projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
cleaned up pluto's crypto framework
[strongswan.git] / src / libstrongswan / plugins / aes / aes_crypter.c
1 /*
2 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "aes_crypter.h"
19
20 /*
21 * The number of key schedule words for different block and key lengths
22 * allowing for method of computation which requires the length to be a
23 * multiple of the key length. This version of AES implementation supports
24 * all three keylengths 16, 24 and 32 bytes!
25 *
26 * Nk = 4 6 8
27 * -------------
28 * Nb = 4 | 60 60 64
29 * 6 | 96 90 96
30 * 8 | 120 120 120
31 */
32 #define AES_KS_LENGTH 120
33 #define AES_RC_LENGTH 29
34
35 typedef struct private_aes_crypter_t private_aes_crypter_t;
36
37 /**
38 * Class implementing the AES symmetric encryption algorithm.
39 *
40 * @ingroup crypters
41 */
42 struct private_aes_crypter_t {
43
44 /**
45 * Public part of this class.
46 */
47 aes_crypter_t public;
48
49 /**
50 * Number of words in the key input block.
51 */
52 u_int32_t aes_Nkey;
53
54 /**
55 * The number of cipher rounds.
56 */
57 u_int32_t aes_Nrnd;
58
59 /**
60 * The encryption key schedule.
61 */
62 u_int32_t aes_e_key[AES_KS_LENGTH];
63
64 /**
65 * The decryption key schedule.
66 */
67 u_int32_t aes_d_key[AES_KS_LENGTH];
68
69 /**
70 * Key size of this AES cypher object.
71 */
72 u_int32_t key_size;
73 };
74
75
76 /* ugly macro stuff */
77
78 /* 1. Define UNROLL for full loop unrolling in encryption and decryption.
79 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
80 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
81 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
82 * Do not enable this without understanding stack space requirements.
83 * 5. Define ARRAYS to use arrays to hold the local state block. If this
84 * is not defined, individually declared 32-bit words are used.
85 * 6. Define FAST_VARIABLE if a high speed variable block implementation
86 * is needed (essentially three separate fixed block size code sequences)
87 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
88 * version using 1 table (2 kbytes of table space) or 4 tables (8
89 * kbytes of table space) for higher speed.
90 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
91 * increase by using tables for the last rounds but with more table
92 * space (2 or 8 kbytes extra).
93 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
94 * slower version is provided.
95 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
96 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
97 */
98
99 #define UNROLL
100 //#define PARTIAL_UNROLL
101
102 #define FIXED_TABLES
103 //#define FF_TABLES
104 //#define ARRAYS
105 #define FAST_VARIABLE
106
107 //#define ONE_TABLE
108 #define FOUR_TABLES
109
110 //#define ONE_LR_TABLE
111 #define FOUR_LR_TABLES
112
113 //#define ONE_IM_TABLE
114 #define FOUR_IM_TABLES
115
116 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
117 #error both UNROLL and PARTIAL_UNROLL are defined
118 #endif
119
120 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
121 #error both ONE_TABLE and FOUR_TABLES are defined
122 #endif
123
124 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
125 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
126 #endif
127
128 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
129 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
130 #endif
131
132 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
133 #error an illegal block size has been specified
134 #endif
135
136 /**
137 * Rotates bytes within words by n positions, moving bytes
138 * to higher index positions with wrap around into low positions.
139 */
140 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
141 /**
142 * Moves bytes by n positions to higher index positions in
143 * words but without wrap around.
144 */
145 #define ups(x,n) ((x) << 8 * (n))
146
147 /**
148 * Extracts a byte from a word.
149 */
150 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
151 #define bytes2word(b0, b1, b2, b3) \
152 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
153
154
155 /* little endian processor without data alignment restrictions: AES_LE_OK */
156 /* original code: i386 */
157 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
158 #define AES_LE_OK 1
159 /* added (tested): alpha --jjo */
160 #elif defined(__alpha__)|| defined (__alpha)
161 #define AES_LE_OK 1
162 /* added (tested): ia64 --jjo */
163 #elif defined(__ia64__)|| defined (__ia64)
164 #define AES_LE_OK 1
165 #endif
166
167 #ifdef AES_LE_OK
168 /* little endian processor without data alignment restrictions */
169 #define word_in(x) *(u_int32_t*)(x)
170 #define const_word_in(x) *(const u_int32_t*)(x)
171 #define word_out(x,v) *(u_int32_t*)(x) = (v)
172 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
173 #else
174 /* slower but generic big endian or with data alignment restrictions */
175 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
176 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
177 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
178 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
179 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
180 #endif
181
182 // Disable at least some poor combinations of options
183
184 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
185 #define FIXED_TABLES
186 #undef UNROLL
187 #undef ONE_LR_TABLE
188 #undef FOUR_LR_TABLES
189 #undef ONE_IM_TABLE
190 #undef FOUR_IM_TABLES
191 #elif !defined(FOUR_TABLES)
192 #ifdef FOUR_LR_TABLES
193 #undef FOUR_LR_TABLES
194 #define ONE_LR_TABLE
195 #endif
196 #ifdef FOUR_IM_TABLES
197 #undef FOUR_IM_TABLES
198 #define ONE_IM_TABLE
199 #endif
200 #elif !defined(AES_BLOCK_SIZE)
201 #if defined(UNROLL)
202 #define PARTIAL_UNROLL
203 #undef UNROLL
204 #endif
205 #endif
206
207 // the finite field modular polynomial and elements
208
209 #define ff_poly 0x011b
210 #define ff_hi 0x80
211
212 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
213
214 #define m1 0x80808080
215 #define m2 0x7f7f7f7f
216 #define m3 0x0000001b
217 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
218
219 // The following defines provide alternative definitions of FFmulX that might
220 // give improved performance if a fast 32-bit multiply is not available. Note
221 // that a temporary variable u needs to be defined where FFmulX is used.
