1
/**
2
 * \file aria.h
3
 *
4
 * \brief ARIA block cipher
5
 *
6
 *        The ARIA algorithm is a symmetric block cipher that can encrypt and
7
 *        decrypt information. It is defined by the Korean Agency for
8
 *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
9
 *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
10
 *        and also described by the IETF in <em>RFC 5794</em>.
11
 */
12
/*
13
 *  Copyright The Mbed TLS Contributors
14
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
15
 */
16

17
#ifndef MBEDTLS_ARIA_H
18
#define MBEDTLS_ARIA_H
19
#include "mbedtls/private_access.h"
20

21
#include "mbedtls/build_info.h"
22

23
#include <stddef.h>
24
#include <stdint.h>
25

26
#include "mbedtls/platform_util.h"
27

28
#define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
29
#define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
30

31
#define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
32
#define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maximum number of rounds in ARIA. */
33
#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
34

35
/** Bad input data. */
36
#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C
37

38
/** Invalid data input length. */
39
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E
40

41
#ifdef __cplusplus
42
extern "C" {
43
#endif
44

45
#if !defined(MBEDTLS_ARIA_ALT)
46
// Regular implementation
47
//
48

49
/**
50
 * \brief The ARIA context-type definition.
51
 */
52
typedef struct mbedtls_aria_context {
53
    unsigned char MBEDTLS_PRIVATE(nr);           /*!< The number of rounds (12, 14 or 16) */
54
    /*! The ARIA round keys. */
55
    uint32_t MBEDTLS_PRIVATE(rk)[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
56
}
57
mbedtls_aria_context;
58

59
#else  /* MBEDTLS_ARIA_ALT */
60
#include "aria_alt.h"
61
#endif /* MBEDTLS_ARIA_ALT */
62

63
/**
64
 * \brief          This function initializes the specified ARIA context.
65
 *
66
 *                 It must be the first API called before using
67
 *                 the context.
68
 *
69
 * \param ctx      The ARIA context to initialize. This must not be \c NULL.
70
 */
71
void mbedtls_aria_init(mbedtls_aria_context *ctx);
72

73
/**
74
 * \brief          This function releases and clears the specified ARIA context.
75
 *
76
 * \param ctx      The ARIA context to clear. This may be \c NULL, in which
77
 *                 case this function returns immediately. If it is not \c NULL,
78
 *                 it must point to an initialized ARIA context.
79
 */
80
void mbedtls_aria_free(mbedtls_aria_context *ctx);
81

82
/**
83
 * \brief          This function sets the encryption key.
84
 *
85
 * \param ctx      The ARIA context to which the key should be bound.
86
 *                 This must be initialized.
87
 * \param key      The encryption key. This must be a readable buffer
88
 *                 of size \p keybits Bits.
89
 * \param keybits  The size of \p key in Bits. Valid options are:
90
 *                 <ul><li>128 bits</li>
91
 *                 <li>192 bits</li>
92
 *                 <li>256 bits</li></ul>
93
 *
94
 * \return         \c 0 on success.
95
 * \return         A negative error code on failure.
96
 */
97
int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
98
                            const unsigned char *key,
99
                            unsigned int keybits);
100

101
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
102
/**
103
 * \brief          This function sets the decryption key.
104
 *
105
 * \param ctx      The ARIA context to which the key should be bound.
106
 *                 This must be initialized.
107
 * \param key      The decryption key. This must be a readable buffer
108
 *                 of size \p keybits Bits.
109
 * \param keybits  The size of data passed. Valid options are:
110
 *                 <ul><li>128 bits</li>
111
 *                 <li>192 bits</li>
112
 *                 <li>256 bits</li></ul>
113
 *
114
 * \return         \c 0 on success.
115
 * \return         A negative error code on failure.
116
 */
117
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
118
                            const unsigned char *key,
119
                            unsigned int keybits);
120
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
121

122
/**
123
 * \brief          This function performs an ARIA single-block encryption or
124
 *                 decryption operation.
125
 *
126
 *                 It performs encryption or decryption (depending on whether
127
 *                 the key was set for encryption on decryption) on the input
128
 *                 data buffer defined in the \p input parameter.
129
 *
130
 *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
131
 *                 mbedtls_aria_setkey_dec() must be called before the first
132
 *                 call to this API with the same context.
133
 *
134
 * \param ctx      The ARIA context to use for encryption or decryption.
135
 *                 This must be initialized and bound to a key.
136
 * \param input    The 16-Byte buffer holding the input data.
137
 * \param output   The 16-Byte buffer holding the output data.
138

