a9c1c6053daf2b1aa73d0a6ad66373e2a227f93c
[strongswan.git] / src / libstrongswan / plugins / twofish / twofish_crypter.c
1 /*
2 * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2009 Andreas Steffen
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "twofish_crypter.h"
19
20 /*
21 * The number of key schedule words for different block and key lengths
22 * allowing for method of computation which requires the length to be a
23 * multiple of the key length. This version of AES implementation supports
24 * all three keylengths 16, 24 and 32 bytes!
25 *
26 * Nk = 4 6 8
27 * -------------
28 * Nb = 4 | 60 60 64
29 * 6 | 96 90 96
30 * 8 | 120 120 120
31 */
32 #define AES_KS_LENGTH 120
33 #define AES_RC_LENGTH 29
34
35 #define TWOFISH_BLOCK_SIZE 16
36
37 typedef struct private_twofish_crypter_t private_twofish_crypter_t;
38
39 /**
40 * Class implementing the AES symmetric encryption algorithm.
41 *
42 * @ingroup crypters
43 */
44 struct private_twofish_crypter_t {
45
46 /**
47 * Public part of this class.
48 */
49 twofish_crypter_t public;
50
51 /**
52 * Number of words in the key input block.
53 */
54 u_int32_t aes_Nkey;
55
56 /**
57 * The number of cipher rounds.
58 */
59 u_int32_t aes_Nrnd;
60
61 /**
62 * The encryption key schedule.
63 */
64 u_int32_t aes_e_key[AES_KS_LENGTH];
65
66 /**
67 * The decryption key schedule.
68 */
69 u_int32_t aes_d_key[AES_KS_LENGTH];
70
71 /**
72 * Key size of this AES cypher object.
73 */
74 u_int32_t key_size;
75 };
76
77
78 /* ugly macro stuff */
79
80 /* 1. Define UNROLL for full loop unrolling in encryption and decryption.
81 * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
82 * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
83 * 4. Define FF_TABLES to use tables for field multiplies and inverses.
84 * Do not enable this without understanding stack space requirements.
85 * 5. Define ARRAYS to use arrays to hold the local state block. If this
86 * is not defined, individually declared 32-bit words are used.
87 * 6. Define FAST_VARIABLE if a high speed variable block implementation
88 * is needed (essentially three separate fixed block size code sequences)
89 * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
90 * version using 1 table (2 kbytes of table space) or 4 tables (8
91 * kbytes of table space) for higher speed.
92 * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
93 * increase by using tables for the last rounds but with more table
94 * space (2 or 8 kbytes extra).
95 * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
96 * slower version is provided.
97 * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
98 * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
99 */
100
101 #define UNROLL
102 //#define PARTIAL_UNROLL
103
104 #define FIXED_TABLES
105 //#define FF_TABLES
106 //#define ARRAYS
107 #define FAST_VARIABLE
108
109 //#define ONE_TABLE
110 #define FOUR_TABLES
111
112 //#define ONE_LR_TABLE
113 #define FOUR_LR_TABLES
114
115 //#define ONE_IM_TABLE
116 #define FOUR_IM_TABLES
117
118 #if defined(UNROLL) && defined (PARTIAL_UNROLL)
119 #error both UNROLL and PARTIAL_UNROLL are defined
120 #endif
121
122 #if defined(ONE_TABLE) && defined (FOUR_TABLES)
123 #error both ONE_TABLE and FOUR_TABLES are defined
124 #endif
125
126 #if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
127 #error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
128 #endif
129
130 #if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
131 #error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
132 #endif
133
134 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
135 #error an illegal block size has been specified
136 #endif
137
138 /**
139 * Rotates bytes within words by n positions, moving bytes
140 * to higher index positions with wrap around into low positions.
141 */
142 #define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
143 /**
144 * Moves bytes by n positions to higher index positions in
145 * words but without wrap around.
146 */
147 #define ups(x,n) ((x) << 8 * (n))
148
149 /**
150 * Extracts a byte from a word.
151 */
152 #define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
153 #define bytes2word(b0, b1, b2, b3) \
154 ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
155
156
157 /* little endian processor without data alignment restrictions: AES_LE_OK */
158 /* original code: i386 */
159 #if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
160 #define AES_LE_OK 1
161 /* added (tested): alpha --jjo */
162 #elif defined(__alpha__)|| defined (__alpha)
163 #define AES_LE_OK 1
164 /* added (tested): ia64 --jjo */
165 #elif defined(__ia64__)|| defined (__ia64)
166 #define AES_LE_OK 1
167 #endif
168
169 #ifdef AES_LE_OK
170 /* little endian processor without data alignment restrictions */
171 #define word_in(x) *(u_int32_t*)(x)
172 #define const_word_in(x) *(const u_int32_t*)(x)
173 #define word_out(x,v) *(u_int32_t*)(x) = (v)
174 #define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
175 #else
176 /* slower but generic big endian or with data alignment restrictions */
177 /* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
178 #define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
179 #define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
180 #define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
181 #define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
182 #endif
183
184 // Disable at least some poor combinations of options
185
186 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
187 #define FIXED_TABLES
188 #undef UNROLL
189 #undef ONE_LR_TABLE
190 #undef FOUR_LR_TABLES
191 #undef ONE_IM_TABLE
192 #undef FOUR_IM_TABLES
193 #elif !defined(FOUR_TABLES)
194 #ifdef FOUR_LR_TABLES
195 #undef FOUR_LR_TABLES
196 #define ONE_LR_TABLE
197 #endif
198 #ifdef FOUR_IM_TABLES
199 #undef FOUR_IM_TABLES
200 #define ONE_IM_TABLE
201 #endif
202 #elif !defined(AES_BLOCK_SIZE)
203 #if defined(UNROLL)
204 #define PARTIAL_UNROLL
205 #undef UNROLL
206 #endif
207 #endif
208
209 // the finite field modular polynomial and elements
210
211 #define ff_poly 0x011b
212 #define ff_hi 0x80
213
214 // multiply four bytes in GF(2^8) by 'x' {02} in parallel
215
216 #define m1 0x80808080
217 #define m2 0x7f7f7f7f
218 #define m3 0x0000001b
219 #define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
220
221 // The following defines provide alternative definitions of FFmulX that might
222 // give improved performance if a fast 32-bit multiply is not available. Note
223 // that a temporary variable u needs to be defined where FFmulX is used.
