TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-3.6 / . / library / aria.c
blob: d9f84cc59d7811ab98e5c84bf09086cae20f162e [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]26#include "mbedtls/platform_util.h"
27
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]28/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]29 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]30 *
31 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]32 *
33 * Common compilers fail to translate this to minimal number of instructions,
34 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]35 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]36#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]37#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]38/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]40 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]41 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]43{
44 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]47}
48#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]49#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]50 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]52{
53 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 __asm("rev16 r, x");
55 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56}
57#define ARIA_P1 aria_p1
58#endif
59#endif /* arm */
60#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]62/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]64#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]65#endif /* MBEDTLS_HAVE_ASM && GNUC */
66#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]67#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]68#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]69
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]70/*
71 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72 *
73 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]74 *
75 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]76 */
77#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]78
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]79/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]80 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81 *
82 * This is submatrix P3 in [1] Appendix B.1
83 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]84#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]85
86/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]87 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]88 * (a, b, c, d) = state in/out
89 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]90 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]91 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]93 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]94 * rearrangements on adjacent pairs, output is:
95 *
96 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]98 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]99 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]100 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]101 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]102 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]103 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104 *
105 * Note: another presentation of the A transform can be found as the first
106 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]108 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109static inline void aria_a(uint32_t *a, uint32_t *b,
110 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]111{
112 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]113 ta = *b; // 4567
114 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]115 *a = ARIA_P2(ta); // 6745
116 tb = ARIA_P2(*d); // efcd
117 *d = ARIA_P1(*c); // 98ba
118 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 tc = ARIA_P2(*b); // 2301
121 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
122 tb ^= ARIA_P2(*d); // ba98+efcd
123 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]124 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]125 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
126 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
128 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129 tc = ARIA_P2(tc); // 0123+5476
130 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]131}
132
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]133/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]134 * ARIA Substitution Layer SL1 / SL2
135 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]136 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]137 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]138 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]140 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141static inline void aria_sl(uint32_t *a, uint32_t *b,
142 uint32_t *c, uint32_t *d,
143 const uint8_t sa[256], const uint8_t sb[256],
144 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]145{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
148 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
152 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
156 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
160 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]162}
163
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]164/*
165 * S-Boxes
166 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]167static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]168{
169 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190 0xB0, 0x54, 0xBB, 0x16
191};
192
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]193static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]194{
195 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216 0xAF, 0xBA, 0xB5, 0x81
217};
218
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]219static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]220{
221 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242 0x55, 0x21, 0x0C, 0x7D
243};
244
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]245static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]246{
247 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268 0x03, 0xA2, 0xAC, 0x60
269};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]270
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]271/*
272 * Helper for key schedule: r = FO( p, k ) ^ x
273 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276{
277 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278
279 a = p[0] ^ k[0];
280 b = p[1] ^ k[1];
281 c = p[2] ^ k[2];
282 d = p[3] ^ k[3];
283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]284 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286
287 r[0] = a ^ x[0];
288 r[1] = b ^ x[1];
289 r[2] = c ^ x[2];
290 r[3] = d ^ x[3];
291}
292
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]293/*
294 * Helper for key schedule: r = FE( p, k ) ^ x
295 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]296static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]298{
299 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]300
301 a = p[0] ^ k[0];
302 b = p[1] ^ k[1];
303 c = p[2] ^ k[2];
304 d = p[3] ^ k[3];
305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]308
309 r[0] = a ^ x[0];
310 r[1] = b ^ x[1];
311 r[2] = c ^ x[2];
312 r[3] = d ^ x[3];
313}
314
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]315/*
316 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317 *
318 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]319 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]321 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]324{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]325 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]326 uint32_t t, u;
327
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]328 const uint8_t n1 = n % 32; // bit offset
329 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 j = (n / 32) % 4; // initial word offset
332 t = ARIA_P3(b[j]); // big endian
333 for (i = 0; i < 4; i++) {
334 j = (j + 1) % 4; // get next word, big endian
335 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]337 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]338 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]339 r[i] = a[i] ^ t; // store
340 t = u; // move to next word
341 }
342}
343
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]344/*
345 * Set encryption key
346 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]347int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]349{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]350 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]351 const uint32_t rc[3][4] =
352 {
353 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
354 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
355 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
356 };
357
358 int i;
359 uint32_t w[4][4], *w2;
360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 if (keybits != 128 && keybits != 192 && keybits != 256) {
362 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]364
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]365 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
367 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
368 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
369 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 memset(w[1], 0, 16);
372 if (keybits >= 192) {
373 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
374 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]375 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376 if (keybits == 256) {
377 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
378 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]379 }
380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]382 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]385 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]391 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]392 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
394 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
395 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]398
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]399 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403}
404
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]405/*
406 * Set decryption key
407 */
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]408#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411{
412 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]414 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415 if (ret != 0) {
416 return ret;
