TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ccbbb2c501d77d03c84303dbf366cc74dcc3f2fb / . / library / aria.c
blob: a5786b37ab3872269e7618286b8ff3afd58b0452 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
30#include "mbedtls/aria.h"
31
32#include <string.h>
33
34#if defined(MBEDTLS_SELF_TEST)
35#if defined(MBEDTLS_PLATFORM_C)
36#include "mbedtls/platform.h"
37#else
38#include <stdio.h>
39#define mbedtls_printf printf
40#endif /* MBEDTLS_PLATFORM_C */
41#endif /* MBEDTLS_SELF_TEST */
42
43#if !defined(MBEDTLS_ARIA_ALT)
44
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]45#include "mbedtls/platform_util.h"
46
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]47#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
48 !defined(inline) && !defined(__cplusplus)
49#define inline __inline
50#endif
51
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]52/* Parameter validation macros */
53#define ARIA_VALIDATE_RET( cond ) \
54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
55#define ARIA_VALIDATE( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE( cond )
57
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]61#ifndef GET_UINT32_LE
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]62#define GET_UINT32_LE( n, b, i ) \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]63{ \
64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
68}
69#endif
70
71#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]72#define PUT_UINT32_LE( n, b, i ) \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
78}
79#endif
80
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]81/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]82 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]83 *
84 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]85 *
86 * Common compilers fail to translate this to minimal number of instructions,
87 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]88 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]89#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]90#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]91/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
92#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]93 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
94 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]95static inline uint32_t aria_p1( uint32_t x )
96{
97 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]98 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]99 return( r );
100}
101#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]102#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
103 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]104static inline uint32_t aria_p1( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]105{
106 uint32_t r;
107 __asm( "rev16 r, x" );
108 return( r );
109}
110#define ARIA_P1 aria_p1
111#endif
112#endif /* arm */
113#if defined(__GNUC__) && \
114 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]115/* I couldn't find an Intel equivalent of rev16, so two instructions */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]116#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]117#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]118#endif /* MBEDTLS_HAVE_ASM && GNUC */
119#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]120#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]121#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]122
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]123/*
124 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
125 *
126 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]127 *
128 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]129 */
130#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]131
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]132/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]133 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
134 *
135 * This is submatrix P3 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]136 *
137 * Some compilers fail to translate this to a single instruction,
138 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]139 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]140#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]141#if defined(__arm__) /* rev available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]142/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
143#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]144 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
145 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]146static inline uint32_t aria_p3( uint32_t x )
147{
148 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]149 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]150 return( r );
151}
152#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]153#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
154 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]155static inline uint32_t aria_p3( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]156{
157 uint32_t r;
158 __asm( "rev r, x" );
159 return( r );
160}
161#define ARIA_P3 aria_p3
162#endif
163#endif /* arm */
164#if defined(__GNUC__) && \
165 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]166static inline uint32_t aria_p3( uint32_t x )
167{
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]168 __asm( "bswap %0" : "=r" (x) : "0" (x) );
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]169 return( x );
170}
171#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]172#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]173#endif /* MBEDTLS_HAVE_ASM && GNUC */
174#if !defined(ARIA_P3)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]175#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]176#endif
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]177
178/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]179 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]180 * (a, b, c, d) = state in/out
181 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]182 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]183 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
184 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]185 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]186 * rearrangements on adjacent pairs, output is:
187 *
188 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
189 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]190 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]191 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]192 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]193 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]194 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]195 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
196 *
197 * Note: another presentation of the A transform can be found as the first
198 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
199 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]200 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]201static inline void aria_a( uint32_t *a, uint32_t *b,
202 uint32_t *c, uint32_t *d )
203{
204 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]205 ta = *b; // 4567
206 *b = *a; // 0123
207 *a = ARIA_P2( ta ); // 6745
208 tb = ARIA_P2( *d ); // efcd
209 *d = ARIA_P1( *c ); // 98ba
210 *c = ARIA_P1( tb ); // fedc
211 ta ^= *d; // 4567+98ba
212 tc = ARIA_P2( *b ); // 2301
213 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
214 tb ^= ARIA_P2( *d ); // ba98+efcd
215 tc ^= ARIA_P1( *a ); // 2301+7654
216 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
217 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
218 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
219 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
220 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
221 tc = ARIA_P2( tc ); // 0123+5476
222 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]223}
224
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]225/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]226 * ARIA Substitution Layer SL1 / SL2
227 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]228 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]229 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]230 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
231 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]232 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]233static inline void aria_sl( uint32_t *a, uint32_t *b,
234 uint32_t *c, uint32_t *d,
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]235 const uint8_t sa[256], const uint8_t sb[256],
236 const uint8_t sc[256], const uint8_t sd[256] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]237{
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]238 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]239 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
240 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
241 (((uint32_t) sd[ *a >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]242 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]243 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
