TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ea3a6114e6fd8feada89ba550d563546aa521cc9 / . / library / aria.c
blob: a4d6c5062f3d8aaf9c79a3fe4a7acbffe9c81338 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]6 */
7
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]8/*
9 * This implementation is based on the following standards:
10 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11 * [2] https://tools.ietf.org/html/rfc5794
12 */
13
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]14#include "common.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]15
16#if defined(MBEDTLS_ARIA_C)
17
18#include "mbedtls/aria.h"
19
20#include <string.h>
21
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]22#include "mbedtls/platform.h"
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]23
24#if !defined(MBEDTLS_ARIA_ALT)
25
Manuel Pégourié-Gonnard7124fb62018-05-22 16:05:33 +0200[diff] [blame]26#include "mbedtls/platform_util.h"
27
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]28/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]29 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]30 *
31 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]32 *
33 * Common compilers fail to translate this to minimal number of instructions,
34 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]35 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]36#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]37#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]38/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
39#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]40 (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]41 __ARM_ARCH >= 6
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]43{
44 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45 __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
46 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]47}
48#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]49#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]50 (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
51static inline uint32_t aria_p1(uint32_t x)
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]52{
53 uint32_t r;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]54 __asm("rev16 r, x");
55 return r;
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]56}
57#define ARIA_P1 aria_p1
58#endif
59#endif /* arm */
60#if defined(__GNUC__) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61 defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame]62/* I couldn't find an Intel equivalent of rev16, so two instructions */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]64#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]65#endif /* MBEDTLS_HAVE_ASM && GNUC */
66#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]67#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]68#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]69
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]70/*
71 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
72 *
73 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]74 *
75 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]76 */
77#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]78
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]79/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]80 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
81 *
82 * This is submatrix P3 in [1] Appendix B.1
83 */
Dave Rodgman2d0f27d2022-11-30 11:54:34 +0000[diff] [blame]84#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]85
86/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]87 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]88 * (a, b, c, d) = state in/out
89 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]90 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]91 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
92 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]93 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]94 * rearrangements on adjacent pairs, output is:
95 *
96 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
97 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]98 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]99 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]100 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]101 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]102 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]103 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
104 *
105 * Note: another presentation of the A transform can be found as the first
106 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
107 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]108 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109static inline void aria_a(uint32_t *a, uint32_t *b,
110 uint32_t *c, uint32_t *d)
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]111{
112 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]113 ta = *b; // 4567
114 *b = *a; // 0123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]115 *a = ARIA_P2(ta); // 6745
116 tb = ARIA_P2(*d); // efcd
117 *d = ARIA_P1(*c); // 98ba
118 *c = ARIA_P1(tb); // fedc
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]119 ta ^= *d; // 4567+98ba
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 tc = ARIA_P2(*b); // 2301
121 ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
122 tb ^= ARIA_P2(*d); // ba98+efcd
123 tc ^= ARIA_P1(*a); // 2301+7654
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]124 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]125 tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
126 *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
127 ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
128 *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
129 tc = ARIA_P2(tc); // 0123+5476
130 *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]131}
132
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]133/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]134 * ARIA Substitution Layer SL1 / SL2
135 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]136 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]137 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]138 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
139 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]140 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]141static inline void aria_sl(uint32_t *a, uint32_t *b,
142 uint32_t *c, uint32_t *d,
143 const uint8_t sa[256], const uint8_t sb[256],
144 const uint8_t sc[256], const uint8_t sd[256])
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]145{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]146 *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
147 (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
148 (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
149 (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
150 *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
151 (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
152 (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
153 (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
154 *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
155 (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
156 (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
157 (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
158 *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
159 (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
160 (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
161 (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]162}
163
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]164/*
165 * S-Boxes
166 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]167static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]168{
169 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
170 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
171 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
172 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
173 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
174 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
175 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
176 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
177 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
178 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
179 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
180 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
181 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
