Line data Source code
1 : /* fd_aes_ref.c was imported from the OpenSSL project circa 2023-Aug.
2 : Original source file: crypto/aes/aes_core.c */
3 :
4 : /*
5 : * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
6 : *
7 : * Licensed under the Apache License 2.0 (the "License"). You may not use
8 : * this file except in compliance with the License. You can obtain a copy
9 : * in the file LICENSE in the source distribution or at
10 : * https://www.openssl.org/source/license.html
11 : */
12 :
13 : /**
14 : * rijndael-alg-fst.c
15 : *
16 : * @version 3.0 (December 2000)
17 : *
18 : * Optimised ANSI C code for the Rijndael cipher (now AES)
19 : *
20 : * @author Vincent Rijmen
21 : * @author Antoon Bosselaers
22 : * @author Paulo Barreto
23 : *
24 : * This code is hereby placed in the public domain.
25 : *
26 : * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
27 : * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
28 : * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
30 : * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
31 : * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
32 : * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
33 : * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
34 : * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
35 : * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
36 : * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 : */
38 :
39 : /* Note: rewritten a little bit to provide error control and an OpenSSL-
40 : compatible API */
41 :
42 : #include <assert.h>
43 : #include <stdlib.h>
44 : #include "fd_aes_gcm_ref.h"
45 :
46 : typedef union {
47 : uchar b[8];
48 : uint w[2];
49 : ulong d;
50 : } uni;
51 :
52 : /*
53 : * Compute w := (w * x) mod (x^8 + x^4 + x^3 + x^1 + 1)
54 : * Therefore the name "xtime".
55 : */
56 : static void
57 45499250 : XtimeWord( uint * w ) {
58 45499250 : uint a, b;
59 :
60 45499250 : a = *w;
61 45499250 : b = a & 0x80808080u;
62 45499250 : a ^= b;
63 45499250 : b -= b >> 7;
64 45499250 : b &= 0x1B1B1B1Bu;
65 45499250 : b ^= a << 1;
66 45499250 : *w = b;
67 45499250 : }
68 :
69 : static void
70 394049916 : XtimeLong( ulong * w ) {
71 394049916 : ulong a, b;
72 :
73 394049916 : a = *w;
74 394049916 : b = a & (ulong)(0x8080808080808080);
75 394049916 : a ^= b;
76 394049916 : b -= b >> 7;
77 394049916 : b &= (ulong)(0x1B1B1B1B1B1B1B1B);
78 394049916 : b ^= a << 1;
79 394049916 : *w = b;
80 394049916 : }
81 :
82 : /*
83 : * This computes w := S * w ^ -1 + c, where c = {01100011}.
84 : * Instead of using GF(2^8) mod (x^8+x^4+x^3+x+1} we do the inversion
85 : * in GF(GF(GF(2^2)^2)^2) mod (X^2+X+8)
86 : * and GF(GF(2^2)^2) mod (X^2+X+2)
87 : * and GF(2^2) mod (X^2+X+1)
88 : * The first part of the algorithm below transfers the coordinates
89 : * {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80} =>
90 : * {1,Y,Y^2,Y^3,Y^4,Y^5,Y^6,Y^7} with Y=0x41:
91 : * {0x01,0x41,0x66,0x6c,0x56,0x9a,0x58,0xc4}
92 : * The last part undoes the coordinate transfer and the final affine
93 : * transformation S:
94 : * b[i] = b[i] + b[(i+4)%8] + b[(i+5)%8] + b[(i+6)%8] + b[(i+7)%8] + c[i]
95 : * in one step.
96 : * The multiplication in GF(2^2^2^2) is done in ordinary coords:
97 : * A = (a0*1 + a1*x^4)
98 : * B = (b0*1 + b1*x^4)
99 : * AB = ((a0*b0 + 8*a1*b1)*1 + (a1*b0 + (a0+a1)*b1)*x^4)
100 : * When A = (a0,a1) is given we want to solve AB = 1:
101 : * (a) 1 = a0*b0 + 8*a1*b1
102 : * (b) 0 = a1*b0 + (a0+a1)*b1
103 : * => multiply (a) by a1 and (b) by a0
104 : * (c) a1 = a1*a0*b0 + (8*a1*a1)*b1
105 : * (d) 0 = a1*a0*b0 + (a0*a0+a1*a0)*b1
106 : * => add (c) + (d)
107 : * (e) a1 = (a0*a0 + a1*a0 + 8*a1*a1)*b1
108 : * => therefore
109 : * b1 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * a1
110 : * => and adding (a1*b0) to (b) we get
111 : * (f) a1*b0 = (a0+a1)*b1
112 : * => therefore
113 : * b0 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * (a0+a1)
114 : * Note this formula also works for the case
115 : * (a0+a1)*a0 + 8*a1*a1 = 0
116 : * if the inverse element for 0^-1 is mapped to 0.
