TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e4627f34dac421f43f41b4cf2c2184cdfeb97d01 / . / library / aria.c
blob: 5e52eea91ecd7bcee4d64fad41e673915d6ae93b [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]18 */
19
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]20/*
21 * This implementation is based on the following standards:
22 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
23 * [2] https://tools.ietf.org/html/rfc5794
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]27
28#if defined(MBEDTLS_ARIA_C)
29
30#include "mbedtls/aria.h"
31
32#include <string.h>
33
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]34#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]35
36#if !defined(MBEDTLS_ARIA_ALT)
37
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]38#include "mbedtls/platform_util.h"
39
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]40/* Parameter validation macros */
41#define ARIA_VALIDATE_RET( cond ) \
42 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
43#define ARIA_VALIDATE( cond ) \
44 MBEDTLS_INTERNAL_VALIDATE( cond )
45
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]46/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]47 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]48 *
49 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]50 *
51 * Common compilers fail to translate this to minimal number of instructions,
52 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]53 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]54#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]55#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
57#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]58 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
59 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]60static inline uint32_t aria_p1( uint32_t x )
61{
62 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]63 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]64 return( r );
65}
66#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]67#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
68 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]69static inline uint32_t aria_p1( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]70{
71 uint32_t r;
72 __asm( "rev16 r, x" );
73 return( r );
74}
75#define ARIA_P1 aria_p1
76#endif
77#endif /* arm */
78#if defined(__GNUC__) && \
79 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]80/* I couldn't find an Intel equivalent of rev16, so two instructions */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]81#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]82#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]83#endif /* MBEDTLS_HAVE_ASM && GNUC */
84#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]85#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]86#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]87
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]88/*
89 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
90 *
91 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]92 *
93 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]94 */
95#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]96
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]97/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]98 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
99 *
100 * This is submatrix P3 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]101 *
102 * Some compilers fail to translate this to a single instruction,
103 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]104 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]105#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]106#if defined(__arm__) /* rev available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]107/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
108#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]109 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
110 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]111static inline uint32_t aria_p3( uint32_t x )
112{
113 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]114 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]115 return( r );
116}
117#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]118#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
119 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]120static inline uint32_t aria_p3( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]121{
122 uint32_t r;
123 __asm( "rev r, x" );
124 return( r );
125}
126#define ARIA_P3 aria_p3
127#endif
128#endif /* arm */
129#if defined(__GNUC__) && \
130 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]131static inline uint32_t aria_p3( uint32_t x )
132{
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]133 __asm( "bswap %0" : "=r" (x) : "0" (x) );
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]134 return( x );
135}
136#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]137#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]138#endif /* MBEDTLS_HAVE_ASM && GNUC */
139#if !defined(ARIA_P3)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]140#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]141#endif
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]142
143/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]144 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]145 * (a, b, c, d) = state in/out
146 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]147 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]148 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
149 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]150 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]151 * rearrangements on adjacent pairs, output is:
152 *
153 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
154 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]155 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]156 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]157 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]158 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]159 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]160 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
161 *
162 * Note: another presentation of the A transform can be found as the first
163 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
164 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]165 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]166static inline void aria_a( uint32_t *a, uint32_t *b,
167 uint32_t *c, uint32_t *d )
168{
169 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]170 ta = *b; // 4567
171 *b = *a; // 0123
172 *a = ARIA_P2( ta ); // 6745
173 tb = ARIA_P2( *d ); // efcd
174 *d = ARIA_P1( *c ); // 98ba
175 *c = ARIA_P1( tb ); // fedc
176 ta ^= *d; // 4567+98ba
177 tc = ARIA_P2( *b ); // 2301
178 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
179 tb ^= ARIA_P2( *d ); // ba98+efcd
180 tc ^= ARIA_P1( *a ); // 2301+7654
181 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
182 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
183 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
184 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
185 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
186 tc = ARIA_P2( tc ); // 0123+5476
187 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]188}
189
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]190/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]191 * ARIA Substitution Layer SL1 / SL2
192 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]193 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]194 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]195 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
