Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / 4ebaa86a3ab1ea390d238e1f6dee62cd837c60ed / . / stack / smp / aes.cc
blob: 1665fcc763a2c6d4253764924b67a43e9a984efc [file] [log] [blame]
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]1/*
2 ---------------------------------------------------------------------------
3 Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.
4
5 LICENSE TERMS
6
7 The redistribution and use of this software (with or without changes)
8 is allowed without the payment of fees or royalties provided that:
9
10 1. source code distributions include the above copyright notice, this
11 list of conditions and the following disclaimer;
12
13 2. binary distributions include the above copyright notice, this list
14 of conditions and the following disclaimer in their documentation;
15
16 3. the name of the copyright holder is not used to endorse products
17 built using this software without specific written permission.
18
19 DISCLAIMER
20
21 This software is provided 'as is' with no explicit or implied warranties
22 in respect of its properties, including, but not limited to, correctness
23 and/or fitness for purpose.
24 ---------------------------------------------------------------------------
25 Issue 09/09/2006
26
27 This is an AES implementation that uses only 8-bit byte operations on the
28 cipher state (there are options to use 32-bit types if available).
29
30 The combination of mix columns and byte substitution used here is based on
31 that developed by Karl Malbrain. His contribution is acknowledged.
32 */
33
34/* define if you have a fast memcpy function on your system */
35#if 1
36# define HAVE_MEMCPY
37# include <string.h>
38#if 0
39# if defined( _MSC_VER )
40# include <intrin.h>
41# pragma intrinsic( memcpy )
42# endif
43#endif
44#endif
45
46#include <stdlib.h>
47
Satya Calloji444a8da2015-03-06 10:38:22 -0800[diff] [blame]48/* add the target configuration to allow using internal data types and compilation options */
49#include "bt_target.h"
50
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]51/* define if you have fast 32-bit types on your system */
52#if 1
53# define HAVE_UINT_32T
54#endif
55
56/* define if you don't want any tables */
57#if 1
58# define USE_TABLES
59#endif
60
61/* On Intel Core 2 duo VERSION_1 is faster */
62
63/* alternative versions (test for performance on your system) */
64#if 1
65# define VERSION_1
66#endif
67
68#include "aes.h"
69
70#if defined( HAVE_UINT_32T )
Marie Janssend19e0782016-07-15 12:48:27 -0700[diff] [blame]71 typedef uint32_t uint_32t;
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]72#endif
73
74/* functions for finite field multiplication in the AES Galois field */
75
76#define WPOLY 0x011b
77#define BPOLY 0x1b
78#define DPOLY 0x008d
79
80#define f1(x) (x)
Chih-Hung Hsieh63b05192016-05-20 10:29:31 -0700[diff] [blame]81#define f2(x) (((x) << 1) ^ ((((x) >> 7) & 1) * WPOLY))
82#define f4(x) (((x) << 2) ^ ((((x) >> 6) & 1) * WPOLY) ^ ((((x) >> 6) & 2) * WPOLY))
83#define f8(x) (((x) << 3) ^ ((((x) >> 5) & 1) * WPOLY) ^ ((((x) >> 5) & 2) * WPOLY) \
84 ^ ((((x) >> 5) & 4) * WPOLY))
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]85#define d2(x) (((x) >> 1) ^ ((x) & 1 ? DPOLY : 0))
86
Chih-Hung Hsieh63b05192016-05-20 10:29:31 -0700[diff] [blame]87#define f3(x) (f2(x) ^ (x))
88#define f9(x) (f8(x) ^ (x))
89#define fb(x) (f8(x) ^ f2(x) ^ (x))
90#define fd(x) (f8(x) ^ f4(x) ^ (x))
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]91#define fe(x) (f8(x) ^ f4(x) ^ f2(x))
92
93#if defined( USE_TABLES )
94
95#define sb_data(w) { /* S Box data values */ \
96 w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
97 w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
98 w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
99 w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
100 w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
101 w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
102 w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
103 w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
104 w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
