7d7e468584a77ab1e62ff2ab185d8c48998f0813
[strongswan.git] / src / libstrongswan / plugins / blowfish / blowfish_crypter.c
1 /*
2 * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57
58 #include "blowfish.h"
59 #include "bf_locl.h"
60
61 /* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
62 * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
63 * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
64 */
65 */
66
67 #include "blowfish_crypter.h"
68
69 #define BLOWFISH_BLOCK_SIZE 16
70
71 typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
72
73 /**
74 * Class implementing the Blowfish symmetric encryption algorithm.
75 *
76 * @ingroup crypters
77 */
78 struct private_blowfish_crypter_t {
79
80 /**
81 * Public part of this class.
82 */
83 blowfish_crypter_t public;
84
85 /**
86 * Number of words in the key input block.
87 */
88 u_int32_t aes_Nkey;
89
90 /**
91 * The number of cipher rounds.
92 */
93 u_int32_t aes_Nrnd;
94
95 /**
96 * The encryption key schedule.
97 */
98 u_int32_t aes_e_key[AES_KS_LENGTH];
99
100 /**
101 * The decryption key schedule.
102 */
103 u_int32_t aes_d_key[AES_KS_LENGTH];
104
105 /**
106 * Key size of this AES cypher object.
107 */
108 u_int32_t key_size;
109 };
110
111
112 /* ugly macro stuff */
113
114 /* 1. Define UNROLL for full loop unrolling in encryption and decryption.
115 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
116 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
117 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
118 * Do not enable this without understanding stack space requirements.
119 * 5. Define ARRAYS to use arrays to hold the local state block. If this
120 * is not defined, individually declared 32-bit words are used.
121 * 6. Define FAST_VARIABLE if a high speed variable block implementation
122 * is needed (essentially three separate fixed block size code sequences)
123 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
124 * version using 1 table (2 kbytes of table space) or 4 tables (8
125 * kbytes of table space) for higher speed.
126 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
127 * increase by using tables for the last rounds but with more table
128 * space (2 or 8 kbytes extra).
129 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
130 * slower version is provided.
131 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
132 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
133 */
134
135 #define UNROLL
136 //#define PARTIAL_UNROLL
137
138 #define FIXED_TABLES
139 //#define FF_TABLES
140 //#define ARRAYS
141 #define FAST_VARIABLE
142
143 //#define ONE_TABLE
144 #define FOUR_TABLES
145
146 //#define ONE_LR_TABLE
147 #define FOUR_LR_TABLES
148
149 //#define ONE_IM_TABLE
150 #define FOUR_IM_TABLES
151
152 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
153 #error both UNROLL and PARTIAL_UNROLL are defined
154 #endif
155
156 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
157 #error both ONE_TABLE and FOUR_TABLES are defined
158 #endif
159
160 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
161 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
162 #endif
163
164 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
165 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
166 #endif
167
168 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
169 #error an illegal block size has been specified
170 #endif
171
172 /**
173 * Rotates bytes within words by n positions, moving bytes
174 * to higher index positions with wrap around into low positions.
175 */
176 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
177 /**
178 * Moves bytes by n positions to higher index positions in
179 * words but without wrap around.
180 */
181 #define ups(x,n) ((x) << 8 * (n))
182
183 /**
184 * Extracts a byte from a word.
185 */
186 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
187 #define bytes2word(b0, b1, b2, b3) \
188 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
189
190
191 /* little endian processor without data alignment restrictions: AES_LE_OK */
192 /* original code: i386 */
193 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
194 #define AES_LE_OK 1
195 /* added (tested): alpha --jjo */
196 #elif defined(__alpha__)|| defined (__alpha)
197 #define AES_LE_OK 1
198 /* added (tested): ia64 --jjo */
199 #elif defined(__ia64__)|| defined (__ia64)
200 #define AES_LE_OK 1
201 #endif
202
203 #ifdef AES_LE_OK
204 /* little endian processor without data alignment restrictions */
205 #define word_in(x) *(u_int32_t*)(x)
206 #define const_word_in(x) *(const u_int32_t*)(x)
207 #define word_out(x,v) *(u_int32_t*)(x) = (v)
208 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
209 #else
210 /* slower but generic big endian or with data alignment restrictions */
211 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
212 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
213 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
214 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
215 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
216 #endif
217
218 // Disable at least some poor combinations of options
219
220 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
221 #define FIXED_TABLES
222 #undef UNROLL
223 #undef ONE_LR_TABLE
224 #undef FOUR_LR_TABLES
225 #undef ONE_IM_TABLE
226 #undef FOUR_IM_TABLES
227 #elif !defined(FOUR_TABLES)
228 #ifdef FOUR_LR_TABLES
229 #undef FOUR_LR_TABLES
230 #define ONE_LR_TABLE
231 #endif
232 #ifdef FOUR_IM_TABLES
233 #undef FOUR_IM_TABLES
234 #define ONE_IM_TABLE
235 #endif
236 #elif !defined(AES_BLOCK_SIZE)
237 #if defined(UNROLL)
238 #define PARTIAL_UNROLL
239 #undef UNROLL
240 #endif
241 #endif
242
243 // the finite field modular polynomial and elements
244
245 #define ff_poly 0x011b
246 #define ff_hi 0x80
247
248 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
249
250 #define m1 0x80808080
251 #define m2 0x7f7f7f7f
252 #define m3 0x0000001b
253 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
254
255 // The following defines provide alternative definitions of FFmulX that might
256 // give improved performance if a fast 32-bit multiply is not available. Note
257 // that a temporary variable u needs to be defined where FFmulX is used.