182 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
183 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
184 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
185 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
186 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
187 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
188 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
189 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
190 0xB0, 0x54, 0xBB, 0x16
191};
192
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]193static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]194{
195 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
196 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
197 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
198 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
199 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
200 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
201 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
202 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
203 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
204 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
205 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
206 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
207 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
208 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
209 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
210 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
211 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
212 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
213 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
214 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
215 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
216 0xAF, 0xBA, 0xB5, 0x81
217};
218
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]219static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]220{
221 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
222 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
223 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
224 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
225 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
226 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
227 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
228 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
230 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
231 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
232 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
233 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
234 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
235 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
236 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
238 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
239 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
240 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
241 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
242 0x55, 0x21, 0x0C, 0x7D
243};
244
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]245static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]246{
247 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
248 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
249 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
250 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
251 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
252 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
253 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
254 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
255 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
256 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
257 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
258 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
259 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
260 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
261 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
262 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
263 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
264 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
265 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
266 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
267 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
268 0x03, 0xA2, 0xAC, 0x60
269};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]270
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]271/*
272 * Helper for key schedule: r = FO( p, k ) ^ x
273 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
275 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]276{
277 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]278
279 a = p[0] ^ k[0];
280 b = p[1] ^ k[1];
281 c = p[2] ^ k[2];
282 d = p[3] ^ k[3];
283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]284 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
285 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]286
287 r[0] = a ^ x[0];
288 r[1] = b ^ x[1];
289 r[2] = c ^ x[2];
290 r[3] = d ^ x[3];
291}
292
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]293/*
294 * Helper for key schedule: r = FE( p, k ) ^ x
295 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]296static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
297 const uint32_t k[4], const uint32_t x[4])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]298{
299 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]300
301 a = p[0] ^ k[0];
302 b = p[1] ^ k[1];
303 c = p[2] ^ k[2];
304 d = p[3] ^ k[3];
305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
307 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]308
309 r[0] = a ^ x[0];
310 r[1] = b ^ x[1];
311 r[2] = c ^ x[2];
312 r[3] = d ^ x[3];
313}
314
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]315/*
316 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
317 *
318 * We chose to store bytes into 32-bit words in little-endian format (see
Joe Subbiani394bdd62021-07-07 15:16:56 +0100[diff] [blame]319 * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
320 * bytes here.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]321 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322static void aria_rot128(uint32_t r[4], const uint32_t a[4],
323 const uint32_t b[4], uint8_t n)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]324{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]325 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]326 uint32_t t, u;
327
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]328 const uint8_t n1 = n % 32; // bit offset
329 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 j = (n / 32) % 4; // initial word offset
332 t = ARIA_P3(b[j]); // big endian
333 for (i = 0; i < 4; i++) {
334 j = (j + 1) % 4; // get next word, big endian
335 u = ARIA_P3(b[j]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]336 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]337 t |= u >> n2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]338 t = ARIA_P3(t); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]339 r[i] = a[i] ^ t; // store
340 t = u; // move to next word
341 }
342}
343
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]344/*
345 * Set encryption key
346 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]347int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
348 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]349{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]350 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]351 const uint32_t rc[3][4] =
352 {
353 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
354 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
355 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
356 };
357
358 int i;
359 uint32_t w[4][4], *w2;
360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 if (keybits != 128 && keybits != 192 && keybits != 256) {
362 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
363 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]364
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]365 /* Copy key to W0 (and potential remainder to W1) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
367 w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
368 w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
369 w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 memset(w[1], 0, 16);
372 if (keybits >= 192) {
373 w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
374 w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]375 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376 if (keybits == 256) {
