blob: 07a434f8f37f87b3d4453f7f0674fda8776d6298 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +00001/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +00005 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +00006 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +01008/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +020014#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000015
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000022#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000023
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +020026#include "mbedtls/platform_util.h"
27
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050028/* Parameter validation macros */
Gilles Peskine449bd832023-01-11 14:50:10 +010029#define ARIA_VALIDATE_RET(cond) \
30 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31#define ARIA_VALIDATE(cond) \
32 MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050033
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +010034/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +010035 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010036 *
37 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +010038 *
39 * Common compilers fail to translate this to minimal number of instructions,
40 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010041 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010042#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +010043#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010044/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +010046 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +010047 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +010048static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010049{
50 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +010051 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010053}
54#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +010055#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +010056 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
57static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010058{
59 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +010060 __asm("rev16 r, x");
61 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010062}
63#define ARIA_P1 aria_p1
64#endif
65#endif /* arm */
66#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +010067 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +020068/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +010069#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +010070#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +010071#endif /* MBEDTLS_HAVE_ASM && GNUC */
72#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010073#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +010074#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000075
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010076/*
77 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78 *
79 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +010080 *
81 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +010082 */
83#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +000084
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +010085/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +010086 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87 *
88 * This is submatrix P3 in [1] Appendix B.1
89 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +000090#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +010091
92/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +010093 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +010094 * (a, b, c, d) = state in/out
95 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +020096 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +010097 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
98 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +010099 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100100 * rearrangements on adjacent pairs, output is:
101 *
102 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
103 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100104 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100105 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100106 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100107 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100108 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100109 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
110 *
111 * Note: another presentation of the A transform can be found as the first
112 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
113 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100114 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100115static inline void aria_a(uint32_t *a, uint32_t *b,
116 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100117{
118 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100119 ta = *b; // 4567
120 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100121 *a = ARIA_P2(ta); // 6745
122 tb = ARIA_P2(*d); // efcd
123 *d = ARIA_P1(*c); // 98ba
124 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100125 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100126 tc = ARIA_P2(*b); // 2301
127 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
128 tb ^= ARIA_P2(*d); // ba98+efcd
129 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100130 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100131 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
132 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
133 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
134 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
135 tc = ARIA_P2(tc); // 0123+5476
136 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000137}
138
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100139/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100140 * ARIA Substitution Layer SL1 / SL2
141 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100142 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100143 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100144 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
145 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100146 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100147static inline void aria_sl(uint32_t *a, uint32_t *b,
148 uint32_t *c, uint32_t *d,
149 const uint8_t sa[256], const uint8_t sb[256],
150 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100151{
Gilles Peskine449bd832023-01-11 14:50:10 +0100152 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
153 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
154 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
155 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
156 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
157 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
158 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
159 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
160 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
161 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
162 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
163 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
164 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000168}
169
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100170/*
171 * S-Boxes
172 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200173static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000174{
175 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
176 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
177 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
178 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
179 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
180 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
181 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
182 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
183 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
184 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
185 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
186 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
187 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
188 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
189 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
190 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
191 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
192 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
193 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
194 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
195 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
196 0xB0, 0x54, 0xBB, 0x16
197};
198