222
223 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
224 // #define m4 0x1b1b1b1b
225 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
226
227 // perform column mix operation on four bytes in parallel
228
229 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
230
231 #if defined(FIXED_TABLES)
232
233 // the S-Box table
234
235 static const unsigned char s_box[256] =
236 {
237 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
238 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
239 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
240 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
241 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
242 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
243 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
244 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
245 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
246 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
247 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
248 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
249 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
250 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
251 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
252 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
253 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
254 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
255 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
256 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
257 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
258 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
259 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
260 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
261 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
262 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
263 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
264 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
265 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
266 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
267 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
268 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
269 };
270
271 // the inverse S-Box table
272
273 static const unsigned char inv_s_box[256] =
274 {
275 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
276 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
277 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
278 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
279 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
280 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
281 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
282 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
283 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
284 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
285 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
286 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
287 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
288 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
289 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
290 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
291 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
292 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
293 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
294 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
295 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
296 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
297 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
298 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
299 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
300 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
301 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
302 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
303 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
304 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
305 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
306 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
307 };
308
309 #define w0(p) 0x000000##p
310
311 // Number of elements required in this table for different
312 // block and key lengths is:
313 //
314 // Nk = 4 6 8
315 // ----------
316 // Nb = 4 | 10 8 7
317 // 6 | 19 12 11
318 // 8 | 29 19 14
319 //
320 // this table can be a table of bytes if the key schedule
321 // code is adjusted accordingly
322
323 static const u_int32_t rcon_tab[29] =
324 {
325 w0(01), w0(02), w0(04), w0(08),
326 w0(10), w0(20), w0(40), w0(80),
327 w0(1b), w0(36), w0(6c), w0(d8),
328 w0(ab), w0(4d), w0(9a), w0(2f),
329 w0(5e), w0(bc), w0(63), w0(c6),
330 w0(97), w0(35), w0(6a), w0(d4),
331 w0(b3), w0(7d), w0(fa), w0(ef),
332 w0(c5)
333 };
334
335 #undef w0
336
337 #define r0(p,q,r,s) 0x##p##q##r##s
338 #define r1(p,q,r,s) 0x##q##r##s##p
339 #define r2(p,q,r,s) 0x##r##s##p##q
340 #define r3(p,q,r,s) 0x##s##p##q##r
341 #define w0(p) 0x000000##p
342 #define w1(p) 0x0000##p##00
343 #define w2(p) 0x00##p##0000
344 #define w3(p) 0x##p##000000
345
346 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
347
348 // data for forward tables (other than last round)
349
350 #define f_table \
351 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
352 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
353 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
354 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
355 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
356 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
357 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
358 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
359 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
360 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
361 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
362 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
363 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
364 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
365 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
366 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
367 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
368 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
369 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
370 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
371 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
372 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
373 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
374 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
375 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
376 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
377 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
378 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
379 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
380 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
381 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
382 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
383 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
384 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
385 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
386 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
387 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
388 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
389 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
390 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
391 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
392 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
393 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
394 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
395 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
396 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
397 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
398 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
399 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
400 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
401 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
402 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
403 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
404 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
405 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
406 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
407 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
408 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
409 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
410 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
411 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
412 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
413 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
414 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
415
416 // data for inverse tables (other than last round)
417
418 #define i_table \
419 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
420 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
421 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
422 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
423 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
424 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
425 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
426 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
427 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
428 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
429 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
430 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
431 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
432 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
433 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
434 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
435 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
436 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
437 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
438 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
439 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
440 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
441 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
442 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
443 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
444 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
445 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
446 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
447 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
448 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
449 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
