summaryrefslogtreecommitdiff
path: root/rijndael.c
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2000-12-07 05:57:27 +0000
committerBen Lindstrom <mouring@eviladmin.org>2000-12-07 05:57:27 +0000
commit01f8463b15ead597f8ecf0052fd7569240dcaab9 (patch)
tree73ab1f33ee4c21041c160a93ff30e47c8179512b /rijndael.c
parenta14ee47f2eee3030cd784b93985a4de417a4b14c (diff)
- markus@cvs.openbsd.org 2000/12/06 23:10:39
[rijndael.c] unexpand(1) - markus@cvs.openbsd.org 2000/12/06 23:05:43 [cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h] new rijndael implementation. fixes endian bugs
Diffstat (limited to 'rijndael.c')
-rw-r--r--rijndael.c770
1 files changed, 294 insertions, 476 deletions
diff --git a/rijndael.c b/rijndael.c
index 963738030..92a39762f 100644
--- a/rijndael.c
+++ b/rijndael.c
@@ -1,493 +1,311 @@
1/* $OpenBSD: rijndael.c,v 1.2 2000/10/15 14:14:01 markus Exp $ */ 1/*
2 2 * rijndael-alg-fst.c v2.4 April '2000
3/* This is an independent implementation of the encryption algorithm: */ 3 * rijndael-alg-api.c v2.4 April '2000
4/* */ 4 *
5/* RIJNDAEL by Joan Daemen and Vincent Rijmen */ 5 * Optimised ANSI C code
6/* */ 6 *
7/* which is a candidate algorithm in the Advanced Encryption Standard */ 7 * authors: v1.0: Antoon Bosselaers
8/* programme of the US National Institute of Standards and Technology. */ 8 * v2.0: Vincent Rijmen, K.U.Leuven
9/* */ 9 * v2.3: Paulo Barreto
10/* Copyright in this implementation is held by Dr B R Gladman but I */ 10 * v2.4: Vincent Rijmen, K.U.Leuven
11/* hereby give permission for its free direct or derivative use subject */ 11 *
12/* to acknowledgment of its origin and compliance with any conditions */ 12 * This code is placed in the public domain.
13/* that the originators of the algorithm place on its exploitation. */ 13 */
14/* */ 14
15/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */ 15#include <stdio.h>
16 16#include <stdlib.h>
17/* Timing data for Rijndael (rijndael.c) 17#include <assert.h>
18
19Algorithm: rijndael (rijndael.c)
20
21128 bit key:
22Key Setup: 305/1389 cycles (encrypt/decrypt)
23Encrypt: 374 cycles = 68.4 mbits/sec
24Decrypt: 352 cycles = 72.7 mbits/sec
25Mean: 363 cycles = 70.5 mbits/sec
26
27192 bit key:
28Key Setup: 277/1595 cycles (encrypt/decrypt)
29Encrypt: 439 cycles = 58.3 mbits/sec
30Decrypt: 425 cycles = 60.2 mbits/sec
31Mean: 432 cycles = 59.3 mbits/sec
32
33256 bit key:
34Key Setup: 374/1960 cycles (encrypt/decrypt)
35Encrypt: 502 cycles = 51.0 mbits/sec
36Decrypt: 498 cycles = 51.4 mbits/sec
37Mean: 500 cycles = 51.2 mbits/sec
38
39*/
40 18
41#include "config.h" 19#include "config.h"
42#include "rijndael.h" 20#include "rijndael.h"
21#include "rijndael_boxes.h"
43 22
44void gen_tabs __P((void)); 23int
45 24rijndael_keysched(u_int8_t k[RIJNDAEL_MAXKC][4],
46/* 3. Basic macros for speeding up generic operations */ 25 u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS)
47
48/* Circular rotate of 32 bit values */
49
50#define rotr(x,n) (((x) >> ((int)(n))) | ((x) << (32 - (int)(n))))
51#define rotl(x,n) (((x) << ((int)(n))) | ((x) >> (32 - (int)(n))))
52
53/* Invert byte order in a 32 bit variable */
54
55#define bswap(x) (rotl(x, 8) & 0x00ff00ff | rotr(x, 8) & 0xff00ff00)
56
57/* Extract byte from a 32 bit quantity (little endian notation) */
58
59#define byte(x,n) ((u1byte)((x) >> (8 * n)))