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200199static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000200{
201 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
202 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
203 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
204 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
205 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
206 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
207 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
208 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
209 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
210 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
211 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
212 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
213 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
214 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
215 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
216 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
217 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
218 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
219 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
220 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
221 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
222 0xAF, 0xBA, 0xB5, 0x81
223};
224
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200225static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000226{
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
228 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
229 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
230 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
232 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
233 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
234 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
236 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
237 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
238 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
239 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
240 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
241 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
242 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
243 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
244 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
245 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
246 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
248 0x55, 0x21, 0x0C, 0x7D
249};
250
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200251static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000252{
253 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
254 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
255 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
256 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
257 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
258 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
259 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
260 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
261 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
262 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
263 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
264 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
265 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
266 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
267 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
268 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
269 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
270 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
271 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
272 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
273 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
274 0x03, 0xA2, 0xAC, 0x60
275};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000276
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100277/*
278 * Helper for key schedule: r = FO( p, k ) ^ x
279 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100280static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
281 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000282{
283 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000284
285 a = p[0] ^ k[0];
286 b = p[1] ^ k[1];
287 c = p[2] ^ k[2];
288 d = p[3] ^ k[3];
289
Gilles Peskine449bd832023-01-11 14:50:10 +0100290 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
291 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000292
293 r[0] = a ^ x[0];
294 r[1] = b ^ x[1];
295 r[2] = c ^ x[2];
296 r[3] = d ^ x[3];
297}
298
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100299/*
300 * Helper for key schedule: r = FE( p, k ) ^ x
301 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100302static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
303 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000304{
305 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000306
307 a = p[0] ^ k[0];
308 b = p[1] ^ k[1];
309 c = p[2] ^ k[2];
310 d = p[3] ^ k[3];
311
Gilles Peskine449bd832023-01-11 14:50:10 +0100312 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
313 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000314
315 r[0] = a ^ x[0];
316 r[1] = b ^ x[1];
317 r[2] = c ^ x[2];
318 r[3] = d ^ x[3];
319}
320
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100321/*
322 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
323 *
324 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100325 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
326 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100327 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100328static void aria_rot128(uint32_t r[4], const uint32_t a[4],
329 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000330{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100331 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000332 uint32_t t, u;
333
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100334 const uint8_t n1 = n % 32; // bit offset
335 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100336
Gilles Peskine449bd832023-01-11 14:50:10 +0100337 j = (n / 32) % 4; // initial word offset
338 t = ARIA_P3(b[j]); // big endian
339 for (i = 0; i < 4; i++) {
340 j = (j + 1) % 4; // get next word, big endian
341 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000342 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100343 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100344 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000345 r[i] = a[i] ^ t; // store
346 t = u; // move to next word
347 }
348}
349
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100350/*
351 * Set encryption key
352 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100353int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
354 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000355{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100356 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000357 const uint32_t rc[3][4] =
358 {
359 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
360 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
361 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
362 };
363
364 int i;
365 uint32_t w[4][4], *w2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100366 ARIA_VALIDATE_RET(ctx != NULL);
367 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000368
Gilles Peskine449bd832023-01-11 14:50:10 +0100369 if (keybits != 128 && keybits != 192 && keybits != 256) {
370 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
371 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000372
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100373 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100374 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
375 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
376 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
377 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000378
Gilles Peskine449bd832023-01-11 14:50:10 +0100379 memset(w[1], 0, 16);
380 if (keybits >= 192) {
381 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
382 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000383 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100384 if (keybits == 256) {
385 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
386 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000387 }
388
Gilles Peskine449bd832023-01-11 14:50:10 +0100389 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000390 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
391