244 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
245 (((uint32_t) sd[ *b >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]246 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]247 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
248 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
249 (((uint32_t) sd[ *c >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]250 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]251 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
252 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
253 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]254}
255
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]256/*
257 * S-Boxes
258 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]259static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]260{
261 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
262 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
263 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
264 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
265 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
266 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
267 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
268 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
269 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
270 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
271 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
272 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
273 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
274 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
275 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
276 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
277 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
278 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
279 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
280 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
281 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
282 0xB0, 0x54, 0xBB, 0x16
283};
284
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]285static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286{
287 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
288 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
289 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
290 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
291 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
292 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
293 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
294 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
295 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
296 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
297 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
298 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
299 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
300 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
301 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
302 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
303 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
304 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
305 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
306 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
307 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
308 0xAF, 0xBA, 0xB5, 0x81
309};
310
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]311static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]312{
313 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
314 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
315 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
316 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
317 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
318 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
319 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
320 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
321 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
322 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
323 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
324 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
325 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
326 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
327 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
328 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
329 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
330 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
331 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
332 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
333 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
334 0x55, 0x21, 0x0C, 0x7D
335};
336
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]337static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]338{
339 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
340 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
341 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
342 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
343 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
344 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
345 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
346 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
347 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
348 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
349 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
350 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
351 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
352 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
353 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
354 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
355 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
356 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
357 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
358 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
359 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
360 0x03, 0xA2, 0xAC, 0x60
361};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]362
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]363/*
364 * Helper for key schedule: r = FO( p, k ) ^ x
365 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]366static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
367 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]368{
369 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]370
371 a = p[0] ^ k[0];
372 b = p[1] ^ k[1];
373 c = p[2] ^ k[2];
374 d = p[3] ^ k[3];
375
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]376 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
377 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]378
379 r[0] = a ^ x[0];
380 r[1] = b ^ x[1];
381 r[2] = c ^ x[2];
382 r[3] = d ^ x[3];
383}
384
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]385/*
386 * Helper for key schedule: r = FE( p, k ) ^ x
387 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]388static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
389 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]390{
391 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]392
393 a = p[0] ^ k[0];
394 b = p[1] ^ k[1];
395 c = p[2] ^ k[2];
396 d = p[3] ^ k[3];
397
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]398 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
399 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]400
401 r[0] = a ^ x[0];
402 r[1] = b ^ x[1];
403 r[2] = c ^ x[2];
404 r[3] = d ^ x[3];
405}
406
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]407/*
408 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
409 *
410 * We chose to store bytes into 32-bit words in little-endian format (see
411 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
412 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]413static void aria_rot128( uint32_t r[4], const uint32_t a[4],
414 const uint32_t b[4], uint8_t n )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]415{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]416 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]417 uint32_t t, u;
418
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]419 const uint8_t n1 = n % 32; // bit offset
420 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]421
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]422 j = ( n / 32 ) % 4; // initial word offset
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]423 t = ARIA_P3( b[j] ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]424 for( i = 0; i < 4; i++ )
425 {
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]426 j = ( j + 1 ) % 4; // get next word, big endian
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]427 u = ARIA_P3( b[j] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]428 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]429 t |= u >> n2;
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]430 t = ARIA_P3( t ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]431 r[i] = a[i] ^ t; // store
432 t = u; // move to next word
