be1c0d27e038b6902b7d7e0898942ec7c44db525
[strongswan.git] / Source / charon / transforms / crypters / aes_cbc_crypter.c
1 /**
2 * @file aes_cbc_crypter.c
3 *
4 * @brief Implementation of aes_cbc_crypter_t
5 *
6 */
7
8 /*
9 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "aes_cbc_crypter.h"
25
26 #include <utils/allocator.h>
27
28
29 /*
30 * The number of key schedule words for different block and key lengths
31 * allowing for method of computation which requires the length to be a
32 * multiple of the key length. This version of AES implementation supports
33 * all three keylengths 16, 24 and 32 bytes!
34 *
35 * Nk = 4 6 8
36 * -------------
37 * Nb = 4 | 60 60 64
38 * 6 | 96 90 96
39 * 8 | 120 120 120
40 */
41 #define AES_KS_LENGTH 120
42 #define AES_RC_LENGTH 29
43
44 typedef struct private_aes_cbc_crypter_t private_aes_cbc_crypter_t;
45
46 /**
47 * @brief Class implementing the AES symmetric encryption algorithm.
48 *
49 * @ingroup crypters
50 */
51 struct private_aes_cbc_crypter_t {
52
53 /**
54 * Public part of this class.
55 */
56 aes_cbc_crypter_t public;
57
58 /**
59 * Number of words in the key input block.
60 */
61 u_int32_t aes_Nkey;
62
63 /**
64 * The number of cipher rounds.
65 */
66 u_int32_t aes_Nrnd;
67
68 /**
69 * The encryption key schedule.
70 */
71 u_int32_t aes_e_key[AES_KS_LENGTH];
72 /**
73 * The decryption key schedule.
74 */
75 u_int32_t aes_d_key[AES_KS_LENGTH];
76
77 /**
78 * the number of columns in the cipher state
79 */
80 u_int32_t aes_Ncol;
81
82 /**
83 * Blocksize of this AES cypher object
84 */
85 u_int32_t blocksize;
86
87
88 /**
89 * @brief Encrypt a chunk of data with blocksize length.
90 *
91 * No memory is allocated in here so caller is responsible to allocate memory.
92 *
93 * @param this calling crypter
94 * @param data data to encrypt
95 * @param [out]encrypted pointer where the encrypted bytes will be written to
96 * @return
97 * - SUCCESS in any case
98 */
99 status_t (*encrypt_block) (private_aes_cbc_crypter_t *this, u_int8_t *data, u_int8_t *encrypted);
100
101 /**
102 * @brief Decrypt a chunk of data with blocksize length.
103 *
104 * No memory is allocated in here so caller is responsible to allocate memory.
105 *
106 * @param this calling crypter
107 * @param data data to decrypt
108 * @param [out]encrypted pointer where the decrypted bytes will be written
109 * @return
110 * - SUCCESS in any case
111 */
112 status_t (*decrypt_block) (private_aes_cbc_crypter_t *this, u_int8_t *data, u_int8_t *decrypted);
113
114 };
115
116
117 /* ugly macro stuff */
118
119 /* CONFIGURATION OPTIONS
120 *
121 * 1. Define UNROLL for full loop unrolling in encryption and decryption.
122 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
123 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
124 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
125 * Do not enable this without understanding stack space requirements.
126 * 5. Define ARRAYS to use arrays to hold the local state block. If this
127 * is not defined, individually declared 32-bit words are used.
128 * 6. Define FAST_VARIABLE if a high speed variable block implementation
129 * is needed (essentially three separate fixed block size code sequences)
130 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
131 * version using 1 table (2 kbytes of table space) or 4 tables (8
132 * kbytes of table space) for higher speed.
133 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
134 * increase by using tables for the last rounds but with more table
135 * space (2 or 8 kbytes extra).
136 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
137 * slower version is provided.
138 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
139 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
140 */
141
142 #define UNROLL
143 //#define PARTIAL_UNROLL
144
145 #define FIXED_TABLES
146 //#define FF_TABLES
147 //#define ARRAYS
148 #define FAST_VARIABLE
149
150 //#define ONE_TABLE
151 #define FOUR_TABLES
152
153 //#define ONE_LR_TABLE
154 #define FOUR_LR_TABLES
155
156 //#define ONE_IM_TABLE
157 #define FOUR_IM_TABLES
158
159 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
160 #error both UNROLL and PARTIAL_UNROLL are defined
161 #endif
162
163 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
164 #error both ONE_TABLE and FOUR_TABLES are defined
165 #endif
166
167 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
168 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
169 #endif
170
171 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
172 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
173 #endif
174
175
176 /**
177 * Rotates bytes within words by n positions, moving bytes
178 * to higher index positions with wrap around into low positions.
179 */
180 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
181
182 /**
183 * Moves bytes by n positions to higher index positions in
184 * words but without wrap around.
185 */
186 #define ups(x,n) ((x) << 8 * (n))
187
188 /**
189 * Extracts a byte from a word.
190 */
191 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
192
193 /**
194 * Creates a word value from 4 byte values.