196 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]197 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]198static inline void aria_sl( uint32_t *a, uint32_t *b,
199 uint32_t *c, uint32_t *d,
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]200 const uint8_t sa[256], const uint8_t sb[256],
201 const uint8_t sc[256], const uint8_t sd[256] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]202{
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]203 *a = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *a ) ] ) ^
204 (((uint32_t) sb[ MBEDTLS_BYTE_1( *a ) ]) << 8) ^
205 (((uint32_t) sc[ MBEDTLS_BYTE_2( *a ) ]) << 16) ^
Joe Subbiani10000372021-07-14 11:59:48 +0100[diff] [blame]206 (((uint32_t) sd[ MBEDTLS_BYTE_3( *a ) ]) << 24);
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]207 *b = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *b ) ] ) ^
208 (((uint32_t) sb[ MBEDTLS_BYTE_1( *b ) ]) << 8) ^
209 (((uint32_t) sc[ MBEDTLS_BYTE_2( *b ) ]) << 16) ^
Joe Subbiani10000372021-07-14 11:59:48 +0100[diff] [blame]210 (((uint32_t) sd[ MBEDTLS_BYTE_3( *b ) ]) << 24);
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]211 *c = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *c ) ] ) ^
212 (((uint32_t) sb[ MBEDTLS_BYTE_1( *c ) ]) << 8) ^
213 (((uint32_t) sc[ MBEDTLS_BYTE_2( *c ) ]) << 16) ^
Joe Subbiani10000372021-07-14 11:59:48 +0100[diff] [blame]214 (((uint32_t) sd[ MBEDTLS_BYTE_3( *c ) ]) << 24);
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]215 *d = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *d ) ] ) ^
216 (((uint32_t) sb[ MBEDTLS_BYTE_1( *d ) ]) << 8) ^
217 (((uint32_t) sc[ MBEDTLS_BYTE_2( *d ) ]) << 16) ^
Joe Subbiani10000372021-07-14 11:59:48 +0100[diff] [blame]218 (((uint32_t) sd[ MBEDTLS_BYTE_3( *d ) ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]219}
220
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]221/*
222 * S-Boxes
223 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]224static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]225{
226 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
227 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
228 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
229 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
230 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
231 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
232 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
233 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
234 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
235 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
236 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
237 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
238 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
239 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
240 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
241 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
242 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
243 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
244 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
245 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
246 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
247 0xB0, 0x54, 0xBB, 0x16
248};
249
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]250static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]251{
252 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
253 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
254 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
255 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
256 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
257 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
258 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
259 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
260 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
261 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
262 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
263 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
264 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
265 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
266 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
267 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
268 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
269 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
270 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
271 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
272 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
273 0xAF, 0xBA, 0xB5, 0x81
274};
275
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]276static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]277{
278 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
279 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
280 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
281 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
282 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
283 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
284 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
285 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
286 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
287 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
288 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
289 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
290 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
291 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
292 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
293 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
294 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
295 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
296 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
297 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
298 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
299 0x55, 0x21, 0x0C, 0x7D
300};
301
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]302static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]303{
304 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
305 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
306 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
307 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
308 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
309 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
310 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
311 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
312 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
313 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
314 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
315 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
316 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
317 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
318 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
319 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
320 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
321 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
322 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
323 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
324 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
325 0x03, 0xA2, 0xAC, 0x60
326};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]327
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]328/*
329 * Helper for key schedule: r = FO( p, k ) ^ x
330 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]331static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
332 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]333{
334 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]335
