ^= ctx->rk[i][0];
464 b ^= ctx->rk[i][1];
465 c ^= ctx->rk[i][2];
466 d ^= ctx->rk[i][3];
467 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]468
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]469 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
470 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]471 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]472 }
473 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]474 }
475
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]476 /* final key mixing */
477 a ^= ctx->rk[i][0];
478 b ^= ctx->rk[i][1];
479 c ^= ctx->rk[i][2];
480 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]481
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]482 MBEDTLS_PUT_UINT32_LE(a, output, 0);
483 MBEDTLS_PUT_UINT32_LE(b, output, 4);
484 MBEDTLS_PUT_UINT32_LE(c, output, 8);
485 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]488}
489
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]490/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]491void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]492{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]493 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]494}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]495
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]496/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]497void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]498{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]500 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]502
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]504}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]505
506#if defined(MBEDTLS_CIPHER_MODE_CBC)
507/*
508 * ARIA-CBC buffer encryption/decryption
509 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]510int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
511 int mode,
512 size_t length,
513 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
514 const unsigned char *input,
515 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]516{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]517 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame]518
519 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
520 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
521 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]523 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
524 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
525 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if (mode == MBEDTLS_ARIA_DECRYPT) {
528 while (length > 0) {
529 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
530 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]532 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]535
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]536 input += MBEDTLS_ARIA_BLOCKSIZE;
537 output += MBEDTLS_ARIA_BLOCKSIZE;
538 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]539 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]540 } else {
541 while (length > 0) {
542 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]543
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]544 mbedtls_aria_crypt_ecb(ctx, output, output);
545 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]546
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]547 input += MBEDTLS_ARIA_BLOCKSIZE;
548 output += MBEDTLS_ARIA_BLOCKSIZE;
549 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]550 }
551 }
552
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]553 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]554}
555#endif /* MBEDTLS_CIPHER_MODE_CBC */
556
557#if defined(MBEDTLS_CIPHER_MODE_CFB)
558/*
559 * ARIA-CFB128 buffer encryption/decryption
560 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]561int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
562 int mode,
563 size_t length,
564 size_t *iv_off,
565 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
566 const unsigned char *input,
567 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]568{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]569 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]570 size_t n;
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame]571
572 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
573 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
574 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]575
576 n = *iv_off;
577
578 /* An overly large value of n can lead to an unlimited
Valerio Setti779a1a52024-01-30 11:40:24 +0100[diff] [blame]579 * buffer overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
581 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
582 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 if (mode == MBEDTLS_ARIA_DECRYPT) {
585 while (length--) {
586 if (n == 0) {
587 mbedtls_aria_crypt_ecb(ctx, iv, iv);
588 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]589
590 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]591 *output++ = c ^ iv[n];
592 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]595 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 } else {
597 while (length--) {
598 if (n == 0) {
599 mbedtls_aria_crypt_ecb(ctx, iv, iv);
600 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]603
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]605 }
606 }
607
608 *iv_off = n;
609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]611}
612#endif /* MBEDTLS_CIPHER_MODE_CFB */
613
614#if defined(MBEDTLS_CIPHER_MODE_CTR)
615/*
616 * ARIA-CTR buffer encryption/decryption
617 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
619 size_t length,
620 size_t *nc_off,
621 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
622 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
623 const unsigned char *input,
624 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]625{
626 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]627 size_t n;
628
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]629 n = *nc_off;
630 /* An overly large value of n can lead to an unlimited
Valerio Setti779a1a52024-01-30 11:40:24 +0100[diff] [blame]631 * buffer overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
633 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
634 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 while (length--) {
637 if (n == 0) {
638 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
639 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]641 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
642 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]643 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]644 }
645 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]646 }
647 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]649
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]651 }
652
653 *nc_off = n;
654
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]655 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]656}
657#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]658
659#if defined(MBEDTLS_SELF_TEST)
660
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]661/*
662 * Basic ARIA ECB test vectors from RFC 5794
663 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]664static const uint8_t aria_test1_ecb_key[32] = // test key
665{
666 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
667 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
668 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
669 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
670};
671
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]672static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]673{
674 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
675 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
676};
677
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]678static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]679{
680 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
681 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
682 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
683 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
684 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
685 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
686};
687
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]688/*
689 * Mode tests from "Test Vectors for ARIA" Version 1.0
690 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
691 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]692#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]693 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]694static const uint8_t aria_test2_key[32] =
695{
696 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
697 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
698 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
699 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
700};
701
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]702static const uint8_t aria_test2_pt[48] =
703{
704 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
705 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
706 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
707 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
708 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
709 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
710};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]711#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]712
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]713#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]714static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]715{
716 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
717 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
718};
719#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]720
721#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]722static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]723{
724 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
725 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
726 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
727 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
728 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
729 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
730 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
731 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
732 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