195 */
196 #define bytes2word(b0, b1, b2, b3) \
197 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
198
199
200 /* little endian processor without data alignment restrictions: AES_LE_OK */
201 /* original code: i386 */
202 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
203 #define AES_LE_OK 1
204 /* added (tested): alpha --jjo */
205 #elif defined(__alpha__)|| defined (__alpha)
206 #define AES_LE_OK 1
207 /* added (tested): ia64 --jjo */
208 #elif defined(__ia64__)|| defined (__ia64)
209 #define AES_LE_OK 1
210 #endif
211
212 #ifdef AES_LE_OK
213 /* little endian processor without data alignment restrictions */
214 #define word_in(x) *(u_int32_t*)(x)
215 #define const_word_in(x) *(const u_int32_t*)(x)
216 #define word_out(x,v) *(u_int32_t*)(x) = (v)
217 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
218 #else
219 /* slower but generic big endian or with data alignment restrictions */
220 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
221 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
222 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
223 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
224 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
225 #endif
226
227 // Disable at least some poor combinations of options
228
229 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
230 #define FIXED_TABLES
231 #undef UNROLL
232 #undef ONE_LR_TABLE
233 #undef FOUR_LR_TABLES
234 #undef ONE_IM_TABLE
235 #undef FOUR_IM_TABLES
236 #elif !defined(FOUR_TABLES)
237 #ifdef FOUR_LR_TABLES
238 #undef FOUR_LR_TABLES
239 #define ONE_LR_TABLE
240 #endif
241 #ifdef FOUR_IM_TABLES
242 #undef FOUR_IM_TABLES
243 #define ONE_IM_TABLE
244 #endif
245 #elif !defined(AES_BLOCK_SIZE)
246 #if defined(UNROLL)
247 #define PARTIAL_UNROLL
248 #undef UNROLL
249 #endif
250 #endif
251
252 /**
253 * The finite field modular polynomial and elements.
254 */
255 #define ff_poly 0x011b
256 #define ff_hi 0x80
257
258
259 /**
260 * Multiply four bytes in GF(2^8) by 'x' {02} in parallel.
261 */
262 #define m1 0x80808080
263 #define m2 0x7f7f7f7f
264 #define m3 0x0000001b
265 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
266
267 /* The following defines provide alternative definitions of FFmulX that might
268 * give improved performance if a fast 32-bit multiply is not available. Note
269 * that a temporary variable u needs to be defined where FFmulX is used.
270
271 * #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
272 * #define m4 0x1b1b1b1b
273 * #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
274 */
275
276 /**
277 * Prform column mix operation on four bytes in parallel.
278 */
279 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
280
281 #if defined(FIXED_TABLES)
282
283 /**
284 * The S-Box table.
285 */
286 static const unsigned char s_box[256] =
287 {
288 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
289 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
290 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
291 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
292 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
293 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
294 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
295 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
296 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
297 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
298 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
299 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
300 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
301 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
302 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
303 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
304 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
305 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
306 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
307 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
308 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
309 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
310 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
311 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
312 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
313 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
314 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
315 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
316 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
317 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
318 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
319 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
320 };
321
322 /**
323 * The inverse S-Box table
324 */
325 static const unsigned char inv_s_box[256] =
326 {
327 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
328 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
329 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
330 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
331 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
332 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
333 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
334 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
335 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
336 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
337 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
338 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
339 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
340 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
341 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
342 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
343 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
344 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
345 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
346 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
347 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
348 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
349 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
350 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
351 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
352 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
353 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
354 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
355 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
356 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
357 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
358 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
359 };
360
361 #define w0(p) 0x000000##p
362
363 /*
364 * Number of elements required in this table for different
365 * block and key lengths is:
366 *
367 * Nk = 4 6 8
368 * ----------
369 * Nb = 4 | 10 8 7
370 * 6 | 19 12 11
371 * 8 | 29 19 14
372 *
373 * this table can be a table of bytes if the key schedule
374 * code is adjusted accordingly
375 */
376
377 static const u_int32_t rcon_tab[29] =
378 {
379 w0(01), w0(02), w0(04), w0(08),
380 w0(10), w0(20), w0(40), w0(80),
381 w0(1b), w0(36), w0(6c), w0(d8),
382 w0(ab), w0(4d), w0(9a), w0(2f),
383 w0(5e), w0(bc), w0(63), w0(c6),
384 w0(97), w0(35), w0(6a), w0(d4),
385 w0(b3), w0(7d), w0(fa), w0(ef),
386 w0(c5)
387 };
388
389 #undef w0
390
391 #define r0(p,q,r,s) 0x##p##q##r##s
392 #define r1(p,q,r,s) 0x##q##r##s##p
393 #define r2(p,q,r,s) 0x##r##s##p##q
394 #define r3(p,q,r,s) 0x##s##p##q##r
395 #define w0(p) 0x000000##p
396 #define w1(p) 0x0000##p##00
397 #define w2(p) 0x00##p##0000
398 #define w3(p) 0x##p##000000
399
400 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
401
402 /**
403 * Data for forward tables (other than last round)
404 */
405 #define f_table \
406 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
407 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
408 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
409 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
410 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
411 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
412 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
413 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
414 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
415 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
416 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
417 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
418 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
419 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
420 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
421 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
422 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
423 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
424 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
425 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
426 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
427 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
428 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
429 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
430 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
431 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
432 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
433 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
434 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
435 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
436 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
437 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
438 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
439 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
440 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
441 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
442 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
443 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
444 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
445 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
446 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
447 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
448 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
449 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
450 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
451 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
452 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
453 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
454 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
455 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
456 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
457 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
458 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
459 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
460 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
461 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
462 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
463 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
464 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
465 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
466 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
467 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
468 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
469 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
470
471 /**
472 * Ddata for inverse tables (other than last round).