105 w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
106 w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
107 w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
108 w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
109 w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
110 w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
111 w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
112 w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
113 w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
114 w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
115 w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
116 w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
117 w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
118 w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
119 w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
120 w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
121 w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
122 w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
123 w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
124 w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
125 w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
126 w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
127 w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
128
129#define isb_data(w) { /* inverse S Box data values */ \
130 w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
131 w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
132 w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
133 w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
134 w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
135 w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
136 w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
137 w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
138 w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
139 w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
140 w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
141 w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
142 w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
143 w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
144 w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
145 w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
146 w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
147 w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
148 w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
149 w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
150 w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
151 w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
152 w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
153 w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
154 w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
155 w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
156 w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
157 w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
158 w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
159 w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
160 w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
161 w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
162
163#define mm_data(w) { /* basic data for forming finite field tables */ \
164 w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
165 w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
166 w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
167 w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
168 w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
169 w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
170 w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
171 w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
172 w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
173 w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
174 w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
175 w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
176 w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
177 w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
178 w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
179 w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
180 w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
181 w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
182 w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
183 w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
184 w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
185 w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
186 w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
187 w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
188 w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
189 w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
190 w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
191 w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
192 w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
193 w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
194 w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
195 w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
196
197static const uint_8t sbox[256] = sb_data(f1);
198static const uint_8t isbox[256] = isb_data(f1);
199
200static const uint_8t gfm2_sbox[256] = sb_data(f2);
201static const uint_8t gfm3_sbox[256] = sb_data(f3);
202
203static const uint_8t gfmul_9[256] = mm_data(f9);
204static const uint_8t gfmul_b[256] = mm_data(fb);
205static const uint_8t gfmul_d[256] = mm_data(fd);
206static const uint_8t gfmul_e[256] = mm_data(fe);
207
208#define s_box(x) sbox[(x)]
209#define is_box(x) isbox[(x)]
210#define gfm2_sb(x) gfm2_sbox[(x)]
211#define gfm3_sb(x) gfm3_sbox[(x)]
212#define gfm_9(x) gfmul_9[(x)]
213#define gfm_b(x) gfmul_b[(x)]
214#define gfm_d(x) gfmul_d[(x)]
215#define gfm_e(x) gfmul_e[(x)]
216
217#else
218
219/* this is the high bit of x right shifted by 1 */
220/* position. Since the starting polynomial has */
221/* 9 bits (0x11b), this right shift keeps the */
222/* values of all top bits within a byte */
223
224static uint_8t hibit(const uint_8t x)
225{ uint_8t r = (uint_8t)((x >> 1) | (x >> 2));
226
227 r |= (r >> 2);
228 r |= (r >> 4);
229 return (r + 1) >> 1;
230}
231
232/* return the inverse of the finite field element x */
233
234static uint_8t gf_inv(const uint_8t x)
235{ uint_8t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
236
237 if(x < 2)
238 return x;
239
240 for( ; ; )
241 {
242 if(n1)
243 while(n2 >= n1) /* divide polynomial p2 by p1 */
244 {
245 n2 /= n1; /* shift smaller polynomial left */
246 p2 ^= (p1 * n2) & 0xff; /* and remove from larger one */
247 v2 ^= (v1 * n2); /* shift accumulated value and */
248 n2 = hibit(p2); /* add into result */
249 }
250 else
251 return v1;
252
253 if(n2) /* repeat with values swapped */
254 while(n1 >= n2)
255 {
256 n1 /= n2;
257 p1 ^= p2 * n1;
258 v1 ^= v2 * n1;
259 n1 = hibit(p1);
260 }
261 else
262 return v2;
263 }
264}
265
266/* The forward and inverse affine transformations used in the S-box */
267uint_8t fwd_affine(const uint_8t x)
268{
269#if defined( HAVE_UINT_32T )
270 uint_32t w = x;
271 w ^= (w << 1) ^ (w << 2) ^ (w << 3) ^ (w << 4);
272 return 0x63 ^ ((w ^ (w >> 8)) & 0xff);
273#else
274 return 0x63 ^ x ^ (x << 1) ^ (x << 2) ^ (x << 3) ^ (x << 4)
275 ^ (x >> 7) ^ (x >> 6) ^ (x >> 5) ^ (x >> 4);
276#endif
277}
278
279uint_8t inv_affine(const uint_8t x)
280{
281#if defined( HAVE_UINT_32T )
282 uint_32t w = x;
283 w = (w << 1) ^ (w << 3) ^ (w << 6);
284 return 0x05 ^ ((w ^ (w >> 8)) & 0xff);
285#else
286 return 0x05 ^ (x << 1) ^ (x << 3) ^ (x << 6)
287 ^ (x >> 7) ^ (x >> 5) ^ (x >> 2);
288#endif
289}
290
291#define s_box(x) fwd_affine(gf_inv(x))
292#define is_box(x) gf_inv(inv_affine(x))
293#define gfm2_sb(x) f2(s_box(x))
294#define gfm3_sb(x) f3(s_box(x))
295#define gfm_9(x) f9(x)
296#define gfm_b(x) fb(x)
297#define gfm_d(x) fd(x)
298#define gfm_e(x) fe(x)
299
300#endif
301
302#if defined( HAVE_MEMCPY )
303# define block_copy_nn(d, s, l) memcpy(d, s, l)
304# define block_copy(d, s) memcpy(d, s, N_BLOCK)
305#else
306# define block_copy_nn(d, s, l) copy_block_nn(d, s, l)
307# define block_copy(d, s) copy_block(d, s)
308#endif
309
310#if !defined( HAVE_MEMCPY )