224
225 // #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
226 // #define m4 0x1b1b1b1b
227 // #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
228
229 // perform column mix operation on four bytes in parallel
230
231 #define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
232
233 #if defined(FIXED_TABLES)
234
235 // the S-Box table
236
237 static const unsigned char s_box[256] =
238 {
239 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
240 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
241 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
242 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
243 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
244 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
245 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
246 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
247 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
248 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
249 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
250 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
251 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
252 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
253 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
254 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
255 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
256 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
257 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
258 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
259 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
260 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
261 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
262 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
263 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
264 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
265 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
266 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
267 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
268 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
269 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
270 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
271 };
272
273 // the inverse S-Box table
274
275 static const unsigned char inv_s_box[256] =
276 {
277 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
278 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
279 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
280 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
281 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
282 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
283 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
284 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
285 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
286 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
287 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
288 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
289 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
290 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
291 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
292 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
293 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
294 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
295 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
296 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
297 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
298 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
299 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
300 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
301 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
302 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
303 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
304 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
305 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
306 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
307 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
308 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
309 };
310
311 #define w0(p) 0x000000##p
312
313 // Number of elements required in this table for different
314 // block and key lengths is:
315 //
316 // Nk = 4 6 8
317 // ----------
318 // Nb = 4 | 10 8 7
319 // 6 | 19 12 11
320 // 8 | 29 19 14
321 //
322 // this table can be a table of bytes if the key schedule
323 // code is adjusted accordingly
324
325 static const u_int32_t rcon_tab[29] =
326 {
327 w0(01), w0(02), w0(04), w0(08),
328 w0(10), w0(20), w0(40), w0(80),
329 w0(1b), w0(36), w0(6c), w0(d8),
330 w0(ab), w0(4d), w0(9a), w0(2f),
331 w0(5e), w0(bc), w0(63), w0(c6),
332 w0(97), w0(35), w0(6a), w0(d4),
333 w0(b3), w0(7d), w0(fa), w0(ef),
334 w0(c5)
335 };
336
337 #undef w0
338
339 #define r0(p,q,r,s) 0x##p##q##r##s
340 #define r1(p,q,r,s) 0x##q##r##s##p
341 #define r2(p,q,r,s) 0x##r##s##p##q
342 #define r3(p,q,r,s) 0x##s##p##q##r
343 #define w0(p) 0x000000##p
344 #define w1(p) 0x0000##p##00
345 #define w2(p) 0x00##p##0000
346 #define w3(p) 0x##p##000000
347
348 #if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
349
350 // data for forward tables (other than last round)
351
352 #define f_table \
353 r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
354 r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
355 r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
356 r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
357 r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
358 r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
359 r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
360 r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
361 r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
362 r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
363 r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
364 r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
365 r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
366 r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
367 r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
368 r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
369 r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
370 r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
371 r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
372 r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
373 r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
374 r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
375 r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
376 r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
377 r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
378 r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
379 r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
380 r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
381 r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
382 r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
383 r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
384 r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
385 r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
386 r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
387 r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
388 r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
389 r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
390 r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
391 r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
392 r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
393 r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
394 r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
395 r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
396 r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
397 r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
398 r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
399 r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
400 r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
401 r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
402 r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
403 r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
404 r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
405 r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
406 r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
407 r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
408 r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
409 r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
410 r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
411 r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
412 r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
413 r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
414 r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
415 r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
416 r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
417
418 // data for inverse tables (other than last round)
419
420 #define i_table \
421 r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
422 r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
423 r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
424 r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
425 r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
426 r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
427 r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
428 r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
429 r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
430 r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
431 r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
432 r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
433 r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
434 r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
435 r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
436 r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
437 r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
438 r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
439 r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
440 r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
441 r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
442 r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
443 r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
444 r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
445 r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
446 r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
447 r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
448 r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
449 r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
450 r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
451 r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
