1*62c56f98SSadaf Ebrahimi /*
2*62c56f98SSadaf Ebrahimi * ARIA implementation
3*62c56f98SSadaf Ebrahimi *
4*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors
5*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6*62c56f98SSadaf Ebrahimi */
7*62c56f98SSadaf Ebrahimi
8*62c56f98SSadaf Ebrahimi /*
9*62c56f98SSadaf Ebrahimi * This implementation is based on the following standards:
10*62c56f98SSadaf Ebrahimi * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
11*62c56f98SSadaf Ebrahimi * [2] https://tools.ietf.org/html/rfc5794
12*62c56f98SSadaf Ebrahimi */
13*62c56f98SSadaf Ebrahimi
14*62c56f98SSadaf Ebrahimi #include "common.h"
15*62c56f98SSadaf Ebrahimi
16*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_ARIA_C)
17*62c56f98SSadaf Ebrahimi
18*62c56f98SSadaf Ebrahimi #include "mbedtls/aria.h"
19*62c56f98SSadaf Ebrahimi
20*62c56f98SSadaf Ebrahimi #include <string.h>
21*62c56f98SSadaf Ebrahimi
22*62c56f98SSadaf Ebrahimi #include "mbedtls/platform.h"
23*62c56f98SSadaf Ebrahimi
24*62c56f98SSadaf Ebrahimi #if !defined(MBEDTLS_ARIA_ALT)
25*62c56f98SSadaf Ebrahimi
26*62c56f98SSadaf Ebrahimi #include "mbedtls/platform_util.h"
27*62c56f98SSadaf Ebrahimi
28*62c56f98SSadaf Ebrahimi /* Parameter validation macros */
29*62c56f98SSadaf Ebrahimi #define ARIA_VALIDATE_RET(cond) \
30*62c56f98SSadaf Ebrahimi MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
31*62c56f98SSadaf Ebrahimi #define ARIA_VALIDATE(cond) \
32*62c56f98SSadaf Ebrahimi MBEDTLS_INTERNAL_VALIDATE(cond)
33*62c56f98SSadaf Ebrahimi
34*62c56f98SSadaf Ebrahimi /*
35*62c56f98SSadaf Ebrahimi * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
36*62c56f98SSadaf Ebrahimi *
37*62c56f98SSadaf Ebrahimi * This is submatrix P1 in [1] Appendix B.1
38*62c56f98SSadaf Ebrahimi *
39*62c56f98SSadaf Ebrahimi * Common compilers fail to translate this to minimal number of instructions,
40*62c56f98SSadaf Ebrahimi * so let's provide asm versions for common platforms with C fallback.
41*62c56f98SSadaf Ebrahimi */
42*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_ASM)
43*62c56f98SSadaf Ebrahimi #if defined(__arm__) /* rev16 available from v6 up */
44*62c56f98SSadaf Ebrahimi /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
45*62c56f98SSadaf Ebrahimi #if defined(__GNUC__) && \
46*62c56f98SSadaf Ebrahimi (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
47*62c56f98SSadaf Ebrahimi __ARM_ARCH >= 6
aria_p1(uint32_t x)48*62c56f98SSadaf Ebrahimi static inline uint32_t aria_p1(uint32_t x)
49*62c56f98SSadaf Ebrahimi {
50*62c56f98SSadaf Ebrahimi uint32_t r;
51*62c56f98SSadaf Ebrahimi __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
52*62c56f98SSadaf Ebrahimi return r;
53*62c56f98SSadaf Ebrahimi }
54*62c56f98SSadaf Ebrahimi #define ARIA_P1 aria_p1
55*62c56f98SSadaf Ebrahimi #elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
56*62c56f98SSadaf Ebrahimi (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
aria_p1(uint32_t x)57*62c56f98SSadaf Ebrahimi static inline uint32_t aria_p1(uint32_t x)
58*62c56f98SSadaf Ebrahimi {
59*62c56f98SSadaf Ebrahimi uint32_t r;
60*62c56f98SSadaf Ebrahimi __asm("rev16 r, x");
61*62c56f98SSadaf Ebrahimi return r;
62*62c56f98SSadaf Ebrahimi }
63*62c56f98SSadaf Ebrahimi #define ARIA_P1 aria_p1
64*62c56f98SSadaf Ebrahimi #endif
65*62c56f98SSadaf Ebrahimi #endif /* arm */
66*62c56f98SSadaf Ebrahimi #if defined(__GNUC__) && \
67*62c56f98SSadaf Ebrahimi defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
68*62c56f98SSadaf Ebrahimi /* I couldn't find an Intel equivalent of rev16, so two instructions */
69*62c56f98SSadaf Ebrahimi #define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
70*62c56f98SSadaf Ebrahimi #endif /* x86 gnuc */
71*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_ASM && GNUC */
72*62c56f98SSadaf Ebrahimi #if !defined(ARIA_P1)
73*62c56f98SSadaf Ebrahimi #define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
74*62c56f98SSadaf Ebrahimi #endif
75*62c56f98SSadaf Ebrahimi
76*62c56f98SSadaf Ebrahimi /*
77*62c56f98SSadaf Ebrahimi * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
78*62c56f98SSadaf Ebrahimi *
79*62c56f98SSadaf Ebrahimi * This is submatrix P2 in [1] Appendix B.1
80*62c56f98SSadaf Ebrahimi *
81*62c56f98SSadaf Ebrahimi * Common compilers will translate this to a single instruction.
82*62c56f98SSadaf Ebrahimi */
83*62c56f98SSadaf Ebrahimi #define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
84*62c56f98SSadaf Ebrahimi
85*62c56f98SSadaf Ebrahimi /*
86*62c56f98SSadaf Ebrahimi * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
87*62c56f98SSadaf Ebrahimi *
88*62c56f98SSadaf Ebrahimi * This is submatrix P3 in [1] Appendix B.1
89*62c56f98SSadaf Ebrahimi */
90*62c56f98SSadaf Ebrahimi #define ARIA_P3(x) MBEDTLS_BSWAP32(x)
91*62c56f98SSadaf Ebrahimi
92*62c56f98SSadaf Ebrahimi /*
93*62c56f98SSadaf Ebrahimi * ARIA Affine Transform
94*62c56f98SSadaf Ebrahimi * (a, b, c, d) = state in/out
95*62c56f98SSadaf Ebrahimi *
96*62c56f98SSadaf Ebrahimi * If we denote the first byte of input by 0, ..., the last byte by f,
97*62c56f98SSadaf Ebrahimi * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
98*62c56f98SSadaf Ebrahimi *
99*62c56f98SSadaf Ebrahimi * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
100*62c56f98SSadaf Ebrahimi * rearrangements on adjacent pairs, output is:
101*62c56f98SSadaf Ebrahimi *
102*62c56f98SSadaf Ebrahimi * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
103*62c56f98SSadaf Ebrahimi * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
104*62c56f98SSadaf Ebrahimi * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
105*62c56f98SSadaf Ebrahimi * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
106*62c56f98SSadaf Ebrahimi * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
107*62c56f98SSadaf Ebrahimi * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
108*62c56f98SSadaf Ebrahimi * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
109*62c56f98SSadaf Ebrahimi * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
110*62c56f98SSadaf Ebrahimi *
111*62c56f98SSadaf Ebrahimi * Note: another presentation of the A transform can be found as the first
112*62c56f98SSadaf Ebrahimi * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
113*62c56f98SSadaf Ebrahimi * The implementation below uses only P1 and P2 as they are sufficient.
