Variable key length crypters use default key length if zero given
[strongswan.git] / src / libstrongswan / plugins / aes / aes_crypter.c
1 /*
2 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "aes_crypter.h"
19
20 /*
21 * The number of key schedule words for different block and key lengths
22 * allowing for method of computation which requires the length to be a
23 * multiple of the key length. This version of AES implementation supports
24 * all three keylengths 16, 24 and 32 bytes!
25 *
26 * Nk = 4 6 8
27 * -------------
28 * Nb = 4 | 60 60 64
29 * 6 | 96 90 96
30 * 8 | 120 120 120
31 */
32 #define AES_KS_LENGTH 120
33 #define AES_RC_LENGTH 29
34
35 typedef struct private_aes_crypter_t private_aes_crypter_t;
36
37 /**
38 * Class implementing the AES symmetric encryption algorithm.
39 *
40 * @ingroup crypters
41 */
42 struct private_aes_crypter_t {
43
44 /**
45 * Public part of this class.
46 */
47 aes_crypter_t public;
48
49 /**
50 * Number of words in the key input block.
51 */
52 u_int32_t aes_Nkey;
53
54 /**
55 * The number of cipher rounds.
56 */
57 u_int32_t aes_Nrnd;
58
59 /**
60 * The encryption key schedule.
61 */
62 u_int32_t aes_e_key[AES_KS_LENGTH];
63
64 /**
65 * The decryption key schedule.
66 */
67 u_int32_t aes_d_key[AES_KS_LENGTH];
68
69 /**
70 * Key size of this AES cypher object.
71 */
72 u_int32_t key_size;
73 };
74
75
76 /* ugly macro stuff */
77
78 /* 1. Define UNROLL for full loop unrolling in encryption and decryption.
79 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
80 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
81 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
82 * Do not enable this without understanding stack space requirements.
83 * 5. Define ARRAYS to use arrays to hold the local state block. If this
84 * is not defined, individually declared 32-bit words are used.
85 * 6. Define FAST_VARIABLE if a high speed variable block implementation
86 * is needed (essentially three separate fixed block size code sequences)
87 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
88 * version using 1 table (2 kbytes of table space) or 4 tables (8
89 * kbytes of table space) for higher speed.
90 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
91 * increase by using tables for the last rounds but with more table
92 * space (2 or 8 kbytes extra).
93 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
94 * slower version is provided.
95 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
96 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
97 */
98
99 #define UNROLL
100 //#define PARTIAL_UNROLL
101
102 #define FIXED_TABLES
103 //#define FF_TABLES
104 //#define ARRAYS
105 #define FAST_VARIABLE
106
107 //#define ONE_TABLE
108 #define FOUR_TABLES
109
110 //#define ONE_LR_TABLE
111 #define FOUR_LR_TABLES
112
113 //#define ONE_IM_TABLE
114 #define FOUR_IM_TABLES
115
116 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
117 #error both UNROLL and PARTIAL_UNROLL are defined
118 #endif
119
120 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
121 #error both ONE_TABLE and FOUR_TABLES are defined
122 #endif
123
124 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
125 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
126 #endif
127
128 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
129 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
130 #endif
131
132 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
133 #error an illegal block size has been specified
134 #endif
135
136 /**
137 * Rotates bytes within words by n positions, moving bytes
138 * to higher index positions with wrap around into low positions.
139 */
140 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
141 /**
142 * Moves bytes by n positions to higher index positions in
143 * words but without wrap around.
144 */
145 #define ups(x,n) ((x) << 8 * (n))
146
147 /**
148 * Extracts a byte from a word.
149 */
150 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
151 #define bytes2word(b0, b1, b2, b3) \
152 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
153
154
155 /* little endian processor without data alignment restrictions: AES_LE_OK */
156 /* original code: i386 */
157 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
158 #define AES_LE_OK 1
159 /* added (tested): alpha --jjo */
160 #elif defined(__alpha__)|| defined (__alpha)
161 #define AES_LE_OK 1
162 /* added (tested): ia64 --jjo */
163 #elif defined(__ia64__)|| defined (__ia64)
164 #define AES_LE_OK 1
165 #endif
166
167 #ifdef AES_LE_OK
168 /* little endian processor without data alignment restrictions */
169 #define word_in(x) *(u_int32_t*)(x)
170 #define const_word_in(x) *(const u_int32_t*)(x)
171 #define word_out(x,v) *(u_int32_t*)(x) = (v)
172 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
173 #else
174 /* slower but generic big endian or with data alignment restrictions */
175 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
176 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
177 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
178 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
179 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
180 #endif
181
182 // Disable at least some poor combinations of options
183
184 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
185 #define FIXED_TABLES
186 #undef UNROLL
187 #undef ONE_LR_TABLE
188 #undef FOUR_LR_TABLES
189 #undef ONE_IM_TABLE
190 #undef FOUR_IM_TABLES
191 #elif !defined(FOUR_TABLES)
192 #ifdef FOUR_LR_TABLES
193 #undef FOUR_LR_TABLES
194 #define ONE_LR_TABLE
195 #endif
196 #ifdef FOUR_IM_TABLES
197 #undef FOUR_IM_TABLES
198 #define ONE_IM_TABLE
199 #endif
200 #elif !defined(AES_BLOCK_SIZE)
201 #if defined(UNROLL)
202 #define PARTIAL_UNROLL
203 #undef UNROLL
204 #endif
205 #endif
206
207 // the finite field modular polynomial and elements
208
209 #define ff_poly 0x011b
210 #define ff_hi 0x80
211
212 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
213
214 #define m1 0x80808080
215 #define m2 0x7f7f7f7f
216 #define m3 0x0000001b
217 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
218
219 // The following defines provide alternative definitions of FFmulX that might
220 // give improved performance if a fast 32-bit multiply is not available. Note
221 // that a temporary variable u needs to be defined where FFmulX is used.
