TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7ff7965561863346218d0ec5dfa50d58893f7903 / . / library / aria.c
blob: c9441057c68785bc919f08a18ab04294e942fca7 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman7ff79652023-11-03 12:04:52 +0000[diff] [blame^]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]26#include "mbedtls/platform_util.h"
27
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]28/* Parameter validation macros */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]29#define ARIA_VALIDATE_RET(cond) \
30 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31#define ARIA_VALIDATE(cond) \
32 MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]33
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]34/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]35 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]36 *
37 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]38 *
39 * Common compilers fail to translate this to minimal number of instructions,
40 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]41 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]42#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]43#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]44/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45#if defined(__GNUC__) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]46 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]47 __ARM_ARCH >= 6
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]48static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]49{
50 uint32_t r;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]51 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]53}
54#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]55#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]56 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
57static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]58{
59 uint32_t r;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]60 __asm("rev16 r, x");
61 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]62}
63#define ARIA_P1 aria_p1
64#endif
65#endif /* arm */
66#if defined(__GNUC__) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]67 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]68/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]69#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]70#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]71#endif /* MBEDTLS_HAVE_ASM && GNUC */
72#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]73#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]74#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]75
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]76/*
77 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78 *
79 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]80 *
81 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]82 */
83#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]84
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]85/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]86 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87 *
88 * This is submatrix P3 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]89 *
90 * Some compilers fail to translate this to a single instruction,
91 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]92 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]93#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]94#if defined(__arm__) /* rev available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]95/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
96#if defined(__GNUC__) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]97 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]98 __ARM_ARCH >= 6
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]99static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]100{
101 uint32_t r;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]102 __asm("rev %0, %1" : "=l" (r) : "l" (x));
103 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]104}
105#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]106#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]107 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
108static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]109{
110 uint32_t r;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]111 __asm("rev r, x");
112 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]113}
114#define ARIA_P3 aria_p3
115#endif
116#endif /* arm */
117#if defined(__GNUC__) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]118 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
119static inline uint32_t aria_p3(uint32_t x)
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]120{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]121 __asm("bswap %0" : "=r" (x) : "0" (x));
122 return x;
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]123}
124#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]125#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]126#endif /* MBEDTLS_HAVE_ASM && GNUC */
127#if !defined(ARIA_P3)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]128#define ARIA_P3(x) ARIA_P2(ARIA_P1(x))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]129#endif
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]130
131/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]132 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]133 * (a, b, c, d) = state in/out
134 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]135 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]136 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
137 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]138 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]139 * rearrangements on adjacent pairs, output is:
140 *
141 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
142 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]143 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]144 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]145 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]146 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]147 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]148 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
149 *
150 * Note: another presentation of the A transform can be found as the first
151 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
152 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]153 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]154static inline void aria_a(uint32_t *a, uint32_t *b,
155 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]156{
157 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]158 ta = *b; // 4567
159 *b = *a; // 0123
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]160 *a = ARIA_P2(ta); // 6745
161 tb = ARIA_P2(*d); // efcd
162 *d = ARIA_P1(*c); // 98ba
163 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]164 ta ^= *d; // 4567+98ba
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]165 tc = ARIA_P2(*b); // 2301
166 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
167 tb ^= ARIA_P2(*d); // ba98+efcd
168 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]169 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]170 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
171 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
172 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
173 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
174 tc = ARIA_P2(tc); // 0123+5476
175 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]176}
177
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]178/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]179 * ARIA Substitution Layer SL1 / SL2
180 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]181 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]182 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]183 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
184 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]185 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]186static inline void aria_sl(uint32_t *a, uint32_t *b,
187 uint32_t *c, uint32_t *d,
188 const uint8_t sa[256], const uint8_t sb[256],
189 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]190{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]191 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
192 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
193 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
194 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
195 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
196 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
197 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
198 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
199 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
200 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
201 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
202 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
203 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
204 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
205 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
206 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]207}
208
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]209/*
210 * S-Boxes
