- aes encryption working but code not cleaned
[strongswan.git] / Source / charon / transforms / crypters / aes_cbc_crypter.c
1 /**
2 * @file aes_cbc_crypter.c
3 *
4 * @brief Implementation of aes_cbc_crypter_t
5 *
6 */
7
8 /*
9 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "aes_cbc_crypter.h"
25
26 #include <utils/allocator.h>
27
28
29 /*
30 * The number of key schedule words for different block and key lengths
31 * allowing for method of computation which requires the length to be a
32 * multiple of the key length. This version of AES implementation supports
33 * all three keylengths 16, 24 and 32 bytes!
34 *
35 * Nk = 4 6 8
36 * -------------
37 * Nb = 4 | 60 60 64
38 * 6 | 96 90 96
39 * 8 | 120 120 120
40 */
41 #define AES_KS_LENGTH 120
42 #define AES_RC_LENGTH 29
43
44 typedef struct private_aes_cbc_crypter_t private_aes_cbc_crypter_t;
45
46 /**
47 * @brief Class implementing the AES symmetric encryption algorithm.
48 *
49 * @ingroup crypters
50 */
51 struct private_aes_cbc_crypter_t {
52
53 /**
54 * Public part of this class.
55 */
56 aes_cbc_crypter_t public;
57
58 /**
59 * Number of words in the key input block.
60 */
61 u_int32_t aes_Nkey;
62
63 /**
64 * The number of cipher rounds.
65 */
66 u_int32_t aes_Nrnd;
67
68 /**
69 * The encryption key schedule.
70 */
71 u_int32_t aes_e_key[AES_KS_LENGTH];
72 /**
73 * The decryption key schedule.
74 */
75 u_int32_t aes_d_key[AES_KS_LENGTH];
76
77 /**
78 * the number of columns in the cipher state
79 */
80 u_int32_t aes_Ncol;
81
82 /**
83 * Blocksize of this AES cypher object
84 */
85 u_int32_t blocksize;
86
87
88 };
89
90
91 /* ugly macro stuff */
92 /*******************************/
93
94 // CONFIGURATION OPTIONS (see also aes.h)
95 //
96 // 1. Define UNROLL for full loop unrolling in encryption and decryption.
97 // 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
98 // 3. Define FIXED_TABLES for compiled rather than dynamic tables.
99 // 4. Define FF_TABLES to use tables for field multiplies and inverses.
100 // Do not enable this without understanding stack space requirements.
101 // 5. Define ARRAYS to use arrays to hold the local state block. If this
102 // is not defined, individually declared 32-bit words are used.
103 // 6. Define FAST_VARIABLE if a high speed variable block implementation
104 // is needed (essentially three separate fixed block size code sequences)
105 // 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
106 // version using 1 table (2 kbytes of table space) or 4 tables (8
107 // kbytes of table space) for higher speed.
108 // 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
109 // increase by using tables for the last rounds but with more table
110 // space (2 or 8 kbytes extra).
111 // 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
112 // slower version is provided.
113 // 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
114 // or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
115
116 #define UNROLL
117 //#define PARTIAL_UNROLL
118
119 #define FIXED_TABLES
120 //#define FF_TABLES
121 //#define ARRAYS
122 #define FAST_VARIABLE
123
124 //#define ONE_TABLE
125 #define FOUR_TABLES
126
127 //#define ONE_LR_TABLE
128 #define FOUR_LR_TABLES
129
130 //#define ONE_IM_TABLE
131 #define FOUR_IM_TABLES
132
133 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
134 #error both UNROLL and PARTIAL_UNROLL are defined
135 #endif
136
137 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
138 #error both ONE_TABLE and FOUR_TABLES are defined
139 #endif
140
141 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
142 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
143 #endif
144
145 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
146 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
147 #endif
148
149 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
150 #error an illegal block size has been specified
151 #endif
152
153 // upr(x,n): rotates bytes within words by n positions, moving bytes
154 // to higher index positions with wrap around into low positions
155 // ups(x,n): moves bytes by n positions to higher index positions in
156 // words but without wrap around
157 // bval(x,n): extracts a byte from a word
158
159 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
160 #define ups(x,n) ((x) << 8 * (n))
161 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
162 #define bytes2word(b0, b1, b2, b3) \
163 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
164
165
166 /* little endian processor without data alignment restrictions: AES_LE_OK */
167 /* original code: i386 */
168 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
169 #define AES_LE_OK 1
170 /* added (tested): alpha --jjo */
171 #elif defined(__alpha__)|| defined (__alpha)
172 #define AES_LE_OK 1
173 /* added (tested): ia64 --jjo */
174 #elif defined(__ia64__)|| defined (__ia64)
175 #define AES_LE_OK 1
176 #endif
177
178 #ifdef AES_LE_OK
179 /* little endian processor without data alignment restrictions */
180 #define word_in(x) *(u_int32_t*)(x)
181 #define const_word_in(x) *(const u_int32_t*)(x)
182 #define word_out(x,v) *(u_int32_t*)(x) = (v)
183 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
184 #else
185 /* slower but generic big endian or with data alignment restrictions */
186 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
187 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
188 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
189 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
190 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
191 #endif
192
193 // Disable at least some poor combinations of options
194
195 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
196 #define FIXED_TABLES
197 #undef UNROLL
198 #undef ONE_LR_TABLE
199 #undef FOUR_LR_TABLES
200 #undef ONE_IM_TABLE
201 #undef FOUR_IM_TABLES
202 #elif !defined(FOUR_TABLES)
203 #ifdef FOUR_LR_TABLES
204 #undef FOUR_LR_TABLES
205 #define ONE_LR_TABLE
206 #endif
207 #ifdef FOUR_IM_TABLES
208 #undef FOUR_IM_TABLES
209 #define ONE_IM_TABLE
210 #endif
211 #elif !defined(AES_BLOCK_SIZE)
212 #if defined(UNROLL)
213 #define PARTIAL_UNROLL
214 #undef UNROLL
215 #endif
216 #endif
217
218 // the finite field modular polynomial and elements
219
220 #define ff_poly 0x011b
221 #define ff_hi 0x80
222
223 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
224
225 #define m1 0x80808080
226 #define m2 0x7f7f7f7f
227 #define m3 0x0000001b
228 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
229
230 // The following defines provide alternative definitions of FFmulX that might
231 // give improved performance if a fast 32-bit multiply is not available. Note
232 // that a temporary variable u needs to be defined where FFmulX is used.
