TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a45a399a6b7418118fd441b4240b583ae3b60a32 / . / library / aria.c
blob: 2c365982c1f1aaa3990e6555bb454bac22522984 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]26#include "mbedtls/platform_util.h"
27
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]28/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]29 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]30 *
31 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]32 *
33 * Common compilers fail to translate this to minimal number of instructions,
34 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]35 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]36#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]37#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]38/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]40 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]41 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]43{
44 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]47}
48#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]49#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]50 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]52{
53 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 __asm("rev16 r, x");
55 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56}
57#define ARIA_P1 aria_p1
58#endif
59#endif /* arm */
60#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]62/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]64#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]65#endif /* MBEDTLS_HAVE_ASM && GNUC */
66#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]67#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]68#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]69
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]70/*
71 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72 *
73 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]74 *
75 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]76 */
77#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]78
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]79/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]80 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81 *
82 * This is submatrix P3 in [1] Appendix B.1
83 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]84#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]85
86/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]87 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]88 * (a, b, c, d) = state in/out
89 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]90 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]91 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]93 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]94 * rearrangements on adjacent pairs, output is:
95 *
96 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]98 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]99 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]100 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]101 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]102 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]103 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104 *
105 * Note: another presentation of the A transform can be found as the first
106 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]108 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109static inline void aria_a(uint32_t *a, uint32_t *b,
110 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]111{
112 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]113 ta = *b; // 4567
114 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]115 *a = ARIA_P2(ta); // 6745
116 tb = ARIA_P2(*d); // efcd
117 *d = ARIA_P1(*c); // 98ba
118 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 tc = ARIA_P2(*b); // 2301
121 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
122 tb ^= ARIA_P2(*d); // ba98+efcd
123 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]124 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]125 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
126 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
128 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129 tc = ARIA_P2(tc); // 0123+5476
130 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]131}
132
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]133/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]134 * ARIA Substitution Layer SL1 / SL2
135 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]136 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]137 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]138 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]140 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141static inline void aria_sl(uint32_t *a, uint32_t *b,
142 uint32_t *c, uint32_t *d,
143 const uint8_t sa[256], const uint8_t sb[256],
144 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]145{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
148 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
152 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
156 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
160 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]162}
163
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]164/*
165 * S-Boxes
166 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]167static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]168{
169 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190 0xB0, 0x54, 0xBB, 0x16
191};
192
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]193static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]194{
195 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216 0xAF, 0xBA, 0xB5, 0x81
217};
218
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]219static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]220{
221 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242 0x55, 0x21, 0x0C, 0x7D
243};
244
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]245static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]246{
247 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268 0x03, 0xA2, 0xAC, 0x60
269};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]270
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]271/*
272 * Helper for key schedule: r = FO( p, k ) ^ x
273 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276{
277 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278
279 a = p[0] ^ k[0];
280 b = p[1] ^ k[1];
281 c = p[2] ^ k[2];
282 d = p[3] ^ k[3];
283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]284 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286
287 r[0] = a ^ x[0];
288 r[1] = b ^ x[1];
289 r[2] = c ^ x[2];
290 r[3] = d ^ x[3];
291}
292
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]293/*
294 * Helper for key schedule: r = FE( p, k ) ^ x
295 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]296static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]298{
299 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]300
301 a = p[0] ^ k[0];
302 b = p[1] ^ k[1];
303 c = p[2] ^ k[2];
304 d = p[3] ^ k[3];
305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]308
309 r[0] = a ^ x[0];
310 r[1] = b ^ x[1];
311 r[2] = c ^ x[2];
312 r[3] = d ^ x[3];
313}
314
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]315/*
316 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317 *
318 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]319 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]321 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]324{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]325 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]326 uint32_t t, u;
327
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]328 const uint8_t n1 = n % 32; // bit offset
329 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 j = (n / 32) % 4; // initial word offset
332 t = ARIA_P3(b[j]); // big endian
333 for (i = 0; i < 4; i++) {
334 j = (j + 1) % 4; // get next word, big endian
335 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]337 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]338 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]339 r[i] = a[i] ^ t; // store
340 t = u; // move to next word
341 }
342}
343
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]344/*
345 * Set encryption key
346 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]347int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]349{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]350 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]351 const uint32_t rc[3][4] =
352 {
353 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
354 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
355 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
356 };
357
358 int i;
359 uint32_t w[4][4], *w2;
360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 if (keybits != 128 && keybits != 192 && keybits != 256) {
362 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]364
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]365 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
367 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
368 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
369 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 memset(w[1], 0, 16);
372 if (keybits >= 192) {
373 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
374 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]375 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376 if (keybits == 256) {
377 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
378 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]379 }
380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]382 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]385 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]391 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]392 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
394 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
395 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]398
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]399 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403}
404
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]405/*
406 * Set decryption key
407 */
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]408#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411{
412 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]414 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415 if (ret != 0) {
416 return ret;
417 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]419 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 for (i = 0, j = ctx->nr; i < j; i++, j--) {
421 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]422 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423 ctx->rk[i][k] = ctx->rk[j][k];
424 ctx->rk[j][k] = t;
425 }
426 }
427
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]428 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 for (i = 1; i < ctx->nr; i++) {
