TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2d0f27d0fcbc0f95bf7b7ed8810db178ab32a02b / . / library / aria.c
blob: 517e10a77f00b04cacb6eafb32792a1d7bf1635b [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
30#include "mbedtls/aria.h"
31
32#include <string.h>
33
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]34#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]35
36#if !defined(MBEDTLS_ARIA_ALT)
37
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]38#include "mbedtls/platform_util.h"
39
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]40/* Parameter validation macros */
41#define ARIA_VALIDATE_RET( cond ) \
42 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
43#define ARIA_VALIDATE( cond ) \
44 MBEDTLS_INTERNAL_VALIDATE( cond )
45
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]46/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]48 *
49 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]50 *
51 * Common compilers fail to translate this to minimal number of instructions,
52 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]53 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]54#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]55#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]58 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
59 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]60static inline uint32_t aria_p1( uint32_t x )
61{
62 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]63 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]64 return( r );
65}
66#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]67#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
68 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]69static inline uint32_t aria_p1( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]70{
71 uint32_t r;
72 __asm( "rev16 r, x" );
73 return( r );
74}
75#define ARIA_P1 aria_p1
76#endif
77#endif /* arm */
78#if defined(__GNUC__) && \
79 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]80/* I couldn't find an Intel equivalent of rev16, so two instructions */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]81#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]82#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]83#endif /* MBEDTLS_HAVE_ASM && GNUC */
84#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]86#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]87
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]88/*
89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90 *
91 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]92 *
93 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]94 */
95#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]96
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]97/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99 *
100 * This is submatrix P3 in [1] Appendix B.1
101 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame^]102#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]103
104/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]105 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]106 * (a, b, c, d) = state in/out
107 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]108 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]109 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
110 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]111 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]112 * rearrangements on adjacent pairs, output is:
113 *
114 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
115 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]116 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]117 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]118 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]120 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]121 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
122 *
123 * Note: another presentation of the A transform can be found as the first
124 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
125 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]126 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]127static inline void aria_a( uint32_t *a, uint32_t *b,
128 uint32_t *c, uint32_t *d )
129{
130 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]131 ta = *b; // 4567
132 *b = *a; // 0123
133 *a = ARIA_P2( ta ); // 6745
134 tb = ARIA_P2( *d ); // efcd
135 *d = ARIA_P1( *c ); // 98ba
136 *c = ARIA_P1( tb ); // fedc
137 ta ^= *d; // 4567+98ba
138 tc = ARIA_P2( *b ); // 2301
139 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
140 tb ^= ARIA_P2( *d ); // ba98+efcd
141 tc ^= ARIA_P1( *a ); // 2301+7654
142 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
143 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
144 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
145 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
146 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
147 tc = ARIA_P2( tc ); // 0123+5476
148 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]149}
150
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]151/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]152 * ARIA Substitution Layer SL1 / SL2
153 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]154 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]155 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]156 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
157 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]158 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]159static inline void aria_sl( uint32_t *a, uint32_t *b,
160 uint32_t *c, uint32_t *d,
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]161 const uint8_t sa[256], const uint8_t sb[256],
162 const uint8_t sc[256], const uint8_t sd[256] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]163{
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]164 *a = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *a ) ] ) ^
165 (((uint32_t) sb[ MBEDTLS_BYTE_1( *a ) ]) << 8) ^
166 (((uint32_t) sc[ MBEDTLS_BYTE_2( *a ) ]) << 16) ^
Joe Subbiani54550f72021-07-14 11:59:48 +0100[diff] [blame]167 (((uint32_t) sd[ MBEDTLS_BYTE_3( *a ) ]) << 24);
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]168 *b = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *b ) ] ) ^
169 (((uint32_t) sb[ MBEDTLS_BYTE_1( *b ) ]) << 8) ^
170 (((uint32_t) sc[ MBEDTLS_BYTE_2( *b ) ]) << 16) ^
Joe Subbiani54550f72021-07-14 11:59:48 +0100[diff] [blame]171 (((uint32_t) sd[ MBEDTLS_BYTE_3( *b ) ]) << 24);
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]172 *c = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *c ) ] ) ^
173 (((uint32_t) sb[ MBEDTLS_BYTE_1( *c ) ]) << 8) ^
174 (((uint32_t) sc[ MBEDTLS_BYTE_2( *c ) ]) << 16) ^
Joe Subbiani54550f72021-07-14 11:59:48 +0100[diff] [blame]175 (((uint32_t) sd[ MBEDTLS_BYTE_3( *c ) ]) << 24);
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]176 *d = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *d ) ] ) ^
177 (((uint32_t) sb[ MBEDTLS_BYTE_1( *d ) ]) << 8) ^
178 (((uint32_t) sc[ MBEDTLS_BYTE_2( *d ) ]) << 16) ^
Joe Subbiani54550f72021-07-14 11:59:48 +0100[diff] [blame]179 (((uint32_t) sd[ MBEDTLS_BYTE_3( *d ) ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]180}
181
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]182/*
183 * S-Boxes
184 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]185static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]186{
187 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
188 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
189 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
190 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
191 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
192 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
193 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
194 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
195 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
196 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
197 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
198 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
199 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
200 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
201 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
202 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
203 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
204 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
205 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
206 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
207 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
208 0xB0, 0x54, 0xBB, 0x16
209};
210
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]211static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]212{
