- some improvements to new asn1 stuff
[strongswan.git] / Source / lib / crypto / crypters / aes_cbc_crypter.c
1 /**
2 * @file aes_cbc_crypter.c
3 *
4 * @brief Implementation of aes_cbc_crypter_t
5 *
6 */
7
8 /*
9 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "aes_cbc_crypter.h"
25
26
27
28 /*
29 * The number of key schedule words for different block and key lengths
30 * allowing for method of computation which requires the length to be a
31 * multiple of the key length. This version of AES implementation supports
32 * all three keylengths 16, 24 and 32 bytes!
33 *
34 * Nk = 4 6 8
35 * -------------
36 * Nb = 4 | 60 60 64
37 * 6 | 96 90 96
38 * 8 | 120 120 120
39 */
40 #define AES_KS_LENGTH 120
41 #define AES_RC_LENGTH 29
42
43 #define AES_BLOCK_SIZE 16
44
45 typedef struct private_aes_cbc_crypter_t private_aes_cbc_crypter_t;
46
47 /**
48 * @brief Class implementing the AES symmetric encryption algorithm.
49 *
50 * @ingroup crypters
51 */
52 struct private_aes_cbc_crypter_t {
53
54 /**
55 * Public part of this class.
56 */
57 aes_cbc_crypter_t public;
58
59 /**
60 * Number of words in the key input block.
61 */
62 u_int32_t aes_Nkey;
63
64 /**
65 * The number of cipher rounds.
66 */
67 u_int32_t aes_Nrnd;
68
69 /**
70 * The encryption key schedule.
71 */
72 u_int32_t aes_e_key[AES_KS_LENGTH];
73
74 /**
75 * The decryption key schedule.
76 */
77 u_int32_t aes_d_key[AES_KS_LENGTH];
78
79 /**
80 * The number of columns in the cipher state.
81 */
82 u_int32_t aes_Ncol;
83
84 /**
85 * Key size of this AES cypher object.
86 */
87 u_int32_t key_size;
88
89 /**
90 * Decrypts a block.
91 *
92 * No memory gets allocated.
93 *
94 * @param this calling object
95 * @param[in] in_blk block to decrypt
96 * @param[out] out_blk decrypted data are written to this location
97 */
98 void (*decrypt_block) (const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[]);
99
100 /**
101 * Encrypts a block.
102 *
103 * No memory gets allocated.
104 *
105 * @param this calling object
106 * @param[in] in_blk block to encrypt
107 * @param[out] out_blk encrypted data are written to this location
108 */
109 void (*encrypt_block) (const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[]);
110 };
111
112
113 /* ugly macro stuff */
114
115 /* 1. Define UNROLL for full loop unrolling in encryption and decryption.
116 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
117 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
118 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
119 * Do not enable this without understanding stack space requirements.
120 * 5. Define ARRAYS to use arrays to hold the local state block. If this
121 * is not defined, individually declared 32-bit words are used.
122 * 6. Define FAST_VARIABLE if a high speed variable block implementation
123 * is needed (essentially three separate fixed block size code sequences)
124 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
125 * version using 1 table (2 kbytes of table space) or 4 tables (8
126 * kbytes of table space) for higher speed.
127 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
128 * increase by using tables for the last rounds but with more table
129 * space (2 or 8 kbytes extra).
130 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
131 * slower version is provided.
132 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
133 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
134 */
135
136 #define UNROLL
137 //#define PARTIAL_UNROLL
138
139 #define FIXED_TABLES
140 //#define FF_TABLES
141 //#define ARRAYS
142 #define FAST_VARIABLE
143
144 //#define ONE_TABLE
145 #define FOUR_TABLES
146
147 //#define ONE_LR_TABLE
148 #define FOUR_LR_TABLES
149
150 //#define ONE_IM_TABLE
151 #define FOUR_IM_TABLES
152
153 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
154 #error both UNROLL and PARTIAL_UNROLL are defined
155 #endif
156
157 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
158 #error both ONE_TABLE and FOUR_TABLES are defined
159 #endif
160
161 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
162 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
163 #endif
164
165 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
166 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
167 #endif
168
169 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
170 #error an illegal block size has been specified
171 #endif
172
173 /**
174 * Rotates bytes within words by n positions, moving bytes
175 * to higher index positions with wrap around into low positions.
176 */
177 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
178 /**
179 * Moves bytes by n positions to higher index positions in
180 * words but without wrap around.
181 */
182 #define ups(x,n) ((x) << 8 * (n))
183
184 /**
185 * Extracts a byte from a word.