311static void copy_block( void *d, const void *s )
312{
313#if defined( HAVE_UINT_32T )
314 ((uint_32t*)d)[ 0] = ((uint_32t*)s)[ 0];
315 ((uint_32t*)d)[ 1] = ((uint_32t*)s)[ 1];
316 ((uint_32t*)d)[ 2] = ((uint_32t*)s)[ 2];
317 ((uint_32t*)d)[ 3] = ((uint_32t*)s)[ 3];
318#else
319 ((uint_8t*)d)[ 0] = ((uint_8t*)s)[ 0];
320 ((uint_8t*)d)[ 1] = ((uint_8t*)s)[ 1];
321 ((uint_8t*)d)[ 2] = ((uint_8t*)s)[ 2];
322 ((uint_8t*)d)[ 3] = ((uint_8t*)s)[ 3];
323 ((uint_8t*)d)[ 4] = ((uint_8t*)s)[ 4];
324 ((uint_8t*)d)[ 5] = ((uint_8t*)s)[ 5];
325 ((uint_8t*)d)[ 6] = ((uint_8t*)s)[ 6];
326 ((uint_8t*)d)[ 7] = ((uint_8t*)s)[ 7];
327 ((uint_8t*)d)[ 8] = ((uint_8t*)s)[ 8];
328 ((uint_8t*)d)[ 9] = ((uint_8t*)s)[ 9];
329 ((uint_8t*)d)[10] = ((uint_8t*)s)[10];
330 ((uint_8t*)d)[11] = ((uint_8t*)s)[11];
331 ((uint_8t*)d)[12] = ((uint_8t*)s)[12];
332 ((uint_8t*)d)[13] = ((uint_8t*)s)[13];
333 ((uint_8t*)d)[14] = ((uint_8t*)s)[14];
334 ((uint_8t*)d)[15] = ((uint_8t*)s)[15];
335#endif
336}
337
338static void copy_block_nn( void * d, const void *s, uint_8t nn )
339{
340 while( nn-- )
341 *((uint_8t*)d)++ = *((uint_8t*)s)++;
342}
343#endif
344
345static void xor_block( void *d, const void *s )
346{
347#if defined( HAVE_UINT_32T )
348 ((uint_32t*)d)[ 0] ^= ((uint_32t*)s)[ 0];
349 ((uint_32t*)d)[ 1] ^= ((uint_32t*)s)[ 1];
350 ((uint_32t*)d)[ 2] ^= ((uint_32t*)s)[ 2];
351 ((uint_32t*)d)[ 3] ^= ((uint_32t*)s)[ 3];
352#else
353 ((uint_8t*)d)[ 0] ^= ((uint_8t*)s)[ 0];
354 ((uint_8t*)d)[ 1] ^= ((uint_8t*)s)[ 1];
355 ((uint_8t*)d)[ 2] ^= ((uint_8t*)s)[ 2];
356 ((uint_8t*)d)[ 3] ^= ((uint_8t*)s)[ 3];
357 ((uint_8t*)d)[ 4] ^= ((uint_8t*)s)[ 4];
358 ((uint_8t*)d)[ 5] ^= ((uint_8t*)s)[ 5];
359 ((uint_8t*)d)[ 6] ^= ((uint_8t*)s)[ 6];
360 ((uint_8t*)d)[ 7] ^= ((uint_8t*)s)[ 7];
361 ((uint_8t*)d)[ 8] ^= ((uint_8t*)s)[ 8];
362 ((uint_8t*)d)[ 9] ^= ((uint_8t*)s)[ 9];
363 ((uint_8t*)d)[10] ^= ((uint_8t*)s)[10];
364 ((uint_8t*)d)[11] ^= ((uint_8t*)s)[11];
365 ((uint_8t*)d)[12] ^= ((uint_8t*)s)[12];
366 ((uint_8t*)d)[13] ^= ((uint_8t*)s)[13];
367 ((uint_8t*)d)[14] ^= ((uint_8t*)s)[14];
368 ((uint_8t*)d)[15] ^= ((uint_8t*)s)[15];
369#endif
370}
371
372static void copy_and_key( void *d, const void *s, const void *k )
373{
374#if defined( HAVE_UINT_32T )
375 ((uint_32t*)d)[ 0] = ((uint_32t*)s)[ 0] ^ ((uint_32t*)k)[ 0];
376 ((uint_32t*)d)[ 1] = ((uint_32t*)s)[ 1] ^ ((uint_32t*)k)[ 1];
377 ((uint_32t*)d)[ 2] = ((uint_32t*)s)[ 2] ^ ((uint_32t*)k)[ 2];
378 ((uint_32t*)d)[ 3] = ((uint_32t*)s)[ 3] ^ ((uint_32t*)k)[ 3];
379#elif 1
380 ((uint_8t*)d)[ 0] = ((uint_8t*)s)[ 0] ^ ((uint_8t*)k)[ 0];
381 ((uint_8t*)d)[ 1] = ((uint_8t*)s)[ 1] ^ ((uint_8t*)k)[ 1];
382 ((uint_8t*)d)[ 2] = ((uint_8t*)s)[ 2] ^ ((uint_8t*)k)[ 2];
383 ((uint_8t*)d)[ 3] = ((uint_8t*)s)[ 3] ^ ((uint_8t*)k)[ 3];
384 ((uint_8t*)d)[ 4] = ((uint_8t*)s)[ 4] ^ ((uint_8t*)k)[ 4];
385 ((uint_8t*)d)[ 5] = ((uint_8t*)s)[ 5] ^ ((uint_8t*)k)[ 5];
386 ((uint_8t*)d)[ 6] = ((uint_8t*)s)[ 6] ^ ((uint_8t*)k)[ 6];
387 ((uint_8t*)d)[ 7] = ((uint_8t*)s)[ 7] ^ ((uint_8t*)k)[ 7];
388 ((uint_8t*)d)[ 8] = ((uint_8t*)s)[ 8] ^ ((uint_8t*)k)[ 8];
389 ((uint_8t*)d)[ 9] = ((uint_8t*)s)[ 9] ^ ((uint_8t*)k)[ 9];
390 ((uint_8t*)d)[10] = ((uint_8t*)s)[10] ^ ((uint_8t*)k)[10];
391 ((uint_8t*)d)[11] = ((uint_8t*)s)[11] ^ ((uint_8t*)k)[11];
392 ((uint_8t*)d)[12] = ((uint_8t*)s)[12] ^ ((uint_8t*)k)[12];
393 ((uint_8t*)d)[13] = ((uint_8t*)s)[13] ^ ((uint_8t*)k)[13];
394 ((uint_8t*)d)[14] = ((uint_8t*)s)[14] ^ ((uint_8t*)k)[14];
395 ((uint_8t*)d)[15] = ((uint_8t*)s)[15] ^ ((uint_8t*)k)[15];
396#else
397 block_copy(d, s);
398 xor_block(d, k);
399#endif
400}
401
402static void add_round_key( uint_8t d[N_BLOCK], const uint_8t k[N_BLOCK] )
403{
404 xor_block(d, k);
405}
406
407static void shift_sub_rows( uint_8t st[N_BLOCK] )
408{ uint_8t tt;
409
410 st[ 0] = s_box(st[ 0]); st[ 4] = s_box(st[ 4]);
411 st[ 8] = s_box(st[ 8]); st[12] = s_box(st[12]);
412
413 tt = st[1]; st[ 1] = s_box(st[ 5]); st[ 5] = s_box(st[ 9]);
414 st[ 9] = s_box(st[13]); st[13] = s_box( tt );
415
416 tt = st[2]; st[ 2] = s_box(st[10]); st[10] = s_box( tt );
417 tt = st[6]; st[ 6] = s_box(st[14]); st[14] = s_box( tt );
418
