TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 981ec147448829de901b75d1756867506ee42a1a / . / library / aria.c
blob: ba1257875c7e2fbc02de82767c3c878252b98ca8 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]26#include "mbedtls/platform_util.h"
27
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]28/* Parameter validation macros */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]29#define ARIA_VALIDATE_RET(cond) \
30 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31#define ARIA_VALIDATE(cond) \
32 MBEDTLS_INTERNAL_VALIDATE(cond)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]33
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]34/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]35 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]36 *
37 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]38 *
39 * Common compilers fail to translate this to minimal number of instructions,
40 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]41 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]42#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]43#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]44/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]47 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]49{
50 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]51 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]53}
54#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]55#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]56 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
57static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]58{
59 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60 __asm("rev16 r, x");
61 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]62}
63#define ARIA_P1 aria_p1
64#endif
65#endif /* arm */
66#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]68/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]69#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]70#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]71#endif /* MBEDTLS_HAVE_ASM && GNUC */
72#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]73#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]74#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]75
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]76/*
77 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78 *
79 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]80 *
81 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]82 */
83#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]84
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]85/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]86 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87 *
88 * This is submatrix P3 in [1] Appendix B.1
89 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]90#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]91
92/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]93 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]94 * (a, b, c, d) = state in/out
95 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]96 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]97 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
98 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]99 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]100 * rearrangements on adjacent pairs, output is:
101 *
102 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
103 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]104 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]105 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]106 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]107 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]108 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]109 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
110 *
111 * Note: another presentation of the A transform can be found as the first
112 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
113 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]114 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]115static inline void aria_a(uint32_t *a, uint32_t *b,
116 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]117{
118 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 ta = *b; // 4567
120 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 *a = ARIA_P2(ta); // 6745
122 tb = ARIA_P2(*d); // efcd
123 *d = ARIA_P1(*c); // 98ba
124 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]125 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 tc = ARIA_P2(*b); // 2301
127 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
128 tb ^= ARIA_P2(*d); // ba98+efcd
129 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]130 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
132 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
133 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
134 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
135 tc = ARIA_P2(tc); // 0123+5476
136 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]137}
138
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]139/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]140 * ARIA Substitution Layer SL1 / SL2
141 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]142 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]143 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]144 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
145 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]146 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]147static inline void aria_sl(uint32_t *a, uint32_t *b,
148 uint32_t *c, uint32_t *d,
149 const uint8_t sa[256], const uint8_t sb[256],
150 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]151{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]152 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
153 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
154 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
155 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
156 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
157 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
158 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
159 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
160 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
161 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
162 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
163 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
164 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
165 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
166 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
167 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]168}
169
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]170/*
171 * S-Boxes
172 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]173static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]174{
175 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
176 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
177 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
178 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
179 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
180 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
181 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
182 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
183 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
184 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
185 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
186 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
187 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
188 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
189 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
190 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
191 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
192 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
193 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
194 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
195 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
196 0xB0, 0x54, 0xBB, 0x16
197};
198
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]199static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]200{
201 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
202 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
203 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
204 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
205 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
206 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
207 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
208 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
209 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
210 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
211 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
212 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
213 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
214 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
215 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
216 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
217 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
218 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
219 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
220 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
221 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
222 0xAF, 0xBA, 0xB5, 0x81
223};
224
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]225static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]226{
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
228 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
229 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
230 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
232 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
233 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
234 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
236 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
237 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
238 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
239 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
240 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
241 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