211 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]212static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]213{
214 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
215 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
216 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
217 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
218 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
219 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
220 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
221 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
222 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
223 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
224 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
225 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
226 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
227 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
228 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
229 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
230 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
231 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
232 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
233 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
234 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
235 0xB0, 0x54, 0xBB, 0x16
236};
237
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]238static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]239{
240 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
241 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
242 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
243 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
244 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
245 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
246 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
247 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
248 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
249 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
250 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
251 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
252 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
253 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
254 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
255 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
256 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
257 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
258 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
259 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
260 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
261 0xAF, 0xBA, 0xB5, 0x81
262};
263
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]264static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]265{
266 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
267 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
268 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
269 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
270 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
271 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
272 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
273 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
274 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
275 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
276 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
277 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
278 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
279 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
280 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
281 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
282 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
283 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
284 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
285 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
286 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
287 0x55, 0x21, 0x0C, 0x7D
288};
289
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]290static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]291{
292 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
293 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
294 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
295 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
296 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
297 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
298 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
299 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
300 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
301 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
302 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
303 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
304 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
305 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
306 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
307 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
308 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
309 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
310 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
311 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
312 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
313 0x03, 0xA2, 0xAC, 0x60
314};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]315
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]316/*
317 * Helper for key schedule: r = FO( p, k ) ^ x
318 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]319static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
320 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]321{
322 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]323
324 a = p[0] ^ k[0];
325 b = p[1] ^ k[1];
326 c = p[2] ^ k[2];
327 d = p[3] ^ k[3];
328
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]329 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
330 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]331
332 r[0] = a ^ x[0];
333 r[1] = b ^ x[1];
334 r[2] = c ^ x[2];
335 r[3] = d ^ x[3];
336}
337
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]338/*
339 * Helper for key schedule: r = FE( p, k ) ^ x
340 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]341static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
342 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]343{
344 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]345
346 a = p[0] ^ k[0];
347 b = p[1] ^ k[1];
348 c = p[2] ^ k[2];
349 d = p[3] ^ k[3];
350
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]351 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
352 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]353
354 r[0] = a ^ x[0];
355 r[1] = b ^ x[1];
356 r[2] = c ^ x[2];
357 r[3] = d ^ x[3];
358}
359
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]360/*
361 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
362 *
363 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani266476d2021-07-07 15:16:56 +0100[diff] [blame]364 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
365 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]366 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]367static void aria_rot128(uint32_t r[4], const uint32_t a[4],
368 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]369{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]370 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]371 uint32_t t, u;
372
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]373 const uint8_t n1 = n % 32; // bit offset
374 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]375
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]376 j = (n / 32) % 4; // initial word offset
377 t = ARIA_P3(b[j]); // big endian
378 for (i = 0; i < 4; i++) {
379 j = (j + 1) % 4; // get next word, big endian
380 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]381 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]382 t |= u >> n2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]383 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]384 r[i] = a[i] ^ t; // store
385 t = u; // move to next word
386 }
387}
388
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]389/*
390 * Set encryption key
391 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]392int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
393 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]394{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]395 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 const uint32_t rc[3][4] =
397 {
398 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
399 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
400 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
401 };
402
403 int i;
404 uint32_t w[4][4], *w2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]405 ARIA_VALIDATE_RET(ctx != NULL);
406 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]407
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]408 if (keybits != 128 && keybits != 192 && keybits != 256) {
409 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
410 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]412 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]413 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