233
234 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
235 // #define m4 0x1b1b1b1b
236 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
237
238 // perform column mix operation on four bytes in parallel
239
240 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
241
242 #if defined(FIXED_TABLES)
243
244 // the S-Box table
245
246 static const unsigned char s_box[256] =
247 {
248 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
249 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
250 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
251 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
252 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
253 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
254 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
255 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
256 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
257 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
258 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
259 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
260 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
261 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
262 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
263 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
264 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
265 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
266 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
267 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
268 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
269 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
270 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
271 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
272 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
273 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
274 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
275 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
276 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
277 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
278 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
279 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
280 };
281
282 // the inverse S-Box table
283
284 static const unsigned char inv_s_box[256] =
285 {
286 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
287 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
288 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
289 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
290 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
291 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
292 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
293 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
294 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
295 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
296 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
297 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
298 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
299 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
300 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
301 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
302 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
303 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
304 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
305 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
306 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
307 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
308 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
309 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
310 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
311 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
312 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
313 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
314 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
315 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
316 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
317 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
318 };
319
320 #define w0(p) 0x000000##p
321
322 // Number of elements required in this table for different
323 // block and key lengths is:
324 //
325 // Nk = 4 6 8
326 // ----------
327 // Nb = 4 | 10 8 7
328 // 6 | 19 12 11
329 // 8 | 29 19 14
330 //
331 // this table can be a table of bytes if the key schedule
332 // code is adjusted accordingly
333
334 static const u_int32_t rcon_tab[29] =
335 {
336 w0(01), w0(02), w0(04), w0(08),
337 w0(10), w0(20), w0(40), w0(80),
338 w0(1b), w0(36), w0(6c), w0(d8),
339 w0(ab), w0(4d), w0(9a), w0(2f),
340 w0(5e), w0(bc), w0(63), w0(c6),
341 w0(97), w0(35), w0(6a), w0(d4),
342 w0(b3), w0(7d), w0(fa), w0(ef),
343 w0(c5)
344 };
345
346 #undef w0
347
348 #define r0(p,q,r,s) 0x##p##q##r##s
349 #define r1(p,q,r,s) 0x##q##r##s##p
350 #define r2(p,q,r,s) 0x##r##s##p##q
351 #define r3(p,q,r,s) 0x##s##p##q##r
352 #define w0(p) 0x000000##p
353 #define w1(p) 0x0000##p##00
354 #define w2(p) 0x00##p##0000
355 #define w3(p) 0x##p##000000
356
357 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
358
359 // data for forward tables (other than last round)
360
361 #define f_table \
362 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
363 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
364 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
365 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
366 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
367 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
368 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
369 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
370 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
371 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
372 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
373 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
374 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
375 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
376 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
377 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
378 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
379 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
380 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
381 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
382 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
383 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
384 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
385 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
386 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
387 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
388 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
389 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
390 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
391 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
392 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
393 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
394 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
395 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
396 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
397 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
398 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
399 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
400 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
401 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
402 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
403 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
404 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
405 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
406 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
407 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
408 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
409 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
410 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
411 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
412 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
413 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
414 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
415 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
416 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
417 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
418 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
419 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
420 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
421 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
422 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
423 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
424 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
425 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
426
427 // data for inverse tables (other than last round)
428
429 #define i_table \
430 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
431 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
432 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
433 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
434 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
435 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
436 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
437 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
438 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
439 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
440 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
441 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
442 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
443 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
444 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
445 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
446 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
447 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
448 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
449 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
450 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
451 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
452 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
453 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
454 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
455 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
456 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
457 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
458 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
459 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
460 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