222
223 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
224 // #define m4 0x1b1b1b1b
225 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
226
227 // perform column mix operation on four bytes in parallel
228
229 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
230
231 #if defined(FIXED_TABLES)
232
233 // the S-Box table
234
235 static const unsigned char s_box[256] =
236 {
237 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
238 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
239 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
240 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
241 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
242 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
243 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
244 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
245 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
246 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
247 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
248 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
249 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
250 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
251 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
252 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
253 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
254 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
255 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
256 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
257 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
258 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
259 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
260 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
261 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
262 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
263 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
264 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
265 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
266 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
267 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
268 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
269 };
270
271 // the inverse S-Box table
272
273 static const unsigned char inv_s_box[256] =
274 {
275 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
276 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
277 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
278 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
279 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
280 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
281 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
282 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
283 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
284 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
285 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
286 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
287 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
288 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
289 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
290 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
291 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
292 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
293 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
294 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
295 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
296 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
297 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
298 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
299 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
300 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
301 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
302 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
303 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
304 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
305 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
306 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
307 };
308
309 #define w0(p) 0x000000##p
310
311 // Number of elements required in this table for different
312 // block and key lengths is:
313 //
314 // Nk = 4 6 8
315 // ----------
316 // Nb = 4 | 10 8 7
317 // 6 | 19 12 11
318 // 8 | 29 19 14
319 //
320 // this table can be a table of bytes if the key schedule
321 // code is adjusted accordingly
322
323 static const u_int32_t rcon_tab[29] =
324 {
325 w0(01), w0(02), w0(04), w0(08),
326 w0(10), w0(20), w0(40), w0(80),
327 w0(1b), w0(36), w0(6c), w0(d8),
328 w0(ab), w0(4d), w0(9a), w0(2f),
329 w0(5e), w0(bc), w0(63), w0(c6),
330 w0(97), w0(35), w0(6a), w0(d4),
331 w0(b3), w0(7d), w0(fa), w0(ef),
332 w0(c5)
333 };
334
335 #undef w0
336
337 #define r0(p,q,r,s) 0x##p##q##r##s
338 #define r1(p,q,r,s) 0x##q##r##s##p
339 #define r2(p,q,r,s) 0x##r##s##p##q
340 #define r3(p,q,r,s) 0x##s##p##q##r
341 #define w0(p) 0x000000##p
342 #define w1(p) 0x0000##p##00
343 #define w2(p) 0x00##p##0000
344 #define w3(p) 0x##p##000000
345
346 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
347
348 // data for forward tables (other than last round)
349
350 #define f_table \
351 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
352 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
353 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
354 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
355 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
356 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
357 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
358 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
359 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
360 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
361 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
362 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
363 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
364 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
365 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
366 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
367 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
368 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
369 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
370 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
371 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
372 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
373 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
374 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
375 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
376 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
377 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
378 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
379 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
380 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
381 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
382 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
383 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
384 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
385 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
386 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
387 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
388 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
389 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
390 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
391 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
392 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
393 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
394 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
395 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
396 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
397 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
398 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
399 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
400 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
401 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
402 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
403 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
404 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
405 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
406 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
407 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
408 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
409 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
410 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
411 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
412 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
413 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
414 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
415
416 // data for inverse tables (other than last round)
417
418 #define i_table \
419 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
420 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
421 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
422 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
423 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
424 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
425 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
426 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
427 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
428 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
429 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
430 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
431 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
432 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
433 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
434 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
435 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
436 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
437 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
438 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
439 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
440 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
441 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
442 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
443 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
444 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
445 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
446 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
447 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
448 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
449 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
