/src/cryptopp/aria.cpp
// aria.cpp - written and placed in the public domain by Jeffrey Walton

#include "pch.h"
#include "config.h"

#include "aria.h"
#include "misc.h"
#include "cpu.h"

NAMESPACE_BEGIN(CryptoPP)
NAMESPACE_BEGIN(ARIATab)

// Lookup tables for the word-oriented ARIA implementation. They are only
// declared here; their definitions live elsewhere. S1/S2/X1/X2 are the four
// 256-entry substitution tables consumed by the S-box layers below, and KRK
// holds the three 128-bit key-schedule constants used in UncheckedSetKey.
extern const word32 S1[256];
extern const word32 S2[256];
extern const word32 X1[256];
extern const word32 X2[256];
extern const word32 KRK[3][4];

NAMESPACE_END
NAMESPACE_END

NAMESPACE_BEGIN(CryptoPP)

// Bring the table names into CryptoPP so the helpers in this file can use
// them unqualified.
using CryptoPP::ARIATab::S1;
using CryptoPP::ARIATab::S2;
using CryptoPP::ARIATab::X1;
using CryptoPP::ARIATab::X2;
using CryptoPP::ARIATab::KRK;
// Byte extraction helper: returns byte y of the word x (y counted from the
// least-significant end, as GETBYTE does). Every S-box lookup in this file
// is indexed through this function, so the value it returns is typically a
// secret-dependent table index; see the cache pre-touch in
// ProcessAndXorBlock for the timing countermeasure that accompanies it.
inline byte ARIA_BRF(const word32 x, const int y) {
  const unsigned int selected = GETBYTE(x, y);
  return static_cast<byte>(selected);
}
// Key XOR Layer: XORs the 16-byte round key at rk into the four state words
// t[0..3] and returns the address of the next round key (rk + 16).
// The key bytes are read in native byte order because UncheckedSetKey stores
// the round keys as word32 values and ProcessAndXorBlock merely views that
// storage as bytes.
inline const byte* ARIA_KXL(const byte rk[16], word32 t[4]) {
  typedef BlockGetAndPut<word32, NativeByteOrder, true, true> RoundKeyBlock;
  RoundKeyBlock::Put(rk, t)(t[0])(t[1])(t[2])(t[3]);
  const byte* next = rk + 16;
  return next;
}
// Substitution of a single word for S-box layer 1: byte 3 through S1,
// byte 2 through S2, byte 1 through X1 and byte 0 through X2, XORed together.
// The tables are word-sized; the "+ M" in the layer name suggests the
// diffusion step is folded into the table entries (not verifiable here).
inline word32 SBL1_M_Word(const word32 w) {
  return S1[ARIA_BRF(w,3)] ^ S2[ARIA_BRF(w,2)] ^ X1[ARIA_BRF(w,1)] ^ X2[ARIA_BRF(w,0)];
}

// S-Box Layer 1 + M, applied in place to the four state words. Used by
// ARIA_FO. All four lookups per word are indexed by secret-dependent bytes;
// the cache-line pre-touch in ProcessAndXorBlock is the (partial) timing
// countermeasure for these accesses.
inline void SBL1_M(word32& T0, word32& T1, word32& T2, word32& T3) {
  T0 = SBL1_M_Word(T0);
  T1 = SBL1_M_Word(T1);
  T2 = SBL1_M_Word(T2);
  T3 = SBL1_M_Word(T3);
}
// Substitution of a single word for S-box layer 2: the table order is the
// mirror of layer 1 (X1, X2, S1, S2 for bytes 3 down to 0).
inline word32 SBL2_M_Word(const word32 w) {
  return X1[ARIA_BRF(w,3)] ^ X2[ARIA_BRF(w,2)] ^ S1[ARIA_BRF(w,1)] ^ S2[ARIA_BRF(w,0)];
}