419 tt = st[15]; st[15] = s_box(st[11]); st[11] = s_box(st[ 7]);
420 st[ 7] = s_box(st[ 3]); st[ 3] = s_box( tt );
421}
422
423static void inv_shift_sub_rows( uint_8t st[N_BLOCK] )
424{ uint_8t tt;
425
426 st[ 0] = is_box(st[ 0]); st[ 4] = is_box(st[ 4]);
427 st[ 8] = is_box(st[ 8]); st[12] = is_box(st[12]);
428
429 tt = st[13]; st[13] = is_box(st[9]); st[ 9] = is_box(st[5]);
430 st[ 5] = is_box(st[1]); st[ 1] = is_box( tt );
431
432 tt = st[2]; st[ 2] = is_box(st[10]); st[10] = is_box( tt );
433 tt = st[6]; st[ 6] = is_box(st[14]); st[14] = is_box( tt );
434
435 tt = st[3]; st[ 3] = is_box(st[ 7]); st[ 7] = is_box(st[11]);
436 st[11] = is_box(st[15]); st[15] = is_box( tt );
437}
438
439#if defined( VERSION_1 )
440 static void mix_sub_columns( uint_8t dt[N_BLOCK] )
441 { uint_8t st[N_BLOCK];
442 block_copy(st, dt);
443#else
444 static void mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
445 {
446#endif
447 dt[ 0] = gfm2_sb(st[0]) ^ gfm3_sb(st[5]) ^ s_box(st[10]) ^ s_box(st[15]);
448 dt[ 1] = s_box(st[0]) ^ gfm2_sb(st[5]) ^ gfm3_sb(st[10]) ^ s_box(st[15]);
449 dt[ 2] = s_box(st[0]) ^ s_box(st[5]) ^ gfm2_sb(st[10]) ^ gfm3_sb(st[15]);
450 dt[ 3] = gfm3_sb(st[0]) ^ s_box(st[5]) ^ s_box(st[10]) ^ gfm2_sb(st[15]);
451
452 dt[ 4] = gfm2_sb(st[4]) ^ gfm3_sb(st[9]) ^ s_box(st[14]) ^ s_box(st[3]);
453 dt[ 5] = s_box(st[4]) ^ gfm2_sb(st[9]) ^ gfm3_sb(st[14]) ^ s_box(st[3]);
454 dt[ 6] = s_box(st[4]) ^ s_box(st[9]) ^ gfm2_sb(st[14]) ^ gfm3_sb(st[3]);
455 dt[ 7] = gfm3_sb(st[4]) ^ s_box(st[9]) ^ s_box(st[14]) ^ gfm2_sb(st[3]);
456
457 dt[ 8] = gfm2_sb(st[8]) ^ gfm3_sb(st[13]) ^ s_box(st[2]) ^ s_box(st[7]);
458 dt[ 9] = s_box(st[8]) ^ gfm2_sb(st[13]) ^ gfm3_sb(st[2]) ^ s_box(st[7]);
459 dt[10] = s_box(st[8]) ^ s_box(st[13]) ^ gfm2_sb(st[2]) ^ gfm3_sb(st[7]);
460 dt[11] = gfm3_sb(st[8]) ^ s_box(st[13]) ^ s_box(st[2]) ^ gfm2_sb(st[7]);
461
462 dt[12] = gfm2_sb(st[12]) ^ gfm3_sb(st[1]) ^ s_box(st[6]) ^ s_box(st[11]);
463 dt[13] = s_box(st[12]) ^ gfm2_sb(st[1]) ^ gfm3_sb(st[6]) ^ s_box(st[11]);
464 dt[14] = s_box(st[12]) ^ s_box(st[1]) ^ gfm2_sb(st[6]) ^ gfm3_sb(st[11]);
465 dt[15] = gfm3_sb(st[12]) ^ s_box(st[1]) ^ s_box(st[6]) ^ gfm2_sb(st[11]);
466 }
467
468#if defined( VERSION_1 )
469 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK] )
470 { uint_8t st[N_BLOCK];
471 block_copy(st, dt);
472#else
473 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
474 {
475#endif
476 dt[ 0] = is_box(gfm_e(st[ 0]) ^ gfm_b(st[ 1]) ^ gfm_d(st[ 2]) ^ gfm_9(st[ 3]));
477 dt[ 5] = is_box(gfm_9(st[ 0]) ^ gfm_e(st[ 1]) ^ gfm_b(st[ 2]) ^ gfm_d(st[ 3]));
478 dt[10] = is_box(gfm_d(st[ 0]) ^ gfm_9(st[ 1]) ^ gfm_e(st[ 2]) ^ gfm_b(st[ 3]));
479 dt[15] = is_box(gfm_b(st[ 0]) ^ gfm_d(st[ 1]) ^ gfm_9(st[ 2]) ^ gfm_e(st[ 3]));
480
481 dt[ 4] = is_box(gfm_e(st[ 4]) ^ gfm_b(st[ 5]) ^ gfm_d(st[ 6]) ^ gfm_9(st[ 7]));
482 dt[ 9] = is_box(gfm_9(st[ 4]) ^ gfm_e(st[ 5]) ^ gfm_b(st[ 6]) ^ gfm_d(st[ 7]));
483 dt[14] = is_box(gfm_d(st[ 4]) ^ gfm_9(st[ 5]) ^ gfm_e(st[ 6]) ^ gfm_b(st[ 7]));
484 dt[ 3] = is_box(gfm_b(st[ 4]) ^ gfm_d(st[ 5]) ^ gfm_9(st[ 6]) ^ gfm_e(st[ 7]));
485
486 dt[ 8] = is_box(gfm_e(st[ 8]) ^ gfm_b(st[ 9]) ^ gfm_d(st[10]) ^ gfm_9(st[11]));
487 dt[13] = is_box(gfm_9(st[ 8]) ^ gfm_e(st[ 9]) ^ gfm_b(st[10]) ^ gfm_d(st[11]));
488 dt[ 2] = is_box(gfm_d(st[ 8]) ^ gfm_9(st[ 9]) ^ gfm_e(st[10]) ^ gfm_b(st[11]));
489 dt[ 7] = is_box(gfm_b(st[ 8]) ^ gfm_d(st[ 9]) ^ gfm_9(st[10]) ^ gfm_e(st[11]));
490
491 dt[12] = is_box(gfm_e(st[12]) ^ gfm_b(st[13]) ^ gfm_d(st[14]) ^ gfm_9(st[15]));
492 dt[ 1] = is_box(gfm_9(st[12]) ^ gfm_e(st[13]) ^ gfm_b(st[14]) ^ gfm_d(st[15]));
493 dt[ 6] = is_box(gfm_d(st[12]) ^ gfm_9(st[13]) ^ gfm_e(st[14]) ^ gfm_b(st[15]));
494 dt[11] = is_box(gfm_b(st[12]) ^ gfm_d(st[13]) ^ gfm_9(st[14]) ^ gfm_e(st[15]));
495 }
496
497#if defined( AES_ENC_PREKEYED ) || defined( AES_DEC_PREKEYED )
498
499/* Set the cipher key for the pre-keyed version */
Satya Calloji444a8da2015-03-06 10:38:22 -0800[diff] [blame]500/* NOTE: If the length_type used for the key length is an
501 unsigned 8-bit character, a key length of 256 bits must
502 be entered as a length in bytes (valid inputs are hence
503 128, 192, 16, 24 and 32).