336 a = p[0] ^ k[0];
337 b = p[1] ^ k[1];
338 c = p[2] ^ k[2];
339 d = p[3] ^ k[3];
340
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]341 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
342 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]343
344 r[0] = a ^ x[0];
345 r[1] = b ^ x[1];
346 r[2] = c ^ x[2];
347 r[3] = d ^ x[3];
348}
349
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]350/*
351 * Helper for key schedule: r = FE( p, k ) ^ x
352 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]353static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
354 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]355{
356 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]357
358 a = p[0] ^ k[0];
359 b = p[1] ^ k[1];
360 c = p[2] ^ k[2];
361 d = p[3] ^ k[3];
362
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]363 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
364 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]365
366 r[0] = a ^ x[0];
367 r[1] = b ^ x[1];
368 r[2] = c ^ x[2];
369 r[3] = d ^ x[3];
370}
371
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]372/*
373 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
374 *
375 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani266476d2021-07-07 15:16:56 +0100[diff] [blame]376 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
377 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]378 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]379static void aria_rot128( uint32_t r[4], const uint32_t a[4],
380 const uint32_t b[4], uint8_t n )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]381{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]382 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]383 uint32_t t, u;
384
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]385 const uint8_t n1 = n % 32; // bit offset
386 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]387
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]388 j = ( n / 32 ) % 4; // initial word offset
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]389 t = ARIA_P3( b[j] ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]390 for( i = 0; i < 4; i++ )
391 {
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]392 j = ( j + 1 ) % 4; // get next word, big endian
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]393 u = ARIA_P3( b[j] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]394 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]395 t |= u >> n2;
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]396 t = ARIA_P3( t ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]397 r[i] = a[i] ^ t; // store
398 t = u; // move to next word
399 }
400}
401
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]402/*
403 * Set encryption key
404 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]405int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
406 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]407{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]408 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]409 const uint32_t rc[3][4] =
410 {
411 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
412 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
413 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
414 };
415
416 int i;
417 uint32_t w[4][4], *w2;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]418 ARIA_VALIDATE_RET( ctx != NULL );
419 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]420
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]421 if( keybits != 128 && keybits != 192 && keybits != 256 )
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]422 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]424 /* Copy key to W0 (and potential remainder to W1) */
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]425 w[0][0] = MBEDTLS_GET_UINT32_LE( key, 0 );
426 w[0][1] = MBEDTLS_GET_UINT32_LE( key, 4 );
427 w[0][2] = MBEDTLS_GET_UINT32_LE( key, 8 );
428 w[0][3] = MBEDTLS_GET_UINT32_LE( key, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]429
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]430 memset( w[1], 0, 16 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]431 if( keybits >= 192 )
432 {
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]433 w[1][0] = MBEDTLS_GET_UINT32_LE( key, 16 ); // 192 bit key
434 w[1][1] = MBEDTLS_GET_UINT32_LE( key, 20 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435 }
436 if( keybits == 256 )
437 {
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]438 w[1][2] = MBEDTLS_GET_UINT32_LE( key, 24 ); // 256 bit key
439 w[1][3] = MBEDTLS_GET_UINT32_LE( key, 28 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]440 }
441
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]442 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
444
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]445 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]446 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]447 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]449 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]450
451 for( i = 0; i < 4; i++ ) // create round keys
452 {
453 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]454 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
455 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
456 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
457 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]458 }
459 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
460
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]461 /* w holds enough info to reconstruct the round keys */
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]462 mbedtls_platform_zeroize( w, sizeof( w ) );
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]463
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]464 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]465}
466
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]467/*
468 * Set decryption key
469 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]470int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
471 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]472{
473 int i, j, k, ret;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]474 ARIA_VALIDATE_RET( ctx != NULL );
475 ARIA_VALIDATE_RET( key != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476
477 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
478 if( ret != 0 )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]479 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]480
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]481 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]482 for( i = 0, j = ctx->nr; i < j; i++, j-- )
483 {
484 for( k = 0; k < 4; k++ )
485 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]486 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]487 ctx->rk[i][k] = ctx->rk[j][k];
488 ctx->rk[j][k] = t;
489 }
490 }
491
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]492 /* apply affine transform to middle keys */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]493 for( i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]494 {
495 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
496 &ctx->rk[i][2], &ctx->rk[i][3] );
497 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]498
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]499 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]500}
501
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]502/*
503 * Encrypt a block
504 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]505int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]506 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
507 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]508{
509 int i;
510