139
 * \return         \c 0 on success.
140
 * \return         A negative error code on failure.
141
 */
142
int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
143
                           const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
144
                           unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]);
145

146
#if defined(MBEDTLS_CIPHER_MODE_CBC)
147
/**
148
 * \brief  This function performs an ARIA-CBC encryption or decryption operation
149
 *         on full blocks.
150
 *
151
 *         It performs the operation defined in the \p mode
152
 *         parameter (encrypt/decrypt), on the input data buffer defined in
153
 *         the \p input parameter.
154
 *
155
 *         It can be called as many times as needed, until all the input
156
 *         data is processed. mbedtls_aria_init(), and either
157
 *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
158
 *         before the first call to this API with the same context.
159
 *
160
 * \note   This function operates on aligned blocks, that is, the input size
161
 *         must be a multiple of the ARIA block size of 16 Bytes.
162
 *
163
 * \note   Upon exit, the content of the IV is updated so that you can
164
 *         call the same function again on the next
165
 *         block(s) of data and get the same result as if it was
166
 *         encrypted in one call. This allows a "streaming" usage.
167
 *         If you need to retain the contents of the IV, you should
168
 *         either save it manually or use the cipher module instead.
169
 *
170
 *
171
 * \param ctx      The ARIA context to use for encryption or decryption.
172
 *                 This must be initialized and bound to a key.
173
 * \param mode     The mode of operation. This must be either
174
 *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
175
 *                 #MBEDTLS_ARIA_DECRYPT for decryption.
176
 * \param length   The length of the input data in Bytes. This must be a
177
 *                 multiple of the block size (16 Bytes).
178
 * \param iv       Initialization vector (updated after use).
179
 *                 This must be a readable buffer of size 16 Bytes.
180
 * \param input    The buffer holding the input data. This must
181
 *                 be a readable buffer of length \p length Bytes.
182
 * \param output   The buffer holding the output data. This must
183
 *                 be a writable buffer of length \p length Bytes.
184
 *
185
 * \return         \c 0 on success.
186
 * \return         A negative error code on failure.
187
 */
188
int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
189
                           int mode,
190
                           size_t length,
191
                           unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
192
                           const unsigned char *input,
193
                           unsigned char *output);
194
#endif /* MBEDTLS_CIPHER_MODE_CBC */
195

196
#if defined(MBEDTLS_CIPHER_MODE_CFB)
197
/**
198
 * \brief This function performs an ARIA-CFB128 encryption or decryption
199
 *        operation.
200
 *
201
 *        It performs the operation defined in the \p mode
202
 *        parameter (encrypt or decrypt), on the input data buffer
203
 *        defined in the \p input parameter.
204
 *
205
 *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
206
 *        regardless of whether you are performing an encryption or decryption
207
 *        operation, that is, regardless of the \p mode parameter. This is
208
 *        because CFB mode uses the same key schedule for encryption and
209
 *        decryption.
210
 *
211
 * \note  Upon exit, the content of the IV is updated so that you can
212
 *        call the same function again on the next
213
 *        block(s) of data and get the same result as if it was
214
 *        encrypted in one call. This allows a "streaming" usage.
215
 *        If you need to retain the contents of the
216
 *        IV, you must either save it manually or use the cipher
217
 *        module instead.
218
 *
219
 *
220
 * \param ctx      The ARIA context to use for encryption or decryption.
221
 *                 This must be initialized and bound to a key.
222
 * \param mode     The mode of operation. This must be either
223
 *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
224
 *                 #MBEDTLS_ARIA_DECRYPT for decryption.
225
 * \param length   The length of the input data \p input in Bytes.
226
 * \param iv_off   The offset in IV (updated after use).
227
 *                 This must not be larger than 15.
228
 * \param iv       The initialization vector (updated after use).
229
 *                 This must be a readable buffer of size 16 Bytes.
230
 * \param input    The buffer holding the input data. This must
231
 *                 be a readable buffer of length \p length Bytes.
232
 * \param output   The buffer holding the output data. This must
233
 *                 be a writable buffer of length \p length Bytes.
234
 *
235
 * \return         \c 0 on success.
236
 * \return         A negative error code on failure.
237
 */
238
int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
239
                              int mode,
240
                              size_t length,
241
                              size_t *iv_off,
242
                              unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
243
                              const unsigned char *input,
244
                              unsigned char *output);
245
#endif /* MBEDTLS_CIPHER_MODE_CFB */
246