461 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
462 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
463 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
464 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
465 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
466 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
467 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
468 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
469 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
470 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
471 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
472 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
473 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
474 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
475 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
476 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
477 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
478 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
479 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
480 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
481 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
482 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
483 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
484 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
485 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
486 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
487 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
488 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
489 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
490 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
491 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
492 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
493 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
494
495 // generate the required tables in the desired endian format
496
497 #undef r
498 #define r r0
499
500 #if defined(ONE_TABLE)
501 static const u_int32_t ft_tab[256] =
502 { f_table };
503 #elif defined(FOUR_TABLES)
504 static const u_int32_t ft_tab[4][256] =
505 { { f_table },
506 #undef r
507 #define r r1
508 { f_table },
509 #undef r
510 #define r r2
511 { f_table },
512 #undef r
513 #define r r3
514 { f_table }
515 };
516 #endif
517
518 #undef r
519 #define r r0
520 #if defined(ONE_TABLE)
521 static const u_int32_t it_tab[256] =
522 { i_table };
523 #elif defined(FOUR_TABLES)
524 static const u_int32_t it_tab[4][256] =
525 { { i_table },
526 #undef r
527 #define r r1
528 { i_table },
529 #undef r
530 #define r r2
531 { i_table },
532 #undef r
533 #define r r3
534 { i_table }
535 };
536 #endif
537
538 #endif
539
540 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
541
542 // data for inverse tables (last round)
543
544 #define li_table \
545 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
546 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
547 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
548 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
549 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
550 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
551 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
552 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
553 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
554 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
555 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
556 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
557 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
558 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
559 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
560 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
561 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
562 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
563 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
564 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
565 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
566 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
567 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
568 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
569 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
570 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
571 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
572 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
573 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
574 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
575 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
576 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
577
578 // generate the required tables in the desired endian format
579
580 #undef r
581 #define r(p,q,r,s) w0(q)
582 #if defined(ONE_LR_TABLE)
583 static const u_int32_t fl_tab[256] =
584 { f_table };
585 #elif defined(FOUR_LR_TABLES)
586 static const u_int32_t fl_tab[4][256] =
587 { { f_table },
588 #undef r
589 #define r(p,q,r,s) w1(q)
590 { f_table },
591 #undef r
592 #define r(p,q,r,s) w2(q)
593 { f_table },
594 #undef r
595 #define r(p,q,r,s) w3(q)
596 { f_table }
597 };
598 #endif
599
600 #undef w
601 #define w w0
602 #if defined(ONE_LR_TABLE)
603 static const u_int32_t il_tab[256] =
604 { li_table };
605 #elif defined(FOUR_LR_TABLES)
606 static const u_int32_t il_tab[4][256] =
607 { { li_table },
608 #undef w
609 #define w w1
610 { li_table },
611 #undef w
612 #define w w2
613 { li_table },
614 #undef w
615 #define w w3
616 { li_table }
617 };
618 #endif
619
620 #endif
621
622 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
623
624 #define m_table \
625 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
626 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
627 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
628 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
629 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
630 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
631 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
632 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
633 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
634 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
635 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
636 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
637 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
638 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
639 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
640 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
641 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
642 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
643 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
644 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
645 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
646 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
647 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
648 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
649 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
650 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
651 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
652 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
653 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
654 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
655 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
656 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
657 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
658 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
659 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
660 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
661 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
662 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
663 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
664 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
665 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
666 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
667 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
668 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
669 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
670 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
671 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
672 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
673 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
674 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
675 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
676 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
677 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
678 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
679 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
680 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
681 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
682 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
683 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
684 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
685 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
686 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
687 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
688 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
689
690 #undef r
691 #define r r0
692
693 #if defined(ONE_IM_TABLE)
694 static const u_int32_t im_tab[256] =
695 { m_table };
696 #elif defined(FOUR_IM_TABLES)
697 static const u_int32_t im_tab[4][256] =
698 { { m_table },
699 #undef r
700 #define r r1
701 { m_table },
702 #undef r
703 #define r r2
704 { m_table },
705 #undef r
706 #define r r3
707 { m_table }
708 };
709 #endif
710
711 #endif
712
713 #else
714
715 static int tab_gen = 0;
716
717 static unsigned char s_box[256]; // the S box
718 static unsigned char inv_s_box[256]; // the inverse S box
719 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
720
721 #if defined(ONE_TABLE)
722 static u_int32_t ft_tab[256];
723 static u_int32_t it_tab[256];
724 #elif defined(FOUR_TABLES)
725 static u_int32_t ft_tab[4][256];
726 static u_int32_t it_tab[4][256];
727 #endif
728
729 #if defined(ONE_LR_TABLE)
730 static u_int32_t fl_tab[256];
731 static u_int32_t il_tab[256];
732 #elif defined(FOUR_LR_TABLES)
733 static u_int32_t fl_tab[4][256];
734 static u_int32_t il_tab[4][256];
735 #endif
736
737 #if defined(ONE_IM_TABLE)
738 static u_int32_t im_tab[256];
739 #elif defined(FOUR_IM_TABLES)
740 static u_int32_t im_tab[4][256];
741 #endif
742
743 // Generate the tables for the dynamic table option
744
745 #if !defined(FF_TABLES)
746
747 // It will generally be sensible to use tables to compute finite
748 // field multiplies and inverses but where memory is scarse this
749 // code might sometimes be better.