450 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
451 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
452 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
453 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
454 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
455 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
456 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
457 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
458 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
459 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
460 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
461 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
462 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
463 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
464 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
465 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
466 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
467 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
468 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
469 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
470 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
471 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
472 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
473 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
474 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
475 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
476 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
477 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
478 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
479 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
480 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
481 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
482 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
483
484 // generate the required tables in the desired endian format
485
486 #undef r
487 #define r r0
488
489 #if defined(ONE_TABLE)
490 static const u_int32_t ft_tab[256] =
491 { f_table };
492 #elif defined(FOUR_TABLES)
493 static const u_int32_t ft_tab[4][256] =
494 { { f_table },
495 #undef r
496 #define r r1
497 { f_table },
498 #undef r
499 #define r r2
500 { f_table },
501 #undef r
502 #define r r3
503 { f_table }
504 };
505 #endif
506
507 #undef r
508 #define r r0
509 #if defined(ONE_TABLE)
510 static const u_int32_t it_tab[256] =
511 { i_table };
512 #elif defined(FOUR_TABLES)
513 static const u_int32_t it_tab[4][256] =
514 { { i_table },
515 #undef r
516 #define r r1
517 { i_table },
518 #undef r
519 #define r r2
520 { i_table },
521 #undef r
522 #define r r3
523 { i_table }
524 };
525 #endif
526
527 #endif
528
529 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
530
531 // data for inverse tables (last round)
532
533 #define li_table \
534 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
535 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
536 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
537 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
538 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
539 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
540 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
541 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
542 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
543 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
544 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
545 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
546 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
547 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
548 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
549 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
550 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
551 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
552 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
553 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
554 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
555 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
556 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
557 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
558 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
559 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
560 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
561 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
562 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
563 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
564 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
565 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
566
567 // generate the required tables in the desired endian format
568
569 #undef r
570 #define r(p,q,r,s) w0(q)
571 #if defined(ONE_LR_TABLE)
572 static const u_int32_t fl_tab[256] =
573 { f_table };
574 #elif defined(FOUR_LR_TABLES)
575 static const u_int32_t fl_tab[4][256] =
576 { { f_table },
577 #undef r
578 #define r(p,q,r,s) w1(q)
579 { f_table },
580 #undef r
581 #define r(p,q,r,s) w2(q)
582 { f_table },
583 #undef r
584 #define r(p,q,r,s) w3(q)
585 { f_table }
586 };
587 #endif
588
589 #undef w
590 #define w w0
591 #if defined(ONE_LR_TABLE)
592 static const u_int32_t il_tab[256] =
593 { li_table };
594 #elif defined(FOUR_LR_TABLES)
595 static const u_int32_t il_tab[4][256] =
596 { { li_table },
597 #undef w
598 #define w w1
599 { li_table },
600 #undef w
601 #define w w2
602 { li_table },
603 #undef w
604 #define w w3
605 { li_table }
606 };
607 #endif
608
609 #endif
610
611 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
612
613 #define m_table \
614 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
615 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
616 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
617 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
618 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
619 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
620 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
621 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
622 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
623 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
624 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
625 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
626 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
627 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
628 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
629 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
630 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
631 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
632 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
633 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
634 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
635 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
636 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
637 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
638 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
639 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
640 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
641 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
642 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
643 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
644 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
645 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
646 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
647 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
648 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
649 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
650 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
651 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
652 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
653 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
654 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
655 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
656 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
657 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
658 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
659 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
660 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
661 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
662 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
663 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
664 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
665 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
666 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
667 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
668 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
669 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
670 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
671 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
672 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
673 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
674 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
675 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
676 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
677 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
678
679 #undef r
680 #define r r0
681
682 #if defined(ONE_IM_TABLE)
683 static const u_int32_t im_tab[256] =
684 { m_table };
685 #elif defined(FOUR_IM_TABLES)
686 static const u_int32_t im_tab[4][256] =
687 { { m_table },
688 #undef r
689 #define r r1
690 { m_table },
691 #undef r
692 #define r r2
693 { m_table },
694 #undef r
695 #define r r3
696 { m_table }
697 };
698 #endif
699
700 #endif
701
702 #else
703
704 static int tab_gen = 0;
705
706 static unsigned char s_box[256]; // the S box
707 static unsigned char inv_s_box[256]; // the inverse S box
708 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
709
710 #if defined(ONE_TABLE)
711 static u_int32_t ft_tab[256];
712 static u_int32_t it_tab[256];
713 #elif defined(FOUR_TABLES)
714 static u_int32_t ft_tab[4][256];
715 static u_int32_t it_tab[4][256];
716 #endif
717
718 #if defined(ONE_LR_TABLE)
719 static u_int32_t fl_tab[256];
720 static u_int32_t il_tab[256];
721 #elif defined(FOUR_LR_TABLES)
722 static u_int32_t fl_tab[4][256];
723 static u_int32_t il_tab[4][256];
724 #endif
725
726 #if defined(ONE_IM_TABLE)
727 static u_int32_t im_tab[256];
728 #elif defined(FOUR_IM_TABLES)
729 static u_int32_t im_tab[4][256];
730 #endif
731
732 // Generate the tables for the dynamic table option
733
734 #if !defined(FF_TABLES)
735
736 // It will generally be sensible to use tables to compute finite
737 // field multiplies and inverses but where memory is scarse this
738 // code might sometimes be better.