186 */
187 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
188 #define bytes2word(b0, b1, b2, b3) \
189 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
190
191
192 /* little endian processor without data alignment restrictions: AES_LE_OK */
193 /* original code: i386 */
194 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
195 #define AES_LE_OK 1
196 /* added (tested): alpha --jjo */
197 #elif defined(__alpha__)|| defined (__alpha)
198 #define AES_LE_OK 1
199 /* added (tested): ia64 --jjo */
200 #elif defined(__ia64__)|| defined (__ia64)
201 #define AES_LE_OK 1
202 #endif
203
204 #ifdef AES_LE_OK
205 /* little endian processor without data alignment restrictions */
206 #define word_in(x) *(u_int32_t*)(x)
207 #define const_word_in(x) *(const u_int32_t*)(x)
208 #define word_out(x,v) *(u_int32_t*)(x) = (v)
209 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
210 #else
211 /* slower but generic big endian or with data alignment restrictions */
212 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
213 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
214 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
215 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
216 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
217 #endif
218
219 // Disable at least some poor combinations of options
220
221 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
222 #define FIXED_TABLES
223 #undef UNROLL
224 #undef ONE_LR_TABLE
225 #undef FOUR_LR_TABLES
226 #undef ONE_IM_TABLE
227 #undef FOUR_IM_TABLES
228 #elif !defined(FOUR_TABLES)
229 #ifdef FOUR_LR_TABLES
230 #undef FOUR_LR_TABLES
231 #define ONE_LR_TABLE
232 #endif
233 #ifdef FOUR_IM_TABLES
234 #undef FOUR_IM_TABLES
235 #define ONE_IM_TABLE
236 #endif
237 #elif !defined(AES_BLOCK_SIZE)
238 #if defined(UNROLL)
239 #define PARTIAL_UNROLL
240 #undef UNROLL
241 #endif
242 #endif
243
244 // the finite field modular polynomial and elements
245
246 #define ff_poly 0x011b
247 #define ff_hi 0x80
248
249 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
250
251 #define m1 0x80808080
252 #define m2 0x7f7f7f7f
253 #define m3 0x0000001b
254 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
255
256 // The following defines provide alternative definitions of FFmulX that might
257 // give improved performance if a fast 32-bit multiply is not available. Note
258 // that a temporary variable u needs to be defined where FFmulX is used.
259
260 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
261 // #define m4 0x1b1b1b1b
262 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
263
264 // perform column mix operation on four bytes in parallel
265
266 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
267
268 #if defined(FIXED_TABLES)
269
270 // the S-Box table
271
272 static const unsigned char s_box[256] =
273 {
274 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
275 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
276 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
277 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
278 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
279 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
280 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
281 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
282 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
283 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
284 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
285 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
286 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
287 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
288 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
289 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
290 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
291 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
292 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
293 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
294 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
295 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
296 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
297 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
298 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
299 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
300 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
301 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
302 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
303 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
304 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
305 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
306 };
307
308 // the inverse S-Box table
309
310 static const unsigned char inv_s_box[256] =
311 {
312 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
313 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
314 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
315 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
316 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
317 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
318 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
319 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
320 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
321 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
322 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
323 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
324 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
325 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
326 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
327 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
328 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
329 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
330 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
331 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
332 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
333 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
334 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
335 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
336 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
337 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
338 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
339 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
340 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
341 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
342 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
343 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
344 };
345
346 #define w0(p) 0x000000##p
347
348 // Number of elements required in this table for different
349 // block and key lengths is:
350 //
351 // Nk = 4 6 8
352 // ----------
353 // Nb = 4 | 10 8 7
354 // 6 | 19 12 11
355 // 8 | 29 19 14
356 //
357 // this table can be a table of bytes if the key schedule
358 // code is adjusted accordingly
359
360 static const u_int32_t rcon_tab[29] =
361 {
362 w0(01), w0(02), w0(04), w0(08),
363 w0(10), w0(20), w0(40), w0(80),
364 w0(1b), w0(36), w0(6c), w0(d8),
365 w0(ab), w0(4d), w0(9a), w0(2f),
366 w0(5e), w0(bc), w0(63), w0(c6),
367 w0(97), w0(35), w0(6a), w0(d4),
368 w0(b3), w0(7d), w0(fa), w0(ef),
369 w0(c5)
370 };
371
372 #undef w0
373
374 #define r0(p,q,r,s) 0x##p##q##r##s
375 #define r1(p,q,r,s) 0x##q##r##s##p
376 #define r2(p,q,r,s) 0x##r##s##p##q
377 #define r3(p,q,r,s) 0x##s##p##q##r
378 #define w0(p) 0x000000##p
379 #define w1(p) 0x0000##p##00
380 #define w2(p) 0x00##p##0000
381 #define w3(p) 0x##p##000000
382
383 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
384
385 // data for forward tables (other than last round)
386
387 #define f_table \
388 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
389 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
390 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
391 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
392 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
393 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
394 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
395 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
396 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
397 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
398 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
399 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
400 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
401 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
402 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
403 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
404 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
405 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
406 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
407 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
408 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
409 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
410 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
411 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
412 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
413 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
414 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
415 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
416 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
417 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
418 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
419 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
420 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
421 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
422 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
423 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
424 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
425 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
426 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
427 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
428 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
429 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
430 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
431 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
432 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
433 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
434 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
435 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
436 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
437 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
438 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
439 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
440 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
441 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
442 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
443 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
444 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
445 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
446 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
447 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
448 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
449 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
450 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
451 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
452
453 // data for inverse tables (other than last round)
454
455 #define i_table \
456 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
457 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
458 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
459 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
460 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
461 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
462 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
463 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
464 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
465 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