433 }
434}
435
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]436/*
437 * Set encryption key
438 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]439int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
440 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]441{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]442 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443 const uint32_t rc[3][4] =
444 {
445 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
446 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
447 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
448 };
449
450 int i;
451 uint32_t w[4][4], *w2;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]452 ARIA_VALIDATE_RET( ctx != NULL );
453 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]454
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]455 if( keybits != 128 && keybits != 192 && keybits != 256 )
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]456 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]457
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]458 /* Copy key to W0 (and potential remainder to W1) */
459 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]460 GET_UINT32_LE( w[0][1], key, 4 );
461 GET_UINT32_LE( w[0][2], key, 8 );
462 GET_UINT32_LE( w[0][3], key, 12 );
463
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]464 memset( w[1], 0, 16 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]465 if( keybits >= 192 )
466 {
467 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
468 GET_UINT32_LE( w[1][1], key, 20 );
469 }
470 if( keybits == 256 )
471 {
472 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
473 GET_UINT32_LE( w[1][3], key, 28 );
474 }
475
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]476 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]477 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
478
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]479 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]480 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]481 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]482 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]483 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]484
485 for( i = 0; i < 4; i++ ) // create round keys
486 {
487 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]488 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
489 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
490 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
491 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]492 }
493 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
494
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]495 /* w holds enough info to reconstruct the round keys */
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]496 mbedtls_platform_zeroize( w, sizeof( w ) );
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]497
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]498 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]499}
500
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]501/*
502 * Set decryption key
503 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]504int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
505 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]506{
507 int i, j, k, ret;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]508 ARIA_VALIDATE_RET( ctx != NULL );
509 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]510
511 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
512 if( ret != 0 )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]513 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]514
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]515 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]516 for( i = 0, j = ctx->nr; i < j; i++, j-- )
517 {
518 for( k = 0; k < 4; k++ )
519 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]520 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]521 ctx->rk[i][k] = ctx->rk[j][k];
522 ctx->rk[j][k] = t;
523 }
524 }
525
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]526 /* apply affine transform to middle keys */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]527 for( i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]528 {
529 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
530 &ctx->rk[i][2], &ctx->rk[i][3] );
531 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]532
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]533 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]534}
535
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]536/*
537 * Encrypt a block
538 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]539int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]540 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
541 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]542{
543 int i;
544
545 uint32_t a, b, c, d;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]546 ARIA_VALIDATE_RET( ctx != NULL );
547 ARIA_VALIDATE_RET( input != NULL );
548 ARIA_VALIDATE_RET( output != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]549
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]550 GET_UINT32_LE( a, input, 0 );
551 GET_UINT32_LE( b, input, 4 );
552 GET_UINT32_LE( c, input, 8 );
553 GET_UINT32_LE( d, input, 12 );
554
555 i = 0;
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]556 while( 1 )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]557 {
558 a ^= ctx->rk[i][0];
559 b ^= ctx->rk[i][1];
560 c ^= ctx->rk[i][2];
561 d ^= ctx->rk[i][3];
562 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]563
564 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
565 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]566
567 a ^= ctx->rk[i][0];
568 b ^= ctx->rk[i][1];
569 c ^= ctx->rk[i][2];
570 d ^= ctx->rk[i][3];
571 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]572
573 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]574 if( i >= ctx->nr )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]575 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]576 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]577 }
578
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]579 /* final key mixing */
580 a ^= ctx->rk[i][0];
581 b ^= ctx->rk[i][1];
582 c ^= ctx->rk[i][2];
583 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]584
585 PUT_UINT32_LE( a, output, 0 );
586 PUT_UINT32_LE( b, output, 4 );
587 PUT_UINT32_LE( c, output, 8 );
588 PUT_UINT32_LE( d, output, 12 );
589
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]590 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]591}
592
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]593/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]594void mbedtls_aria_init( mbedtls_aria_context *ctx )
595{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]596 ARIA_VALIDATE( ctx != NULL );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]597 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
598}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]599
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]600/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]601void mbedtls_aria_free( mbedtls_aria_context *ctx )
602{
603 if( ctx == NULL )
604 return;
605
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]606 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]607}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]608
609#if defined(MBEDTLS_CIPHER_MODE_CBC)
610/*
611 * ARIA-CBC buffer encryption/decryption
612 */
613int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]614 int mode,
615 size_t length,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]616 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]617 const unsigned char *input,
618 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]619{
620 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]621 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]622
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]623 ARIA_VALIDATE_RET( ctx != NULL );
624 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
625 mode == MBEDTLS_ARIA_DECRYPT );
626 ARIA_VALIDATE_RET( length == 0 || input != NULL );
627 ARIA_VALIDATE_RET( length == 0 || output != NULL );
628 ARIA_VALIDATE_RET( iv != NULL );
629
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]630 if( length % MBEDTLS_ARIA_BLOCKSIZE )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]631 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
632
633 if( mode == MBEDTLS_ARIA_DECRYPT )
634 {
635 while( length > 0 )
636 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]637 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]638 mbedtls_aria_crypt_ecb( ctx, input, output );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]639
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]640 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]641 output[i] = (unsigned char)( output[i] ^ iv[i] );
642
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]643 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]644
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]645 input += MBEDTLS_ARIA_BLOCKSIZE;