750
751 // return 2 ^ (n - 1) where n is the bit number of the highest bit
752 // set in x with x in the range 1 < x < 0x00000200. This form is
753 // used so that locals within FFinv can be bytes rather than words
754
755 static unsigned char hibit(const u_int32_t x)
756 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
757
758 r |= (r >> 2);
759 r |= (r >> 4);
760 return (r + 1) >> 1;
761 }
762
763 // return the inverse of the finite field element x
764
765 static unsigned char FFinv(const unsigned char x)
766 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
767
768 if(x < 2) return x;
769
770 for(;;)
771 {
772 if(!n1) return v1;
773
774 while(n2 >= n1)
775 {
776 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
777 }
778
779 if(!n2) return v2;
780
781 while(n1 >= n2)
782 {
783 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
784 }
785 }
786 }
787
788 // define the finite field multiplies required for Rijndael
789
790 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
791 #define FFmul03(x) ((x) ^ FFmul02(x))
792 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
793 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
794 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
795 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
796
797 #else
798
799 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
800
801 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
802 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
803 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
804 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
805 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
806 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
807
808 #endif
809
810 // The forward and inverse affine transformations used in the S-box
811
812 #define fwd_affine(x) \
813 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
814
815 #define inv_affine(x) \
816 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
817
818 static void gen_tabs(void)
819 { u_int32_t i, w;
820
821 #if defined(FF_TABLES)
822
823 unsigned char pow[512], log[256];
824
825 // log and power tables for GF(2^8) finite field with
826 // 0x011b as modular polynomial - the simplest primitive
827 // root is 0x03, used here to generate the tables
828
829 i = 0; w = 1;
830 do
831 {
832 pow[i] = (unsigned char)w;
833 pow[i + 255] = (unsigned char)w;
834 log[w] = (unsigned char)i++;
835 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
836 }
837 while (w != 1);
838
839 #endif
840
841 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
842 {
843 rcon_tab[i] = bytes2word(w, 0, 0, 0);
844 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
845 }
846
847 for(i = 0; i < 256; ++i)
848 { unsigned char b;
849
850 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
851
852 w = bytes2word(b, 0, 0, 0);
853 #if defined(ONE_LR_TABLE)
854 fl_tab[i] = w;
855 #elif defined(FOUR_LR_TABLES)
856 fl_tab[0][i] = w;
857 fl_tab[1][i] = upr(w,1);
858 fl_tab[2][i] = upr(w,2);
859 fl_tab[3][i] = upr(w,3);
860 #endif
861 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
862 #if defined(ONE_TABLE)
863 ft_tab[i] = w;
864 #elif defined(FOUR_TABLES)
865 ft_tab[0][i] = w;
866 ft_tab[1][i] = upr(w,1);
867 ft_tab[2][i] = upr(w,2);
868 ft_tab[3][i] = upr(w,3);
869 #endif
870 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
871
872 w = bytes2word(b, 0, 0, 0);
873 #if defined(ONE_LR_TABLE)
874 il_tab[i] = w;
875 #elif defined(FOUR_LR_TABLES)
876 il_tab[0][i] = w;
877 il_tab[1][i] = upr(w,1);
878 il_tab[2][i] = upr(w,2);
879 il_tab[3][i] = upr(w,3);
880 #endif
881 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
882 #if defined(ONE_TABLE)
883 it_tab[i] = w;
884 #elif defined(FOUR_TABLES)
885 it_tab[0][i] = w;
886 it_tab[1][i] = upr(w,1);
887 it_tab[2][i] = upr(w,2);
888 it_tab[3][i] = upr(w,3);
889 #endif
890 #if defined(ONE_IM_TABLE)
891 im_tab[b] = w;
892 #elif defined(FOUR_IM_TABLES)
893 im_tab[0][b] = w;
894 im_tab[1][b] = upr(w,1);
895 im_tab[2][b] = upr(w,2);
896 im_tab[3][b] = upr(w,3);
897 #endif
898
899 }
900 }
901
902 #endif
903
904 #define no_table(x,box,vf,rf,c) bytes2word( \
905 box[bval(vf(x,0,c),rf(0,c))], \
906 box[bval(vf(x,1,c),rf(1,c))], \
907 box[bval(vf(x,2,c),rf(2,c))], \
908 box[bval(vf(x,3,c),rf(3,c))])
909
910 #define one_table(x,op,tab,vf,rf,c) \
911 ( tab[bval(vf(x,0,c),rf(0,c))] \
912 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
913 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
914 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
915
916 #define four_tables(x,tab,vf,rf,c) \
917 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
918 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
919 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
920 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
921
922 #define vf1(x,r,c) (x)
923 #define rf1(r,c) (r)
924 #define rf2(r,c) ((r-c)&3)
925
926 #if defined(FOUR_LR_TABLES)
927 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
928 #elif defined(ONE_LR_TABLE)
929 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
930 #else
931 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
932 #endif
933
934 #if defined(FOUR_IM_TABLES)
935 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
936 #elif defined(ONE_IM_TABLE)
937 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
938 #else
939 #define inv_mcol(x) \
940 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
941 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
942 #endif
943
944 // Subroutine to set the block size (if variable) in bytes, legal
945 // values being 16, 24 and 32.