417 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]419 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 for (i = 0, j = ctx->nr; i < j; i++, j--) {
421 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]422 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423 ctx->rk[i][k] = ctx->rk[j][k];
424 ctx->rk[j][k] = t;
425 }
426 }
427
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]428 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 for (i = 1; i < ctx->nr; i++) {
430 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]432 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]434 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435}
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]436#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]437
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]438/*
439 * Encrypt a block
440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]444{
445 int i;
446
447 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]449 a = MBEDTLS_GET_UINT32_LE(input, 0);
450 b = MBEDTLS_GET_UINT32_LE(input, 4);
451 c = MBEDTLS_GET_UINT32_LE(input, 8);
452 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]453
454 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]456 a ^= ctx->rk[i][0];
457 b ^= ctx->rk[i][1];
458 c ^= ctx->rk[i][2];
459 d ^= ctx->rk[i][3];
460 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]461
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]464
465 a ^= ctx->rk[i][0];
466 b ^= ctx->rk[i][1];
467 c ^= ctx->rk[i][2];
468 d ^= ctx->rk[i][3];
469 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]473 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 }
475 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476 }
477
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]478 /* final key mixing */
479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]484 MBEDTLS_PUT_UINT32_LE(a, output, 0);
485 MBEDTLS_PUT_UINT32_LE(b, output, 4);
486 MBEDTLS_PUT_UINT32_LE(c, output, 8);
487 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]489 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490}
491
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]492/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]493void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]494{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]495 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]496}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]497
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]498/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]500{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]502 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]506}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]507
508#if defined(MBEDTLS_CIPHER_MODE_CBC)
509/*
510 * ARIA-CBC buffer encryption/decryption
511 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]512int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513 int mode,
514 size_t length,
515 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516 const unsigned char *input,
517 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]518{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]519 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame]520
521 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 if (mode == MBEDTLS_ARIA_DECRYPT) {
530 while (length > 0) {
531 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]536 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]537
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]538 input += MBEDTLS_ARIA_BLOCKSIZE;
539 output += MBEDTLS_ARIA_BLOCKSIZE;
540 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]541 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 } else {
543 while (length > 0) {
544 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]546 mbedtls_aria_crypt_ecb(ctx, output, output);
547 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]548
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]549 input += MBEDTLS_ARIA_BLOCKSIZE;
550 output += MBEDTLS_ARIA_BLOCKSIZE;
551 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]552 }
553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]556}
557#endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559#if defined(MBEDTLS_CIPHER_MODE_CFB)
560/*
561 * ARIA-CFB128 buffer encryption/decryption
562 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 size_t *iv_off,
567 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568 const unsigned char *input,
569 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]570{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]571 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]572 size_t n;
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame]573
574 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]577
578 n = *iv_off;
579
580 /* An overly large value of n can lead to an unlimited
Valerio Setti779a1a52024-01-30 11:40:24 +0100[diff] [blame]581 * buffer overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
583 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
584 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]585
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]586 if (mode == MBEDTLS_ARIA_DECRYPT) {
587 while (length--) {
588 if (n == 0) {
589 mbedtls_aria_crypt_ecb(ctx, iv, iv);
590 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]591
592 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]593 *output++ = c ^ iv[n];
594 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]597 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]598 } else {
599 while (length--) {
600 if (n == 0) {
601 mbedtls_aria_crypt_ecb(ctx, iv, iv);
602 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]603
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]607 }
608 }
609
610 *iv_off = n;
611
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]612 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]613}
614#endif /* MBEDTLS_CIPHER_MODE_CFB */
615
616#if defined(MBEDTLS_CIPHER_MODE_CTR)
617/*
618 * ARIA-CTR buffer encryption/decryption
619 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
621 size_t length,
622 size_t *nc_off,
623 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
624 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
625 const unsigned char *input,
626 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]627{
628 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]629 size_t n;
630
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]631 n = *nc_off;
632 /* An overly large value of n can lead to an unlimited
Valerio Setti779a1a52024-01-30 11:40:24 +0100[diff] [blame]633 * buffer overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
635 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
636 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]637
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]638 while (length--) {
639 if (n == 0) {
640 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
641 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]643 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
644 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]645 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]646 }
647 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]648 }
649 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]651
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]652 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]653 }
654
655 *nc_off = n;
656
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]657 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]658}
659#endif /* MBEDTLS_CIPHER_MODE_CTR */
660#endif /* !MBEDTLS_ARIA_ALT */
661
662#if defined(MBEDTLS_SELF_TEST)
663
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]664/*
665 * Basic ARIA ECB test vectors from RFC 5794
666 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]667static const uint8_t aria_test1_ecb_key[32] = // test key
668{
669 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
670 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
671 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
672 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
673};
674
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]675static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]676{
677 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
678 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
679};
680
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]681static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]682{
683 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
684 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
685 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
686 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
687 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
688 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
689};
690
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]691/*
692 * Mode tests from "Test Vectors for ARIA" Version 1.0
693 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
694 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]695#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]696 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]697static const uint8_t aria_test2_key[32] =
698{
699 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
700 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
703};
704
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]705static const uint8_t aria_test2_pt[48] =
706{
707 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
708 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
709 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
710 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
711 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
712 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
713};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]714#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]715
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]716#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]717static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]718{
719 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
720 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
721};
722#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]723
724#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]725static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]726{
727 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
728 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
729 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