646 output += MBEDTLS_ARIA_BLOCKSIZE;
647 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]648 }
649 }
650 else
651 {
652 while( length > 0 )
653 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]654 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]655 output[i] = (unsigned char)( input[i] ^ iv[i] );
656
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]657 mbedtls_aria_crypt_ecb( ctx, output, output );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]658 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]659
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]660 input += MBEDTLS_ARIA_BLOCKSIZE;
661 output += MBEDTLS_ARIA_BLOCKSIZE;
662 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]663 }
664 }
665
666 return( 0 );
667}
668#endif /* MBEDTLS_CIPHER_MODE_CBC */
669
670#if defined(MBEDTLS_CIPHER_MODE_CFB)
671/*
672 * ARIA-CFB128 buffer encryption/decryption
673 */
674int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]675 int mode,
676 size_t length,
677 size_t *iv_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]678 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]679 const unsigned char *input,
680 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]681{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]682 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]683 size_t n;
684
685 ARIA_VALIDATE_RET( ctx != NULL );
686 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
687 mode == MBEDTLS_ARIA_DECRYPT );
688 ARIA_VALIDATE_RET( length == 0 || input != NULL );
689 ARIA_VALIDATE_RET( length == 0 || output != NULL );
690 ARIA_VALIDATE_RET( iv != NULL );
691 ARIA_VALIDATE_RET( iv_off != NULL );
692
693 n = *iv_off;
694
695 /* An overly large value of n can lead to an unlimited
696 * buffer overflow. Therefore, guard against this
697 * outside of parameter validation. */
698 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
699 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]700
701 if( mode == MBEDTLS_ARIA_DECRYPT )
702 {
703 while( length-- )
704 {
705 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]706 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]707
708 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]709 *output++ = c ^ iv[n];
710 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]711
712 n = ( n + 1 ) & 0x0F;
713 }
714 }
715 else
716 {
717 while( length-- )
718 {
719 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]720 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]721
722 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
723
724 n = ( n + 1 ) & 0x0F;
725 }
726 }
727
728 *iv_off = n;
729
730 return( 0 );
731}
732#endif /* MBEDTLS_CIPHER_MODE_CFB */
733
734#if defined(MBEDTLS_CIPHER_MODE_CTR)
735/*
736 * ARIA-CTR buffer encryption/decryption
737 */
738int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]739 size_t length,
740 size_t *nc_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]741 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
742 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]743 const unsigned char *input,
744 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]745{
746 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]747 size_t n;
748
749 ARIA_VALIDATE_RET( ctx != NULL );
750 ARIA_VALIDATE_RET( length == 0 || input != NULL );
751 ARIA_VALIDATE_RET( length == 0 || output != NULL );
752 ARIA_VALIDATE_RET( nonce_counter != NULL );
753 ARIA_VALIDATE_RET( stream_block != NULL );
754 ARIA_VALIDATE_RET( nc_off != NULL );
755
756 n = *nc_off;
757 /* An overly large value of n can lead to an unlimited
758 * buffer overflow. Therefore, guard against this
759 * outside of parameter validation. */
760 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
761 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]762
763 while( length-- )
764 {
765 if( n == 0 ) {
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]766 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]767 stream_block );
768
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]769 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]770 if( ++nonce_counter[i - 1] != 0 )
771 break;
772 }
773 c = *input++;
774 *output++ = (unsigned char)( c ^ stream_block[n] );
775
776 n = ( n + 1 ) & 0x0F;
777 }
778
779 *nc_off = n;
780
781 return( 0 );
782}
783#endif /* MBEDTLS_CIPHER_MODE_CTR */
784#endif /* !MBEDTLS_ARIA_ALT */
785
786#if defined(MBEDTLS_SELF_TEST)
787
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]788/*
789 * Basic ARIA ECB test vectors from RFC 5794
790 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]791static const uint8_t aria_test1_ecb_key[32] = // test key
792{
793 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
794 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
795 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
796 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
797};
798
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]799static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]800{
801 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
802 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
803};
804
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]805static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]806{
807 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
808 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
809 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
810 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
811 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
812 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
813};
814
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]815/*
816 * Mode tests from "Test Vectors for ARIA" Version 1.0
817 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
818 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]819#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]820 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]821static const uint8_t aria_test2_key[32] =
822{
823 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
824 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
825 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
826 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
827};
828
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]829static const uint8_t aria_test2_pt[48] =
830{
831 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
832 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
833 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
834 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
835 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
836 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
837};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]838#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]839
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]840#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]841static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]842{
843 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
844 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
845};
846#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]847
848#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]849static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]850{
851 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
852 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
853 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
854 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
855 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
856 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
857 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
858 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
859 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
860 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
861 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
862 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
863 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
864 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
865 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
866 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
867 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
868 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
869};
870#endif /* MBEDTLS_CIPHER_MODE_CBC */
871
872#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]873static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]874{
875 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
876 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
877 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
878 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
879 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
880 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
881 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
882 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
883 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
884 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
885 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