117 : * Repeat the same for GF(2^2^2) and GF(2^2).
118 : * We get the following algorithm:
119 : * inv8(a0,a1):
120 : * x0 = a0^a1
121 : * [y0,y1] = mul4([x0,a1],[a0,a1]); (*)
122 : * y1 = mul4(8,y1);
123 : * t = inv4(y0^y1);
124 : * [b0,b1] = mul4([x0,a1],[t,t]); (*)
125 : * return [b0,b1];
126 : * The non-linear multiplies (*) can be done in parallel at no extra cost.
127 : */
128 : static void
129 45499250 : SubWord( uint * w ) {
130 45499250 : uint x, y, a1, a2, a3, a4, a5, a6;
131 :
132 45499250 : x = *w;
133 45499250 : y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
134 45499250 : x &= 0xDDDDDDDDu;
135 45499250 : x ^= y & 0x57575757u;
136 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
137 45499250 : x ^= y & 0x1C1C1C1Cu;
138 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
139 45499250 : x ^= y & 0x4A4A4A4Au;
140 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
141 45499250 : x ^= y & 0x42424242u;
142 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
143 45499250 : x ^= y & 0x64646464u;
144 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
145 45499250 : x ^= y & 0xE0E0E0E0u;
146 45499250 : a1 = x;
147 45499250 : a1 ^= (x & 0xF0F0F0F0u) >> 4;
148 45499250 : a2 = ((x & 0xCCCCCCCCu) >> 2) | ((x & 0x33333333u) << 2);
149 45499250 : a3 = x & a1;
150 45499250 : a3 ^= (a3 & 0xAAAAAAAAu) >> 1;
151 45499250 : a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAu;
152 45499250 : a4 = a2 & a1;
153 45499250 : a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
154 45499250 : a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAu;
155 45499250 : a5 = (a3 & 0xCCCCCCCCu) >> 2;
156 45499250 : a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
157 45499250 : a4 = a5 & 0x22222222u;
158 45499250 : a4 |= a4 >> 1;
159 45499250 : a4 ^= (a5 << 1) & 0x22222222u;
160 45499250 : a3 ^= a4;
161 45499250 : a5 = a3 & 0xA0A0A0A0u;
162 45499250 : a5 |= a5 >> 1;
163 45499250 : a5 ^= (a3 << 1) & 0xA0A0A0A0u;
164 45499250 : a4 = a5 & 0xC0C0C0C0u;
165 45499250 : a6 = a4 >> 2;
166 45499250 : a4 ^= (a5 << 2) & 0xC0C0C0C0u;
167 45499250 : a5 = a6 & 0x20202020u;
168 45499250 : a5 |= a5 >> 1;
169 45499250 : a5 ^= (a6 << 1) & 0x20202020u;
170 45499250 : a4 |= a5;
171 45499250 : a3 ^= a4 >> 4;
172 45499250 : a3 &= 0x0F0F0F0Fu;
173 45499250 : a2 = a3;
174 45499250 : a2 ^= (a3 & 0x0C0C0C0Cu) >> 2;
175 45499250 : a4 = a3 & a2;
176 45499250 : a4 ^= (uint)(a4 & 0x0A0A0A0A0Au) >> 1u;
177 45499250 : a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0Au;
178 45499250 : a5 = a4 & 0x08080808u;
179 45499250 : a5 |= a5 >> 1;
180 45499250 : a5 ^= (a4 << 1) & 0x08080808u;
181 45499250 : a4 ^= a5 >> 2;
182 45499250 : a4 &= 0x03030303u;
183 45499250 : a4 ^= (a4 & 0x02020202u) >> 1;
184 45499250 : a4 |= a4 << 2;
185 45499250 : a3 = a2 & a4;
186 45499250 : a3 ^= (a3 & 0x0A0A0A0Au) >> 1;
187 45499250 : a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0Au;
188 45499250 : a3 |= a3 << 4;
189 45499250 : a2 = ((a1 & 0xCCCCCCCCu) >> 2) | ((a1 & 0x33333333u) << 2);