511 uint32_t a, b, c, d;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]512 ARIA_VALIDATE_RET( ctx != NULL );
513 ARIA_VALIDATE_RET( input != NULL );
514 ARIA_VALIDATE_RET( output != NULL );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]515
Joe Subbiani9231d5f2021-07-07 16:56:29 +0100[diff] [blame]516 a = MBEDTLS_GET_UINT32_LE( input, 0 );
517 b = MBEDTLS_GET_UINT32_LE( input, 4 );
518 c = MBEDTLS_GET_UINT32_LE( input, 8 );
519 d = MBEDTLS_GET_UINT32_LE( input, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]520
521 i = 0;
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]522 while( 1 )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]523 {
524 a ^= ctx->rk[i][0];
525 b ^= ctx->rk[i][1];
526 c ^= ctx->rk[i][2];
527 d ^= ctx->rk[i][3];
528 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]529
530 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
531 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]532
533 a ^= ctx->rk[i][0];
534 b ^= ctx->rk[i][1];
535 c ^= ctx->rk[i][2];
536 d ^= ctx->rk[i][3];
537 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]538
539 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]540 if( i >= ctx->nr )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]541 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]542 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]543 }
544
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]545 /* final key mixing */
546 a ^= ctx->rk[i][0];
547 b ^= ctx->rk[i][1];
548 c ^= ctx->rk[i][2];
549 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]550
Joe Subbiani2bbafda2021-06-24 13:00:03 +0100[diff] [blame]551 MBEDTLS_PUT_UINT32_LE( a, output, 0 );
552 MBEDTLS_PUT_UINT32_LE( b, output, 4 );
553 MBEDTLS_PUT_UINT32_LE( c, output, 8 );
554 MBEDTLS_PUT_UINT32_LE( d, output, 12 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]555
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]556 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]557}
558
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]559/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]560void mbedtls_aria_init( mbedtls_aria_context *ctx )
561{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]562 ARIA_VALIDATE( ctx != NULL );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]563 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
564}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]565
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]566/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]567void mbedtls_aria_free( mbedtls_aria_context *ctx )
568{
569 if( ctx == NULL )
570 return;
571
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]572 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]573}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]574
575#if defined(MBEDTLS_CIPHER_MODE_CBC)
576/*
577 * ARIA-CBC buffer encryption/decryption
578 */
579int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]580 int mode,
581 size_t length,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]582 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]583 const unsigned char *input,
584 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]585{
586 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]587 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]588
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]589 ARIA_VALIDATE_RET( ctx != NULL );
590 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
591 mode == MBEDTLS_ARIA_DECRYPT );
592 ARIA_VALIDATE_RET( length == 0 || input != NULL );
593 ARIA_VALIDATE_RET( length == 0 || output != NULL );
594 ARIA_VALIDATE_RET( iv != NULL );
595
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]596 if( length % MBEDTLS_ARIA_BLOCKSIZE )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]597 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
598
599 if( mode == MBEDTLS_ARIA_DECRYPT )
600 {
601 while( length > 0 )
602 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]603 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]604 mbedtls_aria_crypt_ecb( ctx, input, output );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]605
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]606 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]607 output[i] = (unsigned char)( output[i] ^ iv[i] );
608
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]609 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]610
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]611 input += MBEDTLS_ARIA_BLOCKSIZE;
612 output += MBEDTLS_ARIA_BLOCKSIZE;
613 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]614 }
615 }
616 else
617 {
618 while( length > 0 )
619 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]620 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]621 output[i] = (unsigned char)( input[i] ^ iv[i] );
622
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]623 mbedtls_aria_crypt_ecb( ctx, output, output );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]624 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]625
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]626 input += MBEDTLS_ARIA_BLOCKSIZE;
627 output += MBEDTLS_ARIA_BLOCKSIZE;
628 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]629 }
630 }
631
632 return( 0 );
633}
634#endif /* MBEDTLS_CIPHER_MODE_CBC */
635
636#if defined(MBEDTLS_CIPHER_MODE_CFB)
637/*
638 * ARIA-CFB128 buffer encryption/decryption
639 */
640int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]641 int mode,
642 size_t length,
643 size_t *iv_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]644 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]645 const unsigned char *input,
646 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]647{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]648 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]649 size_t n;
650
651 ARIA_VALIDATE_RET( ctx != NULL );
652 ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
653 mode == MBEDTLS_ARIA_DECRYPT );
654 ARIA_VALIDATE_RET( length == 0 || input != NULL );
655 ARIA_VALIDATE_RET( length == 0 || output != NULL );
656 ARIA_VALIDATE_RET( iv != NULL );
657 ARIA_VALIDATE_RET( iv_off != NULL );
658
659 n = *iv_off;
660
661 /* An overly large value of n can lead to an unlimited
662 * buffer overflow. Therefore, guard against this
663 * outside of parameter validation. */
664 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
665 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]666
667 if( mode == MBEDTLS_ARIA_DECRYPT )
668 {
669 while( length-- )
670 {
671 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]672 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]673
674 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]675 *output++ = c ^ iv[n];
676 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]677
678 n = ( n + 1 ) & 0x0F;
679 }
680 }
681 else
682 {
683 while( length-- )
684 {
685 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]686 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]687
688 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
689
690 n = ( n + 1 ) & 0x0F;
691 }
692 }
693
694 *iv_off = n;
695
696 return( 0 );
697}
698#endif /* MBEDTLS_CIPHER_MODE_CFB */
699
700#if defined(MBEDTLS_CIPHER_MODE_CTR)
701/*
702 * ARIA-CTR buffer encryption/decryption
703 */
704int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]705 size_t length,
706 size_t *nc_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]707 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
708 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]709 const unsigned char *input,
710 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]711{
712 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]713 size_t n;
714
715 ARIA_VALIDATE_RET( ctx != NULL );