466 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
467 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
468 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
469 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
470 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
471 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
472 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
473 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
474 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
475 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
476 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
477 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
478 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
479 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
480 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
481 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
482 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
483 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
484 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
485 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
486 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
487 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
488 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
489 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
490 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
491 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
492 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
493 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
494 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
495 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
496 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
497 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
498 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
499 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
500 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
501 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
502 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
503 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
504 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
505 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
506 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
507 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
508 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
509 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
510 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
511 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
512 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
513 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
514 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
515 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
516 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
517 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
518 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
519 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
520
521 // generate the required tables in the desired endian format
522
523 #undef r
524 #define r r0
525
526 #if defined(ONE_TABLE)
527 static const u_int32_t ft_tab[256] =
528 { f_table };
529 #elif defined(FOUR_TABLES)
530 static const u_int32_t ft_tab[4][256] =
531 { { f_table },
532 #undef r
533 #define r r1
534 { f_table },
535 #undef r
536 #define r r2
537 { f_table },
538 #undef r
539 #define r r3
540 { f_table }
541 };
542 #endif
543
544 #undef r
545 #define r r0
546 #if defined(ONE_TABLE)
547 static const u_int32_t it_tab[256] =
548 { i_table };
549 #elif defined(FOUR_TABLES)
550 static const u_int32_t it_tab[4][256] =
551 { { i_table },
552 #undef r
553 #define r r1
554 { i_table },
555 #undef r
556 #define r r2
557 { i_table },
558 #undef r
559 #define r r3
560 { i_table }
561 };
562 #endif
563
564 #endif
565
566 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
567
568 // data for inverse tables (last round)
569
570 #define li_table \
571 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
572 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
573 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
574 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
575 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
576 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
577 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
578 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
579 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
580 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
581 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
582 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
583 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
584 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
585 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
586 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
587 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
588 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
589 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
590 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
591 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
592 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
593 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
594 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
595 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
596 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
597 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
598 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
599 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
600 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
601 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
602 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
603
604 // generate the required tables in the desired endian format
605
606 #undef r
607 #define r(p,q,r,s) w0(q)
608 #if defined(ONE_LR_TABLE)
609 static const u_int32_t fl_tab[256] =
610 { f_table };
611 #elif defined(FOUR_LR_TABLES)
612 static const u_int32_t fl_tab[4][256] =
613 { { f_table },
614 #undef r
615 #define r(p,q,r,s) w1(q)
616 { f_table },
617 #undef r
618 #define r(p,q,r,s) w2(q)
619 { f_table },
620 #undef r
621 #define r(p,q,r,s) w3(q)
622 { f_table }
623 };
624 #endif
625
626 #undef w
627 #define w w0
628 #if defined(ONE_LR_TABLE)
629 static const u_int32_t il_tab[256] =
630 { li_table };
631 #elif defined(FOUR_LR_TABLES)
632 static const u_int32_t il_tab[4][256] =
633 { { li_table },
634 #undef w
635 #define w w1
636 { li_table },
637 #undef w
638 #define w w2
639 { li_table },
640 #undef w
641 #define w w3
642 { li_table }
643 };
644 #endif
645
646 #endif
647
648 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
649
650 #define m_table \
651 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
652 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
653 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
654 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
655 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
656 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
657 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
658 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
659 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
660 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
661 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
662 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
663 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
664 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
665 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
666 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
667 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
668 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
669 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
670 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
671 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
672 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
673 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
674 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
675 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
676 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
677 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
678 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
679 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
680 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
681 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
682 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
683 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
684 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
685 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
686 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
687 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
688 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
689 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
690 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
691 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
692 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
693 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
694 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
695 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
696 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
697 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
698 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
699 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
700 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
701 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
702 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
703 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
704 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
705 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
706 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
707 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
708 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
709 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
710 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
711 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
712 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
713 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
714 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
715
716 #undef r
717 #define r r0
718
719 #if defined(ONE_IM_TABLE)
720 static const u_int32_t im_tab[256] =
721 { m_table };
722 #elif defined(FOUR_IM_TABLES)
723 static const u_int32_t im_tab[4][256] =
724 { { m_table },
725 #undef r
726 #define r r1
727 { m_table },
728 #undef r
729 #define r r2
730 { m_table },
731 #undef r
732 #define r r3
733 { m_table }
734 };
735 #endif
736
737 #endif
738
739 #else
740
741 static int tab_gen = 0;
742
743 static unsigned char s_box[256]; // the S box
744 static unsigned char inv_s_box[256]; // the inverse S box
745 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
746
747 #if defined(ONE_TABLE)
748 static u_int32_t ft_tab[256];
749 static u_int32_t it_tab[256];
750 #elif defined(FOUR_TABLES)
751 static u_int32_t ft_tab[4][256];
752 static u_int32_t it_tab[4][256];
753 #endif
754
755 #if defined(ONE_LR_TABLE)
756 static u_int32_t fl_tab[256];
757 static u_int32_t il_tab[256];
758 #elif defined(FOUR_LR_TABLES)
759 static u_int32_t fl_tab[4][256];
760 static u_int32_t il_tab[4][256];
761 #endif
762
763 #if defined(ONE_IM_TABLE)
764 static u_int32_t im_tab[256];
765 #elif defined(FOUR_IM_TABLES)
766 static u_int32_t im_tab[4][256];
767 #endif
768
769 // Generate the tables for the dynamic table option
770
771 #if !defined(FF_TABLES)
772
773 // It will generally be sensible to use tables to compute finite
774 // field multiplies and inverses but where memory is scarse this
775 // code might sometimes be better.