Gilles Peskine449bd832023-01-11 14:50:10 +0100392 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000393 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100394 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000395 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100396 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000397
Gilles Peskine449bd832023-01-11 14:50:10 +0100398 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000399 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100400 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
401 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
402 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
403 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000404 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100405 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000406
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200407 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100408 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200409
Gilles Peskine449bd832023-01-11 14:50:10 +0100410 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000411}
412
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100413/*
414 * Set decryption key
415 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100416int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
417 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000418{
419 int i, j, k, ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100420 ARIA_VALIDATE_RET(ctx != NULL);
421 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000422
Gilles Peskine449bd832023-01-11 14:50:10 +0100423 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
424 if (ret != 0) {
425 return ret;
426 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000427
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100428 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100429 for (i = 0, j = ctx->nr; i < j; i++, j--) {
430 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100431 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000432 ctx->rk[i][k] = ctx->rk[j][k];
433 ctx->rk[j][k] = t;
434 }
435 }
436
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100437 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100438 for (i = 1; i < ctx->nr; i++) {
439 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
440 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100441 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000442
Gilles Peskine449bd832023-01-11 14:50:10 +0100443 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000444}
445
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100446/*
447 * Encrypt a block
448 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100449int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
450 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
451 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000452{
453 int i;
454
455 uint32_t a, b, c, d;
Gilles Peskine449bd832023-01-11 14:50:10 +0100456 ARIA_VALIDATE_RET(ctx != NULL);
457 ARIA_VALIDATE_RET(input != NULL);
458 ARIA_VALIDATE_RET(output != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000459
Gilles Peskine449bd832023-01-11 14:50:10 +0100460 a = MBEDTLS_GET_UINT32_LE(input, 0);
461 b = MBEDTLS_GET_UINT32_LE(input, 4);
462 c = MBEDTLS_GET_UINT32_LE(input, 8);
463 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000464
465 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100466 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000467 a ^= ctx->rk[i][0];
468 b ^= ctx->rk[i][1];
469 c ^= ctx->rk[i][2];
470 d ^= ctx->rk[i][3];
471 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100472
Gilles Peskine449bd832023-01-11 14:50:10 +0100473 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
474 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000475
476 a ^= ctx->rk[i][0];
477 b ^= ctx->rk[i][1];
478 c ^= ctx->rk[i][2];
479 d ^= ctx->rk[i][3];
480 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100481
Gilles Peskine449bd832023-01-11 14:50:10 +0100482 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
483 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000484 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100485 }
486 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000487 }
488
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100489 /* final key mixing */
490 a ^= ctx->rk[i][0];
491 b ^= ctx->rk[i][1];
492 c ^= ctx->rk[i][2];
493 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000494
Gilles Peskine449bd832023-01-11 14:50:10 +0100495 MBEDTLS_PUT_UINT32_LE(a, output, 0);
496 MBEDTLS_PUT_UINT32_LE(b, output, 4);
497 MBEDTLS_PUT_UINT32_LE(c, output, 8);
498 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000499
Gilles Peskine449bd832023-01-11 14:50:10 +0100500 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000501}
502
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100503/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100504void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000505{
Gilles Peskine449bd832023-01-11 14:50:10 +0100506 ARIA_VALIDATE(ctx != NULL);
507 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000508}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000509
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100510/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100511void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000512{
Gilles Peskine449bd832023-01-11 14:50:10 +0100513 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000514 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100515 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000516
Gilles Peskine449bd832023-01-11 14:50:10 +0100517 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000518}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000519
520#if defined(MBEDTLS_CIPHER_MODE_CBC)
521/*
522 * ARIA-CBC buffer encryption/decryption
523 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100524int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
525 int mode,
526 size_t length,
527 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
528 const unsigned char *input,
529 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000530{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100531 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000532
Gilles Peskine449bd832023-01-11 14:50:10 +0100533 ARIA_VALIDATE_RET(ctx != NULL);
534 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
535 mode == MBEDTLS_ARIA_DECRYPT);
536 ARIA_VALIDATE_RET(length == 0 || input != NULL);
537 ARIA_VALIDATE_RET(length == 0 || output != NULL);
538 ARIA_VALIDATE_RET(iv != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500539
Gilles Peskine449bd832023-01-11 14:50:10 +0100540 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
541 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
542 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000543
Gilles Peskine449bd832023-01-11 14:50:10 +0100544 if (mode == MBEDTLS_ARIA_DECRYPT) {
545 while (length > 0) {
546 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
547 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000548
Gilles Peskine449bd832023-01-11 14:50:10 +0100549 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000550
Gilles Peskine449bd832023-01-11 14:50:10 +0100551 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000552
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100553 input += MBEDTLS_ARIA_BLOCKSIZE;
554 output += MBEDTLS_ARIA_BLOCKSIZE;
555 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000556 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100557 } else {
558 while (length > 0) {
559 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000560
Gilles Peskine449bd832023-01-11 14:50:10 +0100561 mbedtls_aria_crypt_ecb(ctx, output, output);
562 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000563
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100564 input += MBEDTLS_ARIA_BLOCKSIZE;
565 output += MBEDTLS_ARIA_BLOCKSIZE;
566 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000567 }
568 }
569
Gilles Peskine449bd832023-01-11 14:50:10 +0100570 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000571}
572#endif /* MBEDTLS_CIPHER_MODE_CBC */
573
574#if defined(MBEDTLS_CIPHER_MODE_CFB)
575/*
576 * ARIA-CFB128 buffer encryption/decryption
577 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100578int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
579 int mode,
580 size_t length,
581 size_t *iv_off,
582 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
583 const unsigned char *input,
584 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000585{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200586 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500587 size_t n;
588
Gilles Peskine449bd832023-01-11 14:50:10 +0100589 ARIA_VALIDATE_RET(ctx != NULL);
590 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