247
#if defined(MBEDTLS_CIPHER_MODE_CTR)
248
/**
249
 * \brief      This function performs an ARIA-CTR encryption or decryption
250
 *             operation.
251
 *
252
 *             Due to the nature of CTR, you must use the same key schedule
253
 *             for both encryption and decryption operations. Therefore, you
254
 *             must use the context initialized with mbedtls_aria_setkey_enc()
255
 *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
256
 *
257
 * \warning    You must never reuse a nonce value with the same key. Doing so
258
 *             would void the encryption for the two messages encrypted with
259
 *             the same nonce and key.
260
 *
261
 *             There are two common strategies for managing nonces with CTR:
262
 *
263
 *             1. You can handle everything as a single message processed over
264
 *             successive calls to this function. In that case, you want to
265
 *             set \p nonce_counter and \p nc_off to 0 for the first call, and
266
 *             then preserve the values of \p nonce_counter, \p nc_off and \p
267
 *             stream_block across calls to this function as they will be
268
 *             updated by this function.
269
 *
270
 *             With this strategy, you must not encrypt more than 2**128
271
 *             blocks of data with the same key.
272
 *
273
 *             2. You can encrypt separate messages by dividing the \p
274
 *             nonce_counter buffer in two areas: the first one used for a
275
 *             per-message nonce, handled by yourself, and the second one
276
 *             updated by this function internally.
277
 *
278
 *             For example, you might reserve the first 12 bytes for the
279
 *             per-message nonce, and the last 4 bytes for internal use. In that
280
 *             case, before calling this function on a new message you need to
281
 *             set the first 12 bytes of \p nonce_counter to your chosen nonce
282
 *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
283
 *             stream_block to be ignored). That way, you can encrypt at most
284
 *             2**96 messages of up to 2**32 blocks each with the same key.
285
 *
286
 *             The per-message nonce (or information sufficient to reconstruct
287
 *             it) needs to be communicated with the ciphertext and must be unique.
288
 *             The recommended way to ensure uniqueness is to use a message
289
 *             counter. An alternative is to generate random nonces, but this
290
 *             limits the number of messages that can be securely encrypted:
291
 *             for example, with 96-bit random nonces, you should not encrypt
292
 *             more than 2**32 messages with the same key.
293
 *
294
 *             Note that for both strategies, sizes are measured in blocks and
295
 *             that an ARIA block is 16 bytes.
296
 *
297
 * \warning    Upon return, \p stream_block contains sensitive data. Its
298
 *             content must not be written to insecure storage and should be
299
 *             securely discarded as soon as it's no longer needed.
300
 *
301
 * \param ctx              The ARIA context to use for encryption or decryption.
302
 *                         This must be initialized and bound to a key.
303
 * \param length           The length of the input data \p input in Bytes.
304
 * \param nc_off           The offset in Bytes in the current \p stream_block,
305
 *                         for resuming within the current cipher stream. The
306
 *                         offset pointer should be \c 0 at the start of a
307
 *                         stream. This must not be larger than \c 15 Bytes.
308
 * \param nonce_counter    The 128-bit nonce and counter. This must point to
309
 *                         a read/write buffer of length \c 16 bytes.
310
 * \param stream_block     The saved stream block for resuming. This must
311
 *                         point to a read/write buffer of length \c 16 bytes.
312
 *                         This is overwritten by the function.
313
 * \param input            The buffer holding the input data. This must
314
 *                         be a readable buffer of length \p length Bytes.
315
 * \param output           The buffer holding the output data. This must
316
 *                         be a writable buffer of length \p length Bytes.
317
 *
318
 * \return                 \c 0 on success.
319
 * \return                 A negative error code on failure.
320
 */
321
int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
322
                           size_t length,
323
                           size_t *nc_off,
324
                           unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
325
                           unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
326
                           const unsigned char *input,
327
                           unsigned char *output);
328
#endif /* MBEDTLS_CIPHER_MODE_CTR */
329

330
#if defined(MBEDTLS_SELF_TEST)
331
/**
332
 * \brief          Checkup routine.
333
 *
334
 * \return         \c 0 on success, or \c 1 on failure.
335
 */
336
int mbedtls_aria_self_test(int verbose);
337
#endif /* MBEDTLS_SELF_TEST */
338

339
#ifdef __cplusplus
340
}
341
#endif
342

343
#endif /* aria.h */
344

345