377 w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
378 w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]379 }
380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 i = (keybits - 128) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]382 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]385 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]387 i = i < 2 ? i + 1 : 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 for (i = 0; i < 4; i++) { // create round keys
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]391 w2 = w[(i + 1) & 3];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]392 aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
393 aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
394 aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
395 aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]396 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 aria_rot128(ctx->rk[16], w[0], w[1], 19);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]398
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]399 /* w holds enough info to reconstruct the round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 mbedtls_platform_zeroize(w, sizeof(w));
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403}
404
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]405/*
406 * Set decryption key
407 */
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]408#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
410 const unsigned char *key, unsigned int keybits)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]411{
412 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]414 ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
415 if (ret != 0) {
416 return ret;
417 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]419 /* flip the order of round keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 for (i = 0, j = ctx->nr; i < j; i++, j--) {
421 for (k = 0; k < 4; k++) {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]422 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]423 ctx->rk[i][k] = ctx->rk[j][k];
424 ctx->rk[j][k] = t;
425 }
426 }
427
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]428 /* apply affine transform to middle keys */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 for (i = 1; i < ctx->nr; i++) {
430 aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
431 &ctx->rk[i][2], &ctx->rk[i][3]);
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]432 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]434 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]435}
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]436#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]437
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]438/*
439 * Encrypt a block
440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
442 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
443 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]444{
445 int i;
446
447 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]449 a = MBEDTLS_GET_UINT32_LE(input, 0);
450 b = MBEDTLS_GET_UINT32_LE(input, 4);
451 c = MBEDTLS_GET_UINT32_LE(input, 8);
452 d = MBEDTLS_GET_UINT32_LE(input, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]453
454 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 while (1) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]456 a ^= ctx->rk[i][0];
457 b ^= ctx->rk[i][1];
458 c ^= ctx->rk[i][2];
459 d ^= ctx->rk[i][3];
460 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]461
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
463 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]464
465 a ^= ctx->rk[i][0];
466 b ^= ctx->rk[i][1];
467 c ^= ctx->rk[i][2];
468 d ^= ctx->rk[i][3];
469 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
472 if (i >= ctx->nr) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]473 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 }
475 aria_a(&a, &b, &c, &d);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]476 }
477
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]478 /* final key mixing */
479 a ^= ctx->rk[i][0];
480 b ^= ctx->rk[i][1];
481 c ^= ctx->rk[i][2];
482 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]484 MBEDTLS_PUT_UINT32_LE(a, output, 0);
485 MBEDTLS_PUT_UINT32_LE(b, output, 4);
486 MBEDTLS_PUT_UINT32_LE(c, output, 8);
487 MBEDTLS_PUT_UINT32_LE(d, output, 12);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]489 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]490}
491
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]492/* Initialize context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]493void mbedtls_aria_init(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]494{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]495 memset(ctx, 0, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]496}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]497
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]498/* Clear context */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499void mbedtls_aria_free(mbedtls_aria_context *ctx)
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]500{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 if (ctx == NULL) {
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]502 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 }
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]506}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]507
508#if defined(MBEDTLS_CIPHER_MODE_CBC)
509/*
510 * ARIA-CBC buffer encryption/decryption
511 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]512int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
513 int mode,
514 size_t length,
515 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
516 const unsigned char *input,
517 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]518{
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]519 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame^]520
521 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
522 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
523 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525 if (length % MBEDTLS_ARIA_BLOCKSIZE) {
526 return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
527 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 if (mode == MBEDTLS_ARIA_DECRYPT) {
530 while (length > 0) {
531 memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
532 mbedtls_aria_crypt_ecb(ctx, input, output);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]536 memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]537
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]538 input += MBEDTLS_ARIA_BLOCKSIZE;
539 output += MBEDTLS_ARIA_BLOCKSIZE;
540 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]541 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 } else {
543 while (length > 0) {
544 mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]546 mbedtls_aria_crypt_ecb(ctx, output, output);
547 memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]548
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]549 input += MBEDTLS_ARIA_BLOCKSIZE;
550 output += MBEDTLS_ARIA_BLOCKSIZE;
551 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]552 }
553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]556}
557#endif /* MBEDTLS_CIPHER_MODE_CBC */
558
559#if defined(MBEDTLS_CIPHER_MODE_CFB)
560/*
561 * ARIA-CFB128 buffer encryption/decryption
562 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
564 int mode,
565 size_t length,
566 size_t *iv_off,
567 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
568 const unsigned char *input,
569 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]570{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]571 unsigned char c;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]572 size_t n;
Valerio Settiea3a6112024-01-29 10:37:14 +0100[diff] [blame^]573
574 if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
575 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
576 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]577
578 n = *iv_off;
579
580 /* An overly large value of n can lead to an unlimited
581 * buffer overflow. Therefore, guard against this
582 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]583 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
584 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
585 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]586
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]587 if (mode == MBEDTLS_ARIA_DECRYPT) {
588 while (length--) {
589 if (n == 0) {