450 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
451 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
452 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
453 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
454 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
455 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
456 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
457 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
458 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
459 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
460 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
461 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
462 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
463 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
464 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
465 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
466 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
467 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
468 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
469 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
470 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
471 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
472 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
473 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
474 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
475 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
476 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
477 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
478 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
479 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
480 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
481 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
482 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
483
484 // generate the required tables in the desired endian format
485
486 #undef r
487 #define r r0
488
489 #if defined(ONE_TABLE)
490 static const u_int32_t ft_tab[256] =
491 { f_table };
492 #elif defined(FOUR_TABLES)
493 static const u_int32_t ft_tab[4][256] =
494 { { f_table },
495 #undef r
496 #define r r1
497 { f_table },
498 #undef r
499 #define r r2
500 { f_table },
501 #undef r
502 #define r r3
503 { f_table }
504 };
505 #endif
506
507 #undef r
508 #define r r0
509 #if defined(ONE_TABLE)
510 static const u_int32_t it_tab[256] =
511 { i_table };
512 #elif defined(FOUR_TABLES)
513 static const u_int32_t it_tab[4][256] =
514 { { i_table },
515 #undef r
516 #define r r1
517 { i_table },
518 #undef r
519 #define r r2
520 { i_table },
521 #undef r
522 #define r r3
523 { i_table }
524 };
525 #endif
526
527 #endif
528
529 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
530
531 // data for inverse tables (last round)
532
533 #define li_table \
534 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
535 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
536 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
537 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
538 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
539 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
540 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
541 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
542 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
543 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
544 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
545 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
546 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
547 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
548 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
549 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
550 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
551 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
552 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
553 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
554 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
555 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
556 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
557 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
558 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
559 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
560 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
561 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
562 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
563 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
564 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
565 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
566
567 // generate the required tables in the desired endian format
568
569 #undef r
570 #define r(p,q,r,s) w0(q)
571 #if defined(ONE_LR_TABLE)
572 static const u_int32_t fl_tab[256] =
573 { f_table };
574 #elif defined(FOUR_LR_TABLES)
575 static const u_int32_t fl_tab[4][256] =
576 { { f_table },
577 #undef r
578 #define r(p,q,r,s) w1(q)
579 { f_table },
580 #undef r
581 #define r(p,q,r,s) w2(q)
582 { f_table },
583 #undef r
584 #define r(p,q,r,s) w3(q)
585 { f_table }
586 };
587 #endif
588
589 #undef w
590 #define w w0
591 #if defined(ONE_LR_TABLE)
592 static const u_int32_t il_tab[256] =
593 { li_table };
594 #elif defined(FOUR_LR_TABLES)
595 static const u_int32_t il_tab[4][256] =
596 { { li_table },
597 #undef w
598 #define w w1
599 { li_table },
600 #undef w
601 #define w w2
602 { li_table },
603 #undef w
604 #define w w3
605 { li_table }
606 };
607 #endif
608
609 #endif
610
611 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
612
613 #define m_table \
614 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
615 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
616 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
617 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
618 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
619 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
620 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
621 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
622 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
623 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
624 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
625 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
626 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
627 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
628 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
629 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
630 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
631 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
632 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
633 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
634 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
635 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
636 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
637 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
638 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
639 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
640 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
641 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
642 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
643 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
644 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
645 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
646 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
647 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
648 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
649 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
650 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
651 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
652 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
653 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
654 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
655 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
656 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
657 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
658 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
659 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
660 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
661 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
662 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
663 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
664 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
665 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
666 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
667 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
668 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
669 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
670 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
671 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
672 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
673 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
674 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
675 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
676 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
677 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
678
679 #undef r
680 #define r r0
681
682 #if defined(ONE_IM_TABLE)
683 static const u_int32_t im_tab[256] =
684 { m_table };
685 #elif defined(FOUR_IM_TABLES)
686 static const u_int32_t im_tab[4][256] =
687 { { m_table },
688 #undef r
689 #define r r1
690 { m_table },
691 #undef r
692 #define r r2
693 { m_table },
694 #undef r
695 #define r r3
696 { m_table }
697 };
698 #endif
699
700 #endif
701
702 #else
703
704 static int tab_gen = 0;
705
706 static unsigned char s_box[256]; // the S box
707 static unsigned char inv_s_box[256]; // the inverse S box
708 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
709
710 #if defined(ONE_TABLE)
711 static u_int32_t ft_tab[256];
712 static u_int32_t it_tab[256];
713 #elif defined(FOUR_TABLES)
714 static u_int32_t ft_tab[4][256];
715 static u_int32_t it_tab[4][256];
716 #endif
717
718 #if defined(ONE_LR_TABLE)
719 static u_int32_t fl_tab[256];
720 static u_int32_t il_tab[256];
721 #elif defined(FOUR_LR_TABLES)
722 static u_int32_t fl_tab[4][256];
723 static u_int32_t il_tab[4][256];
724 #endif
725
726 #if defined(ONE_IM_TABLE)
727 static u_int32_t im_tab[256];
728 #elif defined(FOUR_IM_TABLES)
729 static u_int32_t im_tab[4][256];
730 #endif
731
732 // Generate the tables for the dynamic table option
733
734 #if !defined(FF_TABLES)
735
736 // It will generally be sensible to use tables to compute finite
737 // field multiplies and inverses but where memory is scarse this
738 // code might sometimes be better.