60
61#if BYTE_ORDER != LITTLE_ENDIAN
62#define BLOCK_SWAP
63#endif
64
65/* For inverting byte order in input/output 32 bit words if needed */
66
67#ifdef BLOCK_SWAP
68#define BYTE_SWAP
69#define WORD_SWAP
70#endif
71
72#ifdef BYTE_SWAP
73#define io_swap(x) bswap(x)
74#else
75#define io_swap(x) (x)
76#endif
77
78/* For inverting the byte order of input/output blocks if needed */
79
80#ifdef WORD_SWAP
81
82#define get_block(x) \
83 ((u4byte*)(x))[0] = io_swap(in_blk[3]); \
84 ((u4byte*)(x))[1] = io_swap(in_blk[2]); \
85 ((u4byte*)(x))[2] = io_swap(in_blk[1]); \
86 ((u4byte*)(x))[3] = io_swap(in_blk[0])
87
88#define put_block(x) \
89 out_blk[3] = io_swap(((u4byte*)(x))[0]); \
90 out_blk[2] = io_swap(((u4byte*)(x))[1]); \
91 out_blk[1] = io_swap(((u4byte*)(x))[2]); \
92 out_blk[0] = io_swap(((u4byte*)(x))[3])
93
94#define get_key(x,len) \
95 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
96 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
97 switch((((len) + 63) / 64)) { \
98 case 2: \
99 ((u4byte*)(x))[0] = io_swap(in_key[3]); \
100 ((u4byte*)(x))[1] = io_swap(in_key[2]); \
101 ((u4byte*)(x))[2] = io_swap(in_key[1]); \
102 ((u4byte*)(x))[3] = io_swap(in_key[0]); \
103 break; \
104 case 3: \
105 ((u4byte*)(x))[0] = io_swap(in_key[5]); \
106 ((u4byte*)(x))[1] = io_swap(in_key[4]); \
107 ((u4byte*)(x))[2] = io_swap(in_key[3]); \
108 ((u4byte*)(x))[3] = io_swap(in_key[2]); \
109 ((u4byte*)(x))[4] = io_swap(in_key[1]); \
110 ((u4byte*)(x))[5] = io_swap(in_key[0]); \
111 break; \
112 case 4: \
113 ((u4byte*)(x))[0] = io_swap(in_key[7]); \
114 ((u4byte*)(x))[1] = io_swap(in_key[6]); \
115 ((u4byte*)(x))[2] = io_swap(in_key[5]); \
116 ((u4byte*)(x))[3] = io_swap(in_key[4]); \
117 ((u4byte*)(x))[4] = io_swap(in_key[3]); \
118 ((u4byte*)(x))[5] = io_swap(in_key[2]); \
119 ((u4byte*)(x))[6] = io_swap(in_key[1]); \
120 ((u4byte*)(x))[7] = io_swap(in_key[0]); \
121 }
122
123#else
124
125#define get_block(x) \
126 ((u4byte*)(x))[0] = io_swap(in_blk[0]); \
127 ((u4byte*)(x))[1] = io_swap(in_blk[1]); \
128 ((u4byte*)(x))[2] = io_swap(in_blk[2]); \
129 ((u4byte*)(x))[3] = io_swap(in_blk[3])
130
131#define put_block(x) \
132 out_blk[0] = io_swap(((u4byte*)(x))[0]); \
133 out_blk[1] = io_swap(((u4byte*)(x))[1]); \
134 out_blk[2] = io_swap(((u4byte*)(x))[2]); \
135 out_blk[3] = io_swap(((u4byte*)(x))[3])
136
137#define get_key(x,len) \
138 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
139 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
140 switch((((len) + 63) / 64)) { \
141 case 4: \
142 ((u4byte*)(x))[6] = io_swap(in_key[6]); \
143 ((u4byte*)(x))[7] = io_swap(in_key[7]); \
144 case 3: \
145 ((u4byte*)(x))[4] = io_swap(in_key[4]); \
146 ((u4byte*)(x))[5] = io_swap(in_key[5]); \
147 case 2: \
148 ((u4byte*)(x))[0] = io_swap(in_key[0]); \
149 ((u4byte*)(x))[1] = io_swap(in_key[1]); \
150 ((u4byte*)(x))[2] = io_swap(in_key[2]); \
151 ((u4byte*)(x))[3] = io_swap(in_key[3]); \
152 }
153
154#endif
155
156#define LARGE_TABLES
157
158u1byte pow_tab[256];
159u1byte log_tab[256];
160u1byte sbx_tab[256];
161u1byte isb_tab[256];
162u4byte rco_tab[ 10];
163u4byte ft_tab[4][256];
164u4byte it_tab[4][256];
165
166#ifdef LARGE_TABLES
167 u4byte fl_tab[4][256];
168 u4byte il_tab[4][256];
169#endif
170
171u4byte tab_gen = 0;
172