590 mbedtls_aria_crypt_ecb(ctx, iv, iv);
591 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]592
593 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]594 *output++ = c ^ iv[n];
595 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]596
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]597 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]598 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]599 } else {
600 while (length--) {
601 if (n == 0) {
602 mbedtls_aria_crypt_ecb(ctx, iv, iv);
603 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]604
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]605 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]607 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]608 }
609 }
610
611 *iv_off = n;
612
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]613 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]614}
615#endif /* MBEDTLS_CIPHER_MODE_CFB */
616
617#if defined(MBEDTLS_CIPHER_MODE_CTR)
618/*
619 * ARIA-CTR buffer encryption/decryption
620 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
622 size_t length,
623 size_t *nc_off,
624 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
625 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
626 const unsigned char *input,
627 unsigned char *output)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]628{
629 int c, i;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]630 size_t n;
631
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]632 n = *nc_off;
633 /* An overly large value of n can lead to an unlimited
634 * buffer overflow. Therefore, guard against this
635 * outside of parameter validation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
637 return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
638 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]640 while (length--) {
641 if (n == 0) {
642 mbedtls_aria_crypt_ecb(ctx, nonce_counter,
643 stream_block);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]644
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
646 if (++nonce_counter[i - 1] != 0) {
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]647 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 }
649 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]650 }
651 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]652 *output++ = (unsigned char) (c ^ stream_block[n]);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 n = (n + 1) & 0x0F;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]655 }
656
657 *nc_off = n;
658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]659 return 0;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]660}
661#endif /* MBEDTLS_CIPHER_MODE_CTR */
662#endif /* !MBEDTLS_ARIA_ALT */
663
664#if defined(MBEDTLS_SELF_TEST)
665
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]666/*
667 * Basic ARIA ECB test vectors from RFC 5794
668 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]669static const uint8_t aria_test1_ecb_key[32] = // test key
670{
671 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
672 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
673 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
674 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
675};
676
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]677static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]678{
679 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
680 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
681};
682
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]683static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]684{
685 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
686 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
687 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
688 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
689 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
690 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
691};
692
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]693/*
694 * Mode tests from "Test Vectors for ARIA" Version 1.0
695 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
696 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]697#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]698 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]699static const uint8_t aria_test2_key[32] =
700{
701 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
702 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
703 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
704 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
705};
706
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]707static const uint8_t aria_test2_pt[48] =
708{
709 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
710 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
711 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
712 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
713 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
714 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
715};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]716#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]717
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]718#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]719static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]720{
721 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
722 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
723};
724#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]725
726#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]727static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]728{
729 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
730 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
731 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
732 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
733 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
734 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
735 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
736 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
737 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
738 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
739 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
740 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
741 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
742 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
743 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
744 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
745 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
746 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
747};
748#endif /* MBEDTLS_CIPHER_MODE_CBC */
749
750#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]751static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]752{
753 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
754 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
755 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
756 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
757 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
758 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
759 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
760 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
761 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
762 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
763 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
764 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
765 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
766 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
767 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
768 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
769 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
770 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
771};
772#endif /* MBEDTLS_CIPHER_MODE_CFB */
773
774#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]775static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]776{
777 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
778 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
779 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
780 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
781 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
782 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
783 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
784 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
785 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