591 mode == MBEDTLS_ARIA_DECRYPT);
592 ARIA_VALIDATE_RET(length == 0 || input != NULL);
593 ARIA_VALIDATE_RET(length == 0 || output != NULL);
594 ARIA_VALIDATE_RET(iv != NULL);
595 ARIA_VALIDATE_RET(iv_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500596
597 n = *iv_off;
598
599 /* An overly large value of n can lead to an unlimited
600 * buffer overflow. Therefore, guard against this
601 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100602 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
603 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
604 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000605
Gilles Peskine449bd832023-01-11 14:50:10 +0100606 if (mode == MBEDTLS_ARIA_DECRYPT) {
607 while (length--) {
608 if (n == 0) {
609 mbedtls_aria_crypt_ecb(ctx, iv, iv);
610 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000611
612 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200613 *output++ = c ^ iv[n];
614 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000615
Gilles Peskine449bd832023-01-11 14:50:10 +0100616 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000617 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100618 } else {
619 while (length--) {
620 if (n == 0) {
621 mbedtls_aria_crypt_ecb(ctx, iv, iv);
622 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000623
Gilles Peskine449bd832023-01-11 14:50:10 +0100624 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000625
Gilles Peskine449bd832023-01-11 14:50:10 +0100626 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000627 }
628 }
629
630 *iv_off = n;
631
Gilles Peskine449bd832023-01-11 14:50:10 +0100632 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000633}
634#endif /* MBEDTLS_CIPHER_MODE_CFB */
635
636#if defined(MBEDTLS_CIPHER_MODE_CTR)
637/*
638 * ARIA-CTR buffer encryption/decryption
639 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100640int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
641 size_t length,
642 size_t *nc_off,
643 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
644 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
645 const unsigned char *input,
646 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000647{
648 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500649 size_t n;
650
Gilles Peskine449bd832023-01-11 14:50:10 +0100651 ARIA_VALIDATE_RET(ctx != NULL);
652 ARIA_VALIDATE_RET(length == 0 || input != NULL);
653 ARIA_VALIDATE_RET(length == 0 || output != NULL);
654 ARIA_VALIDATE_RET(nonce_counter != NULL);
655 ARIA_VALIDATE_RET(stream_block != NULL);
656 ARIA_VALIDATE_RET(nc_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500657
658 n = *nc_off;
659 /* An overly large value of n can lead to an unlimited
660 * buffer overflow. Therefore, guard against this
661 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100662 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
663 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
664 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000665
Gilles Peskine449bd832023-01-11 14:50:10 +0100666 while (length--) {
667 if (n == 0) {
668 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
669 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000670
Gilles Peskine449bd832023-01-11 14:50:10 +0100671 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
672 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000673 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100674 }
675 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000676 }
677 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100678 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000679
Gilles Peskine449bd832023-01-11 14:50:10 +0100680 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000681 }
682
683 *nc_off = n;
684
Gilles Peskine449bd832023-01-11 14:50:10 +0100685 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000686}
687#endif /* MBEDTLS_CIPHER_MODE_CTR */
688#endif /* !MBEDTLS_ARIA_ALT */
689
690#if defined(MBEDTLS_SELF_TEST)
691
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100692/*
693 * Basic ARIA ECB test vectors from RFC 5794
694 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000695static const uint8_t aria_test1_ecb_key[32] = // test key
696{
697 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
698 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
699 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
700 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
701};
702
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100703static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000704{
705 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
706 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
707};
708
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100709static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000710{
711 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
712 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
713 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
714 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
715 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
716 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
717};
718
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100719/*
720 * Mode tests from "Test Vectors for ARIA" Version 1.0
721 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
722 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000723#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000724 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000725static const uint8_t aria_test2_key[32] =
726{
727 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
728 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
729 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
730 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
731};
732
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000733static const uint8_t aria_test2_pt[48] =
734{
735 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
736 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
737 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
738 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
739 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
740 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
741};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000742#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000743
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000744#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100745static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000746{
747 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
748 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
749};
750#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000751
752#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100753static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000754{
755 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
756 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
757 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
758 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
759 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
760 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
761 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
762 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
763 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
764 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
765 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
766 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
767 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
768 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
769 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
770 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
771 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
772 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
773};
774#endif /* MBEDTLS_CIPHER_MODE_CBC */
775
776#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100777static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000778{
779 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
780 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
781 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
782 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
783 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
784 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
785 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
786 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
787 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
788 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
789 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
790 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