173#define ff_mult(a,b) (a && b ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0)
174
175#define f_rn(bo, bi, n, k) \
176 bo[n] = ft_tab[0][byte(bi[n],0)] ^ \
177 ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
178 ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
179 ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
180
181#define i_rn(bo, bi, n, k) \
182 bo[n] = it_tab[0][byte(bi[n],0)] ^ \
183 it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
184 it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
185 it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
186
187#ifdef LARGE_TABLES
188
189#define ls_box(x) \
190 ( fl_tab[0][byte(x, 0)] ^ \
191 fl_tab[1][byte(x, 1)] ^ \
192 fl_tab[2][byte(x, 2)] ^ \
193 fl_tab[3][byte(x, 3)] )
194
195#define f_rl(bo, bi, n, k) \
196 bo[n] = fl_tab[0][byte(bi[n],0)] ^ \
197 fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
198 fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
199 fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
200
201#define i_rl(bo, bi, n, k) \
202 bo[n] = il_tab[0][byte(bi[n],0)] ^ \
203 il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
204 il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
205 il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
206
207#else
208
209#define ls_box(x) \
210 ((u4byte)sbx_tab[byte(x, 0)] << 0) ^ \
211 ((u4byte)sbx_tab[byte(x, 1)] << 8) ^ \
212 ((u4byte)sbx_tab[byte(x, 2)] << 16) ^ \
213 ((u4byte)sbx_tab[byte(x, 3)] << 24)
214
215#define f_rl(bo, bi, n, k) \
216 bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^ \
217 rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \
218 rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
219 rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n)
220
221#define i_rl(bo, bi, n, k) \
222 bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^ \
223 rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \
224 rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
225 rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n)
226
227#endif
228
229void
230gen_tabs(void)
231{ 26{
232 u4byte i, t; 27 /* Calculate the necessary round keys
233 u1byte p, q; 28 * The number of calculations depends on keyBits and blockBits
234 29 */
235 /* log and power tables for GF(2**8) finite field with */ 30 int j, r, t, rconpointer = 0;
236 /* 0x11b as modular polynomial - the simplest prmitive */ 31 u_int8_t tk[RIJNDAEL_MAXKC][4];
237 /* root is 0x11, used here to generate the tables */ 32 int KC = ROUNDS - 6;
238 33
239 for(i = 0,p = 1; i < 256; ++i) { 34 for (j = KC-1; j >= 0; j--) {
240 pow_tab[i] = (u1byte)p; log_tab[p] = (u1byte)i; 35 *((u_int32_t*)tk[j]) = *((u_int32_t*)k[j]);
241
242 p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0);
243 }
244
245 log_tab[1] = 0; p = 1;
246
247 for(i = 0; i < 10; ++i) {
248 rco_tab[i] = p;
249
250 p = (p << 1) ^ (p & 0x80 ? 0x1b : 0);
251 } 36 }
252 37 r = 0;
253 /* note that the affine byte transformation matrix in */ 38 t = 0;
254 /* rijndael specification is in big endian format with */ 39 /* copy values into round key array */
255 /* bit 0 as the most significant bit. In the remainder */ 40 for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
256 /* of the specification the bits are numbered from the */ 41 for (; (j < KC) && (t < 4); j++, t++) {