473 */
474 #define i_table \
475 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
476 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
477 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
478 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
479 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
480 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
481 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
482 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
483 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
484 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
485 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
486 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
487 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
488 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
489 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
490 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
491 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
492 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
493 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
494 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
495 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
496 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
497 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
498 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
499 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
500 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
501 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
502 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
503 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
504 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
505 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
506 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
507 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
508 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
509 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
510 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
511 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
512 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
513 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
514 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
515 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
516 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
517 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
518 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
519 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
520 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
521 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
522 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
523 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
524 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
525 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
526 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
527 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
528 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
529 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
530 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
531 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
532 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
533 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
534 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
535 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
536 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
537 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
538 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
539
540 /* generate the required tables in the desired endian format */
541
542 #undef r
543 #define r r0
544
545 #if defined(ONE_TABLE)
546 static const u_int32_t ft_tab[256] =
547 { f_table };
548 #elif defined(FOUR_TABLES)
549 static const u_int32_t ft_tab[4][256] =
550 { { f_table },
551 #undef r
552 #define r r1
553 { f_table },
554 #undef r
555 #define r r2
556 { f_table },
557 #undef r
558 #define r r3
559 { f_table }
560 };
561 #endif
562
563 #undef r
564 #define r r0
565 #if defined(ONE_TABLE)
566 static const u_int32_t it_tab[256] =
567 { i_table };
568 #elif defined(FOUR_TABLES)
569 static const u_int32_t it_tab[4][256] =
570 { { i_table },
571 #undef r
572 #define r r1
573 { i_table },
574 #undef r
575 #define r r2
576 { i_table },
577 #undef r
578 #define r r3
579 { i_table }
580 };
581 #endif
582
583 #endif
584
585 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
586
587 /**
588 * Data for inverse tables (last round)
589 */
590 #define li_table \
591 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
592 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
593 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
594 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
595 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
596 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
597 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
598 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
599 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
600 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
601 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
602 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
603 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
604 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
605 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
606 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
607 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
608 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
609 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
610 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
611 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
612 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
613 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
614 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
615 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
616 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
617 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
618 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
619 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
620 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
621 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
622 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
623
624 /* generate the required tables in the desired endian format */
625
626 #undef r
627 #define r(p,q,r,s) w0(q)
628 #if defined(ONE_LR_TABLE)
629 static const u_int32_t fl_tab[256] =
630 { f_table };
631 #elif defined(FOUR_LR_TABLES)
632 static const u_int32_t fl_tab[4][256] =
633 { { f_table },
634 #undef r
635 #define r(p,q,r,s) w1(q)
636 { f_table },
637 #undef r
638 #define r(p,q,r,s) w2(q)
639 { f_table },
640 #undef r
641 #define r(p,q,r,s) w3(q)
642 { f_table }
643 };
644 #endif
645
646 #undef w
647 #define w w0
648 #if defined(ONE_LR_TABLE)
649 static const u_int32_t il_tab[256] =
650 { li_table };
651 #elif defined(FOUR_LR_TABLES)
652 static const u_int32_t il_tab[4][256] =
653 { { li_table },
654 #undef w
655 #define w w1
656 { li_table },
657 #undef w
658 #define w w2
659 { li_table },
660 #undef w
661 #define w w3
662 { li_table }
663 };
664 #endif
665
666 #endif
667
668 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
669
670 #define m_table \
671 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
672 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
673 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
674 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
675 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
676 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
677 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
678 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
679 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
680 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
681 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
682 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
683 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
684 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
685 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
686 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
687 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
688 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
689 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
690 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
691 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
692 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
693 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
694 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
695 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
696 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
697 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
698 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
699 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
700 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
701 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
702 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
703 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
704 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
705 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
706 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
707 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
708 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
709 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
710 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
711 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
712 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
713 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
714 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
715 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
716 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
717 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
718 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
719 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
720 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
721 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
722 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
723 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
724 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
725 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
726 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
727 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
728 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
729 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
730 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
731 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
732 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
733 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
734 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
735
736 #undef r
737 #define r r0
738
739 #if defined(ONE_IM_TABLE)
740 static const u_int32_t im_tab[256] =
741 { m_table };
742 #elif defined(FOUR_IM_TABLES)
743 static const u_int32_t im_tab[4][256] =
744 { { m_table },
745 #undef r
746 #define r r1
747 { m_table },
748 #undef r
749 #define r r2
750 { m_table },
751 #undef r
752 #define r r3
753 { m_table }
754 };
755 #endif
756
757 #endif
758
759 #else
760
761 static int tab_gen = 0;
762
763 /**
764 * The S box
765 */
766 static unsigned char s_box[256];
767
768 /**
769 * The inverse S box
770 */
771 static unsigned char inv_s_box[256];
772
773 /**
774 * Table of round constants.
775 */
776 static u_int32_t rcon_tab[AES_RC_LENGTH];
777
778 #if defined(ONE_TABLE)
779 static u_int32_t ft_tab[256];
780 static u_int32_t it_tab[256];
781 #elif defined(FOUR_TABLES)
782 static u_int32_t ft_tab[4][256];
783 static u_int32_t it_tab[4][256];
784 #endif
785
786 #if defined(ONE_LR_TABLE)
787 static u_int32_t fl_tab[256];
788 static u_int32_t il_tab[256];
789 #elif defined(FOUR_LR_TABLES)
790 static u_int32_t fl_tab[4][256];
791 static u_int32_t il_tab[4][256];
792 #endif
793
794 #if defined(ONE_IM_TABLE)
795 static u_int32_t im_tab[256];
796 #elif defined(FOUR_IM_TABLES)
797 static u_int32_t im_tab[4][256];
798 #endif
799
800 /* Generate the tables for the dynamic table option */
801
802 #if !defined(FF_TABLES)
803
804 /* It will generally be sensible to use tables to compute finite
805 * field multiplies and inverses but where memory is scarse this
806 * code might sometimes be better.
