TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c0eabdc63657f784dee45167b010534cd3924cfa / . / library / aria.c
blob: 32bd8cc2556342675f70a27c47865d07296a7944 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]30# include "mbedtls/aria.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]31
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]32# include <string.h>
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]33
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]34# if defined(MBEDTLS_SELF_TEST)
35# if defined(MBEDTLS_PLATFORM_C)
36# include "mbedtls/platform.h"
37# else
38# include <stdio.h>
39# define mbedtls_printf printf
40# endif /* MBEDTLS_PLATFORM_C */
41# endif /* MBEDTLS_SELF_TEST */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]42
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]43# if !defined(MBEDTLS_ARIA_ALT)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]44
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]45# include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]46
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]47# if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
48 !defined(inline) && !defined(__cplusplus)
49# define inline __inline
50# endif
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]51
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]52/* Parameter validation macros */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]53# define ARIA_VALIDATE_RET(cond) \
54 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
55# define ARIA_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]56
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]57/*
58 * 32-bit integer manipulation macros (little endian)
59 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]60# ifndef GET_UINT32_LE
61# define GET_UINT32_LE(n, b, i) \
62 { \
63 (n) = ((uint32_t)(b)[(i)]) | \
64 ((uint32_t)(b)[(i) + 1] << 8) | \
65 ((uint32_t)(b)[(i) + 2] << 16) | \
66 ((uint32_t)(b)[(i) + 3] << 24); \
67 }
68# endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]69
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]70# ifndef PUT_UINT32_LE
71# define PUT_UINT32_LE(n, b, i) \
72 { \
73 (b)[(i)] = (unsigned char)(((n)) & 0xFF); \
74 (b)[(i) + 1] = (unsigned char)(((n) >> 8) & 0xFF); \
75 (b)[(i) + 2] = (unsigned char)(((n) >> 16) & 0xFF); \
76 (b)[(i) + 3] = (unsigned char)(((n) >> 24) & 0xFF); \
77 }
78# endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]79
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]80/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]81 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]82 *
83 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]84 *
85 * Common compilers fail to translate this to minimal number of instructions,
86 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]87 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]88# if defined(MBEDTLS_HAVE_ASM)
89# if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]90/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]91# if defined(__GNUC__) && \
92 (!defined(__ARMCC_VERSION) || \
93 __ARMCC_VERSION >= 6000000) && \
94 __ARM_ARCH >= 6
95static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]96{
97 uint32_t r;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]98 __asm("rev16 %0, %1" : "=l"(r) : "l"(x));
99 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]100}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]101# define ARIA_P1 aria_p1
102# elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
103 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
104static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]105{
106 uint32_t r;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]107 __asm("rev16 r, x");
108 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]109}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]110# define ARIA_P1 aria_p1
111# endif
112# endif /* arm */
113# if defined(__GNUC__) && defined(__i386__) || \
114 defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]115/* I couldn't find an Intel equivalent of rev16, so two instructions */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]116# define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
117# endif /* x86 gnuc */
118# endif /* MBEDTLS_HAVE_ASM && GNUC */
119# if !defined(ARIA_P1)
120# define ARIA_P1(x) \
121 ((((x) >> 8) & 0x00FF00FF) ^ (((x)&0x00FF00FF) << 8))
122# endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]123
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]124/*
125 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
126 *
127 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]128 *
129 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]130 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]131# define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]132
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]133/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]134 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
135 *
136 * This is submatrix P3 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]137 *
138 * Some compilers fail to translate this to a single instruction,
139 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]140 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]141# if defined(MBEDTLS_HAVE_ASM)
142# if defined(__arm__) /* rev available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]143/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]144# if defined(__GNUC__) && \
145 (!defined(__ARMCC_VERSION) || \
146 __ARMCC_VERSION >= 6000000) && \
147 __ARM_ARCH >= 6
148static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]149{
150 uint32_t r;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]151 __asm("rev %0, %1" : "=l"(r) : "l"(x));
152 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]153}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]154# define ARIA_P3 aria_p3
155# elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
156 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
157static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]158{
159 uint32_t r;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]160 __asm("rev r, x");
161 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]162}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]163# define ARIA_P3 aria_p3
164# endif
165# endif /* arm */
166# if defined(__GNUC__) && defined(__i386__) || \
167 defined(__amd64__) || defined(__x86_64__)
168static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]169{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]170 __asm("bswap %0" : "=r"(x) : "0"(x));
171 return x;
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]172}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]173# define ARIA_P3 aria_p3
174# endif /* x86 gnuc */
175# endif /* MBEDTLS_HAVE_ASM && GNUC */
176# if !defined(ARIA_P3)
177# define ARIA_P3(x) ARIA_P2(ARIA_P1(x))
178# endif
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]179
180/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]181 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]182 * (a, b, c, d) = state in/out