257 /* least significant end of a byte. */ 42 *((u_int32_t*)W[r][t]) = *((u_int32_t*)tk[j]);
258 43 }
259 for(i = 0; i < 256; ++i) { 44 if (t == 4) {
260 p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p; 45 r++;
261 q = (q >> 7) | (q << 1); p ^= q; 46 t = 0;
262 q = (q >> 7) | (q << 1); p ^= q;
263 q = (q >> 7) | (q << 1); p ^= q;
264 q = (q >> 7) | (q << 1); p ^= q ^ 0x63;
265 sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i;
266 }
267
268 for(i = 0; i < 256; ++i) {
269 p = sbx_tab[i];
270
271#ifdef LARGE_TABLES
272
273 t = p; fl_tab[0][i] = t;
274 fl_tab[1][i] = rotl(t, 8);
275 fl_tab[2][i] = rotl(t, 16);
276 fl_tab[3][i] = rotl(t, 24);
277#endif
278 t = ((u4byte)ff_mult(2, p)) |
279 ((u4byte)p << 8) |
280 ((u4byte)p << 16) |
281 ((u4byte)ff_mult(3, p) << 24);
282
283 ft_tab[0][i] = t;
284 ft_tab[1][i] = rotl(t, 8);
285 ft_tab[2][i] = rotl(t, 16);
286 ft_tab[3][i] = rotl(t, 24);
287
288 p = isb_tab[i];
289
290#ifdef LARGE_TABLES
291
292 t = p; il_tab[0][i] = t;
293 il_tab[1][i] = rotl(t, 8);
294 il_tab[2][i] = rotl(t, 16);
295 il_tab[3][i] = rotl(t, 24);
296#endif
297 t = ((u4byte)ff_mult(14, p)) |
298 ((u4byte)ff_mult( 9, p) << 8) |
299 ((u4byte)ff_mult(13, p) << 16) |
300 ((u4byte)ff_mult(11, p) << 24);
301
302 it_tab[0][i] = t;
303 it_tab[1][i] = rotl(t, 8);
304 it_tab[2][i] = rotl(t, 16);
305 it_tab[3][i] = rotl(t, 24);
306 }
307
308 tab_gen = 1;
309}
310
311#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
312
313#define imix_col(y,x) \
314 u = star_x(x); \
315 v = star_x(u); \
316 w = star_x(v); \
317 t = w ^ (x); \
318 (y) = u ^ v ^ w; \
319 (y) ^= rotr(u ^ t, 8) ^ \
320 rotr(v ^ t, 16) ^ \
321 rotr(t,24)
322
323/* initialise the key schedule from the user supplied key */
324
325#define loop4(i) \
326{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
327 t ^= e_key[4 * i]; e_key[4 * i + 4] = t; \
328 t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t; \
329 t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t; \
330 t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t; \
331}
332
333#define loop6(i) \
334{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
335 t ^= e_key[6 * i]; e_key[6 * i + 6] = t; \
336 t ^= e_key[6 * i + 1]; e_key[6 * i + 7] = t; \
337 t ^= e_key[6 * i + 2]; e_key[6 * i + 8] = t; \
338 t ^= e_key[6 * i + 3]; e_key[6 * i + 9] = t; \
339 t ^= e_key[6 * i + 4]; e_key[6 * i + 10] = t; \
340 t ^= e_key[6 * i + 5]; e_key[6 * i + 11] = t; \
341}
342
343#define loop8(i) \
344{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
345 t ^= e_key[8 * i]; e_key[8 * i + 8] = t; \
346 t ^= e_key[8 * i + 1]; e_key[8 * i + 9] = t; \
347 t ^= e_key[8 * i + 2]; e_key[8 * i + 10] = t; \
348 t ^= e_key[8 * i + 3]; e_key[8 * i + 11] = t; \
349 t = e_key[8 * i + 4] ^ ls_box(t); \
350 e_key[8 * i + 12] = t; \
351 t ^= e_key[8 * i + 5]; e_key[8 * i + 13] = t; \
352 t ^= e_key[8 * i + 6]; e_key[8 * i + 14] = t; \
353 t ^= e_key[8 * i + 7]; e_key[8 * i + 15] = t; \
354}
355
356rijndael_ctx *
357rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len,
358 int encrypt)
359{
360 u4byte i, t, u, v, w;
361 u4byte *e_key = ctx->e_key;
362 u4byte *d_key = ctx->d_key;
363
364 ctx->decrypt = !encrypt;
365
366 if(!tab_gen)
367 gen_tabs();
368
369 ctx->k_len = (key_len + 31) / 32;
370
371 e_key[0] = in_key[0]; e_key[1] = in_key[1];
372 e_key[2] = in_key[2]; e_key[3] = in_key[3];