786 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
787 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
788 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
789 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
790 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
791 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
792 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
793 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
794 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
795};
796#endif /* MBEDTLS_CIPHER_MODE_CFB */
797
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]798#define ARIA_SELF_TEST_ASSERT(cond) \
799 do { \
800 if (cond) { \
801 if (verbose) \
802 mbedtls_printf("failed\n"); \
803 goto exit; \
804 } else { \
805 if (verbose) \
806 mbedtls_printf("passed\n"); \
807 } \
808 } while (0)
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]809
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]810/*
811 * Checkup routine
812 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813int mbedtls_aria_self_test(int verbose)
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]814{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]815 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]816 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]817 mbedtls_aria_context ctx;
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]818 int ret = 1;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]819
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]820#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
821 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]822#endif
823
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]824#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]825 defined(MBEDTLS_CIPHER_MODE_CFB) || \
826 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]827 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]828#endif
829
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]830 mbedtls_aria_init(&ctx);
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]831
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]832 /*
833 * Test set 1
834 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]835 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]836 /* test ECB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]837 if (verbose) {
838 mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
839 }
840 mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
841 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]842 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]843 memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
844 != 0);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]845
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]846 /* test ECB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847 if (verbose) {
848 mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]849#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]850 mbedtls_printf("skipped\n");
851#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 }
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]853
Yanray Wangb67b4742023-10-31 17:10:32 +0800[diff] [blame]854#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]855 mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
856 mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
David Horstmann9b0eb902022-10-25 10:23:34 +0100[diff] [blame]857 ARIA_SELF_TEST_ASSERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]858 memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
859 != 0);
Yanray Wang9141ad12023-08-24 14:53:16 +0800[diff] [blame]860#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]861 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]862 if (verbose) {
863 mbedtls_printf("\n");
864 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]865
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]866 /*
867 * Test set 2
868 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]869#if defined(MBEDTLS_CIPHER_MODE_CBC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]870 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]871 /* Test CBC encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 if (verbose) {
873 mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
874 }
875 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
876 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
877 memset(buf, 0x55, sizeof(buf));
878 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
879 aria_test2_pt, buf);
880 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
881 != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]882
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]883 /* Test CBC decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]884 if (verbose) {
885 mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
886 }
887 mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
888 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
889 memset(buf, 0xAA, sizeof(buf));
890 mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
891 aria_test2_cbc_ct[i], buf);
892 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]893 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 if (verbose) {
895 mbedtls_printf("\n");
896 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]897
898#endif /* MBEDTLS_CIPHER_MODE_CBC */
899
900#if defined(MBEDTLS_CIPHER_MODE_CFB)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]901 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]902 /* Test CFB encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]903 if (verbose) {
904 mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
905 }
906 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
907 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
908 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]909 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]910 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
911 aria_test2_pt, buf);
912 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]913
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]914 /* Test CFB decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]915 if (verbose) {
916 mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
917 }
918 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
919 memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
920 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]921 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
923 iv, aria_test2_cfb_ct[i], buf);
924 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]925 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]926 if (verbose) {
927 mbedtls_printf("\n");
928 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]929#endif /* MBEDTLS_CIPHER_MODE_CFB */
930
931#if defined(MBEDTLS_CIPHER_MODE_CTR)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]932 for (i = 0; i < 3; i++) {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]933 /* Test CTR encryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 if (verbose) {
935 mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
936 }
937 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
938 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
939 memset(buf, 0x55, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]940 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]941 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
942 aria_test2_pt, buf);
943 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]944
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]945 /* Test CTR decryption */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]946 if (verbose) {
947 mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
948 }
949 mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
950 memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
951 memset(buf, 0xAA, sizeof(buf));
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]952 j = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]953 mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
954 aria_test2_ctr_ct[i], buf);
955 ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]956 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]957 if (verbose) {
958 mbedtls_printf("\n");
959 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]960#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]961
Gilles Peskinebe89fea2021-05-25 09:17:22 +0200[diff] [blame]962 ret = 0;
963
964exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 mbedtls_aria_free(&ctx);
966 return ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]967}
968
969#endif /* MBEDTLS_SELF_TEST */
970
971#endif /* MBEDTLS_ARIA_C */