// S-Box Layer 2 + M, applied in place to the four state words. Used by
// ARIA_FE. The same secret-dependent table indexing caveat as SBL1_M applies.
inline void SBL2_M(word32& T0, word32& T1, word32& T2, word32& T3) {
  T0 = SBL2_M_Word(T0);
  T1 = SBL2_M_Word(T1);
  T2 = SBL2_M_Word(T2);
  T3 = SBL2_M_Word(T3);
}
// Byte permutation layer, applied between the two ARIA_MM passes of a round.
// T0 is accepted only so the callers can pass the state uniformly; it is not
// modified. The other three words are permuted independently:
//   T1 - swap the two bytes inside each 16-bit half
//   T2 - rotate right by 16 (swap the halves)
//   T3 - reverse all four bytes
inline void ARIA_P(word32& T0, word32& T1, word32& T2, word32& T3) {
  CRYPTOPP_UNUSED(T0);
  T3 = ByteReverse(T3);
  T2 = rotrConstant<16>(T2);
  T1 = ((T1 & 0x00ff00ff) << 8) | ((T1 & 0xff00ff00) >> 8);
}
// Word-level diffusion used while reversing the round keys for decryption:
// Y receives the XOR of X shifted left and right by 8, 16 and 24 bits.
// X is read completely before Y is written, so aliasing arguments would be
// handled the same way as distinct ones.
inline void ARIA_M(word32& X, word32& Y) {
  const word32 by8  = (X << 8)  ^ (X >> 8);
  const word32 by16 = (X << 16) ^ (X >> 16);
  const word32 by24 = (X << 24) ^ (X >> 24);
  Y = by8 ^ by16 ^ by24;
}
// Mixing layer: six chained XORs across the four state words. Every step
// reads a word that an earlier step has already updated, so the order below
// is part of the definition and must not be rearranged.
inline void ARIA_MM(word32& T0, word32& T1, word32& T2, word32& T3) {
  T1 ^= T2;
  T2 ^= T3;
  T0 ^= T1;
  T3 ^= T1;
  T2 ^= T0;
  T1 ^= T2;
}
// Round function FO, in place on the four state words: S-box layer 1
// followed by the mixing / permutation / mixing sandwich. The round key has
// already been XORed in by ARIA_KXL before this is called.
inline void ARIA_FO(word32 t[4]) {
  word32 &a = t[0], &b = t[1], &c = t[2], &d = t[3];
  SBL1_M(a, b, c, d);
  ARIA_MM(a, b, c, d);
  ARIA_P(a, b, c, d);
  ARIA_MM(a, b, c, d);
}
// Round function FE, in place on the four state words: S-box layer 2
// followed by mixing / permutation / mixing. Unlike ARIA_FO, the permutation
// receives the words rotated by two, so the untouched slot is t[2] and the
// byte reversal lands on t[1].
inline void ARIA_FE(word32 t[4]) {
  word32 &a = t[0], &b = t[1], &c = t[2], &d = t[3];
  SBL2_M(a, b, c, d);
  ARIA_MM(a, b, c, d);
  ARIA_P(c, d, a, b);
  ARIA_MM(a, b, c, d);
}
// RK = X ^ (Y >>> N), where Y is treated as a 128-bit value made of four
// words. The wrap-around indexing (mod 4) makes this a rotation rather than
// a plain shift. Used by UncheckedSetKey to derive round keys from w0..w3.
//
// Preconditions, satisfied by every instantiation in this file
// (N = 19, 31, 67, 97, 109): N < 128 so the word offset stays in range, and
// N % 32 != 0 so the (32 - R) shift never reaches the full word width.
template <unsigned int N>
inline void ARIA_GSRK(const word32 X[4], const word32 Y[4], word32 RK[4])
{
  // MSVC is not generating a "rotate immediate". Constify to help it along.
  static const unsigned int Q = 4-(N/32);  // word offset of the rotation
  static const unsigned int R = N % 32;    // bit offset within a word

  for (unsigned int i = 0; i < 4; ++i)
  {
    const word32 hi = Y[(Q + i) % 4] >> R;
    const word32 lo = Y[(Q + i + 3) % 4] << (32 - R);
    RK[i] = X[i] ^ hi ^ lo;
  }
}
// Expands the user key into m_rk (17 round keys of four words each) and, for
// the decryption direction, reverses and diffuses them in place so that
// ProcessAndXorBlock can run the same round sequence in both directions.
//
// key/keylen: raw key bytes. 16, 24 and 32 bytes select 12, 14 and 16 rounds.
//   The default branch only asserts; an unsupported length is expected to
//   have been rejected before this is reached (presumably by the caller's
//   key-length validation, which is not visible in this file). If it were
//   not, m_rounds would be 0 and the decryption branch below would write
//   one key before the start of m_rk.
// params: unused.
void ARIA::Base::UncheckedSetKey(const byte *key, unsigned int keylen, const NameValuePairs &params)
{
  CRYPTOPP_UNUSED(params);

  m_rk.New(4*17);  // round keys
  m_w.New(4*24);   // w0, w1, w2, w3, t and u

  // R/r: round count. Q/q: index of the first KRK constant to use; q cycles
  // through the three constants during the expansion, Q is kept for later.
  int Q, q, R, r;

  switch (keylen)
  {
  case 16:
    R = r = m_rounds = 12;
    Q = q = 0;
    break;
  case 32:
    R = r = m_rounds = 16;
    Q = q = 2;
    break;
  case 24:
    R = r = m_rounds = 14;
    Q = q = 1;
    break;
  default:
    Q = q = R = r = m_rounds = 0;
    CRYPTOPP_ASSERT(0);
  }