373
374 switch(ctx->k_len) {
375 case 4: t = e_key[3];
376 for(i = 0; i < 10; ++i)
377 loop4(i);
378 break;
379
380 case 6: e_key[4] = in_key[4]; t = e_key[5] = in_key[5];
381 for(i = 0; i < 8; ++i)
382 loop6(i);
383 break;
384
385 case 8: e_key[4] = in_key[4]; e_key[5] = in_key[5];
386 e_key[6] = in_key[6]; t = e_key[7] = in_key[7];
387 for(i = 0; i < 7; ++i)
388 loop8(i);
389 break;
390 }
391
392 if (!encrypt) {
393 d_key[0] = e_key[0]; d_key[1] = e_key[1];
394 d_key[2] = e_key[2]; d_key[3] = e_key[3];
395
396 for(i = 4; i < 4 * ctx->k_len + 24; ++i) {
397 imix_col(d_key[i], e_key[i]);
398 } 47 }
399 } 48 }
400 49
401 return ctx; 50 while (r < ROUNDS + 1) { /* while not enough round key material calculated */
51 /* calculate new values */
52 tk[0][0] ^= S[tk[KC-1][1]];
53 tk[0][1] ^= S[tk[KC-1][2]];
54 tk[0][2] ^= S[tk[KC-1][3]];
55 tk[0][3] ^= S[tk[KC-1][0]];
56 tk[0][0] ^= rcon[rconpointer++];
57
58 if (KC != 8) {
59 for (j = 1; j < KC; j++) {
60 *((u_int32_t*)tk[j]) ^= *((u_int32_t*)tk[j-1]);
61 }
62 } else {
63 for (j = 1; j < KC/2; j++) {
64 *((u_int32_t*)tk[j]) ^= *((u_int32_t*)tk[j-1]);
65 }
66 tk[KC/2][0] ^= S[tk[KC/2 - 1][0]];
67 tk[KC/2][1] ^= S[tk[KC/2 - 1][1]];
68 tk[KC/2][2] ^= S[tk[KC/2 - 1][2]];
69 tk[KC/2][3] ^= S[tk[KC/2 - 1][3]];
70 for (j = KC/2 + 1; j < KC; j++) {
71 *((u_int32_t*)tk[j]) ^= *((u_int32_t*)tk[j-1]);
72 }
73 }
74 /* copy values into round key array */
75 for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
76 for (; (j < KC) && (t < 4); j++, t++) {
77 *((u_int32_t*)W[r][t]) = *((u_int32_t*)tk[j]);
78 }
79 if (t == 4) {
80 r++;
81 t = 0;
82 }
83 }
84 }
85 return 0;
402} 86}
403 87
404/* encrypt a block of text */ 88int
405 89rijndael_key_enc_to_dec(u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS)
406#define f_nround(bo, bi, k) \ 90{
407 f_rn(bo, bi, 0, k); \ 91 int r;
408 f_rn(bo, bi, 1, k); \ 92 u_int8_t *w;
409 f_rn(bo, bi, 2, k); \ 93
410 f_rn(bo, bi, 3, k); \ 94 for (r = 1; r < ROUNDS; r++) {
411 k += 4 95 w = W[r][0];
412 96 *((u_int32_t*)w) = *((u_int32_t*)U1[w[0]])
413#define f_lround(bo, bi, k) \ 97 ^ *((u_int32_t*)U2[w[1]])
414 f_rl(bo, bi, 0, k); \ 98 ^ *((u_int32_t*)U3[w[2]])
415 f_rl(bo, bi, 1, k); \ 99 ^ *((u_int32_t*)U4[w[3]]);
416 f_rl(bo, bi, 2, k); \ 100
417 f_rl(bo, bi, 3, k) 101 w = W[r][1];
418 102 *((u_int32_t*)w) = *((u_int32_t*)U1[w[0]])
419void 103 ^ *((u_int32_t*)U2[w[1]])
420rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) 104 ^ *((u_int32_t*)U3[w[2]])
421{ 105 ^ *((u_int32_t*)U4[w[3]]);
422 u4byte k_len = ctx->k_len; 106
423 u4byte *e_key = ctx->e_key; 107 w = W[r][2];
424 u4byte b0[4], b1[4], *kp; 108 *((u_int32_t*)w) = *((u_int32_t*)U1[w[0]])
425 109 ^ *((u_int32_t*)U2[w[1]])
426 b0[0] = in_blk[0] ^ e_key[0]; b0[1] = in_blk[1] ^ e_key[1]; 110 ^ *((u_int32_t*)U3[w[2]])
427 b0[2] = in_blk[2] ^ e_key[2]; b0[3] = in_blk[3] ^ e_key[3]; 111 ^ *((u_int32_t*)U4[w[3]]);
428 112
429 kp = e_key + 4; 113 w = W[r][3];
430 114 *((u_int32_t*)w) = *((u_int32_t*)U1[w[0]])
431 if(k_len > 6) { 115 ^ *((u_int32_t*)U2[w[1]])
432 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 116 ^ *((u_int32_t*)U3[w[2]])
117 ^ *((u_int32_t*)U4[w[3]]);
433 } 118 }
434 119 return 0;
435 if(k_len > 4) { 120}
436 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 121
122/**
123 * Encrypt a single block.