946
947 #if defined(AES_BLOCK_SIZE)
948 #define nc (AES_BLOCK_SIZE / 4)
949 #else
950 #define nc (cx->aes_Ncol)
951
952 void aes_set_blk(private_aes_cbc_crypter_t *cx, int n_bytes)
953 {
954 #if !defined(FIXED_TABLES)
955 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
956 #endif
957
958 switch(n_bytes) {
959 case 32: /* bytes */
960 case 256: /* bits */
961 nc = 8;
962 break;
963 case 24: /* bytes */
964 case 192: /* bits */
965 nc = 6;
966 break;
967 case 16: /* bytes */
968 case 128: /* bits */
969 default:
970 nc = 4;
971 break;
972 }
973 }
974
975 #endif
976
977 // Initialise the key schedule from the user supplied key. The key
978 // length is now specified in bytes - 16, 24 or 32 as appropriate.
979 // This corresponds to bit lengths of 128, 192 and 256 bits, and
980 // to Nk values of 4, 6 and 8 respectively.
981
982 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
983 #define cp(t,f) *t++ = *f++
984
985 #if AES_BLOCK_SIZE == 16
986 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
987 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
988 #elif AES_BLOCK_SIZE == 24
989 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
990 cp(d,s); cp(d,s)
991 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
992 mx(d,s); mx(d,s)
993 #elif AES_BLOCK_SIZE == 32
994 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
995 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
996 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
997 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
998 #else
999
1000 #define cpy(d,s) \
1001 switch(nc) \
1002 { case 8: cp(d,s); cp(d,s); \
1003 case 6: cp(d,s); cp(d,s); \
1004 case 4: cp(d,s); cp(d,s); \
1005 cp(d,s); cp(d,s); \
1006 }
1007
1008 #define mix(d,s) \
1009 switch(nc) \
1010 { case 8: mx(d,s); mx(d,s); \
1011 case 6: mx(d,s); mx(d,s); \
1012 case 4: mx(d,s); mx(d,s); \
1013 mx(d,s); mx(d,s); \
1014 }
1015
1016 #endif
1017
1018 void aes_set_key(private_aes_cbc_crypter_t *cx, const unsigned char in_key[], int n_bytes, const int f)
1019 { u_int32_t *kf, *kt, rci;
1020
1021 #if !defined(FIXED_TABLES)
1022 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1023 #endif
1024
1025 switch(n_bytes) {
1026 case 32: /* bytes */
1027 case 256: /* bits */
1028 cx->aes_Nkey = 8;
1029 break;
1030 case 24: /* bytes */
1031 case 192: /* bits */
1032 cx->aes_Nkey = 6;
1033 break;
1034 case 16: /* bytes */
1035 case 128: /* bits */
1036 default:
1037 cx->aes_Nkey = 4;
1038 break;
1039 }
1040
1041 cx->aes_Nrnd = (cx->aes_Nkey > nc ? cx->aes_Nkey : nc) + 6;
1042
1043 cx->aes_e_key[0] = const_word_in(in_key );
1044 cx->aes_e_key[1] = const_word_in(in_key + 4);
1045 cx->aes_e_key[2] = const_word_in(in_key + 8);
1046 cx->aes_e_key[3] = const_word_in(in_key + 12);
1047
1048 kf = cx->aes_e_key;
1049 kt = kf + nc * (cx->aes_Nrnd + 1) - cx->aes_Nkey;
1050 rci = 0;
1051
1052 switch(cx->aes_Nkey)
1053 {
1054 case 4: do
1055 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1056 kf[5] = kf[1] ^ kf[4];
1057 kf[6] = kf[2] ^ kf[5];
1058 kf[7] = kf[3] ^ kf[6];
1059 kf += 4;
1060 }
1061 while(kf < kt);
1062 break;
1063
1064 case 6: cx->aes_e_key[4] = const_word_in(in_key + 16);
1065 cx->aes_e_key[5] = const_word_in(in_key + 20);
1066 do
1067 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1068 kf[ 7] = kf[1] ^ kf[ 6];
1069 kf[ 8] = kf[2] ^ kf[ 7];
1070 kf[ 9] = kf[3] ^ kf[ 8];
1071 kf[10] = kf[4] ^ kf[ 9];
1072 kf[11] = kf[5] ^ kf[10];
1073 kf += 6;
1074 }
1075 while(kf < kt);
1076 break;
1077
1078 case 8: cx->aes_e_key[4] = const_word_in(in_key + 16);
1079 cx->aes_e_key[5] = const_word_in(in_key + 20);
1080 cx->aes_e_key[6] = const_word_in(in_key + 24);
1081 cx->aes_e_key[7] = const_word_in(in_key + 28);
1082 do
1083 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1084 kf[ 9] = kf[1] ^ kf[ 8];
1085 kf[10] = kf[2] ^ kf[ 9];
1086 kf[11] = kf[3] ^ kf[10];
1087 kf[12] = kf[4] ^ ls_box(kf[11],0);
1088 kf[13] = kf[5] ^ kf[12];
1089 kf[14] = kf[6] ^ kf[13];
1090 kf[15] = kf[7] ^ kf[14];
1091 kf += 8;
1092 }
1093 while (kf < kt);
1094 break;
1095 }
1096
1097 if(!f)
1098 { u_int32_t i;
1099
1100 kt = cx->aes_d_key + nc * cx->aes_Nrnd;
1101 kf = cx->aes_e_key;
1102
1103 cpy(kt, kf); kt -= 2 * nc;
1104
1105 for(i = 1; i < cx->aes_Nrnd; ++i)
1106 {
1107 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1108 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1109 u_int32_t f2, f4, f8, f9;
1110 #endif
1111 mix(kt, kf);
1112 #else
1113 cpy(kt, kf);
1114 #endif
1115 kt -= 2 * nc;
1116 }
1117
1118 cpy(kt, kf);
1119 }
1120 }
1121
1122 // y = output word, x = input word, r = row, c = column
1123 // for r = 0, 1, 2 and 3 = column accessed for row r
1124
1125 #if defined(ARRAYS)
1126 #define s(x,c) x[c]
1127 #else
1128 #define s(x,c) x##c
1129 #endif
1130
1131 // I am grateful to Frank Yellin for the following constructions
1132 // which, given the column (c) of the output state variable that
1133 // is being computed, return the input state variables which are
1134 // needed for each row (r) of the state
1135
1136 // For the fixed block size options, compilers reduce these two
1137 // expressions to fixed variable references. For variable block
1138 // size code conditional clauses will sometimes be returned
1139
1140 #define unused 77 // Sunset Strip
1141