739
740 // return 2 ^ (n - 1) where n is the bit number of the highest bit
741 // set in x with x in the range 1 < x < 0x00000200. This form is
742 // used so that locals within FFinv can be bytes rather than words
743
744 static unsigned char hibit(const u_int32_t x)
745 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
746
747 r |= (r >> 2);
748 r |= (r >> 4);
749 return (r + 1) >> 1;
750 }
751
752 // return the inverse of the finite field element x
753
754 static unsigned char FFinv(const unsigned char x)
755 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
756
757 if(x < 2) return x;
758
759 for(;;)
760 {
761 if(!n1) return v1;
762
763 while(n2 >= n1)
764 {
765 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
766 }
767
768 if(!n2) return v2;
769
770 while(n1 >= n2)
771 {
772 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
773 }
774 }
775 }
776
777 // define the finite field multiplies required for Rijndael
778
779 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
780 #define FFmul03(x) ((x) ^ FFmul02(x))
781 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
782 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
783 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
784 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
785
786 #else
787
788 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
789
790 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
791 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
792 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
793 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
794 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
795 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
796
797 #endif
798
799 // The forward and inverse affine transformations used in the S-box
800
801 #define fwd_affine(x) \
802 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
803
804 #define inv_affine(x) \
805 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
806
807 static void gen_tabs(void)
808 { u_int32_t i, w;
809
810 #if defined(FF_TABLES)
811
812 unsigned char pow[512], log[256];
813
814 // log and power tables for GF(2^8) finite field with
815 // 0x011b as modular polynomial - the simplest primitive
816 // root is 0x03, used here to generate the tables
817
818 i = 0; w = 1;
819 do
820 {
821 pow[i] = (unsigned char)w;
822 pow[i + 255] = (unsigned char)w;
823 log[w] = (unsigned char)i++;
824 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
825 }
826 while (w != 1);
827
828 #endif
829
830 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
831 {
832 rcon_tab[i] = bytes2word(w, 0, 0, 0);
833 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
834 }
835
836 for(i = 0; i < 256; ++i)
837 { unsigned char b;
838
839 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
840
841 w = bytes2word(b, 0, 0, 0);
842 #if defined(ONE_LR_TABLE)
843 fl_tab[i] = w;
844 #elif defined(FOUR_LR_TABLES)
845 fl_tab[0][i] = w;
846 fl_tab[1][i] = upr(w,1);
847 fl_tab[2][i] = upr(w,2);
848 fl_tab[3][i] = upr(w,3);
849 #endif
850 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
851 #if defined(ONE_TABLE)
852 ft_tab[i] = w;
853 #elif defined(FOUR_TABLES)
854 ft_tab[0][i] = w;
855 ft_tab[1][i] = upr(w,1);
856 ft_tab[2][i] = upr(w,2);
857 ft_tab[3][i] = upr(w,3);
858 #endif
859 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
860
861 w = bytes2word(b, 0, 0, 0);
862 #if defined(ONE_LR_TABLE)
863 il_tab[i] = w;
864 #elif defined(FOUR_LR_TABLES)
865 il_tab[0][i] = w;
866 il_tab[1][i] = upr(w,1);
867 il_tab[2][i] = upr(w,2);
868 il_tab[3][i] = upr(w,3);
869 #endif
870 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
871 #if defined(ONE_TABLE)
872 it_tab[i] = w;
873 #elif defined(FOUR_TABLES)
874 it_tab[0][i] = w;
875 it_tab[1][i] = upr(w,1);
876 it_tab[2][i] = upr(w,2);
877 it_tab[3][i] = upr(w,3);
878 #endif
879 #if defined(ONE_IM_TABLE)
880 im_tab[b] = w;
881 #elif defined(FOUR_IM_TABLES)
882 im_tab[0][b] = w;
883 im_tab[1][b] = upr(w,1);
884 im_tab[2][b] = upr(w,2);
885 im_tab[3][b] = upr(w,3);
886 #endif
887
888 }
889 }
890
891 #endif
892
893 #define no_table(x,box,vf,rf,c) bytes2word( \
894 box[bval(vf(x,0,c),rf(0,c))], \
895 box[bval(vf(x,1,c),rf(1,c))], \
896 box[bval(vf(x,2,c),rf(2,c))], \
897 box[bval(vf(x,3,c),rf(3,c))])
898
899 #define one_table(x,op,tab,vf,rf,c) \
900 ( tab[bval(vf(x,0,c),rf(0,c))] \
901 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
902 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
903 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
904
905 #define four_tables(x,tab,vf,rf,c) \
906 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
907 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
908 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
909 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
910
911 #define vf1(x,r,c) (x)
912 #define rf1(r,c) (r)
913 #define rf2(r,c) ((r-c)&3)
914
915 #if defined(FOUR_LR_TABLES)
916 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
917 #elif defined(ONE_LR_TABLE)
918 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
919 #else
920 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
921 #endif
922
923 #if defined(FOUR_IM_TABLES)
924 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
925 #elif defined(ONE_IM_TABLE)
926 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
927 #else
928 #define inv_mcol(x) \
929 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
930 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
931 #endif
932
933 #define nc (AES_BLOCK_SIZE/4)
934
935 // Initialise the key schedule from the user supplied key. The key
936 // length is now specified in bytes - 16, 24 or 32 as appropriate.