114*62c56f98SSadaf Ebrahimi */
aria_a(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d)115*62c56f98SSadaf Ebrahimi static inline void aria_a(uint32_t *a, uint32_t *b,
116*62c56f98SSadaf Ebrahimi uint32_t *c, uint32_t *d)
117*62c56f98SSadaf Ebrahimi {
118*62c56f98SSadaf Ebrahimi uint32_t ta, tb, tc;
119*62c56f98SSadaf Ebrahimi ta = *b; // 4567
120*62c56f98SSadaf Ebrahimi *b = *a; // 0123
121*62c56f98SSadaf Ebrahimi *a = ARIA_P2(ta); // 6745
122*62c56f98SSadaf Ebrahimi tb = ARIA_P2(*d); // efcd
123*62c56f98SSadaf Ebrahimi *d = ARIA_P1(*c); // 98ba
124*62c56f98SSadaf Ebrahimi *c = ARIA_P1(tb); // fedc
125*62c56f98SSadaf Ebrahimi ta ^= *d; // 4567+98ba
126*62c56f98SSadaf Ebrahimi tc = ARIA_P2(*b); // 2301
127*62c56f98SSadaf Ebrahimi ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
128*62c56f98SSadaf Ebrahimi tb ^= ARIA_P2(*d); // ba98+efcd
129*62c56f98SSadaf Ebrahimi tc ^= ARIA_P1(*a); // 2301+7654
130*62c56f98SSadaf Ebrahimi *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
131*62c56f98SSadaf Ebrahimi tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
132*62c56f98SSadaf Ebrahimi *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
133*62c56f98SSadaf Ebrahimi ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
134*62c56f98SSadaf Ebrahimi *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
135*62c56f98SSadaf Ebrahimi tc = ARIA_P2(tc); // 0123+5476
136*62c56f98SSadaf Ebrahimi *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
137*62c56f98SSadaf Ebrahimi }
138*62c56f98SSadaf Ebrahimi
139*62c56f98SSadaf Ebrahimi /*
140*62c56f98SSadaf Ebrahimi * ARIA Substitution Layer SL1 / SL2
141*62c56f98SSadaf Ebrahimi * (a, b, c, d) = state in/out
142*62c56f98SSadaf Ebrahimi * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
143*62c56f98SSadaf Ebrahimi *
144*62c56f98SSadaf Ebrahimi * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
145*62c56f98SSadaf Ebrahimi * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
146*62c56f98SSadaf Ebrahimi */
aria_sl(uint32_t * a,uint32_t * b,uint32_t * c,uint32_t * d,const uint8_t sa[256],const uint8_t sb[256],const uint8_t sc[256],const uint8_t sd[256])147*62c56f98SSadaf Ebrahimi static inline void aria_sl(uint32_t *a, uint32_t *b,
148*62c56f98SSadaf Ebrahimi uint32_t *c, uint32_t *d,
149*62c56f98SSadaf Ebrahimi const uint8_t sa[256], const uint8_t sb[256],
150*62c56f98SSadaf Ebrahimi const uint8_t sc[256], const uint8_t sd[256])
151*62c56f98SSadaf Ebrahimi {
152*62c56f98SSadaf Ebrahimi *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
153*62c56f98SSadaf Ebrahimi (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
154*62c56f98SSadaf Ebrahimi (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
155*62c56f98SSadaf Ebrahimi (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
156*62c56f98SSadaf Ebrahimi *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
157*62c56f98SSadaf Ebrahimi (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
158*62c56f98SSadaf Ebrahimi (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
159*62c56f98SSadaf Ebrahimi (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
160*62c56f98SSadaf Ebrahimi *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
161*62c56f98SSadaf Ebrahimi (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
162*62c56f98SSadaf Ebrahimi (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
163*62c56f98SSadaf Ebrahimi (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
164*62c56f98SSadaf Ebrahimi *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
165*62c56f98SSadaf Ebrahimi (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
166*62c56f98SSadaf Ebrahimi (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
167*62c56f98SSadaf Ebrahimi (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
168*62c56f98SSadaf Ebrahimi }
169*62c56f98SSadaf Ebrahimi
170*62c56f98SSadaf Ebrahimi /*
171*62c56f98SSadaf Ebrahimi * S-Boxes
172*62c56f98SSadaf Ebrahimi */
173*62c56f98SSadaf Ebrahimi static const uint8_t aria_sb1[256] =
174*62c56f98SSadaf Ebrahimi {
175*62c56f98SSadaf Ebrahimi 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
176*62c56f98SSadaf Ebrahimi 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
177*62c56f98SSadaf Ebrahimi 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
178*62c56f98SSadaf Ebrahimi 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
179*62c56f98SSadaf Ebrahimi 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
180*62c56f98SSadaf Ebrahimi 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
181*62c56f98SSadaf Ebrahimi 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
182*62c56f98SSadaf Ebrahimi 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
183*62c56f98SSadaf Ebrahimi 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
184*62c56f98SSadaf Ebrahimi 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
185*62c56f98SSadaf Ebrahimi 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
186*62c56f98SSadaf Ebrahimi 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
187*62c56f98SSadaf Ebrahimi 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
188*62c56f98SSadaf Ebrahimi 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
189*62c56f98SSadaf Ebrahimi 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
190*62c56f98SSadaf Ebrahimi 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
191*62c56f98SSadaf Ebrahimi 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
192*62c56f98SSadaf Ebrahimi 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
193*62c56f98SSadaf Ebrahimi 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
194*62c56f98SSadaf Ebrahimi 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
195*62c56f98SSadaf Ebrahimi 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
196*62c56f98SSadaf Ebrahimi 0xB0, 0x54, 0xBB, 0x16
197*62c56f98SSadaf Ebrahimi };
198*62c56f98SSadaf Ebrahimi
199*62c56f98SSadaf Ebrahimi static const uint8_t aria_sb2[256] =
200*62c56f98SSadaf Ebrahimi {
201*62c56f98SSadaf Ebrahimi 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
202*62c56f98SSadaf Ebrahimi 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
203*62c56f98SSadaf Ebrahimi 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
204*62c56f98SSadaf Ebrahimi 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
205*62c56f98SSadaf Ebrahimi 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
206*62c56f98SSadaf Ebrahimi 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
207*62c56f98SSadaf Ebrahimi 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
208*62c56f98SSadaf Ebrahimi 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
209*62c56f98SSadaf Ebrahimi 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
210*62c56f98SSadaf Ebrahimi 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
211*62c56f98SSadaf Ebrahimi 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
212*62c56f98SSadaf Ebrahimi 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
213*62c56f98SSadaf Ebrahimi 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
214*62c56f98SSadaf Ebrahimi 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