242 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
243 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
244 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
245 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
246 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
248 0x55, 0x21, 0x0C, 0x7D
249};
250
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]251static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]252{
253 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
254 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
255 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
256 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
257 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
258 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
259 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
260 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
261 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
262 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
263 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
264 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
265 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
266 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
267 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
268 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
269 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
270 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
271 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
272 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
273 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
274 0x03, 0xA2, 0xAC, 0x60
275};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]277/*
278 * Helper for key schedule: r = FO( p, k ) ^ x
279 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]280static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
281 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]282{
283 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]284
285 a = p[0] ^ k[0];
286 b = p[1] ^ k[1];
287 c = p[2] ^ k[2];
288 d = p[3] ^ k[3];
289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]290 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
291 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]292
293 r[0] = a ^ x[0];
294 r[1] = b ^ x[1];
295 r[2] = c ^ x[2];
296 r[3] = d ^ x[3];
297}
298
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]299/*
300 * Helper for key schedule: r = FE( p, k ) ^ x
301 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
303 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]304{
305 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]306
307 a = p[0] ^ k[0];
308 b = p[1] ^ k[1];
309 c = p[2] ^ k[2];
310 d = p[3] ^ k[3];
311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
313 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]314
315 r[0] = a ^ x[0];
316 r[1] = b ^ x[1];
317 r[2] = c ^ x[2];
318 r[3] = d ^ x[3];
319}
320
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]321/*
322 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
323 *
324 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]325 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
326 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]327 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328static void aria_rot128(uint32_t r[4], const uint32_t a[4],
329 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]330{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]331 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]332 uint32_t t, u;
333
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]334 const uint8_t n1 = n % 32; // bit offset
335 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 j = (n / 32) % 4; // initial word offset
338 t = ARIA_P3(b[j]); // big endian
339 for (i = 0; i < 4; i++) {
340 j = (j + 1) % 4; // get next word, big endian
341 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]342 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]343 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]345 r[i] = a[i] ^ t; // store
346 t = u; // move to next word
347 }
348}
349
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]350/*
351 * Set encryption key
352 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
354 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]355{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]356 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]357 const uint32_t rc[3][4] =
358 {
359 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
360 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
361 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
362 };
363
364 int i;
365 uint32_t w[4][4], *w2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 ARIA_VALIDATE_RET(ctx != NULL);
367 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]369 if (keybits != 128 && keybits != 192 && keybits != 256) {
370 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
371 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]372
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]373 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]374 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
375 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
376 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
377 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 memset(w[1], 0, 16);
380 if (keybits >= 192) {
381 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
382 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]383 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 if (keybits == 256) {
385 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
386 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387 }
388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]390 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
391
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]392 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]393 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]394 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]395 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]396 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]397
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]398 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]399 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
401 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
402 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
403 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]404 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]405 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]406
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]407 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]410 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411}
412
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]413/*
414 * Set decryption key
415 */
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]416#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]417int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
418 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]419{
420 int i, j, k, ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]421 ARIA_VALIDATE_RET(ctx != NULL);
422 ARIA_VALIDATE_RET(key != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
425 if (ret != 0) {
426 return ret;
427 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]428
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]429 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]430 for (i = 0, j = ctx->nr; i < j; i++, j--) {
431 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]432 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433 ctx->rk[i][k] = ctx->rk[j][k];
434 ctx->rk[j][k] = t;
435 }
436 }
437
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]438 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 for (i = 1; i < ctx->nr; i++) {
440 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
441 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]442 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]443
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]444 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]445}
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]446#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]447
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]448/*
449 * Encrypt a block
450 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]451int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
452 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
453 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]454{
455 int i;
456
457 uint32_t a, b, c, d;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 ARIA_VALIDATE_RET(ctx != NULL);
459 ARIA_VALIDATE_RET(input != NULL);
460 ARIA_VALIDATE_RET(output != NULL);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]461
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 a = MBEDTLS_GET_UINT32_LE(input, 0);
463 b = MBEDTLS_GET_UINT32_LE(input, 4);
464 c = MBEDTLS_GET_UINT32_LE(input, 8);
465 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]466
467 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]468 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]469 a ^= ctx->rk[i][0];
470 b ^= ctx->rk[i][1];
471 c ^= ctx->rk[i][2];
472 d ^= ctx->rk[i][3];
473 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]475 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
476 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]477
478 a ^= ctx->rk[i][0];
479 b ^= ctx->rk[i][1];
480 c ^= ctx->rk[i][2];
481 d ^= ctx->rk[i][3];
482 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]484 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
485 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]486 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 }
488 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]489 }
490
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]491 /* final key mixing */
492 a ^= ctx->rk[i][0];
493 b ^= ctx->rk[i][1];
494 c ^= ctx->rk[i][2];
495 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]496
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]497 MBEDTLS_PUT_UINT32_LE(a, output, 0);
498 MBEDTLS_PUT_UINT32_LE(b, output, 4);
499 MBEDTLS_PUT_UINT32_LE(c, output, 8);
500 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]503}
504