258
259 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
260 // #define m4 0x1b1b1b1b
261 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
262
263 // perform column mix operation on four bytes in parallel
264
265 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
266
267 #if defined(FIXED_TABLES)
268
269 // the S-Box table
270
271 static const unsigned char s_box[256] =
272 {
273 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
274 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
275 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
276 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
277 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
278 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
279 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
280 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
281 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
282 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
283 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
284 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
285 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
286 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
287 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
288 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
289 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
290 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
291 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
292 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
293 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
294 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
295 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
296 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
297 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
298 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
299 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
300 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
301 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
302 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
303 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
304 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
305 };
306
307 // the inverse S-Box table
308
309 static const unsigned char inv_s_box[256] =
310 {
311 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
312 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
313 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
314 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
315 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
316 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
317 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
318 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
319 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
320 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
321 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
322 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
323 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
324 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
325 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
326 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
327 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
328 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
329 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
330 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
331 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
332 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
333 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
334 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
335 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
336 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
337 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
338 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
339 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
340 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
341 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
342 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
343 };
344
345 #define w0(p) 0x000000##p
346
347 // Number of elements required in this table for different
348 // block and key lengths is:
349 //
350 // Nk = 4 6 8
351 // ----------
352 // Nb = 4 | 10 8 7
353 // 6 | 19 12 11
354 // 8 | 29 19 14
355 //
356 // this table can be a table of bytes if the key schedule
357 // code is adjusted accordingly
358
359 static const u_int32_t rcon_tab[29] =
360 {
361 w0(01), w0(02), w0(04), w0(08),
362 w0(10), w0(20), w0(40), w0(80),
363 w0(1b), w0(36), w0(6c), w0(d8),
364 w0(ab), w0(4d), w0(9a), w0(2f),
365 w0(5e), w0(bc), w0(63), w0(c6),
366 w0(97), w0(35), w0(6a), w0(d4),
367 w0(b3), w0(7d), w0(fa), w0(ef),
368 w0(c5)
369 };
370
371 #undef w0
372
373 #define r0(p,q,r,s) 0x##p##q##r##s
374 #define r1(p,q,r,s) 0x##q##r##s##p
375 #define r2(p,q,r,s) 0x##r##s##p##q
376 #define r3(p,q,r,s) 0x##s##p##q##r
377 #define w0(p) 0x000000##p
378 #define w1(p) 0x0000##p##00
379 #define w2(p) 0x00##p##0000
380 #define w3(p) 0x##p##000000
381
382 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
383
384 // data for forward tables (other than last round)
385
386 #define f_table \
387 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
388 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
389 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
390 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
391 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
392 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
393 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
394 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
395 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
396 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
397 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
398 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
399 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
400 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
401 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
402 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
403 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
404 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
405 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
406 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
407 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
408 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
409 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
410 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
411 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
412 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
413 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
414 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
415 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
416 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
417 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
418 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
419 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
420 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
421 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
422 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
423 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
424 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
425 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
426 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
427 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
428 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
429 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
430 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
431 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
432 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
433 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
434 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
435 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
436 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
437 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
438 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
439 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
440 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
441 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
442 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
443 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
444 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
445 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
446 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
447 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
448 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
449 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
450 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
451
452 // data for inverse tables (other than last round)
453
454 #define i_table \
455 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
456 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
457 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
458 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
459 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
460 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
461 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
462 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
463 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
464 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
465 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
466 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
467 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
468 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
469 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
470 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
471 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
472 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
473 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
474 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
475 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
476 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
477 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
478 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
479 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
480 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
481 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
482 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
483 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
484 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
485 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