739
740 // return 2 ^ (n - 1) where n is the bit number of the highest bit
741 // set in x with x in the range 1 < x < 0x00000200. This form is
742 // used so that locals within FFinv can be bytes rather than words
743
744 static unsigned char hibit(const u_int32_t x)
745 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
746
747 r |= (r >> 2);
748 r |= (r >> 4);
749 return (r + 1) >> 1;
750 }
751
752 // return the inverse of the finite field element x
753
754 static unsigned char FFinv(const unsigned char x)
755 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
756
757 if(x < 2) return x;
758
759 for(;;)
760 {
761 if(!n1) return v1;
762
763 while(n2 >= n1)
764 {
765 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
766 }
767
768 if(!n2) return v2;
769
770 while(n1 >= n2)
771 {
772 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
773 }
774 }
775 }
776
777 // define the finite field multiplies required for Rijndael
778
779 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
780 #define FFmul03(x) ((x) ^ FFmul02(x))
781 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
782 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
783 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
784 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
785
786 #else
787
788 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
789
790 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
791 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
792 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
793 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
794 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
795 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
796
797 #endif
798
799 // The forward and inverse affine transformations used in the S-box
800
801 #define fwd_affine(x) \
802 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
803
804 #define inv_affine(x) \
805 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
806
807 static void gen_tabs(void)
808 { u_int32_t i, w;
809
810 #if defined(FF_TABLES)
811
812 unsigned char pow[512], log[256];
813
814 // log and power tables for GF(2^8) finite field with
815 // 0x011b as modular polynomial - the simplest primitive
816 // root is 0x03, used here to generate the tables
817
818 i = 0; w = 1;
819 do
820 {
821 pow[i] = (unsigned char)w;
822 pow[i + 255] = (unsigned char)w;
823 log[w] = (unsigned char)i++;
824 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
825 }
826 while (w != 1);
827
828 #endif
829
830 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
831 {
832 rcon_tab[i] = bytes2word(w, 0, 0, 0);
833 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
834 }
835
836 for(i = 0; i < 256; ++i)
837 { unsigned char b;
838
839 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
840
841 w = bytes2word(b, 0, 0, 0);
842 #if defined(ONE_LR_TABLE)
843 fl_tab[i] = w;
844 #elif defined(FOUR_LR_TABLES)
845 fl_tab[0][i] = w;
846 fl_tab[1][i] = upr(w,1);
847 fl_tab[2][i] = upr(w,2);
848 fl_tab[3][i] = upr(w,3);
849 #endif
850 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
851 #if defined(ONE_TABLE)
852 ft_tab[i] = w;
853 #elif defined(FOUR_TABLES)
854 ft_tab[0][i] = w;
855 ft_tab[1][i] = upr(w,1);
856 ft_tab[2][i] = upr(w,2);
857 ft_tab[3][i] = upr(w,3);
858 #endif
859 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
860
861 w = bytes2word(b, 0, 0, 0);
862 #if defined(ONE_LR_TABLE)
863 il_tab[i] = w;
864 #elif defined(FOUR_LR_TABLES)
865 il_tab[0][i] = w;
866 il_tab[1][i] = upr(w,1);
867 il_tab[2][i] = upr(w,2);
868 il_tab[3][i] = upr(w,3);
869 #endif
870 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
871 #if defined(ONE_TABLE)
872 it_tab[i] = w;
873 #elif defined(FOUR_TABLES)
874 it_tab[0][i] = w;
875 it_tab[1][i] = upr(w,1);
876 it_tab[2][i] = upr(w,2);
877 it_tab[3][i] = upr(w,3);
878 #endif
879 #if defined(ONE_IM_TABLE)
880 im_tab[b] = w;
881 #elif defined(FOUR_IM_TABLES)
882 im_tab[0][b] = w;
883 im_tab[1][b] = upr(w,1);
884 im_tab[2][b] = upr(w,2);
885 im_tab[3][b] = upr(w,3);
886 #endif
887
888 }
889 }
890
891 #endif
892
893 #define no_table(x,box,vf,rf,c) bytes2word( \
894 box[bval(vf(x,0,c),rf(0,c))], \
895 box[bval(vf(x,1,c),rf(1,c))], \
896 box[bval(vf(x,2,c),rf(2,c))], \
897 box[bval(vf(x,3,c),rf(3,c))])
898
899 #define one_table(x,op,tab,vf,rf,c) \
900 ( tab[bval(vf(x,0,c),rf(0,c))] \
901 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
902 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
903 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
904
905 #define four_tables(x,tab,vf,rf,c) \
906 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
907 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
908 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
909 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
910
911 #define vf1(x,r,c) (x)
912 #define rf1(r,c) (r)
913 #define rf2(r,c) ((r-c)&3)
914
915 #if defined(FOUR_LR_TABLES)
916 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
917 #elif defined(ONE_LR_TABLE)
918 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
919 #else
920 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
921 #endif
922
923 #if defined(FOUR_IM_TABLES)
924 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
925 #elif defined(ONE_IM_TABLE)
926 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
927 #else
928 #define inv_mcol(x) \
929 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
930 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
931 #endif
932
933 #define nc (AES_BLOCK_SIZE/4)
934
935 // Initialise the key schedule from the user supplied key. The key
936 // length is now specified in bytes - 16, 24 or 32 as appropriate.