190 45499250 : x = a1 & a3;
191 45499250 : x ^= (x & 0xAAAAAAAAu) >> 1;
192 45499250 : x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAu;
193 45499250 : a4 = a2 & a3;
194 45499250 : a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
195 45499250 : a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAu;
196 45499250 : a5 = (x & 0xCCCCCCCCu) >> 2;
197 45499250 : x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
198 45499250 : a4 = a5 & 0x22222222u;
199 45499250 : a4 |= a4 >> 1;
200 45499250 : a4 ^= (a5 << 1) & 0x22222222u;
201 45499250 : x ^= a4;
202 45499250 : y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
203 45499250 : x &= 0x39393939u;
204 45499250 : x ^= y & 0x3F3F3F3Fu;
205 45499250 : y = ((y & 0xFCFCFCFCu) >> 2) | ((y & 0x03030303u) << 6);
206 45499250 : x ^= y & 0x97979797u;
207 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
208 45499250 : x ^= y & 0x9B9B9B9Bu;
209 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
210 45499250 : x ^= y & 0x3C3C3C3Cu;
211 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
212 45499250 : x ^= y & 0xDDDDDDDDu;
213 45499250 : y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
214 45499250 : x ^= y & 0x72727272u;
215 45499250 : x ^= 0x63636363u;
216 45499250 : *w = x;
217 45499250 : }
218 :
219 : static void
220 437833240 : SubLong( ulong * w ) {
221 437833240 : ulong x, y, a1, a2, a3, a4, a5, a6;
222 :
223 437833240 : x = *w;
224 437833240 : y = ((x & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((x & (0x0101010101010101UL)) << 7);
225 437833240 : x &= (0xDDDDDDDDDDDDDDDDUL);
226 437833240 : x ^= y & (0x5757575757575757UL);
227 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
228 437833240 : x ^= y & (0x1C1C1C1C1C1C1C1CUL);
229 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
230 437833240 : x ^= y & (0x4A4A4A4A4A4A4A4AUL);
231 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
232 437833240 : x ^= y & (0x4242424242424242UL);
233 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
234 437833240 : x ^= y & (0x6464646464646464UL);
235 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
236 437833240 : x ^= y & (0xE0E0E0E0E0E0E0E0UL);
237 437833240 : a1 = x;
238 437833240 : a1 ^= (x & (0xF0F0F0F0F0F0F0F0UL)) >> 4;
239 437833240 : a2 = ((x & (0xCCCCCCCCCCCCCCCCUL)) >> 2) | ((x & (0x3333333333333333UL)) << 2);
240 437833240 : a3 = x & a1;
241 437833240 : a3 ^= (a3 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
242 437833240 : a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & (0xAAAAAAAAAAAAAAAAUL);
243 437833240 : a4 = a2 & a1;
244 437833240 : a4 ^= (a4 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
245 437833240 : a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & (0xAAAAAAAAAAAAAAAAUL);
246 437833240 : a5 = (a3 & (0xCCCCCCCCCCCCCCCCUL)) >> 2;
247 437833240 : a3 ^= ((a4 << 2) ^ a4) & (0xCCCCCCCCCCCCCCCCUL);
248 437833240 : a4 = a5 & (0x2222222222222222UL);
249 437833240 : a4 |= a4 >> 1;