486 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
487 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
488 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
489 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
490 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
491 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
492 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
493 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
494 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
495 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
496 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
497 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
498 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
499 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
500 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
501 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
502 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
503 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
504 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
505 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
506 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
507 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
508 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
509 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
510 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
511 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
512 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
513 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
514 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
515 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
516 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
517 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
518 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
519
520 // generate the required tables in the desired endian format
521
522 #undef r
523 #define r r0
524
525 #if defined(ONE_TABLE)
526 static const u_int32_t ft_tab[256] =
527 { f_table };
528 #elif defined(FOUR_TABLES)
529 static const u_int32_t ft_tab[4][256] =
530 { { f_table },
531 #undef r
532 #define r r1
533 { f_table },
534 #undef r
535 #define r r2
536 { f_table },
537 #undef r
538 #define r r3
539 { f_table }
540 };
541 #endif
542
543 #undef r
544 #define r r0
545 #if defined(ONE_TABLE)
546 static const u_int32_t it_tab[256] =
547 { i_table };
548 #elif defined(FOUR_TABLES)
549 static const u_int32_t it_tab[4][256] =
550 { { i_table },
551 #undef r
552 #define r r1
553 { i_table },
554 #undef r
555 #define r r2
556 { i_table },
557 #undef r
558 #define r r3
559 { i_table }
560 };
561 #endif
562
563 #endif
564
565 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
566
567 // data for inverse tables (last round)
568
569 #define li_table \
570 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
571 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
572 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
573 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
574 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
575 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
576 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
577 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
578 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
579 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
580 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
581 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
582 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
583 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
584 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
585 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
586 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
587 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
588 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
589 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
590 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
591 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
592 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
593 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
594 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
595 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
596 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
597 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
598 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
599 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
600 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
601 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
602
603 // generate the required tables in the desired endian format
604
605 #undef r
606 #define r(p,q,r,s) w0(q)
607 #if defined(ONE_LR_TABLE)
608 static const u_int32_t fl_tab[256] =
609 { f_table };
610 #elif defined(FOUR_LR_TABLES)
611 static const u_int32_t fl_tab[4][256] =
612 { { f_table },
613 #undef r
614 #define r(p,q,r,s) w1(q)
615 { f_table },
616 #undef r
617 #define r(p,q,r,s) w2(q)
618 { f_table },
619 #undef r
620 #define r(p,q,r,s) w3(q)
621 { f_table }
622 };
623 #endif
624
625 #undef w
626 #define w w0
627 #if defined(ONE_LR_TABLE)
628 static const u_int32_t il_tab[256] =
629 { li_table };
630 #elif defined(FOUR_LR_TABLES)
631 static const u_int32_t il_tab[4][256] =
632 { { li_table },
633 #undef w
634 #define w w1
635 { li_table },
636 #undef w
637 #define w w2
638 { li_table },
639 #undef w
640 #define w w3
641 { li_table }
642 };
643 #endif
644
645 #endif
646
647 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
648
649 #define m_table \
650 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
651 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
652 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
653 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
654 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
655 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
656 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
657 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
658 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
659 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
660 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
661 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
662 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
663 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
664 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
665 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
666 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
667 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
668 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
669 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
670 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
671 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
672 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
673 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
674 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
675 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
676 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
677 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
678 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
679 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
680 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
681 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
682 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
683 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
684 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
685 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
686 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
687 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
688 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
689 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
690 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
691 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
692 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
693 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
694 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
695 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
696 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
697 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
698 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
699 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
700 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
701 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
702 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
703 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
704 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
705 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
706 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
707 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
708 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
709 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
710 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
711 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
712 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
713 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
714
715 #undef r
716 #define r r0
717
718 #if defined(ONE_IM_TABLE)
719 static const u_int32_t im_tab[256] =
720 { m_table };
721 #elif defined(FOUR_IM_TABLES)
722 static const u_int32_t im_tab[4][256] =
723 { { m_table },
724 #undef r
725 #define r r1
726 { m_table },
727 #undef r
728 #define r r2
729 { m_table },
730 #undef r
731 #define r r3
732 { m_table }
733 };
734 #endif
735
736 #endif
737
738 #else
739
740 static int tab_gen = 0;
741
742 static unsigned char s_box[256]; // the S box
743 static unsigned char inv_s_box[256]; // the inverse S box
744 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
745
746 #if defined(ONE_TABLE)
747 static u_int32_t ft_tab[256];
748 static u_int32_t it_tab[256];
749 #elif defined(FOUR_TABLES)
750 static u_int32_t ft_tab[4][256];
751 static u_int32_t it_tab[4][256];
752 #endif
753
754 #if defined(ONE_LR_TABLE)
755 static u_int32_t fl_tab[256];
756 static u_int32_t il_tab[256];
757 #elif defined(FOUR_LR_TABLES)
758 static u_int32_t fl_tab[4][256];
759 static u_int32_t il_tab[4][256];
760 #endif
761
762 #if defined(ONE_IM_TABLE)
763 static u_int32_t im_tab[256];
764 #elif defined(FOUR_IM_TABLES)
765 static u_int32_t im_tab[4][256];
766 #endif
767
768 // Generate the tables for the dynamic table option
769
770 #if !defined(FF_TABLES)
771
772 // It will generally be sensible to use tables to compute finite
773 // field multiplies and inverses but where memory is scarse this
774 // code might sometimes be better.