  // w0-w3 each has room for 4 words (16 bytes). t and u are each 4 words (16 bytes) temp areas.
  // The storage requirements for w0-w3, t and u are 96 bytes or 24 words.
  word32 *w0 = m_w.data(), *w1 = m_w.data()+4, *w2 = m_w.data()+8, *w3 = m_w.data()+12, *t = m_w.data()+16;

  // The first 16 key bytes become w0, read as big-endian words.
  GetBlock<word32, BigEndian, false>block(key);
  block(w0[0])(w0[1])(w0[2])(w0[3]);

  // w1 = FO(w0 ^ KRK[q]) ^ KR, where KR is the remainder of the key (zero
  // padded to 16 bytes).
  t[0]=w0[0]^KRK[q][0]; t[1]=w0[1]^KRK[q][1];
  t[2]=w0[2]^KRK[q][2]; t[3]=w0[3]^KRK[q][3];

  ARIA_FO(t);

  // The same block reader continues past the first 16 key bytes.
  if (keylen == 32)
  {
    block(w1[0])(w1[1])(w1[2])(w1[3]);
  }
  else if (keylen == 24)
  {
    block(w1[0])(w1[1]); w1[2] = w1[3] = 0;
  }
  else
  {
    w1[0]=w1[1]=w1[2]=w1[3]=0;
  }

  w1[0]^=t[0]; w1[1]^=t[1]; w1[2]^=t[2]; w1[3]^=t[3];
  std::memcpy(t, w1, 16);

  // Advance to the next KRK constant (cyclic over 0..2).
  q = (q==2) ? 0 : (q+1);
  t[0]^=KRK[q][0]; t[1]^=KRK[q][1]; t[2]^=KRK[q][2]; t[3]^=KRK[q][3];

  ARIA_FE(t);

  // w2 = FE(w1 ^ KRK[q+1]) ^ w0
  t[0]^=w0[0]; t[1]^=w0[1]; t[2]^=w0[2]; t[3]^=w0[3];
  std::memcpy(w2, t, 16);

  q = (q==2) ? 0 : (q+1);
  t[0]^=KRK[q][0]; t[1]^=KRK[q][1]; t[2]^=KRK[q][2]; t[3]^=KRK[q][3];

  ARIA_FO(t);

  // w3 = FO(w2 ^ KRK[q+2]) ^ w1
  w3[0]=t[0]^w1[0]; w3[1]=t[1]^w1[1]; w3[2]=t[2]^w1[2]; w3[3]=t[3]^w1[3];

  // Encryption round keys: each is one of w0..w3 XORed with a rotated
  // neighbour. Thirteen keys (offsets 0..48) are always produced, enough for
  // 12 rounds plus the final key; 24- and 32-byte keys add two and four more.
  ARIA_GSRK<19>(w0, w1, m_rk +  0);
  ARIA_GSRK<19>(w1, w2, m_rk +  4);
  ARIA_GSRK<19>(w2, w3, m_rk +  8);
  ARIA_GSRK<19>(w3, w0, m_rk + 12);
  ARIA_GSRK<31>(w0, w1, m_rk + 16);
  ARIA_GSRK<31>(w1, w2, m_rk + 20);
  ARIA_GSRK<31>(w2, w3, m_rk + 24);
  ARIA_GSRK<31>(w3, w0, m_rk + 28);
  ARIA_GSRK<67>(w0, w1, m_rk + 32);
  ARIA_GSRK<67>(w1, w2, m_rk + 36);
  ARIA_GSRK<67>(w2, w3, m_rk + 40);
  ARIA_GSRK<67>(w3, w0, m_rk + 44);
  ARIA_GSRK<97>(w0, w1, m_rk + 48);

  if (keylen > 16)
  {
    ARIA_GSRK<97>(w1, w2, m_rk + 52);
    ARIA_GSRK<97>(w2, w3, m_rk + 56);

    if (keylen > 24)
    {
      ARIA_GSRK< 97>(w3, w0, m_rk + 60);
      ARIA_GSRK<109>(w0, w1, m_rk + 64);
    }
  }

