Coverage Report

Created: 2022-01-14 08:07

/src/botan/src/lib/block/aria/aria.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* ARIA
3
* Adapted for Botan by Jeffrey Walton, public domain
4
*
5
* Further changes
6
* (C) 2017,2020 Jack Lloyd
7
*
8
* Botan is released under the Simplified BSD License (see license.txt)
9
*
10
* This ARIA implementation is based on the 32-bit implementation by Aaram Yun from the
11
* National Security Research Institute, KOREA. Aaram Yun's implementation is based on
12
* the 8-bit implementation by Jin Hong. The source files are available in ARIA.zip from
13
* the Korea Internet & Security Agency website.
14
* <A HREF="https://tools.ietf.org/html/rfc5794">RFC 5794, A Description of the ARIA Encryption Algorithm</A>,
15
* <A HREF="http://seed.kisa.or.kr/iwt/ko/bbs/EgovReferenceList.do?bbsId=BBSMSTR_000000000002">Korea
16
* Internet & Security Agency homepage</A>
17
*/
18
19
#include <botan/internal/aria.h>
20
#include <botan/internal/loadstor.h>
21
#include <botan/internal/rotate.h>
22
#include <botan/internal/cpuid.h>
23
24
namespace Botan {
25
26
namespace {
27
28
namespace ARIA_F {
29
30
alignas(256) const uint8_t S1[256] = {
31
   0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67,
32
   0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59,
33
   0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7,
34
   0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1,
35
   0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05,
36
   0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83,
37
   0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29,
38
   0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
39
   0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA,
40
   0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C,
41
   0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC,
42
   0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
43
   0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19,
44
   0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE,
45
   0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49,
46
   0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
47
   0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4,
48
   0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6,
49
   0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70,
50
   0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9,
51
   0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E,
52
   0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1,
53
   0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0,
54
   0x54, 0xBB, 0x16 };
55
56
alignas(256) const uint8_t S2[256] = {
57
   0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A,
58
   0x46, 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97,
59
   0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D,
60
   0x06, 0x41, 0x6B, 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE,
61
   0x63, 0xDF, 0xE7, 0xBB, 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85,
62
   0xE4, 0x3A, 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F,
63
   0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95, 0xF9,
64
   0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28,
65
   0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53, 0xFF, 0x87, 0x0E,
66
   0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA,
67
   0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07,
68
   0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
69
   0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13,
70
   0xDC, 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02,
71
   0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9,
72