504*/
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]505
506return_type aes_set_key( const unsigned char key[], length_type keylen, aes_context ctx[1] )
507{
508 uint_8t cc, rc, hi;
509
510 switch( keylen )
511 {
512 case 16:
Satya Calloji444a8da2015-03-06 10:38:22 -0800[diff] [blame]513 case 128: /* length in bits (128 = 8*16) */
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]514 keylen = 16;
515 break;
516 case 24:
Satya Calloji444a8da2015-03-06 10:38:22 -0800[diff] [blame]517 case 192: /* length in bits (192 = 8*24) */
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]518 keylen = 24;
519 break;
520 case 32:
Satya Calloji444a8da2015-03-06 10:38:22 -0800[diff] [blame]521/* case 256: length in bits (256 = 8*32) */
Ganesh Ganapathi Battaead3cde2013-02-05 15:22:31 -0800[diff] [blame]522 keylen = 32;
523 break;
524 default:
525 ctx->rnd = 0;
526 return (return_type)-1;
527 }
528 block_copy_nn(ctx->ksch, key, keylen);
529 hi = (keylen + 28) << 2;
530 ctx->rnd = (hi >> 4) - 1;
531 for( cc = keylen, rc = 1; cc < hi; cc += 4 )
532 { uint_8t tt, t0, t1, t2, t3;
533
534 t0 = ctx->ksch[cc - 4];
535 t1 = ctx->ksch[cc - 3];
536 t2 = ctx->ksch[cc - 2];
537 t3 = ctx->ksch[cc - 1];
538 if( cc % keylen == 0 )
539 {
540 tt = t0;
541 t0 = s_box(t1) ^ rc;
542 t1 = s_box(t2);
543 t2 = s_box(t3);
544 t3 = s_box(tt);
545 rc = f2(rc);
546 }
547 else if( keylen > 24 && cc % keylen == 16 )
548 {
549 t0 = s_box(t0);
550 t1 = s_box(t1);
551 t2 = s_box(t2);
552 t3 = s_box(t3);
553 }
554 tt = cc - keylen;
555 ctx->ksch[cc + 0] = ctx->ksch[tt + 0] ^ t0;
556 ctx->ksch[cc + 1] = ctx->ksch[tt + 1] ^ t1;
557 ctx->ksch[cc + 2] = ctx->ksch[tt + 2] ^ t2;
558 ctx->ksch[cc + 3] = ctx->ksch[tt + 3] ^ t3;
559 }
560 return 0;
561}
562
563#endif
564
565#if defined( AES_ENC_PREKEYED )
566
567/* Encrypt a single block of 16 bytes */
568
569return_type aes_encrypt( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK], const aes_context ctx[1] )
570{
571 if( ctx->rnd )
572 {
573 uint_8t s1[N_BLOCK], r;
574 copy_and_key( s1, in, ctx->ksch );
575
576 for( r = 1 ; r < ctx->rnd ; ++r )
577#if defined( VERSION_1 )
578 {
579 mix_sub_columns( s1 );
580 add_round_key( s1, ctx->ksch + r * N_BLOCK);
581 }
582#else
583 { uint_8t s2[N_BLOCK];
584 mix_sub_columns( s2, s1 );
585 copy_and_key( s1, s2, ctx->ksch + r * N_BLOCK);
586 }
587#endif
588 shift_sub_rows( s1 );
589 copy_and_key( out, s1, ctx->ksch + r * N_BLOCK );
590 }
591 else
592 return (return_type)-1;
593 return 0;
594}
595
596/* CBC encrypt a number of blocks (input and return an IV) */
597
598return_type aes_cbc_encrypt( const unsigned char *in, unsigned char *out,
599 int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
600{
601
602 while(n_block--)
603 {
604 xor_block(iv, in);
605 if(aes_encrypt(iv, iv, ctx) != EXIT_SUCCESS)
606 return EXIT_FAILURE;
607 memcpy(out, iv, N_BLOCK);
608 in += N_BLOCK;
609 out += N_BLOCK;
610 }
611 return EXIT_SUCCESS;
612}
613
614#endif
615
616#if defined( AES_DEC_PREKEYED )
617
618/* Decrypt a single block of 16 bytes */
619
620return_type aes_decrypt( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK], const aes_context ctx[1] )
621{
622 if( ctx->rnd )
623 {
624 uint_8t s1[N_BLOCK], r;
625 copy_and_key( s1, in, ctx->ksch + ctx->rnd * N_BLOCK );
626 inv_shift_sub_rows( s1 );
627
628 for( r = ctx->rnd ; --r ; )
629#if defined( VERSION_1 )
630 {
631 add_round_key( s1, ctx->ksch + r * N_BLOCK );
632 inv_mix_sub_columns( s1 );
633 }
634#else