716 ARIA_VALIDATE_RET( length == 0 || input != NULL );
717 ARIA_VALIDATE_RET( length == 0 || output != NULL );
718 ARIA_VALIDATE_RET( nonce_counter != NULL );
719 ARIA_VALIDATE_RET( stream_block != NULL );
720 ARIA_VALIDATE_RET( nc_off != NULL );
721
722 n = *nc_off;
723 /* An overly large value of n can lead to an unlimited
724 * buffer overflow. Therefore, guard against this
725 * outside of parameter validation. */
726 if( n >= MBEDTLS_ARIA_BLOCKSIZE )
727 return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]728
729 while( length-- )
730 {
731 if( n == 0 ) {
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]732 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]733 stream_block );
734
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]735 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]736 if( ++nonce_counter[i - 1] != 0 )
737 break;
738 }
739 c = *input++;
740 *output++ = (unsigned char)( c ^ stream_block[n] );
741
742 n = ( n + 1 ) & 0x0F;
743 }
744
745 *nc_off = n;
746
747 return( 0 );
748}
749#endif /* MBEDTLS_CIPHER_MODE_CTR */
750#endif /* !MBEDTLS_ARIA_ALT */
751
752#if defined(MBEDTLS_SELF_TEST)
753
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]754/*
755 * Basic ARIA ECB test vectors from RFC 5794
756 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]757static const uint8_t aria_test1_ecb_key[32] = // test key
758{
759 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
760 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
761 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
762 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
763};
764
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]765static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]766{
767 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
768 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
769};
770
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]771static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]772{
773 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
774 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
775 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
776 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
777 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
778 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
779};
780
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]781/*
782 * Mode tests from "Test Vectors for ARIA" Version 1.0
783 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
784 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]785#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]786 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]787static const uint8_t aria_test2_key[32] =
788{
789 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
790 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
791 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
792 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
793};
794
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]795static const uint8_t aria_test2_pt[48] =
796{
797 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
798 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
799 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
800 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
801 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
802 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
803};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]804#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]805
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]806#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]807static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]808{
809 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
810 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
811};
812#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]813
814#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]815static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]816{
817 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
818 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
819 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
820 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
821 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
822 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
823 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
824 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
825 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
826 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
827 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
828 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
829 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
830 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
831 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
832 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
833 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
834 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
835};
836#endif /* MBEDTLS_CIPHER_MODE_CBC */
837
838#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]839static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]840{
841 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
842 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
843 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
844 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
845 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
846 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
847 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
848 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
849 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
850 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
851 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
852 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
853 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
854 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
855 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
856 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
857 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
858 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
859};
860#endif /* MBEDTLS_CIPHER_MODE_CFB */
861
862#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]863static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]864{
865 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
866 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
867 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
868 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
869 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
870 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
871 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
872 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
873 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
874 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
875 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
876 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
877 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
878 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
879 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
880 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
881 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
882 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
883};
884#endif /* MBEDTLS_CIPHER_MODE_CFB */
885
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]886#define ARIA_SELF_TEST_ASSERT( cond ) \
David Horstmann75b1fe72022-10-06 14:32:30 +0100[diff] [blame]887 do { \
888 if( cond ) { \
889 if( verbose ) \
890 mbedtls_printf( "failed\n" ); \