776
777 // return 2 ^ (n - 1) where n is the bit number of the highest bit
778 // set in x with x in the range 1 < x < 0x00000200. This form is
779 // used so that locals within FFinv can be bytes rather than words
780
781 static unsigned char hibit(const u_int32_t x)
782 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
783
784 r |= (r >> 2);
785 r |= (r >> 4);
786 return (r + 1) >> 1;
787 }
788
789 // return the inverse of the finite field element x
790
791 static unsigned char FFinv(const unsigned char x)
792 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
793
794 if(x < 2) return x;
795
796 for(;;)
797 {
798 if(!n1) return v1;
799
800 while(n2 >= n1)
801 {
802 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
803 }
804
805 if(!n2) return v2;
806
807 while(n1 >= n2)
808 {
809 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
810 }
811 }
812 }
813
814 // define the finite field multiplies required for Rijndael
815
816 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
817 #define FFmul03(x) ((x) ^ FFmul02(x))
818 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
819 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
820 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
821 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
822
823 #else
824
825 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
826
827 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
828 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
829 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
830 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
831 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
832 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
833
834 #endif
835
836 // The forward and inverse affine transformations used in the S-box
837
838 #define fwd_affine(x) \
839 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
840
841 #define inv_affine(x) \
842 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
843
844 static void gen_tabs(void)
845 { u_int32_t i, w;
846
847 #if defined(FF_TABLES)
848
849 unsigned char pow[512], log[256];
850
851 // log and power tables for GF(2^8) finite field with
852 // 0x011b as modular polynomial - the simplest primitive
853 // root is 0x03, used here to generate the tables
854
855 i = 0; w = 1;
856 do
857 {
858 pow[i] = (unsigned char)w;
859 pow[i + 255] = (unsigned char)w;
860 log[w] = (unsigned char)i++;
861 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
862 }
863 while (w != 1);
864
865 #endif
866
867 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
868 {
869 rcon_tab[i] = bytes2word(w, 0, 0, 0);
870 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
871 }
872
873 for(i = 0; i < 256; ++i)
874 { unsigned char b;
875
876 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
877
878 w = bytes2word(b, 0, 0, 0);
879 #if defined(ONE_LR_TABLE)
880 fl_tab[i] = w;
881 #elif defined(FOUR_LR_TABLES)
882 fl_tab[0][i] = w;
883 fl_tab[1][i] = upr(w,1);
884 fl_tab[2][i] = upr(w,2);
885 fl_tab[3][i] = upr(w,3);
886 #endif
887 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
888 #if defined(ONE_TABLE)
889 ft_tab[i] = w;
890 #elif defined(FOUR_TABLES)
891 ft_tab[0][i] = w;
892 ft_tab[1][i] = upr(w,1);
893 ft_tab[2][i] = upr(w,2);
894 ft_tab[3][i] = upr(w,3);
895 #endif
896 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
897
898 w = bytes2word(b, 0, 0, 0);
899 #if defined(ONE_LR_TABLE)
900 il_tab[i] = w;
901 #elif defined(FOUR_LR_TABLES)
902 il_tab[0][i] = w;
903 il_tab[1][i] = upr(w,1);
904 il_tab[2][i] = upr(w,2);
905 il_tab[3][i] = upr(w,3);
906 #endif
907 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
908 #if defined(ONE_TABLE)
909 it_tab[i] = w;
910 #elif defined(FOUR_TABLES)
911 it_tab[0][i] = w;
912 it_tab[1][i] = upr(w,1);
913 it_tab[2][i] = upr(w,2);
914 it_tab[3][i] = upr(w,3);
915 #endif
916 #if defined(ONE_IM_TABLE)
917 im_tab[b] = w;
918 #elif defined(FOUR_IM_TABLES)
919 im_tab[0][b] = w;
920 im_tab[1][b] = upr(w,1);
921 im_tab[2][b] = upr(w,2);
922 im_tab[3][b] = upr(w,3);
923 #endif
924
925 }
926 }
927
928 #endif
929
930 #define no_table(x,box,vf,rf,c) bytes2word( \
931 box[bval(vf(x,0,c),rf(0,c))], \
932 box[bval(vf(x,1,c),rf(1,c))], \
933 box[bval(vf(x,2,c),rf(2,c))], \
934 box[bval(vf(x,3,c),rf(3,c))])
935
936 #define one_table(x,op,tab,vf,rf,c) \
937 ( tab[bval(vf(x,0,c),rf(0,c))] \
938 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
939 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
940 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
941
942 #define four_tables(x,tab,vf,rf,c) \
943 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
944 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
945 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
946 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
947
948 #define vf1(x,r,c) (x)
949 #define rf1(r,c) (r)
950 #define rf2(r,c) ((r-c)&3)
951
952 #if defined(FOUR_LR_TABLES)
953 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
954 #elif defined(ONE_LR_TABLE)
955 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
956 #else
957 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
958 #endif
959
960 #if defined(FOUR_IM_TABLES)
961 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
962 #elif defined(ONE_IM_TABLE)
963 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
964 #else
965 #define inv_mcol(x) \
966 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
967 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
968 #endif
969
970 #define nc (this->aes_Ncol)
971
972 // Initialise the key schedule from the user supplied key. The key
973 // length is now specified in bytes - 16, 24 or 32 as appropriate.
