TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9141ad12239f98fdbb866aad25bd12a2bdffe861 / . / library / aria.c
blob: 0bd489e6855158b046a8d14d10cc5602364328e5 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
30#include "mbedtls/aria.h"
31
32#include <string.h>
33
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]34#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]35
36#if !defined(MBEDTLS_ARIA_ALT)
37
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]38#include "mbedtls/platform_util.h"
39
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]40/* Parameter validation macros */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]41#define ARIA_VALIDATE_RET(cond) \
42 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
43#define ARIA_VALIDATE(cond) \
44 MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]45
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]46/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]48 *
49 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]50 *
51 * Common compilers fail to translate this to minimal number of instructions,
52 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]53 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]54#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]55#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]58 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]59 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]61{
62 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
64 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]65}
66#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]67#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
69static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]70{
71 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]72 __asm("rev16 r, x");
73 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]74}
75#define ARIA_P1 aria_p1
76#endif
77#endif /* arm */
78#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]79 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]80/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]81#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]82#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]83#endif /* MBEDTLS_HAVE_ASM && GNUC */
84#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]86#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]87
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]88/*
89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90 *
91 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]92 *
93 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]94 */
95#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]96
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]97/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99 *
100 * This is submatrix P3 in [1] Appendix B.1
101 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]102#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]103
104/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]105 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]106 * (a, b, c, d) = state in/out
107 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]108 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]109 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
110 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]111 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]112 * rearrangements on adjacent pairs, output is:
113 *
114 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
115 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]116 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]117 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]118 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]120 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]121 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
122 *
123 * Note: another presentation of the A transform can be found as the first
124 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
125 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]126 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static inline void aria_a(uint32_t *a, uint32_t *b,
128 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]129{
130 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]131 ta = *b; // 4567
132 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]133 *a = ARIA_P2(ta); // 6745
134 tb = ARIA_P2(*d); // efcd
135 *d = ARIA_P1(*c); // 98ba
136 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]137 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138 tc = ARIA_P2(*b); // 2301
139 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
140 tb ^= ARIA_P2(*d); // ba98+efcd
141 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]142 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]143 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
144 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
145 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
146 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
147 tc = ARIA_P2(tc); // 0123+5476
148 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]149}
150
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]151/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]152 * ARIA Substitution Layer SL1 / SL2
153 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]154 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]155 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]156 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
157 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]158 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]159static inline void aria_sl(uint32_t *a, uint32_t *b,
160 uint32_t *c, uint32_t *d,
161 const uint8_t sa[256], const uint8_t sb[256],
162 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]163{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]164 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
168 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
169 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
170 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
171 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
172 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
173 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
174 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
175 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
176 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
177 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
178 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
179 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]180}
181
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]182/*
183 * S-Boxes
184 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]185static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]186{
187 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
188 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
189 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
190 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
191 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
192 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
193 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
194 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
195 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
196 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
197 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
198 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
199 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
200 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
201 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
202 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
203 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
204 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
205 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
206 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
207 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
208 0xB0, 0x54, 0xBB, 0x16
209};
210
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]211static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]212{
213 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
214 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
215 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
216 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
217 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
218 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
219 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
220 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
221 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
222 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
223 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
224 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
225 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
226 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
227 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
228 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
229 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
230 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
231 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
232 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
233 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
234 0xAF, 0xBA, 0xB5, 0x81
235};
236
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]237static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]238{
239 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
240 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
241 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
242 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
243 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
244 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
245 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
246 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
247 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
248 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
249 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
250 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
251 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