124 */
125int
126rijndael_encrypt(rijndael_key *key, u_int8_t a[16], u_int8_t b[16])
127{
128 u_int8_t (*rk)[4][4] = key->keySched;
129 int ROUNDS = key->ROUNDS;
130 int r;
131 u_int8_t temp[4][4];
132
133 *((u_int32_t*)temp[0]) = *((u_int32_t*)(a )) ^ *((u_int32_t*)rk[0][0]);
134 *((u_int32_t*)temp[1]) = *((u_int32_t*)(a+ 4)) ^ *((u_int32_t*)rk[0][1]);
135 *((u_int32_t*)temp[2]) = *((u_int32_t*)(a+ 8)) ^ *((u_int32_t*)rk[0][2]);
136 *((u_int32_t*)temp[3]) = *((u_int32_t*)(a+12)) ^ *((u_int32_t*)rk[0][3]);
137 *((u_int32_t*)(b )) = *((u_int32_t*)T1[temp[0][0]])
138 ^ *((u_int32_t*)T2[temp[1][1]])
139 ^ *((u_int32_t*)T3[temp[2][2]])
140 ^ *((u_int32_t*)T4[temp[3][3]]);
141 *((u_int32_t*)(b + 4)) = *((u_int32_t*)T1[temp[1][0]])
142 ^ *((u_int32_t*)T2[temp[2][1]])
143 ^ *((u_int32_t*)T3[temp[3][2]])
144 ^ *((u_int32_t*)T4[temp[0][3]]);
145 *((u_int32_t*)(b + 8)) = *((u_int32_t*)T1[temp[2][0]])
146 ^ *((u_int32_t*)T2[temp[3][1]])
147 ^ *((u_int32_t*)T3[temp[0][2]])
148 ^ *((u_int32_t*)T4[temp[1][3]]);
149 *((u_int32_t*)(b +12)) = *((u_int32_t*)T1[temp[3][0]])
150 ^ *((u_int32_t*)T2[temp[0][1]])
151 ^ *((u_int32_t*)T3[temp[1][2]])
152 ^ *((u_int32_t*)T4[temp[2][3]]);
153 for (r = 1; r < ROUNDS-1; r++) {
154 *((u_int32_t*)temp[0]) = *((u_int32_t*)(b )) ^ *((u_int32_t*)rk[r][0]);
155 *((u_int32_t*)temp[1]) = *((u_int32_t*)(b+ 4)) ^ *((u_int32_t*)rk[r][1]);
156 *((u_int32_t*)temp[2]) = *((u_int32_t*)(b+ 8)) ^ *((u_int32_t*)rk[r][2]);
157 *((u_int32_t*)temp[3]) = *((u_int32_t*)(b+12)) ^ *((u_int32_t*)rk[r][3]);
158
159 *((u_int32_t*)(b )) = *((u_int32_t*)T1[temp[0][0]])
160 ^ *((u_int32_t*)T2[temp[1][1]])
161 ^ *((u_int32_t*)T3[temp[2][2]])
162 ^ *((u_int32_t*)T4[temp[3][3]]);
163 *((u_int32_t*)(b + 4)) = *((u_int32_t*)T1[temp[1][0]])
164 ^ *((u_int32_t*)T2[temp[2][1]])
165 ^ *((u_int32_t*)T3[temp[3][2]])
166 ^ *((u_int32_t*)T4[temp[0][3]]);
167 *((u_int32_t*)(b + 8)) = *((u_int32_t*)T1[temp[2][0]])
168 ^ *((u_int32_t*)T2[temp[3][1]])
169 ^ *((u_int32_t*)T3[temp[0][2]])
170 ^ *((u_int32_t*)T4[temp[1][3]]);
171 *((u_int32_t*)(b +12)) = *((u_int32_t*)T1[temp[3][0]])
172 ^ *((u_int32_t*)T2[temp[0][1]])
173 ^ *((u_int32_t*)T3[temp[1][2]])
174 ^ *((u_int32_t*)T4[temp[2][3]]);
437 } 175 }
438 176 /* last round is special */
439 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 177 *((u_int32_t*)temp[0]) = *((u_int32_t*)(b )) ^ *((u_int32_t*)rk[ROUNDS-1][0]);
440 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 178 *((u_int32_t*)temp[1]) = *((u_int32_t*)(b+ 4)) ^ *((u_int32_t*)rk[ROUNDS-1][1]);
441 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 179 *((u_int32_t*)temp[2]) = *((u_int32_t*)(b+ 8)) ^ *((u_int32_t*)rk[ROUNDS-1][2]);
442 f_nround(b1, b0, kp); f_nround(b0, b1, kp); 180 *((u_int32_t*)temp[3]) = *((u_int32_t*)(b+12)) ^ *((u_int32_t*)rk[ROUNDS-1][3]);
443 f_nround(b1, b0, kp); f_lround(b0, b1, kp); 181 b[ 0] = T1[temp[0][0]][1];
444 182 b[ 1] = T1[temp[1][1]][1];
445 out_blk[0] = b0[0]; out_blk[1] = b0[1]; 183 b[ 2] = T1[temp[2][2]][1];
446 out_blk[2] = b0[2]; out_blk[3] = b0[3]; 184 b[ 3] = T1[temp[3][3]][1];
185 b[ 4] = T1[temp[1][0]][1];
186 b[ 5] = T1[temp[2][1]][1];
187 b[ 6] = T1[temp[3][2]][1];
188 b[ 7] = T1[temp[0][3]][1];
189 b[ 8] = T1[temp[2][0]][1];
190 b[ 9] = T1[temp[3][1]][1];
191 b[10] = T1[temp[0][2]][1];
192 b[11] = T1[temp[1][3]][1];
193 b[12] = T1[temp[3][0]][1];
194 b[13] = T1[temp[0][1]][1];
195 b[14] = T1[temp[1][2]][1];
196 b[15] = T1[temp[2][3]][1];
197 *((u_int32_t*)(b )) ^= *((u_int32_t*)rk[ROUNDS][0]);
198 *((u_int32_t*)(b+ 4)) ^= *((u_int32_t*)rk[ROUNDS][1]);
199 *((u_int32_t*)(b+ 8)) ^= *((u_int32_t*)rk[ROUNDS][2]);
200 *((u_int32_t*)(b+12)) ^= *((u_int32_t*)rk[ROUNDS][3]);
201
202 return 0;
447} 203}
448 204
449/* decrypt a block of text */ 205/**
450 206 * Decrypt a single block.