635 { uint_8t s2[N_BLOCK];
636 copy_and_key( s2, s1, ctx->ksch + r * N_BLOCK );
637 inv_mix_sub_columns( s1, s2 );
638 }
639#endif
640 copy_and_key( out, s1, ctx->ksch );
641 }
642 else
643 return (return_type)-1;
644 return 0;
645}
646
647/* CBC decrypt a number of blocks (input and return an IV) */
648
649return_type aes_cbc_decrypt( const unsigned char *in, unsigned char *out,
650 int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
651{
652 while(n_block--)
653 { uint_8t tmp[N_BLOCK];
654
655 memcpy(tmp, in, N_BLOCK);
656 if(aes_decrypt(in, out, ctx) != EXIT_SUCCESS)
657 return EXIT_FAILURE;
658 xor_block(out, iv);
659 memcpy(iv, tmp, N_BLOCK);
660 in += N_BLOCK;
661 out += N_BLOCK;
662 }
663 return EXIT_SUCCESS;
664}
665
666#endif
667
668#if defined( AES_ENC_128_OTFK )
669
670/* The 'on the fly' encryption key update for for 128 bit keys */
671
672static void update_encrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
673{ uint_8t cc;
674
675 k[0] ^= s_box(k[13]) ^ *rc;
676 k[1] ^= s_box(k[14]);
677 k[2] ^= s_box(k[15]);
678 k[3] ^= s_box(k[12]);
679 *rc = f2( *rc );
680
681 for(cc = 4; cc < 16; cc += 4 )
682 {
683 k[cc + 0] ^= k[cc - 4];
684 k[cc + 1] ^= k[cc - 3];
685 k[cc + 2] ^= k[cc - 2];
686 k[cc + 3] ^= k[cc - 1];
687 }
688}
689
690/* Encrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
691
692void aes_encrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
693 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
694{ uint_8t s1[N_BLOCK], r, rc = 1;
695
696 if(o_key != key)
697 block_copy( o_key, key );
698 copy_and_key( s1, in, o_key );
699
700 for( r = 1 ; r < 10 ; ++r )
701#if defined( VERSION_1 )
702 {
703 mix_sub_columns( s1 );
704 update_encrypt_key_128( o_key, &rc );
705 add_round_key( s1, o_key );
706 }
707#else
708 { uint_8t s2[N_BLOCK];
709 mix_sub_columns( s2, s1 );
710 update_encrypt_key_128( o_key, &rc );
711 copy_and_key( s1, s2, o_key );
712 }
713#endif
714
715 shift_sub_rows( s1 );
716 update_encrypt_key_128( o_key, &rc );
717 copy_and_key( out, s1, o_key );
718}
719
720#endif
721
722#if defined( AES_DEC_128_OTFK )
723
724/* The 'on the fly' decryption key update for for 128 bit keys */
725
726static void update_decrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
727{ uint_8t cc;
728
729 for( cc = 12; cc > 0; cc -= 4 )
730 {
731 k[cc + 0] ^= k[cc - 4];
732 k[cc + 1] ^= k[cc - 3];
733 k[cc + 2] ^= k[cc - 2];
734 k[cc + 3] ^= k[cc - 1];
735 }
736 *rc = d2(*rc);
737 k[0] ^= s_box(k[13]) ^ *rc;
738 k[1] ^= s_box(k[14]);
739 k[2] ^= s_box(k[15]);
740 k[3] ^= s_box(k[12]);
741}
742
743/* Decrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
744
745void aes_decrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
746 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
747{
748 uint_8t s1[N_BLOCK], r, rc = 0x6c;
749 if(o_key != key)
750 block_copy( o_key, key );
751
752 copy_and_key( s1, in, o_key );
753 inv_shift_sub_rows( s1 );
754
755 for( r = 10 ; --r ; )
756#if defined( VERSION_1 )
757 {
758 update_decrypt_key_128( o_key, &rc );
759 add_round_key( s1, o_key );
760 inv_mix_sub_columns( s1 );
761 }
762#else
763 { uint_8t s2[N_BLOCK];
764 update_decrypt_key_128( o_key, &rc );
765 copy_and_key( s2, s1, o_key );
766 inv_mix_sub_columns( s1, s2 );
767 }
768#endif
769 update_decrypt_key_128( o_key, &rc );
770 copy_and_key( out, s1, o_key );
771}
772
773#endif
774
775#if defined( AES_ENC_256_OTFK )
776
777/* The 'on the fly' encryption key update for for 256 bit keys */