452 r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
453 r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
454 r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
455 r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
456 r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
457 r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
458 r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
459 r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
460 r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
461 r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
462 r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
463 r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
464 r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
465 r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
466 r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
467 r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
468 r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
469 r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
470 r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
471 r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
472 r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
473 r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
474 r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
475 r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
476 r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
477 r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
478 r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
479 r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
480 r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
481 r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
482 r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
483 r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
484 r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
485
486 // generate the required tables in the desired endian format
487
488 #undef r
489 #define r r0
490
491 #if defined(ONE_TABLE)
492 static const u_int32_t ft_tab[256] =
493 { f_table };
494 #elif defined(FOUR_TABLES)
495 static const u_int32_t ft_tab[4][256] =
496 { { f_table },
497 #undef r
498 #define r r1
499 { f_table },
500 #undef r
501 #define r r2
502 { f_table },
503 #undef r
504 #define r r3
505 { f_table }
506 };
507 #endif
508
509 #undef r
510 #define r r0
511 #if defined(ONE_TABLE)
512 static const u_int32_t it_tab[256] =
513 { i_table };
514 #elif defined(FOUR_TABLES)
515 static const u_int32_t it_tab[4][256] =
516 { { i_table },
517 #undef r
518 #define r r1
519 { i_table },
520 #undef r
521 #define r r2
522 { i_table },
523 #undef r
524 #define r r3
525 { i_table }
526 };
527 #endif
528
529 #endif
530
531 #if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
532
533 // data for inverse tables (last round)
534
535 #define li_table \
536 w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
537 w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
538 w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
539 w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
540 w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
541 w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
542 w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
543 w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
544 w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
545 w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
546 w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
547 w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
548 w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
549 w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
550 w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
551 w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
552 w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
553 w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
554 w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
555 w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
556 w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
557 w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
558 w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
559 w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
560 w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
561 w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
562 w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
563 w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
564 w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
565 w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
566 w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
567 w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
568
569 // generate the required tables in the desired endian format
570
571 #undef r
572 #define r(p,q,r,s) w0(q)
573 #if defined(ONE_LR_TABLE)
574 static const u_int32_t fl_tab[256] =
575 { f_table };
576 #elif defined(FOUR_LR_TABLES)
577 static const u_int32_t fl_tab[4][256] =
578 { { f_table },
579 #undef r
580 #define r(p,q,r,s) w1(q)
581 { f_table },
582 #undef r
583 #define r(p,q,r,s) w2(q)
584 { f_table },
585 #undef r
586 #define r(p,q,r,s) w3(q)
587 { f_table }
588 };
589 #endif
590
591 #undef w
592 #define w w0
593 #if defined(ONE_LR_TABLE)
594 static const u_int32_t il_tab[256] =
595 { li_table };
596 #elif defined(FOUR_LR_TABLES)
597 static const u_int32_t il_tab[4][256] =
598 { { li_table },
599 #undef w
600 #define w w1
601 { li_table },
602 #undef w
603 #define w w2
604 { li_table },
605 #undef w
606 #define w w3
607 { li_table }
608 };
609 #endif
610
611 #endif
612
613 #if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
614
615 #define m_table \
616 r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
617 r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
618 r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
619 r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
620 r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
621 r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
622 r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
623 r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
624 r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
625 r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
626 r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
627 r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
628 r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
629 r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
630 r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
631 r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
632 r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
633 r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
634 r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
635 r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
636 r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
637 r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
638 r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
639 r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
640 r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
641 r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
642 r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
643 r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
644 r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
645 r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
646 r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
647 r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
648 r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
649 r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
650 r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
651 r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
652 r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
653 r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
654 r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
655 r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
656 r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
657 r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
658 r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
659 r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
660 r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
661 r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
662 r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
663 r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
664 r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
665 r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
666 r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
667 r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
668 r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
669 r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
670 r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
671 r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
672 r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
673 r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
674 r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
675 r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
676 r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
677 r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
678 r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
679 r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
680
681 #undef r
682 #define r r0
683
684 #if defined(ONE_IM_TABLE)
685 static const u_int32_t im_tab[256] =
686 { m_table };
687 #elif defined(FOUR_IM_TABLES)
688 static const u_int32_t im_tab[4][256] =
689 { { m_table },
690 #undef r
691 #define r r1
692 { m_table },
693 #undef r
694 #define r r2
695 { m_table },
696 #undef r
697 #define r r3
698 { m_table }
699 };
700 #endif
701
702 #endif
703
704 #else
705
706 static int tab_gen = 0;
707
708 static unsigned char s_box[256]; // the S box
709 static unsigned char inv_s_box[256]; // the inverse S box
710 static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
711
712 #if defined(ONE_TABLE)
713 static u_int32_t ft_tab[256];
714 static u_int32_t it_tab[256];
715 #elif defined(FOUR_TABLES)
716 static u_int32_t ft_tab[4][256];
717 static u_int32_t it_tab[4][256];
718 #endif
719
720 #if defined(ONE_LR_TABLE)
721 static u_int32_t fl_tab[256];
722 static u_int32_t il_tab[256];
723 #elif defined(FOUR_LR_TABLES)
724 static u_int32_t fl_tab[4][256];
725 static u_int32_t il_tab[4][256];
726 #endif
727
728 #if defined(ONE_IM_TABLE)
729 static u_int32_t im_tab[256];
730 #elif defined(FOUR_IM_TABLES)
731 static u_int32_t im_tab[4][256];
732 #endif
733
734 // Generate the tables for the dynamic table option
735
736 #if !defined(FF_TABLES)
737
738 // It will generally be sensible to use tables to compute finite
739 // field multiplies and inverses but where memory is scarse this
740 // code might sometimes be better.