215*62c56f98SSadaf Ebrahimi 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
216*62c56f98SSadaf Ebrahimi 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
217*62c56f98SSadaf Ebrahimi 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
218*62c56f98SSadaf Ebrahimi 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
219*62c56f98SSadaf Ebrahimi 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
220*62c56f98SSadaf Ebrahimi 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
221*62c56f98SSadaf Ebrahimi 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
222*62c56f98SSadaf Ebrahimi 0xAF, 0xBA, 0xB5, 0x81
223*62c56f98SSadaf Ebrahimi };
224*62c56f98SSadaf Ebrahimi
225*62c56f98SSadaf Ebrahimi static const uint8_t aria_is1[256] =
226*62c56f98SSadaf Ebrahimi {
227*62c56f98SSadaf Ebrahimi 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
228*62c56f98SSadaf Ebrahimi 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
229*62c56f98SSadaf Ebrahimi 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
230*62c56f98SSadaf Ebrahimi 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231*62c56f98SSadaf Ebrahimi 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
232*62c56f98SSadaf Ebrahimi 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
233*62c56f98SSadaf Ebrahimi 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
234*62c56f98SSadaf Ebrahimi 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235*62c56f98SSadaf Ebrahimi 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
236*62c56f98SSadaf Ebrahimi 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
237*62c56f98SSadaf Ebrahimi 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
238*62c56f98SSadaf Ebrahimi 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
239*62c56f98SSadaf Ebrahimi 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
240*62c56f98SSadaf Ebrahimi 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
241*62c56f98SSadaf Ebrahimi 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
242*62c56f98SSadaf Ebrahimi 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
243*62c56f98SSadaf Ebrahimi 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
244*62c56f98SSadaf Ebrahimi 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
245*62c56f98SSadaf Ebrahimi 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
246*62c56f98SSadaf Ebrahimi 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247*62c56f98SSadaf Ebrahimi 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
248*62c56f98SSadaf Ebrahimi 0x55, 0x21, 0x0C, 0x7D
249*62c56f98SSadaf Ebrahimi };
250*62c56f98SSadaf Ebrahimi
251*62c56f98SSadaf Ebrahimi static const uint8_t aria_is2[256] =
252*62c56f98SSadaf Ebrahimi {
253*62c56f98SSadaf Ebrahimi 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
254*62c56f98SSadaf Ebrahimi 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
255*62c56f98SSadaf Ebrahimi 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
256*62c56f98SSadaf Ebrahimi 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
257*62c56f98SSadaf Ebrahimi 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
258*62c56f98SSadaf Ebrahimi 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
259*62c56f98SSadaf Ebrahimi 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
260*62c56f98SSadaf Ebrahimi 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
261*62c56f98SSadaf Ebrahimi 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
262*62c56f98SSadaf Ebrahimi 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
263*62c56f98SSadaf Ebrahimi 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
264*62c56f98SSadaf Ebrahimi 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
265*62c56f98SSadaf Ebrahimi 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
266*62c56f98SSadaf Ebrahimi 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
267*62c56f98SSadaf Ebrahimi 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
268*62c56f98SSadaf Ebrahimi 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
269*62c56f98SSadaf Ebrahimi 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
270*62c56f98SSadaf Ebrahimi 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
271*62c56f98SSadaf Ebrahimi 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
272*62c56f98SSadaf Ebrahimi 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
273*62c56f98SSadaf Ebrahimi 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
274*62c56f98SSadaf Ebrahimi 0x03, 0xA2, 0xAC, 0x60
275*62c56f98SSadaf Ebrahimi };
276*62c56f98SSadaf Ebrahimi
277*62c56f98SSadaf Ebrahimi /*
278*62c56f98SSadaf Ebrahimi * Helper for key schedule: r = FO( p, k ) ^ x
279*62c56f98SSadaf Ebrahimi */
aria_fo_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])280*62c56f98SSadaf Ebrahimi static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
281*62c56f98SSadaf Ebrahimi const uint32_t k[4], const uint32_t x[4])
282*62c56f98SSadaf Ebrahimi {
283*62c56f98SSadaf Ebrahimi uint32_t a, b, c, d;
284*62c56f98SSadaf Ebrahimi
285*62c56f98SSadaf Ebrahimi a = p[0] ^ k[0];
286*62c56f98SSadaf Ebrahimi b = p[1] ^ k[1];
287*62c56f98SSadaf Ebrahimi c = p[2] ^ k[2];
288*62c56f98SSadaf Ebrahimi d = p[3] ^ k[3];
289*62c56f98SSadaf Ebrahimi
290*62c56f98SSadaf Ebrahimi aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
291*62c56f98SSadaf Ebrahimi aria_a(&a, &b, &c, &d);
292*62c56f98SSadaf Ebrahimi
293*62c56f98SSadaf Ebrahimi r[0] = a ^ x[0];
294*62c56f98SSadaf Ebrahimi r[1] = b ^ x[1];
295*62c56f98SSadaf Ebrahimi r[2] = c ^ x[2];
296*62c56f98SSadaf Ebrahimi r[3] = d ^ x[3];
297*62c56f98SSadaf Ebrahimi }
298*62c56f98SSadaf Ebrahimi
299*62c56f98SSadaf Ebrahimi /*
300*62c56f98SSadaf Ebrahimi * Helper for key schedule: r = FE( p, k ) ^ x
301*62c56f98SSadaf Ebrahimi */
aria_fe_xor(uint32_t r[4],const uint32_t p[4],const uint32_t k[4],const uint32_t x[4])302*62c56f98SSadaf Ebrahimi static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
303*62c56f98SSadaf Ebrahimi const uint32_t k[4], const uint32_t x[4])
304*62c56f98SSadaf Ebrahimi {
305*62c56f98SSadaf Ebrahimi uint32_t a, b, c, d;
306*62c56f98SSadaf Ebrahimi
307*62c56f98SSadaf Ebrahimi a = p[0] ^ k[0];
308*62c56f98SSadaf Ebrahimi b = p[1] ^ k[1];
309*62c56f98SSadaf Ebrahimi c = p[2] ^ k[2];
310*62c56f98SSadaf Ebrahimi d = p[3] ^ k[3];
311*62c56f98SSadaf Ebrahimi
312*62c56f98SSadaf Ebrahimi aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
313*62c56f98SSadaf Ebrahimi aria_a(&a, &b, &c, &d);
314*62c56f98SSadaf Ebrahimi
315*62c56f98SSadaf Ebrahimi r[0] = a ^ x[0];
316*62c56f98SSadaf Ebrahimi r[1] = b ^ x[1];
317*62c56f98SSadaf Ebrahimi r[2] = c ^ x[2];
318*62c56f98SSadaf Ebrahimi r[3] = d ^ x[3];
319*62c56f98SSadaf Ebrahimi }
320*62c56f98SSadaf Ebrahimi
321*62c56f98SSadaf Ebrahimi /*
322*62c56f98SSadaf Ebrahimi * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
323*62c56f98SSadaf Ebrahimi *
324*62c56f98SSadaf Ebrahimi * We chose to store bytes into 32-bit words in little-endian format (see
325*62c56f98SSadaf Ebrahimi * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
326*62c56f98SSadaf Ebrahimi * bytes here.