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]505/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]506void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]507{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]508 ARIA_VALIDATE(ctx != NULL);
509 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]510}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]511
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]512/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]513void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]514{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]516 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]517 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]518
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]519 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]520}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]521
522#if defined(MBEDTLS_CIPHER_MODE_CBC)
523/*
524 * ARIA-CBC buffer encryption/decryption
525 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]526int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
527 int mode,
528 size_t length,
529 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
530 const unsigned char *input,
531 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]532{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]533 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]534
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]535 ARIA_VALIDATE_RET(ctx != NULL);
536 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
537 mode == MBEDTLS_ARIA_DECRYPT);
538 ARIA_VALIDATE_RET(length == 0 || input != NULL);
539 ARIA_VALIDATE_RET(length == 0 || output != NULL);
540 ARIA_VALIDATE_RET(iv != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
543 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
544 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]546 if (mode == MBEDTLS_ARIA_DECRYPT) {
547 while (length > 0) {
548 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
549 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]551 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]552
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]553 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]554
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]555 input += MBEDTLS_ARIA_BLOCKSIZE;
556 output += MBEDTLS_ARIA_BLOCKSIZE;
557 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]558 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]559 } else {
560 while (length > 0) {
561 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 mbedtls_aria_crypt_ecb(ctx, output, output);
564 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]565
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]566 input += MBEDTLS_ARIA_BLOCKSIZE;
567 output += MBEDTLS_ARIA_BLOCKSIZE;
568 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]569 }
570 }
571
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]572 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]573}
574#endif /* MBEDTLS_CIPHER_MODE_CBC */
575
576#if defined(MBEDTLS_CIPHER_MODE_CFB)
577/*
578 * ARIA-CFB128 buffer encryption/decryption
579 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
581 int mode,
582 size_t length,
583 size_t *iv_off,
584 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
585 const unsigned char *input,
586 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]587{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]588 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]589 size_t n;
590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]591 ARIA_VALIDATE_RET(ctx != NULL);
592 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
593 mode == MBEDTLS_ARIA_DECRYPT);
594 ARIA_VALIDATE_RET(length == 0 || input != NULL);
595 ARIA_VALIDATE_RET(length == 0 || output != NULL);
596 ARIA_VALIDATE_RET(iv != NULL);
597 ARIA_VALIDATE_RET(iv_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]598
599 n = *iv_off;
600
601 /* An overly large value of n can lead to an unlimited
602 * buffer overflow. Therefore, guard against this
603 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
605 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
606 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]608 if (mode == MBEDTLS_ARIA_DECRYPT) {
609 while (length--) {
610 if (n == 0) {
611 mbedtls_aria_crypt_ecb(ctx, iv, iv);
612 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]613
614 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]615 *output++ = c ^ iv[n];
616 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]619 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 } else {
621 while (length--) {
622 if (n == 0) {
623 mbedtls_aria_crypt_ecb(ctx, iv, iv);
624 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]625
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]626 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]627
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]628 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]629 }
630 }
631
632 *iv_off = n;
633
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]635}
636#endif /* MBEDTLS_CIPHER_MODE_CFB */
637
638#if defined(MBEDTLS_CIPHER_MODE_CTR)
639/*
640 * ARIA-CTR buffer encryption/decryption
641 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
643 size_t length,
644 size_t *nc_off,
645 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
646 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
647 const unsigned char *input,
648 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]649{
650 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]651 size_t n;
652
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]653 ARIA_VALIDATE_RET(ctx != NULL);
654 ARIA_VALIDATE_RET(length == 0 || input != NULL);
655 ARIA_VALIDATE_RET(length == 0 || output != NULL);
656 ARIA_VALIDATE_RET(nonce_counter != NULL);
657 ARIA_VALIDATE_RET(stream_block != NULL);
658 ARIA_VALIDATE_RET(nc_off != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]659
660 n = *nc_off;
661 /* An overly large value of n can lead to an unlimited
662 * buffer overflow. Therefore, guard against this
663 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
665 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
666 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]667
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]668 while (length--) {
669 if (n == 0) {
670 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
671 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]673 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
674 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]675 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
677 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]678 }
679 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]680 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]681
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]683 }
684
685 *nc_off = n;
686
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]687 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]688}
689#endif /* MBEDTLS_CIPHER_MODE_CTR */
690#endif /* !MBEDTLS_ARIA_ALT */
691
692#if defined(MBEDTLS_SELF_TEST)
693
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]694/*
695 * Basic ARIA ECB test vectors from RFC 5794
696 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]697static const uint8_t aria_test1_ecb_key[32] = // test key
698{
699 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
700 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
701 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
702 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
703};
704
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]705static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]706{
707 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
708 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
709};
710
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]711static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]712{
713 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
714 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
715 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
716 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
717 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
718 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
719};
720
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]721/*
722 * Mode tests from "Test Vectors for ARIA" Version 1.0
723 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
724 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]725#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]726 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]727static const uint8_t aria_test2_key[32] =
728{
729 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
730 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
731 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
732 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
733};
734
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]735static const uint8_t aria_test2_pt[48] =
736{
737 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
738 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
739 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
740 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
741 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
742 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
743};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]744#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]745
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]746#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]747static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]748{
749 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
750 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
751};
752#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]753
754#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]755static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]756{
757 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
758 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
759 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
760 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
761 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
762 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
763 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