937 // This corresponds to bit lengths of 128, 192 and 256 bits, and
938 // to Nk values of 4, 6 and 8 respectively.
939
940 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
941 #define cp(t,f) *t++ = *f++
942
943 #if AES_BLOCK_SIZE == 16
944 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
945 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
946 #elif AES_BLOCK_SIZE == 24
947 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
948 cp(d,s); cp(d,s)
949 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
950 mx(d,s); mx(d,s)
951 #elif AES_BLOCK_SIZE == 32
952 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
953 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
954 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
955 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
956 #else
957
958 #define cpy(d,s) \
959 switch(nc) \
960 { case 8: cp(d,s); cp(d,s); \
961 case 6: cp(d,s); cp(d,s); \
962 case 4: cp(d,s); cp(d,s); \
963 cp(d,s); cp(d,s); \
964 }
965
966 #define mix(d,s) \
967 switch(nc) \
968 { case 8: mx(d,s); mx(d,s); \
969 case 6: mx(d,s); mx(d,s); \
970 case 4: mx(d,s); mx(d,s); \
971 mx(d,s); mx(d,s); \
972 }
973
974 #endif
975
976 // y = output word, x = input word, r = row, c = column
977 // for r = 0, 1, 2 and 3 = column accessed for row r
978
979 #if defined(ARRAYS)
980 #define s(x,c) x[c]
981 #else
982 #define s(x,c) x##c
983 #endif
984
985 // I am grateful to Frank Yellin for the following constructions
986 // which, given the column (c) of the output state variable that
987 // is being computed, return the input state variables which are
988 // needed for each row (r) of the state
989
990 // For the fixed block size options, compilers reduce these two
991 // expressions to fixed variable references. For variable block
992 // size code conditional clauses will sometimes be returned
993
994 #define unused 77 // Sunset Strip
995
996 #define fwd_var(x,r,c) \
997 ( r==0 ? \
998 ( c==0 ? s(x,0) \
999 : c==1 ? s(x,1) \
1000 : c==2 ? s(x,2) \
1001 : c==3 ? s(x,3) \
1002 : c==4 ? s(x,4) \
1003 : c==5 ? s(x,5) \
1004 : c==6 ? s(x,6) \
1005 : s(x,7)) \
1006 : r==1 ? \
1007 ( c==0 ? s(x,1) \
1008 : c==1 ? s(x,2) \
1009 : c==2 ? s(x,3) \
1010 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1011 : c==4 ? s(x,5) \
1012 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1013 : c==6 ? s(x,7) \
1014 : s(x,0)) \
1015 : r==2 ? \
1016 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1017 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1018 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1019 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1020 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1021 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1022 : c==6 ? s(x,1) \
1023 : s(x,2)) \
1024 : \
1025 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1026 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1027 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1028 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1029 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1030 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1031 : c==6 ? s(x,2) \
1032 : s(x,3)))
1033
1034 #define inv_var(x,r,c) \
1035 ( r==0 ? \
1036 ( c==0 ? s(x,0) \
1037 : c==1 ? s(x,1) \
1038 : c==2 ? s(x,2) \
1039 : c==3 ? s(x,3) \
1040 : c==4 ? s(x,4) \
1041 : c==5 ? s(x,5) \
1042 : c==6 ? s(x,6) \
1043 : s(x,7)) \
1044 : r==1 ? \
1045 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1046 : c==1 ? s(x,0) \
1047 : c==2 ? s(x,1) \
1048 : c==3 ? s(x,2) \
1049 : c==4 ? s(x,3) \
1050 : c==5 ? s(x,4) \
1051 : c==6 ? s(x,5) \
1052 : s(x,6)) \
1053 : r==2 ? \
1054 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1055 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1056 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1057 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1058 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1059 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1060 : c==6 ? s(x,3) \
1061 : s(x,4)) \
1062 : \
1063 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1064 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1065 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1066 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1067 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1068 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1069 : c==6 ? s(x,2) \
1070 : s(x,3)))
1071
1072 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1073 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1074
1075 #if defined(FOUR_TABLES)