327*62c56f98SSadaf Ebrahimi */
aria_rot128(uint32_t r[4],const uint32_t a[4],const uint32_t b[4],uint8_t n)328*62c56f98SSadaf Ebrahimi static void aria_rot128(uint32_t r[4], const uint32_t a[4],
329*62c56f98SSadaf Ebrahimi const uint32_t b[4], uint8_t n)
330*62c56f98SSadaf Ebrahimi {
331*62c56f98SSadaf Ebrahimi uint8_t i, j;
332*62c56f98SSadaf Ebrahimi uint32_t t, u;
333*62c56f98SSadaf Ebrahimi
334*62c56f98SSadaf Ebrahimi const uint8_t n1 = n % 32; // bit offset
335*62c56f98SSadaf Ebrahimi const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
336*62c56f98SSadaf Ebrahimi
337*62c56f98SSadaf Ebrahimi j = (n / 32) % 4; // initial word offset
338*62c56f98SSadaf Ebrahimi t = ARIA_P3(b[j]); // big endian
339*62c56f98SSadaf Ebrahimi for (i = 0; i < 4; i++) {
340*62c56f98SSadaf Ebrahimi j = (j + 1) % 4; // get next word, big endian
341*62c56f98SSadaf Ebrahimi u = ARIA_P3(b[j]);
342*62c56f98SSadaf Ebrahimi t <<= n1; // rotate
343*62c56f98SSadaf Ebrahimi t |= u >> n2;
344*62c56f98SSadaf Ebrahimi t = ARIA_P3(t); // back to little endian
345*62c56f98SSadaf Ebrahimi r[i] = a[i] ^ t; // store
346*62c56f98SSadaf Ebrahimi t = u; // move to next word
347*62c56f98SSadaf Ebrahimi }
348*62c56f98SSadaf Ebrahimi }
349*62c56f98SSadaf Ebrahimi
350*62c56f98SSadaf Ebrahimi /*
351*62c56f98SSadaf Ebrahimi * Set encryption key
352*62c56f98SSadaf Ebrahimi */
mbedtls_aria_setkey_enc(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)353*62c56f98SSadaf Ebrahimi int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
354*62c56f98SSadaf Ebrahimi const unsigned char *key, unsigned int keybits)
355*62c56f98SSadaf Ebrahimi {
356*62c56f98SSadaf Ebrahimi /* round constant masks */
357*62c56f98SSadaf Ebrahimi const uint32_t rc[3][4] =
358*62c56f98SSadaf Ebrahimi {
359*62c56f98SSadaf Ebrahimi { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
360*62c56f98SSadaf Ebrahimi { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
361*62c56f98SSadaf Ebrahimi { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
362*62c56f98SSadaf Ebrahimi };
363*62c56f98SSadaf Ebrahimi
364*62c56f98SSadaf Ebrahimi int i;
365*62c56f98SSadaf Ebrahimi uint32_t w[4][4], *w2;
366*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
367*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(key != NULL);
368*62c56f98SSadaf Ebrahimi
369*62c56f98SSadaf Ebrahimi if (keybits != 128 && keybits != 192 && keybits != 256) {
370*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
371*62c56f98SSadaf Ebrahimi }
372*62c56f98SSadaf Ebrahimi
373*62c56f98SSadaf Ebrahimi /* Copy key to W0 (and potential remainder to W1) */
374*62c56f98SSadaf Ebrahimi w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
375*62c56f98SSadaf Ebrahimi w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
376*62c56f98SSadaf Ebrahimi w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
377*62c56f98SSadaf Ebrahimi w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
378*62c56f98SSadaf Ebrahimi
379*62c56f98SSadaf Ebrahimi memset(w[1], 0, 16);
380*62c56f98SSadaf Ebrahimi if (keybits >= 192) {
381*62c56f98SSadaf Ebrahimi w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
382*62c56f98SSadaf Ebrahimi w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
383*62c56f98SSadaf Ebrahimi }
384*62c56f98SSadaf Ebrahimi if (keybits == 256) {
385*62c56f98SSadaf Ebrahimi w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
386*62c56f98SSadaf Ebrahimi w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
387*62c56f98SSadaf Ebrahimi }
388*62c56f98SSadaf Ebrahimi
389*62c56f98SSadaf Ebrahimi i = (keybits - 128) >> 6; // index: 0, 1, 2
390*62c56f98SSadaf Ebrahimi ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
391*62c56f98SSadaf Ebrahimi
392*62c56f98SSadaf Ebrahimi aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
393*62c56f98SSadaf Ebrahimi i = i < 2 ? i + 1 : 0;
394*62c56f98SSadaf Ebrahimi aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
395*62c56f98SSadaf Ebrahimi i = i < 2 ? i + 1 : 0;
396*62c56f98SSadaf Ebrahimi aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
397*62c56f98SSadaf Ebrahimi
398*62c56f98SSadaf Ebrahimi for (i = 0; i < 4; i++) { // create round keys
399*62c56f98SSadaf Ebrahimi w2 = w[(i + 1) & 3];
400*62c56f98SSadaf Ebrahimi aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
401*62c56f98SSadaf Ebrahimi aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
402*62c56f98SSadaf Ebrahimi aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
403*62c56f98SSadaf Ebrahimi aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
404*62c56f98SSadaf Ebrahimi }
405*62c56f98SSadaf Ebrahimi aria_rot128(ctx->rk[16], w[0], w[1], 19);
406*62c56f98SSadaf Ebrahimi
407*62c56f98SSadaf Ebrahimi /* w holds enough info to reconstruct the round keys */
408*62c56f98SSadaf Ebrahimi mbedtls_platform_zeroize(w, sizeof(w));
409*62c56f98SSadaf Ebrahimi
410*62c56f98SSadaf Ebrahimi return 0;
411*62c56f98SSadaf Ebrahimi }
412*62c56f98SSadaf Ebrahimi
413*62c56f98SSadaf Ebrahimi /*
414*62c56f98SSadaf Ebrahimi * Set decryption key
415*62c56f98SSadaf Ebrahimi */
mbedtls_aria_setkey_dec(mbedtls_aria_context * ctx,const unsigned char * key,unsigned int keybits)416*62c56f98SSadaf Ebrahimi int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
417*62c56f98SSadaf Ebrahimi const unsigned char *key, unsigned int keybits)
418*62c56f98SSadaf Ebrahimi {
419*62c56f98SSadaf Ebrahimi int i, j, k, ret;
420*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
421*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(key != NULL);
422*62c56f98SSadaf Ebrahimi
423*62c56f98SSadaf Ebrahimi ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
424*62c56f98SSadaf Ebrahimi if (ret != 0) {
425*62c56f98SSadaf Ebrahimi return ret;
426*62c56f98SSadaf Ebrahimi }
427*62c56f98SSadaf Ebrahimi
428*62c56f98SSadaf Ebrahimi /* flip the order of round keys */
429*62c56f98SSadaf Ebrahimi for (i = 0, j = ctx->nr; i < j; i++, j--) {
430*62c56f98SSadaf Ebrahimi for (k = 0; k < 4; k++) {
431*62c56f98SSadaf Ebrahimi uint32_t t = ctx->rk[i][k];
432*62c56f98SSadaf Ebrahimi ctx->rk[i][k] = ctx->rk[j][k];
433*62c56f98SSadaf Ebrahimi ctx->rk[j][k] = t;
434*62c56f98SSadaf Ebrahimi }
435*62c56f98SSadaf Ebrahimi }
436*62c56f98SSadaf Ebrahimi
437*62c56f98SSadaf Ebrahimi /* apply affine transform to middle keys */
438*62c56f98SSadaf Ebrahimi for (i = 1; i < ctx->nr; i++) {
439*62c56f98SSadaf Ebrahimi aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
440*62c56f98SSadaf Ebrahimi &ctx->rk[i][2], &ctx->rk[i][3]);
441*62c56f98SSadaf Ebrahimi }
442*62c56f98SSadaf Ebrahimi
443*62c56f98SSadaf Ebrahimi return 0;
444*62c56f98SSadaf Ebrahimi }
445*62c56f98SSadaf Ebrahimi
446*62c56f98SSadaf Ebrahimi /*
447*62c56f98SSadaf Ebrahimi * Encrypt a block
448*62c56f98SSadaf Ebrahimi */
mbedtls_aria_crypt_ecb(mbedtls_aria_context * ctx,const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])449*62c56f98SSadaf Ebrahimi int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
450*62c56f98SSadaf Ebrahimi const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
451*62c56f98SSadaf Ebrahimi unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
452*62c56f98SSadaf Ebrahimi {
453*62c56f98SSadaf Ebrahimi int i;
454*62c56f98SSadaf Ebrahimi
455*62c56f98SSadaf Ebrahimi uint32_t a, b, c, d;
456*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
