1
#pragma GCC system_header
5
* \brief ARIA block cipher
7
* The ARIA algorithm is a symmetric block cipher that can encrypt and
8
* decrypt information. It is defined by the Korean Agency for
9
* Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
10
* Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
11
* and also described by the IETF in <em>RFC 5794</em>.
14
* Copyright The Mbed TLS Contributors
15
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
17
* This file is provided under the Apache License 2.0, or the
18
* GNU General Public License v2.0 or later.
23
* Licensed under the Apache License, Version 2.0 (the "License"); you may
24
* not use this file except in compliance with the License.
25
* You may obtain a copy of the License at
27
* http://www.apache.org/licenses/LICENSE-2.0
29
* Unless required by applicable law or agreed to in writing, software
30
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
31
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
32
* See the License for the specific language governing permissions and
33
* limitations under the License.
38
* GNU General Public License v2.0 or later:
40
* This program is free software; you can redistribute it and/or modify
41
* it under the terms of the GNU General Public License as published by
42
* the Free Software Foundation; either version 2 of the License, or
43
* (at your option) any later version.
45
* This program is distributed in the hope that it will be useful,
46
* but WITHOUT ANY WARRANTY; without even the implied warranty of
47
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
48
* GNU General Public License for more details.
50
* You should have received a copy of the GNU General Public License along
51
* with this program; if not, write to the Free Software Foundation, Inc.,
52
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
57
#ifndef MBEDTLS_ARIA_H
58
#define MBEDTLS_ARIA_H
60
#if !defined(MBEDTLS_CONFIG_FILE)
63
#include MBEDTLS_CONFIG_FILE
69
#include "platform_util.h"
71
#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
72
#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
74
#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */
75
#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */
76
#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
78
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
79
#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
80
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
81
#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
83
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
85
/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
87
#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */
89
/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
90
#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */
96
#if !defined(MBEDTLS_ARIA_ALT)
97
// Regular implementation
101
* \brief The ARIA context-type definition.
103
typedef struct mbedtls_aria_context
105
unsigned char nr; /*!< The number of rounds (12, 14 or 16) */
106
/*! The ARIA round keys. */
107
uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
109
mbedtls_aria_context;
111
#else /* MBEDTLS_ARIA_ALT */
112
#include "aria_alt.h"
113
#endif /* MBEDTLS_ARIA_ALT */
116
* \brief This function initializes the specified ARIA context.
118
* It must be the first API called before using
121
* \param ctx The ARIA context to initialize. This must not be \c NULL.
123
void mbedtls_aria_init( mbedtls_aria_context *ctx );
126
* \brief This function releases and clears the specified ARIA context.
128
* \param ctx The ARIA context to clear. This may be \c NULL, in which
129
* case this function returns immediately. If it is not \c NULL,
130
* it must point to an initialized ARIA context.
132
void mbedtls_aria_free( mbedtls_aria_context *ctx );
135
* \brief This function sets the encryption key.
137
* \param ctx The ARIA context to which the key should be bound.
138
* This must be initialized.
139
* \param key The encryption key. This must be a readable buffer
140
* of size \p keybits Bits.
141
* \param keybits The size of \p key in Bits. Valid options are:
142
* <ul><li>128 bits</li>
144
* <li>256 bits</li></ul>
146
* \return \c 0 on success.
147
* \return A negative error code on failure.
149
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
150
const unsigned char *key,
151
unsigned int keybits );
154
* \brief This function sets the decryption key.
156
* \param ctx The ARIA context to which the key should be bound.
157
* This must be initialized.
158
* \param key The decryption key. This must be a readable buffer
159
* of size \p keybits Bits.
160
* \param keybits The size of data passed. Valid options are:
161
* <ul><li>128 bits</li>
163
* <li>256 bits</li></ul>
165
* \return \c 0 on success.
166
* \return A negative error code on failure.
168
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
169
const unsigned char *key,
170
unsigned int keybits );
173
* \brief This function performs an ARIA single-block encryption or
174
* decryption operation.