213 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
214 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
215 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
216 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
217 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
218 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
219 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
220 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
221 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
222 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
223 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
224 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
225 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
226 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
227 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
228 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
229 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
230 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
231 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
232 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
233 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
234 0xAF, 0xBA, 0xB5, 0x81
235};
236
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]237static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]238{
239 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
240 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
241 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
242 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
243 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
244 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
245 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
246 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
247 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
248 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
249 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
250 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
251 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
252 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
253 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
254 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
256 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
258 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
259 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
260 0x55, 0x21, 0x0C, 0x7D
261};
262
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]263static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]264{
265 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
266 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
267 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
268 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
269 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
270 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
271 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
272 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
273 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
274 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
275 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
276 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
277 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
278 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
279 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
280 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
281 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
282 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
283 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
284 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
285 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
286 0x03, 0xA2, 0xAC, 0x60
287};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]288
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]289/*
290 * Helper for key schedule: r = FO( p, k ) ^ x
291 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]292static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
293 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]294{
295 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]296
297 a = p[0] ^ k[0];
298 b = p[1] ^ k[1];
299 c = p[2] ^ k[2];
300 d = p[3] ^ k[3];
301
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]302 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
303 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]304
305 r[0] = a ^ x[0];
306 r[1] = b ^ x[1];
307 r[2] = c ^ x[2];
308 r[3] = d ^ x[3];
309}
310
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]311/*
312 * Helper for key schedule: r = FE( p, k ) ^ x
313 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]314static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
315 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]316{
317 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]318
319 a = p[0] ^ k[0];
320 b = p[1] ^ k[1];
321 c = p[2] ^ k[2];
322 d = p[3] ^ k[3];
323
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]324 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
325 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]326
327 r[0] = a ^ x[0];
328 r[1] = b ^ x[1];
329 r[2] = c ^ x[2];
330 r[3] = d ^ x[3];
331}
332
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]333/*
334 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
335 *
336 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]337 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
338 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]339 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]340static void aria_rot128( uint32_t r[4], const uint32_t a[4],
341 const uint32_t b[4], uint8_t n )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]342{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]343 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]344 uint32_t t, u;
345
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]346 const uint8_t n1 = n % 32; // bit offset
347 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]348
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]349 j = ( n / 32 ) % 4; // initial word offset
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]350 t = ARIA_P3( b[j] ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]351 for( i = 0; i < 4; i++ )
352 {
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]353 j = ( j + 1 ) % 4; // get next word, big endian
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]354 u = ARIA_P3( b[j] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]355 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]356 t |= u >> n2;
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]357 t = ARIA_P3( t ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]358 r[i] = a[i] ^ t; // store
359 t = u; // move to next word
360 }
361}
362
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]363/*
364 * Set encryption key
365 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]366int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
367 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]368{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]369 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]370 const uint32_t rc[3][4] =
371 {
372 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
373 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
374 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
375 };
376
377 int i;
378 uint32_t w[4][4], *w2;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]379 ARIA_VALIDATE_RET( ctx != NULL );
380 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]381
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]382 if( keybits != 128 && keybits != 192 && keybits != 256 )
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]383 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]384
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]385 /* Copy key to W0 (and potential remainder to W1) */
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]386 w[0][0] = MBEDTLS_GET_UINT32_LE( key, 0 );
387 w[0][1] = MBEDTLS_GET_UINT32_LE( key, 4 );
388 w[0][2] = MBEDTLS_GET_UINT32_LE( key, 8 );
389 w[0][3] = MBEDTLS_GET_UINT32_LE( key, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]390
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]391 memset( w[1], 0, 16 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]392 if( keybits >= 192 )
393 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]394 w[1][0] = MBEDTLS_GET_UINT32_LE( key, 16 ); // 192 bit key
395 w[1][1] = MBEDTLS_GET_UINT32_LE( key, 20 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 }
397 if( keybits == 256 )