457*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(input != NULL);
458*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(output != NULL);
459*62c56f98SSadaf Ebrahimi
460*62c56f98SSadaf Ebrahimi a = MBEDTLS_GET_UINT32_LE(input, 0);
461*62c56f98SSadaf Ebrahimi b = MBEDTLS_GET_UINT32_LE(input, 4);
462*62c56f98SSadaf Ebrahimi c = MBEDTLS_GET_UINT32_LE(input, 8);
463*62c56f98SSadaf Ebrahimi d = MBEDTLS_GET_UINT32_LE(input, 12);
464*62c56f98SSadaf Ebrahimi
465*62c56f98SSadaf Ebrahimi i = 0;
466*62c56f98SSadaf Ebrahimi while (1) {
467*62c56f98SSadaf Ebrahimi a ^= ctx->rk[i][0];
468*62c56f98SSadaf Ebrahimi b ^= ctx->rk[i][1];
469*62c56f98SSadaf Ebrahimi c ^= ctx->rk[i][2];
470*62c56f98SSadaf Ebrahimi d ^= ctx->rk[i][3];
471*62c56f98SSadaf Ebrahimi i++;
472*62c56f98SSadaf Ebrahimi
473*62c56f98SSadaf Ebrahimi aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
474*62c56f98SSadaf Ebrahimi aria_a(&a, &b, &c, &d);
475*62c56f98SSadaf Ebrahimi
476*62c56f98SSadaf Ebrahimi a ^= ctx->rk[i][0];
477*62c56f98SSadaf Ebrahimi b ^= ctx->rk[i][1];
478*62c56f98SSadaf Ebrahimi c ^= ctx->rk[i][2];
479*62c56f98SSadaf Ebrahimi d ^= ctx->rk[i][3];
480*62c56f98SSadaf Ebrahimi i++;
481*62c56f98SSadaf Ebrahimi
482*62c56f98SSadaf Ebrahimi aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
483*62c56f98SSadaf Ebrahimi if (i >= ctx->nr) {
484*62c56f98SSadaf Ebrahimi break;
485*62c56f98SSadaf Ebrahimi }
486*62c56f98SSadaf Ebrahimi aria_a(&a, &b, &c, &d);
487*62c56f98SSadaf Ebrahimi }
488*62c56f98SSadaf Ebrahimi
489*62c56f98SSadaf Ebrahimi /* final key mixing */
490*62c56f98SSadaf Ebrahimi a ^= ctx->rk[i][0];
491*62c56f98SSadaf Ebrahimi b ^= ctx->rk[i][1];
492*62c56f98SSadaf Ebrahimi c ^= ctx->rk[i][2];
493*62c56f98SSadaf Ebrahimi d ^= ctx->rk[i][3];
494*62c56f98SSadaf Ebrahimi
495*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_LE(a, output, 0);
496*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_LE(b, output, 4);
497*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_LE(c, output, 8);
498*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_LE(d, output, 12);
499*62c56f98SSadaf Ebrahimi
500*62c56f98SSadaf Ebrahimi return 0;
501*62c56f98SSadaf Ebrahimi }
502*62c56f98SSadaf Ebrahimi
503*62c56f98SSadaf Ebrahimi /* Initialize context */
mbedtls_aria_init(mbedtls_aria_context * ctx)504*62c56f98SSadaf Ebrahimi void mbedtls_aria_init(mbedtls_aria_context *ctx)
505*62c56f98SSadaf Ebrahimi {
506*62c56f98SSadaf Ebrahimi ARIA_VALIDATE(ctx != NULL);
507*62c56f98SSadaf Ebrahimi memset(ctx, 0, sizeof(mbedtls_aria_context));
508*62c56f98SSadaf Ebrahimi }
509*62c56f98SSadaf Ebrahimi
510*62c56f98SSadaf Ebrahimi /* Clear context */
mbedtls_aria_free(mbedtls_aria_context * ctx)511*62c56f98SSadaf Ebrahimi void mbedtls_aria_free(mbedtls_aria_context *ctx)
512*62c56f98SSadaf Ebrahimi {
513*62c56f98SSadaf Ebrahimi if (ctx == NULL) {
514*62c56f98SSadaf Ebrahimi return;
515*62c56f98SSadaf Ebrahimi }
516*62c56f98SSadaf Ebrahimi
517*62c56f98SSadaf Ebrahimi mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
518*62c56f98SSadaf Ebrahimi }
519*62c56f98SSadaf Ebrahimi
520*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CBC)
521*62c56f98SSadaf Ebrahimi /*
522*62c56f98SSadaf Ebrahimi * ARIA-CBC buffer encryption/decryption
523*62c56f98SSadaf Ebrahimi */
mbedtls_aria_crypt_cbc(mbedtls_aria_context * ctx,int mode,size_t length,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)524*62c56f98SSadaf Ebrahimi int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
525*62c56f98SSadaf Ebrahimi int mode,
526*62c56f98SSadaf Ebrahimi size_t length,
527*62c56f98SSadaf Ebrahimi unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
528*62c56f98SSadaf Ebrahimi const unsigned char *input,
529*62c56f98SSadaf Ebrahimi unsigned char *output)
530*62c56f98SSadaf Ebrahimi {
531*62c56f98SSadaf Ebrahimi unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
532*62c56f98SSadaf Ebrahimi
533*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
534*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
535*62c56f98SSadaf Ebrahimi mode == MBEDTLS_ARIA_DECRYPT);
536*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || input != NULL);
537*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || output != NULL);
538*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(iv != NULL);
539*62c56f98SSadaf Ebrahimi
540*62c56f98SSadaf Ebrahimi if (length % MBEDTLS_ARIA_BLOCKSIZE) {
541*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
542*62c56f98SSadaf Ebrahimi }
543*62c56f98SSadaf Ebrahimi
544*62c56f98SSadaf Ebrahimi if (mode == MBEDTLS_ARIA_DECRYPT) {
545*62c56f98SSadaf Ebrahimi while (length > 0) {
546*62c56f98SSadaf Ebrahimi memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
547*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(ctx, input, output);
548*62c56f98SSadaf Ebrahimi
549*62c56f98SSadaf Ebrahimi mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
550*62c56f98SSadaf Ebrahimi
551*62c56f98SSadaf Ebrahimi memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
552*62c56f98SSadaf Ebrahimi
553*62c56f98SSadaf Ebrahimi input += MBEDTLS_ARIA_BLOCKSIZE;
554*62c56f98SSadaf Ebrahimi output += MBEDTLS_ARIA_BLOCKSIZE;
555*62c56f98SSadaf Ebrahimi length -= MBEDTLS_ARIA_BLOCKSIZE;
556*62c56f98SSadaf Ebrahimi }
557*62c56f98SSadaf Ebrahimi } else {
558*62c56f98SSadaf Ebrahimi while (length > 0) {
559*62c56f98SSadaf Ebrahimi mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
560*62c56f98SSadaf Ebrahimi
561*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(ctx, output, output);
562*62c56f98SSadaf Ebrahimi memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
563*62c56f98SSadaf Ebrahimi
564*62c56f98SSadaf Ebrahimi input += MBEDTLS_ARIA_BLOCKSIZE;
565*62c56f98SSadaf Ebrahimi output += MBEDTLS_ARIA_BLOCKSIZE;
566*62c56f98SSadaf Ebrahimi length -= MBEDTLS_ARIA_BLOCKSIZE;
567*62c56f98SSadaf Ebrahimi }
568*62c56f98SSadaf Ebrahimi }
569*62c56f98SSadaf Ebrahimi
570*62c56f98SSadaf Ebrahimi return 0;
571*62c56f98SSadaf Ebrahimi }
572*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CBC */
573*62c56f98SSadaf Ebrahimi
574*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CFB)
575*62c56f98SSadaf Ebrahimi /*
576*62c56f98SSadaf Ebrahimi * ARIA-CFB128 buffer encryption/decryption
577*62c56f98SSadaf Ebrahimi */
mbedtls_aria_crypt_cfb128(mbedtls_aria_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)578*62c56f98SSadaf Ebrahimi int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
579*62c56f98SSadaf Ebrahimi int mode,
580*62c56f98SSadaf Ebrahimi size_t length,
581*62c56f98SSadaf Ebrahimi size_t *iv_off,
582*62c56f98SSadaf Ebrahimi unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
583*62c56f98SSadaf Ebrahimi const unsigned char *input,
584*62c56f98SSadaf Ebrahimi unsigned char *output)
585*62c56f98SSadaf Ebrahimi {
586*62c56f98SSadaf Ebrahimi unsigned char c;
587*62c56f98SSadaf Ebrahimi size_t n;
588*62c56f98SSadaf Ebrahimi
589*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
590*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
591*62c56f98SSadaf Ebrahimi mode == MBEDTLS_ARIA_DECRYPT);
592*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || input != NULL);
593*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || output != NULL);
594*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(iv != NULL);
595*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(iv_off != NULL);