775
776 // return 2 ^ (n - 1) where n is the bit number of the highest bit
777 // set in x with x in the range 1 < x < 0x00000200. This form is
778 // used so that locals within FFinv can be bytes rather than words
779
780 static unsigned char hibit(const u_int32_t x)
781 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
782
783 r |= (r >> 2);
784 r |= (r >> 4);
785 return (r + 1) >> 1;
786 }
787
788 // return the inverse of the finite field element x
789
790 static unsigned char FFinv(const unsigned char x)
791 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
792
793 if(x < 2) return x;
794
795 for(;;)
796 {
797 if(!n1) return v1;
798
799 while(n2 >= n1)
800 {
801 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
802 }
803
804 if(!n2) return v2;
805
806 while(n1 >= n2)
807 {
808 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
809 }
810 }
811 }
812
813 // define the finite field multiplies required for Rijndael
814
815 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
816 #define FFmul03(x) ((x) ^ FFmul02(x))
817 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
818 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
819 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
820 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
821
822 #else
823
824 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
825
826 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
827 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
828 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
829 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
830 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
831 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
832
833 #endif
834
835 // The forward and inverse affine transformations used in the S-box
836
837 #define fwd_affine(x) \
838 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
839
840 #define inv_affine(x) \
841 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
842
843 static void gen_tabs(void)
844 { u_int32_t i, w;
845
846 #if defined(FF_TABLES)
847
848 unsigned char pow[512], log[256];
849
850 // log and power tables for GF(2^8) finite field with
851 // 0x011b as modular polynomial - the simplest primitive
852 // root is 0x03, used here to generate the tables
853
854 i = 0; w = 1;
855 do
856 {
857 pow[i] = (unsigned char)w;
858 pow[i + 255] = (unsigned char)w;
859 log[w] = (unsigned char)i++;
860 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
861 }
862 while (w != 1);
863
864 #endif
865
866 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
867 {
868 rcon_tab[i] = bytes2word(w, 0, 0, 0);
869 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
870 }
871
872 for(i = 0; i < 256; ++i)
873 { unsigned char b;
874
875 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
876
877 w = bytes2word(b, 0, 0, 0);
878 #if defined(ONE_LR_TABLE)
879 fl_tab[i] = w;
880 #elif defined(FOUR_LR_TABLES)
881 fl_tab[0][i] = w;
882 fl_tab[1][i] = upr(w,1);
883 fl_tab[2][i] = upr(w,2);
884 fl_tab[3][i] = upr(w,3);
885 #endif
886 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
887 #if defined(ONE_TABLE)
888 ft_tab[i] = w;
889 #elif defined(FOUR_TABLES)
890 ft_tab[0][i] = w;
891 ft_tab[1][i] = upr(w,1);
892 ft_tab[2][i] = upr(w,2);
893 ft_tab[3][i] = upr(w,3);
894 #endif
895 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
896
897 w = bytes2word(b, 0, 0, 0);
898 #if defined(ONE_LR_TABLE)
899 il_tab[i] = w;
900 #elif defined(FOUR_LR_TABLES)
901 il_tab[0][i] = w;
902 il_tab[1][i] = upr(w,1);
903 il_tab[2][i] = upr(w,2);
904 il_tab[3][i] = upr(w,3);
905 #endif
906 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
907 #if defined(ONE_TABLE)
908 it_tab[i] = w;
909 #elif defined(FOUR_TABLES)
910 it_tab[0][i] = w;
911 it_tab[1][i] = upr(w,1);
912 it_tab[2][i] = upr(w,2);
913 it_tab[3][i] = upr(w,3);
914 #endif
915 #if defined(ONE_IM_TABLE)
916 im_tab[b] = w;
917 #elif defined(FOUR_IM_TABLES)
918 im_tab[0][b] = w;
919 im_tab[1][b] = upr(w,1);
920 im_tab[2][b] = upr(w,2);
921 im_tab[3][b] = upr(w,3);
922 #endif
923
924 }
925 }
926
927 #endif
928
929 #define no_table(x,box,vf,rf,c) bytes2word( \
930 box[bval(vf(x,0,c),rf(0,c))], \
931 box[bval(vf(x,1,c),rf(1,c))], \
932 box[bval(vf(x,2,c),rf(2,c))], \
933 box[bval(vf(x,3,c),rf(3,c))])
934
935 #define one_table(x,op,tab,vf,rf,c) \
936 ( tab[bval(vf(x,0,c),rf(0,c))] \
937 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
938 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
939 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
940
941 #define four_tables(x,tab,vf,rf,c) \
942 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
943 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
944 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
945 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
946
947 #define vf1(x,r,c) (x)
948 #define rf1(r,c) (r)
949 #define rf2(r,c) ((r-c)&3)
950
951 #if defined(FOUR_LR_TABLES)
952 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
953 #elif defined(ONE_LR_TABLE)
954 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
955 #else
956 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
957 #endif
958
959 #if defined(FOUR_IM_TABLES)
960 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
961 #elif defined(ONE_IM_TABLE)
962 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
963 #else
964 #define inv_mcol(x) \
965 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
966 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
967 #endif
968
969 #define nc (AES_BLOCK_SIZE/4)
970
971 // Initialise the key schedule from the user supplied key. The key
972 // length is now specified in bytes - 16, 24 or 32 as appropriate.