430 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]432 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]434 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435}
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]436#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]437
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]438/*
439 * Encrypt a block
440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]444{
445 int i;
446
447 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]449 a = MBEDTLS_GET_UINT32_LE(input, 0);
450 b = MBEDTLS_GET_UINT32_LE(input, 4);
451 c = MBEDTLS_GET_UINT32_LE(input, 8);
452 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]453
454 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]456 a ^= ctx->rk[i][0];
457 b ^= ctx->rk[i][1];
458 c ^= ctx->rk[i][2];
459 d ^= ctx->rk[i][3];
460 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]461
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]464
465 a ^= ctx->rk[i][0];
466 b ^= ctx->rk[i][1];
467 c ^= ctx->rk[i][2];
468 d ^= ctx->rk[i][3];
469 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]473 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 }
475 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476 }
477
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]478 /* final key mixing */
479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]484 MBEDTLS_PUT_UINT32_LE(a, output, 0);
485 MBEDTLS_PUT_UINT32_LE(b, output, 4);
486 MBEDTLS_PUT_UINT32_LE(c, output, 8);
487 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]489 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490}
491
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]492/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]493void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]494{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]495 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]496}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]497
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]498/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]500{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]502 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]506}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]507
508#if defined(MBEDTLS_CIPHER_MODE_CBC)
509/*
510 * ARIA-CBC buffer encryption/decryption
511 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]512int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513 int mode,
514 size_t length,
515 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516 const unsigned char *input,
517 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]518{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]519 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
521 mode == MBEDTLS_ARIA_DECRYPT);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]523 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
524 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
525 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if (mode == MBEDTLS_ARIA_DECRYPT) {
528 while (length > 0) {
529 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
530 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]532 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]535
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]536 input += MBEDTLS_ARIA_BLOCKSIZE;
537 output += MBEDTLS_ARIA_BLOCKSIZE;
538 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]539 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]540 } else {
541 while (length > 0) {
542 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]543
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]544 mbedtls_aria_crypt_ecb(ctx, output, output);
545 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]546
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]547 input += MBEDTLS_ARIA_BLOCKSIZE;
548 output += MBEDTLS_ARIA_BLOCKSIZE;
549 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]550 }
551 }
552
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]553 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]554}
555#endif /* MBEDTLS_CIPHER_MODE_CBC */
556
557#if defined(MBEDTLS_CIPHER_MODE_CFB)
558/*
559 * ARIA-CFB128 buffer encryption/decryption
560 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]561int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
562 int mode,
563 size_t length,
564 size_t *iv_off,
565 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
566 const unsigned char *input,
567 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]568{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]569 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]570 size_t n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
572 mode == MBEDTLS_ARIA_DECRYPT);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]573
574 n = *iv_off;
575
576 /* An overly large value of n can lead to an unlimited
577 * buffer overflow. Therefore, guard against this
578 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
580 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
581 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]582
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]583 if (mode == MBEDTLS_ARIA_DECRYPT) {
584 while (length--) {
585 if (n == 0) {
586 mbedtls_aria_crypt_ecb(ctx, iv, iv);
587 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]588
589 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]590 *output++ = c ^ iv[n];
591 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]592
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]593 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]594 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]595 } else {
596 while (length--) {
597 if (n == 0) {
598 mbedtls_aria_crypt_ecb(ctx, iv, iv);
599 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]600
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]601 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]602
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]603 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]604 }
605 }
606
607 *iv_off = n;
608
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]609 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]610}
611#endif /* MBEDTLS_CIPHER_MODE_CFB */
612
613#if defined(MBEDTLS_CIPHER_MODE_CTR)
614/*
615 * ARIA-CTR buffer encryption/decryption
616 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
618 size_t length,
619 size_t *nc_off,
620 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
621 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
622 const unsigned char *input,
623 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]624{
625 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]626 size_t n;
627
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]628 ARIA_VALIDATE_RET(length == 0 || input != NULL);
629 ARIA_VALIDATE_RET(length == 0 || output != NULL);
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]630
631 n = *nc_off;
632 /* An overly large value of n can lead to an unlimited
633 * buffer overflow. Therefore, guard against this
634 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]635 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
636 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
637 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]638
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]639 while (length--) {
640 if (n == 0) {
641 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
642 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]644 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
645 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]646 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 }
648 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]649 }
650 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]651 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]652
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]653 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]654 }
655
656 *nc_off = n;
657
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]659}
660#endif /* MBEDTLS_CIPHER_MODE_CTR */
661#endif /* !MBEDTLS_ARIA_ALT */
662
663#if defined(MBEDTLS_SELF_TEST)
664
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]665/*
666 * Basic ARIA ECB test vectors from RFC 5794
667 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]668static const uint8_t aria_test1_ecb_key[32] = // test key
669{
670 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
671 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
672 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
673 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
674};
675
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]676static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]677{
678 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
679 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
680};
681
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]682static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]683{
684 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
685 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
686 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
687 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
688 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
689 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
690};
691
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]692/*
693 * Mode tests from "Test Vectors for ARIA" Version 1.0
694 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
695 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]696#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]697 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]698static const uint8_t aria_test2_key[32] =
699{
700 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
701 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
702 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
703 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
704};
705
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]706static const uint8_t aria_test2_pt[48] =
707{
708 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
709 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
710 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
711 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
712 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
713 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
714};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]715#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]716
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]717#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]718static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]719{
720 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
721 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
722};
723#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]724