250 437833240 : a4 ^= (a5 << 1) & (0x2222222222222222UL);
251 437833240 : a3 ^= a4;
252 437833240 : a5 = a3 & (0xA0A0A0A0A0A0A0A0UL);
253 437833240 : a5 |= a5 >> 1;
254 437833240 : a5 ^= (a3 << 1) & (0xA0A0A0A0A0A0A0A0UL);
255 437833240 : a4 = a5 & (0xC0C0C0C0C0C0C0C0UL);
256 437833240 : a6 = a4 >> 2;
257 437833240 : a4 ^= (a5 << 2) & (0xC0C0C0C0C0C0C0C0UL);
258 437833240 : a5 = a6 & (0x2020202020202020UL);
259 437833240 : a5 |= a5 >> 1;
260 437833240 : a5 ^= (a6 << 1) & (0x2020202020202020UL);
261 437833240 : a4 |= a5;
262 437833240 : a3 ^= a4 >> 4;
263 437833240 : a3 &= (0x0F0F0F0F0F0F0F0FUL);
264 437833240 : a2 = a3;
265 437833240 : a2 ^= (a3 & (0x0C0C0C0C0C0C0C0CUL)) >> 2;
266 437833240 : a4 = a3 & a2;
267 437833240 : a4 ^= (a4 & (0x0A0A0A0A0A0A0A0AUL)) >> 1;
268 437833240 : a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & (0x0A0A0A0A0A0A0A0AUL);
269 437833240 : a5 = a4 & (0x0808080808080808UL);
270 437833240 : a5 |= a5 >> 1;
271 437833240 : a5 ^= (a4 << 1) & (0x0808080808080808UL);
272 437833240 : a4 ^= a5 >> 2;
273 437833240 : a4 &= (0x0303030303030303UL);
274 437833240 : a4 ^= (a4 & (0x0202020202020202UL)) >> 1;
275 437833240 : a4 |= a4 << 2;
276 437833240 : a3 = a2 & a4;
277 437833240 : a3 ^= (a3 & (0x0A0A0A0A0A0A0A0AUL)) >> 1;
278 437833240 : a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & (0x0A0A0A0A0A0A0A0AUL);
279 437833240 : a3 |= a3 << 4;
280 437833240 : a2 = ((a1 & (0xCCCCCCCCCCCCCCCCUL)) >> 2) | ((a1 & (0x3333333333333333UL)) << 2);
281 437833240 : x = a1 & a3;
282 437833240 : x ^= (x & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
283 437833240 : x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & (0xAAAAAAAAAAAAAAAAUL);
284 437833240 : a4 = a2 & a3;
285 437833240 : a4 ^= (a4 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
286 437833240 : a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & (0xAAAAAAAAAAAAAAAAUL);
287 437833240 : a5 = (x & (0xCCCCCCCCCCCCCCCCUL)) >> 2;
288 437833240 : x ^= ((a4 << 2) ^ a4) & (0xCCCCCCCCCCCCCCCCUL);
289 437833240 : a4 = a5 & (0x2222222222222222UL);
290 437833240 : a4 |= a4 >> 1;
291 437833240 : a4 ^= (a5 << 1) & (0x2222222222222222UL);
292 437833240 : x ^= a4;
293 437833240 : y = ((x & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((x & (0x0101010101010101UL)) << 7);
294 437833240 : x &= (0x3939393939393939UL);
295 437833240 : x ^= y & (0x3F3F3F3F3F3F3F3FUL);
296 437833240 : y = ((y & (0xFCFCFCFCFCFCFCFCUL)) >> 2) | ((y & (0x0303030303030303UL)) << 6);
297 437833240 : x ^= y & (0x9797979797979797UL);
298 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
299 437833240 : x ^= y & (0x9B9B9B9B9B9B9B9BUL);
300 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
301 437833240 : x ^= y & (0x3C3C3C3C3C3C3C3CUL);
302 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
303 437833240 : x ^= y & (0xDDDDDDDDDDDDDDDDUL);
304 437833240 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
305 437833240 : x ^= y & (0x7272727272727272UL);
306 437833240 : x ^= (0x6363636363636363UL);