  // Decryption operation: reverse the order of the round keys and run every
  // key except the first and last through the diffusion layer
  // (M, MM, P, MM), so decryption can reuse the encryption round structure.
  if (!IsForwardTransformation())
  {
    word32 *a, *z, *s;
    r = R; q = Q;

    // s reuses w0 temp area
    a=m_rk.data(); s=m_w.data()+0; z=a+r*4;
    // The outermost pair (first and last key) is swapped without diffusion.
    std::memcpy(t, a, 16); std::memcpy(a, z, 16); std::memcpy(z, t, 16);

    // Walk inwards from both ends, diffusing each key and swapping the pair.
    a+=4; z-=4;
    for (; a<z; a+=4, z-=4)
    {
      ARIA_M(a[0],t[0]); ARIA_M(a[1],t[1]); ARIA_M(a[2],t[2]); ARIA_M(a[3],t[3]);
      ARIA_MM(t[0],t[1],t[2],t[3]); ARIA_P(t[0],t[1],t[2],t[3]); ARIA_MM(t[0],t[1],t[2],t[3]);
      std::memcpy(s, t, 16);

      ARIA_M(z[0],t[0]); ARIA_M(z[1],t[1]); ARIA_M(z[2],t[2]); ARIA_M(z[3],t[3]);
      ARIA_MM(t[0],t[1],t[2],t[3]); ARIA_P(t[0],t[1],t[2],t[3]); ARIA_MM(t[0],t[1],t[2],t[3]);
      std::memcpy(a, t, 16); std::memcpy(z, s, 16);
    }

    // Middle key: a == z here because every supported round count is even.
    // Diffuse it in place.
    ARIA_M(a[0],t[0]); ARIA_M(a[1],t[1]); ARIA_M(a[2],t[2]); ARIA_M(a[3],t[3]);
    ARIA_MM(t[0],t[1],t[2],t[3]); ARIA_P(t[0],t[1],t[2],t[3]); ARIA_MM(t[0],t[1],t[2],t[3]);
    std::memcpy(z, t, 16);
  }

  // Silence warnings
  CRYPTOPP_UNUSED(Q); CRYPTOPP_UNUSED(R);
  CRYPTOPP_UNUSED(q); CRYPTOPP_UNUSED(r);
}
// Processes one 16-byte block with the round keys prepared by
// UncheckedSetKey: outBlock = ARIA(inBlock), additionally XORed with
// xorBlock when xorBlock is non-null. inBlock and outBlock may be the same
// buffer because the input is fully loaded into t before any output byte is
// written.
//
// NOTE(review): the method is const but uses m_w as scratch space through a
// const_cast, so a single ARIA object must not process blocks from several
// threads concurrently.
void ARIA::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
  // Byte view of the word32 round keys; ARIA_KXL reads them as native words.
  const byte *rk = reinterpret_cast<const byte*>(m_rk.data());
  // Working state lives in m_w (words 16..19), hence the const_cast.
  word32 *t = const_cast<word32*>(m_w.data()+16);

  // Timing attack countermeasure. See comments in Rijndael for more details.
  // We used Yun's 32-bit implementation, so we use words rather than bytes.
  // One word per cache line of S1 is read so the table is (likely) resident
  // before the secret-dependent lookups begin. Only S1 is touched here;
  // whether S2/X1/X2 benefit depends on their placement relative to S1,
  // which this file does not control.
  const int cacheLineSize = GetCacheLineSize();
  unsigned int i;
  // The volatile read keeps u from being folded to a constant, which would
  // let the compiler drop the loop.
  volatile word32 _u = 0;
  word32 u = _u;

  for (i=0; i<COUNTOF(S1); i+=cacheLineSize/(sizeof(S1[0])))
    u |= *(S1+i);
  // t[0] is overwritten by the block load just below; this OR only makes the
  // loop's result observable so it cannot be optimized away.
  t[0] |= u;

  GetBlock<word32, BigEndian>block(inBlock);
  block(t[0])(t[1])(t[2])(t[3]);

  // Extra round pair for 14- and 16-round keys.
  if (m_rounds > 12) {
    rk = ARIA_KXL(rk, t); ARIA_FO(t);
    rk = ARIA_KXL(rk, t); ARIA_FE(t);
  }

  // Second extra round pair, 16-round keys only.
  if (m_rounds > 14) {
    rk = ARIA_KXL(rk, t); ARIA_FO(t);
    rk = ARIA_KXL(rk, t); ARIA_FE(t);
  }