973 // This corresponds to bit lengths of 128, 192 and 256 bits, and
974 // to Nk values of 4, 6 and 8 respectively.
975
976 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
977 #define cp(t,f) *t++ = *f++
978
979 #if AES_BLOCK_SIZE == 16
980 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
981 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
982 #elif AES_BLOCK_SIZE == 24
983 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
984 cp(d,s); cp(d,s)
985 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
986 mx(d,s); mx(d,s)
987 #elif AES_BLOCK_SIZE == 32
988 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
989 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
990 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
991 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
992 #else
993
994 #define cpy(d,s) \
995 switch(nc) \
996 { case 8: cp(d,s); cp(d,s); \
997 case 6: cp(d,s); cp(d,s); \
998 case 4: cp(d,s); cp(d,s); \
999 cp(d,s); cp(d,s); \
1000 }
1001
1002 #define mix(d,s) \
1003 switch(nc) \
1004 { case 8: mx(d,s); mx(d,s); \
1005 case 6: mx(d,s); mx(d,s); \
1006 case 4: mx(d,s); mx(d,s); \
1007 mx(d,s); mx(d,s); \
1008 }
1009
1010 #endif
1011
1012 // y = output word, x = input word, r = row, c = column
1013 // for r = 0, 1, 2 and 3 = column accessed for row r
1014
1015 #if defined(ARRAYS)
1016 #define s(x,c) x[c]
1017 #else
1018 #define s(x,c) x##c
1019 #endif
1020
1021 // I am grateful to Frank Yellin for the following constructions
1022 // which, given the column (c) of the output state variable that
1023 // is being computed, return the input state variables which are
1024 // needed for each row (r) of the state
1025
1026 // For the fixed block size options, compilers reduce these two
1027 // expressions to fixed variable references. For variable block
1028 // size code conditional clauses will sometimes be returned
1029
1030 #define unused 77 // Sunset Strip
1031
1032 #define fwd_var(x,r,c) \
1033 ( r==0 ? \
1034 ( c==0 ? s(x,0) \
1035 : c==1 ? s(x,1) \
1036 : c==2 ? s(x,2) \
1037 : c==3 ? s(x,3) \
1038 : c==4 ? s(x,4) \
1039 : c==5 ? s(x,5) \
1040 : c==6 ? s(x,6) \
1041 : s(x,7)) \
1042 : r==1 ? \
1043 ( c==0 ? s(x,1) \
1044 : c==1 ? s(x,2) \
1045 : c==2 ? s(x,3) \
1046 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1047 : c==4 ? s(x,5) \
1048 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1049 : c==6 ? s(x,7) \
1050 : s(x,0)) \
1051 : r==2 ? \
1052 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1053 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1054 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1055 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1056 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1057 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1058 : c==6 ? s(x,1) \
1059 : s(x,2)) \
1060 : \
1061 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1062 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1063 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1064 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1065 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1066 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1067 : c==6 ? s(x,2) \
1068 : s(x,3)))
1069
1070 #define inv_var(x,r,c) \
1071 ( r==0 ? \
1072 ( c==0 ? s(x,0) \
1073 : c==1 ? s(x,1) \
1074 : c==2 ? s(x,2) \
1075 : c==3 ? s(x,3) \
1076 : c==4 ? s(x,4) \
1077 : c==5 ? s(x,5) \
1078 : c==6 ? s(x,6) \
1079 : s(x,7)) \
1080 : r==1 ? \
1081 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1082 : c==1 ? s(x,0) \
1083 : c==2 ? s(x,1) \
1084 : c==3 ? s(x,2) \
1085 : c==4 ? s(x,3) \
1086 : c==5 ? s(x,4) \
1087 : c==6 ? s(x,5) \
1088 : s(x,6)) \
1089 : r==2 ? \
1090 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1091 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1092 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1093 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1094 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1095 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1096 : c==6 ? s(x,3) \
1097 : s(x,4)) \
1098 : \
1099 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1100 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1101 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1102 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1103 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1104 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1105 : c==6 ? s(x,2) \
1106 : s(x,3)))
1107
1108 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1109 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1110
1111 #if defined(FOUR_TABLES)
1112 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1113 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1114 #elif defined(ONE_TABLE)
1115 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1116 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1117 #else
1118 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1119 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1120 #endif
1121
1122 #if defined(FOUR_LR_TABLES)
1123 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1124 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1125 #elif defined(ONE_LR_TABLE)
1126 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1127 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1128 #else
1129 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1130 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1131 #endif