451#define i_nround(bo, bi, k) \ 207 */
452 i_rn(bo, bi, 0, k); \ 208int
453 i_rn(bo, bi, 1, k); \ 209rijndael_decrypt(rijndael_key *key, u_int8_t a[16], u_int8_t b[16])
454 i_rn(bo, bi, 2, k); \ 210{
455 i_rn(bo, bi, 3, k); \ 211 u_int8_t (*rk)[4][4] = key->keySched;
456 k -= 4 212 int ROUNDS = key->ROUNDS;
457 213 int r;
458#define i_lround(bo, bi, k) \ 214 u_int8_t temp[4][4];
459 i_rl(bo, bi, 0, k); \ 215
460 i_rl(bo, bi, 1, k); \ 216 *((u_int32_t*)temp[0]) = *((u_int32_t*)(a )) ^ *((u_int32_t*)rk[ROUNDS][0]);
461 i_rl(bo, bi, 2, k); \ 217 *((u_int32_t*)temp[1]) = *((u_int32_t*)(a+ 4)) ^ *((u_int32_t*)rk[ROUNDS][1]);
462 i_rl(bo, bi, 3, k) 218 *((u_int32_t*)temp[2]) = *((u_int32_t*)(a+ 8)) ^ *((u_int32_t*)rk[ROUNDS][2]);
463 219 *((u_int32_t*)temp[3]) = *((u_int32_t*)(a+12)) ^ *((u_int32_t*)rk[ROUNDS][3]);
464void 220
465rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk) 221 *((u_int32_t*)(b )) = *((u_int32_t*)T5[temp[0][0]])
466{ 222 ^ *((u_int32_t*)T6[temp[3][1]])
467 u4byte b0[4], b1[4], *kp; 223 ^ *((u_int32_t*)T7[temp[2][2]])
468 u4byte k_len = ctx->k_len; 224 ^ *((u_int32_t*)T8[temp[1][3]]);
469 u4byte *e_key = ctx->e_key; 225 *((u_int32_t*)(b+ 4)) = *((u_int32_t*)T5[temp[1][0]])
470 u4byte *d_key = ctx->d_key; 226 ^ *((u_int32_t*)T6[temp[0][1]])
471 227 ^ *((u_int32_t*)T7[temp[3][2]])
472 b0[0] = in_blk[0] ^ e_key[4 * k_len + 24]; b0[1] = in_blk[1] ^ e_key[4 * k_len + 25]; 228 ^ *((u_int32_t*)T8[temp[2][3]]);
473 b0[2] = in_blk[2] ^ e_key[4 * k_len + 26]; b0[3] = in_blk[3] ^ e_key[4 * k_len + 27]; 229 *((u_int32_t*)(b+ 8)) = *((u_int32_t*)T5[temp[2][0]])
474 230 ^ *((u_int32_t*)T6[temp[1][1]])
475 kp = d_key + 4 * (k_len + 5); 231 ^ *((u_int32_t*)T7[temp[0][2]])
476 232 ^ *((u_int32_t*)T8[temp[3][3]]);
477 if(k_len > 6) { 233 *((u_int32_t*)(b+12)) = *((u_int32_t*)T5[temp[3][0]])
478 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 234 ^ *((u_int32_t*)T6[temp[2][1]])
479 } 235 ^ *((u_int32_t*)T7[temp[1][2]])
480 236 ^ *((u_int32_t*)T8[temp[0][3]]);
481 if(k_len > 4) { 237 for (r = ROUNDS-1; r > 1; r--) {
482 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 238 *((u_int32_t*)temp[0]) = *((u_int32_t*)(b )) ^ *((u_int32_t*)rk[r][0]);
239 *((u_int32_t*)temp[1]) = *((u_int32_t*)(b+ 4)) ^ *((u_int32_t*)rk[r][1]);
240 *((u_int32_t*)temp[2]) = *((u_int32_t*)(b+ 8)) ^ *((u_int32_t*)rk[r][2]);
241 *((u_int32_t*)temp[3]) = *((u_int32_t*)(b+12)) ^ *((u_int32_t*)rk[r][3]);
242 *((u_int32_t*)(b )) = *((u_int32_t*)T5[temp[0][0]])
243 ^ *((u_int32_t*)T6[temp[3][1]])
244 ^ *((u_int32_t*)T7[temp[2][2]])
245 ^ *((u_int32_t*)T8[temp[1][3]]);
246 *((u_int32_t*)(b+ 4)) = *((u_int32_t*)T5[temp[1][0]])