791 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
792 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
793 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
794 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
795 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
796 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
797};
798#endif /* MBEDTLS_CIPHER_MODE_CFB */
799
800#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100801static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000802{
803 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
804 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
805 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
806 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
807 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
808 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
809 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
810 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
811 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
812 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
813 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
814 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
815 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
816 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
817 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
818 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
819 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
820 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
821};
822#endif /* MBEDTLS_CIPHER_MODE_CFB */
823
Gilles Peskine449bd832023-01-11 14:50:10 +0100824#define ARIA_SELF_TEST_ASSERT(cond) \
825 do { \
826 if (cond) { \
827 if (verbose) \
828 mbedtls_printf("failed\n"); \
829 goto exit; \
830 } else { \
831 if (verbose) \
832 mbedtls_printf("passed\n"); \
833 } \
834 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000835
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100836/*
837 * Checkup routine
838 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100839int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000840{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000841 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100842 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000843 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200844 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000845
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000846#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
847 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000848#endif
849
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000850#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100851 defined(MBEDTLS_CIPHER_MODE_CFB) || \
852 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100853 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000854#endif
855
Gilles Peskine449bd832023-01-11 14:50:10 +0100856 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200857
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100858 /*
859 * Test set 1
860 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100861 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100862 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100863 if (verbose) {
864 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
865 }
866 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
867 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100868 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100869 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
870 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000871
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100872 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100873 if (verbose) {
874 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
875 }
876 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
877 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100878 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100879 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
880 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000881 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100882 if (verbose) {
883 mbedtls_printf("\n");
884 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000885
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100886 /*
887 * Test set 2
888 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000889#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100890 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100891 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100892 if (verbose) {
893 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
894 }
895 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
896 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
897 memset(buf, 0x55, sizeof(buf));
898 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
899 aria_test2_pt, buf);
900 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
901 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000902
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100903 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100904 if (verbose) {
905 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
906 }
907 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
908 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909 memset(buf, 0xAA, sizeof(buf));
910 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
911 aria_test2_cbc_ct[i], buf);
912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000913 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100914 if (verbose) {
915 mbedtls_printf("\n");
916 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000917
918#endif /* MBEDTLS_CIPHER_MODE_CBC */
919
920#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100921 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100922 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100923 if (verbose) {
924 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
925 }
926 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
927 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
928 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000929 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100930 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
931 aria_test2_pt, buf);
932 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000933
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100934 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100935 if (verbose) {
936 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
937 }
938 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000941 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100942 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
943 iv, aria_test2_cfb_ct[i], buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000945 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100946 if (verbose) {
947 mbedtls_printf("\n");
948 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000949#endif /* MBEDTLS_CIPHER_MODE_CFB */
950
951#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100952 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100953 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100954 if (verbose) {
955 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
956 }
957 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
958 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
959 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000960 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100961 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
962 aria_test2_pt, buf);
963 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000964
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100965 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100966 if (verbose) {
967 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
968 }
969 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
971 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000972 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100973 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974 aria_test2_ctr_ct[i], buf);
975 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000976 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100977 if (verbose) {
978 mbedtls_printf("\n");
979 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000980#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000981
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200982 ret = 0;
983
984exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100985 mbedtls_aria_free(&ctx);
986 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000987}
988
989#endif /* MBEDTLS_SELF_TEST */
990
991#endif /* MBEDTLS_ARIA_C */