1132
1133 #if AES_BLOCK_SIZE == 16
1134
1135 #if defined(ARRAYS)
1136 #define locals(y,x) x[4],y[4]
1137 #else
1138 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1139 // the following defines prevent the compiler requiring the declaration
1140 // of generated but unused variables in the fwd_var and inv_var macros
1141 #define b04 unused
1142 #define b05 unused
1143 #define b06 unused
1144 #define b07 unused
1145 #define b14 unused
1146 #define b15 unused
1147 #define b16 unused
1148 #define b17 unused
1149 #endif
1150 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1151 s(y,2) = s(x,2); s(y,3) = s(x,3);
1152 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1153 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1154 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1155
1156 #elif AES_BLOCK_SIZE == 24
1157
1158 #if defined(ARRAYS)
1159 #define locals(y,x) x[6],y[6]
1160 #else
1161 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1162 y##0,y##1,y##2,y##3,y##4,y##5
1163 #define b06 unused
1164 #define b07 unused
1165 #define b16 unused
1166 #define b17 unused
1167 #endif
1168 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1169 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1170 s(y,4) = s(x,4); s(y,5) = s(x,5);
1171 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1172 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1173 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1174 so(y,x,3); so(y,x,4); so(y,x,5)
1175 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1176 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1177 #else
1178
1179 #if defined(ARRAYS)
1180 #define locals(y,x) x[8],y[8]
1181 #else
1182 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1183 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1184 #endif
1185 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1186 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1187 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1188 s(y,6) = s(x,6); s(y,7) = s(x,7);
1189
1190 #if AES_BLOCK_SIZE == 32
1191
1192 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1193 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1194 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1195 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1196 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1197 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1198 #else
1199
1200 #define state_in(y,x,k) \
1201 switch(nc) \
1202 { case 8: si(y,x,k,7); si(y,x,k,6); \
1203 case 6: si(y,x,k,5); si(y,x,k,4); \
1204 case 4: si(y,x,k,3); si(y,x,k,2); \
1205 si(y,x,k,1); si(y,x,k,0); \
1206 }
1207
1208 #define state_out(y,x) \
1209 switch(nc) \
1210 { case 8: so(y,x,7); so(y,x,6); \
1211 case 6: so(y,x,5); so(y,x,4); \
1212 case 4: so(y,x,3); so(y,x,2); \
1213 so(y,x,1); so(y,x,0); \
1214 }
1215
1216 #if defined(FAST_VARIABLE)
1217
1218 #define round(rm,y,x,k) \
1219 switch(nc) \
1220 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1221 rm(y,x,k,5); rm(y,x,k,4); \
1222 rm(y,x,k,3); rm(y,x,k,2); \
1223 rm(y,x,k,1); rm(y,x,k,0); \
1224 break; \
1225 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1226 rm(y,x,k,3); rm(y,x,k,2); \
1227 rm(y,x,k,1); rm(y,x,k,0); \
1228 break; \
1229 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1230 rm(y,x,k,1); rm(y,x,k,0); \
1231 break; \
1232 }
1233 #else
1234
1235 #define round(rm,y,x,k) \
1236 switch(nc) \
1237 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1238 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1239 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1240 rm(y,x,k,1); rm(y,x,k,0); \
1241 }
1242
1243 #endif
1244
1245 #endif
1246 #endif
1247
1248 /**
1249 * Encrypt a single block of data.
1250 */
1251 static void encrypt_block(const private_blowfish_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1252 { u_int32_t locals(b0, b1);
1253 const u_int32_t *kp = this->aes_e_key;
1254
1255 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1256 u_int32_t f2;
1257 #endif
1258
1259 state_in(b0, in_blk, kp); kp += nc;
1260
1261 #if defined(UNROLL)
1262
1263 switch(this->aes_Nrnd)
1264 {
1265 case 14: round(fwd_rnd, b1, b0, kp );
1266 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1267 case 12: round(fwd_rnd, b1, b0, kp );
1268 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1269 case 10: round(fwd_rnd, b1, b0, kp );
1270 round(fwd_rnd, b0, b1, kp + nc);
1271 round(fwd_rnd, b1, b0, kp + 2 * nc);
1272 round(fwd_rnd, b0, b1, kp + 3 * nc);
1273 round(fwd_rnd, b1, b0, kp + 4 * nc);
1274 round(fwd_rnd, b0, b1, kp + 5 * nc);
1275 round(fwd_rnd, b1, b0, kp + 6 * nc);
1276 round(fwd_rnd, b0, b1, kp + 7 * nc);
1277 round(fwd_rnd, b1, b0, kp + 8 * nc);
1278 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1279 }
1280
1281 #elif defined(PARTIAL_UNROLL)
1282 { u_int32_t rnd;
1283
1284 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1285 {
1286 round(fwd_rnd, b1, b0, kp);
1287 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1288 }
1289
1290 round(fwd_rnd, b1, b0, kp);
1291 round(fwd_lrnd, b0, b1, kp + nc);
1292 }
1293 #else
1294 { u_int32_t rnd;
1295
1296 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1297 {
1298 round(fwd_rnd, b1, b0, kp);
1299 l_copy(b0, b1); kp += nc;
1300 }
1301
1302 round(fwd_lrnd, b0, b1, kp);
1303 }
1304 #endif
1305
1306 state_out(out_blk, b0);
1307 }
1308
1309 /**
1310 * Decrypt a single block of data.