   0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43,
73
   0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3,
74
   0x8A, 0xD5, 0x79, 0x86, 0xA8, 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6,
75
   0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA, 0xE6,
76
   0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A,
77
   0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33, 0x7D, 0x5A, 0x52,
78
   0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 0xED, 0x14,
79
   0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF,
80
   0xBA, 0xB5, 0x81 };
81
82
alignas(256) const uint8_t X1[256] = {
83
   0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3,
84
   0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F,
85
   0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54,
86
   0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B,
87
   0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24,
88
   0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8,
89
   0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D,
90
   0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
91
   0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 0x90, 0xD8, 0xAB,
92
   0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3,
93
   0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1,
94
   0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
95
   0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6,
96
   0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9,
97
   0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D,
98
   0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
99
   0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0,
100
   0xFE, 0x78, 0xCD, 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07,
101
   0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60,
102
   0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F,
103
   0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5,
104
   0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B,
105
   0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55,
106
   0x21, 0x0C, 0x7D };
107
108
alignas(256) const uint8_t X2[256] = {
109
   0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB,
110
   0xE1, 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0,
111
   0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81,
112
   0x65, 0xF5, 0x89, 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17,
113
   0xD4, 0x40, 0x1A, 0x4D, 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64,
114
   0x6A, 0x53, 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22,
115
   0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3, 0x35,
116
   0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93,
117
   0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE, 0x7A, 0xE8, 0x08,
118
   0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF,
119
   0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49,
120
   0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
121
   0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69,
122
   0x9A, 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26,
123
   0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D,
124
   0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC,
125
   0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD,
126
   0x2F, 0x18, 0x83, 0x16, 0xA5, 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9,
127
   0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45, 0xB2,
128
   0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59,
129
   0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94, 0x37, 0x9F, 0xD0,
130
   0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 0x25, 0x8A,
131