807
808 * return 2 ^ (n - 1) where n is the bit number of the highest bit
809 * set in x with x in the range 1 < x < 0x00000200. This form is
810 * used so that locals within FFinv can be bytes rather than words
811 */
812
813 static unsigned char hibit(const u_int32_t x)
814 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
815
816 r |= (r >> 2);
817 r |= (r >> 4);
818 return (r + 1) >> 1;
819 }
820
821 /* return the inverse of the finite field element x */
822
823 static unsigned char FFinv(const unsigned char x)
824 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
825
826 if(x < 2) return x;
827
828 for(;;)
829 {
830 if(!n1) return v1;
831
832 while(n2 >= n1)
833 {
834 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
835 }
836
837 if(!n2) return v2;
838
839 while(n1 >= n2)
840 {
841 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
842 }
843 }
844 }
845
846 /* define the finite field multiplies required for Rijndael */
847
848 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
849 #define FFmul03(x) ((x) ^ FFmul02(x))
850 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
851 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
852 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
853 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
854
855 #else
856
857 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
858
859 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
860 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
861 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
862 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
863 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
864 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
865
866 #endif
867
868 /* The forward and inverse affine transformations used in the S-box */
869
870 #define fwd_affine(x) \
871 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
872
873 #define inv_affine(x) \
874 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
875
876 static void gen_tabs(void)
877 { u_int32_t i, w;
878
879 #if defined(FF_TABLES)
880
881 unsigned char pow[512], log[256];
882
883 /*
884 * log and power tables for GF(2^8) finite field with
885 * 0x011b as modular polynomial - the simplest primitive
886 * root is 0x03, used here to generate the tables
887 */
888
889 i = 0; w = 1;
890 do
891 {
892 pow[i] = (unsigned char)w;
893 pow[i + 255] = (unsigned char)w;
894 log[w] = (unsigned char)i++;
895 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
896 }
897 while (w != 1);
898
899 #endif
900
901 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
902 {
903 rcon_tab[i] = bytes2word(w, 0, 0, 0);
904 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
905 }
906
907 for(i = 0; i < 256; ++i)
908 { unsigned char b;
909
910 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
911
912 w = bytes2word(b, 0, 0, 0);
913 #if defined(ONE_LR_TABLE)
914 fl_tab[i] = w;
915 #elif defined(FOUR_LR_TABLES)
916 fl_tab[0][i] = w;
917 fl_tab[1][i] = upr(w,1);
918 fl_tab[2][i] = upr(w,2);
919 fl_tab[3][i] = upr(w,3);
920 #endif
921 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
922 #if defined(ONE_TABLE)
923 ft_tab[i] = w;
924 #elif defined(FOUR_TABLES)
925 ft_tab[0][i] = w;
926 ft_tab[1][i] = upr(w,1);
927 ft_tab[2][i] = upr(w,2);
928 ft_tab[3][i] = upr(w,3);
929 #endif
930 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
931
932 w = bytes2word(b, 0, 0, 0);
933 #if defined(ONE_LR_TABLE)
934 il_tab[i] = w;
935 #elif defined(FOUR_LR_TABLES)
936 il_tab[0][i] = w;
937 il_tab[1][i] = upr(w,1);
938 il_tab[2][i] = upr(w,2);
939 il_tab[3][i] = upr(w,3);
940 #endif
941 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
942 #if defined(ONE_TABLE)
943 it_tab[i] = w;
944 #elif defined(FOUR_TABLES)
945 it_tab[0][i] = w;
946 it_tab[1][i] = upr(w,1);
947 it_tab[2][i] = upr(w,2);
948 it_tab[3][i] = upr(w,3);
949 #endif
950 #if defined(ONE_IM_TABLE)
951 im_tab[b] = w;
952 #elif defined(FOUR_IM_TABLES)
953 im_tab[0][b] = w;
954 im_tab[1][b] = upr(w,1);
955 im_tab[2][b] = upr(w,2);
956 im_tab[3][b] = upr(w,3);
957 #endif
958
959 }
960 }
961
962 #endif
963
964 #define no_table(x,box,vf,rf,c) bytes2word( \
965 box[bval(vf(x,0,c),rf(0,c))], \
966 box[bval(vf(x,1,c),rf(1,c))], \
967 box[bval(vf(x,2,c),rf(2,c))], \
968 box[bval(vf(x,3,c),rf(3,c))])
969
970 #define one_table(x,op,tab,vf,rf,c) \
971 ( tab[bval(vf(x,0,c),rf(0,c))] \
972 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
973 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
974 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
975
976 #define four_tables(x,tab,vf,rf,c) \
977 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
978 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
979 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
980 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
981
982 #define vf1(x,r,c) (x)
983 #define rf1(r,c) (r)
984 #define rf2(r,c) ((r-c)&3)
985
986 #if defined(FOUR_LR_TABLES)
987 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
988 #elif defined(ONE_LR_TABLE)
989 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
990 #else
991 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
992 #endif
993
994 #if defined(FOUR_IM_TABLES)
995 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
996 #elif defined(ONE_IM_TABLE)
997 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
998 #else
999 #define inv_mcol(x) \
1000 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
1001 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
1002 #endif
1003
1004 // Initialise the key schedule from the user supplied key. The key
1005 // length is now specified in bytes - 16, 24 or 32 as appropriate.
1006 // This corresponds to bit lengths of 128, 192 and 256 bits, and
1007 // to Nk values of 4, 6 and 8 respectively.