891 goto exit; \
892 } else { \
893 if( verbose ) \
894 mbedtls_printf( "passed\n" ); \
895 } \
896 } while( 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]897
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]898/*
899 * Checkup routine
900 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]901int mbedtls_aria_self_test( int verbose )
902{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]903 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]904 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]905 mbedtls_aria_context ctx;
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]906 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]907
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]908#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
909 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]910#endif
911
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]912#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
913 defined(MBEDTLS_CIPHER_MODE_CFB) || \
914 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]915 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]916#endif
917
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]918 mbedtls_aria_init( &ctx );
919
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]920 /*
921 * Test set 1
922 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]923 for( i = 0; i < 3; i++ )
924 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]925 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]926 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]927 mbedtls_printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]928 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]929 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]930 ARIA_SELF_TEST_ASSERT(
David Horstmann75b1fe72022-10-06 14:32:30 +0100[diff] [blame]931 memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE )
932 != 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]933
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]934 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]935 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]936 mbedtls_printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]937 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]938 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]939 ARIA_SELF_TEST_ASSERT(
David Horstmann75b1fe72022-10-06 14:32:30 +0100[diff] [blame]940 memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE )
941 != 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]942 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]943 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]944 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]945
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]946 /*
947 * Test set 2
948 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]949#if defined(MBEDTLS_CIPHER_MODE_CBC)
950 for( i = 0; i < 3; i++ )
951 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]952 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]953 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]954 mbedtls_printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]955 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]956 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]957 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]958 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
959 aria_test2_pt, buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]960 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cbc_ct[i], 48 )
David Horstmann75b1fe72022-10-06 14:32:30 +0100[diff] [blame]961 != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]962
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]963 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]964 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]965 mbedtls_printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]966 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]967 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]968 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]969 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
970 aria_test2_cbc_ct[i], buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]971 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]972 }
973 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]974 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]975
976#endif /* MBEDTLS_CIPHER_MODE_CBC */
977
978#if defined(MBEDTLS_CIPHER_MODE_CFB)
979 for( i = 0; i < 3; i++ )
980 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]981 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]982 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]983 mbedtls_printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]984 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]985 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]986 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]987 j = 0;
988 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
989 aria_test2_pt, buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]990 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]991
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]992 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]993 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]994 mbedtls_printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]995 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]996 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]997 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]998 j = 0;
999 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
1000 iv, aria_test2_cfb_ct[i], buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]1001 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1002 }
1003 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1004 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1005#endif /* MBEDTLS_CIPHER_MODE_CFB */
1006
1007#if defined(MBEDTLS_CIPHER_MODE_CTR)
1008 for( i = 0; i < 3; i++ )
1009 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1010 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1011 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1012 mbedtls_printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1013 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1014 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1015 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1016 j = 0;
1017 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1018 aria_test2_pt, buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]1019 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1020
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1021 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1022 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1023 mbedtls_printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1024 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1025 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1026 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1027 j = 0;
1028 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1029 aria_test2_ctr_ct[i], buf );
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]1030 ARIA_SELF_TEST_ASSERT( memcmp( buf, aria_test2_pt, 48 ) != 0 );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1031 }
1032 if( verbose )
Ron Eldord1a47622018-08-13 13:49:52 +0300[diff] [blame]1033 mbedtls_printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1034#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1035
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]1036 ret = 0;
1037
1038exit:
1039 mbedtls_aria_free( &ctx );
1040 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1041}
1042
1043#endif /* MBEDTLS_SELF_TEST */
1044
1045#endif /* MBEDTLS_ARIA_C */