   0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03,
132
   0xA2, 0xAC, 0x60 };
133
134
inline uint32_t ARIA_F1(uint32_t X)
135
46.7k
   {
136
46.7k
   const uint32_t M1 = 0x00010101;
137
46.7k
   const uint32_t M2 = 0x01000101;
138
46.7k
   const uint32_t M3 = 0x01010001;
139
46.7k
   const uint32_t M4 = 0x01010100;
140
141
46.7k
   return (S1[get_byte<0>(X)] * M1) ^
142
46.7k
          (S2[get_byte<1>(X)] * M2) ^
143
46.7k
          (X1[get_byte<2>(X)] * M3) ^
144
46.7k
          (X2[get_byte<3>(X)] * M4);
145
46.7k
   }
146
147
inline uint32_t ARIA_F2(uint32_t X)
148
40.3k
   {
149
40.3k
   const uint32_t M1 = 0x00010101;
150
40.3k
   const uint32_t M2 = 0x01000101;
151
40.3k
   const uint32_t M3 = 0x01010001;
152
40.3k
   const uint32_t M4 = 0x01010100;
153
154
40.3k
   return (X1[get_byte<0>(X)] * M3) ^
155
40.3k
          (X2[get_byte<1>(X)] * M4) ^
156
40.3k
          (S1[get_byte<2>(X)] * M1) ^
157
40.3k
          (S2[get_byte<3>(X)] * M2);
158
40.3k
   }
159
160
inline void ARIA_FO(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3)
161
11.6k
   {
162
11.6k
   T0 = ARIA_F1(T0);
163
11.6k
   T1 = ARIA_F1(T1);
164
11.6k
   T2 = ARIA_F1(T2);
165
11.6k
   T3 = ARIA_F1(T3);
166
167
11.6k
   T1 ^= T2;
168
11.6k
   T2 ^= T3; T0 ^= T1;
169
11.6k
   T3 ^= T1; T2 ^= T0;
170
11.6k
   T1 ^= T2;
171
172
11.6k
   T1 = ((T1 << 8) & 0xFF00FF00) | ((T1 >> 8) & 0x00FF00FF);
173
11.6k
   T2 = rotr<16>(T2);
174
11.6k
   T3 = reverse_bytes(T3);
175
176
11.6k
   T1 ^= T2;
177
11.6k
   T2 ^= T3; T0 ^= T1;
178
11.6k
   T3 ^= T1; T2 ^= T0;
179
11.6k
   T1 ^= T2;
180
11.6k
   }
181
182
inline void ARIA_FE(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3)
183
10.0k
   {
184
10.0k
   T0 = ARIA_F2(T0);
185
10.0k
   T1 = ARIA_F2(T1);
186
10.0k
   T2 = ARIA_F2(T2);
187
10.0k
   T3 = ARIA_F2(T3);
188
189
10.0k
   T1 ^= T2;
190
10.0k
   T2 ^= T3; T0 ^= T1;
191
10.0k
   T3 ^= T1; T2 ^= T0;
192
10.0k
   T1 ^= T2;
193
194
10.0k
   T3 = ((T3 << 8) & 0xFF00FF00) | ((T3 >> 8) & 0x00FF00FF);
195
10.0k
   T0 = rotr<16>(T0);
196
10.0k
   T1 = reverse_bytes(T1);
197
198
10.0k
   T1 ^= T2;
199
10.0k
   T2 ^= T3; T0 ^= T1;
200
10.0k
   T3 ^= T1; T2 ^= T0;
201
10.0k
   T1 ^= T2;
202
10.0k
   }
203
204
/*
205
* ARIA encryption and decryption
206
*/
207
void transform(const uint8_t in[], uint8_t out[], size_t blocks,
208
               const secure_vector<uint32_t>& KS)
209
394
   {
210
   /*
211
   * Hit every cache line of S1, S2, X1, X2
212
   *
213
   * The initializer of Z ensures Z == 0xFFFFFFFF for any cache line size
214
   * size that is a power of 2 and <= 512
215
   */
216
394
   const size_t cache_line_size = CPUID::cache_line_size();
217
218
394
   volatile uint32_t Z = 0x9C1DADCF;
219
1.97k
   for(size_t i = 0; i < 256; i += cache_line_size)
220
1.57k
      {
221
1.57k
      Z |= make_uint32(S1[i], S2[i], X1[i], X2[i]);
222
1.57k
      }
223
224
394
   const size_t ROUNDS = (KS.size() / 4) - 1;
225
226
1.97k
   for(size_t i = 0; i != blocks; ++i)
227
1.57k
      {
228
1.57k
      uint32_t t0, t1, t2, t3;
229
1.57k
      load_be(in + 16*i, t0, t1, t2, t3);
230
231
1.57k
      t0 &= Z;
232
233
13.1k
      for(size_t r = 0; r < ROUNDS; r += 2)
234
11.6k
         {
235
11.6k
         t0 ^= KS[4*r];
236
11.6k
         t1 ^= KS[4*r+1];
237
11.6k
         t2 ^= KS[4*r+2];
238
11.6k
         t3 ^= KS[4*r+3];
239
11.6k
         ARIA_FO(t0,t1,t2,t3);
240
241
11.6k
         t0 ^= KS[4*r+4];
242
11.6k
         t1 ^= KS[4*r+5];
243
11.6k
         t2 ^= KS[4*r+6];
244
11.6k
         t3 ^= KS[4*r+7];
245
246
11.6k
         if(r != ROUNDS-2)
247
10.0k
            ARIA_FE(t0,t1,t2,t3);
248
11.6k
         }
249
250
1.57k
      out[16*i+ 0] = X1[get_byte<0>(t0)] ^ get_byte<0>(KS[4*ROUNDS]);
251
1.57k