414 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
415 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
416 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]417
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]418 memset(w[1], 0, 16);
419 if (keybits >= 192) {
420 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
421 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]422 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]423 if (keybits == 256) {
424 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
425 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]426 }
427
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]428 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]429 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
430
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]431 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]432 i = i < 2 ? i + 1 : 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]433 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]434 i = i < 2 ? i + 1 : 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]435 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]436
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]437 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]438 w2 = w[(i + 1) & 3];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]439 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
440 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
441 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
442 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]444 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]446 /* w holds enough info to reconstruct the round keys */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]447 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]448
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]449 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]450}
451
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]452/*
453 * Set decryption key
454 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]455int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
456 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]457{
458 int i, j, k, ret;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]459 ARIA_VALIDATE_RET(ctx != NULL);
460 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]461
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]462 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
463 if (ret != 0) {
464 return ret;
465 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]466
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]467 /* flip the order of round keys */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]468 for (i = 0, j = ctx->nr; i < j; i++, j--) {
469 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]470 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]471 ctx->rk[i][k] = ctx->rk[j][k];
472 ctx->rk[j][k] = t;
473 }
474 }
475
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]476 /* apply affine transform to middle keys */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]477 for (i = 1; i < ctx->nr; i++) {
478 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
479 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]480 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]481
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]482 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483}
484
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]485/*
486 * Encrypt a block
487 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]488int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
489 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
490 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]491{
492 int i;
493
494 uint32_t a, b, c, d;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]495 ARIA_VALIDATE_RET(ctx != NULL);
496 ARIA_VALIDATE_RET(input != NULL);
497 ARIA_VALIDATE_RET(output != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]498
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]499 a = MBEDTLS_GET_UINT32_LE(input, 0);
500 b = MBEDTLS_GET_UINT32_LE(input, 4);
501 c = MBEDTLS_GET_UINT32_LE(input, 8);
502 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]503
504 i = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]505 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]506 a ^= ctx->rk[i][0];
507 b ^= ctx->rk[i][1];
508 c ^= ctx->rk[i][2];
509 d ^= ctx->rk[i][3];
510 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]511
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]512 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
513 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]514
515 a ^= ctx->rk[i][0];
516 b ^= ctx->rk[i][1];
517 c ^= ctx->rk[i][2];
518 d ^= ctx->rk[i][3];
519 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]520
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]521 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
522 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]523 break;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]524 }
525 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]526 }
527
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]528 /* final key mixing */
529 a ^= ctx->rk[i][0];
530 b ^= ctx->rk[i][1];
531 c ^= ctx->rk[i][2];
532 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]534 MBEDTLS_PUT_UINT32_LE(a, output, 0);
535 MBEDTLS_PUT_UINT32_LE(b, output, 4);
536 MBEDTLS_PUT_UINT32_LE(c, output, 8);
537 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]538
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]539 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]540}
541
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]542/* Initialize context */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]543void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]544{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]545 ARIA_VALIDATE(ctx != NULL);
546 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]547}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]548
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]549/* Clear context */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]550void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]551{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]552 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]553 return;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]554 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]555
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]556 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]557}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]558
559#if defined(MBEDTLS_CIPHER_MODE_CBC)
560/*
561 * ARIA-CBC buffer encryption/decryption
562 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]563int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
567 const unsigned char *input,
568 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]569{
570 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]571 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]572
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]573 ARIA_VALIDATE_RET(ctx != NULL);
574 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
575 mode == MBEDTLS_ARIA_DECRYPT);
576 ARIA_VALIDATE_RET(length == 0 || input != NULL);
577 ARIA_VALIDATE_RET(length == 0 || output != NULL);
578 ARIA_VALIDATE_RET(iv != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]579
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]580 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
581 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
582 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]583
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]584 if (mode == MBEDTLS_ARIA_DECRYPT) {
585 while (length > 0) {
586 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
587 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]588
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]589 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++) {
590 output[i] = (unsigned char) (output[i] ^ iv[i]);
591 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]592
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]593 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]594
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]595 input += MBEDTLS_ARIA_BLOCKSIZE;
596 output += MBEDTLS_ARIA_BLOCKSIZE;
597 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]598 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]599 } else {
600 while (length > 0) {
601 for (i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++) {
602 output[i] = (unsigned char) (input[i] ^ iv[i]);
603 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]604
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]605 mbedtls_aria_crypt_ecb(ctx, output, output);
606 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]607
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]608 input += MBEDTLS_ARIA_BLOCKSIZE;
609 output += MBEDTLS_ARIA_BLOCKSIZE;
610 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]611 }
612 }
613
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]614 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]615}
616#endif /* MBEDTLS_CIPHER_MODE_CBC */
617
618#if defined(MBEDTLS_CIPHER_MODE_CFB)
619/*