1008
1009 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
1010 #define cp(t,f) *t++ = *f++
1011
1012 #define cpy(d,s) \
1013 switch(this->aes_Ncol) \
1014 { case 8: cp(d,s); cp(d,s); \
1015 case 6: cp(d,s); cp(d,s); \
1016 case 4: cp(d,s); cp(d,s); \
1017 cp(d,s); cp(d,s); \
1018 }
1019
1020 #define mix(d,s) \
1021 switch(this->aes_Ncol) \
1022 { case 8: mx(d,s); mx(d,s); \
1023 case 6: mx(d,s); mx(d,s); \
1024 case 4: mx(d,s); mx(d,s); \
1025 mx(d,s); mx(d,s); \
1026 }
1027
1028 // y = output word, x = input word, r = row, c = column
1029 // for r = 0, 1, 2 and 3 = column accessed for row r
1030
1031 #if defined(ARRAYS)
1032 #define s(x,c) x[c]
1033 #else
1034 #define s(x,c) x##c
1035 #endif
1036
1037 // I am grateful to Frank Yellin for the following constructions
1038 // which, given the column (c) of the output state variable that
1039 // is being computed, return the input state variables which are
1040 // needed for each row (r) of the state
1041
1042 // For the fixed block size options, compilers reduce these two
1043 // expressions to fixed variable referethis->aes_Ncoles. For variable block
1044 // size code conditional clauses will sometimes be returned
1045
1046 #define unused 77 // Sunset Strip
1047
1048 #define fwd_var(x,r,c) \
1049 ( r==0 ? \
1050 ( c==0 ? s(x,0) \
1051 : c==1 ? s(x,1) \
1052 : c==2 ? s(x,2) \
1053 : c==3 ? s(x,3) \
1054 : c==4 ? s(x,4) \
1055 : c==5 ? s(x,5) \
1056 : c==6 ? s(x,6) \
1057 : s(x,7)) \
1058 : r==1 ? \
1059 ( c==0 ? s(x,1) \
1060 : c==1 ? s(x,2) \
1061 : c==2 ? s(x,3) \
1062 : c==3 ? this->aes_Ncol==4 ? s(x,0) : s(x,4) \
1063 : c==4 ? s(x,5) \
1064 : c==5 ? this->aes_Ncol==8 ? s(x,6) : s(x,0) \
1065 : c==6 ? s(x,7) \
1066 : s(x,0)) \
1067 : r==2 ? \
1068 ( c==0 ? this->aes_Ncol==8 ? s(x,3) : s(x,2) \
1069 : c==1 ? this->aes_Ncol==8 ? s(x,4) : s(x,3) \
1070 : c==2 ? this->aes_Ncol==4 ? s(x,0) : this->aes_Ncol==8 ? s(x,5) : s(x,4) \
1071 : c==3 ? this->aes_Ncol==4 ? s(x,1) : this->aes_Ncol==8 ? s(x,6) : s(x,5) \
1072 : c==4 ? this->aes_Ncol==8 ? s(x,7) : s(x,0) \
1073 : c==5 ? this->aes_Ncol==8 ? s(x,0) : s(x,1) \
1074 : c==6 ? s(x,1) \
1075 : s(x,2)) \
1076 : \
1077 ( c==0 ? this->aes_Ncol==8 ? s(x,4) : s(x,3) \
1078 : c==1 ? this->aes_Ncol==4 ? s(x,0) : this->aes_Ncol==8 ? s(x,5) : s(x,4) \
1079 : c==2 ? this->aes_Ncol==4 ? s(x,1) : this->aes_Ncol==8 ? s(x,6) : s(x,5) \
1080 : c==3 ? this->aes_Ncol==4 ? s(x,2) : this->aes_Ncol==8 ? s(x,7) : s(x,0) \
1081 : c==4 ? this->aes_Ncol==8 ? s(x,0) : s(x,1) \
1082 : c==5 ? this->aes_Ncol==8 ? s(x,1) : s(x,2) \
1083 : c==6 ? s(x,2) \
1084 : s(x,3)))
1085
1086 #define inv_var(x,r,c) \
1087 ( r==0 ? \
1088 ( c==0 ? s(x,0) \
1089 : c==1 ? s(x,1) \
1090 : c==2 ? s(x,2) \
1091 : c==3 ? s(x,3) \
1092 : c==4 ? s(x,4) \
1093 : c==5 ? s(x,5) \
1094 : c==6 ? s(x,6) \
1095 : s(x,7)) \
1096 : r==1 ? \
1097 ( c==0 ? this->aes_Ncol==4 ? s(x,3) : this->aes_Ncol==8 ? s(x,7) : s(x,5) \
1098 : c==1 ? s(x,0) \
1099 : c==2 ? s(x,1) \
1100 : c==3 ? s(x,2) \
1101 : c==4 ? s(x,3) \
1102 : c==5 ? s(x,4) \
1103 : c==6 ? s(x,5) \
1104 : s(x,6)) \
1105 : r==2 ? \
1106 ( c==0 ? this->aes_Ncol==4 ? s(x,2) : this->aes_Ncol==8 ? s(x,5) : s(x,4) \
1107 : c==1 ? this->aes_Ncol==4 ? s(x,3) : this->aes_Ncol==8 ? s(x,6) : s(x,5) \
1108 : c==2 ? this->aes_Ncol==8 ? s(x,7) : s(x,0) \
1109 : c==3 ? this->aes_Ncol==8 ? s(x,0) : s(x,1) \
1110 : c==4 ? this->aes_Ncol==8 ? s(x,1) : s(x,2) \
1111 : c==5 ? this->aes_Ncol==8 ? s(x,2) : s(x,3) \
1112 : c==6 ? s(x,3) \
1113 : s(x,4)) \
1114 : \
1115 ( c==0 ? this->aes_Ncol==4 ? s(x,1) : this->aes_Ncol==8 ? s(x,4) : s(x,3) \
1116 : c==1 ? this->aes_Ncol==4 ? s(x,2) : this->aes_Ncol==8 ? s(x,5) : s(x,4) \
1117 : c==2 ? this->aes_Ncol==4 ? s(x,3) : this->aes_Ncol==8 ? s(x,6) : s(x,5) \
1118 : c==3 ? this->aes_Ncol==8 ? s(x,7) : s(x,0) \
1119 : c==4 ? this->aes_Ncol==8 ? s(x,0) : s(x,1) \
1120 : c==5 ? this->aes_Ncol==8 ? s(x,1) : s(x,2) \
1121 : c==6 ? s(x,2) \
1122 : s(x,3)))
1123
1124 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1125 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1126
1127 #if defined(FOUR_TABLES)
1128 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1129 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1130 #elif defined(ONE_TABLE)
1131 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1132 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1133 #else
1134 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1135 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1136 #endif
1137
1138 #if defined(FOUR_LR_TABLES)
1139 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1140 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1141 #elif defined(ONE_LR_TABLE)
1142 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1143 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1144 #else
1145 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1146 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1147 #endif
1148
1149 #if AES_BLOCK_SIZE == 16
1150
1151 #if defined(ARRAYS)
1152 #define locals(y,x) x[4],y[4]
1153 #else
1154 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1155 // the following defines prevent the compiler requiring the declaration
1156 // of generated but unused variables in the fwd_var and inv_var macros
1157 #define b04 unused
1158 #define b05 unused
1159 #define b06 unused
1160 #define b07 unused
1161 #define b14 unused
1162 #define b15 unused
1163 #define b16 unused
1164 #define b17 unused
1165 #endif