974 // This corresponds to bit lengths of 128, 192 and 256 bits, and
975 // to Nk values of 4, 6 and 8 respectively.
976
977 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
978 #define cp(t,f) *t++ = *f++
979
980 #if AES_BLOCK_SIZE == 16
981 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
982 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
983 #elif AES_BLOCK_SIZE == 24
984 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
985 cp(d,s); cp(d,s)
986 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
987 mx(d,s); mx(d,s)
988 #elif AES_BLOCK_SIZE == 32
989 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
990 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
991 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
992 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
993 #else
994
995 #define cpy(d,s) \
996 switch(nc) \
997 { case 8: cp(d,s); cp(d,s); \
998 case 6: cp(d,s); cp(d,s); \
999 case 4: cp(d,s); cp(d,s); \
1000 cp(d,s); cp(d,s); \
1001 }
1002
1003 #define mix(d,s) \
1004 switch(nc) \
1005 { case 8: mx(d,s); mx(d,s); \
1006 case 6: mx(d,s); mx(d,s); \
1007 case 4: mx(d,s); mx(d,s); \
1008 mx(d,s); mx(d,s); \
1009 }
1010
1011 #endif
1012
1013 // y = output word, x = input word, r = row, c = column
1014 // for r = 0, 1, 2 and 3 = column accessed for row r
1015
1016 #if defined(ARRAYS)
1017 #define s(x,c) x[c]
1018 #else
1019 #define s(x,c) x##c
1020 #endif
1021
1022 // I am grateful to Frank Yellin for the following constructions
1023 // which, given the column (c) of the output state variable that
1024 // is being computed, return the input state variables which are
1025 // needed for each row (r) of the state
1026
1027 // For the fixed block size options, compilers reduce these two
1028 // expressions to fixed variable references. For variable block
1029 // size code conditional clauses will sometimes be returned
1030
1031 #define unused 77 // Sunset Strip
1032
1033 #define fwd_var(x,r,c) \
1034 ( r==0 ? \
1035 ( c==0 ? s(x,0) \
1036 : c==1 ? s(x,1) \
1037 : c==2 ? s(x,2) \
1038 : c==3 ? s(x,3) \
1039 : c==4 ? s(x,4) \
1040 : c==5 ? s(x,5) \
1041 : c==6 ? s(x,6) \
1042 : s(x,7)) \
1043 : r==1 ? \
1044 ( c==0 ? s(x,1) \
1045 : c==1 ? s(x,2) \
1046 : c==2 ? s(x,3) \
1047 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1048 : c==4 ? s(x,5) \
1049 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1050 : c==6 ? s(x,7) \
1051 : s(x,0)) \
1052 : r==2 ? \
1053 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1054 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1055 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1056 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1057 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1058 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1059 : c==6 ? s(x,1) \
1060 : s(x,2)) \
1061 : \
1062 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1063 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1064 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1065 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1066 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1067 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1068 : c==6 ? s(x,2) \
1069 : s(x,3)))
1070
1071 #define inv_var(x,r,c) \
1072 ( r==0 ? \
1073 ( c==0 ? s(x,0) \
1074 : c==1 ? s(x,1) \
1075 : c==2 ? s(x,2) \
1076 : c==3 ? s(x,3) \
1077 : c==4 ? s(x,4) \
1078 : c==5 ? s(x,5) \
1079 : c==6 ? s(x,6) \
1080 : s(x,7)) \
1081 : r==1 ? \
1082 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1083 : c==1 ? s(x,0) \
1084 : c==2 ? s(x,1) \
1085 : c==3 ? s(x,2) \
1086 : c==4 ? s(x,3) \
1087 : c==5 ? s(x,4) \
1088 : c==6 ? s(x,5) \
1089 : s(x,6)) \
1090 : r==2 ? \
1091 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1092 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1093 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1094 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1095 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1096 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1097 : c==6 ? s(x,3) \
1098 : s(x,4)) \
1099 : \
1100 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1101 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1102 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1103 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1104 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1105 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1106 : c==6 ? s(x,2) \
1107 : s(x,3)))
1108
1109 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1110 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1111
1112 #if defined(FOUR_TABLES)
1113 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1114 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1115 #elif defined(ONE_TABLE)
1116 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1117 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1118 #else
1119 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1120 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1121 #endif
1122
1123 #if defined(FOUR_LR_TABLES)
1124 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1125 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1126 #elif defined(ONE_LR_TABLE)
1127 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1128 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1129 #else
1130 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1131 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1132 #endif