176
* It performs encryption or decryption (depending on whether
177
* the key was set for encryption on decryption) on the input
178
* data buffer defined in the \p input parameter.
180
* mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
181
* mbedtls_aria_setkey_dec() must be called before the first
182
* call to this API with the same context.
184
* \param ctx The ARIA context to use for encryption or decryption.
185
* This must be initialized and bound to a key.
186
* \param input The 16-Byte buffer holding the input data.
187
* \param output The 16-Byte buffer holding the output data.
189
* \return \c 0 on success.
190
* \return A negative error code on failure.
192
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
193
const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
194
unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
196
#if defined(MBEDTLS_CIPHER_MODE_CBC)
198
* \brief This function performs an ARIA-CBC encryption or decryption operation
201
* It performs the operation defined in the \p mode
202
* parameter (encrypt/decrypt), on the input data buffer defined in
203
* the \p input parameter.
205
* It can be called as many times as needed, until all the input
206
* data is processed. mbedtls_aria_init(), and either
207
* mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
208
* before the first call to this API with the same context.
210
* \note This function operates on aligned blocks, that is, the input size
211
* must be a multiple of the ARIA block size of 16 Bytes.
213
* \note Upon exit, the content of the IV is updated so that you can
214
* call the same function again on the next
215
* block(s) of data and get the same result as if it was
216
* encrypted in one call. This allows a "streaming" usage.
217
* If you need to retain the contents of the IV, you should
218
* either save it manually or use the cipher module instead.
221
* \param ctx The ARIA context to use for encryption or decryption.
222
* This must be initialized and bound to a key.
223
* \param mode The mode of operation. This must be either
224
* #MBEDTLS_ARIA_ENCRYPT for encryption, or
225
* #MBEDTLS_ARIA_DECRYPT for decryption.
226
* \param length The length of the input data in Bytes. This must be a
227
* multiple of the block size (16 Bytes).
228
* \param iv Initialization vector (updated after use).
229
* This must be a readable buffer of size 16 Bytes.
230
* \param input The buffer holding the input data. This must
231
* be a readable buffer of length \p length Bytes.
232
* \param output The buffer holding the output data. This must
233
* be a writable buffer of length \p length Bytes.
235
* \return \c 0 on success.
236
* \return A negative error code on failure.
238
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
241
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
242
const unsigned char *input,
243
unsigned char *output );
244
#endif /* MBEDTLS_CIPHER_MODE_CBC */
246
#if defined(MBEDTLS_CIPHER_MODE_CFB)
248
* \brief This function performs an ARIA-CFB128 encryption or decryption
251
* It performs the operation defined in the \p mode
252
* parameter (encrypt or decrypt), on the input data buffer
253
* defined in the \p input parameter.
255
* For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
256
* regardless of whether you are performing an encryption or decryption
257
* operation, that is, regardless of the \p mode parameter. This is
258
* because CFB mode uses the same key schedule for encryption and
261
* \note Upon exit, the content of the IV is updated so that you can
262
* call the same function again on the next
263
* block(s) of data and get the same result as if it was
264
* encrypted in one call. This allows a "streaming" usage.
265
* If you need to retain the contents of the
266
* IV, you must either save it manually or use the cipher
270
* \param ctx The ARIA context to use for encryption or decryption.
271
* This must be initialized and bound to a key.
272
* \param mode The mode of operation. This must be either
273
* #MBEDTLS_ARIA_ENCRYPT for encryption, or
274
* #MBEDTLS_ARIA_DECRYPT for decryption.
275
* \param length The length of the input data \p input in Bytes.
276
* \param iv_off The offset in IV (updated after use).
277
* This must not be larger than 15.
278
* \param iv The initialization vector (updated after use).
279
* This must be a readable buffer of size 16 Bytes.
280
* \param input The buffer holding the input data. This must
281
* be a readable buffer of length \p length Bytes.
282
* \param output The buffer holding the output data. This must
283
* be a writable buffer of length \p length Bytes.
285
* \return \c 0 on success.