1166 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1167 s(y,2) = s(x,2); s(y,3) = s(x,3);
1168 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1169 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1170 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1171
1172 #elif AES_BLOCK_SIZE == 24
1173
1174 #if defined(ARRAYS)
1175 #define locals(y,x) x[6],y[6]
1176 #else
1177 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1178 y##0,y##1,y##2,y##3,y##4,y##5
1179 #define b06 unused
1180 #define b07 unused
1181 #define b16 unused
1182 #define b17 unused
1183 #endif
1184 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1185 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1186 s(y,4) = s(x,4); s(y,5) = s(x,5);
1187 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1188 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1189 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1190 so(y,x,3); so(y,x,4); so(y,x,5)
1191 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1192 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1193 #else
1194
1195 #if defined(ARRAYS)
1196 #define locals(y,x) x[8],y[8]
1197 #else
1198 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1199 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1200 #endif
1201 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1202 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1203 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1204 s(y,6) = s(x,6); s(y,7) = s(x,7);
1205
1206 #if AES_BLOCK_SIZE == 32
1207
1208 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1209 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1210 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1211 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1212 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1213 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1214 #else
1215
1216 #define state_in(y,x,k) \
1217 switch(this->aes_Ncol) \
1218 { case 8: si(y,x,k,7); si(y,x,k,6); \
1219 case 6: si(y,x,k,5); si(y,x,k,4); \
1220 case 4: si(y,x,k,3); si(y,x,k,2); \
1221 si(y,x,k,1); si(y,x,k,0); \
1222 }
1223
1224 #define state_out(y,x) \
1225 switch(this->aes_Ncol) \
1226 { case 8: so(y,x,7); so(y,x,6); \
1227 case 6: so(y,x,5); so(y,x,4); \
1228 case 4: so(y,x,3); so(y,x,2); \
1229 so(y,x,1); so(y,x,0); \
1230 }
1231
1232 #if defined(FAST_VARIABLE)
1233
1234 #define round(rm,y,x,k) \
1235 switch(this->aes_Ncol) \
1236 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1237 rm(y,x,k,5); rm(y,x,k,4); \
1238 rm(y,x,k,3); rm(y,x,k,2); \
1239 rm(y,x,k,1); rm(y,x,k,0); \
1240 break; \
1241 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1242 rm(y,x,k,3); rm(y,x,k,2); \
1243 rm(y,x,k,1); rm(y,x,k,0); \
1244 break; \
1245 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1246 rm(y,x,k,1); rm(y,x,k,0); \
1247 break; \
1248 }
1249 #else
1250
1251 #define round(rm,y,x,k) \
1252 switch(this->aes_Ncol) \
1253 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1254 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1255 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1256 rm(y,x,k,1); rm(y,x,k,0); \
1257 }
1258
1259 #endif
1260
1261 #endif
1262 #endif
1263
1264
1265 /**
1266 * Implementation of private_aes_cbc_crypter_t.encrypt_block.
1267 */
1268 static status_t encrypt_block (private_aes_cbc_crypter_t *this, u_int8_t *data, u_int8_t *encrypted)
1269 {
1270 u_int32_t locals(b0, b1);
1271 const u_int32_t *kp = this->aes_e_key;
1272
1273 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1274 u_int32_t f2;
1275 #endif
1276
1277 /*
1278 * Allocate memory for the encrypted value
1279 */
1280 // encrypted->ptr = allocator_alloc(this->blocksize);
1281 // if (encrypted->ptr == NULL)
1282 // {
1283 // return OUT_OF_RES;
1284 // }
1285 // encrypted->len = this->blocksize;
1286
1287
1288 state_in(b0, data, kp); kp += this->aes_Ncol;
1289
1290 #if defined(UNROLL)
1291
1292 switch(this->aes_Nrnd)
1293 {
1294 case 14: round(fwd_rnd, b1, b0, kp );
1295 round(fwd_rnd, b0, b1, kp + this->aes_Ncol ); kp += 2 * this->aes_Ncol;
1296 case 12: round(fwd_rnd, b1, b0, kp );
1297 round(fwd_rnd, b0, b1, kp + this->aes_Ncol ); kp += 2 * this->aes_Ncol;
1298 case 10: round(fwd_rnd, b1, b0, kp );
1299 round(fwd_rnd, b0, b1, kp + this->aes_Ncol);
1300 round(fwd_rnd, b1, b0, kp + 2 * this->aes_Ncol);
1301 round(fwd_rnd, b0, b1, kp + 3 * this->aes_Ncol);
1302 round(fwd_rnd, b1, b0, kp + 4 * this->aes_Ncol);
1303 round(fwd_rnd, b0, b1, kp + 5 * this->aes_Ncol);
1304 round(fwd_rnd, b1, b0, kp + 6 * this->aes_Ncol);
1305 round(fwd_rnd, b0, b1, kp + 7 * this->aes_Ncol);
1306 round(fwd_rnd, b1, b0, kp + 8 * this->aes_Ncol);
1307 round(fwd_lrnd, b0, b1, kp + 9 * this->aes_Ncol);
1308 }
1309
1310 #elif defined(PARTIAL_UNROLL)
1311 { u_int32_t rnd;
1312
1313 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1314 {
1315 round(fwd_rnd, b1, b0, kp);
1316 round(fwd_rnd, b0, b1, kp + this->aes_Ncol); kp += 2 * this->aes_Ncol;
1317 }
1318
1319 round(fwd_rnd, b1, b0, kp);
1320 round(fwd_lrnd, b0, b1, kp + this->aes_Ncol);
1321 }
1322 #else
1323 { u_int32_t rnd;
1324
1325 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1326 {
1327 round(fwd_rnd, b1, b0, kp);
1328 l_copy(b0, b1); kp += this->aes_Ncol;
1329 }
1330
1331 round(fwd_lrnd, b0, b1, kp);
1332 }
1333 #endif
1334
1335 state_out(encrypted, b0);
1336
1337 return SUCCESS;
1338 }
1339
1340 /**
1341 * Implementation of private_aes_cbc_crypter_t.decrypt_block.