733 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
734 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
735 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
736 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
737 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
738 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
739 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
740 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
741 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
742};
743#endif /* MBEDTLS_CIPHER_MODE_CBC */
744
745#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]746static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]747{
748 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
749 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
750 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
751 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
752 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
753 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
754 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
755 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
756 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
757 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
758 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
759 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
760 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
761 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
762 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
763 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
764 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
765 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
766};
767#endif /* MBEDTLS_CIPHER_MODE_CFB */
768
769#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]770static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]771{
772 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
773 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
774 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
775 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
776 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
777 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
778 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
779 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
780 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
781 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
782 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
783 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
784 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
785 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
786 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
787 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
788 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
789 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
790};
791#endif /* MBEDTLS_CIPHER_MODE_CFB */
792
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793#define ARIA_SELF_TEST_ASSERT(cond) \
794 do { \
795 if (cond) { \
796 if (verbose) \
797 mbedtls_printf("failed\n"); \
798 goto exit; \
799 } else { \
800 if (verbose) \
801 mbedtls_printf("passed\n"); \
802 } \
803 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]804
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]805/*
806 * Checkup routine
807 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]808int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]809{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]810 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]811 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]812 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]813 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]814
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]815#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
816 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]817#endif
818
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]819#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]820 defined(MBEDTLS_CIPHER_MODE_CFB) || \
821 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]822 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]823#endif
824
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]825 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]826
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]827 /*
828 * Test set 1
829 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]830 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]831 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]832 if (verbose) {
833 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
834 }
835 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
836 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]837 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]838 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
839 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]840
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]841 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]842 if (verbose) {
843 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]844#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]845 mbedtls_printf("skipped\n");
846#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]848
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]849#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]850 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
851 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]852 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]853 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
854 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]855#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]856 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]857 if (verbose) {
858 mbedtls_printf("\n");
859 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]860
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]861 /*
862 * Test set 2
863 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]864#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]865 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]866 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]867 if (verbose) {
868 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
869 }
870 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
871 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
872 memset(buf, 0x55, sizeof(buf));
873 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
874 aria_test2_pt, buf);
875 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
876 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]877
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]878 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 if (verbose) {
880 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
881 }
882 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
883 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
884 memset(buf, 0xAA, sizeof(buf));
885 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
886 aria_test2_cbc_ct[i], buf);
887 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]888 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]889 if (verbose) {
890 mbedtls_printf("\n");
891 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]892
893#endif /* MBEDTLS_CIPHER_MODE_CBC */
894
895#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]896 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]897 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 if (verbose) {
899 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
900 }
901 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
902 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
903 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]904 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]905 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
906 aria_test2_pt, buf);
907 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]908
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]909 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]910 if (verbose) {
911 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
912 }
913 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
914 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
915 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]916 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
918 iv, aria_test2_cfb_ct[i], buf);
919 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]920 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]921 if (verbose) {
922 mbedtls_printf("\n");
923 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]924#endif /* MBEDTLS_CIPHER_MODE_CFB */
925
926#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]927 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]928 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 if (verbose) {
930 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
931 }
932 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
933 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
934 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]935 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]936 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
937 aria_test2_pt, buf);
938 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]939
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]940 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]941 if (verbose) {
942 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
943 }
944 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
945 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
946 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]947 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]948 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
949 aria_test2_ctr_ct[i], buf);
950 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]951 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]952 if (verbose) {
953 mbedtls_printf("\n");
954 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]955#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]956
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]957 ret = 0;
958
959exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]960 mbedtls_aria_free(&ctx);
961 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]962}
963
964#endif /* MBEDTLS_SELF_TEST */
965
966#endif /* MBEDTLS_ARIA_C */