      out[16*i+ 1] = X2[get_byte<1>(t0)] ^ get_byte<1>(KS[4*ROUNDS]);
252
1.57k
      out[16*i+ 2] = S1[get_byte<2>(t0)] ^ get_byte<2>(KS[4*ROUNDS]);
253
1.57k
      out[16*i+ 3] = S2[get_byte<3>(t0)] ^ get_byte<3>(KS[4*ROUNDS]);
254
1.57k
      out[16*i+ 4] = X1[get_byte<0>(t1)] ^ get_byte<0>(KS[4*ROUNDS+1]);
255
1.57k
      out[16*i+ 5] = X2[get_byte<1>(t1)] ^ get_byte<1>(KS[4*ROUNDS+1]);
256
1.57k
      out[16*i+ 6] = S1[get_byte<2>(t1)] ^ get_byte<2>(KS[4*ROUNDS+1]);
257
1.57k
      out[16*i+ 7] = S2[get_byte<3>(t1)] ^ get_byte<3>(KS[4*ROUNDS+1]);
258
1.57k
      out[16*i+ 8] = X1[get_byte<0>(t2)] ^ get_byte<0>(KS[4*ROUNDS+2]);
259
1.57k
      out[16*i+ 9] = X2[get_byte<1>(t2)] ^ get_byte<1>(KS[4*ROUNDS+2]);
260
1.57k
      out[16*i+10] = S1[get_byte<2>(t2)] ^ get_byte<2>(KS[4*ROUNDS+2]);
261
1.57k
      out[16*i+11] = S2[get_byte<3>(t2)] ^ get_byte<3>(KS[4*ROUNDS+2]);
262
1.57k
      out[16*i+12] = X1[get_byte<0>(t3)] ^ get_byte<0>(KS[4*ROUNDS+3]);
263
1.57k
      out[16*i+13] = X2[get_byte<1>(t3)] ^ get_byte<1>(KS[4*ROUNDS+3]);
264
1.57k
      out[16*i+14] = S1[get_byte<2>(t3)] ^ get_byte<2>(KS[4*ROUNDS+3]);
265
1.57k
      out[16*i+15] = S2[get_byte<3>(t3)] ^ get_byte<3>(KS[4*ROUNDS+3]);
266
1.57k
      }
267
394
   }
268
269
// n-bit right shift of Y XORed to X
270
template<size_t N>
271
inline void ARIA_ROL128(const uint32_t X[4], const uint32_t Y[4], uint32_t KS[4])
272
607
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
607
   static const size_t Q = 4 - (N / 32);
275
607
   static const size_t R = N % 32;
276
607
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
607
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
607
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
607
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
607
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
607
   }
aria.cpp:void Botan::(anonymous namespace)::ARIA_F::ARIA_ROL128<19ul>(unsigned int const*, unsigned int const*, unsigned int*)
Line
Count
Source
272
156
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
156
   static const size_t Q = 4 - (N / 32);
275
156
   static const size_t R = N % 32;
276
156
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
156
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
156
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
156
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
156
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
156
   }
aria.cpp:void Botan::(anonymous namespace)::ARIA_F::ARIA_ROL128<31ul>(unsigned int const*, unsigned int const*, unsigned int*)
Line
Count
Source
272
156
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
156
   static const size_t Q = 4 - (N / 32);
275
156
   static const size_t R = N % 32;
276
156
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
156
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
156
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
156
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
156
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
156
   }
aria.cpp:void Botan::(anonymous namespace)::ARIA_F::ARIA_ROL128<67ul>(unsigned int const*, unsigned int const*, unsigned int*)
Line
Count
Source
272
156
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
156
   static const size_t Q = 4 - (N / 32);
275
156
   static const size_t R = N % 32;
276
156
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
156
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
156
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
156
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
156
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
156
   }
aria.cpp:void Botan::(anonymous namespace)::ARIA_F::ARIA_ROL128<97ul>(unsigned int const*, unsigned int const*, unsigned int*)
Line
Count