1142 #define fwd_var(x,r,c) \
1143 ( r==0 ? \
1144 ( c==0 ? s(x,0) \
1145 : c==1 ? s(x,1) \
1146 : c==2 ? s(x,2) \
1147 : c==3 ? s(x,3) \
1148 : c==4 ? s(x,4) \
1149 : c==5 ? s(x,5) \
1150 : c==6 ? s(x,6) \
1151 : s(x,7)) \
1152 : r==1 ? \
1153 ( c==0 ? s(x,1) \
1154 : c==1 ? s(x,2) \
1155 : c==2 ? s(x,3) \
1156 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1157 : c==4 ? s(x,5) \
1158 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1159 : c==6 ? s(x,7) \
1160 : s(x,0)) \
1161 : r==2 ? \
1162 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1163 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1164 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1165 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1166 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1167 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1168 : c==6 ? s(x,1) \
1169 : s(x,2)) \
1170 : \
1171 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1172 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1173 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1174 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1175 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1176 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1177 : c==6 ? s(x,2) \
1178 : s(x,3)))
1179
1180 #define inv_var(x,r,c) \
1181 ( r==0 ? \
1182 ( c==0 ? s(x,0) \
1183 : c==1 ? s(x,1) \
1184 : c==2 ? s(x,2) \
1185 : c==3 ? s(x,3) \
1186 : c==4 ? s(x,4) \
1187 : c==5 ? s(x,5) \
1188 : c==6 ? s(x,6) \
1189 : s(x,7)) \
1190 : r==1 ? \
1191 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1192 : c==1 ? s(x,0) \
1193 : c==2 ? s(x,1) \
1194 : c==3 ? s(x,2) \
1195 : c==4 ? s(x,3) \
1196 : c==5 ? s(x,4) \
1197 : c==6 ? s(x,5) \
1198 : s(x,6)) \
1199 : r==2 ? \
1200 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1201 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1202 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1203 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1204 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1205 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1206 : c==6 ? s(x,3) \
1207 : s(x,4)) \
1208 : \
1209 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1210 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1211 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1212 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1213 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1214 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1215 : c==6 ? s(x,2) \
1216 : s(x,3)))
1217
1218 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1219 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1220
1221 #if defined(FOUR_TABLES)
1222 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1223 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1224 #elif defined(ONE_TABLE)
1225 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1226 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1227 #else
1228 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1229 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1230 #endif
1231
1232 #if defined(FOUR_LR_TABLES)
1233 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1234 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1235 #elif defined(ONE_LR_TABLE)
1236 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1237 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1238 #else
1239 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1240 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1241 #endif
1242
1243 #if AES_BLOCK_SIZE == 16
1244
1245 #if defined(ARRAYS)
1246 #define locals(y,x) x[4],y[4]
1247 #else
1248 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1249 // the following defines prevent the compiler requiring the declaration
1250 // of generated but unused variables in the fwd_var and inv_var macros
1251 #define b04 unused
1252 #define b05 unused
1253 #define b06 unused
1254 #define b07 unused
1255 #define b14 unused
1256 #define b15 unused
1257 #define b16 unused
1258 #define b17 unused
1259 #endif
1260 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1261 s(y,2) = s(x,2); s(y,3) = s(x,3);
1262 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1263 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1264 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1265
1266 #elif AES_BLOCK_SIZE == 24
1267
1268 #if defined(ARRAYS)
1269 #define locals(y,x) x[6],y[6]
1270 #else
1271 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1272 y##0,y##1,y##2,y##3,y##4,y##5
1273 #define b06 unused
1274 #define b07 unused
1275 #define b16 unused
1276 #define b17 unused
1277 #endif
1278 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1279 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1280 s(y,4) = s(x,4); s(y,5) = s(x,5);
1281 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1282 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1283 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1284 so(y,x,3); so(y,x,4); so(y,x,5)
1285 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1286 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1287 #else
1288
1289 #if defined(ARRAYS)
1290 #define locals(y,x) x[8],y[8]
1291 #else
1292 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1293 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1294 #endif