937 // This corresponds to bit lengths of 128, 192 and 256 bits, and
938 // to Nk values of 4, 6 and 8 respectively.
939
940 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
941 #define cp(t,f) *t++ = *f++
942
943 #if AES_BLOCK_SIZE == 16
944 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
945 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
946 #elif AES_BLOCK_SIZE == 24
947 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
948 cp(d,s); cp(d,s)
949 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
950 mx(d,s); mx(d,s)
951 #elif AES_BLOCK_SIZE == 32
952 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
953 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
954 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
955 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
956 #else
957
958 #define cpy(d,s) \
959 switch(nc) \
960 { case 8: cp(d,s); cp(d,s); \
961 case 6: cp(d,s); cp(d,s); \
962 case 4: cp(d,s); cp(d,s); \
963 cp(d,s); cp(d,s); \
964 }
965
966 #define mix(d,s) \
967 switch(nc) \
968 { case 8: mx(d,s); mx(d,s); \
969 case 6: mx(d,s); mx(d,s); \
970 case 4: mx(d,s); mx(d,s); \
971 mx(d,s); mx(d,s); \
972 }
973
974 #endif
975
976 // y = output word, x = input word, r = row, c = column
977 // for r = 0, 1, 2 and 3 = column accessed for row r
978
979 #if defined(ARRAYS)
980 #define s(x,c) x[c]
981 #else
982 #define s(x,c) x##c
983 #endif
984
985 // I am grateful to Frank Yellin for the following constructions
986 // which, given the column (c) of the output state variable that
987 // is being computed, return the input state variables which are
988 // needed for each row (r) of the state
989
990 // For the fixed block size options, compilers reduce these two
991 // expressions to fixed variable references. For variable block
992 // size code conditional clauses will sometimes be returned
993
994 #define unused 77 // Sunset Strip
995
996 #define fwd_var(x,r,c) \
997 ( r==0 ? \
998 ( c==0 ? s(x,0) \
999 : c==1 ? s(x,1) \
1000 : c==2 ? s(x,2) \
1001 : c==3 ? s(x,3) \
1002 : c==4 ? s(x,4) \
1003 : c==5 ? s(x,5) \
1004 : c==6 ? s(x,6) \
1005 : s(x,7)) \
1006 : r==1 ? \
1007 ( c==0 ? s(x,1) \
1008 : c==1 ? s(x,2) \
1009 : c==2 ? s(x,3) \
1010 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1011 : c==4 ? s(x,5) \
1012 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1013 : c==6 ? s(x,7) \
1014 : s(x,0)) \
1015 : r==2 ? \
1016 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1017 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1018 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1019 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1020 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1021 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1022 : c==6 ? s(x,1) \
1023 : s(x,2)) \
1024 : \
1025 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1026 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1027 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1028 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1029 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1030 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1031 : c==6 ? s(x,2) \
1032 : s(x,3)))
1033
1034 #define inv_var(x,r,c) \
1035 ( r==0 ? \
1036 ( c==0 ? s(x,0) \
1037 : c==1 ? s(x,1) \
1038 : c==2 ? s(x,2) \
1039 : c==3 ? s(x,3) \
1040 : c==4 ? s(x,4) \
1041 : c==5 ? s(x,5) \
1042 : c==6 ? s(x,6) \
1043 : s(x,7)) \
1044 : r==1 ? \
1045 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1046 : c==1 ? s(x,0) \
1047 : c==2 ? s(x,1) \
1048 : c==3 ? s(x,2) \
1049 : c==4 ? s(x,3) \
1050 : c==5 ? s(x,4) \
1051 : c==6 ? s(x,5) \
1052 : s(x,6)) \
1053 : r==2 ? \
1054 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1055 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1056 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1057 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1058 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1059 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1060 : c==6 ? s(x,3) \
1061 : s(x,4)) \
1062 : \
1063 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1064 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1065 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1066 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1067 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1068 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1069 : c==6 ? s(x,2) \
1070 : s(x,3)))
1071
1072 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1073 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1074
1075 #if defined(FOUR_TABLES)