1342 */
1343 static status_t decrypt_block (private_aes_cbc_crypter_t *this, u_int8_t *data, u_int8_t *decrypted)
1344 {
1345 u_int32_t locals(b0, b1);
1346 const u_int32_t *kp = this->aes_d_key;
1347
1348 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1349 u_int32_t f2, f4, f8, f9;
1350 #endif
1351
1352 /*
1353 * Allocate memory for the encrypted value
1354 */
1355 // decrypted->ptr = allocator_alloc(this->blocksize);
1356 // if (decrypted->ptr == NULL)
1357 // {
1358 // return OUT_OF_RES;
1359 // }
1360 // decrypted->len = this->blocksize;
1361
1362
1363 state_in(b0, data, kp); kp += this->aes_Ncol;
1364
1365 #if defined(UNROLL)
1366
1367 switch(this->aes_Nrnd)
1368 {
1369 case 14: round(inv_rnd, b1, b0, kp );
1370 round(inv_rnd, b0, b1, kp + this->aes_Ncol ); kp += 2 * this->aes_Ncol;
1371 case 12: round(inv_rnd, b1, b0, kp );
1372 round(inv_rnd, b0, b1, kp + this->aes_Ncol ); kp += 2 * this->aes_Ncol;
1373 case 10: round(inv_rnd, b1, b0, kp );
1374 round(inv_rnd, b0, b1, kp + this->aes_Ncol);
1375 round(inv_rnd, b1, b0, kp + 2 * this->aes_Ncol);
1376 round(inv_rnd, b0, b1, kp + 3 * this->aes_Ncol);
1377 round(inv_rnd, b1, b0, kp + 4 * this->aes_Ncol);
1378 round(inv_rnd, b0, b1, kp + 5 * this->aes_Ncol);
1379 round(inv_rnd, b1, b0, kp + 6 * this->aes_Ncol);
1380 round(inv_rnd, b0, b1, kp + 7 * this->aes_Ncol);
1381 round(inv_rnd, b1, b0, kp + 8 * this->aes_Ncol);
1382 round(inv_lrnd, b0, b1, kp + 9 * this->aes_Ncol);
1383 }
1384
1385 #elif defined(PARTIAL_UNROLL)
1386 { u_int32_t rnd;
1387
1388 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1389 {
1390 round(inv_rnd, b1, b0, kp);
1391 round(inv_rnd, b0, b1, kp + this->aes_Ncol); kp += 2 * this->aes_Ncol;
1392 }
1393
1394 round(inv_rnd, b1, b0, kp);
1395 round(inv_lrnd, b0, b1, kp + this->aes_Ncol);
1396 }
1397 #else
1398 { u_int32_t rnd;
1399
1400 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1401 {
1402 round(inv_rnd, b1, b0, kp);
1403 l_copy(b0, b1); kp += this->aes_Ncol;
1404 }
1405
1406 round(inv_lrnd, b0, b1, kp);
1407 }
1408 #endif
1409
1410 state_out(decrypted, b0);
1411
1412
1413 return SUCCESS;
1414 }
1415
1416
1417 /**
1418 * Implementation of crypter_t.decrypt.
1419 */
1420 static status_t decrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
1421 {
1422 int ret, pos;
1423 const u_int32_t *iv_i;
1424 u_int8_t *in, *out;
1425
1426 ret = data.len;
1427 if (((data.len) % 16) != 0)
1428 {
1429 /* data length must be padded to a multiple of blocksize */
1430 return INVALID_ARG;
1431 }
1432
1433 decrypted->ptr = allocator_alloc(data.len);
1434 if (decrypted->ptr == NULL)
1435 {
1436 return OUT_OF_RES;
1437 }
1438 decrypted->len = data.len;
1439
1440 in = data.ptr;
1441 out = decrypted->ptr;
1442
1443 pos=data.len-16;
1444 in+=pos;
1445 out+=pos;
1446 while(pos>=0) {
1447 this->decrypt_block(this,in,out);
1448 if (pos==0)
1449 iv_i=(const u_int32_t*) (iv.ptr);
1450 else
1451 iv_i=(const u_int32_t*) (in-16);
1452 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1453 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1454 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1455 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1456 in-=16;
1457 out-=16;
1458 pos-=16;
1459 }
1460
1461 return SUCCESS;
1462 }
1463
1464
1465 /**
1466 * Implementation of crypter_t.decrypt.
1467 */
1468 static status_t encrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
1469 {
1470 int ret, pos;
1471 const u_int32_t *iv_i;
1472 u_int8_t *in, *out;
1473
1474 ret = data.len;
1475 if (((data.len) % 16) != 0)
1476 {
1477 /* data length must be padded to a multiple of blocksize */
1478 return INVALID_ARG;
1479 }
1480
1481 encrypted->ptr = allocator_alloc(data.len);
1482 if (encrypted->ptr == NULL)
1483 {
1484 return OUT_OF_RES;
1485 }
1486 encrypted->len = data.len;
1487
1488 in = data.ptr;
1489 out = encrypted->ptr;
1490
1491 pos=0;
1492 while(pos<data.len)
1493 {
1494 if (pos==0)
1495 iv_i=(const u_int32_t*) iv.ptr;
1496 else
1497 iv_i=(const u_int32_t*) (out-16);
1498 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1499 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1500 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1501 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1502 this->encrypt_block(this,out,out);
1503 in+=16;
1504 out+=16;
1505 pos+=16;
1506 }
1507 return SUCCESS;
1508 }
1509
1510 /**
1511 * Implementation of crypter_t.get_block_size.