1295 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1296 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1297 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1298 s(y,6) = s(x,6); s(y,7) = s(x,7);
1299
1300 #if AES_BLOCK_SIZE == 32
1301
1302 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1303 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1304 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1305 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1306 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1307 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1308 #else
1309
1310 #define state_in(y,x,k) \
1311 switch(nc) \
1312 { case 8: si(y,x,k,7); si(y,x,k,6); \
1313 case 6: si(y,x,k,5); si(y,x,k,4); \
1314 case 4: si(y,x,k,3); si(y,x,k,2); \
1315 si(y,x,k,1); si(y,x,k,0); \
1316 }
1317
1318 #define state_out(y,x) \
1319 switch(nc) \
1320 { case 8: so(y,x,7); so(y,x,6); \
1321 case 6: so(y,x,5); so(y,x,4); \
1322 case 4: so(y,x,3); so(y,x,2); \
1323 so(y,x,1); so(y,x,0); \
1324 }
1325
1326 #if defined(FAST_VARIABLE)
1327
1328 #define round(rm,y,x,k) \
1329 switch(nc) \
1330 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1331 rm(y,x,k,5); rm(y,x,k,4); \
1332 rm(y,x,k,3); rm(y,x,k,2); \
1333 rm(y,x,k,1); rm(y,x,k,0); \
1334 break; \
1335 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1336 rm(y,x,k,3); rm(y,x,k,2); \
1337 rm(y,x,k,1); rm(y,x,k,0); \
1338 break; \
1339 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1340 rm(y,x,k,1); rm(y,x,k,0); \
1341 break; \
1342 }
1343 #else
1344
1345 #define round(rm,y,x,k) \
1346 switch(nc) \
1347 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1348 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1349 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1350 rm(y,x,k,1); rm(y,x,k,0); \
1351 }
1352
1353 #endif
1354
1355 #endif
1356 #endif
1357
1358 void aes_encrypt(const private_aes_cbc_crypter_t *cx, const unsigned char in_blk[], unsigned char out_blk[])
1359 { u_int32_t locals(b0, b1);
1360 const u_int32_t *kp = cx->aes_e_key;
1361
1362 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1363 u_int32_t f2;
1364 #endif
1365
1366 state_in(b0, in_blk, kp); kp += nc;
1367
1368 #if defined(UNROLL)
1369
1370 switch(cx->aes_Nrnd)
1371 {
1372 case 14: round(fwd_rnd, b1, b0, kp );
1373 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1374 case 12: round(fwd_rnd, b1, b0, kp );
1375 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1376 case 10: round(fwd_rnd, b1, b0, kp );
1377 round(fwd_rnd, b0, b1, kp + nc);
1378 round(fwd_rnd, b1, b0, kp + 2 * nc);
1379 round(fwd_rnd, b0, b1, kp + 3 * nc);
1380 round(fwd_rnd, b1, b0, kp + 4 * nc);
1381 round(fwd_rnd, b0, b1, kp + 5 * nc);
1382 round(fwd_rnd, b1, b0, kp + 6 * nc);
1383 round(fwd_rnd, b0, b1, kp + 7 * nc);
1384 round(fwd_rnd, b1, b0, kp + 8 * nc);
1385 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1386 }
1387
1388 #elif defined(PARTIAL_UNROLL)
1389 { u_int32_t rnd;
1390
1391 for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
1392 {
1393 round(fwd_rnd, b1, b0, kp);
1394 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1395 }
1396
1397 round(fwd_rnd, b1, b0, kp);
1398 round(fwd_lrnd, b0, b1, kp + nc);
1399 }
1400 #else
1401 { u_int32_t rnd;
1402
1403 for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
1404 {
1405 round(fwd_rnd, b1, b0, kp);
1406 l_copy(b0, b1); kp += nc;
1407 }
1408
1409 round(fwd_lrnd, b0, b1, kp);
1410 }
1411 #endif
1412
1413 state_out(out_blk, b0);
1414 }
1415
1416 void aes_decrypt(const private_aes_cbc_crypter_t *cx, const unsigned char in_blk[], unsigned char out_blk[])
1417 { u_int32_t locals(b0, b1);
1418 const u_int32_t *kp = cx->aes_d_key;
1419
1420 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1421 u_int32_t f2, f4, f8, f9;
1422 #endif
1423
1424 state_in(b0, in_blk, kp); kp += nc;
1425
1426 #if defined(UNROLL)
1427
1428 switch(cx->aes_Nrnd)
1429 {
1430 case 14: round(inv_rnd, b1, b0, kp );
1431 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1432 case 12: round(inv_rnd, b1, b0, kp );
1433 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1434 case 10: round(inv_rnd, b1, b0, kp );
1435 round(inv_rnd, b0, b1, kp + nc);
1436 round(inv_rnd, b1, b0, kp + 2 * nc);
1437 round(inv_rnd, b0, b1, kp + 3 * nc);
1438 round(inv_rnd, b1, b0, kp + 4 * nc);
1439 round(inv_rnd, b0, b1, kp + 5 * nc);
1440 round(inv_rnd, b1, b0, kp + 6 * nc);
1441 round(inv_rnd, b0, b1, kp + 7 * nc);
1442 round(inv_rnd, b1, b0, kp + 8 * nc);
1443 round(inv_lrnd, b0, b1, kp + 9 * nc);
1444 }
1445
1446 #elif defined(PARTIAL_UNROLL)
1447 { u_int32_t rnd;
1448
1449 for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
1450 {
1451 round(inv_rnd, b1, b0, kp);
1452 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1453 }
1454
1455 round(inv_rnd, b1, b0, kp);
1456 round(inv_lrnd, b0, b1, kp + nc);
1457 }
1458 #else
1459 { u_int32_t rnd;
1460
1461 for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
1462 {
1463 round(inv_rnd, b1, b0, kp);
1464 l_copy(b0, b1); kp += nc;
1465 }
1466
1467 round(inv_lrnd, b0, b1, kp);
1468 }
1469 #endif
1470
1471 state_out(out_blk, b0);
1472 }
1473
1474
1475
1476 /* *************************/
1477
1478
1479 /**
1480 * Implementation of crypter_t.decrypt.