307 437833240 : *w = x;
308 437833240 : }
309 :
310 : /*
311 : * This computes w := (S^-1 * (w + c))^-1
312 : */
313 : static void
314 0 : InvSubLong( ulong * w ) {
315 0 : ulong x, y, a1, a2, a3, a4, a5, a6;
316 :
317 0 : x = *w;
318 0 : x ^= (0x6363636363636363UL);
319 0 : y = ((x & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((x & (0x0101010101010101UL)) << 7);
320 0 : x &= (0xFDFDFDFDFDFDFDFDUL);
321 0 : x ^= y & (0x5E5E5E5E5E5E5E5EUL);
322 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
323 0 : x ^= y & (0xF3F3F3F3F3F3F3F3UL);
324 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
325 0 : x ^= y & (0xF5F5F5F5F5F5F5F5UL);
326 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
327 0 : x ^= y & (0x7878787878787878UL);
328 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
329 0 : x ^= y & (0x7777777777777777UL);
330 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
331 0 : x ^= y & (0x1515151515151515UL);
332 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
333 0 : x ^= y & (0xA5A5A5A5A5A5A5A5UL);
334 0 : a1 = x;
335 0 : a1 ^= (x & (0xF0F0F0F0F0F0F0F0UL)) >> 4;
336 0 : a2 = ((x & (0xCCCCCCCCCCCCCCCCUL)) >> 2) | ((x & (0x3333333333333333UL)) << 2);
337 0 : a3 = x & a1;
338 0 : a3 ^= (a3 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
339 0 : a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & (0xAAAAAAAAAAAAAAAAUL);
340 0 : a4 = a2 & a1;
341 0 : a4 ^= (a4 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
342 0 : a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & (0xAAAAAAAAAAAAAAAAUL);
343 0 : a5 = (a3 & (0xCCCCCCCCCCCCCCCCUL)) >> 2;
344 0 : a3 ^= ((a4 << 2) ^ a4) & (0xCCCCCCCCCCCCCCCCUL);
345 0 : a4 = a5 & (0x2222222222222222UL);
346 0 : a4 |= a4 >> 1;
347 0 : a4 ^= (a5 << 1) & (0x2222222222222222UL);
348 0 : a3 ^= a4;
349 0 : a5 = a3 & (0xA0A0A0A0A0A0A0A0UL);
350 0 : a5 |= a5 >> 1;
351 0 : a5 ^= (a3 << 1) & (0xA0A0A0A0A0A0A0A0UL);
352 0 : a4 = a5 & (0xC0C0C0C0C0C0C0C0UL);
353 0 : a6 = a4 >> 2;
354 0 : a4 ^= (a5 << 2) & (0xC0C0C0C0C0C0C0C0UL);
355 0 : a5 = a6 & (0x2020202020202020UL);
356 0 : a5 |= a5 >> 1;
357 0 : a5 ^= (a6 << 1) & (0x2020202020202020UL);
358 0 : a4 |= a5;
359 0 : a3 ^= a4 >> 4;
360 0 : a3 &= (0x0F0F0F0F0F0F0F0FUL);
361 0 : a2 = a3;
362 0 : a2 ^= (a3 & (0x0C0C0C0C0C0C0C0CUL)) >> 2;
363 0 : a4 = a3 & a2;
364 0 : a4 ^= (a4 & (0x0A0A0A0A0A0A0A0AUL)) >> 1;
365 0 : a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & (0x0A0A0A0A0A0A0A0AUL);
366 0 : a5 = a4 & (0x0808080808080808UL);
367 0 : a5 |= a5 >> 1;
368 0 : a5 ^= (a4 << 1) & (0x0808080808080808UL);
369 0 : a4 ^= a5 >> 2;
370 0 : a4 &= (0x0303030303030303UL);
371 0 : a4 ^= (a4 & (0x0202020202020202UL)) >> 1;
372 0 : a4 |= a4 << 2;
373 0 : a3 = a2 & a4;
374 0 : a3 ^= (a3 & (0x0A0A0A0A0A0A0A0AUL)) >> 1;
375 0 : a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & (0x0A0A0A0A0A0A0A0AUL);
376 0 : a3 |= a3 << 4;
377 0 : a2 = ((a1 & (0xCCCCCCCCCCCCCCCCUL)) >> 2) | ((a1 & (0x3333333333333333UL)) << 2);