620 * ARIA-CFB128 buffer encryption/decryption
621 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]622int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
623 int mode,
624 size_t length,
625 size_t *iv_off,
626 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
627 const unsigned char *input,
628 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]629{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]630 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]631 size_t n;
632
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]633 ARIA_VALIDATE_RET(ctx != NULL);
634 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
635 mode == MBEDTLS_ARIA_DECRYPT);
636 ARIA_VALIDATE_RET(length == 0 || input != NULL);
637 ARIA_VALIDATE_RET(length == 0 || output != NULL);
638 ARIA_VALIDATE_RET(iv != NULL);
639 ARIA_VALIDATE_RET(iv_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]640
641 n = *iv_off;
642
643 /* An overly large value of n can lead to an unlimited
644 * buffer overflow. Therefore, guard against this
645 * outside of parameter validation. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]646 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
647 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
648 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]649
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]650 if (mode == MBEDTLS_ARIA_DECRYPT) {
651 while (length--) {
652 if (n == 0) {
653 mbedtls_aria_crypt_ecb(ctx, iv, iv);
654 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]655
656 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]657 *output++ = c ^ iv[n];
658 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]659
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]660 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]661 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]662 } else {
663 while (length--) {
664 if (n == 0) {
665 mbedtls_aria_crypt_ecb(ctx, iv, iv);
666 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]667
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]668 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]669
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]670 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]671 }
672 }
673
674 *iv_off = n;
675
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]676 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]677}
678#endif /* MBEDTLS_CIPHER_MODE_CFB */
679
680#if defined(MBEDTLS_CIPHER_MODE_CTR)
681/*
682 * ARIA-CTR buffer encryption/decryption
683 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]684int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
685 size_t length,
686 size_t *nc_off,
687 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
688 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
689 const unsigned char *input,
690 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]691{
692 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]693 size_t n;
694
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]695 ARIA_VALIDATE_RET(ctx != NULL);
696 ARIA_VALIDATE_RET(length == 0 || input != NULL);
697 ARIA_VALIDATE_RET(length == 0 || output != NULL);
698 ARIA_VALIDATE_RET(nonce_counter != NULL);
699 ARIA_VALIDATE_RET(stream_block != NULL);
700 ARIA_VALIDATE_RET(nc_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]701
702 n = *nc_off;
703 /* An overly large value of n can lead to an unlimited
704 * buffer overflow. Therefore, guard against this
705 * outside of parameter validation. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]706 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
707 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
708 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]709
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]710 while (length--) {
711 if (n == 0) {
712 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
713 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]714
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]715 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
716 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]717 break;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]718 }
719 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]720 }
721 c = *input++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]722 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]723
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]724 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]725 }
726
727 *nc_off = n;
728
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]729 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]730}
731#endif /* MBEDTLS_CIPHER_MODE_CTR */
732#endif /* !MBEDTLS_ARIA_ALT */
733
734#if defined(MBEDTLS_SELF_TEST)
735
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]736/*
737 * Basic ARIA ECB test vectors from RFC 5794
738 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]739static const uint8_t aria_test1_ecb_key[32] = // test key
740{
741 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
742 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
743 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
744 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
745};
746
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]747static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]748{
749 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
750 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
751};
752
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]753static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]754{
755 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
756 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
757 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
758 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
759 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
760 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
761};
762
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]763/*
764 * Mode tests from "Test Vectors for ARIA" Version 1.0
765 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
766 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]767#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]768 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]769static const uint8_t aria_test2_key[32] =
770{
771 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
772 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
773 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
774 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
775};
776
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]777static const uint8_t aria_test2_pt[48] =
778{
779 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
780 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
781 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
782 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
783 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
784 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
785};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]786#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]787
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]788#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]789static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]790{
791 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
792 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
793};
794#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]795
796#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]797static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]798{
799 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
800 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
801 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
802 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
803 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
804 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
805 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
806 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
807 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
808 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
809 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
810 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
811 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
812 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
813 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
814 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
815 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
816 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
817};
818#endif /* MBEDTLS_CIPHER_MODE_CBC */
819
820#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]821static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]822{
823 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
824 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
825 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
826 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
827 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
828 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
829 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
830 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
831 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