1133
1134 #if AES_BLOCK_SIZE == 16
1135
1136 #if defined(ARRAYS)
1137 #define locals(y,x) x[4],y[4]
1138 #else
1139 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1140 // the following defines prevent the compiler requiring the declaration
1141 // of generated but unused variables in the fwd_var and inv_var macros
1142 #define b04 unused
1143 #define b05 unused
1144 #define b06 unused
1145 #define b07 unused
1146 #define b14 unused
1147 #define b15 unused
1148 #define b16 unused
1149 #define b17 unused
1150 #endif
1151 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1152 s(y,2) = s(x,2); s(y,3) = s(x,3);
1153 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1154 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1155 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1156
1157 #elif AES_BLOCK_SIZE == 24
1158
1159 #if defined(ARRAYS)
1160 #define locals(y,x) x[6],y[6]
1161 #else
1162 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1163 y##0,y##1,y##2,y##3,y##4,y##5
1164 #define b06 unused
1165 #define b07 unused
1166 #define b16 unused
1167 #define b17 unused
1168 #endif
1169 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1170 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1171 s(y,4) = s(x,4); s(y,5) = s(x,5);
1172 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1173 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1174 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1175 so(y,x,3); so(y,x,4); so(y,x,5)
1176 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1177 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1178 #else
1179
1180 #if defined(ARRAYS)
1181 #define locals(y,x) x[8],y[8]
1182 #else
1183 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1184 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1185 #endif
1186 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1187 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1188 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1189 s(y,6) = s(x,6); s(y,7) = s(x,7);
1190
1191 #if AES_BLOCK_SIZE == 32
1192
1193 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1194 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1195 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1196 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1197 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1198 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1199 #else
1200
1201 #define state_in(y,x,k) \
1202 switch(nc) \
1203 { case 8: si(y,x,k,7); si(y,x,k,6); \
1204 case 6: si(y,x,k,5); si(y,x,k,4); \
1205 case 4: si(y,x,k,3); si(y,x,k,2); \
1206 si(y,x,k,1); si(y,x,k,0); \
1207 }
1208
1209 #define state_out(y,x) \
1210 switch(nc) \
1211 { case 8: so(y,x,7); so(y,x,6); \
1212 case 6: so(y,x,5); so(y,x,4); \
1213 case 4: so(y,x,3); so(y,x,2); \
1214 so(y,x,1); so(y,x,0); \
1215 }
1216
1217 #if defined(FAST_VARIABLE)
1218
1219 #define round(rm,y,x,k) \
1220 switch(nc) \
1221 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1222 rm(y,x,k,5); rm(y,x,k,4); \
1223 rm(y,x,k,3); rm(y,x,k,2); \
1224 rm(y,x,k,1); rm(y,x,k,0); \
1225 break; \
1226 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1227 rm(y,x,k,3); rm(y,x,k,2); \
1228 rm(y,x,k,1); rm(y,x,k,0); \
1229 break; \
1230 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1231 rm(y,x,k,1); rm(y,x,k,0); \
1232 break; \
1233 }
1234 #else
1235
1236 #define round(rm,y,x,k) \
1237 switch(nc) \
1238 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1239 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1240 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1241 rm(y,x,k,1); rm(y,x,k,0); \
1242 }
1243
1244 #endif
1245
1246 #endif
1247 #endif
1248
1249 /**
1250 * Implementation of private_aes_cbc_crypter_t.encrypt_block.
1251 */
1252 static void encrypt_block(const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1253 { u_int32_t locals(b0, b1);
1254 const u_int32_t *kp = this->aes_e_key;
1255
1256 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1257 u_int32_t f2;
1258 #endif
1259
1260 state_in(b0, in_blk, kp); kp += nc;
1261
1262 #if defined(UNROLL)
1263
1264 switch(this->aes_Nrnd)
1265 {
1266 case 14: round(fwd_rnd, b1, b0, kp );
1267 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1268 case 12: round(fwd_rnd, b1, b0, kp );
1269 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1270 case 10: round(fwd_rnd, b1, b0, kp );
1271 round(fwd_rnd, b0, b1, kp + nc);
1272 round(fwd_rnd, b1, b0, kp + 2 * nc);
1273 round(fwd_rnd, b0, b1, kp + 3 * nc);
1274 round(fwd_rnd, b1, b0, kp + 4 * nc);
1275 round(fwd_rnd, b0, b1, kp + 5 * nc);
1276 round(fwd_rnd, b1, b0, kp + 6 * nc);
1277 round(fwd_rnd, b0, b1, kp + 7 * nc);
1278 round(fwd_rnd, b1, b0, kp + 8 * nc);
1279 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1280 }
1281
1282 #elif defined(PARTIAL_UNROLL)
1283 { u_int32_t rnd;
1284
1285 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1286 {
1287 round(fwd_rnd, b1, b0, kp);
1288 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1289 }
1290
1291 round(fwd_rnd, b1, b0, kp);
1292 round(fwd_lrnd, b0, b1, kp + nc);
1293 }
1294 #else
1295 { u_int32_t rnd;
1296
1297 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1298 {
1299 round(fwd_rnd, b1, b0, kp);
1300 l_copy(b0, b1); kp += nc;
1301 }
1302
1303 round(fwd_lrnd, b0, b1, kp);
1304 }
1305 #endif
1306
1307 state_out(out_blk, b0);
1308 }
1309
1310 /**
1311 * Implementation of private_aes_cbc_crypter_t.decrypt_block.