  // The common 12-round tail: five FO/FE pairs, one FO, then the key for the
  // final round. The final round's substitution layer (layer 2, byte-wise)
  // and the last key XOR are fused into the output stage below.
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t); ARIA_FE(t);
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t); ARIA_FE(t);
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t); ARIA_FE(t);
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t); ARIA_FE(t);
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t); ARIA_FE(t);
  rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t);

  // rk now points at the final round key. On little-endian targets the byte
  // view of each native word32 holds its most-significant byte last, so the
  // key bytes are indexed in reverse within every group of four.
#if (CRYPTOPP_LITTLE_ENDIAN)
  if (xorBlock)
  {
    outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)]   ) ^ rk[ 3] ^ xorBlock[ 0];
    outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 2] ^ xorBlock[ 1];
    outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)]   ) ^ rk[ 1] ^ xorBlock[ 2];
    outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)]   ) ^ rk[ 0] ^ xorBlock[ 3];
    outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)]   ) ^ rk[ 7] ^ xorBlock[ 4];
    outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 6] ^ xorBlock[ 5];
    outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)]   ) ^ rk[ 5] ^ xorBlock[ 6];
    outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)]   ) ^ rk[ 4] ^ xorBlock[ 7];
    outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)]   ) ^ rk[11] ^ xorBlock[ 8];
    outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[10] ^ xorBlock[ 9];
    outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)]   ) ^ rk[ 9] ^ xorBlock[10];
    outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)]   ) ^ rk[ 8] ^ xorBlock[11];
    outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)]   ) ^ rk[15] ^ xorBlock[12];
    outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[14] ^ xorBlock[13];
    outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)]   ) ^ rk[13] ^ xorBlock[14];
    outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)]   ) ^ rk[12] ^ xorBlock[15];
  }
  else
  {
    outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)]   ) ^ rk[ 3];
    outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 2];
    outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)]   ) ^ rk[ 1];
    outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)]   ) ^ rk[ 0];
    outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)]   ) ^ rk[ 7];
    outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 6];
    outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)]   ) ^ rk[ 5];
    outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)]   ) ^ rk[ 4];
    outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)]   ) ^ rk[11];
    outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[10];
    outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)]   ) ^ rk[ 9];
    outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)]   ) ^ rk[ 8];
    outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)]   ) ^ rk[15];
    outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[14];
    outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)]   ) ^ rk[13];
    outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)]   ) ^ rk[12];
  }
#else
  // Big-endian: the byte view of each word is already in output order.
  if (xorBlock)
  {
    outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)]   ) ^ rk[ 0] ^ xorBlock[ 0];
    outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 1] ^ xorBlock[ 1];
    outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)]   ) ^ rk[ 2] ^ xorBlock[ 2];
    outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)]   ) ^ rk[ 3] ^ xorBlock[ 3];
    outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)]   ) ^ rk[ 4] ^ xorBlock[ 4];
    outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 5] ^ xorBlock[ 5];
    outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)]   ) ^ rk[ 6] ^ xorBlock[ 6];
    outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)]   ) ^ rk[ 7] ^ xorBlock[ 7];
    outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)]   ) ^ rk[ 8] ^ xorBlock[ 8];
    outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[ 9] ^ xorBlock[ 9];
    outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)]   ) ^ rk[10] ^ xorBlock[10];
    outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)]   ) ^ rk[11] ^ xorBlock[11];
    outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)]   ) ^ rk[12] ^ xorBlock[12];
    outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[13] ^ xorBlock[13];
    outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)]   ) ^ rk[14] ^ xorBlock[14];
    outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)]   ) ^ rk[15] ^ xorBlock[15];
  }
  else
  {
    outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)]   ) ^ rk[ 0];
    outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 1];
    outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)]   ) ^ rk[ 2];
    outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)]   ) ^ rk[ 3];
    outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)]   ) ^ rk[ 4];
    outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 5];
    outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)]   ) ^ rk[ 6];
    outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)]   ) ^ rk[ 7];
    outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)]   ) ^ rk[ 8];
    outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[ 9];
    outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)]   ) ^ rk[10];
    outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)]   ) ^ rk[11];
    outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)]   ) ^ rk[12];
    outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[13];
    outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)]   ) ^ rk[14];
    outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)]   ) ^ rk[15];
  }
#endif  // CRYPTOPP_LITTLE_ENDIAN
}
NAMESPACE_END