725#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]726static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]727{
728 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
729 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
730 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
731 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
732 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
733 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
734 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
735 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
736 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
737 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
738 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
739 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
740 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
741 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
742 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
743 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
744 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
745 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
746};
747#endif /* MBEDTLS_CIPHER_MODE_CBC */
748
749#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]750static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]751{
752 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
753 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
754 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
755 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
756 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
757 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
758 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
759 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
760 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
761 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
762 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
763 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
764 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
765 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
766 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
767 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
768 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
769 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
770};
771#endif /* MBEDTLS_CIPHER_MODE_CFB */
772
773#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]774static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]775{
776 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
777 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
778 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
779 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
780 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
781 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
782 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
783 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
784 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
785 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
786 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
787 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
788 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
789 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
790 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
791 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
792 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
793 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
794};
795#endif /* MBEDTLS_CIPHER_MODE_CFB */
796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]797#define ARIA_SELF_TEST_ASSERT(cond) \
798 do { \
799 if (cond) { \
800 if (verbose) \
801 mbedtls_printf("failed\n"); \
802 goto exit; \
803 } else { \
804 if (verbose) \
805 mbedtls_printf("passed\n"); \
806 } \
807 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]808
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]809/*
810 * Checkup routine
811 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]812int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]813{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]814 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]815 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]816 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]817 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]818
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]819#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
820 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]821#endif
822
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]823#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]824 defined(MBEDTLS_CIPHER_MODE_CFB) || \
825 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]826 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]827#endif
828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]829 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]830
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]831 /*
832 * Test set 1
833 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]835 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]836 if (verbose) {
837 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
838 }
839 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
840 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]841 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]842 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
843 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]844
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]845 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]846 if (verbose) {
847 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]848#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]849 mbedtls_printf("skipped\n");
850#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]851 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]852
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]853#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
855 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]856 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]857 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
858 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]859#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]860 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]861 if (verbose) {
862 mbedtls_printf("\n");
863 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]864
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]865 /*
866 * Test set 2
867 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]868#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]869 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]870 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 if (verbose) {
872 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
873 }
874 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
875 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
876 memset(buf, 0x55, sizeof(buf));
877 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
878 aria_test2_pt, buf);
879 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
880 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]881
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]882 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]883 if (verbose) {
884 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
885 }
886 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
887 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
888 memset(buf, 0xAA, sizeof(buf));
889 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
890 aria_test2_cbc_ct[i], buf);
891 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]892 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]893 if (verbose) {
894 mbedtls_printf("\n");
895 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]896
897#endif /* MBEDTLS_CIPHER_MODE_CBC */
898
899#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]900 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]901 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]902 if (verbose) {
903 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
904 }
905 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
906 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
907 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]908 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]909 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
910 aria_test2_pt, buf);
911 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]912
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]913 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]914 if (verbose) {
915 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
916 }
917 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
918 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
919 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]920 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]921 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
922 iv, aria_test2_cfb_ct[i], buf);
923 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]924 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 if (verbose) {
926 mbedtls_printf("\n");
927 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]928#endif /* MBEDTLS_CIPHER_MODE_CFB */
929
930#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]932 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]933 if (verbose) {
934 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
935 }
936 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
937 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
938 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]939 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]940 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
941 aria_test2_pt, buf);
942 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]943
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]944 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]945 if (verbose) {
946 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
947 }
948 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
949 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
950 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]951 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]952 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
953 aria_test2_ctr_ct[i], buf);
954 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]955 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]956 if (verbose) {
957 mbedtls_printf("\n");
958 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]959#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]960
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]961 ret = 0;
962
963exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]964 mbedtls_aria_free(&ctx);
965 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]966}
967
968#endif /* MBEDTLS_SELF_TEST */
969
970#endif /* MBEDTLS_ARIA_C */