1312 */
1313 static void decrypt_block(const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1314 { u_int32_t locals(b0, b1);
1315 const u_int32_t *kp = this->aes_d_key;
1316
1317 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1318 u_int32_t f2, f4, f8, f9;
1319 #endif
1320
1321 state_in(b0, in_blk, kp); kp += nc;
1322
1323 #if defined(UNROLL)
1324
1325 switch(this->aes_Nrnd)
1326 {
1327 case 14: round(inv_rnd, b1, b0, kp );
1328 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1329 case 12: round(inv_rnd, b1, b0, kp );
1330 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1331 case 10: round(inv_rnd, b1, b0, kp );
1332 round(inv_rnd, b0, b1, kp + nc);
1333 round(inv_rnd, b1, b0, kp + 2 * nc);
1334 round(inv_rnd, b0, b1, kp + 3 * nc);
1335 round(inv_rnd, b1, b0, kp + 4 * nc);
1336 round(inv_rnd, b0, b1, kp + 5 * nc);
1337 round(inv_rnd, b1, b0, kp + 6 * nc);
1338 round(inv_rnd, b0, b1, kp + 7 * nc);
1339 round(inv_rnd, b1, b0, kp + 8 * nc);
1340 round(inv_lrnd, b0, b1, kp + 9 * nc);
1341 }
1342
1343 #elif defined(PARTIAL_UNROLL)
1344 { u_int32_t rnd;
1345
1346 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1347 {
1348 round(inv_rnd, b1, b0, kp);
1349 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1350 }
1351
1352 round(inv_rnd, b1, b0, kp);
1353 round(inv_lrnd, b0, b1, kp + nc);
1354 }
1355 #else
1356 { u_int32_t rnd;
1357
1358 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1359 {
1360 round(inv_rnd, b1, b0, kp);
1361 l_copy(b0, b1); kp += nc;
1362 }
1363
1364 round(inv_lrnd, b0, b1, kp);
1365 }
1366 #endif
1367
1368 state_out(out_blk, b0);
1369 }
1370
1371 /**
1372 * Implementation of crypter_t.decrypt.
1373 */
1374 static status_t decrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
1375 {
1376 int ret, pos;
1377 const u_int32_t *iv_i;
1378 u_int8_t *in, *out;
1379
1380 ret = data.len;
1381 if (((data.len) % 16) != 0)
1382 {
1383 /* data length must be padded to a multiple of blocksize */
1384 return INVALID_ARG;
1385 }
1386
1387 decrypted->ptr = malloc(data.len);
1388 if (decrypted->ptr == NULL)
1389 {
1390 return OUT_OF_RES;
1391 }
1392 decrypted->len = data.len;
1393
1394 in = data.ptr;
1395 out = decrypted->ptr;
1396
1397 pos=data.len-16;
1398 in+=pos;
1399 out+=pos;
1400 while(pos>=0) {
1401 this->decrypt_block(this,in,out);
1402 if (pos==0)
1403 iv_i=(const u_int32_t*) (iv.ptr);
1404 else
1405 iv_i=(const u_int32_t*) (in-16);
1406 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1407 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1408 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1409 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1410 in-=16;
1411 out-=16;
1412 pos-=16;
1413 }
1414
1415 return SUCCESS;
1416 }
1417
1418
1419 /**
1420 * Implementation of crypter_t.decrypt.
1421 */
1422 static status_t encrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
1423 {
1424 int ret, pos;
1425 const u_int32_t *iv_i;
1426 u_int8_t *in, *out;
1427
1428 ret = data.len;
1429 if (((data.len) % 16) != 0)
1430 {
1431 /* data length must be padded to a multiple of blocksize */
1432 return INVALID_ARG;
1433 }
1434
1435 encrypted->ptr = malloc(data.len);
1436 if (encrypted->ptr == NULL)
1437 {
1438 return OUT_OF_RES;
1439 }
1440 encrypted->len = data.len;
1441
1442 in = data.ptr;
1443 out = encrypted->ptr;
1444
1445 pos=0;
1446 while(pos<data.len)
1447 {
1448 if (pos==0)
1449 iv_i=(const u_int32_t*) iv.ptr;
1450 else
1451 iv_i=(const u_int32_t*) (out-16);
1452 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1453 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1454 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1455 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1456 this->encrypt_block(this,out,out);
1457 in+=16;
1458 out+=16;
1459 pos+=16;
1460 }
1461 return SUCCESS;
1462 }
1463
1464 /**
1465 * Implementation of crypter_t.get_block_size.