741
742 // return 2 ^ (n - 1) where n is the bit number of the highest bit
743 // set in x with x in the range 1 < x < 0x00000200. This form is
744 // used so that locals within FFinv can be bytes rather than words
745
746 static unsigned char hibit(const u_int32_t x)
747 { unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
748
749 r |= (r >> 2);
750 r |= (r >> 4);
751 return (r + 1) >> 1;
752 }
753
754 // return the inverse of the finite field element x
755
756 static unsigned char FFinv(const unsigned char x)
757 { unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
758
759 if(x < 2) return x;
760
761 for(;;)
762 {
763 if(!n1) return v1;
764
765 while(n2 >= n1)
766 {
767 n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
768 }
769
770 if(!n2) return v2;
771
772 while(n1 >= n2)
773 {
774 n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
775 }
776 }
777 }
778
779 // define the finite field multiplies required for Rijndael
780
781 #define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
782 #define FFmul03(x) ((x) ^ FFmul02(x))
783 #define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
784 #define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
785 #define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
786 #define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
787
788 #else
789
790 #define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
791
792 #define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
793 #define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
794 #define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
795 #define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
796 #define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
797 #define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
798
799 #endif
800
801 // The forward and inverse affine transformations used in the S-box
802
803 #define fwd_affine(x) \
804 (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
805
806 #define inv_affine(x) \
807 (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
808
809 static void gen_tabs(void)
810 { u_int32_t i, w;
811
812 #if defined(FF_TABLES)
813
814 unsigned char pow[512], log[256];
815
816 // log and power tables for GF(2^8) finite field with
817 // 0x011b as modular polynomial - the simplest primitive
818 // root is 0x03, used here to generate the tables
819
820 i = 0; w = 1;
821 do
822 {
823 pow[i] = (unsigned char)w;
824 pow[i + 255] = (unsigned char)w;
825 log[w] = (unsigned char)i++;
826 w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
827 }
828 while (w != 1);
829
830 #endif
831
832 for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
833 {
834 rcon_tab[i] = bytes2word(w, 0, 0, 0);
835 w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
836 }
837
838 for(i = 0; i < 256; ++i)
839 { unsigned char b;
840
841 s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
842
843 w = bytes2word(b, 0, 0, 0);
844 #if defined(ONE_LR_TABLE)
845 fl_tab[i] = w;
846 #elif defined(FOUR_LR_TABLES)
847 fl_tab[0][i] = w;
848 fl_tab[1][i] = upr(w,1);
849 fl_tab[2][i] = upr(w,2);
850 fl_tab[3][i] = upr(w,3);
851 #endif
852 w = bytes2word(FFmul02(b), b, b, FFmul03(b));
853 #if defined(ONE_TABLE)
854 ft_tab[i] = w;
855 #elif defined(FOUR_TABLES)
856 ft_tab[0][i] = w;
857 ft_tab[1][i] = upr(w,1);
858 ft_tab[2][i] = upr(w,2);
859 ft_tab[3][i] = upr(w,3);
860 #endif
861 inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
862
863 w = bytes2word(b, 0, 0, 0);
864 #if defined(ONE_LR_TABLE)
865 il_tab[i] = w;
866 #elif defined(FOUR_LR_TABLES)
867 il_tab[0][i] = w;
868 il_tab[1][i] = upr(w,1);
869 il_tab[2][i] = upr(w,2);
870 il_tab[3][i] = upr(w,3);
871 #endif
872 w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
873 #if defined(ONE_TABLE)
874 it_tab[i] = w;
875 #elif defined(FOUR_TABLES)
876 it_tab[0][i] = w;
877 it_tab[1][i] = upr(w,1);
878 it_tab[2][i] = upr(w,2);
879 it_tab[3][i] = upr(w,3);
880 #endif
881 #if defined(ONE_IM_TABLE)
882 im_tab[b] = w;
883 #elif defined(FOUR_IM_TABLES)
884 im_tab[0][b] = w;
885 im_tab[1][b] = upr(w,1);
886 im_tab[2][b] = upr(w,2);
887 im_tab[3][b] = upr(w,3);
888 #endif
889
890 }
891 }
892
893 #endif
894
895 #define no_table(x,box,vf,rf,c) bytes2word( \
896 box[bval(vf(x,0,c),rf(0,c))], \
897 box[bval(vf(x,1,c),rf(1,c))], \
898 box[bval(vf(x,2,c),rf(2,c))], \
899 box[bval(vf(x,3,c),rf(3,c))])
900
901 #define one_table(x,op,tab,vf,rf,c) \
902 ( tab[bval(vf(x,0,c),rf(0,c))] \
903 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
904 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
905 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
906
907 #define four_tables(x,tab,vf,rf,c) \
908 ( tab[0][bval(vf(x,0,c),rf(0,c))] \
909 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
910 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
911 ^ tab[3][bval(vf(x,3,c),rf(3,c))])
912
913 #define vf1(x,r,c) (x)
914 #define rf1(r,c) (r)
915 #define rf2(r,c) ((r-c)&3)
916
917 #if defined(FOUR_LR_TABLES)
918 #define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
919 #elif defined(ONE_LR_TABLE)
920 #define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
921 #else
922 #define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
923 #endif
924
925 #if defined(FOUR_IM_TABLES)
926 #define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
927 #elif defined(ONE_IM_TABLE)
928 #define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
929 #else
930 #define inv_mcol(x) \
931 (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
932 f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
933 #endif
934
935 #define nc (AES_BLOCK_SIZE/4)
936
937 // Initialise the key schedule from the user supplied key. The key
938 // length is now specified in bytes - 16, 24 or 32 as appropriate.