596*62c56f98SSadaf Ebrahimi
597*62c56f98SSadaf Ebrahimi n = *iv_off;
598*62c56f98SSadaf Ebrahimi
599*62c56f98SSadaf Ebrahimi /* An overly large value of n can lead to an unlimited
600*62c56f98SSadaf Ebrahimi * buffer overflow. Therefore, guard against this
601*62c56f98SSadaf Ebrahimi * outside of parameter validation. */
602*62c56f98SSadaf Ebrahimi if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
603*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
604*62c56f98SSadaf Ebrahimi }
605*62c56f98SSadaf Ebrahimi
606*62c56f98SSadaf Ebrahimi if (mode == MBEDTLS_ARIA_DECRYPT) {
607*62c56f98SSadaf Ebrahimi while (length--) {
608*62c56f98SSadaf Ebrahimi if (n == 0) {
609*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(ctx, iv, iv);
610*62c56f98SSadaf Ebrahimi }
611*62c56f98SSadaf Ebrahimi
612*62c56f98SSadaf Ebrahimi c = *input++;
613*62c56f98SSadaf Ebrahimi *output++ = c ^ iv[n];
614*62c56f98SSadaf Ebrahimi iv[n] = c;
615*62c56f98SSadaf Ebrahimi
616*62c56f98SSadaf Ebrahimi n = (n + 1) & 0x0F;
617*62c56f98SSadaf Ebrahimi }
618*62c56f98SSadaf Ebrahimi } else {
619*62c56f98SSadaf Ebrahimi while (length--) {
620*62c56f98SSadaf Ebrahimi if (n == 0) {
621*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(ctx, iv, iv);
622*62c56f98SSadaf Ebrahimi }
623*62c56f98SSadaf Ebrahimi
624*62c56f98SSadaf Ebrahimi iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
625*62c56f98SSadaf Ebrahimi
626*62c56f98SSadaf Ebrahimi n = (n + 1) & 0x0F;
627*62c56f98SSadaf Ebrahimi }
628*62c56f98SSadaf Ebrahimi }
629*62c56f98SSadaf Ebrahimi
630*62c56f98SSadaf Ebrahimi *iv_off = n;
631*62c56f98SSadaf Ebrahimi
632*62c56f98SSadaf Ebrahimi return 0;
633*62c56f98SSadaf Ebrahimi }
634*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CFB */
635*62c56f98SSadaf Ebrahimi
636*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CTR)
637*62c56f98SSadaf Ebrahimi /*
638*62c56f98SSadaf Ebrahimi * ARIA-CTR buffer encryption/decryption
639*62c56f98SSadaf Ebrahimi */
mbedtls_aria_crypt_ctr(mbedtls_aria_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],const unsigned char * input,unsigned char * output)640*62c56f98SSadaf Ebrahimi int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
641*62c56f98SSadaf Ebrahimi size_t length,
642*62c56f98SSadaf Ebrahimi size_t *nc_off,
643*62c56f98SSadaf Ebrahimi unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
644*62c56f98SSadaf Ebrahimi unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
645*62c56f98SSadaf Ebrahimi const unsigned char *input,
646*62c56f98SSadaf Ebrahimi unsigned char *output)
647*62c56f98SSadaf Ebrahimi {
648*62c56f98SSadaf Ebrahimi int c, i;
649*62c56f98SSadaf Ebrahimi size_t n;
650*62c56f98SSadaf Ebrahimi
651*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(ctx != NULL);
652*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || input != NULL);
653*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(length == 0 || output != NULL);
654*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(nonce_counter != NULL);
655*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(stream_block != NULL);
656*62c56f98SSadaf Ebrahimi ARIA_VALIDATE_RET(nc_off != NULL);
657*62c56f98SSadaf Ebrahimi
658*62c56f98SSadaf Ebrahimi n = *nc_off;
659*62c56f98SSadaf Ebrahimi /* An overly large value of n can lead to an unlimited
660*62c56f98SSadaf Ebrahimi * buffer overflow. Therefore, guard against this
661*62c56f98SSadaf Ebrahimi * outside of parameter validation. */
662*62c56f98SSadaf Ebrahimi if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
663*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
664*62c56f98SSadaf Ebrahimi }
665*62c56f98SSadaf Ebrahimi
666*62c56f98SSadaf Ebrahimi while (length--) {
667*62c56f98SSadaf Ebrahimi if (n == 0) {
668*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(ctx, nonce_counter,
669*62c56f98SSadaf Ebrahimi stream_block);
670*62c56f98SSadaf Ebrahimi
671*62c56f98SSadaf Ebrahimi for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
672*62c56f98SSadaf Ebrahimi if (++nonce_counter[i - 1] != 0) {
673*62c56f98SSadaf Ebrahimi break;
674*62c56f98SSadaf Ebrahimi }
675*62c56f98SSadaf Ebrahimi }
676*62c56f98SSadaf Ebrahimi }
677*62c56f98SSadaf Ebrahimi c = *input++;
678*62c56f98SSadaf Ebrahimi *output++ = (unsigned char) (c ^ stream_block[n]);
679*62c56f98SSadaf Ebrahimi
680*62c56f98SSadaf Ebrahimi n = (n + 1) & 0x0F;
681*62c56f98SSadaf Ebrahimi }
682*62c56f98SSadaf Ebrahimi
683*62c56f98SSadaf Ebrahimi *nc_off = n;
684*62c56f98SSadaf Ebrahimi
685*62c56f98SSadaf Ebrahimi return 0;
686*62c56f98SSadaf Ebrahimi }
687*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CTR */
688*62c56f98SSadaf Ebrahimi #endif /* !MBEDTLS_ARIA_ALT */
689*62c56f98SSadaf Ebrahimi
690*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SELF_TEST)
691*62c56f98SSadaf Ebrahimi
692*62c56f98SSadaf Ebrahimi /*
693*62c56f98SSadaf Ebrahimi * Basic ARIA ECB test vectors from RFC 5794
694*62c56f98SSadaf Ebrahimi */
695*62c56f98SSadaf Ebrahimi static const uint8_t aria_test1_ecb_key[32] = // test key
696*62c56f98SSadaf Ebrahimi {
697*62c56f98SSadaf Ebrahimi 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
698*62c56f98SSadaf Ebrahimi 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
699*62c56f98SSadaf Ebrahimi 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
700*62c56f98SSadaf Ebrahimi 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
701*62c56f98SSadaf Ebrahimi };
702*62c56f98SSadaf Ebrahimi
703*62c56f98SSadaf Ebrahimi static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
704*62c56f98SSadaf Ebrahimi {
705*62c56f98SSadaf Ebrahimi 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
706*62c56f98SSadaf Ebrahimi 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
707*62c56f98SSadaf Ebrahimi };
708*62c56f98SSadaf Ebrahimi
709*62c56f98SSadaf Ebrahimi static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
710*62c56f98SSadaf Ebrahimi {
711*62c56f98SSadaf Ebrahimi { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
712*62c56f98SSadaf Ebrahimi 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
713*62c56f98SSadaf Ebrahimi { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
714*62c56f98SSadaf Ebrahimi 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
715*62c56f98SSadaf Ebrahimi { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
716*62c56f98SSadaf Ebrahimi 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
717*62c56f98SSadaf Ebrahimi };
718*62c56f98SSadaf Ebrahimi
719*62c56f98SSadaf Ebrahimi /*
720*62c56f98SSadaf Ebrahimi * Mode tests from "Test Vectors for ARIA" Version 1.0
721*62c56f98SSadaf Ebrahimi * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
722*62c56f98SSadaf Ebrahimi */
723*62c56f98SSadaf Ebrahimi #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
724*62c56f98SSadaf Ebrahimi defined(MBEDTLS_CIPHER_MODE_CTR))
725*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_key[32] =
726*62c56f98SSadaf Ebrahimi {
727*62c56f98SSadaf Ebrahimi 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
728*62c56f98SSadaf Ebrahimi 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
729*62c56f98SSadaf Ebrahimi 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
730*62c56f98SSadaf Ebrahimi 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
731*62c56f98SSadaf Ebrahimi };
732*62c56f98SSadaf Ebrahimi