247 ^ *((u_int32_t*)T6[temp[0][1]])
248 ^ *((u_int32_t*)T7[temp[3][2]])
249 ^ *((u_int32_t*)T8[temp[2][3]]);
250 *((u_int32_t*)(b+ 8)) = *((u_int32_t*)T5[temp[2][0]])
251 ^ *((u_int32_t*)T6[temp[1][1]])
252 ^ *((u_int32_t*)T7[temp[0][2]])
253 ^ *((u_int32_t*)T8[temp[3][3]]);
254 *((u_int32_t*)(b+12)) = *((u_int32_t*)T5[temp[3][0]])
255 ^ *((u_int32_t*)T6[temp[2][1]])
256 ^ *((u_int32_t*)T7[temp[1][2]])
257 ^ *((u_int32_t*)T8[temp[0][3]]);
483 } 258 }
259 /* last round is special */
260 *((u_int32_t*)temp[0]) = *((u_int32_t*)(b )) ^ *((u_int32_t*)rk[1][0]);
261 *((u_int32_t*)temp[1]) = *((u_int32_t*)(b+ 4)) ^ *((u_int32_t*)rk[1][1]);
262 *((u_int32_t*)temp[2]) = *((u_int32_t*)(b+ 8)) ^ *((u_int32_t*)rk[1][2]);
263 *((u_int32_t*)temp[3]) = *((u_int32_t*)(b+12)) ^ *((u_int32_t*)rk[1][3]);
264 b[ 0] = S5[temp[0][0]];
265 b[ 1] = S5[temp[3][1]];
266 b[ 2] = S5[temp[2][2]];
267 b[ 3] = S5[temp[1][3]];
268 b[ 4] = S5[temp[1][0]];
269 b[ 5] = S5[temp[0][1]];
270 b[ 6] = S5[temp[3][2]];
271 b[ 7] = S5[temp[2][3]];
272 b[ 8] = S5[temp[2][0]];
273 b[ 9] = S5[temp[1][1]];
274 b[10] = S5[temp[0][2]];
275 b[11] = S5[temp[3][3]];
276 b[12] = S5[temp[3][0]];
277 b[13] = S5[temp[2][1]];
278 b[14] = S5[temp[1][2]];
279 b[15] = S5[temp[0][3]];
280 *((u_int32_t*)(b )) ^= *((u_int32_t*)rk[0][0]);
281 *((u_int32_t*)(b+ 4)) ^= *((u_int32_t*)rk[0][1]);
282 *((u_int32_t*)(b+ 8)) ^= *((u_int32_t*)rk[0][2]);
283 *((u_int32_t*)(b+12)) ^= *((u_int32_t*)rk[0][3]);
284
285 return 0;
286}
484 287
485 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 288int
486 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 289rijndael_makekey(rijndael_key *key, int direction, int keyLen, u_int8_t *keyMaterial)
487 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 290{
488 i_nround(b1, b0, kp); i_nround(b0, b1, kp); 291 u_int8_t k[RIJNDAEL_MAXKC][4];
489 i_nround(b1, b0, kp); i_lround(b0, b1, kp); 292 int i;
490 293
491 out_blk[0] = b0[0]; out_blk[1] = b0[1]; 294 if (key == NULL)
492 out_blk[2] = b0[2]; out_blk[3] = b0[3]; 295 return -1;
296 if ((direction != RIJNDAEL_ENCRYPT) && (direction != RIJNDAEL_DECRYPT))
297 return -1;
298 if ((keyLen != 128) && (keyLen != 192) && (keyLen != 256))
299 return -1;
300
301 key->ROUNDS = keyLen/32 + 6;
302
303 /* initialize key schedule: */
304 for (i = 0; i < keyLen/8; i++)
305 k[i >> 2][i & 3] = (u_int8_t)keyMaterial[i];
306
307 rijndael_keysched(k, key->keySched, key->ROUNDS);
308 if (direction == RIJNDAEL_DECRYPT)
309 rijndael_key_enc_to_dec(key->keySched, key->ROUNDS);
310 return 0;
493} 311}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 13:29:58 +0000