398 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]399 w[1][2] = MBEDTLS_GET_UINT32_LE( key, 24 ); // 256 bit key
400 w[1][3] = MBEDTLS_GET_UINT32_LE( key, 28 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]401 }
402
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]403 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]404 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
405
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]406 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]407 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]408 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]409 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]410 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411
412 for( i = 0; i < 4; i++ ) // create round keys
413 {
414 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]415 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
416 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
417 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
418 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]419 }
420 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
421
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]422 /* w holds enough info to reconstruct the round keys */
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]423 mbedtls_platform_zeroize( w, sizeof( w ) );
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]424
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]425 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]426}
427
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]428/*
429 * Set decryption key
430 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]431int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
432 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433{
434 int i, j, k, ret;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]435 ARIA_VALIDATE_RET( ctx != NULL );
436 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]437
438 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
439 if( ret != 0 )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]440 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]441
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]442 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443 for( i = 0, j = ctx->nr; i < j; i++, j-- )
444 {
445 for( k = 0; k < 4; k++ )
446 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]447 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448 ctx->rk[i][k] = ctx->rk[j][k];
449 ctx->rk[j][k] = t;
450 }
451 }
452
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]453 /* apply affine transform to middle keys */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]454 for( i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]455 {
456 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
457 &ctx->rk[i][2], &ctx->rk[i][3] );
458 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]459
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]460 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]461}
462
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]463/*
464 * Encrypt a block
465 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]466int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]467 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
468 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]469{
470 int i;
471
472 uint32_t a, b, c, d;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]473 ARIA_VALIDATE_RET( ctx != NULL );
474 ARIA_VALIDATE_RET( input != NULL );
475 ARIA_VALIDATE_RET( output != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]477 a = MBEDTLS_GET_UINT32_LE( input, 0 );
478 b = MBEDTLS_GET_UINT32_LE( input, 4 );
479 c = MBEDTLS_GET_UINT32_LE( input, 8 );
480 d = MBEDTLS_GET_UINT32_LE( input, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]481
482 i = 0;
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]483 while( 1 )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]484 {
485 a ^= ctx->rk[i][0];
486 b ^= ctx->rk[i][1];
487 c ^= ctx->rk[i][2];
488 d ^= ctx->rk[i][3];
489 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]490
491 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
492 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]493
494 a ^= ctx->rk[i][0];
495 b ^= ctx->rk[i][1];
496 c ^= ctx->rk[i][2];
497 d ^= ctx->rk[i][3];
498 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]499
500 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]501 if( i >= ctx->nr )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]502 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]503 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]504 }
505
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]506 /* final key mixing */
507 a ^= ctx->rk[i][0];
508 b ^= ctx->rk[i][1];
509 c ^= ctx->rk[i][2];
510 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]511
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]512 MBEDTLS_PUT_UINT32_LE( a, output, 0 );
513 MBEDTLS_PUT_UINT32_LE( b, output, 4 );
514 MBEDTLS_PUT_UINT32_LE( c, output, 8 );
515 MBEDTLS_PUT_UINT32_LE( d, output, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]516
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]517 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]518}
519
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]520/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]521void mbedtls_aria_init( mbedtls_aria_context *ctx )
522{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]523 ARIA_VALIDATE( ctx != NULL );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]524 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
525}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]526
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]527/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]528void mbedtls_aria_free( mbedtls_aria_context *ctx )
529{
530 if( ctx == NULL )
531 return;
532
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]533 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]534}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]535
536#if defined(MBEDTLS_CIPHER_MODE_CBC)
537/*
538 * ARIA-CBC buffer encryption/decryption
539 */
540int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]541 int mode,
542 size_t length,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]543 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]544 const unsigned char *input,
545 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]546{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]547 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]548
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]549 ARIA_VALIDATE_RET( ctx != NULL );
550 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
551 mode == MBEDTLS_ARIA_DECRYPT );
552 ARIA_VALIDATE_RET( length == 0 || input != NULL );
553 ARIA_VALIDATE_RET( length == 0 || output != NULL );
554 ARIA_VALIDATE_RET( iv != NULL );
555
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]556 if( length % MBEDTLS_ARIA_BLOCKSIZE )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]557 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
558
559 if( mode == MBEDTLS_ARIA_DECRYPT )
560 {
561 while( length > 0 )
562 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]563 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]564 mbedtls_aria_crypt_ecb( ctx, input, output );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]565
Dave Rodgman7bb6b842022-11-22 16:18:55 +0000[diff] [blame]566 mbedtls_xor( output, output, iv, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]567
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]568 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]569
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]570 input += MBEDTLS_ARIA_BLOCKSIZE;
571 output += MBEDTLS_ARIA_BLOCKSIZE;
572 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]573 }
574 }
575 else
576 {
577 while( length > 0 )
578 {
Dave Rodgman7bb6b842022-11-22 16:18:55 +0000[diff] [blame]579 mbedtls_xor( output, input, iv, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]580
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]581 mbedtls_aria_crypt_ecb( ctx, output, output );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]582 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]583
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]584 input += MBEDTLS_ARIA_BLOCKSIZE;
585 output += MBEDTLS_ARIA_BLOCKSIZE;
586 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]587 }
588 }
589
590 return( 0 );
591}
592#endif /* MBEDTLS_CIPHER_MODE_CBC */
593
594#if defined(MBEDTLS_CIPHER_MODE_CFB)
595/*
596 * ARIA-CFB128 buffer encryption/decryption
597 */
598int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]599 int mode,
600 size_t length,