1076 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1077 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1078 #elif defined(ONE_TABLE)
1079 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1080 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1081 #else
1082 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1083 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1084 #endif
1085
1086 #if defined(FOUR_LR_TABLES)
1087 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1088 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1089 #elif defined(ONE_LR_TABLE)
1090 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1091 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1092 #else
1093 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1094 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1095 #endif
1096
1097 #if AES_BLOCK_SIZE == 16
1098
1099 #if defined(ARRAYS)
1100 #define locals(y,x) x[4],y[4]
1101 #else
1102 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1103 // the following defines prevent the compiler requiring the declaration
1104 // of generated but unused variables in the fwd_var and inv_var macros
1105 #define b04 unused
1106 #define b05 unused
1107 #define b06 unused
1108 #define b07 unused
1109 #define b14 unused
1110 #define b15 unused
1111 #define b16 unused
1112 #define b17 unused
1113 #endif
1114 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1115 s(y,2) = s(x,2); s(y,3) = s(x,3);
1116 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1117 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1118 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1119
1120 #elif AES_BLOCK_SIZE == 24
1121
1122 #if defined(ARRAYS)
1123 #define locals(y,x) x[6],y[6]
1124 #else
1125 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1126 y##0,y##1,y##2,y##3,y##4,y##5
1127 #define b06 unused
1128 #define b07 unused
1129 #define b16 unused
1130 #define b17 unused
1131 #endif
1132 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1133 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1134 s(y,4) = s(x,4); s(y,5) = s(x,5);
1135 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1136 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1137 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1138 so(y,x,3); so(y,x,4); so(y,x,5)
1139 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1140 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1141 #else
1142
1143 #if defined(ARRAYS)
1144 #define locals(y,x) x[8],y[8]
1145 #else
1146 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1147 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1148 #endif
1149 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1150 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1151 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1152 s(y,6) = s(x,6); s(y,7) = s(x,7);
1153
1154 #if AES_BLOCK_SIZE == 32
1155
1156 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1157 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1158 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1159 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1160 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1161 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1162 #else
1163
1164 #define state_in(y,x,k) \
1165 switch(nc) \
1166 { case 8: si(y,x,k,7); si(y,x,k,6); \
1167 case 6: si(y,x,k,5); si(y,x,k,4); \
1168 case 4: si(y,x,k,3); si(y,x,k,2); \
1169 si(y,x,k,1); si(y,x,k,0); \
1170 }
1171
1172 #define state_out(y,x) \
1173 switch(nc) \
1174 { case 8: so(y,x,7); so(y,x,6); \
1175 case 6: so(y,x,5); so(y,x,4); \
1176 case 4: so(y,x,3); so(y,x,2); \
1177 so(y,x,1); so(y,x,0); \
1178 }
1179
1180 #if defined(FAST_VARIABLE)
1181
1182 #define round(rm,y,x,k) \
1183 switch(nc) \
1184 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1185 rm(y,x,k,5); rm(y,x,k,4); \
1186 rm(y,x,k,3); rm(y,x,k,2); \
1187 rm(y,x,k,1); rm(y,x,k,0); \
1188 break; \
1189 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1190 rm(y,x,k,3); rm(y,x,k,2); \
1191 rm(y,x,k,1); rm(y,x,k,0); \
1192 break; \
1193 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1194 rm(y,x,k,1); rm(y,x,k,0); \
1195 break; \
1196 }
1197 #else
1198
1199 #define round(rm,y,x,k) \
1200 switch(nc) \
1201 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1202 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1203 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1204 rm(y,x,k,1); rm(y,x,k,0); \
1205 }
1206
1207 #endif
1208
1209 #endif
1210 #endif
1211
1212 /**
1213 * Encrypt a single block of data.