1311 */
1312 static void decrypt_block(const private_blowfish_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1313 { u_int32_t locals(b0, b1);
1314 const u_int32_t *kp = this->aes_d_key;
1315
1316 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1317 u_int32_t f2, f4, f8, f9;
1318 #endif
1319
1320 state_in(b0, in_blk, kp); kp += nc;
1321
1322 #if defined(UNROLL)
1323
1324 switch(this->aes_Nrnd)
1325 {
1326 case 14: round(inv_rnd, b1, b0, kp );
1327 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1328 case 12: round(inv_rnd, b1, b0, kp );
1329 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1330 case 10: round(inv_rnd, b1, b0, kp );
1331 round(inv_rnd, b0, b1, kp + nc);
1332 round(inv_rnd, b1, b0, kp + 2 * nc);
1333 round(inv_rnd, b0, b1, kp + 3 * nc);
1334 round(inv_rnd, b1, b0, kp + 4 * nc);
1335 round(inv_rnd, b0, b1, kp + 5 * nc);
1336 round(inv_rnd, b1, b0, kp + 6 * nc);
1337 round(inv_rnd, b0, b1, kp + 7 * nc);
1338 round(inv_rnd, b1, b0, kp + 8 * nc);
1339 round(inv_lrnd, b0, b1, kp + 9 * nc);
1340 }
1341
1342 #elif defined(PARTIAL_UNROLL)
1343 { u_int32_t rnd;
1344
1345 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1346 {
1347 round(inv_rnd, b1, b0, kp);
1348 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1349 }
1350
1351 round(inv_rnd, b1, b0, kp);
1352 round(inv_lrnd, b0, b1, kp + nc);
1353 }
1354 #else
1355 { u_int32_t rnd;
1356
1357 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1358 {
1359 round(inv_rnd, b1, b0, kp);
1360 l_copy(b0, b1); kp += nc;
1361 }
1362
1363 round(inv_lrnd, b0, b1, kp);
1364 }
1365 #endif
1366
1367 state_out(out_blk, b0);
1368 }
1369
1370 /**
1371 * Implementation of crypter_t.decrypt.
1372 */
1373 static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
1374 chunk_t *decrypted)
1375 {
1376 int pos;
1377 const u_int32_t *iv_i;
1378 u_int8_t *in, *out;
1379
1380 if (decrypted)
1381 {
1382 *decrypted = chunk_alloc(data.len);
1383 out = decrypted->ptr;
1384 }
1385 else
1386 {
1387 out = data.ptr;
1388 }
1389 in = data.ptr;
1390
1391 pos = data.len-16;
1392 in += pos;
1393 out += pos;
1394 while (pos >= 0)
1395 {
1396 decrypt_block(this, in, out);
1397 if (pos==0)
1398 {
1399 iv_i=(const u_int32_t*) (iv.ptr);
1400 }
1401 else
1402 {
1403 iv_i=(const u_int32_t*) (in-16);
1404 }
1405 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1406 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1407 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1408 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1409 in-=16;
1410 out-=16;
1411 pos-=16;
1412 }
1413 }
1414
1415
1416 /**
1417 * Implementation of crypter_t.decrypt.
1418 */
1419 static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
1420 chunk_t *encrypted)
1421 {
1422 int pos;
1423 const u_int32_t *iv_i;
1424 u_int8_t *in, *out;
1425
1426 in = data.ptr;
1427 out = data.ptr;
1428 if (encrypted)
1429 {
1430 *encrypted = chunk_alloc(data.len);
1431 out = encrypted->ptr;
1432 }
1433
1434 pos=0;
1435 while(pos<data.len)
1436 {
1437 if (pos==0)
1438 {
1439 iv_i=(const u_int32_t*) iv.ptr;
1440 }
1441 else
1442 {
1443 iv_i=(const u_int32_t*) (out-16);
1444 }
1445 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1446 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1447 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1448 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1449 encrypt_block(this, out, out);
1450 in+=16;
1451 out+=16;
1452 pos+=16;
1453 }
1454 }
1455
1456 /**
1457 * Implementation of crypter_t.get_block_size.
