/* $OpenBSD: rijndael.c,v 1.6 2000/12/09 18:51:34 markus Exp $ */

/* contrib/pgcrypto/rijndael.c */

/* This is an independent implementation of the encryption algorithm:   */
/*                                                                      */
/*         RIJNDAEL by Joan Daemen and Vincent Rijmen                   */
/*                                                                      */
/* which is a candidate algorithm in the Advanced Encryption Standard   */
/* programme of the US National Institute of Standards and Technology.  */
/*                                                                      */
/* Copyright in this implementation is held by Dr B R Gladman but I     */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions   */
/* that the originators of the algorithm place on its exploitation.     */
/*                                                                      */
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
/* Timing data for Rijndael (rijndael.c)

Algorithm: rijndael (rijndael.c)

128 bit key:
Key Setup:    305/1389 cycles (encrypt/decrypt)
Encrypt:       374 cycles =    68.4 mbits/sec
Decrypt:       352 cycles =    72.7 mbits/sec
Mean:          363 cycles =    70.5 mbits/sec

192 bit key:
Key Setup:    277/1595 cycles (encrypt/decrypt)
Encrypt:       439 cycles =    58.3 mbits/sec
Decrypt:       425 cycles =    60.2 mbits/sec
Mean:          432 cycles =    59.3 mbits/sec

256 bit key:
Key Setup:    374/1960 cycles (encrypt/decrypt)
Encrypt:       502 cycles =    51.0 mbits/sec
Decrypt:       498 cycles =    51.4 mbits/sec
Mean:          500 cycles =    51.2 mbits/sec

*/
|
|
|
|
|
2005-07-11 23:07:59 +08:00
|
|
|
#include "postgres.h"
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-07-11 23:07:59 +08:00
|
|
|
#include <sys/param.h>
|
|
|
|
|
|
|
|
#include "px.h"
|
2001-08-21 09:32:01 +08:00
|
|
|
#include "rijndael.h"
|
|
|
|
|
|
|
|
#define PRE_CALC_TABLES
|
|
|
|
#define LARGE_TABLES
|
|
|
|
|
2001-08-23 02:19:59 +08:00
|
|
|
static void gen_tabs(void);
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
/* 3. Basic macros for speeding up generic operations */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
/* Circular rotate of 32 bit values */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define rotr(x,n) (((x) >> ((int)(n))) | ((x) << (32 - (int)(n))))
|
|
|
|
#define rotl(x,n) (((x) << ((int)(n))) | ((x) >> (32 - (int)(n))))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
/* Invert byte order in a 32 bit variable */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define bswap(x) ((rotl((x), 8) & 0x00ff00ff) | (rotr((x), 8) & 0xff00ff00))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
/* Extract byte from a 32 bit quantity (little endian notation) */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define byte(x,n) ((u1byte)((x) >> (8 * (n))))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2007-04-06 13:36:51 +08:00
|
|
|
#ifdef WORDS_BIGENDIAN
|
2001-10-25 13:50:21 +08:00
|
|
|
#define io_swap(x) bswap(x)
|
2001-08-21 09:32:01 +08:00
|
|
|
#else
|
2001-10-25 13:50:21 +08:00
|
|
|
#define io_swap(x) (x)
|
2001-08-21 09:32:01 +08:00
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef PRINT_TABS
|
|
|
|
#undef PRE_CALC_TABLES
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef PRE_CALC_TABLES
|
|
|
|
|
|
|
|
#include "rijndael.tbl"
|
|
|
|
#define tab_gen 1
|
2001-10-25 13:50:21 +08:00
|
|
|
#else /* !PRE_CALC_TABLES */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
static u1byte pow_tab[256];
|
|
|
|
static u1byte log_tab[256];
|
|
|
|
static u1byte sbx_tab[256];
|
|
|
|
static u1byte isb_tab[256];
|
|
|
|
static u4byte rco_tab[10];
|
|
|
|
static u4byte ft_tab[4][256];
|
|
|
|
static u4byte it_tab[4][256];
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#ifdef LARGE_TABLES
|
|
|
|
static u4byte fl_tab[4][256];
|
|
|
|
static u4byte il_tab[4][256];
|
2001-08-21 09:32:01 +08:00
|
|
|
#endif
|
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
static u4byte tab_gen = 0;
|
|
|
|
#endif /* !PRE_CALC_TABLES */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define ff_mult(a,b) ((a) && (b) ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define f_rn(bo, bi, n, k) \
|
|
|
|
(bo)[n] = ft_tab[0][byte((bi)[n],0)] ^ \
|
|
|
|
ft_tab[1][byte((bi)[((n) + 1) & 3],1)] ^ \
|
|
|
|
ft_tab[2][byte((bi)[((n) + 2) & 3],2)] ^ \
|
|
|
|
ft_tab[3][byte((bi)[((n) + 3) & 3],3)] ^ *((k) + (n))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define i_rn(bo, bi, n, k) \
|
2005-05-26 05:40:43 +08:00
|
|
|
(bo)[n] = it_tab[0][byte((bi)[n],0)] ^ \
|
|
|
|
it_tab[1][byte((bi)[((n) + 3) & 3],1)] ^ \
|
|
|
|
it_tab[2][byte((bi)[((n) + 2) & 3],2)] ^ \
|
|
|
|
it_tab[3][byte((bi)[((n) + 1) & 3],3)] ^ *((k) + (n))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
#ifdef LARGE_TABLES
|
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define ls_box(x) \
|
|
|
|
( fl_tab[0][byte(x, 0)] ^ \
|
|
|
|
fl_tab[1][byte(x, 1)] ^ \
|
|
|
|
fl_tab[2][byte(x, 2)] ^ \
|
|
|
|
fl_tab[3][byte(x, 3)] )
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define f_rl(bo, bi, n, k) \
|
|
|
|
(bo)[n] = fl_tab[0][byte((bi)[n],0)] ^ \
|
|
|
|
fl_tab[1][byte((bi)[((n) + 1) & 3],1)] ^ \
|
|
|
|
fl_tab[2][byte((bi)[((n) + 2) & 3],2)] ^ \
|
|
|
|
fl_tab[3][byte((bi)[((n) + 3) & 3],3)] ^ *((k) + (n))
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define i_rl(bo, bi, n, k) \
|
|
|
|
(bo)[n] = il_tab[0][byte((bi)[n],0)] ^ \
|
|
|
|
il_tab[1][byte((bi)[((n) + 3) & 3],1)] ^ \
|
|
|
|
il_tab[2][byte((bi)[((n) + 2) & 3],2)] ^ \
|
|
|
|
il_tab[3][byte((bi)[((n) + 1) & 3],3)] ^ *((k) + (n))
|
2001-08-21 09:32:01 +08:00
|
|
|
#else
|
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define ls_box(x) \
|
|
|
|
((u4byte)sbx_tab[byte(x, 0)] << 0) ^ \
|
|
|
|
((u4byte)sbx_tab[byte(x, 1)] << 8) ^ \
|
|
|
|
((u4byte)sbx_tab[byte(x, 2)] << 16) ^ \
|
|
|
|
((u4byte)sbx_tab[byte(x, 3)] << 24)
|
|
|
|
|
2005-05-26 05:40:43 +08:00
|
|
|
#define f_rl(bo, bi, n, k) \
|
|
|
|
(bo)[n] = (u4byte)sbx_tab[byte((bi)[n],0)] ^ \
|
|
|
|
rotl(((u4byte)sbx_tab[byte((bi)[((n) + 1) & 3],1)]), 8) ^ \
|
|
|
|
rotl(((u4byte)sbx_tab[byte((bi)[((n) + 2) & 3],2)]), 16) ^ \
|
|
|
|
rotl(((u4byte)sbx_tab[byte((bi)[((n) + 3) & 3],3)]), 24) ^ *((k) + (n))
|
|
|
|
|
|
|
|
#define i_rl(bo, bi, n, k) \
|
|
|
|
(bo)[n] = (u4byte)isb_tab[byte((bi)[n],0)] ^ \
|
|
|
|
rotl(((u4byte)isb_tab[byte((bi)[((n) + 3) & 3],1)]), 8) ^ \
|
|
|
|
rotl(((u4byte)isb_tab[byte((bi)[((n) + 2) & 3],2)]), 16) ^ \
|
|
|
|
rotl(((u4byte)isb_tab[byte((bi)[((n) + 1) & 3],3)]), 24) ^ *((k) + (n))
|
2001-08-21 09:32:01 +08:00
|
|
|
#endif
/*
 * Build the lookup tables used by the cipher: GF(2^8) log/antilog tables,
 * the S-box and its inverse, the round constants, and the combined
 * SubBytes+MixColumns tables (ft_tab/it_tab, plus fl_tab/il_tab when
 * LARGE_TABLES is set).
 *
 * The body only exists when PRE_CALC_TABLES is not defined (PRINT_TABS
 * undefines it); in the normal build the tables are included pre-computed
 * from rijndael.tbl and this function is an empty stub.  Sets tab_gen so
 * the generation is done at most once per process.
 */
static void
gen_tabs(void)
{
#ifndef PRE_CALC_TABLES
	u4byte		i,
				t;
	u1byte		p,
				q;

	/* log and power tables for GF(2**8) finite field with */
	/* 0x11b as modular polynomial - the simplest primitive */
	/* root is 0x11, used here to generate the tables */

	/*
	 * p runs through the powers of the generator: p ^ (p << 1) multiplies
	 * p by (x + 1), the 0x1b term reduces modulo the field polynomial.
	 */
	for (i = 0, p = 1; i < 256; ++i)
	{
		pow_tab[i] = (u1byte) p;
		log_tab[p] = (u1byte) i;

		p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0);
	}

	/* the loop above wrote log_tab[1] twice (i = 0 and i = 255); fix it */
	log_tab[1] = 0;
	p = 1;

	/* round constants: successive powers of x in GF(2^8) */
	for (i = 0; i < 10; ++i)
	{
		rco_tab[i] = p;

		p = (p << 1) ^ (p & 0x80 ? 0x1b : 0);
	}

	/* note that the affine byte transformation matrix in */
	/* rijndael specification is in big endian format with */
	/* bit 0 as the most significant bit. In the remainder */
	/* of the specification the bits are numbered from the */
	/* least significant end of a byte. */

	/*
	 * S-box: multiplicative inverse (via the log tables, 0 maps to 0)
	 * followed by the affine transform - four rotate-by-one XORs and
	 * the 0x63 constant.  isb_tab is the inverse mapping.
	 */
	for (i = 0; i < 256; ++i)
	{
		p = (i ? pow_tab[255 - log_tab[i]] : 0);
		q = p;
		q = (q >> 7) | (q << 1);
		p ^= q;
		q = (q >> 7) | (q << 1);
		p ^= q;
		q = (q >> 7) | (q << 1);
		p ^= q;
		q = (q >> 7) | (q << 1);
		p ^= q ^ 0x63;
		sbx_tab[i] = (u1byte) p;
		isb_tab[p] = (u1byte) i;
	}

	/*
	 * Per-byte tables for the round functions.  Index 0 holds the word
	 * for byte position 0; indices 1..3 are the same word rotated by
	 * 8/16/24 bits so each column byte can be looked up directly.
	 */
	for (i = 0; i < 256; ++i)
	{
		p = sbx_tab[i];

#ifdef LARGE_TABLES

		/* last-round (SubBytes only) table */
		t = p;
		fl_tab[0][i] = t;
		fl_tab[1][i] = rotl(t, 8);
		fl_tab[2][i] = rotl(t, 16);
		fl_tab[3][i] = rotl(t, 24);
#endif
		/* SubBytes combined with the MixColumns column (2, 1, 1, 3) */
		t = ((u4byte) ff_mult(2, p)) |
			((u4byte) p << 8) |
			((u4byte) p << 16) |
			((u4byte) ff_mult(3, p) << 24);

		ft_tab[0][i] = t;
		ft_tab[1][i] = rotl(t, 8);
		ft_tab[2][i] = rotl(t, 16);
		ft_tab[3][i] = rotl(t, 24);

		p = isb_tab[i];

#ifdef LARGE_TABLES

		/* last-round inverse (InvSubBytes only) table */
		t = p;
		il_tab[0][i] = t;
		il_tab[1][i] = rotl(t, 8);
		il_tab[2][i] = rotl(t, 16);
		il_tab[3][i] = rotl(t, 24);
#endif
		/* InvSubBytes combined with the InvMixColumns column (14, 9, 13, 11) */
		t = ((u4byte) ff_mult(14, p)) |
			((u4byte) ff_mult(9, p) << 8) |
			((u4byte) ff_mult(13, p) << 16) |
			((u4byte) ff_mult(11, p) << 24);

		it_tab[0][i] = t;
		it_tab[1][i] = rotl(t, 8);
		it_tab[2][i] = rotl(t, 16);
		it_tab[3][i] = rotl(t, 24);
	}

	tab_gen = 1;
#endif							/* !PRE_CALC_TABLES */
}
#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
|
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define imix_col(y,x) \
|
2002-09-06 05:08:26 +08:00
|
|
|
do { \
|
2001-10-25 13:50:21 +08:00
|
|
|
u = star_x(x); \
|
|
|
|
v = star_x(u); \
|
|
|
|
w = star_x(v); \
|
|
|
|
t = w ^ (x); \
|
|
|
|
(y) = u ^ v ^ w; \
|
2001-08-21 09:32:01 +08:00
|
|
|
(y) ^= rotr(u ^ t, 8) ^ \
|
2001-10-25 13:50:21 +08:00
|
|
|
rotr(v ^ t, 16) ^ \
|
2002-09-06 05:08:26 +08:00
|
|
|
rotr(t,24); \
|
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
/* initialise the key schedule from the user supplied key */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define loop4(i) \
|
|
|
|
do { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
|
|
|
|
t ^= e_key[4 * i]; e_key[4 * i + 4] = t; \
|
|
|
|
t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t; \
|
|
|
|
t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t; \
|
|
|
|
t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t; \
|
2001-10-25 08:55:48 +08:00
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define loop6(i) \
|
|
|
|
do { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
|
2005-05-26 05:40:43 +08:00
|
|
|
t ^= e_key[6 * (i)]; e_key[6 * (i) + 6] = t; \
|
|
|
|
t ^= e_key[6 * (i) + 1]; e_key[6 * (i) + 7] = t; \
|
|
|
|
t ^= e_key[6 * (i) + 2]; e_key[6 * (i) + 8] = t; \
|
|
|
|
t ^= e_key[6 * (i) + 3]; e_key[6 * (i) + 9] = t; \
|
|
|
|
t ^= e_key[6 * (i) + 4]; e_key[6 * (i) + 10] = t; \
|
|
|
|
t ^= e_key[6 * (i) + 5]; e_key[6 * (i) + 11] = t; \
|
2001-10-25 08:55:48 +08:00
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
2001-10-25 13:50:21 +08:00
|
|
|
#define loop8(i) \
|
|
|
|
do { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
|
2005-05-26 05:40:43 +08:00
|
|
|
t ^= e_key[8 * (i)]; e_key[8 * (i) + 8] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 1]; e_key[8 * (i) + 9] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 2]; e_key[8 * (i) + 10] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 3]; e_key[8 * (i) + 11] = t; \
|
|
|
|
t = e_key[8 * (i) + 4] ^ ls_box(t); \
|
|
|
|
e_key[8 * (i) + 12] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 5]; e_key[8 * (i) + 13] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 6]; e_key[8 * (i) + 14] = t; \
|
|
|
|
t ^= e_key[8 * (i) + 7]; e_key[8 * (i) + 15] = t; \
|
2001-10-25 08:55:48 +08:00
|
|
|
} while (0)
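/*
 * Expand the user key into the round-key schedule stored in ctx.
 *
 * in_key  - key material as 32-bit words in the caller's byte order;
 *           4, 6 or 8 words are read depending on key_len.
 * key_len - key length in bits (128, 192 or 256).
 * encrypt - non-zero: build only the encryption schedule (e_key);
 *           zero: also derive the decryption schedule (d_key).
 *
 * Returns ctx on success.  Returns NULL, with the schedule left
 * incomplete, when key_len rounds to a word count other than 4, 6 or 8;
 * previously such a length fell through the switch and the uninitialised
 * schedule would be used.  Callers are expected to validate the length
 * beforehand.
 */
rijndael_ctx *
rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len,
				 int encrypt)
{
	u4byte		i,
				t,
				u,
				v,
				w;
	u4byte	   *e_key = ctx->e_key;
	u4byte	   *d_key = ctx->d_key;

	ctx->decrypt = !encrypt;

	/* lookup tables are generated lazily on first use (no-op if pre-computed) */
	if (!tab_gen)
		gen_tabs();

	/* key length in 32-bit words, rounding up */
	ctx->k_len = (key_len + 31) / 32;

	e_key[0] = io_swap(in_key[0]);
	e_key[1] = io_swap(in_key[1]);
	e_key[2] = io_swap(in_key[2]);
	e_key[3] = io_swap(in_key[3]);

	/*
	 * Each loopN(i) expands one block of N words; t carries the last word
	 * of the previous block into the next one.
	 */
	switch (ctx->k_len)
	{
		case 4:
			t = e_key[3];
			for (i = 0; i < 10; ++i)
				loop4(i);
			break;

		case 6:
			e_key[4] = io_swap(in_key[4]);
			t = e_key[5] = io_swap(in_key[5]);
			for (i = 0; i < 8; ++i)
				loop6(i);
			break;

		case 8:
			e_key[4] = io_swap(in_key[4]);
			e_key[5] = io_swap(in_key[5]);
			e_key[6] = io_swap(in_key[6]);
			t = e_key[7] = io_swap(in_key[7]);
			for (i = 0; i < 7; ++i)
				loop8(i);
			break;

		default:
			/* unsupported key size: refuse rather than use a half-built schedule */
			return NULL;
	}

	if (!encrypt)
	{
		/* first and last round keys are used unchanged by the decryptor */
		d_key[0] = e_key[0];
		d_key[1] = e_key[1];
		d_key[2] = e_key[2];
		d_key[3] = e_key[3];

		/* the inner round keys get the inverse column mixing applied */
		for (i = 4; i < 4 * ctx->k_len + 24; ++i)
			imix_col(d_key[i], e_key[i]);
	}

	return ctx;
}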
/* encrypt a block of text */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
#define f_nround(bo, bi, k) \
|
2002-09-06 05:08:26 +08:00
|
|
|
do { \
|
2001-10-25 13:50:21 +08:00
|
|
|
f_rn(bo, bi, 0, k); \
|
|
|
|
f_rn(bo, bi, 1, k); \
|
|
|
|
f_rn(bo, bi, 2, k); \
|
|
|
|
f_rn(bo, bi, 3, k); \
|
2002-09-06 05:08:26 +08:00
|
|
|
k += 4; \
|
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
#define f_lround(bo, bi, k) \
|
2002-09-06 05:08:26 +08:00
|
|
|
do { \
|
2001-10-25 13:50:21 +08:00
|
|
|
f_rl(bo, bi, 0, k); \
|
|
|
|
f_rl(bo, bi, 1, k); \
|
|
|
|
f_rl(bo, bi, 2, k); \
|
2002-09-06 05:08:26 +08:00
|
|
|
f_rl(bo, bi, 3, k); \
|
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
/*
 * Encrypt one 16-byte block: in_blk -> out_blk.  The two may be the same
 * buffer, since the state lives in b0/b1 until the final store.
 *
 * The block and the key schedule are handled as four 32-bit words;
 * io_swap converts the caller's word byte order to the internal layout
 * (a byte swap on big-endian hosts, identity otherwise).  Rounds are
 * fully unrolled: 10 for a 128-bit key, the two conditional blocks add
 * the extra 2 and 4 rounds for 192- and 256-bit keys.  Each f_nround
 * advances kp by four words.
 */
void
rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
{
	u4byte		k_len = ctx->k_len;
	u4byte	   *e_key = ctx->e_key;
	u4byte		b0[4],
				b1[4],
			   *kp;

	/* initial key whitening */
	b0[0] = io_swap(in_blk[0]) ^ e_key[0];
	b0[1] = io_swap(in_blk[1]) ^ e_key[1];
	b0[2] = io_swap(in_blk[2]) ^ e_key[2];
	b0[3] = io_swap(in_blk[3]) ^ e_key[3];

	kp = e_key + 4;

	/* 256-bit key: 14 rounds */
	if (k_len > 6)
	{
		f_nround(b1, b0, kp);
		f_nround(b0, b1, kp);
	}

	/* 192-bit key: 12 rounds */
	if (k_len > 4)
	{
		f_nround(b1, b0, kp);
		f_nround(b0, b1, kp);
	}

	/* nine full rounds common to all key sizes ... */
	f_nround(b1, b0, kp);
	f_nround(b0, b1, kp);
	f_nround(b1, b0, kp);
	f_nround(b0, b1, kp);
	f_nround(b1, b0, kp);
	f_nround(b0, b1, kp);
	f_nround(b1, b0, kp);
	f_nround(b0, b1, kp);
	f_nround(b1, b0, kp);
	/* ... and the final round without MixColumns */
	f_lround(b0, b1, kp);

	out_blk[0] = io_swap(b0[0]);
	out_blk[1] = io_swap(b0[1]);
	out_blk[2] = io_swap(b0[2]);
	out_blk[3] = io_swap(b0[3]);
}
/* decrypt a block of text */
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
#define i_nround(bo, bi, k) \
|
2002-09-06 05:08:26 +08:00
|
|
|
do { \
|
2001-10-25 13:50:21 +08:00
|
|
|
i_rn(bo, bi, 0, k); \
|
|
|
|
i_rn(bo, bi, 1, k); \
|
|
|
|
i_rn(bo, bi, 2, k); \
|
|
|
|
i_rn(bo, bi, 3, k); \
|
2002-09-06 05:08:26 +08:00
|
|
|
k -= 4; \
|
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
#define i_lround(bo, bi, k) \
|
2002-09-06 05:08:26 +08:00
|
|
|
do { \
|
2001-10-25 13:50:21 +08:00
|
|
|
i_rl(bo, bi, 0, k); \
|
|
|
|
i_rl(bo, bi, 1, k); \
|
|
|
|
i_rl(bo, bi, 2, k); \
|
2002-09-06 05:08:26 +08:00
|
|
|
i_rl(bo, bi, 3, k); \
|
|
|
|
} while (0)
|
2001-08-21 09:32:01 +08:00
|
|
|
|
|
|
|
/*
 * Decrypt one 16-byte block: in_blk -> out_blk (may be the same buffer).
 *
 * The schedule must have been built by rijndael_set_key() with
 * encrypt == 0, since only then is d_key filled in.  The initial
 * whitening uses the final encryption round key taken straight from
 * e_key; the remaining rounds walk d_key backwards (each i_nround moves
 * kp back by four words).  Round count is 10/12/14 for 128/192/256-bit
 * keys, as in rijndael_encrypt.
 */
void
rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
{
	u4byte		b0[4],
				b1[4],
			   *kp;
	u4byte		k_len = ctx->k_len;
	u4byte	   *e_key = ctx->e_key;
	u4byte	   *d_key = ctx->d_key;

	/* undo the last round's key addition (unmixed, so taken from e_key) */
	b0[0] = io_swap(in_blk[0]) ^ e_key[4 * k_len + 24];
	b0[1] = io_swap(in_blk[1]) ^ e_key[4 * k_len + 25];
	b0[2] = io_swap(in_blk[2]) ^ e_key[4 * k_len + 26];
	b0[3] = io_swap(in_blk[3]) ^ e_key[4 * k_len + 27];

	/* point at the last inner round key of the decryption schedule */
	kp = d_key + 4 * (k_len + 5);

	/* 256-bit key: 14 rounds */
	if (k_len > 6)
	{
		i_nround(b1, b0, kp);
		i_nround(b0, b1, kp);
	}

	/* 192-bit key: 12 rounds */
	if (k_len > 4)
	{
		i_nround(b1, b0, kp);
		i_nround(b0, b1, kp);
	}

	/* nine full inverse rounds common to all key sizes ... */
	i_nround(b1, b0, kp);
	i_nround(b0, b1, kp);
	i_nround(b1, b0, kp);
	i_nround(b0, b1, kp);
	i_nround(b1, b0, kp);
	i_nround(b0, b1, kp);
	i_nround(b1, b0, kp);
	i_nround(b0, b1, kp);
	i_nround(b1, b0, kp);
	/* ... and the final round without InvMixColumns */
	i_lround(b0, b1, kp);

	out_blk[0] = io_swap(b0[0]);
	out_blk[1] = io_swap(b0[1]);
	out_blk[2] = io_swap(b0[2]);
	out_blk[3] = io_swap(b0[3]);
}
/*
 * conventional interface
 *
 * At the moment it hopes all data is 4-byte aligned - which
 * should be true for PX. -marko
 */
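/*
 * Byte-oriented wrapper around rijndael_set_key().
 *
 * key     - keybits/8 bytes of key material.
 * keybits - key length in bits (128, 192 or 256).
 * enc     - non-zero for an encryption-only schedule.
 *
 * The key is copied into a properly aligned word buffer before being
 * handed to rijndael_set_key(), so the caller's buffer need not be
 * 4-byte aligned and no const is cast away.  At most 32 bytes (a 256-bit
 * key) are read, whatever keybits says.
 */
void
aes_set_key(rijndael_ctx *ctx, const uint8 *key, unsigned keybits, int enc)
{
	uint32		k[8];
	unsigned	nbytes = (keybits + 7) / 8;

	/* never read past the largest supported key */
	if (nbytes > sizeof k)
		nbytes = sizeof k;

	/* zero-fill so words beyond the supplied key are defined */
	memset(k, 0, sizeof k);
	memcpy(k, key, nbytes);

	rijndael_set_key(ctx, k, keybits, enc);
}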
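/*
 * Encrypt len bytes in place in ECB mode.
 *
 * Only whole 16-byte blocks are processed; a trailing partial block is
 * left untouched, so the caller must pad.  Each block is moved through
 * an aligned word buffer, removing the original's requirement that data
 * be 4-byte aligned.
 */
void
aes_ecb_encrypt(rijndael_ctx *ctx, uint8 *data, unsigned len)
{
	unsigned	bs = 16;
	uint32		blk[4];

	while (len >= bs)
	{
		memcpy(blk, data, bs);
		rijndael_encrypt(ctx, blk, blk);
		memcpy(data, blk, bs);

		len -= bs;
		data += bs;
	}
}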
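/*
 * Decrypt len bytes in place in ECB mode.
 *
 * Only whole 16-byte blocks are processed; a trailing partial block is
 * left untouched.  Each block is moved through an aligned word buffer,
 * removing the original's requirement that data be 4-byte aligned.
 * ctx must have been set up with enc == 0 so the decryption schedule
 * exists.
 */
void
aes_ecb_decrypt(rijndael_ctx *ctx, uint8 *data, unsigned len)
{
	unsigned	bs = 16;
	uint32		blk[4];

	while (len >= bs)
	{
		memcpy(blk, data, bs);
		rijndael_decrypt(ctx, blk, blk);
		memcpy(data, blk, bs);

		len -= bs;
		data += bs;
	}
}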
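/*
 * Encrypt len bytes in place in CBC mode, starting from the 16-byte IV
 * in iva.
 *
 * Only whole blocks are processed; a trailing partial block is left
 * untouched.  iva itself is not updated with the final ciphertext block,
 * so a caller continuing a stream must track the last block itself.
 * Blocks and the IV are staged in aligned word buffers, so neither iva
 * nor data needs to be 4-byte aligned.
 */
void
aes_cbc_encrypt(rijndael_ctx *ctx, uint8 *iva, uint8 *data, unsigned len)
{
	unsigned	bs = 16;
	uint32		iv[4],
				blk[4];

	memcpy(iv, iva, bs);

	while (len >= bs)
	{
		memcpy(blk, data, bs);

		/* chain: plaintext XOR previous ciphertext (or the IV) */
		blk[0] ^= iv[0];
		blk[1] ^= iv[1];
		blk[2] ^= iv[2];
		blk[3] ^= iv[3];

		rijndael_encrypt(ctx, blk, blk);
		memcpy(data, blk, bs);

		/* this ciphertext block is the IV for the next one */
		memcpy(iv, blk, bs);

		data += bs;
		len -= bs;
	}
}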
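/*
 * Decrypt len bytes in place in CBC mode, starting from the 16-byte IV
 * in iva.
 *
 * Only whole blocks are processed; a trailing partial block is left
 * untouched.  iva is not updated.  The ciphertext of each block is kept
 * in buf to serve as the IV for the next block.  Blocks are staged in
 * aligned word buffers, so data need not be 4-byte aligned.  ctx must
 * have been set up with enc == 0.
 */
void
aes_cbc_decrypt(rijndael_ctx *ctx, uint8 *iva, uint8 *data, unsigned len)
{
	unsigned	bs = 16;
	uint32		buf[4],
				iv[4],
				blk[4];

	memcpy(iv, iva, bs);

	while (len >= bs)
	{
		/* keep the ciphertext: it becomes the next IV */
		memcpy(buf, data, bs);

		rijndael_decrypt(ctx, buf, blk);

		blk[0] ^= iv[0];
		blk[1] ^= iv[1];
		blk[2] ^= iv[2];
		blk[3] ^= iv[3];

		memcpy(data, blk, bs);
		memcpy(iv, buf, bs);

		data += bs;
		len -= bs;
	}
}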
/*
 * pre-calculate tables.
 *
 * On i386 lifts 17k from .bss to .rodata
 * and avoids 1k code and setup time.
 * -marko
 */
#ifdef PRINT_TABS
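/*
 * Dump a 256-entry byte table as a C initializer named `name`
 * (used with PRINT_TABS to regenerate rijndael.tbl).
 *
 * The original printed pow_tab[] regardless of the data argument, so
 * every table came out as pow_tab; print the table actually passed in.
 */
static void
show256u8(char *name, uint8 *data)
{
	int			i;

	printf("static const u1byte %s[256] = {\n ", name);
	for (i = 0; i < 256;)
	{
		printf("%u", data[i++]);
		/* 16 values per line */
		if (i < 256)
			printf(i % 16 ? ", " : ",\n ");
	}
	printf("\n};\n\n");
}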
/*
 * Dump a [4][256] word table as a C initializer named `name`, four
 * values per line, one brace group per row (used with PRINT_TABS to
 * regenerate rijndael.tbl).
 */
static void
show4x256u32(char *name, uint32 data[4][256])
{
	int			row,
				col;

	printf("static const u4byte %s[4][256] = {\n{\n ", name);
	for (row = 0; row < 4; row++)
	{
		for (col = 0; col < 256; col++)
		{
			printf("0x%08x", data[row][col]);
			/* separator after every value but the last in the row */
			if (col + 1 < 256)
				printf((col + 1) % 4 ? ", " : ",\n ");
		}
		/* close this row; open the next unless it was the last */
		printf(row < 3 ? "\n}, {\n " : "\n}\n");
	}
	printf("};\n\n");
}
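/*
 * Table generator, compiled only with PRINT_TABS: computes the tables
 * with gen_tabs() and prints them as C initializers (the contents of
 * rijndael.tbl) on stdout.
 */
int
main(void)
{
	int			i;
	const char *hdr = "/* Generated by rijndael.c */\n\n";

	gen_tabs();

	/* hdr is data, not a format string */
	printf("%s", hdr);
	show256u8("pow_tab", pow_tab);
	show256u8("log_tab", log_tab);
	show256u8("sbx_tab", sbx_tab);
	show256u8("isb_tab", isb_tab);

	show4x256u32("ft_tab", ft_tab);
	show4x256u32("it_tab", it_tab);
#ifdef LARGE_TABLES
	show4x256u32("fl_tab", fl_tab);
	show4x256u32("il_tab", il_tab);
#endif
	printf("static const u4byte rco_tab[10] = {\n ");
	for (i = 0; i < 10; i++)
	{
		printf("0x%08x", rco_tab[i]);
		if (i < 9)
			printf(", ");
		/* split the ten constants over two lines */
		if (i == 4)
			printf("\n ");
	}
	printf("\n};\n\n");
	return 0;
}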
#endif