1466 */
1467 static size_t get_block_size (private_aes_cbc_crypter_t *this)
1468 {
1469 return AES_BLOCK_SIZE;
1470 }
1471
1472 /**
1473 * Implementation of crypter_t.get_key_size.
1474 */
1475 static size_t get_key_size (private_aes_cbc_crypter_t *this)
1476 {
1477 return this->key_size;
1478 }
1479
1480 /**
1481 * Implementation of crypter_t.set_key.
1482 */
1483 static status_t set_key (private_aes_cbc_crypter_t *this, chunk_t key)
1484 {
1485 u_int32_t *kf, *kt, rci, f = 0;
1486 u_int8_t *in_key = key.ptr;
1487
1488 if (key.len != this->key_size)
1489 {
1490 return INVALID_ARG;
1491 }
1492
1493 this->aes_Nrnd = (this->aes_Nkey > (this->aes_Ncol) ? this->aes_Nkey : (this->aes_Ncol)) + 6;
1494
1495 this->aes_e_key[0] = const_word_in(in_key );
1496 this->aes_e_key[1] = const_word_in(in_key + 4);
1497 this->aes_e_key[2] = const_word_in(in_key + 8);
1498 this->aes_e_key[3] = const_word_in(in_key + 12);
1499
1500 kf = this->aes_e_key;
1501 kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
1502 rci = 0;
1503
1504 switch(this->aes_Nkey)
1505 {
1506 case 4: do
1507 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1508 kf[5] = kf[1] ^ kf[4];
1509 kf[6] = kf[2] ^ kf[5];
1510 kf[7] = kf[3] ^ kf[6];
1511 kf += 4;
1512 }
1513 while(kf < kt);
1514 break;
1515
1516 case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
1517 this->aes_e_key[5] = const_word_in(in_key + 20);
1518 do
1519 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1520 kf[ 7] = kf[1] ^ kf[ 6];
1521 kf[ 8] = kf[2] ^ kf[ 7];
1522 kf[ 9] = kf[3] ^ kf[ 8];
1523 kf[10] = kf[4] ^ kf[ 9];
1524 kf[11] = kf[5] ^ kf[10];
1525 kf += 6;
1526 }
1527 while(kf < kt);
1528 break;
1529
1530 case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
1531 this->aes_e_key[5] = const_word_in(in_key + 20);
1532 this->aes_e_key[6] = const_word_in(in_key + 24);
1533 this->aes_e_key[7] = const_word_in(in_key + 28);
1534 do
1535 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1536 kf[ 9] = kf[1] ^ kf[ 8];
1537 kf[10] = kf[2] ^ kf[ 9];
1538 kf[11] = kf[3] ^ kf[10];
1539 kf[12] = kf[4] ^ ls_box(kf[11],0);
1540 kf[13] = kf[5] ^ kf[12];
1541 kf[14] = kf[6] ^ kf[13];
1542 kf[15] = kf[7] ^ kf[14];
1543 kf += 8;
1544 }
1545 while (kf < kt);
1546 break;
1547 }
1548
1549 if(!f)
1550 {
1551 u_int32_t i;
1552
1553 kt = this->aes_d_key + nc * this->aes_Nrnd;
1554 kf = this->aes_e_key;
1555
1556 cpy(kt, kf); kt -= 2 * nc;
1557
1558 for(i = 1; i < this->aes_Nrnd; ++i)
1559 {
1560 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1561 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1562 u_int32_t f2, f4, f8, f9;
1563 #endif
1564 mix(kt, kf);
1565 #else
1566 cpy(kt, kf);
1567 #endif
1568 kt -= 2 * nc;
1569 }
1570 cpy(kt, kf);
1571 }
1572
1573 return SUCCESS;
1574 }
1575
1576 /**
1577 * Implementation of crypter_t.destroy and aes_cbc_crypter_t.destroy.
1578 */
1579 static void destroy (private_aes_cbc_crypter_t *this)
1580 {
1581 free(this);
1582 }
1583
1584 /*
1585 * Described in header
1586 */
1587 aes_cbc_crypter_t *aes_cbc_crypter_create(size_t key_size)
1588 {
1589 private_aes_cbc_crypter_t *this = malloc_thing(private_aes_cbc_crypter_t);
1590
1591 #if !defined(FIXED_TABLES)
1592 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1593 #endif
1594
1595 this->key_size = key_size;
1596 switch(key_size) {
1597 case 32: /* bytes */
1598 this->aes_Ncol = 8;
1599 this->aes_Nkey = 8;
1600 break;
1601 case 24: /* bytes */
1602 this->aes_Ncol = 6;
1603 this->aes_Nkey = 6;
1604 break;
1605 case 16: /* bytes */
1606 this->aes_Ncol = 4;
1607 this->aes_Nkey = 4;
1608 break;
1609 default:
1610 free(this);
1611 return NULL;
1612 }
1613
1614 /* functions of crypter_t interface */
1615 this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1616 this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1617 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1618 this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
1619 this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key;
1620 this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
1621
1622 /* private functions */
1623 this->decrypt_block = decrypt_block;
1624 this->encrypt_block = encrypt_block;
1625
1626 return &(this->public);
1627 }