1076 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1077 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1078 #elif defined(ONE_TABLE)
1079 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1080 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1081 #else
1082 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1083 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1084 #endif
1085
1086 #if defined(FOUR_LR_TABLES)
1087 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1088 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1089 #elif defined(ONE_LR_TABLE)
1090 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1091 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1092 #else
1093 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1094 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1095 #endif
1096
1097 #if AES_BLOCK_SIZE == 16
1098
1099 #if defined(ARRAYS)
1100 #define locals(y,x) x[4],y[4]
1101 #else
1102 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1103 // the following defines prevent the compiler requiring the declaration
1104 // of generated but unused variables in the fwd_var and inv_var macros
1105 #define b04 unused
1106 #define b05 unused
1107 #define b06 unused
1108 #define b07 unused
1109 #define b14 unused
1110 #define b15 unused
1111 #define b16 unused
1112 #define b17 unused
1113 #endif
1114 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1115 s(y,2) = s(x,2); s(y,3) = s(x,3);
1116 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1117 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1118 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1119
1120 #elif AES_BLOCK_SIZE == 24
1121
1122 #if defined(ARRAYS)
1123 #define locals(y,x) x[6],y[6]
1124 #else
1125 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1126 y##0,y##1,y##2,y##3,y##4,y##5
1127 #define b06 unused
1128 #define b07 unused
1129 #define b16 unused
1130 #define b17 unused
1131 #endif
1132 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1133 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1134 s(y,4) = s(x,4); s(y,5) = s(x,5);
1135 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1136 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1137 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1138 so(y,x,3); so(y,x,4); so(y,x,5)
1139 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1140 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1141 #else
1142
1143 #if defined(ARRAYS)
1144 #define locals(y,x) x[8],y[8]
1145 #else
1146 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1147 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1148 #endif
1149 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1150 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1151 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1152 s(y,6) = s(x,6); s(y,7) = s(x,7);
1153
1154 #if AES_BLOCK_SIZE == 32
1155
1156 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1157 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1158 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1159 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1160 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1161 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1162 #else
1163
1164 #define state_in(y,x,k) \
1165 switch(nc) \
1166 { case 8: si(y,x,k,7); si(y,x,k,6); \
1167 case 6: si(y,x,k,5); si(y,x,k,4); \
1168 case 4: si(y,x,k,3); si(y,x,k,2); \
1169 si(y,x,k,1); si(y,x,k,0); \
1170 }
1171
1172 #define state_out(y,x) \
1173 switch(nc) \
1174 { case 8: so(y,x,7); so(y,x,6); \
1175 case 6: so(y,x,5); so(y,x,4); \
1176 case 4: so(y,x,3); so(y,x,2); \
1177 so(y,x,1); so(y,x,0); \
1178 }
1179
1180 #if defined(FAST_VARIABLE)
1181
1182 #define round(rm,y,x,k) \
1183 switch(nc) \
1184 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1185 rm(y,x,k,5); rm(y,x,k,4); \
1186 rm(y,x,k,3); rm(y,x,k,2); \
1187 rm(y,x,k,1); rm(y,x,k,0); \
1188 break; \
1189 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1190 rm(y,x,k,3); rm(y,x,k,2); \
1191 rm(y,x,k,1); rm(y,x,k,0); \
1192 break; \
1193 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1194 rm(y,x,k,1); rm(y,x,k,0); \
1195 break; \
1196 }
1197 #else
1198
1199 #define round(rm,y,x,k) \
1200 switch(nc) \
1201 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1202 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1203 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1204 rm(y,x,k,1); rm(y,x,k,0); \
1205 }
1206
1207 #endif
1208
1209 #endif
1210 #endif
1211
1212 /**
1213 * Encrypt a single block of data.