939 // This corresponds to bit lengths of 128, 192 and 256 bits, and
940 // to Nk values of 4, 6 and 8 respectively.
941
942 #define mx(t,f) (*t++ = inv_mcol(*f),f++)
943 #define cp(t,f) *t++ = *f++
944
945 #if AES_BLOCK_SIZE == 16
946 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
947 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
948 #elif AES_BLOCK_SIZE == 24
949 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
950 cp(d,s); cp(d,s)
951 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
952 mx(d,s); mx(d,s)
953 #elif AES_BLOCK_SIZE == 32
954 #define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
955 cp(d,s); cp(d,s); cp(d,s); cp(d,s)
956 #define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
957 mx(d,s); mx(d,s); mx(d,s); mx(d,s)
958 #else
959
960 #define cpy(d,s) \
961 switch(nc) \
962 { case 8: cp(d,s); cp(d,s); \
963 case 6: cp(d,s); cp(d,s); \
964 case 4: cp(d,s); cp(d,s); \
965 cp(d,s); cp(d,s); \
966 }
967
968 #define mix(d,s) \
969 switch(nc) \
970 { case 8: mx(d,s); mx(d,s); \
971 case 6: mx(d,s); mx(d,s); \
972 case 4: mx(d,s); mx(d,s); \
973 mx(d,s); mx(d,s); \
974 }
975
976 #endif
977
978 // y = output word, x = input word, r = row, c = column
979 // for r = 0, 1, 2 and 3 = column accessed for row r
980
981 #if defined(ARRAYS)
982 #define s(x,c) x[c]
983 #else
984 #define s(x,c) x##c
985 #endif
986
987 // I am grateful to Frank Yellin for the following constructions
988 // which, given the column (c) of the output state variable that
989 // is being computed, return the input state variables which are
990 // needed for each row (r) of the state
991
992 // For the fixed block size options, compilers reduce these two
993 // expressions to fixed variable references. For variable block
994 // size code conditional clauses will sometimes be returned
995
996 #define unused 77 // Sunset Strip
997
998 #define fwd_var(x,r,c) \
999 ( r==0 ? \
1000 ( c==0 ? s(x,0) \
1001 : c==1 ? s(x,1) \
1002 : c==2 ? s(x,2) \
1003 : c==3 ? s(x,3) \
1004 : c==4 ? s(x,4) \
1005 : c==5 ? s(x,5) \
1006 : c==6 ? s(x,6) \
1007 : s(x,7)) \
1008 : r==1 ? \
1009 ( c==0 ? s(x,1) \
1010 : c==1 ? s(x,2) \
1011 : c==2 ? s(x,3) \
1012 : c==3 ? nc==4 ? s(x,0) : s(x,4) \
1013 : c==4 ? s(x,5) \
1014 : c==5 ? nc==8 ? s(x,6) : s(x,0) \
1015 : c==6 ? s(x,7) \
1016 : s(x,0)) \
1017 : r==2 ? \
1018 ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
1019 : c==1 ? nc==8 ? s(x,4) : s(x,3) \
1020 : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1021 : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1022 : c==4 ? nc==8 ? s(x,7) : s(x,0) \
1023 : c==5 ? nc==8 ? s(x,0) : s(x,1) \
1024 : c==6 ? s(x,1) \
1025 : s(x,2)) \
1026 : \
1027 ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
1028 : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
1029 : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
1030 : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
1031 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1032 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1033 : c==6 ? s(x,2) \
1034 : s(x,3)))
1035
1036 #define inv_var(x,r,c) \
1037 ( r==0 ? \
1038 ( c==0 ? s(x,0) \
1039 : c==1 ? s(x,1) \
1040 : c==2 ? s(x,2) \
1041 : c==3 ? s(x,3) \
1042 : c==4 ? s(x,4) \
1043 : c==5 ? s(x,5) \
1044 : c==6 ? s(x,6) \
1045 : s(x,7)) \
1046 : r==1 ? \
1047 ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
1048 : c==1 ? s(x,0) \
1049 : c==2 ? s(x,1) \
1050 : c==3 ? s(x,2) \
1051 : c==4 ? s(x,3) \
1052 : c==5 ? s(x,4) \
1053 : c==6 ? s(x,5) \
1054 : s(x,6)) \
1055 : r==2 ? \
1056 ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1057 : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1058 : c==2 ? nc==8 ? s(x,7) : s(x,0) \
1059 : c==3 ? nc==8 ? s(x,0) : s(x,1) \
1060 : c==4 ? nc==8 ? s(x,1) : s(x,2) \
1061 : c==5 ? nc==8 ? s(x,2) : s(x,3) \
1062 : c==6 ? s(x,3) \
1063 : s(x,4)) \
1064 : \
1065 ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
1066 : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
1067 : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
1068 : c==3 ? nc==8 ? s(x,7) : s(x,0) \
1069 : c==4 ? nc==8 ? s(x,0) : s(x,1) \
1070 : c==5 ? nc==8 ? s(x,1) : s(x,2) \
1071 : c==6 ? s(x,2) \
1072 : s(x,3)))
1073
1074 #define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
1075 #define so(y,x,c) word_out(y + 4 * c, s(x,c))
1076
1077 #if defined(FOUR_TABLES)
1078 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
1079 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