601 size_t *iv_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]602 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]603 const unsigned char *input,
604 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]605{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]606 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]607 size_t n;
608
609 ARIA_VALIDATE_RET( ctx != NULL );
610 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
611 mode == MBEDTLS_ARIA_DECRYPT );
612 ARIA_VALIDATE_RET( length == 0 || input != NULL );
613 ARIA_VALIDATE_RET( length == 0 || output != NULL );
614 ARIA_VALIDATE_RET( iv != NULL );
615 ARIA_VALIDATE_RET( iv_off != NULL );
616
617 n = *iv_off;
618
619 /* An overly large value of n can lead to an unlimited
620 * buffer overflow. Therefore, guard against this
621 * outside of parameter validation. */
622 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
623 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]624
625 if( mode == MBEDTLS_ARIA_DECRYPT )
626 {
627 while( length-- )
628 {
629 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]630 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]631
632 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]633 *output++ = c ^ iv[n];
634 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]635
636 n = ( n + 1 ) & 0x0F;
637 }
638 }
639 else
640 {
641 while( length-- )
642 {
643 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]644 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]645
646 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
647
648 n = ( n + 1 ) & 0x0F;
649 }
650 }
651
652 *iv_off = n;
653
654 return( 0 );
655}
656#endif /* MBEDTLS_CIPHER_MODE_CFB */
657
658#if defined(MBEDTLS_CIPHER_MODE_CTR)
659/*
660 * ARIA-CTR buffer encryption/decryption
661 */
662int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]663 size_t length,
664 size_t *nc_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]665 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
666 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]667 const unsigned char *input,
668 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]669{
670 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]671 size_t n;
672
673 ARIA_VALIDATE_RET( ctx != NULL );
674 ARIA_VALIDATE_RET( length == 0 || input != NULL );
675 ARIA_VALIDATE_RET( length == 0 || output != NULL );
676 ARIA_VALIDATE_RET( nonce_counter != NULL );
677 ARIA_VALIDATE_RET( stream_block != NULL );
678 ARIA_VALIDATE_RET( nc_off != NULL );
679
680 n = *nc_off;
681 /* An overly large value of n can lead to an unlimited
682 * buffer overflow. Therefore, guard against this
683 * outside of parameter validation. */
684 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
685 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]686
687 while( length-- )
688 {
689 if( n == 0 ) {
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]690 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]691 stream_block );
692
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]693 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]694 if( ++nonce_counter[i - 1] != 0 )
695 break;
696 }
697 c = *input++;
698 *output++ = (unsigned char)( c ^ stream_block[n] );
699
700 n = ( n + 1 ) & 0x0F;
701 }
702
703 *nc_off = n;
704
705 return( 0 );
706}
707#endif /* MBEDTLS_CIPHER_MODE_CTR */
708#endif /* !MBEDTLS_ARIA_ALT */
709
710#if defined(MBEDTLS_SELF_TEST)
711
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]712/*
713 * Basic ARIA ECB test vectors from RFC 5794
714 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]715static const uint8_t aria_test1_ecb_key[32] = // test key
716{
717 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
718 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
719 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
720 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
721};
722
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]723static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]724{
725 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
726 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
727};
728
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]729static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]730{
731 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
732 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
733 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
734 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
735 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
736 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
737};
738
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]739/*
740 * Mode tests from "Test Vectors for ARIA" Version 1.0
741 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
742 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]743#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]744 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]745static const uint8_t aria_test2_key[32] =
746{
747 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
748 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
749 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
750 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
751};
752
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]753static const uint8_t aria_test2_pt[48] =
754{
755 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
756 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
757 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
758 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
759 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
760 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
761};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]762#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]763
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]764#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]765static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]766{
767 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
768 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
769};
770#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]771
772#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]773static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]774{
775 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
776 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
777 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
778 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
779 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
780 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
781 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
782 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
783 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
784 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
785 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
786 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
787 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
788 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
789 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
790 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
791 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
792 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
793};
794#endif /* MBEDTLS_CIPHER_MODE_CBC */
795
796#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]797static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]798{
799 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
800 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
801 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
802 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
803 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
804 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
805 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
806 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
807 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
808 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
809 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
810 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
811 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
812 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
813 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
814 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
815 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
816 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
817};
818#endif /* MBEDTLS_CIPHER_MODE_CFB */
819
820#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]821static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]822{
823 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