183 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]184 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]185 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
186 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]187 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]188 * rearrangements on adjacent pairs, output is:
189 *
190 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
191 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]192 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]193 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]194 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]195 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]196 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]197 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
198 *
199 * Note: another presentation of the A transform can be found as the first
200 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
201 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]202 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]203static inline void aria_a(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]204{
205 uint32_t ta, tb, tc;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]206 ta = *b; // 4567
207 *b = *a; // 0123
208 *a = ARIA_P2(ta); // 6745
209 tb = ARIA_P2(*d); // efcd
210 *d = ARIA_P1(*c); // 98ba
211 *c = ARIA_P1(tb); // fedc
212 ta ^= *d; // 4567+98ba
213 tc = ARIA_P2(*b); // 2301
214 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
215 tb ^= ARIA_P2(*d); // ba98+efcd
216 tc ^= ARIA_P1(*a); // 2301+7654
217 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
218 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
219 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
220 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
221 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
222 tc = ARIA_P2(tc); // 0123+5476
223 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]224}
225
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]226/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]227 * ARIA Substitution Layer SL1 / SL2
228 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]229 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]230 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]231 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
232 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]233 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]234static inline void aria_sl(uint32_t *a,
235 uint32_t *b,
236 uint32_t *c,
237 uint32_t *d,
238 const uint8_t sa[256],
239 const uint8_t sb[256],
240 const uint8_t sc[256],
241 const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]242{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]243 *a = ((uint32_t)sa[*a & 0xFF]) ^ (((uint32_t)sb[(*a >> 8) & 0xFF]) << 8) ^
244 (((uint32_t)sc[(*a >> 16) & 0xFF]) << 16) ^
245 (((uint32_t)sd[*a >> 24]) << 24);
246 *b = ((uint32_t)sa[*b & 0xFF]) ^ (((uint32_t)sb[(*b >> 8) & 0xFF]) << 8) ^
247 (((uint32_t)sc[(*b >> 16) & 0xFF]) << 16) ^
248 (((uint32_t)sd[*b >> 24]) << 24);
249 *c = ((uint32_t)sa[*c & 0xFF]) ^ (((uint32_t)sb[(*c >> 8) & 0xFF]) << 8) ^
250 (((uint32_t)sc[(*c >> 16) & 0xFF]) << 16) ^
251 (((uint32_t)sd[*c >> 24]) << 24);
252 *d = ((uint32_t)sa[*d & 0xFF]) ^ (((uint32_t)sb[(*d >> 8) & 0xFF]) << 8) ^
253 (((uint32_t)sc[(*d >> 16) & 0xFF]) << 16) ^
254 (((uint32_t)sd[*d >> 24]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]255}
256
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]257/*
258 * S-Boxes
259 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]260static const uint8_t aria_sb1[256] = {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]261 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
262 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
263 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
264 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
265 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
266 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
267 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
268 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
269 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
270 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
271 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
272 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
273 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
274 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
275 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
276 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
277 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
278 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
279 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
280 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
281 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
282 0xB0, 0x54, 0xBB, 0x16
283};
284
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]285static const uint8_t aria_sb2[256] = {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
287 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
288 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
289 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
290 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
291 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
292 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
293 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
294 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
295 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
296 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
297 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
298 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
299 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
300 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
301 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
302 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
303 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
304 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
305 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
306 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
307 0xAF, 0xBA, 0xB5, 0x81
308};
309
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]310static const uint8_t aria_is1[256] = {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]311 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
312 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
313 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
314 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
315 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
316 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
317 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
318 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
319 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
320 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
321 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
322 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