733*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_pt[48] =
734*62c56f98SSadaf Ebrahimi {
735*62c56f98SSadaf Ebrahimi 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
736*62c56f98SSadaf Ebrahimi 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
737*62c56f98SSadaf Ebrahimi 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
738*62c56f98SSadaf Ebrahimi 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
739*62c56f98SSadaf Ebrahimi 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
740*62c56f98SSadaf Ebrahimi 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
741*62c56f98SSadaf Ebrahimi };
742*62c56f98SSadaf Ebrahimi #endif
743*62c56f98SSadaf Ebrahimi
744*62c56f98SSadaf Ebrahimi #if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
745*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
746*62c56f98SSadaf Ebrahimi {
747*62c56f98SSadaf Ebrahimi 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
748*62c56f98SSadaf Ebrahimi 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
749*62c56f98SSadaf Ebrahimi };
750*62c56f98SSadaf Ebrahimi #endif
751*62c56f98SSadaf Ebrahimi
752*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CBC)
753*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
754*62c56f98SSadaf Ebrahimi {
755*62c56f98SSadaf Ebrahimi { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
756*62c56f98SSadaf Ebrahimi 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
757*62c56f98SSadaf Ebrahimi 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
758*62c56f98SSadaf Ebrahimi 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
759*62c56f98SSadaf Ebrahimi 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
760*62c56f98SSadaf Ebrahimi 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
761*62c56f98SSadaf Ebrahimi { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
762*62c56f98SSadaf Ebrahimi 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
763*62c56f98SSadaf Ebrahimi 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
764*62c56f98SSadaf Ebrahimi 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
765*62c56f98SSadaf Ebrahimi 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
766*62c56f98SSadaf Ebrahimi 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
767*62c56f98SSadaf Ebrahimi { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
768*62c56f98SSadaf Ebrahimi 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
769*62c56f98SSadaf Ebrahimi 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
770*62c56f98SSadaf Ebrahimi 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
771*62c56f98SSadaf Ebrahimi 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
772*62c56f98SSadaf Ebrahimi 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
773*62c56f98SSadaf Ebrahimi };
774*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CBC */
775*62c56f98SSadaf Ebrahimi
776*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CFB)
777*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
778*62c56f98SSadaf Ebrahimi {
779*62c56f98SSadaf Ebrahimi { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
780*62c56f98SSadaf Ebrahimi 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
781*62c56f98SSadaf Ebrahimi 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
782*62c56f98SSadaf Ebrahimi 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
783*62c56f98SSadaf Ebrahimi 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
784*62c56f98SSadaf Ebrahimi 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
785*62c56f98SSadaf Ebrahimi { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
786*62c56f98SSadaf Ebrahimi 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
787*62c56f98SSadaf Ebrahimi 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
788*62c56f98SSadaf Ebrahimi 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
789*62c56f98SSadaf Ebrahimi 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
790*62c56f98SSadaf Ebrahimi 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
791*62c56f98SSadaf Ebrahimi { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
792*62c56f98SSadaf Ebrahimi 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
793*62c56f98SSadaf Ebrahimi 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
794*62c56f98SSadaf Ebrahimi 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
795*62c56f98SSadaf Ebrahimi 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
796*62c56f98SSadaf Ebrahimi 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
797*62c56f98SSadaf Ebrahimi };
798*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CFB */
799*62c56f98SSadaf Ebrahimi
800*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CTR)
801*62c56f98SSadaf Ebrahimi static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
802*62c56f98SSadaf Ebrahimi {
803*62c56f98SSadaf Ebrahimi { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
804*62c56f98SSadaf Ebrahimi 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
805*62c56f98SSadaf Ebrahimi 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
806*62c56f98SSadaf Ebrahimi 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
807*62c56f98SSadaf Ebrahimi 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
808*62c56f98SSadaf Ebrahimi 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
809*62c56f98SSadaf Ebrahimi { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
810*62c56f98SSadaf Ebrahimi 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
811*62c56f98SSadaf Ebrahimi 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
812*62c56f98SSadaf Ebrahimi 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
813*62c56f98SSadaf Ebrahimi 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
814*62c56f98SSadaf Ebrahimi 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
815*62c56f98SSadaf Ebrahimi { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
816*62c56f98SSadaf Ebrahimi 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
817*62c56f98SSadaf Ebrahimi 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
818*62c56f98SSadaf Ebrahimi 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
819*62c56f98SSadaf Ebrahimi 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
820*62c56f98SSadaf Ebrahimi 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
821*62c56f98SSadaf Ebrahimi };
822*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CFB */
823*62c56f98SSadaf Ebrahimi
824*62c56f98SSadaf Ebrahimi #define ARIA_SELF_TEST_ASSERT(cond) \
825*62c56f98SSadaf Ebrahimi do { \
826*62c56f98SSadaf Ebrahimi if (cond) { \
827*62c56f98SSadaf Ebrahimi if (verbose) \
828*62c56f98SSadaf Ebrahimi mbedtls_printf("failed\n"); \
829*62c56f98SSadaf Ebrahimi goto exit; \
830*62c56f98SSadaf Ebrahimi } else { \
831*62c56f98SSadaf Ebrahimi if (verbose) \
832*62c56f98SSadaf Ebrahimi mbedtls_printf("passed\n"); \
833*62c56f98SSadaf Ebrahimi } \
834*62c56f98SSadaf Ebrahimi } while (0)
835*62c56f98SSadaf Ebrahimi
836*62c56f98SSadaf Ebrahimi /*
837*62c56f98SSadaf Ebrahimi * Checkup routine
838*62c56f98SSadaf Ebrahimi */
mbedtls_aria_self_test(int verbose)839*62c56f98SSadaf Ebrahimi int mbedtls_aria_self_test(int verbose)
840*62c56f98SSadaf Ebrahimi {
841*62c56f98SSadaf Ebrahimi int i;
842*62c56f98SSadaf Ebrahimi uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
843*62c56f98SSadaf Ebrahimi mbedtls_aria_context ctx;
844*62c56f98SSadaf Ebrahimi int ret = 1;