252 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
253 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
254 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
256 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
258 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
259 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
260 0x55, 0x21, 0x0C, 0x7D
261};
262
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]263static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]264{
265 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
266 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
267 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
268 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
269 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
270 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
271 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
272 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
273 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
274 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
275 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
276 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
277 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
278 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
279 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
280 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
281 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
282 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
283 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
284 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
285 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
286 0x03, 0xA2, 0xAC, 0x60
287};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]288
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]289/*
290 * Helper for key schedule: r = FO( p, k ) ^ x
291 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]292static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
293 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]294{
295 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]296
297 a = p[0] ^ k[0];
298 b = p[1] ^ k[1];
299 c = p[2] ^ k[2];
300 d = p[3] ^ k[3];
301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
303 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]304
305 r[0] = a ^ x[0];
306 r[1] = b ^ x[1];
307 r[2] = c ^ x[2];
308 r[3] = d ^ x[3];
309}
310
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]311/*
312 * Helper for key schedule: r = FE( p, k ) ^ x
313 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]314static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
315 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]316{
317 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]318
319 a = p[0] ^ k[0];
320 b = p[1] ^ k[1];
321 c = p[2] ^ k[2];
322 d = p[3] ^ k[3];
323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
325 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]326
327 r[0] = a ^ x[0];
328 r[1] = b ^ x[1];
329 r[2] = c ^ x[2];
330 r[3] = d ^ x[3];
331}
332
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]333/*
334 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
335 *
336 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]337 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
338 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]339 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]340static void aria_rot128(uint32_t r[4], const uint32_t a[4],
341 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]342{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]343 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]344 uint32_t t, u;
345
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]346 const uint8_t n1 = n % 32; // bit offset
347 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]349 j = (n / 32) % 4; // initial word offset
350 t = ARIA_P3(b[j]); // big endian
351 for (i = 0; i < 4; i++) {
352 j = (j + 1) % 4; // get next word, big endian
353 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]354 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]355 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]356 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]357 r[i] = a[i] ^ t; // store
358 t = u; // move to next word
359 }
360}
361
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]362/*
363 * Set encryption key
364 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]365int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
366 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]367{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]368 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]369 const uint32_t rc[3][4] =
370 {
371 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
372 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
373 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
374 };
375
376 int i;
377 uint32_t w[4][4], *w2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]378 ARIA_VALIDATE_RET(ctx != NULL);
379 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 if (keybits != 128 && keybits != 192 && keybits != 256) {
382 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
383 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]384
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]385 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
387 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
388 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
389 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]391 memset(w[1], 0, 16);
392 if (keybits >= 192) {
393 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
394 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]395 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]396 if (keybits == 256) {
397 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
398 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]399 }
400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]401 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]402 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]404 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]405 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]407 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]410 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
413 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
414 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
415 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]416 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]417 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]419 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]421
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423}
424
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]425/*
426 * Set decryption key
427 */
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame^]428#if !defined(MBEDTLS_CIPHER_ENCRYPT_ONLY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
430 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]431{
432 int i, j, k, ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]433 ARIA_VALIDATE_RET(ctx != NULL);
434 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]436 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
437 if (ret != 0) {
438 return ret;
439 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]440
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]441 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]442 for (i = 0, j = ctx->nr; i < j; i++, j--) {
443 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]444 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445 ctx->rk[i][k] = ctx->rk[j][k];
446 ctx->rk[j][k] = t;
447 }
448 }
449
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]450 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]451 for (i = 1; i < ctx->nr; i++) {
452 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
453 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]454 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]456 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]457}
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame^]458#endif /* !MBEDTLS_CIPHER_ENCRYPT_ONLY */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]459
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]460/*
461 * Encrypt a block
462 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]463int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
464 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
465 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]466{
467 int i;
468
469 uint32_t a, b, c, d;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470 ARIA_VALIDATE_RET(ctx != NULL);
471 ARIA_VALIDATE_RET(input != NULL);
472 ARIA_VALIDATE_RET(output != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 a = MBEDTLS_GET_UINT32_LE(input, 0);
475 b = MBEDTLS_GET_UINT32_LE(input, 4);
476 c = MBEDTLS_GET_UINT32_LE(input, 8);
477 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]478
479 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]480 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]481 a ^= ctx->rk[i][0];
482 b ^= ctx->rk[i][1];
483 c ^= ctx->rk[i][2];
484 d ^= ctx->rk[i][3];
485 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
488 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]489
490 a ^= ctx->rk[i][0];
491 b ^= ctx->rk[i][1];
492 c ^= ctx->rk[i][2];
493 d ^= ctx->rk[i][3];
494 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
497 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]498 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499 }
500 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]501 }
502
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]503 /* final key mixing */
504 a ^= ctx->rk[i][0];
505 b ^= ctx->rk[i][1];
506 c ^= ctx->rk[i][2];
507 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 MBEDTLS_PUT_UINT32_LE(a, output, 0);
510 MBEDTLS_PUT_UINT32_LE(b, output, 4);
511 MBEDTLS_PUT_UINT32_LE(c, output, 8);
512 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]513
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]514 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]515}
516