323 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
324 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
325 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
326 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
327 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
328 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
329 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
330 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
331 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
332 0x55, 0x21, 0x0C, 0x7D
333};
334
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]335static const uint8_t aria_is2[256] = {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
337 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
338 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
339 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
340 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
341 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
342 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
343 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
344 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
345 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
346 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
347 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
348 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
349 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
350 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
351 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
352 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
353 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
354 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
355 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
356 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
357 0x03, 0xA2, 0xAC, 0x60
358};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]359
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]360/*
361 * Helper for key schedule: r = FO( p, k ) ^ x
362 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]363static void aria_fo_xor(uint32_t r[4],
364 const uint32_t p[4],
365 const uint32_t k[4],
366 const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]367{
368 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]369
370 a = p[0] ^ k[0];
371 b = p[1] ^ k[1];
372 c = p[2] ^ k[2];
373 d = p[3] ^ k[3];
374
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]375 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
376 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]377
378 r[0] = a ^ x[0];
379 r[1] = b ^ x[1];
380 r[2] = c ^ x[2];
381 r[3] = d ^ x[3];
382}
383
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]384/*
385 * Helper for key schedule: r = FE( p, k ) ^ x
386 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]387static void aria_fe_xor(uint32_t r[4],
388 const uint32_t p[4],
389 const uint32_t k[4],
390 const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]391{
392 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]393
394 a = p[0] ^ k[0];
395 b = p[1] ^ k[1];
396 c = p[2] ^ k[2];
397 d = p[3] ^ k[3];
398
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]399 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
400 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]401
402 r[0] = a ^ x[0];
403 r[1] = b ^ x[1];
404 r[2] = c ^ x[2];
405 r[3] = d ^ x[3];
406}
407
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]408/*
409 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
410 *
411 * We chose to store bytes into 32-bit words in little-endian format (see
412 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
413 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]414static void
415aria_rot128(uint32_t r[4], const uint32_t a[4], const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]416{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]417 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418 uint32_t t, u;
419
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]420 const uint8_t n1 = n % 32; // bit offset
421 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]422
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]423 j = (n / 32) % 4; // initial word offset
424 t = ARIA_P3(b[j]); // big endian
425 for (i = 0; i < 4; i++) {
426 j = (j + 1) % 4; // get next word, big endian
427 u = ARIA_P3(b[j]);
428 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]429 t |= u >> n2;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]430 t = ARIA_P3(t); // back to little endian
431 r[i] = a[i] ^ t; // store
432 t = u; // move to next word
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433 }
434}
435
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]436/*
437 * Set encryption key
438 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]439int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
440 const unsigned char *key,
441 unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]442{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]443 /* round constant masks */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]444 const uint32_t rc[3][4] = {
445 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
446 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
447 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448 };
449
450 int i;
451 uint32_t w[4][4], *w2;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]452 ARIA_VALIDATE_RET(ctx != NULL);
453 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]454
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]455 if (keybits != 128 && keybits != 192 && keybits != 256)
456 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]457
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]458 /* Copy key to W0 (and potential remainder to W1) */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]459 GET_UINT32_LE(w[0][0], key, 0);
460 GET_UINT32_LE(w[0][1], key, 4);
461 GET_UINT32_LE(w[0][2], key, 8);
462 GET_UINT32_LE(w[0][3], key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]463
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]464 memset(w[1], 0, 16);
465 if (keybits >= 192) {
466 GET_UINT32_LE(w[1][0], key, 16); // 192 bit key
467 GET_UINT32_LE(w[1][1], key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]468 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]469 if (keybits == 256) {
470 GET_UINT32_LE(w[1][2], key, 24); // 256 bit key
471 GET_UINT32_LE(w[1][3], key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]472 }
473
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]474 i = (keybits - 128) >> 6; // index: 0, 1, 2
475 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]477 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]478 i = i < 2 ? i + 1 : 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]479 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]480 i = i < 2 ? i + 1 : 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]481 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]482
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]483 for (i = 0; i < 4; i++) // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]484 {