1214 */
1215 static void encrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1216 { u_int32_t locals(b0, b1);
1217 const u_int32_t *kp = this->aes_e_key;
1218
1219 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1220 u_int32_t f2;
1221 #endif
1222
1223 state_in(b0, in_blk, kp); kp += nc;
1224
1225 #if defined(UNROLL)
1226
1227 switch(this->aes_Nrnd)
1228 {
1229 case 14: round(fwd_rnd, b1, b0, kp );
1230 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1231 case 12: round(fwd_rnd, b1, b0, kp );
1232 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1233 case 10: round(fwd_rnd, b1, b0, kp );
1234 round(fwd_rnd, b0, b1, kp + nc);
1235 round(fwd_rnd, b1, b0, kp + 2 * nc);
1236 round(fwd_rnd, b0, b1, kp + 3 * nc);
1237 round(fwd_rnd, b1, b0, kp + 4 * nc);
1238 round(fwd_rnd, b0, b1, kp + 5 * nc);
1239 round(fwd_rnd, b1, b0, kp + 6 * nc);
1240 round(fwd_rnd, b0, b1, kp + 7 * nc);
1241 round(fwd_rnd, b1, b0, kp + 8 * nc);
1242 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1243 }
1244
1245 #elif defined(PARTIAL_UNROLL)
1246 { u_int32_t rnd;
1247
1248 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1249 {
1250 round(fwd_rnd, b1, b0, kp);
1251 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1252 }
1253
1254 round(fwd_rnd, b1, b0, kp);
1255 round(fwd_lrnd, b0, b1, kp + nc);
1256 }
1257 #else
1258 { u_int32_t rnd;
1259
1260 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1261 {
1262 round(fwd_rnd, b1, b0, kp);
1263 l_copy(b0, b1); kp += nc;
1264 }
1265
1266 round(fwd_lrnd, b0, b1, kp);
1267 }
1268 #endif
1269
1270 state_out(out_blk, b0);
1271 }
1272
1273 /**
1274 * Decrypt a single block of data.
1275 */
1276 static void decrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1277 { u_int32_t locals(b0, b1);
1278 const u_int32_t *kp = this->aes_d_key;
1279
1280 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1281 u_int32_t f2, f4, f8, f9;
1282 #endif
1283
1284 state_in(b0, in_blk, kp); kp += nc;
1285
1286 #if defined(UNROLL)
1287
1288 switch(this->aes_Nrnd)
1289 {
1290 case 14: round(inv_rnd, b1, b0, kp );
1291 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1292 case 12: round(inv_rnd, b1, b0, kp );
1293 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1294 case 10: round(inv_rnd, b1, b0, kp );
1295 round(inv_rnd, b0, b1, kp + nc);
1296 round(inv_rnd, b1, b0, kp + 2 * nc);
1297 round(inv_rnd, b0, b1, kp + 3 * nc);
1298 round(inv_rnd, b1, b0, kp + 4 * nc);
1299 round(inv_rnd, b0, b1, kp + 5 * nc);
1300 round(inv_rnd, b1, b0, kp + 6 * nc);
1301 round(inv_rnd, b0, b1, kp + 7 * nc);
1302 round(inv_rnd, b1, b0, kp + 8 * nc);
1303 round(inv_lrnd, b0, b1, kp + 9 * nc);
1304 }
1305
1306 #elif defined(PARTIAL_UNROLL)
1307 { u_int32_t rnd;
1308
1309 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1310 {
1311 round(inv_rnd, b1, b0, kp);
1312 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1313 }
1314
1315 round(inv_rnd, b1, b0, kp);
1316 round(inv_lrnd, b0, b1, kp + nc);
1317 }
1318 #else
1319 { u_int32_t rnd;
1320
1321 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1322 {
1323 round(inv_rnd, b1, b0, kp);
1324 l_copy(b0, b1); kp += nc;
1325 }
1326
1327 round(inv_lrnd, b0, b1, kp);
1328 }
1329 #endif
1330
1331 state_out(out_blk, b0);
1332 }
1333
1334 METHOD(crypter_t, decrypt, void,
1335 private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
1336 {
1337 int pos;
1338 const u_int32_t *iv_i;
1339 u_int8_t *in, *out;
1340
1341 if (decrypted)
1342 {
1343 *decrypted = chunk_alloc(data.len);
1344 out = decrypted->ptr;
1345 }
1346 else
1347 {
1348 out = data.ptr;
1349 }
1350 in = data.ptr;
1351
1352 pos = data.len-16;
1353 in += pos;
1354 out += pos;
1355 while (pos >= 0)
1356 {
1357 decrypt_block(this, in, out);
1358 if (pos==0)
1359 {
1360 iv_i=(const u_int32_t*) (iv.ptr);
1361 }
1362 else
1363 {
1364 iv_i=(const u_int32_t*) (in-16);
1365 }
1366 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1367 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1368 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1369 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1370 in-=16;
1371 out-=16;
1372 pos-=16;
1373 }
1374 }
1375
1376 METHOD(crypter_t, encrypt, void,
1377 private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
1378 {
1379 int pos;
1380 const u_int32_t *iv_i;