824 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
825 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
826 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
827 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
828 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
829 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
830 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
831 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
832 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
833 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
834 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
835 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
836 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
837 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
838 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
839 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
840 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
841};
842#endif /* MBEDTLS_CIPHER_MODE_CFB */
843
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]844#define ARIA_SELF_TEST_ASSERT( cond ) \
David Horstmann0763ccf2022-10-06 14:32:30 +0100[diff] [blame]845 do { \
846 if( cond ) { \
847 if( verbose ) \
848 mbedtls_printf( "failed\n" ); \
849 goto exit; \
850 } else { \
851 if( verbose ) \
852 mbedtls_printf( "passed\n" ); \
853 } \
854 } while( 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]855
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]856/*
857 * Checkup routine
858 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]859int mbedtls_aria_self_test( int verbose )
860{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]861 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]862 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]863 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]864 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]865
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]866#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
867 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]868#endif
869
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]870#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
871 defined(MBEDTLS_CIPHER_MODE_CFB) || \
872 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]873 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]874#endif
875
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]876 mbedtls_aria_init( &ctx );
877
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]878 /*
879 * Test set 1
880 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]881 for( i = 0; i < 3; i++ )
882 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]883 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]884 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]885 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]886 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]887 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]888 ARIA_SELF_TEST_ASSERT(
David Horstmann0763ccf2022-10-06 14:32:30 +0100[diff] [blame]889 memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE )
890 != 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]891
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]892 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]893 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]894 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]895 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]896 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]897 ARIA_SELF_TEST_ASSERT(
David Horstmann0763ccf2022-10-06 14:32:30 +0100[diff] [blame]898 memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE )
899 != 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]900 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]901 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]902 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]903
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]904 /*
905 * Test set 2
906 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]907#if defined(MBEDTLS_CIPHER_MODE_CBC)
908 for( i = 0; i < 3; i++ )
909 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]910 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]911 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]912 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]913 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]914 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]915 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]916 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
917 aria_test2_pt, buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]918 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cbc_ct[i], 48 )
David Horstmann0763ccf2022-10-06 14:32:30 +0100[diff] [blame]919 != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]920
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]921 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]922 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]923 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]924 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]925 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]926 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]927 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
928 aria_test2_cbc_ct[i], buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]929 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]930 }
931 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]932 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]933
934#endif /* MBEDTLS_CIPHER_MODE_CBC */
935
936#if defined(MBEDTLS_CIPHER_MODE_CFB)
937 for( i = 0; i < 3; i++ )
938 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]939 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]940 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]941 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]942 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]943 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]944 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]945 j = 0;
946 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
947 aria_test2_pt, buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]948 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]949
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]950 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]951 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]952 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]953 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]954 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]955 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]956 j = 0;
957 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
958 iv, aria_test2_cfb_ct[i], buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]959 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]960 }
961 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]962 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]963#endif /* MBEDTLS_CIPHER_MODE_CFB */
964
965#if defined(MBEDTLS_CIPHER_MODE_CTR)
966 for( i = 0; i < 3; i++ )
967 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]968 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]969 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]970 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]971 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]972 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]973 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]974 j = 0;
975 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
976 aria_test2_pt, buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]977 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]978
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]979 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]980 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]981 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]982 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]983 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]984 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]985 j = 0;
986 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
987 aria_test2_ctr_ct[i], buf );
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]988 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]989 }
990 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]991 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]992#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]993
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]994 ret = 0;
995
996exit:
997 mbedtls_aria_free( &ctx );
998 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]999}
1000
1001#endif /* MBEDTLS_SELF_TEST */
1002
1003#endif /* MBEDTLS_ARIA_C */