485 w2 = w[(i + 1) & 3];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]486 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
487 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
488 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
489 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]491 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]492
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]493 /* w holds enough info to reconstruct the round keys */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]494 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]495
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]496 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]497}
498
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]499/*
500 * Set decryption key
501 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]502int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
503 const unsigned char *key,
504 unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]505{
506 int i, j, k, ret;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]507 ARIA_VALIDATE_RET(ctx != NULL);
508 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]509
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]510 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
511 if (ret != 0)
512 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]513
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]514 /* flip the order of round keys */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]515 for (i = 0, j = ctx->nr; i < j; i++, j--) {
516 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]517 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]518 ctx->rk[i][k] = ctx->rk[j][k];
519 ctx->rk[j][k] = t;
520 }
521 }
522
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]523 /* apply affine transform to middle keys */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]524 for (i = 1; i < ctx->nr; i++) {
525 aria_a(&ctx->rk[i][0], &ctx->rk[i][1], &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]526 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]527
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]528 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]529}
530
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]531/*
532 * Encrypt a block
533 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]534int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
535 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
536 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]537{
538 int i;
539
540 uint32_t a, b, c, d;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]541 ARIA_VALIDATE_RET(ctx != NULL);
542 ARIA_VALIDATE_RET(input != NULL);
543 ARIA_VALIDATE_RET(output != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]544
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]545 GET_UINT32_LE(a, input, 0);
546 GET_UINT32_LE(b, input, 4);
547 GET_UINT32_LE(c, input, 8);
548 GET_UINT32_LE(d, input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]549
550 i = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]551 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]552 a ^= ctx->rk[i][0];
553 b ^= ctx->rk[i][1];
554 c ^= ctx->rk[i][2];
555 d ^= ctx->rk[i][3];
556 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]557
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]558 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
559 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]560
561 a ^= ctx->rk[i][0];
562 b ^= ctx->rk[i][1];
563 c ^= ctx->rk[i][2];
564 d ^= ctx->rk[i][3];
565 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]566
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]567 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
568 if (i >= ctx->nr)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]569 break;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]570 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]571 }
572
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]573 /* final key mixing */
574 a ^= ctx->rk[i][0];
575 b ^= ctx->rk[i][1];
576 c ^= ctx->rk[i][2];
577 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]578
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]579 PUT_UINT32_LE(a, output, 0);
580 PUT_UINT32_LE(b, output, 4);
581 PUT_UINT32_LE(c, output, 8);
582 PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]583
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]584 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]585}
586
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]587/* Initialize context */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]588void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]589{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]590 ARIA_VALIDATE(ctx != NULL);
591 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]592}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]593
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]594/* Clear context */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]595void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]596{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]597 if (ctx == NULL)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]598 return;
599
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]600 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]601}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]602
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]603# if defined(MBEDTLS_CIPHER_MODE_CBC)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]604/*
605 * ARIA-CBC buffer encryption/decryption
606 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]607int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
608 int mode,
609 size_t length,
610 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
611 const unsigned char *input,
612 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]613{
614 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]615 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]616
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]617 ARIA_VALIDATE_RET(ctx != NULL);
618 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
619 mode == MBEDTLS_ARIA_DECRYPT);
620 ARIA_VALIDATE_RET(length == 0 || input != NULL);
621 ARIA_VALIDATE_RET(length == 0 || output != NULL);
622 ARIA_VALIDATE_RET(iv != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]623
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]624 if (length % MBEDTLS_ARIA_BLOCKSIZE)
625 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]626
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]627 if (mode == MBEDTLS_ARIA_DECRYPT) {
628 while (length > 0) {
629 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
630 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]631
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]632 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
633 output[i] = (unsigned char)(output[i] ^ iv[i]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]634