378 0 : x = a1 & a3;
379 0 : x ^= (x & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
380 0 : x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & (0xAAAAAAAAAAAAAAAAUL);
381 0 : a4 = a2 & a3;
382 0 : a4 ^= (a4 & (0xAAAAAAAAAAAAAAAAUL)) >> 1;
383 0 : a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & (0xAAAAAAAAAAAAAAAAUL);
384 0 : a5 = (x & (0xCCCCCCCCCCCCCCCCUL)) >> 2;
385 0 : x ^= ((a4 << 2) ^ a4) & (0xCCCCCCCCCCCCCCCCUL);
386 0 : a4 = a5 & (0x2222222222222222UL);
387 0 : a4 |= a4 >> 1;
388 0 : a4 ^= (a5 << 1) & (0x2222222222222222UL);
389 0 : x ^= a4;
390 0 : y = ((x & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((x & (0x0101010101010101UL)) << 7);
391 0 : x &= (0xB5B5B5B5B5B5B5B5UL);
392 0 : x ^= y & (0x4040404040404040UL);
393 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
394 0 : x ^= y & (0x8080808080808080UL);
395 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
396 0 : x ^= y & (0x1616161616161616UL);
397 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
398 0 : x ^= y & (0xEBEBEBEBEBEBEBEBUL);
399 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
400 0 : x ^= y & (0x9797979797979797UL);
401 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
402 0 : x ^= y & (0xFBFBFBFBFBFBFBFBUL);
403 0 : y = ((y & (0xFEFEFEFEFEFEFEFEUL)) >> 1) | ((y & (0x0101010101010101UL)) << 7);
404 0 : x ^= y & (0x7D7D7D7D7D7D7D7DUL);
405 0 : *w = x;
406 0 : }
407 :
408 : static void
409 218916620 : ShiftRows( ulong * state ) {
410 218916620 : uchar s[4];
411 218916620 : uchar *s0;
412 218916620 : int r;
413 :
414 218916620 : s0 = (uchar *)state;
415 1094583100 : for (r = 0; r < 4; r++) {
416 875666480 : s[0] = s0[0*4 + r];
417 875666480 : s[1] = s0[1*4 + r];
418 875666480 : s[2] = s0[2*4 + r];
419 875666480 : s[3] = s0[3*4 + r];
420 875666480 : s0[0*4 + r] = s[(r+0) % 4];
421 875666480 : s0[1*4 + r] = s[(r+1) % 4];
422 875666480 : s0[2*4 + r] = s[(r+2) % 4];
423 875666480 : s0[3*4 + r] = s[(r+3) % 4];
424 875666480 : }
425 218916620 : }
426 :
427 : static void
428 0 : InvShiftRows( ulong * state ) {
429 0 : uchar s[4];
430 0 : uchar *s0;
431 0 : int r;
432 :
433 0 : s0 = (uchar *)state;
434 0 : for (r = 0; r < 4; r++) {
435 0 : s[0] = s0[0*4 + r];
436 0 : s[1] = s0[1*4 + r];
437 0 : s[2] = s0[2*4 + r];
438 0 : s[3] = s0[3*4 + r];
439 0 : s0[0*4 + r] = s[(4-r) % 4];
440 0 : s0[1*4 + r] = s[(5-r) % 4];
441 0 : s0[2*4 + r] = s[(6-r) % 4];
442 0 : s0[3*4 + r] = s[(7-r) % 4];
443 0 : }
444 0 : }
445 :
446 : static void
447 197024958 : MixColumns( ulong * state ) {
448 197024958 : uni s1;
449 197024958 : uni s;
450 197024958 : int c;
451 :
452 591074874 : for (c = 0; c < 2; c++) {
453 394049916 : s1.d = state[c];
454 394049916 : s.d = s1.d;
455 394049916 : s.d ^= ((s.d & (0xFFFF0000FFFF0000UL)) >> 16)
456 394049916 : | ((s.d & (0x0000FFFF0000FFFFUL)) << 16);
457 394049916 : s.d ^= ((s.d & (0xFF00FF00FF00FF00UL)) >> 8)
458 394049916 : | ((s.d & (0x00FF00FF00FF00FFUL)) << 8);
459 394049916 : s.d ^= s1.d;
460 394049916 : XtimeLong(&s1.d);