1214 */
1215 static void encrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1216 { u_int32_t locals(b0, b1);
1217 const u_int32_t *kp = this->aes_e_key;
1218
1219 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1220 u_int32_t f2;
1221 #endif
1222
1223 state_in(b0, in_blk, kp); kp += nc;
1224
1225 #if defined(UNROLL)
1226
1227 switch(this->aes_Nrnd)
1228 {
1229 case 14: round(fwd_rnd, b1, b0, kp );
1230 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1231 case 12: round(fwd_rnd, b1, b0, kp );
1232 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1233 case 10: round(fwd_rnd, b1, b0, kp );
1234 round(fwd_rnd, b0, b1, kp + nc);
1235 round(fwd_rnd, b1, b0, kp + 2 * nc);
1236 round(fwd_rnd, b0, b1, kp + 3 * nc);
1237 round(fwd_rnd, b1, b0, kp + 4 * nc);
1238 round(fwd_rnd, b0, b1, kp + 5 * nc);
1239 round(fwd_rnd, b1, b0, kp + 6 * nc);
1240 round(fwd_rnd, b0, b1, kp + 7 * nc);
1241 round(fwd_rnd, b1, b0, kp + 8 * nc);
1242 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1243 }
1244
1245 #elif defined(PARTIAL_UNROLL)
1246 { u_int32_t rnd;
1247
1248 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1249 {
1250 round(fwd_rnd, b1, b0, kp);
1251 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1252 }
1253
1254 round(fwd_rnd, b1, b0, kp);
1255 round(fwd_lrnd, b0, b1, kp + nc);
1256 }
1257 #else
1258 { u_int32_t rnd;
1259
1260 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1261 {
1262 round(fwd_rnd, b1, b0, kp);
1263 l_copy(b0, b1); kp += nc;
1264 }
1265
1266 round(fwd_lrnd, b0, b1, kp);
1267 }
1268 #endif
1269
1270 state_out(out_blk, b0);
1271 }
1272
1273 /**
1274 * Decrypt a single block of data.
1275 */
1276 static void decrypt_block(const private_aes_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1277 { u_int32_t locals(b0, b1);
1278 const u_int32_t *kp = this->aes_d_key;
1279
1280 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1281 u_int32_t f2, f4, f8, f9;
1282 #endif
1283
1284 state_in(b0, in_blk, kp); kp += nc;
1285
1286 #if defined(UNROLL)
1287
1288 switch(this->aes_Nrnd)
1289 {
1290 case 14: round(inv_rnd, b1, b0, kp );
1291 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1292 case 12: round(inv_rnd, b1, b0, kp );
1293 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1294 case 10: round(inv_rnd, b1, b0, kp );
1295 round(inv_rnd, b0, b1, kp + nc);
1296 round(inv_rnd, b1, b0, kp + 2 * nc);
1297 round(inv_rnd, b0, b1, kp + 3 * nc);
1298 round(inv_rnd, b1, b0, kp + 4 * nc);
1299 round(inv_rnd, b0, b1, kp + 5 * nc);
1300 round(inv_rnd, b1, b0, kp + 6 * nc);
1301 round(inv_rnd, b0, b1, kp + 7 * nc);
1302 round(inv_rnd, b1, b0, kp + 8 * nc);
1303 round(inv_lrnd, b0, b1, kp + 9 * nc);
1304 }
1305
1306 #elif defined(PARTIAL_UNROLL)
1307 { u_int32_t rnd;
1308
1309 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1310 {
1311 round(inv_rnd, b1, b0, kp);
1312 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1313 }
1314
1315 round(inv_rnd, b1, b0, kp);
1316 round(inv_lrnd, b0, b1, kp + nc);
1317 }
1318 #else
1319 { u_int32_t rnd;
1320
1321 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1322 {
1323 round(inv_rnd, b1, b0, kp);
1324 l_copy(b0, b1); kp += nc;
1325 }
1326
1327 round(inv_lrnd, b0, b1, kp);
1328 }
1329 #endif
1330
1331 state_out(out_blk, b0);
1332 }
1333
1334 /**
1335 * Implementation of crypter_t.decrypt.
1336 */
1337 static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
1338 chunk_t *decrypted)
1339 {
1340 int pos;
1341 const u_int32_t *iv_i;
1342 u_int8_t *in, *out;
1343
1344 if (decrypted)
1345 {
1346 *decrypted = chunk_alloc(data.len);
1347 out = decrypted->ptr;
1348 }
1349 else
1350 {
1351 out = data.ptr;
1352 }
1353 in = data.ptr;
1354
1355 pos = data.len-16;
1356 in += pos;
1357 out += pos;
1358 while (pos >= 0)
1359 {
1360 decrypt_block(this, in, out);
1361 if (pos==0)
1362 {
1363 iv_i=(const u_int32_t*) (iv.ptr);
1364 }
1365 else
1366 {
1367 iv_i=(const u_int32_t*) (in-16);
1368 }
1369 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1370 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1371 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1372 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1373 in-=16;
1374 out-=16;
1375 pos-=16;
1376 }
1377 }
1378
1379
1380 /**
1381 * Implementation of crypter_t.decrypt.
1382 */
1383 static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
1384 chunk_t *encrypted)
1385 {
1386 int pos;
1387 const u_int32_t *iv_i;
1388 u_int8_t *in, *out;
1389
1390 in = data.ptr;
1391 out = data.ptr;
1392 if (encrypted)
1393 {
1394 *encrypted = chunk_alloc(data.len);
1395 out = encrypted->ptr;
1396 }
1397
1398 pos=0;
1399 while(pos<data.len)
1400 {
1401 if (pos==0)
1402 {
1403 iv_i=(const u_int32_t*) iv.ptr;
1404 }
1405 else
1406 {
1407 iv_i=(const u_int32_t*) (out-16);
1408 }
1409 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1410 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1411 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1412 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1413 encrypt_block(this, out, out);
1414 in+=16;
1415 out+=16;
1416 pos+=16;
1417 }
1418 }
1419
1420 /**
1421 * Implementation of crypter_t.get_block_size.