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]635 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]636
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]637 input += MBEDTLS_ARIA_BLOCKSIZE;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]638 output += MBEDTLS_ARIA_BLOCKSIZE;
639 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]640 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]641 } else {
642 while (length > 0) {
643 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++)
644 output[i] = (unsigned char)(input[i] ^ iv[i]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]645
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]646 mbedtls_aria_crypt_ecb(ctx, output, output);
647 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]648
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]649 input += MBEDTLS_ARIA_BLOCKSIZE;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]650 output += MBEDTLS_ARIA_BLOCKSIZE;
651 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]652 }
653 }
654
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]655 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]656}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]657# endif /* MBEDTLS_CIPHER_MODE_CBC */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]658
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]659# if defined(MBEDTLS_CIPHER_MODE_CFB)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]660/*
661 * ARIA-CFB128 buffer encryption/decryption
662 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]663int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
664 int mode,
665 size_t length,
666 size_t *iv_off,
667 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
668 const unsigned char *input,
669 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]670{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]671 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]672 size_t n;
673
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]674 ARIA_VALIDATE_RET(ctx != NULL);
675 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
676 mode == MBEDTLS_ARIA_DECRYPT);
677 ARIA_VALIDATE_RET(length == 0 || input != NULL);
678 ARIA_VALIDATE_RET(length == 0 || output != NULL);
679 ARIA_VALIDATE_RET(iv != NULL);
680 ARIA_VALIDATE_RET(iv_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]681
682 n = *iv_off;
683
684 /* An overly large value of n can lead to an unlimited
685 * buffer overflow. Therefore, guard against this
686 * outside of parameter validation. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]687 if (n >= MBEDTLS_ARIA_BLOCKSIZE)
688 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]689
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]690 if (mode == MBEDTLS_ARIA_DECRYPT) {
691 while (length--) {
692 if (n == 0)
693 mbedtls_aria_crypt_ecb(ctx, iv, iv);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]694
695 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]696 *output++ = c ^ iv[n];
697 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]698
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]699 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]700 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]701 } else {
702 while (length--) {
703 if (n == 0)
704 mbedtls_aria_crypt_ecb(ctx, iv, iv);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]705
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]706 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]707
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]708 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]709 }
710 }
711
712 *iv_off = n;
713
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]714 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]715}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]716# endif /* MBEDTLS_CIPHER_MODE_CFB */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]717
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]718# if defined(MBEDTLS_CIPHER_MODE_CTR)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]719/*
720 * ARIA-CTR buffer encryption/decryption
721 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]722int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
723 size_t length,
724 size_t *nc_off,
725 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
726 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
727 const unsigned char *input,
728 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]729{
730 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]731 size_t n;
732
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]733 ARIA_VALIDATE_RET(ctx != NULL);
734 ARIA_VALIDATE_RET(length == 0 || input != NULL);
735 ARIA_VALIDATE_RET(length == 0 || output != NULL);
736 ARIA_VALIDATE_RET(nonce_counter != NULL);
737 ARIA_VALIDATE_RET(stream_block != NULL);
738 ARIA_VALIDATE_RET(nc_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]739
740 n = *nc_off;
741 /* An overly large value of n can lead to an unlimited
742 * buffer overflow. Therefore, guard against this
743 * outside of parameter validation. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]744 if (n >= MBEDTLS_ARIA_BLOCKSIZE)
745 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]746
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]747 while (length--) {
748 if (n == 0) {
749 mbedtls_aria_crypt_ecb(ctx, nonce_counter, stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]750
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]751 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--)
752 if (++nonce_counter[i - 1] != 0)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]753 break;
754 }
755 c = *input++;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]756 *output++ = (unsigned char)(c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]757
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]758 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]759 }
760
761 *nc_off = n;
762
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]763 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]764}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]765# endif /* MBEDTLS_CIPHER_MODE_CTR */
766# endif /* !MBEDTLS_ARIA_ALT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]767
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]768# if defined(MBEDTLS_SELF_TEST)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]769
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]770/*
771 * Basic ARIA ECB test vectors from RFC 5794
772 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]773static const uint8_t aria_test1_ecb_key[32] = // test key
774 {
775 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
776 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
777 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
778 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
779 };
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]780
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]781static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
782 {
783 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
784 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
785 };