886 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
887 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
888 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
889 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
890 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
891 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
892 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
893};
894#endif /* MBEDTLS_CIPHER_MODE_CFB */
895
896#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]897static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]898{
899 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
900 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
901 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
902 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
903 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
904 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
905 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
906 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
907 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
908 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
909 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
910 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
911 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
912 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
913 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
914 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
915 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
916 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
917};
918#endif /* MBEDTLS_CIPHER_MODE_CFB */
919
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]920#define ARIA_SELF_TEST_IF_FAIL \
921 { \
922 if( verbose ) \
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]923 mbedtls_printf( "failed\n" ); \
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame^]924 goto exit; \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]925 } else { \
926 if( verbose ) \
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]927 mbedtls_printf( "passed\n" ); \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]928 }
929
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]930/*
931 * Checkup routine
932 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]933int mbedtls_aria_self_test( int verbose )
934{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]935 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]936 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]937 mbedtls_aria_context ctx;
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame^]938 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]939
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]940#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
941 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]942#endif
943
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]944#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
945 defined(MBEDTLS_CIPHER_MODE_CFB) || \
946 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]947 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]948#endif
949
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame^]950 mbedtls_aria_init( &ctx );
951
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]952 /*
953 * Test set 1
954 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]955 for( i = 0; i < 3; i++ )
956 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]957 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]958 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]959 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]960 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]961 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]962 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]963 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]964
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]965 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]966 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]967 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]968 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]969 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]970 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]971 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]972 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]973 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]974 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]975
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]976 /*
977 * Test set 2
978 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]979#if defined(MBEDTLS_CIPHER_MODE_CBC)
980 for( i = 0; i < 3; i++ )
981 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]982 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]983 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]984 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]985 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]986 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]987 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]988 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
989 aria_test2_pt, buf );
990 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
991 ARIA_SELF_TEST_IF_FAIL;
992
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]993 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]994 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]995 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]996 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]997 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]998 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]999 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
1000 aria_test2_cbc_ct[i], buf );
1001 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1002 ARIA_SELF_TEST_IF_FAIL;
1003 }
1004 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1005 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1006
1007#endif /* MBEDTLS_CIPHER_MODE_CBC */
1008
1009#if defined(MBEDTLS_CIPHER_MODE_CFB)
1010 for( i = 0; i < 3; i++ )
1011 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1012 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1013 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1014 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1015 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1016 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1017 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1018 j = 0;
1019 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
1020 aria_test2_pt, buf );
1021 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
1022 ARIA_SELF_TEST_IF_FAIL;
1023
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1024 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1025 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1026 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1027 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1028 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1029 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1030 j = 0;
1031 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1032 iv, aria_test2_cfb_ct[i], buf );
1033 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1034 ARIA_SELF_TEST_IF_FAIL;
1035 }
1036 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1037 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1038#endif /* MBEDTLS_CIPHER_MODE_CFB */
1039
1040#if defined(MBEDTLS_CIPHER_MODE_CTR)
1041 for( i = 0; i < 3; i++ )
1042 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1043 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1044 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1045 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1046 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1047 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1048 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1049 j = 0;
1050 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1051 aria_test2_pt, buf );
1052 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1053 ARIA_SELF_TEST_IF_FAIL;
1054
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1055 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1056 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1057 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1058 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1059 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1060 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1061 j = 0;
1062 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1063 aria_test2_ctr_ct[i], buf );
1064 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1065 ARIA_SELF_TEST_IF_FAIL;
1066 }
1067 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1068 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1069#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1070
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame^]1071 ret = 0;
1072
1073exit:
1074 mbedtls_aria_free( &ctx );
1075 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1076}
1077
1078#endif /* MBEDTLS_SELF_TEST */
1079
1080#endif /* MBEDTLS_ARIA_C */