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]517/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]519{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 ARIA_VALIDATE(ctx != NULL);
521 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]522}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]523
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]524/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]526{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]528 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]531 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]532}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
534#if defined(MBEDTLS_CIPHER_MODE_CBC)
535/*
536 * ARIA-CBC buffer encryption/decryption
537 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
539 int mode,
540 size_t length,
541 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
542 const unsigned char *input,
543 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]544{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]545 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 ARIA_VALIDATE_RET(ctx != NULL);
548 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
549 mode == MBEDTLS_ARIA_DECRYPT);
550 ARIA_VALIDATE_RET(length == 0 || input != NULL);
551 ARIA_VALIDATE_RET(length == 0 || output != NULL);
552 ARIA_VALIDATE_RET(iv != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]554 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
555 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
556 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 if (mode == MBEDTLS_ARIA_DECRYPT) {
559 while (length > 0) {
560 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
561 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]564
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]565 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]566
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]567 input += MBEDTLS_ARIA_BLOCKSIZE;
568 output += MBEDTLS_ARIA_BLOCKSIZE;
569 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]570 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 } else {
572 while (length > 0) {
573 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]574
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 mbedtls_aria_crypt_ecb(ctx, output, output);
576 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]577
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]578 input += MBEDTLS_ARIA_BLOCKSIZE;
579 output += MBEDTLS_ARIA_BLOCKSIZE;
580 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]581 }
582 }
583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]585}
586#endif /* MBEDTLS_CIPHER_MODE_CBC */
587
588#if defined(MBEDTLS_CIPHER_MODE_CFB)
589/*
590 * ARIA-CFB128 buffer encryption/decryption
591 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]592int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
593 int mode,
594 size_t length,
595 size_t *iv_off,
596 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
597 const unsigned char *input,
598 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]599{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]600 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]601 size_t n;
602
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]603 ARIA_VALIDATE_RET(ctx != NULL);
604 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
605 mode == MBEDTLS_ARIA_DECRYPT);
606 ARIA_VALIDATE_RET(length == 0 || input != NULL);
607 ARIA_VALIDATE_RET(length == 0 || output != NULL);
608 ARIA_VALIDATE_RET(iv != NULL);
609 ARIA_VALIDATE_RET(iv_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]610
611 n = *iv_off;
612
613 /* An overly large value of n can lead to an unlimited
614 * buffer overflow. Therefore, guard against this
615 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
617 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
618 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 if (mode == MBEDTLS_ARIA_DECRYPT) {
621 while (length--) {
622 if (n == 0) {
623 mbedtls_aria_crypt_ecb(ctx, iv, iv);
624 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]625
626 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]627 *output++ = c ^ iv[n];
628 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]629
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]630 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]631 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 } else {
633 while (length--) {
634 if (n == 0) {
635 mbedtls_aria_crypt_ecb(ctx, iv, iv);
636 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]637
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]638 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]640 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]641 }
642 }
643
644 *iv_off = n;
645
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]646 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]647}
648#endif /* MBEDTLS_CIPHER_MODE_CFB */
649
650#if defined(MBEDTLS_CIPHER_MODE_CTR)
651/*
652 * ARIA-CTR buffer encryption/decryption
653 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
655 size_t length,
656 size_t *nc_off,
657 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
658 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
659 const unsigned char *input,
660 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]661{
662 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]663 size_t n;
664
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]665 ARIA_VALIDATE_RET(ctx != NULL);
666 ARIA_VALIDATE_RET(length == 0 || input != NULL);
667 ARIA_VALIDATE_RET(length == 0 || output != NULL);
668 ARIA_VALIDATE_RET(nonce_counter != NULL);
669 ARIA_VALIDATE_RET(stream_block != NULL);
670 ARIA_VALIDATE_RET(nc_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]671
672 n = *nc_off;
673 /* An overly large value of n can lead to an unlimited
674 * buffer overflow. Therefore, guard against this
675 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
677 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
678 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]679
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]680 while (length--) {
681 if (n == 0) {
682 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
683 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]684
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
686 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]687 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]688 }
689 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]690 }
691 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]692 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]693
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]694 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]695 }
696
697 *nc_off = n;
698
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]699 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]700}
701#endif /* MBEDTLS_CIPHER_MODE_CTR */
702#endif /* !MBEDTLS_ARIA_ALT */
703
704#if defined(MBEDTLS_SELF_TEST)
705
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]706/*
707 * Basic ARIA ECB test vectors from RFC 5794
708 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]709static const uint8_t aria_test1_ecb_key[32] = // test key
710{
711 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
712 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
713 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
714 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
715};
716
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]717static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]718{
719 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
720 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
721};
722
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]723static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]724{
725 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
726 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
727 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
728 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
729 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
730 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
731};
732
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]733/*
734 * Mode tests from "Test Vectors for ARIA" Version 1.0
735 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
736 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]737#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]738 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]739static const uint8_t aria_test2_key[32] =
740{
741 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
742 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
743 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
744 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
745};
746
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]747static const uint8_t aria_test2_pt[48] =
748{
749 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
750 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
751 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
752 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
753 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
754 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
755};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]756#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]757
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]758#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]759static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]760{
761 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
762 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
763};
764#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]765
766#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]767static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]768{
769 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
770 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
771 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
772 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
773 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
774 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
775 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
776 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