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]786
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]787static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
788 { { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
789 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
790 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
791 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
792 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
793 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC } };
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]794
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]795/*
796 * Mode tests from "Test Vectors for ARIA" Version 1.0
797 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
798 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]799# if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
800 defined(MBEDTLS_CIPHER_MODE_CFB) || \
801 defined(MBEDTLS_CIPHER_MODE_CTR))
802static const uint8_t aria_test2_key[32] = {
803 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]804 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]805 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
806 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]807};
808
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]809static const uint8_t aria_test2_pt[48] = {
810 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
811 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb, 0x11, 0x11,
812 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc, 0x11, 0x11, 0x11, 0x11,
813 0xdd, 0xdd, 0xdd, 0xdd, 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa,
814 0xaa, 0xaa, 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]815};
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]816# endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]817
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]818# if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
819 defined(MBEDTLS_CIPHER_MODE_CFB))
820static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] = {
821 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
822 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]823};
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]824# endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]825
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]826# if defined(MBEDTLS_CIPHER_MODE_CBC)
827static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
828 { { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
829 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34, 0xfa, 0xdf,
830 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64, 0x5f, 0xba, 0x75, 0x01,
831 0x8b, 0xdb, 0x15, 0x38, 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf,
832 0x7d, 0x4c, 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
833 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
834 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f, 0x4e, 0x4f,
835 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1, 0xe0, 0x96, 0x2b, 0x80,
836 0x90, 0x23, 0x86, 0xd5, 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59,
837 0xde, 0x92, 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
838 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
839 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab, 0x7b, 0x9b,
840 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef, 0xb9, 0x6e, 0x23, 0xb1,
841 0x3f, 0x0a, 0x6e, 0x52, 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0,
842 0x02, 0xc5, 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b } };
843# endif /* MBEDTLS_CIPHER_MODE_CBC */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]844
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]845# if defined(MBEDTLS_CIPHER_MODE_CFB)
846static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
847 { { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
848 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00, 0xc0, 0x7c,
849 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a, 0x5d, 0x13, 0x25, 0x00,
850 0xa6, 0x82, 0x85, 0x01, 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7,
851 0xca, 0x96, 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
852 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
853 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c, 0x4d, 0x87,
854 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94, 0x48, 0x47, 0x7c, 0x6e,
855 0xcc, 0x20, 0x13, 0x59, 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8,
856 0xc3, 0x86, 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
857 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
858 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35, 0xf2, 0x8b,
859 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70, 0xec, 0x1e, 0x0b, 0xdb,
860 0x08, 0x2b, 0x66, 0xfa, 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe,
861 0x30, 0x0c, 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 } };
862# endif /* MBEDTLS_CIPHER_MODE_CFB */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]863
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]864# if defined(MBEDTLS_CIPHER_MODE_CTR)
865static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
866 { { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
867 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1, 0x14, 0x97,
868 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1, 0x56, 0x9e, 0x91, 0xe5,
869 0xb5, 0xcc, 0xae, 0x2f, 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f,
870 0x45, 0x71, 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
871 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
872 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce, 0xf4, 0xd1,
873 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde, 0x14, 0x08, 0x2d, 0xbb,
874 0xa7, 0x56, 0x0b, 0x79, 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70,
875 0x7d, 0xce, 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
876 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
877 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2, 0xf0, 0x69,
878 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89, 0xe2, 0xa3, 0x0e, 0xa8,
879 0x6a, 0xa3, 0xc8, 0x8f, 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee,
880 0x41, 0xd7, 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 } };
881# endif /* MBEDTLS_CIPHER_MODE_CFB */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]882
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]883# define ARIA_SELF_TEST_IF_FAIL \
884 { \
885 if (verbose) \
886 mbedtls_printf("failed\n"); \
887 goto exit; \
888 } \
889 else \
890 { \
891 if (verbose) \
892 mbedtls_printf("passed\n"); \
893 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]894
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]895/*
896 * Checkup routine
897 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]898int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]899{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]900 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]901 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]902 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]903 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]904