730 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
731 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
732 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
733 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
734 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
735 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
736 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
737 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
738 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
739 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
740 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
741 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
742 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
743 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
744 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
745};
746#endif /* MBEDTLS_CIPHER_MODE_CBC */
747
748#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]749static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]750{
751 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
752 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
753 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
754 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
755 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
756 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
757 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
758 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
759 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
760 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
761 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
762 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
763 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
764 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
765 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
766 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
767 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
768 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
769};
770#endif /* MBEDTLS_CIPHER_MODE_CFB */
771
772#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]773static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]774{
775 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
776 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
777 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
778 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
779 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
780 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
781 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
782 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
783 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
784 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
785 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
786 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
787 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
788 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
789 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
790 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
791 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
792 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
793};
794#endif /* MBEDTLS_CIPHER_MODE_CFB */
795
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]796#define ARIA_SELF_TEST_ASSERT(cond) \
797 do { \
798 if (cond) { \
799 if (verbose) \
800 mbedtls_printf("failed\n"); \
801 goto exit; \
802 } else { \
803 if (verbose) \
804 mbedtls_printf("passed\n"); \
805 } \
806 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]807
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]808/*
809 * Checkup routine
810 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]812{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]813 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]814 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]815 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]816 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]817
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]818#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
819 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]820#endif
821
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]822#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]823 defined(MBEDTLS_CIPHER_MODE_CFB) || \
824 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]825 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]826#endif
827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]829
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]830 /*
831 * Test set 1
832 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]833 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]834 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]835 if (verbose) {
836 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
837 }
838 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
839 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]840 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]841 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
842 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]843
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]844 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]845 if (verbose) {
846 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]847#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]848 mbedtls_printf("skipped\n");
849#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]850 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]851
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]852#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]853 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
854 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]855 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
857 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]858#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]859 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]860 if (verbose) {
861 mbedtls_printf("\n");
862 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]863
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]864 /*
865 * Test set 2
866 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]867#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]869 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]870 if (verbose) {
871 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
872 }
873 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
874 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
875 memset(buf, 0x55, sizeof(buf));
876 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
877 aria_test2_pt, buf);
878 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
879 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]880
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]881 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]882 if (verbose) {
883 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
884 }
885 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
886 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
887 memset(buf, 0xAA, sizeof(buf));
888 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
889 aria_test2_cbc_ct[i], buf);
890 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]891 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]892 if (verbose) {
893 mbedtls_printf("\n");
894 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]895
896#endif /* MBEDTLS_CIPHER_MODE_CBC */
897
898#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]899 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]900 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]901 if (verbose) {
902 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
903 }
904 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
905 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
906 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]907 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]908 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
909 aria_test2_pt, buf);
910 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]911
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]912 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]913 if (verbose) {
914 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
915 }
916 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
917 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
918 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]919 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]920 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
921 iv, aria_test2_cfb_ct[i], buf);
922 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]923 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 if (verbose) {
925 mbedtls_printf("\n");
926 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]927#endif /* MBEDTLS_CIPHER_MODE_CFB */
928
929#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]930 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]931 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]932 if (verbose) {
933 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
934 }
935 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
936 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
937 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]938 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
940 aria_test2_pt, buf);
941 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]942
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]943 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 if (verbose) {
945 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
946 }
947 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
948 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
949 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]950 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
952 aria_test2_ctr_ct[i], buf);
953 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]954 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 if (verbose) {
956 mbedtls_printf("\n");
957 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]958#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]959
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]960 ret = 0;
961
962exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]963 mbedtls_aria_free(&ctx);
964 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]965}
966
967#endif /* MBEDTLS_SELF_TEST */
968
969#endif /* MBEDTLS_ARIA_C */