Source
272
114
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
114
   static const size_t Q = 4 - (N / 32);
275
114
   static const size_t R = N % 32;
276
114
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
114
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
114
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
114
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
114
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
114
   }
aria.cpp:void Botan::(anonymous namespace)::ARIA_F::ARIA_ROL128<109ul>(unsigned int const*, unsigned int const*, unsigned int*)
Line
Count
Source
272
25
   {
273
   // MSVC is not generating a "rotate immediate". Constify to help it along.
274
25
   static const size_t Q = 4 - (N / 32);
275
25
   static const size_t R = N % 32;
276
25
   static_assert(R > 0 && R < 32, "Rotation in range for type");
277
25
   KS[0] = (X[0]) ^ ((Y[(Q  )%4])>>R) ^ ((Y[(Q+3)%4])<<(32-R));
278
25
   KS[1] = (X[1]) ^ ((Y[(Q+1)%4])>>R) ^ ((Y[(Q  )%4])<<(32-R));
279
25
   KS[2] = (X[2]) ^ ((Y[(Q+2)%4])>>R) ^ ((Y[(Q+1)%4])<<(32-R));
280
25
   KS[3] = (X[3]) ^ ((Y[(Q+3)%4])>>R) ^ ((Y[(Q+2)%4])<<(32-R));
281
25
   }
282
283
/*
284
* ARIA Key Schedule
285
*/
286
void key_schedule(secure_vector<uint32_t>& ERK,
287
                  secure_vector<uint32_t>& DRK,
288
                  const uint8_t key[], size_t length)
289
39
   {
290
39
   const uint32_t KRK[3][4] = {
291
39
      {0x517cc1b7, 0x27220a94, 0xfe13abe8, 0xfa9a6ee0},
292
39
      {0x6db14acc, 0x9e21c820, 0xff28b1d5, 0xef5de2b0},
293
39
      {0xdb92371d, 0x2126e970, 0x03249775, 0x04e8c90e}
294
39
   };
295
296
39
   const size_t CK0 = (length / 8) - 2;
297
39
   const size_t CK1 = (CK0 + 1) % 3;
298
39
   const size_t CK2 = (CK1 + 1) % 3;
299
300
39
   uint32_t w0[4];
301
39
   uint32_t w1[4];
302
39
   uint32_t w2[4];
303
39
   uint32_t w3[4];
304
305
39
   w0[0] = load_be<uint32_t>(key,0);
306
39
   w0[1] = load_be<uint32_t>(key,1);
307
39
   w0[2] = load_be<uint32_t>(key,2);
308
39
   w0[3] = load_be<uint32_t>(key,3);
309
310
39
   w1[0] = w0[0] ^ KRK[CK0][0];
311
39
   w1[1] = w0[1] ^ KRK[CK0][1];
312
39
   w1[2] = w0[2] ^ KRK[CK0][2];
313
39
   w1[3] = w0[3] ^ KRK[CK0][3];
314
315
39
   ARIA_FO(w1[0], w1[1], w1[2], w1[3]);
316
317
39
   if(length == 24 || length == 32)
318
25
      {
319
25
      w1[0] ^= load_be<uint32_t>(key,4);
320
25
      w1[1] ^= load_be<uint32_t>(key,5);
321
25
      }
322
39
   if(length == 32)
323
25
      {
324
25
      w1[2] ^= load_be<uint32_t>(key,6);
325
25
      w1[3] ^= load_be<uint32_t>(key,7);
326
25
      }
327
328
39
   w2[0] = w1[0] ^ KRK[CK1][0];
329
39
   w2[1] = w1[1] ^ KRK[CK1][1];
330
39
   w2[2] = w1[2] ^ KRK[CK1][2];
331
39
   w2[3] = w1[3] ^ KRK[CK1][3];
332
333
39
   ARIA_FE(w2[0], w2[1], w2[2], w2[3]);
334
335
39
   w2[0] ^= w0[0];
336
39
   w2[1] ^= w0[1];
337
39
   w2[2] ^= w0[2];
338
39
   w2[3] ^= w0[3];
339
340
39
   w3[0] = w2[0] ^ KRK[CK2][0];
341
39
   w3[1] = w2[1] ^ KRK[CK2][1];
342
39
   w3[2] = w2[2] ^ KRK[CK2][2];
343
39
   w3[3] = w2[3] ^ KRK[CK2][3];
344
345
39
   ARIA_FO(w3[0], w3[1], w3[2], w3[3]);
346
347
39
   w3[0] ^= w1[0];
348
39
   w3[1] ^= w1[1];
349
39
   w3[2] ^= w1[2];
350
39
   w3[3] ^= w1[3];
351
352
39
   if(length == 16)
353
14
      ERK.resize(4*13);
354
25
   else if(length == 24)
355
0
      ERK.resize(4*15);
356
25
   else if(length == 32)
357
25
      ERK.resize(4*17);
358
359
39
   ARIA_ROL128<19>(w0, w1, &ERK[ 0]);
360
39
   ARIA_ROL128<19>(w1, w2, &ERK[ 4]);
361
39
   ARIA_ROL128<19>(w2, w3, &ERK[ 8]);
362
39
   ARIA_ROL128<19>(w3, w0, &ERK[12]);
363
39
   ARIA_ROL128<31>(w0, w1, &ERK[16]);
364
39
   ARIA_ROL128<31>(w1, w2, &ERK[20]);
365
39
   ARIA_ROL128<31>(w2, w3, &ERK[24]);
366
39
   ARIA_ROL128<31>(w3, w0, &ERK[28]);