764 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
765 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
766 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
767 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
768 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
769 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
770 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
771 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
772 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
773 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
774 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
775};
776#endif /* MBEDTLS_CIPHER_MODE_CBC */
777
778#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]779static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]780{
781 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
782 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
783 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
784 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
785 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
786 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
787 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
788 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
789 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
790 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
791 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
792 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
793 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
794 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
795 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
796 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
797 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
798 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
799};
800#endif /* MBEDTLS_CIPHER_MODE_CFB */
801
802#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]803static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]804{
805 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
806 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
807 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
808 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
809 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
810 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
811 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
812 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
813 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
814 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
815 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
816 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
817 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
818 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
819 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
820 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
821 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
822 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
823};
824#endif /* MBEDTLS_CIPHER_MODE_CFB */
825
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]826#define ARIA_SELF_TEST_ASSERT(cond) \
827 do { \
828 if (cond) { \
829 if (verbose) \
830 mbedtls_printf("failed\n"); \
831 goto exit; \
832 } else { \
833 if (verbose) \
834 mbedtls_printf("passed\n"); \
835 } \
836 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]837
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]838/*
839 * Checkup routine
840 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]841int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]842{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]843 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]844 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]845 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]846 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]847
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]848#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
849 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]850#endif
851
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]852#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]853 defined(MBEDTLS_CIPHER_MODE_CFB) || \
854 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]855 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]856#endif
857
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]858 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]859
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]860 /*
861 * Test set 1
862 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]863 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]864 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]865 if (verbose) {
866 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
867 }
868 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
869 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]870 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
872 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]873
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]874 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]875 if (verbose) {
876 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]877#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]878 mbedtls_printf("skipped\n");
879#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]880 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]881
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]882#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]883 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
884 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]885 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]886 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
887 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]888#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]889 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]890 if (verbose) {
891 mbedtls_printf("\n");
892 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]893
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]894 /*
895 * Test set 2
896 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]897#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]899 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]900 if (verbose) {
901 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
902 }
903 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
904 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
905 memset(buf, 0x55, sizeof(buf));
906 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
907 aria_test2_pt, buf);
908 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
909 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]910
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]911 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]912 if (verbose) {
913 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
914 }
915 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
916 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
917 memset(buf, 0xAA, sizeof(buf));
918 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
919 aria_test2_cbc_ct[i], buf);
920 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]921 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 if (verbose) {
923 mbedtls_printf("\n");
924 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]925
926#endif /* MBEDTLS_CIPHER_MODE_CBC */
927
928#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]930 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 if (verbose) {
932 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
933 }
934 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
935 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
936 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]937 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]938 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
939 aria_test2_pt, buf);
940 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]941
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]942 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]943 if (verbose) {
944 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
945 }
946 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
947 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
948 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]949 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
951 iv, aria_test2_cfb_ct[i], buf);
952 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]953 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 if (verbose) {
955 mbedtls_printf("\n");
956 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]957#endif /* MBEDTLS_CIPHER_MODE_CFB */
958
959#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]960 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]961 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 if (verbose) {
963 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
964 }
965 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
966 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
967 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]968 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
970 aria_test2_pt, buf);
971 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]972
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]973 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 if (verbose) {
975 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
976 }
977 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
978 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
979 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]980 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]981 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
982 aria_test2_ctr_ct[i], buf);
983 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]984 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]985 if (verbose) {
986 mbedtls_printf("\n");
987 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]988#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]989
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]990 ret = 0;
991
992exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 mbedtls_aria_free(&ctx);
994 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]995}
996
997#endif /* MBEDTLS_SELF_TEST */
998
999#endif /* MBEDTLS_ARIA_C */