1381 u_int8_t *in, *out;
1382
1383 in = data.ptr;
1384 out = data.ptr;
1385 if (encrypted)
1386 {
1387 *encrypted = chunk_alloc(data.len);
1388 out = encrypted->ptr;
1389 }
1390
1391 pos=0;
1392 while(pos<data.len)
1393 {
1394 if (pos==0)
1395 {
1396 iv_i=(const u_int32_t*) iv.ptr;
1397 }
1398 else
1399 {
1400 iv_i=(const u_int32_t*) (out-16);
1401 }
1402 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1403 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1404 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1405 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1406 encrypt_block(this, out, out);
1407 in+=16;
1408 out+=16;
1409 pos+=16;
1410 }
1411 }
1412
1413 METHOD(crypter_t, get_block_size, size_t,
1414 private_aes_crypter_t *this)
1415 {
1416 return AES_BLOCK_SIZE;
1417 }
1418
1419 METHOD(crypter_t, get_iv_size, size_t,
1420 private_aes_crypter_t *this)
1421 {
1422 return AES_BLOCK_SIZE;
1423 }
1424
1425 METHOD(crypter_t, get_key_size, size_t,
1426 private_aes_crypter_t *this)
1427 {
1428 return this->key_size;
1429 }
1430
1431 METHOD(crypter_t, set_key, void,
1432 private_aes_crypter_t *this, chunk_t key)
1433 {
1434 u_int32_t *kf, *kt, rci, f = 0;
1435 u_int8_t *in_key = key.ptr;
1436
1437 this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
1438
1439 this->aes_e_key[0] = const_word_in(in_key );
1440 this->aes_e_key[1] = const_word_in(in_key + 4);
1441 this->aes_e_key[2] = const_word_in(in_key + 8);
1442 this->aes_e_key[3] = const_word_in(in_key + 12);
1443
1444 kf = this->aes_e_key;
1445 kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
1446 rci = 0;
1447
1448 switch(this->aes_Nkey)
1449 {
1450 case 4: do
1451 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1452 kf[5] = kf[1] ^ kf[4];
1453 kf[6] = kf[2] ^ kf[5];
1454 kf[7] = kf[3] ^ kf[6];
1455 kf += 4;
1456 }
1457 while(kf < kt);
1458 break;
1459
1460 case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
1461 this->aes_e_key[5] = const_word_in(in_key + 20);
1462 do
1463 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1464 kf[ 7] = kf[1] ^ kf[ 6];
1465 kf[ 8] = kf[2] ^ kf[ 7];
1466 kf[ 9] = kf[3] ^ kf[ 8];
1467 kf[10] = kf[4] ^ kf[ 9];
1468 kf[11] = kf[5] ^ kf[10];
1469 kf += 6;
1470 }
1471 while(kf < kt);
1472 break;
1473
1474 case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
1475 this->aes_e_key[5] = const_word_in(in_key + 20);
1476 this->aes_e_key[6] = const_word_in(in_key + 24);
1477 this->aes_e_key[7] = const_word_in(in_key + 28);
1478 do
1479 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1480 kf[ 9] = kf[1] ^ kf[ 8];
1481 kf[10] = kf[2] ^ kf[ 9];
1482 kf[11] = kf[3] ^ kf[10];
1483 kf[12] = kf[4] ^ ls_box(kf[11],0);
1484 kf[13] = kf[5] ^ kf[12];
1485 kf[14] = kf[6] ^ kf[13];
1486 kf[15] = kf[7] ^ kf[14];
1487 kf += 8;
1488 }
1489 while (kf < kt);
1490 break;
1491 }
1492
1493 if(!f)
1494 {
1495 u_int32_t i;
1496
1497 kt = this->aes_d_key + nc * this->aes_Nrnd;
1498 kf = this->aes_e_key;
1499
1500 cpy(kt, kf); kt -= 2 * nc;
1501
1502 for(i = 1; i < this->aes_Nrnd; ++i)
1503 {
1504 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1505 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1506 u_int32_t f2, f4, f8, f9;
1507 #endif
1508 mix(kt, kf);
1509 #else
1510 cpy(kt, kf);
1511 #endif
1512 kt -= 2 * nc;
1513 }
1514 cpy(kt, kf);
1515 }
1516 }
1517
1518 METHOD(crypter_t, destroy, void,
1519 private_aes_crypter_t *this)
1520 {
1521 free(this);
1522 }
1523
1524 /*
1525 * Described in header
1526 */
1527 aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
1528 {
1529 private_aes_crypter_t *this;
1530
1531 if (algo != ENCR_AES_CBC)
1532 {
1533 return NULL;
1534 }
1535 switch (key_size)
1536 {
1537 case 0:
1538 key_size = 16;
1539 break;
1540 case 32:
1541 case 24:
1542 case 16:
1543 break;
1544 default:
1545 return NULL;
1546 }
1547
1548 #if !defined(FIXED_TABLES)
1549 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1550 #endif
1551
1552 INIT(this,
1553 .public.crypter = {
1554 .encrypt = _encrypt,
1555 .decrypt = _decrypt,
1556 .get_block_size = _get_block_size,
1557 .get_iv_size = _get_iv_size,
1558 .get_key_size = _get_key_size,
1559 .set_key = _set_key,
1560 .destroy = _destroy,
1561 },
1562 .key_size = key_size,
1563 .aes_Nkey = key_size / 4,
1564 );
1565
1566 return &(this->public);
1567 }