

Fix ARIA when XOR'ing final block (GH weidai11#1235)
This is another mystery to me. I do not know why unrolling the XOR into the construction of outBlock fixes this problem.
noloader committed Sep 30, 2023
1 parent 5250ab2 commit dde8e9f
Showing 1 changed file with 72 additions and 36 deletions.
108 changes: 72 additions & 36 deletions aria.cpp
Expand Up @@ -268,48 +268,84 @@ void ARIA::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, b
rk = ARIA_KXL(rk, t); ARIA_FO(t); rk = ARIA_KXL(rk, t);

#if (CRYPTOPP_LITTLE_ENDIAN)
if (xorBlock)
{
outBlock[ 0] = (byte)(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 3];
outBlock[ 1] = (byte)(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 2];
outBlock[ 2] = (byte)(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 1];
outBlock[ 3] = (byte)(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 0];
outBlock[ 4] = (byte)(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 7];
outBlock[ 5] = (byte)(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 6];
outBlock[ 6] = (byte)(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 5];
outBlock[ 7] = (byte)(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 4];
outBlock[ 8] = (byte)(X1[ARIA_BRF(t[2],3)] ) ^ rk[11];
outBlock[ 9] = (byte)(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[10];
outBlock[10] = (byte)(S1[ARIA_BRF(t[2],1)] ) ^ rk[ 9];
outBlock[11] = (byte)(S2[ARIA_BRF(t[2],0)] ) ^ rk[ 8];
outBlock[12] = (byte)(X1[ARIA_BRF(t[3],3)] ) ^ rk[15];
outBlock[13] = (byte)(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[14];
outBlock[14] = (byte)(S1[ARIA_BRF(t[3],1)] ) ^ rk[13];
outBlock[15] = (byte)(S2[ARIA_BRF(t[3],0)] ) ^ rk[12];
outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 3] ^ xorBlock[ 0];
outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 2] ^ xorBlock[ 1];
outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 1] ^ xorBlock[ 2];
outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 0] ^ xorBlock[ 3];
outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 7] ^ xorBlock[ 4];
outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 6] ^ xorBlock[ 5];
outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 5] ^ xorBlock[ 6];
outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 4] ^ xorBlock[ 7];
outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)] ) ^ rk[11] ^ xorBlock[ 8];
outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[10] ^ xorBlock[ 9];
outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)] ) ^ rk[ 9] ^ xorBlock[10];
outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)] ) ^ rk[ 8] ^ xorBlock[11];
outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)] ) ^ rk[15] ^ xorBlock[12];
outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[14] ^ xorBlock[13];
outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)] ) ^ rk[13] ^ xorBlock[14];
outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)] ) ^ rk[12] ^ xorBlock[15];
}
else
{
outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 3];
outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 2];
outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 1];
outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 0];
outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 7];
outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 6];
outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 5];
outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 4];
outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)] ) ^ rk[11];
outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[10];
outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)] ) ^ rk[ 9];
outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)] ) ^ rk[ 8];
outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)] ) ^ rk[15];
outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[14];
outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)] ) ^ rk[13];
outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)] ) ^ rk[12];
}
#else
if (xorBlock)
{
outBlock[ 0] = (byte)(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 0];
outBlock[ 1] = (byte)(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 1];
outBlock[ 2] = (byte)(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 2];
outBlock[ 3] = (byte)(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 3];
outBlock[ 4] = (byte)(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 4];
outBlock[ 5] = (byte)(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 5];
outBlock[ 6] = (byte)(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 6];
outBlock[ 7] = (byte)(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 7];
outBlock[ 8] = (byte)(X1[ARIA_BRF(t[2],3)] ) ^ rk[ 8];
outBlock[ 9] = (byte)(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[ 9];
outBlock[10] = (byte)(S1[ARIA_BRF(t[2],1)] ) ^ rk[10];
outBlock[11] = (byte)(S2[ARIA_BRF(t[2],0)] ) ^ rk[11];
outBlock[12] = (byte)(X1[ARIA_BRF(t[3],3)] ) ^ rk[12];
outBlock[13] = (byte)(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[13];
outBlock[14] = (byte)(S1[ARIA_BRF(t[3],1)] ) ^ rk[14];
outBlock[15] = (byte)(S2[ARIA_BRF(t[3],0)] ) ^ rk[15];
outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 0] ^ xorBlock[ 0];
outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 1] ^ xorBlock[ 1];
outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 2] ^ xorBlock[ 2];
outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 3] ^ xorBlock[ 3];
outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 4] ^ xorBlock[ 4];
outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 5] ^ xorBlock[ 5];
outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 6] ^ xorBlock[ 6];
outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 7] ^ xorBlock[ 7];
outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)] ) ^ rk[ 8] ^ xorBlock[ 8];
outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[ 9] ^ xorBlock[ 9];
outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)] ) ^ rk[10] ^ xorBlock[10];
outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)] ) ^ rk[11] ^ xorBlock[11];
outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)] ) ^ rk[12] ^ xorBlock[12];
outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[13] ^ xorBlock[13];
outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)] ) ^ rk[14] ^ xorBlock[14];
outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)] ) ^ rk[15] ^ xorBlock[15];
}
else
{
outBlock[ 0] = static_cast<byte>(X1[ARIA_BRF(t[0],3)] ) ^ rk[ 0];
outBlock[ 1] = static_cast<byte>(X2[ARIA_BRF(t[0],2)]>>8) ^ rk[ 1];
outBlock[ 2] = static_cast<byte>(S1[ARIA_BRF(t[0],1)] ) ^ rk[ 2];
outBlock[ 3] = static_cast<byte>(S2[ARIA_BRF(t[0],0)] ) ^ rk[ 3];
outBlock[ 4] = static_cast<byte>(X1[ARIA_BRF(t[1],3)] ) ^ rk[ 4];
outBlock[ 5] = static_cast<byte>(X2[ARIA_BRF(t[1],2)]>>8) ^ rk[ 5];
outBlock[ 6] = static_cast<byte>(S1[ARIA_BRF(t[1],1)] ) ^ rk[ 6];
outBlock[ 7] = static_cast<byte>(S2[ARIA_BRF(t[1],0)] ) ^ rk[ 7];
outBlock[ 8] = static_cast<byte>(X1[ARIA_BRF(t[2],3)] ) ^ rk[ 8];
outBlock[ 9] = static_cast<byte>(X2[ARIA_BRF(t[2],2)]>>8) ^ rk[ 9];
outBlock[10] = static_cast<byte>(S1[ARIA_BRF(t[2],1)] ) ^ rk[10];
outBlock[11] = static_cast<byte>(S2[ARIA_BRF(t[2],0)] ) ^ rk[11];
outBlock[12] = static_cast<byte>(X1[ARIA_BRF(t[3],3)] ) ^ rk[12];
outBlock[13] = static_cast<byte>(X2[ARIA_BRF(t[3],2)]>>8) ^ rk[13];
outBlock[14] = static_cast<byte>(S1[ARIA_BRF(t[3],1)] ) ^ rk[14];
outBlock[15] = static_cast<byte>(S2[ARIA_BRF(t[3],0)] ) ^ rk[15];
}
#endif // CRYPTOPP_LITTLE_ENDIAN

if (xorBlock != NULLPTR)
for (unsigned int n=0; n<ARIA::BLOCKSIZE; ++n)
outBlock[n] ^= xorBlock[n];
}

NAMESPACE_END
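Review bot: The fix is empirical (the description says the cause is unknown), so the hunk should record the one observable difference between the two forms instead of leaving four near-identical 16-line blocks unexplained: each new store reads `xorBlock[i]` before it writes `outBlock[i]`, whereas the removed trailing loop XOR'd `xorBlock` into `outBlock` only after all 16 output bytes had already been written, so the two forms diverge if any caller passes an `xorBlock` that overlaps `outBlock`. I would put above the first `if (xorBlock)` a comment such as `// The XOR is folded into each store so xorBlock[i] is read before outBlock[i] is written; keep this order (GH #1235).` and repeat it in the `#else` branch, since the two are otherwise indistinguishable apart from the rk byte order. A regression test that drives ProcessAndXorBlock with an xorBlock aliasing outBlock, and once with xorBlock == NULLPTR, would pin the behaviour this fix depends on; without it a later de-duplication of these blocks back into a shared write-then-XOR pass can silently reintroduce the problem. The function's signature and the rounds preceding the final ARIA_KXL are outside the hunk.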