1080 #elif defined(ONE_TABLE)
1081 #define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
1082 #define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
1083 #else
1084 #define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
1085 #define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
1086 #endif
1087
1088 #if defined(FOUR_LR_TABLES)
1089 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
1090 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
1091 #elif defined(ONE_LR_TABLE)
1092 #define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
1093 #define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
1094 #else
1095 #define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
1096 #define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
1097 #endif
1098
1099 #if AES_BLOCK_SIZE == 16
1100
1101 #if defined(ARRAYS)
1102 #define locals(y,x) x[4],y[4]
1103 #else
1104 #define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
1105 // the following defines prevent the compiler requiring the declaration
1106 // of generated but unused variables in the fwd_var and inv_var macros
1107 #define b04 unused
1108 #define b05 unused
1109 #define b06 unused
1110 #define b07 unused
1111 #define b14 unused
1112 #define b15 unused
1113 #define b16 unused
1114 #define b17 unused
1115 #endif
1116 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1117 s(y,2) = s(x,2); s(y,3) = s(x,3);
1118 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
1119 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
1120 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
1121
1122 #elif AES_BLOCK_SIZE == 24
1123
1124 #if defined(ARRAYS)
1125 #define locals(y,x) x[6],y[6]
1126 #else
1127 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
1128 y##0,y##1,y##2,y##3,y##4,y##5
1129 #define b06 unused
1130 #define b07 unused
1131 #define b16 unused
1132 #define b17 unused
1133 #endif
1134 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1135 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1136 s(y,4) = s(x,4); s(y,5) = s(x,5);
1137 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
1138 si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
1139 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
1140 so(y,x,3); so(y,x,4); so(y,x,5)
1141 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
1142 rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
1143 #else
1144
1145 #if defined(ARRAYS)
1146 #define locals(y,x) x[8],y[8]
1147 #else
1148 #define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
1149 y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
1150 #endif
1151 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
1152 s(y,2) = s(x,2); s(y,3) = s(x,3); \
1153 s(y,4) = s(x,4); s(y,5) = s(x,5); \
1154 s(y,6) = s(x,6); s(y,7) = s(x,7);
1155
1156 #if AES_BLOCK_SIZE == 32
1157
1158 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
1159 si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
1160 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
1161 so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
1162 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
1163 rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
1164 #else
1165
1166 #define state_in(y,x,k) \
1167 switch(nc) \
1168 { case 8: si(y,x,k,7); si(y,x,k,6); \
1169 case 6: si(y,x,k,5); si(y,x,k,4); \
1170 case 4: si(y,x,k,3); si(y,x,k,2); \
1171 si(y,x,k,1); si(y,x,k,0); \
1172 }
1173
1174 #define state_out(y,x) \
1175 switch(nc) \
1176 { case 8: so(y,x,7); so(y,x,6); \
1177 case 6: so(y,x,5); so(y,x,4); \
1178 case 4: so(y,x,3); so(y,x,2); \
1179 so(y,x,1); so(y,x,0); \
1180 }
1181
1182 #if defined(FAST_VARIABLE)
1183
1184 #define round(rm,y,x,k) \
1185 switch(nc) \
1186 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1187 rm(y,x,k,5); rm(y,x,k,4); \
1188 rm(y,x,k,3); rm(y,x,k,2); \
1189 rm(y,x,k,1); rm(y,x,k,0); \
1190 break; \
1191 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1192 rm(y,x,k,3); rm(y,x,k,2); \
1193 rm(y,x,k,1); rm(y,x,k,0); \
1194 break; \
1195 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1196 rm(y,x,k,1); rm(y,x,k,0); \
1197 break; \
1198 }
1199 #else
1200
1201 #define round(rm,y,x,k) \
1202 switch(nc) \
1203 { case 8: rm(y,x,k,7); rm(y,x,k,6); \
1204 case 6: rm(y,x,k,5); rm(y,x,k,4); \
1205 case 4: rm(y,x,k,3); rm(y,x,k,2); \
1206 rm(y,x,k,1); rm(y,x,k,0); \
1207 }
1208
1209 #endif
1210
1211 #endif
1212 #endif
1213
1214 /**
1215 * Encrypt a single block of data.