778
779static void update_encrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
780{ uint_8t cc;
781
782 k[0] ^= s_box(k[29]) ^ *rc;
783 k[1] ^= s_box(k[30]);
784 k[2] ^= s_box(k[31]);
785 k[3] ^= s_box(k[28]);
786 *rc = f2( *rc );
787
788 for(cc = 4; cc < 16; cc += 4)
789 {
790 k[cc + 0] ^= k[cc - 4];
791 k[cc + 1] ^= k[cc - 3];
792 k[cc + 2] ^= k[cc - 2];
793 k[cc + 3] ^= k[cc - 1];
794 }
795
796 k[16] ^= s_box(k[12]);
797 k[17] ^= s_box(k[13]);
798 k[18] ^= s_box(k[14]);
799 k[19] ^= s_box(k[15]);
800
801 for( cc = 20; cc < 32; cc += 4 )
802 {
803 k[cc + 0] ^= k[cc - 4];
804 k[cc + 1] ^= k[cc - 3];
805 k[cc + 2] ^= k[cc - 2];
806 k[cc + 3] ^= k[cc - 1];
807 }
808}
809
810/* Encrypt a single block of 16 bytes with 'on the fly' 256 bit keying */
811
812void aes_encrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
813 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
814{
815 uint_8t s1[N_BLOCK], r, rc = 1;
816 if(o_key != key)
817 {
818 block_copy( o_key, key );
819 block_copy( o_key + 16, key + 16 );
820 }
821 copy_and_key( s1, in, o_key );
822
823 for( r = 1 ; r < 14 ; ++r )
824#if defined( VERSION_1 )
825 {
826 mix_sub_columns(s1);
827 if( r & 1 )
828 add_round_key( s1, o_key + 16 );
829 else
830 {
831 update_encrypt_key_256( o_key, &rc );
832 add_round_key( s1, o_key );
833 }
834 }
835#else
836 { uint_8t s2[N_BLOCK];
837 mix_sub_columns( s2, s1 );
838 if( r & 1 )
839 copy_and_key( s1, s2, o_key + 16 );
840 else
841 {
842 update_encrypt_key_256( o_key, &rc );
843 copy_and_key( s1, s2, o_key );
844 }
845 }
846#endif
847
848 shift_sub_rows( s1 );
849 update_encrypt_key_256( o_key, &rc );
850 copy_and_key( out, s1, o_key );
851}
852
853#endif
854
855#if defined( AES_DEC_256_OTFK )
856
857/* The 'on the fly' encryption key update for for 256 bit keys */
858
859static void update_decrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
860{ uint_8t cc;
861
862 for(cc = 28; cc > 16; cc -= 4)
863 {
864 k[cc + 0] ^= k[cc - 4];
865 k[cc + 1] ^= k[cc - 3];
866 k[cc + 2] ^= k[cc - 2];
867 k[cc + 3] ^= k[cc - 1];
868 }
869
870 k[16] ^= s_box(k[12]);
871 k[17] ^= s_box(k[13]);
872 k[18] ^= s_box(k[14]);
873 k[19] ^= s_box(k[15]);
874
875 for(cc = 12; cc > 0; cc -= 4)
876 {
877 k[cc + 0] ^= k[cc - 4];
878 k[cc + 1] ^= k[cc - 3];
879 k[cc + 2] ^= k[cc - 2];
880 k[cc + 3] ^= k[cc - 1];
881 }
882
883 *rc = d2(*rc);
884 k[0] ^= s_box(k[29]) ^ *rc;
885 k[1] ^= s_box(k[30]);
886 k[2] ^= s_box(k[31]);
887 k[3] ^= s_box(k[28]);
888}
889
890/* Decrypt a single block of 16 bytes with 'on the fly'
891 256 bit keying
892*/
893void aes_decrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
894 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
895{
896 uint_8t s1[N_BLOCK], r, rc = 0x80;
897
898 if(o_key != key)
899 {
900 block_copy( o_key, key );
901 block_copy( o_key + 16, key + 16 );
902 }
903
904 copy_and_key( s1, in, o_key );
905 inv_shift_sub_rows( s1 );
906
907 for( r = 14 ; --r ; )
908#if defined( VERSION_1 )
909 {
910 if( ( r & 1 ) )
911 {
912 update_decrypt_key_256( o_key, &rc );
913 add_round_key( s1, o_key + 16 );
914 }
915 else
916 add_round_key( s1, o_key );
917 inv_mix_sub_columns( s1 );
918 }
919#else
920 { uint_8t s2[N_BLOCK];
921 if( ( r & 1 ) )
922 {
923 update_decrypt_key_256( o_key, &rc );
924 copy_and_key( s2, s1, o_key + 16 );
925 }
926 else
927 copy_and_key( s2, s1, o_key );
928 inv_mix_sub_columns( s1, s2 );
929 }
930#endif
931 copy_and_key( out, s1, o_key );
932}
933
934#endif