286
* \return A negative error code on failure.
288
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
292
unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
293
const unsigned char *input,
294
unsigned char *output );
295
#endif /* MBEDTLS_CIPHER_MODE_CFB */
297
#if defined(MBEDTLS_CIPHER_MODE_CTR)
299
* \brief This function performs an ARIA-CTR encryption or decryption
302
* This function performs the operation defined in the \p mode
303
* parameter (encrypt/decrypt), on the input data buffer
304
* defined in the \p input parameter.
306
* Due to the nature of CTR, you must use the same key schedule
307
* for both encryption and decryption operations. Therefore, you
308
* must use the context initialized with mbedtls_aria_setkey_enc()
309
* for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
311
* \warning You must never reuse a nonce value with the same key. Doing so
312
* would void the encryption for the two messages encrypted with
313
* the same nonce and key.
315
* There are two common strategies for managing nonces with CTR:
317
* 1. You can handle everything as a single message processed over
318
* successive calls to this function. In that case, you want to
319
* set \p nonce_counter and \p nc_off to 0 for the first call, and
320
* then preserve the values of \p nonce_counter, \p nc_off and \p
321
* stream_block across calls to this function as they will be
322
* updated by this function.
324
* With this strategy, you must not encrypt more than 2**128
325
* blocks of data with the same key.
327
* 2. You can encrypt separate messages by dividing the \p
328
* nonce_counter buffer in two areas: the first one used for a
329
* per-message nonce, handled by yourself, and the second one
330
* updated by this function internally.
332
* For example, you might reserve the first 12 bytes for the
333
* per-message nonce, and the last 4 bytes for internal use. In that
334
* case, before calling this function on a new message you need to
335
* set the first 12 bytes of \p nonce_counter to your chosen nonce
336
* value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
337
* stream_block to be ignored). That way, you can encrypt at most
338
* 2**96 messages of up to 2**32 blocks each with the same key.
340
* The per-message nonce (or information sufficient to reconstruct
341
* it) needs to be communicated with the ciphertext and must be unique.
342
* The recommended way to ensure uniqueness is to use a message
343
* counter. An alternative is to generate random nonces, but this
344
* limits the number of messages that can be securely encrypted:
345
* for example, with 96-bit random nonces, you should not encrypt
346
* more than 2**32 messages with the same key.
348
* Note that for both stategies, sizes are measured in blocks and
349
* that an ARIA block is 16 bytes.
351
* \warning Upon return, \p stream_block contains sensitive data. Its
352
* content must not be written to insecure storage and should be
353
* securely discarded as soon as it's no longer needed.
355
* \param ctx The ARIA context to use for encryption or decryption.
356
* This must be initialized and bound to a key.
357
* \param length The length of the input data \p input in Bytes.
358
* \param nc_off The offset in Bytes in the current \p stream_block,
359
* for resuming within the current cipher stream. The
360
* offset pointer should be \c 0 at the start of a
361
* stream. This must not be larger than \c 15 Bytes.
362
* \param nonce_counter The 128-bit nonce and counter. This must point to
363
* a read/write buffer of length \c 16 bytes.
364
* \param stream_block The saved stream block for resuming. This must
365
* point to a read/write buffer of length \c 16 bytes.
366
* This is overwritten by the function.
367
* \param input The buffer holding the input data. This must
368
* be a readable buffer of length \p length Bytes.
369
* \param output The buffer holding the output data. This must
370
* be a writable buffer of length \p length Bytes.
372
* \return \c 0 on success.
373
* \return A negative error code on failure.
375
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
378
unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
379
unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
380
const unsigned char *input,
381
unsigned char *output );
382
#endif /* MBEDTLS_CIPHER_MODE_CTR */
384
#if defined(MBEDTLS_SELF_TEST)
386
* \brief Checkup routine.
388
* \return \c 0 on success, or \c 1 on failure.
390
int mbedtls_aria_self_test( int verbose );
391
#endif /* MBEDTLS_SELF_TEST */
added
removed
mbedtls2/aria.h