1512 */
1513 static size_t get_block_size (private_aes_cbc_crypter_t *this)
1514 {
1515 return this->blocksize;
1516 }
1517
1518 /**
1519 * Implementation of crypter_t.set_key.
1520 */
1521 static status_t set_key (private_aes_cbc_crypter_t *this, chunk_t key)
1522 {
1523 u_int32_t *kf, *kt, rci, f = 0;
1524
1525 if (key.len != this->blocksize)
1526 {
1527 /* key length not as expected */
1528 return INVALID_ARG;
1529 }
1530
1531 this->aes_Nrnd = (this->aes_Nkey > this->aes_Ncol ? this->aes_Nkey : this->aes_Ncol) + 6;
1532
1533 this->aes_e_key[0] = const_word_in(key.ptr);
1534 this->aes_e_key[1] = const_word_in(key.ptr + 4);
1535 this->aes_e_key[2] = const_word_in(key.ptr + 8);
1536 this->aes_e_key[3] = const_word_in(key.ptr + 12);
1537
1538 kf = this->aes_e_key;
1539 kt = kf + this->aes_Ncol * (this->aes_Nrnd + 1) - this->aes_Nkey;
1540 rci = 0;
1541
1542 switch(this->aes_Nkey)
1543 {
1544 case 4: do
1545 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1546 kf[5] = kf[1] ^ kf[4];
1547 kf[6] = kf[2] ^ kf[5];
1548 kf[7] = kf[3] ^ kf[6];
1549 kf += 4;
1550 }
1551 while(kf < kt);
1552 break;
1553
1554 case 6: this->aes_e_key[4] = const_word_in(key.ptr + 16);
1555 this->aes_e_key[5] = const_word_in(key.ptr + 20);
1556 do
1557 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1558 kf[ 7] = kf[1] ^ kf[ 6];
1559 kf[ 8] = kf[2] ^ kf[ 7];
1560 kf[ 9] = kf[3] ^ kf[ 8];
1561 kf[10] = kf[4] ^ kf[ 9];
1562 kf[11] = kf[5] ^ kf[10];
1563 kf += 6;
1564 }
1565 while(kf < kt);
1566 break;
1567
1568 case 8: this->aes_e_key[4] = const_word_in(key.ptr + 16);
1569 this->aes_e_key[5] = const_word_in(key.ptr + 20);
1570 this->aes_e_key[6] = const_word_in(key.ptr + 24);
1571 this->aes_e_key[7] = const_word_in(key.ptr + 28);
1572 do
1573 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1574 kf[ 9] = kf[1] ^ kf[ 8];
1575 kf[10] = kf[2] ^ kf[ 9];
1576 kf[11] = kf[3] ^ kf[10];
1577 kf[12] = kf[4] ^ ls_box(kf[11],0);
1578 kf[13] = kf[5] ^ kf[12];
1579 kf[14] = kf[6] ^ kf[13];
1580 kf[15] = kf[7] ^ kf[14];
1581 kf += 8;
1582 }
1583 while (kf < kt);
1584 break;
1585 }
1586
1587 if(!f)
1588 { u_int32_t i;
1589
1590 kt = this->aes_d_key + this->aes_Ncol * this->aes_Nrnd;
1591 kf = this->aes_e_key;
1592
1593 cpy(kt, kf); kt -= 2 * this->aes_Ncol;
1594
1595 for(i = 1; i < this->aes_Nrnd; ++i)
1596 {
1597 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1598 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1599 u_int32_t f2, f4, f8, f9;
1600 #endif
1601 mix(kt, kf);
1602 #else
1603 cpy(kt, kf);
1604 #endif
1605 kt -= 2 * this->aes_Ncol;
1606 }
1607
1608 cpy(kt, kf);
1609 }
1610
1611 return SUCCESS;
1612 }
1613
1614 /**
1615 * Implementation of crypter_t.destroy and aes_cbc_crypter_t.destroy.
1616 */
1617 static status_t destroy (private_aes_cbc_crypter_t *this)
1618 {
1619 allocator_free(this);
1620 return SUCCESS;
1621 }
1622
1623
1624 aes_cbc_crypter_t *aes_cbc_crypter_create(size_t blocksize)
1625 {
1626 private_aes_cbc_crypter_t *this = allocator_alloc_thing(private_aes_cbc_crypter_t);
1627 if (this == NULL)
1628 {
1629 return NULL;
1630 }
1631 #if !defined(FIXED_TABLES)
1632 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1633 #endif
1634
1635 switch(blocksize) {
1636 case 32: /* bytes */
1637 this->aes_Ncol = 8;
1638 this->blocksize = blocksize;
1639 break;
1640 case 24: /* bytes */
1641 this->aes_Ncol = 6;
1642 this->blocksize = blocksize;
1643 break;
1644 case 16: /* bytes */
1645 default:
1646 this->aes_Ncol = 4;
1647 this->blocksize = 16;
1648 break;
1649 }
1650
1651
1652 /* functions of crypter_t interface */
1653 this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1654 this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1655 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1656 this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key;
1657 this->public.crypter_interface.destroy = (status_t (*) (crypter_t *)) destroy;
1658
1659 /* public functions */
1660 this->public.destroy = (status_t (*) (aes_cbc_crypter_t *)) destroy;
1661
1662 /* private functions */
1663 this->encrypt_block = encrypt_block;
1664 this->decrypt_block = decrypt_block;
1665
1666
1667 return &(this->public);
1668 }