461 394049916 : s.d ^= s1.d;
462 394049916 : s.b[0] ^= s1.b[1];
463 394049916 : s.b[1] ^= s1.b[2];
464 394049916 : s.b[2] ^= s1.b[3];
465 394049916 : s.b[3] ^= s1.b[0];
466 394049916 : s.b[4] ^= s1.b[5];
467 394049916 : s.b[5] ^= s1.b[6];
468 394049916 : s.b[6] ^= s1.b[7];
469 394049916 : s.b[7] ^= s1.b[4];
470 394049916 : state[c] = s.d;
471 394049916 : }
472 197024958 : }
473 :
474 : static void InvMixColumns(ulong * state)
475 0 : {
476 0 : uni s1;
477 0 : uni s;
478 0 : int c;
479 :
480 0 : for (c = 0; c < 2; c++) {
481 0 : s1.d = state[c];
482 0 : s.d = s1.d;
483 0 : s.d ^= ((s.d & (0xFFFF0000FFFF0000UL)) >> 16)
484 0 : | ((s.d & (0x0000FFFF0000FFFFUL)) << 16);
485 0 : s.d ^= ((s.d & (0xFF00FF00FF00FF00UL)) >> 8)
486 0 : | ((s.d & (0x00FF00FF00FF00FFUL)) << 8);
487 0 : s.d ^= s1.d;
488 0 : XtimeLong(&s1.d);
489 0 : s.d ^= s1.d;
490 0 : s.b[0] ^= s1.b[1];
491 0 : s.b[1] ^= s1.b[2];
492 0 : s.b[2] ^= s1.b[3];
493 0 : s.b[3] ^= s1.b[0];
494 0 : s.b[4] ^= s1.b[5];
495 0 : s.b[5] ^= s1.b[6];
496 0 : s.b[6] ^= s1.b[7];
497 0 : s.b[7] ^= s1.b[4];
498 0 : XtimeLong(&s1.d);
499 0 : s1.d ^= ((s1.d & (0xFFFF0000FFFF0000UL)) >> 16)
500 0 : | ((s1.d & (0x0000FFFF0000FFFFUL)) << 16);
501 0 : s.d ^= s1.d;
502 0 : XtimeLong(&s1.d);
503 0 : s1.d ^= ((s1.d & (0xFF00FF00FF00FF00UL)) >> 8)
504 0 : | ((s1.d & (0x00FF00FF00FF00FFUL)) << 8);
505 0 : s.d ^= s1.d;
506 0 : state[c] = s.d;
507 0 : }
508 0 : }
509 :
510 : static void
511 : AddRoundKey( ulong * state,
512 240808282 : ulong const * w ) {
513 240808282 : state[0] ^= w[0];
514 240808282 : state[1] ^= w[1];
515 240808282 : }
516 :
517 : static void
518 : Cipher( uchar const * in,
519 : uchar * out,
520 : ulong const * w,
521 21891662 : int nr ) {
522 21891662 : ulong state[2];
523 21891662 : int i;
524 :
525 21891662 : memcpy(state, in, 16);
526 :
527 21891662 : AddRoundKey(state, w);
528 :
529 218916620 : for (i = 1; i < nr; i++) {
530 197024958 : SubLong(&state[0]);
531 197024958 : SubLong(&state[1]);
532 197024958 : ShiftRows(state);
533 197024958 : MixColumns(state);
534 197024958 : AddRoundKey(state, w + i*2);
535 197024958 : }
536 :
537 21891662 : SubLong(&state[0]);
538 21891662 : SubLong(&state[1]);
539 21891662 : ShiftRows(state);
540 21891662 : AddRoundKey(state, w + nr*2);
541 :
542 21891662 : memcpy(out, state, 16);
543 21891662 : }
544 :
545 : static void
546 : InvCipher( uchar const * in,
547 : uchar * out,
548 : ulong const * w,
549 0 : int nr ) {
550 0 : ulong state[2];
551 0 : int i;
552 :
553 0 : memcpy(state, in, 16);
554 :
555 0 : AddRoundKey(state, w + nr*2);
556 :
557 0 : for (i = nr - 1; i > 0; i--) {
558 0 : InvShiftRows(state);
559 0 : InvSubLong(&state[0]);
560 0 : InvSubLong(&state[1]);
561 0 : AddRoundKey(state, w + i*2);
562 0 : InvMixColumns(state);
563 0 : }
564 :
565 0 : InvShiftRows(state);
566 0 : InvSubLong(&state[0]);
567 0 : InvSubLong(&state[1]);
568 0 : AddRoundKey(state, w);
569 :
570 0 : memcpy(out, state, 16);
571 0 : }
572 :
573 : static void