832 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
833 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
834 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
835 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
836 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
837 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
838 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
839 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
840 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
841};
842#endif /* MBEDTLS_CIPHER_MODE_CFB */
843
844#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]845static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]846{
847 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
848 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
849 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
850 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
851 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
852 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
853 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
854 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
855 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
856 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
857 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
858 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
859 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
860 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
861 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
862 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
863 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
864 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
865};
866#endif /* MBEDTLS_CIPHER_MODE_CFB */
867
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]868#define ARIA_SELF_TEST_ASSERT(cond) \
869 do { \
870 if (cond) { \
871 if (verbose) \
872 mbedtls_printf("failed\n"); \
873 goto exit; \
874 } else { \
875 if (verbose) \
876 mbedtls_printf("passed\n"); \
877 } \
878 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]879
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]880/*
881 * Checkup routine
882 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]883int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]884{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]885 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]886 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]887 mbedtls_aria_context ctx;
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]888 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]889
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]890#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
891 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]892#endif
893
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]894#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]895 defined(MBEDTLS_CIPHER_MODE_CFB) || \
896 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]897 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]898#endif
899
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]900 mbedtls_aria_init(&ctx);
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]901
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]902 /*
903 * Test set 1
904 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]905 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]906 /* test ECB encryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]907 if (verbose) {
908 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
909 }
910 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
911 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]912 ARIA_SELF_TEST_ASSERT(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]913 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
914 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]915
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]916 /* test ECB decryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]917 if (verbose) {
918 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
919 }
920 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
921 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann94303302022-10-25 10:23:34 +0100[diff] [blame]922 ARIA_SELF_TEST_ASSERT(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]923 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
924 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]925 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]926 if (verbose) {
927 mbedtls_printf("\n");
928 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]929
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]930 /*
931 * Test set 2
932 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]933#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]934 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]935 /* Test CBC encryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]936 if (verbose) {
937 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
938 }
939 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
940 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
941 memset(buf, 0x55, sizeof(buf));
942 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
943 aria_test2_pt, buf);
944 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
945 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]946
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]947 /* Test CBC decryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]948 if (verbose) {
949 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
950 }
951 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
952 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
953 memset(buf, 0xAA, sizeof(buf));
954 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
955 aria_test2_cbc_ct[i], buf);
956 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]957 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]958 if (verbose) {
959 mbedtls_printf("\n");
960 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]961
962#endif /* MBEDTLS_CIPHER_MODE_CBC */
963
964#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]965 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]966 /* Test CFB encryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]967 if (verbose) {
968 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
969 }
970 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
971 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
972 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]973 j = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]974 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
975 aria_test2_pt, buf);
976 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]977
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]978 /* Test CFB decryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]979 if (verbose) {
980 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
981 }
982 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
983 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
984 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]985 j = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]986 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
987 iv, aria_test2_cfb_ct[i], buf);
988 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]989 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]990 if (verbose) {
991 mbedtls_printf("\n");
992 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]993#endif /* MBEDTLS_CIPHER_MODE_CFB */
994
995#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]996 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]997 /* Test CTR encryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]998 if (verbose) {
999 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
1000 }
1001 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1002 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1003 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1004 j = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1005 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1006 aria_test2_pt, buf);
1007 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1008
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1009 /* Test CTR decryption */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1010 if (verbose) {
1011 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
1012 }
1013 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
1014 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
1015 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1016 j = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1017 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
1018 aria_test2_ctr_ct[i], buf);
1019 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1020 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1021 if (verbose) {
1022 mbedtls_printf("\n");
1023 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1024#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1025
Gilles Peskineccbbb2c2021-05-25 09:17:22 +0200[diff] [blame]1026 ret = 0;
1027
1028exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1029 mbedtls_aria_free(&ctx);
1030 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1031}
1032
1033#endif /* MBEDTLS_SELF_TEST */
1034
1035#endif /* MBEDTLS_ARIA_C */