1458 */
1459 static size_t get_block_size (private_blowfish_crypter_t *this)
1460 {
1461 return BLOWFISH_BLOCK_SIZE;
1462 }
1463
1464 /**
1465 * Implementation of crypter_t.get_key_size.
1466 */
1467 static size_t get_key_size (private_blowfish_crypter_t *this)
1468 {
1469 return this->key_size;
1470 }
1471
1472 /**
1473 * Implementation of crypter_t.set_key.
1474 */
1475 static void set_key (private_blowfish_crypter_t *this, chunk_t key)
1476 {
1477 u_int32_t *kf, *kt, rci, f = 0;
1478 u_int8_t *in_key = key.ptr;
1479
1480 this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
1481
1482 this->aes_e_key[0] = const_word_in(in_key );
1483 this->aes_e_key[1] = const_word_in(in_key + 4);
1484 this->aes_e_key[2] = const_word_in(in_key + 8);
1485 this->aes_e_key[3] = const_word_in(in_key + 12);
1486
1487 kf = this->aes_e_key;
1488 kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
1489 rci = 0;
1490
1491 switch(this->aes_Nkey)
1492 {
1493 case 4: do
1494 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1495 kf[5] = kf[1] ^ kf[4];
1496 kf[6] = kf[2] ^ kf[5];
1497 kf[7] = kf[3] ^ kf[6];
1498 kf += 4;
1499 }
1500 while(kf < kt);
1501 break;
1502
1503 case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
1504 this->aes_e_key[5] = const_word_in(in_key + 20);
1505 do
1506 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1507 kf[ 7] = kf[1] ^ kf[ 6];
1508 kf[ 8] = kf[2] ^ kf[ 7];
1509 kf[ 9] = kf[3] ^ kf[ 8];
1510 kf[10] = kf[4] ^ kf[ 9];
1511 kf[11] = kf[5] ^ kf[10];
1512 kf += 6;
1513 }
1514 while(kf < kt);
1515 break;
1516
1517 case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
1518 this->aes_e_key[5] = const_word_in(in_key + 20);
1519 this->aes_e_key[6] = const_word_in(in_key + 24);
1520 this->aes_e_key[7] = const_word_in(in_key + 28);
1521 do
1522 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1523 kf[ 9] = kf[1] ^ kf[ 8];
1524 kf[10] = kf[2] ^ kf[ 9];
1525 kf[11] = kf[3] ^ kf[10];
1526 kf[12] = kf[4] ^ ls_box(kf[11],0);
1527 kf[13] = kf[5] ^ kf[12];
1528 kf[14] = kf[6] ^ kf[13];
1529 kf[15] = kf[7] ^ kf[14];
1530 kf += 8;
1531 }
1532 while (kf < kt);
1533 break;
1534 }
1535
1536 if(!f)
1537 {
1538 u_int32_t i;
1539
1540 kt = this->aes_d_key + nc * this->aes_Nrnd;
1541 kf = this->aes_e_key;
1542
1543 cpy(kt, kf); kt -= 2 * nc;
1544
1545 for(i = 1; i < this->aes_Nrnd; ++i)
1546 {
1547 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1548 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1549 u_int32_t f2, f4, f8, f9;
1550 #endif
1551 mix(kt, kf);
1552 #else
1553 cpy(kt, kf);
1554 #endif
1555 kt -= 2 * nc;
1556 }
1557 cpy(kt, kf);
1558 }
1559 }
1560
1561 /**
1562 * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy.
1563 */
1564 static void destroy (private_blowfish_crypter_t *this)
1565 {
1566 free(this);
1567 }
1568
1569 /*
1570 * Described in header
1571 */
1572 blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
1573 {
1574 private_blowfish_crypter_t *this;
1575
1576 if (algo != ENCR_BLOWFISH)
1577 {
1578 return NULL;
1579 }
1580
1581 this = malloc_thing(private_blowfish_crypter_t);
1582
1583 #if !defined(FIXED_TABLES)
1584 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1585 #endif
1586
1587 this->key_size = key_size;
1588 switch(key_size)
1589 {
1590 case 32: /* bytes */
1591 this->aes_Nkey = 8;
1592 break;
1593 case 24: /* bytes */
1594 this->aes_Nkey = 6;
1595 break;
1596 case 16: /* bytes */
1597 this->aes_Nkey = 4;
1598 break;
1599 default:
1600 free(this);
1601 return NULL;
1602 }
1603
1604 this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1605 this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1606 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1607 this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
1608 this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
1609 this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
1610
1611 return &(this->public);
1612 }