777 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
778 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
779 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
780 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
781 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
782 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
783 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
784 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
785 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
786 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
787};
788#endif /* MBEDTLS_CIPHER_MODE_CBC */
789
790#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]791static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]792{
793 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
794 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
795 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
796 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
797 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
798 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
799 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
800 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
801 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
802 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
803 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
804 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
805 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
806 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
807 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
808 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
809 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
810 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
811};
812#endif /* MBEDTLS_CIPHER_MODE_CFB */
813
814#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]815static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]816{
817 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
818 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
819 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
820 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
821 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
822 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
823 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
824 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
825 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
826 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
827 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
828 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
829 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
830 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
831 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
832 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
833 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
834 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
835};
836#endif /* MBEDTLS_CIPHER_MODE_CFB */
837
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]838#define ARIA_SELF_TEST_ASSERT(cond) \
839 do { \
840 if (cond) { \
841 if (verbose) \
842 mbedtls_printf("failed\n"); \
843 goto exit; \
844 } else { \
845 if (verbose) \
846 mbedtls_printf("passed\n"); \
847 } \
848 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]849
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]850/*
851 * Checkup routine
852 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]853int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]854{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]855 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]856 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]857 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]858 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]859
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]860#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
861 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]862#endif
863
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]864#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]865 defined(MBEDTLS_CIPHER_MODE_CFB) || \
866 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]867 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]868#endif
869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]870 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]871
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]872 /*
873 * Test set 1
874 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]875 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]876 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]877 if (verbose) {
878 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
879 }
880 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
881 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]882 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]883 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
884 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]885
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]886 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]887 if (verbose) {
888 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame^]889#if defined(MBEDTLS_CIPHER_ENCRYPT_ONLY)
890 mbedtls_printf("skipped\n");
891#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]892 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame^]893
894#if !defined(MBEDTLS_CIPHER_ENCRYPT_ONLY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
896 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]897 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
899 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame^]900#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]901 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]902 if (verbose) {
903 mbedtls_printf("\n");
904 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]905
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]906 /*
907 * Test set 2
908 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]909#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]910 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]911 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]912 if (verbose) {
913 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
914 }
915 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
916 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
917 memset(buf, 0x55, sizeof(buf));
918 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
919 aria_test2_pt, buf);
920 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
921 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]922
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]923 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 if (verbose) {
925 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
926 }
927 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
928 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
929 memset(buf, 0xAA, sizeof(buf));
930 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
931 aria_test2_cbc_ct[i], buf);
932 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]933 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 if (verbose) {
935 mbedtls_printf("\n");
936 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]937
938#endif /* MBEDTLS_CIPHER_MODE_CBC */
939
940#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]941 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]942 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]943 if (verbose) {
944 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
945 }
946 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
947 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
948 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]949 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
951 aria_test2_pt, buf);
952 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]953
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]954 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 if (verbose) {
956 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
957 }
958 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
959 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
960 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]961 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
963 iv, aria_test2_cfb_ct[i], buf);
964 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]965 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]966 if (verbose) {
967 mbedtls_printf("\n");
968 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]969#endif /* MBEDTLS_CIPHER_MODE_CFB */
970
971#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]973 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 if (verbose) {
975 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
976 }
977 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
978 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
979 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]980 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]981 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
982 aria_test2_pt, buf);
983 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]984
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]985 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 if (verbose) {
987 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
988 }
989 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
990 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
991 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]992 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
994 aria_test2_ctr_ct[i], buf);
995 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]996 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]997 if (verbose) {
998 mbedtls_printf("\n");
999 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1000#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1001
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]1002 ret = 0;
1003
1004exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1005 mbedtls_aria_free(&ctx);
1006 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1007}
1008
1009#endif /* MBEDTLS_SELF_TEST */
1010
1011#endif /* MBEDTLS_ARIA_C */