367
39
   ARIA_ROL128<67>(w0, w1, &ERK[32]);
368
39
   ARIA_ROL128<67>(w1, w2, &ERK[36]);
369
39
   ARIA_ROL128<67>(w2, w3, &ERK[40]);
370
39
   ARIA_ROL128<67>(w3, w0, &ERK[44]);
371
39
   ARIA_ROL128<97>(w0, w1, &ERK[48]);
372
373
39
   if(length == 24 || length == 32)
374
25
      {
375
25
      ARIA_ROL128<97>(w1, w2, &ERK[52]);
376
25
      ARIA_ROL128<97>(w2, w3, &ERK[56]);
377
378
25
      if(length == 32)
379
25
         {
380
25
         ARIA_ROL128< 97>(w3, w0, &ERK[60]);
381
25
         ARIA_ROL128<109>(w0, w1, &ERK[64]);
382
25
         }
383
25
      }
384
385
   // Now create the decryption key schedule
386
39
   DRK.resize(ERK.size());
387
388
646
   for(size_t i = 0; i != DRK.size(); i += 4)
389
607
      {
390
607
      DRK[i  ] = ERK[ERK.size()-4-i];
391
607
      DRK[i+1] = ERK[ERK.size()-3-i];
392
607
      DRK[i+2] = ERK[ERK.size()-2-i];
393
607
      DRK[i+3] = ERK[ERK.size()-1-i];
394
607
      }
395
396
568
   for(size_t i = 4; i != DRK.size() - 4; i += 4)
397
529
      {
398
2.64k
      for(size_t j = 0; j != 4; ++j)
399
2.11k
         {
400
2.11k
         DRK[i+j] = rotr<8>(DRK[i+j]) ^
401
2.11k
                    rotr<16>(DRK[i+j]) ^
402
2.11k
                    rotr<24>(DRK[i+j]);
403
2.11k
         }
404
405
529
      DRK[i+1] ^= DRK[i+2]; DRK[i+2] ^= DRK[i+3];
406
529
      DRK[i+0] ^= DRK[i+1]; DRK[i+3] ^= DRK[i+1];
407
529
      DRK[i+2] ^= DRK[i+0]; DRK[i+1] ^= DRK[i+2];
408
409
529
      DRK[i+1] = ((DRK[i+1] << 8) & 0xFF00FF00) | ((DRK[i+1] >> 8) & 0x00FF00FF);
410
529
      DRK[i+2] = rotr<16>(DRK[i+2]);
411
529
      DRK[i+3] = reverse_bytes(DRK[i+3]);
412
413
529
      DRK[i+1] ^= DRK[i+2]; DRK[i+2] ^= DRK[i+3];
414
529
      DRK[i+0] ^= DRK[i+1]; DRK[i+3] ^= DRK[i+1];
415
529
      DRK[i+2] ^= DRK[i+0]; DRK[i+1] ^= DRK[i+2];
416
529
      }
417
39
   }
418
419
}
420
421
}
422
423
void ARIA_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
424
124
   {
425
124
   verify_key_set(m_ERK.size() > 0);
426
124
   ARIA_F::transform(in, out, blocks, m_ERK);
427
124
   }
428
429
void ARIA_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
430
0
   {
431
0
   verify_key_set(m_ERK.size() > 0);
432
0
   ARIA_F::transform(in, out, blocks, m_ERK);
433
0
   }
434
435
void ARIA_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
436
270
   {
437
270
   verify_key_set(m_ERK.size() > 0);
438
270
   ARIA_F::transform(in, out, blocks, m_ERK);
439
270
   }
440
441
void ARIA_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
442
0
   {
443
0
   verify_key_set(m_DRK.size() > 0);
444
0
   ARIA_F::transform(in, out, blocks, m_DRK);
445
0
   }
446
447
void ARIA_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
448
0
   {
449
0
   verify_key_set(m_DRK.size() > 0);
450
0
   ARIA_F::transform(in, out, blocks, m_DRK);
451
0
   }
452
453
void ARIA_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
454
0
   {
455
0
   verify_key_set(m_DRK.size() > 0);
456
0
   ARIA_F::transform(in, out, blocks, m_DRK);
457
0
   }
458
459
void ARIA_128::key_schedule(const uint8_t key[], size_t length)
460
14
   {
461
14
   ARIA_F::key_schedule(m_ERK, m_DRK, key, length);
462
14
   }
463
464
void ARIA_192::key_schedule(const uint8_t key[], size_t length)
465
0
   {
466
0
   ARIA_F::key_schedule(m_ERK, m_DRK, key, length);
467
0
   }
468
469
void ARIA_256::key_schedule(const uint8_t key[], size_t length)
470
25
   {
471
25
   ARIA_F::key_schedule(m_ERK, m_DRK, key, length);
472
25
   }
473
474
void ARIA_128::clear()
475
0
   {
476
0
   zap(m_ERK);
477
0
   zap(m_DRK);
478
0
   }
479
480
void ARIA_192::clear()
481
0
   {
482
0
   zap(m_ERK);
483
0
   zap(m_DRK);
484
0
   }
485
486
void ARIA_256::clear()
487
0
   {
488
0
   zap(m_ERK);
489
0
   zap(m_DRK);
490
0
   }
491
492
}