1481 */
1482 static status_t decrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
1483 {
1484 int ret, pos;
1485 const u_int32_t *iv_i;
1486 u_int8_t *in, *out;
1487
1488 ret = data.len;
1489 if (((data.len) % 16) != 0)
1490 {
1491 /* data length must be padded to a multiple of blocksize */
1492 return INVALID_ARG;
1493 }
1494
1495 decrypted->ptr = allocator_alloc(data.len);
1496 if (decrypted->ptr == NULL)
1497 {
1498 return OUT_OF_RES;
1499 }
1500 decrypted->len = data.len;
1501
1502 in = data.ptr;
1503 out = decrypted->ptr;
1504
1505 pos=data.len-16;
1506 in+=pos;
1507 out+=pos;
1508 while(pos>=0) {
1509 aes_decrypt(this,in,out);
1510 if (pos==0)
1511 iv_i=(const u_int32_t*) (iv.ptr);
1512 else
1513 iv_i=(const u_int32_t*) (in-16);
1514 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1515 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1516 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1517 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1518 in-=16;
1519 out-=16;
1520 pos-=16;
1521 }
1522
1523 return SUCCESS;
1524 }
1525
1526
1527 /**
1528 * Implementation of crypter_t.decrypt.
1529 */
1530 static status_t encrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
1531 {
1532 int ret, pos;
1533 const u_int32_t *iv_i;
1534 u_int8_t *in, *out;
1535
1536 ret = data.len;
1537 if (((data.len) % 16) != 0)
1538 {
1539 /* data length must be padded to a multiple of blocksize */
1540 return INVALID_ARG;
1541 }
1542
1543 encrypted->ptr = allocator_alloc(data.len);
1544 if (encrypted->ptr == NULL)
1545 {
1546 return OUT_OF_RES;
1547 }
1548 encrypted->len = data.len;
1549
1550 in = data.ptr;
1551 out = encrypted->ptr;
1552
1553 pos=0;
1554 while(pos<data.len)
1555 {
1556 if (pos==0)
1557 iv_i=(const u_int32_t*) iv.ptr;
1558 else
1559 iv_i=(const u_int32_t*) (out-16);
1560 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1561 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1562 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1563 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1564 aes_encrypt(this,out,out);
1565 in+=16;
1566 out+=16;
1567 pos+=16;
1568 }
1569 return SUCCESS;
1570 }
1571
1572 /**
1573 * Implementation of crypter_t.get_block_size.
1574 */
1575 static size_t get_block_size (private_aes_cbc_crypter_t *this)
1576 {
1577 return this->blocksize;
1578 }
1579
1580 /**
1581 * Implementation of crypter_t.set_key.
1582 */
1583 static status_t set_key (private_aes_cbc_crypter_t *this, chunk_t key)
1584 {
1585 aes_set_key(this, key.ptr, key.len,0);
1586 return SUCCESS;
1587 }
1588
1589 /**
1590 * Implementation of crypter_t.destroy and aes_cbc_crypter_t.destroy.
1591 */
1592 static status_t destroy (private_aes_cbc_crypter_t *this)
1593 {
1594 allocator_free(this);
1595 return SUCCESS;
1596 }
1597
1598
1599 aes_cbc_crypter_t *aes_cbc_crypter_create(size_t blocksize)
1600 {
1601 private_aes_cbc_crypter_t *this = allocator_alloc_thing(private_aes_cbc_crypter_t);
1602 if (this == NULL)
1603 {
1604 return NULL;
1605 }
1606 #if !defined(FIXED_TABLES)
1607 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1608 #endif
1609
1610 switch(blocksize) {
1611 case 32: /* bytes */
1612 this->aes_Ncol = 8;
1613 this->blocksize = blocksize;
1614 break;
1615 case 24: /* bytes */
1616 this->aes_Ncol = 6;
1617 this->blocksize = blocksize;
1618 break;
1619 case 16: /* bytes */
1620 default:
1621 this->aes_Ncol = 4;
1622 this->blocksize = 16;
1623 break;
1624 }
1625
1626
1627 /* functions of crypter_t interface */
1628 this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1629 this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1630 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1631 this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key;
1632 this->public.crypter_interface.destroy = (status_t (*) (crypter_t *)) destroy;
1633
1634 /* public functions */
1635 this->public.destroy = (status_t (*) (aes_cbc_crypter_t *)) destroy;
1636
1637
1638 return &(this->public);
1639 }