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]905# if (defined(MBEDTLS_CIPHER_MODE_CFB) || \
906 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]907 size_t j;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]908# endif
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]909
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]910# if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
911 defined(MBEDTLS_CIPHER_MODE_CFB) || \
912 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]913 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]914# endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]915
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]916 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]917
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]918 /*
919 * Test set 1
920 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]921 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]922 /* test ECB encryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]923 if (verbose)
924 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
925 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
926 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
927 if (memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]928 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]929
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]930 /* test ECB decryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]931 if (verbose)
932 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
933 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
934 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
935 if (memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]936 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]937 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]938 if (verbose)
939 mbedtls_printf("\n");
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]940
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]941 /*
942 * Test set 2
943 */
944# if defined(MBEDTLS_CIPHER_MODE_CBC)
945 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]946 /* Test CBC encryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]947 if (verbose)
948 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
949 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
950 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
951 memset(buf, 0x55, sizeof(buf));
952 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
953 aria_test2_pt, buf);
954 if (memcmp(buf, aria_test2_cbc_ct[i], 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]955 ARIA_SELF_TEST_IF_FAIL;
956
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]957 /* Test CBC decryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]958 if (verbose)
959 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
960 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
961 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
962 memset(buf, 0xAA, sizeof(buf));
963 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
964 aria_test2_cbc_ct[i], buf);
965 if (memcmp(buf, aria_test2_pt, 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]966 ARIA_SELF_TEST_IF_FAIL;
967 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]968 if (verbose)
969 mbedtls_printf("\n");
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]970
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]971# endif /* MBEDTLS_CIPHER_MODE_CBC */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]972
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]973# if defined(MBEDTLS_CIPHER_MODE_CFB)
974 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]975 /* Test CFB encryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]976 if (verbose)
977 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
978 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
979 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
980 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]981 j = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]982 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
983 aria_test2_pt, buf);
984 if (memcmp(buf, aria_test2_cfb_ct[i], 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]985 ARIA_SELF_TEST_IF_FAIL;
986
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]987 /* Test CFB decryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]988 if (verbose)
989 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
990 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
991 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
992 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]993 j = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]994 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j, iv,
995 aria_test2_cfb_ct[i], buf);
996 if (memcmp(buf, aria_test2_pt, 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]997 ARIA_SELF_TEST_IF_FAIL;
998 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]999 if (verbose)
1000 mbedtls_printf("\n");
1001# endif /* MBEDTLS_CIPHER_MODE_CFB */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1002
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1003# if defined(MBEDTLS_CIPHER_MODE_CTR)
1004 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1005 /* Test CTR encryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1006 if (verbose)
1007 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
1008 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1009 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1010 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1011 j = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1012 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, aria_test2_pt, buf);
1013 if (memcmp(buf, aria_test2_ctr_ct[i], 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1014 ARIA_SELF_TEST_IF_FAIL;
1015
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1016 /* Test CTR decryption */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1017 if (verbose)
1018 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
1019 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1020 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1021 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1022 j = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1023 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk, aria_test2_ctr_ct[i],
1024 buf);
1025 if (memcmp(buf, aria_test2_pt, 48) != 0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1026 ARIA_SELF_TEST_IF_FAIL;
1027 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1028 if (verbose)
1029 mbedtls_printf("\n");
1030# endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1031
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]1032 ret = 0;
1033
1034exit:
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1035 mbedtls_aria_free(&ctx);
1036 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1037}
1038
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1039# endif /* MBEDTLS_SELF_TEST */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1040
1041#endif /* MBEDTLS_ARIA_C */