1422 */
1423 static size_t get_block_size (private_aes_crypter_t *this)
1424 {
1425 return AES_BLOCK_SIZE;
1426 }
1427
1428 /**
1429 * Implementation of crypter_t.get_key_size.
1430 */
1431 static size_t get_key_size (private_aes_crypter_t *this)
1432 {
1433 return this->key_size;
1434 }
1435
1436 /**
1437 * Implementation of crypter_t.set_key.
1438 */
1439 static void set_key (private_aes_crypter_t *this, chunk_t key)
1440 {
1441 u_int32_t *kf, *kt, rci, f = 0;
1442 u_int8_t *in_key = key.ptr;
1443
1444 this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
1445
1446 this->aes_e_key[0] = const_word_in(in_key );
1447 this->aes_e_key[1] = const_word_in(in_key + 4);
1448 this->aes_e_key[2] = const_word_in(in_key + 8);
1449 this->aes_e_key[3] = const_word_in(in_key + 12);
1450
1451 kf = this->aes_e_key;
1452 kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
1453 rci = 0;
1454
1455 switch(this->aes_Nkey)
1456 {
1457 case 4: do
1458 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1459 kf[5] = kf[1] ^ kf[4];
1460 kf[6] = kf[2] ^ kf[5];
1461 kf[7] = kf[3] ^ kf[6];
1462 kf += 4;
1463 }
1464 while(kf < kt);
1465 break;
1466
1467 case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
1468 this->aes_e_key[5] = const_word_in(in_key + 20);
1469 do
1470 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1471 kf[ 7] = kf[1] ^ kf[ 6];
1472 kf[ 8] = kf[2] ^ kf[ 7];
1473 kf[ 9] = kf[3] ^ kf[ 8];
1474 kf[10] = kf[4] ^ kf[ 9];
1475 kf[11] = kf[5] ^ kf[10];
1476 kf += 6;
1477 }
1478 while(kf < kt);
1479 break;
1480
1481 case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
1482 this->aes_e_key[5] = const_word_in(in_key + 20);
1483 this->aes_e_key[6] = const_word_in(in_key + 24);
1484 this->aes_e_key[7] = const_word_in(in_key + 28);
1485 do
1486 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1487 kf[ 9] = kf[1] ^ kf[ 8];
1488 kf[10] = kf[2] ^ kf[ 9];
1489 kf[11] = kf[3] ^ kf[10];
1490 kf[12] = kf[4] ^ ls_box(kf[11],0);
1491 kf[13] = kf[5] ^ kf[12];
1492 kf[14] = kf[6] ^ kf[13];
1493 kf[15] = kf[7] ^ kf[14];
1494 kf += 8;
1495 }
1496 while (kf < kt);
1497 break;
1498 }
1499
1500 if(!f)
1501 {
1502 u_int32_t i;
1503
1504 kt = this->aes_d_key + nc * this->aes_Nrnd;
1505 kf = this->aes_e_key;
1506
1507 cpy(kt, kf); kt -= 2 * nc;
1508
1509 for(i = 1; i < this->aes_Nrnd; ++i)
1510 {
1511 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1512 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1513 u_int32_t f2, f4, f8, f9;
1514 #endif
1515 mix(kt, kf);
1516 #else
1517 cpy(kt, kf);
1518 #endif
1519 kt -= 2 * nc;
1520 }
1521 cpy(kt, kf);
1522 }
1523 }
1524
1525 /**
1526 * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
1527 */
1528 static void destroy (private_aes_crypter_t *this)
1529 {
1530 free(this);
1531 }
1532
1533 /*
1534 * Described in header
1535 */
1536 aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
1537 {
1538 private_aes_crypter_t *this;
1539
1540 if (algo != ENCR_AES_CBC)
1541 {
1542 return NULL;
1543 }
1544
1545 this = malloc_thing(private_aes_crypter_t);
1546
1547 #if !defined(FIXED_TABLES)
1548 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1549 #endif
1550
1551 this->key_size = key_size;
1552 switch(key_size)
1553 {
1554 case 32: /* bytes */
1555 this->aes_Nkey = 8;
1556 break;
1557 case 24: /* bytes */
1558 this->aes_Nkey = 6;
1559 break;
1560 case 16: /* bytes */
1561 this->aes_Nkey = 4;
1562 break;
1563 default:
1564 free(this);
1565 return NULL;
1566 }
1567
1568 this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1569 this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1570 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1571 this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
1572 this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
1573 this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
1574
1575 return &(this->public);
1576 }
strongSwan - IPsec VPN