1216 */
1217 static void encrypt_block(const private_twofish_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1218 { u_int32_t locals(b0, b1);
1219 const u_int32_t *kp = this->aes_e_key;
1220
1221 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1222 u_int32_t f2;
1223 #endif
1224
1225 state_in(b0, in_blk, kp); kp += nc;
1226
1227 #if defined(UNROLL)
1228
1229 switch(this->aes_Nrnd)
1230 {
1231 case 14: round(fwd_rnd, b1, b0, kp );
1232 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1233 case 12: round(fwd_rnd, b1, b0, kp );
1234 round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1235 case 10: round(fwd_rnd, b1, b0, kp );
1236 round(fwd_rnd, b0, b1, kp + nc);
1237 round(fwd_rnd, b1, b0, kp + 2 * nc);
1238 round(fwd_rnd, b0, b1, kp + 3 * nc);
1239 round(fwd_rnd, b1, b0, kp + 4 * nc);
1240 round(fwd_rnd, b0, b1, kp + 5 * nc);
1241 round(fwd_rnd, b1, b0, kp + 6 * nc);
1242 round(fwd_rnd, b0, b1, kp + 7 * nc);
1243 round(fwd_rnd, b1, b0, kp + 8 * nc);
1244 round(fwd_lrnd, b0, b1, kp + 9 * nc);
1245 }
1246
1247 #elif defined(PARTIAL_UNROLL)
1248 { u_int32_t rnd;
1249
1250 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1251 {
1252 round(fwd_rnd, b1, b0, kp);
1253 round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
1254 }
1255
1256 round(fwd_rnd, b1, b0, kp);
1257 round(fwd_lrnd, b0, b1, kp + nc);
1258 }
1259 #else
1260 { u_int32_t rnd;
1261
1262 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1263 {
1264 round(fwd_rnd, b1, b0, kp);
1265 l_copy(b0, b1); kp += nc;
1266 }
1267
1268 round(fwd_lrnd, b0, b1, kp);
1269 }
1270 #endif
1271
1272 state_out(out_blk, b0);
1273 }
1274
1275 /**
1276 * Decrypt a single block of data.
1277 */
1278 static void decrypt_block(const private_twofish_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
1279 { u_int32_t locals(b0, b1);
1280 const u_int32_t *kp = this->aes_d_key;
1281
1282 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
1283 u_int32_t f2, f4, f8, f9;
1284 #endif
1285
1286 state_in(b0, in_blk, kp); kp += nc;
1287
1288 #if defined(UNROLL)
1289
1290 switch(this->aes_Nrnd)
1291 {
1292 case 14: round(inv_rnd, b1, b0, kp );
1293 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1294 case 12: round(inv_rnd, b1, b0, kp );
1295 round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
1296 case 10: round(inv_rnd, b1, b0, kp );
1297 round(inv_rnd, b0, b1, kp + nc);
1298 round(inv_rnd, b1, b0, kp + 2 * nc);
1299 round(inv_rnd, b0, b1, kp + 3 * nc);
1300 round(inv_rnd, b1, b0, kp + 4 * nc);
1301 round(inv_rnd, b0, b1, kp + 5 * nc);
1302 round(inv_rnd, b1, b0, kp + 6 * nc);
1303 round(inv_rnd, b0, b1, kp + 7 * nc);
1304 round(inv_rnd, b1, b0, kp + 8 * nc);
1305 round(inv_lrnd, b0, b1, kp + 9 * nc);
1306 }
1307
1308 #elif defined(PARTIAL_UNROLL)
1309 { u_int32_t rnd;
1310
1311 for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
1312 {
1313 round(inv_rnd, b1, b0, kp);
1314 round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
1315 }
1316
1317 round(inv_rnd, b1, b0, kp);
1318 round(inv_lrnd, b0, b1, kp + nc);
1319 }
1320 #else
1321 { u_int32_t rnd;
1322
1323 for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
1324 {
1325 round(inv_rnd, b1, b0, kp);
1326 l_copy(b0, b1); kp += nc;
1327 }
1328
1329 round(inv_lrnd, b0, b1, kp);
1330 }
1331 #endif
1332
1333 state_out(out_blk, b0);
1334 }
1335
1336 /**
1337 * Implementation of crypter_t.decrypt.
1338 */
1339 static void decrypt(private_twofish_crypter_t *this, chunk_t data, chunk_t iv,
1340 chunk_t *decrypted)
1341 {
1342 int pos;
1343 const u_int32_t *iv_i;
1344 u_int8_t *in, *out;
1345
1346 if (decrypted)
1347 {
1348 *decrypted = chunk_alloc(data.len);
1349 out = decrypted->ptr;
1350 }
1351 else
1352 {
1353 out = data.ptr;
1354 }
1355 in = data.ptr;
1356
1357 pos = data.len-16;
1358 in += pos;
1359 out += pos;
1360 while (pos >= 0)
1361 {
1362 decrypt_block(this, in, out);
1363 if (pos==0)
1364 {
1365 iv_i=(const u_int32_t*) (iv.ptr);
1366 }
1367 else
1368 {
1369 iv_i=(const u_int32_t*) (in-16);
1370 }
1371 *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
1372 *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
1373 *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
1374 *((u_int32_t *)(&out[12])) ^= iv_i[3];
1375 in-=16;
1376 out-=16;
1377 pos-=16;
1378 }
1379 }
1380
1381
1382 /**
1383 * Implementation of crypter_t.decrypt.
1384 */
1385 static void encrypt (private_twofish_crypter_t *this, chunk_t data, chunk_t iv,
1386 chunk_t *encrypted)
1387 {
1388 int pos;
1389 const u_int32_t *iv_i;
1390 u_int8_t *in, *out;
1391
1392 in = data.ptr;
1393 out = data.ptr;
1394 if (encrypted)
1395 {
1396 *encrypted = chunk_alloc(data.len);
1397 out = encrypted->ptr;
1398 }
1399
1400 pos=0;
1401 while(pos<data.len)
1402 {
1403 if (pos==0)
1404 {
1405 iv_i=(const u_int32_t*) iv.ptr;
1406 }
1407 else
1408 {
1409 iv_i=(const u_int32_t*) (out-16);
1410 }
1411 *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
1412 *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
1413 *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
1414 *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
1415 encrypt_block(this, out, out);
1416 in+=16;
1417 out+=16;
1418 pos+=16;
1419 }
1420 }
1421
1422 /**
1423 * Implementation of crypter_t.get_block_size.