574 45499250 : RotWord( uint * x ) {
575 45499250 : uchar *w0;
576 45499250 : uchar tmp;
577 :
578 45499250 : w0 = (uchar *)x;
579 45499250 : tmp = w0[0];
580 45499250 : w0[0] = w0[1];
581 45499250 : w0[1] = w0[2];
582 45499250 : w0[2] = w0[3];
583 45499250 : w0[3] = tmp;
584 45499250 : }
585 :
586 : static void
587 : KeyExpansion( uchar const * key,
588 : ulong * w,
589 : int nr,
590 4549925 : int nk ) {
591 4549925 : uint rcon;
592 4549925 : uni prev;
593 4549925 : uint temp;
594 4549925 : int i, n;
595 :
596 4549925 : memcpy( w, key, (ulong)nk*4UL );
597 4549925 : memcpy( &rcon, "\1\0\0\0", 4 );
598 4549925 : n = nk/2;
599 4549925 : prev.d = w[n-1];
600 95548425 : for (i = n; i < (nr+1)*2; i++) {
601 90998500 : temp = prev.w[1];
602 90998500 : if (i % n == 0) {
603 45499250 : RotWord(&temp);
604 45499250 : SubWord(&temp);
605 45499250 : temp ^= rcon;
606 45499250 : XtimeWord(&rcon);
607 45499250 : } else if (nk > 6 && i % n == 2) {
608 0 : SubWord(&temp);
609 0 : }
610 90998500 : prev.d = w[i-n];
611 90998500 : prev.w[0] ^= temp;
612 90998500 : prev.w[1] ^= prev.w[0];
613 90998500 : w[i] = prev.d;
614 90998500 : }
615 4549925 : }
616 :
617 : /**
618 : * Expand the cipher key into the encryption key schedule.
619 : */
620 : int
621 : fd_aes_ref_set_encrypt_key( uchar const * userKey,
622 : ulong const bits,
623 4549925 : fd_aes_key_ref_t * key ) {
624 4549925 : ulong *rk;
625 :
626 4549925 : if (!userKey || !key)
627 0 : return -1;
628 4549925 : if (bits != 128 && bits != 192 && bits != 256)
629 0 : return -2;
630 :
631 4549925 : rk = (ulong *)fd_type_pun( key->rd_key ); /* strict aliasing violation */
632 :
633 4549925 : if (bits == 128)
634 4549925 : key->rounds = 10;
635 0 : else if (bits == 192)
636 0 : key->rounds = 12;
637 0 : else
638 0 : key->rounds = 14;
639 :
640 4549925 : KeyExpansion(userKey, rk, key->rounds, (int)(bits/32UL) );
641 4549925 : return 0;
642 4549925 : }
643 :
644 : /**
645 : * Expand the cipher key into the decryption key schedule.
646 : */
647 : int
648 : fd_aes_ref_set_decrypt_key( uchar const * userKey,
649 : ulong const bits,
650 0 : fd_aes_key_ref_t * key ) {
651 0 : return fd_aes_ref_set_encrypt_key(userKey, bits, key);
652 0 : }
653 :
654 : /*
655 : * Encrypt a single block
656 : * in and out can overlap
657 : */
658 : void
659 : fd_aes_ref_encrypt_core( uchar const * in,
660 : uchar * out,
661 21891662 : fd_aes_key_ref_t const * key ) {
662 :
663 21891662 : assert(in && out && key);
664 21891662 : ulong const * rk = (ulong *)fd_type_pun_const( key->rd_key );
665 :
666 21891662 : Cipher(in, out, rk, key->rounds);
667 21891662 : }
668 :
669 : /*
670 : * Decrypt a single block
671 : * in and out can overlap
672 : */
673 : void
674 : fd_aes_ref_decrypt_core( uchar const * in,
675 : uchar * out,
676 0 : fd_aes_key_ref_t const * key ) {
677 :
678 0 : assert(in && out && key);
679 0 : ulong const * rk = (ulong const *)fd_type_pun_const( key->rd_key );
680 :
681 0 : InvCipher(in, out, rk, key->rounds );
682 0 : }
|