845*62c56f98SSadaf Ebrahimi
846*62c56f98SSadaf Ebrahimi #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
847*62c56f98SSadaf Ebrahimi size_t j;
848*62c56f98SSadaf Ebrahimi #endif
849*62c56f98SSadaf Ebrahimi
850*62c56f98SSadaf Ebrahimi #if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
851*62c56f98SSadaf Ebrahimi defined(MBEDTLS_CIPHER_MODE_CFB) || \
852*62c56f98SSadaf Ebrahimi defined(MBEDTLS_CIPHER_MODE_CTR))
853*62c56f98SSadaf Ebrahimi uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
854*62c56f98SSadaf Ebrahimi #endif
855*62c56f98SSadaf Ebrahimi
856*62c56f98SSadaf Ebrahimi mbedtls_aria_init(&ctx);
857*62c56f98SSadaf Ebrahimi
858*62c56f98SSadaf Ebrahimi /*
859*62c56f98SSadaf Ebrahimi * Test set 1
860*62c56f98SSadaf Ebrahimi */
861*62c56f98SSadaf Ebrahimi for (i = 0; i < 3; i++) {
862*62c56f98SSadaf Ebrahimi /* test ECB encryption */
863*62c56f98SSadaf Ebrahimi if (verbose) {
864*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
865*62c56f98SSadaf Ebrahimi }
866*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
867*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
868*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(
869*62c56f98SSadaf Ebrahimi memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
870*62c56f98SSadaf Ebrahimi != 0);
871*62c56f98SSadaf Ebrahimi
872*62c56f98SSadaf Ebrahimi /* test ECB decryption */
873*62c56f98SSadaf Ebrahimi if (verbose) {
874*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
875*62c56f98SSadaf Ebrahimi }
876*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
877*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
878*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(
879*62c56f98SSadaf Ebrahimi memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
880*62c56f98SSadaf Ebrahimi != 0);
881*62c56f98SSadaf Ebrahimi }
882*62c56f98SSadaf Ebrahimi if (verbose) {
883*62c56f98SSadaf Ebrahimi mbedtls_printf("\n");
884*62c56f98SSadaf Ebrahimi }
885*62c56f98SSadaf Ebrahimi
886*62c56f98SSadaf Ebrahimi /*
887*62c56f98SSadaf Ebrahimi * Test set 2
888*62c56f98SSadaf Ebrahimi */
889*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CBC)
890*62c56f98SSadaf Ebrahimi for (i = 0; i < 3; i++) {
891*62c56f98SSadaf Ebrahimi /* Test CBC encryption */
892*62c56f98SSadaf Ebrahimi if (verbose) {
893*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
894*62c56f98SSadaf Ebrahimi }
895*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
896*62c56f98SSadaf Ebrahimi memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
897*62c56f98SSadaf Ebrahimi memset(buf, 0x55, sizeof(buf));
898*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
899*62c56f98SSadaf Ebrahimi aria_test2_pt, buf);
900*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
901*62c56f98SSadaf Ebrahimi != 0);
902*62c56f98SSadaf Ebrahimi
903*62c56f98SSadaf Ebrahimi /* Test CBC decryption */
904*62c56f98SSadaf Ebrahimi if (verbose) {
905*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
906*62c56f98SSadaf Ebrahimi }
907*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
908*62c56f98SSadaf Ebrahimi memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
909*62c56f98SSadaf Ebrahimi memset(buf, 0xAA, sizeof(buf));
910*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
911*62c56f98SSadaf Ebrahimi aria_test2_cbc_ct[i], buf);
912*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
913*62c56f98SSadaf Ebrahimi }
914*62c56f98SSadaf Ebrahimi if (verbose) {
915*62c56f98SSadaf Ebrahimi mbedtls_printf("\n");
916*62c56f98SSadaf Ebrahimi }
917*62c56f98SSadaf Ebrahimi
918*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CBC */
919*62c56f98SSadaf Ebrahimi
920*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CFB)
921*62c56f98SSadaf Ebrahimi for (i = 0; i < 3; i++) {
922*62c56f98SSadaf Ebrahimi /* Test CFB encryption */
923*62c56f98SSadaf Ebrahimi if (verbose) {
924*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
925*62c56f98SSadaf Ebrahimi }
926*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
927*62c56f98SSadaf Ebrahimi memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
928*62c56f98SSadaf Ebrahimi memset(buf, 0x55, sizeof(buf));
929*62c56f98SSadaf Ebrahimi j = 0;
930*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
931*62c56f98SSadaf Ebrahimi aria_test2_pt, buf);
932*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
933*62c56f98SSadaf Ebrahimi
934*62c56f98SSadaf Ebrahimi /* Test CFB decryption */
935*62c56f98SSadaf Ebrahimi if (verbose) {
936*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
937*62c56f98SSadaf Ebrahimi }
938*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
939*62c56f98SSadaf Ebrahimi memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
940*62c56f98SSadaf Ebrahimi memset(buf, 0xAA, sizeof(buf));
941*62c56f98SSadaf Ebrahimi j = 0;
942*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
943*62c56f98SSadaf Ebrahimi iv, aria_test2_cfb_ct[i], buf);
944*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
945*62c56f98SSadaf Ebrahimi }
946*62c56f98SSadaf Ebrahimi if (verbose) {
947*62c56f98SSadaf Ebrahimi mbedtls_printf("\n");
948*62c56f98SSadaf Ebrahimi }
949*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CFB */
950*62c56f98SSadaf Ebrahimi
951*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_CIPHER_MODE_CTR)
952*62c56f98SSadaf Ebrahimi for (i = 0; i < 3; i++) {
953*62c56f98SSadaf Ebrahimi /* Test CTR encryption */
954*62c56f98SSadaf Ebrahimi if (verbose) {
955*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
956*62c56f98SSadaf Ebrahimi }
957*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
958*62c56f98SSadaf Ebrahimi memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
959*62c56f98SSadaf Ebrahimi memset(buf, 0x55, sizeof(buf));
960*62c56f98SSadaf Ebrahimi j = 0;
961*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
962*62c56f98SSadaf Ebrahimi aria_test2_pt, buf);
963*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
964*62c56f98SSadaf Ebrahimi
965*62c56f98SSadaf Ebrahimi /* Test CTR decryption */
966*62c56f98SSadaf Ebrahimi if (verbose) {
967*62c56f98SSadaf Ebrahimi mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
968*62c56f98SSadaf Ebrahimi }
969*62c56f98SSadaf Ebrahimi mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
970*62c56f98SSadaf Ebrahimi memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
971*62c56f98SSadaf Ebrahimi memset(buf, 0xAA, sizeof(buf));
972*62c56f98SSadaf Ebrahimi j = 0;
973*62c56f98SSadaf Ebrahimi mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
974*62c56f98SSadaf Ebrahimi aria_test2_ctr_ct[i], buf);
975*62c56f98SSadaf Ebrahimi ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
976*62c56f98SSadaf Ebrahimi }
977*62c56f98SSadaf Ebrahimi if (verbose) {
978*62c56f98SSadaf Ebrahimi mbedtls_printf("\n");
979*62c56f98SSadaf Ebrahimi }
980*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CIPHER_MODE_CTR */
981*62c56f98SSadaf Ebrahimi
982*62c56f98SSadaf Ebrahimi ret = 0;
983*62c56f98SSadaf Ebrahimi
984*62c56f98SSadaf Ebrahimi exit:
985*62c56f98SSadaf Ebrahimi mbedtls_aria_free(&ctx);
986*62c56f98SSadaf Ebrahimi return ret;
987*62c56f98SSadaf Ebrahimi }
988*62c56f98SSadaf Ebrahimi
989*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SELF_TEST */
990*62c56f98SSadaf Ebrahimi
991*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_ARIA_C */
992