1424 */
1425 static size_t get_block_size (private_twofish_crypter_t *this)
1426 {
1427 return TWOFISH_BLOCK_SIZE;
1428 }
1429
1430 /**
1431 * Implementation of crypter_t.get_key_size.
1432 */
1433 static size_t get_key_size (private_twofish_crypter_t *this)
1434 {
1435 return this->key_size;
1436 }
1437
1438 /**
1439 * Implementation of crypter_t.set_key.
1440 */
1441 static void set_key (private_twofish_crypter_t *this, chunk_t key)
1442 {
1443 u_int32_t *kf, *kt, rci, f = 0;
1444 u_int8_t *in_key = key.ptr;
1445
1446 this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
1447
1448 this->aes_e_key[0] = const_word_in(in_key );
1449 this->aes_e_key[1] = const_word_in(in_key + 4);
1450 this->aes_e_key[2] = const_word_in(in_key + 8);
1451 this->aes_e_key[3] = const_word_in(in_key + 12);
1452
1453 kf = this->aes_e_key;
1454 kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
1455 rci = 0;
1456
1457 switch(this->aes_Nkey)
1458 {
1459 case 4: do
1460 { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
1461 kf[5] = kf[1] ^ kf[4];
1462 kf[6] = kf[2] ^ kf[5];
1463 kf[7] = kf[3] ^ kf[6];
1464 kf += 4;
1465 }
1466 while(kf < kt);
1467 break;
1468
1469 case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
1470 this->aes_e_key[5] = const_word_in(in_key + 20);
1471 do
1472 { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
1473 kf[ 7] = kf[1] ^ kf[ 6];
1474 kf[ 8] = kf[2] ^ kf[ 7];
1475 kf[ 9] = kf[3] ^ kf[ 8];
1476 kf[10] = kf[4] ^ kf[ 9];
1477 kf[11] = kf[5] ^ kf[10];
1478 kf += 6;
1479 }
1480 while(kf < kt);
1481 break;
1482
1483 case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
1484 this->aes_e_key[5] = const_word_in(in_key + 20);
1485 this->aes_e_key[6] = const_word_in(in_key + 24);
1486 this->aes_e_key[7] = const_word_in(in_key + 28);
1487 do
1488 { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
1489 kf[ 9] = kf[1] ^ kf[ 8];
1490 kf[10] = kf[2] ^ kf[ 9];
1491 kf[11] = kf[3] ^ kf[10];
1492 kf[12] = kf[4] ^ ls_box(kf[11],0);
1493 kf[13] = kf[5] ^ kf[12];
1494 kf[14] = kf[6] ^ kf[13];
1495 kf[15] = kf[7] ^ kf[14];
1496 kf += 8;
1497 }
1498 while (kf < kt);
1499 break;
1500 }
1501
1502 if(!f)
1503 {
1504 u_int32_t i;
1505
1506 kt = this->aes_d_key + nc * this->aes_Nrnd;
1507 kf = this->aes_e_key;
1508
1509 cpy(kt, kf); kt -= 2 * nc;
1510
1511 for(i = 1; i < this->aes_Nrnd; ++i)
1512 {
1513 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
1514 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
1515 u_int32_t f2, f4, f8, f9;
1516 #endif
1517 mix(kt, kf);
1518 #else
1519 cpy(kt, kf);
1520 #endif
1521 kt -= 2 * nc;
1522 }
1523 cpy(kt, kf);
1524 }
1525 }
1526
1527 /**
1528 * Implementation of crypter_t.destroy and twofish_crypter_t.destroy.
1529 */
1530 static void destroy (private_twofish_crypter_t *this)
1531 {
1532 free(this);
1533 }
1534
1535 /*
1536 * Described in header
1537 */
1538 twofish_crypter_t *twofish_crypter_create(encryption_algorithm_t algo, size_t key_size)
1539 {
1540 private_twofish_crypter_t *this;
1541
1542 if (algo != ENCR_TWOFISH)
1543 {
1544 return NULL;
1545 }
1546
1547 this = malloc_thing(private_twofish_crypter_t);
1548
1549 #if !defined(FIXED_TABLES)
1550 if(!tab_gen) { gen_tabs(); tab_gen = 1; }
1551 #endif
1552
1553 this->key_size = key_size;
1554 switch(key_size)
1555 {
1556 case 32: /* bytes */
1557 this->aes_Nkey = 8;
1558 break;
1559 case 24: /* bytes */
1560 this->aes_Nkey = 6;
1561 break;
1562 case 16: /* bytes */
1563 this->aes_Nkey = 4;
1564 break;
1565 default:
1566 free(this);
1567 return NULL;
1568 }
1569
1570 this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
1571 this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
1572 this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
1573 this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
1574 this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
1575 this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
1576
1577 return &(this->public);
1578 }