/* $FreeBSD: src/sys/crypto/rijndael/rijndael-alg-fst.c,v 1.3.2.1 2001/07/03 11:01:35 ume Exp $ */
/* $DragonFly: src/sys/crypto/rijndael/rijndael-alg-fst.c,v 1.2 2003/06/17 04:28:20 dillon Exp $ */
/* $KAME: rijndael-alg-fst.c,v 1.7 2001/05/27 00:23:23 itojun Exp $ */

/*
 * rijndael-alg-fst.c v2.3 April '2000
 *
 * Optimised ANSI C code
 *
 * authors: v1.0: Antoon Bosselaers
 *          v2.0: Vincent Rijmen
 *          v2.3: Paulo Barreto
 *
 * This code is placed in the public domain.
 *
 * Implementation notes (review):
 *  - The cipher state and the round keys are handled as 4-byte columns
 *    and XORed four bytes at a time through (word32*) casts of word8
 *    arrays.  XOR is byte-wise, so the result does not depend on host
 *    byte order, but the casts are type punning: the local unions below
 *    give the local byte arrays word32 alignment, while the alignment of
 *    the caller-supplied k/W/rk arrays is the caller's business.
 *    NOTE(review): confirm the build disables strict-aliasing
 *    optimisations (or otherwise guarantees these accesses).
 *  - None of these routines validates ROUNDS (or, in the KAT helpers,
 *    rounds).  rk[ROUNDS] is indexed directly, so a ROUNDS value above
 *    MAXROUNDS reads or writes past the round-key array; the API layer
 *    is expected to derive ROUNDS from an already validated key length.
 *  - Every function returns 0 unconditionally; the return value carries
 *    no error information.
 */

#include <sys/cdefs.h>
#include <sys/types.h>
#ifdef _KERNEL
#include <sys/systm.h>
#else
#include <string.h>
#endif
#include <crypto/rijndael/rijndael-alg-fst.h>
#include <crypto/rijndael/rijndael_local.h>

#include <crypto/rijndael/boxes-fst.dat>

/*
 * rijndaelKeySched -- expand the cipher key k into the round-key array W.
 *
 * k:       the key as KC columns of 4 bytes, where KC = ROUNDS - 6 is the
 *          key length in 32-bit words (4, 6 or 8 for 128-, 192- or
 *          256-bit keys).
 * W:       receives ROUNDS + 1 round keys, each 4 columns of 4 bytes.
 * ROUNDS:  number of rounds; not validated.  KC above MAXKC would read
 *          k[] and write tk[] out of bounds, ROUNDS above MAXROUNDS would
 *          write past W[], and ROUNDS <= 6 (KC <= 0) copies nothing into
 *          W so the while loop below never terminates.
 * Returns 0 unconditionally.
 */
int rijndaelKeySched(word8 k[MAXKC][4], word8 W[MAXROUNDS+1][4][4], int ROUNDS) {
	/* Calculate the necessary round keys
	 * The number of calculations depends on keyBits and blockBits
	 */
	int j, r, t, rconpointer = 0;
	/* x32 is never referenced; presumably it is there to give the
	 * byte array word32 alignment for the casts below. */
	union {
		word8 x8[MAXKC][4];
		word32 x32[MAXKC];
	} xtk;
#define tk xtk.x8
	int KC = ROUNDS - 6;	/* key length in 32-bit words (Nk) */

	/* working copy of the key, one 4-byte word at a time */
	for (j = KC-1; j >= 0; j--) {
		*((word32*)tk[j]) = *((word32*)k[j]);
	}
	r = 0;
	t = 0;
	/* copy values into round key array */
	/* j walks the KC words of tk, t the column inside round key r; a
	 * round key is complete when t reaches 4.  t is deliberately not
	 * reset between passes so a partially filled round key carries
	 * over to the next batch of words (e.g. KC = 6 yields one and a
	 * half round keys per pass). */
	for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
		for (; (j < KC) && (t < 4); j++, t++) {
			*((word32*)W[r][t]) = *((word32*)tk[j]);
		}
		if (t == 4) {
			r++;
			t = 0;
		}
	}

	while (r < ROUNDS + 1) { /* while not enough round key material calculated */
		/* calculate new values */
		/* first word: rotate the last word, substitute through S,
		 * then add the round constant.  One rcon entry is consumed
		 * per pass; NOTE(review): the rcon table size is defined in
		 * boxes-fst.dat -- confirm it covers the largest pass count. */
		tk[0][0] ^= S[tk[KC-1][1]];
		tk[0][1] ^= S[tk[KC-1][2]];
		tk[0][2] ^= S[tk[KC-1][3]];
		tk[0][3] ^= S[tk[KC-1][0]];
		tk[0][0] ^= rcon[rconpointer++];

		if (KC != 8) {
			/* remaining words: each is the XOR of its predecessor */
			for (j = 1; j < KC; j++) {
				*((word32*)tk[j]) ^= *((word32*)tk[j-1]);
			}
		} else {
			/* 256-bit keys: the middle word gets an extra
			 * S-box substitution (no rotation, no rcon). */
			for (j = 1; j < KC/2; j++) {
				*((word32*)tk[j]) ^= *((word32*)tk[j-1]);
			}
			tk[KC/2][0] ^= S[tk[KC/2 - 1][0]];
			tk[KC/2][1] ^= S[tk[KC/2 - 1][1]];
			tk[KC/2][2] ^= S[tk[KC/2 - 1][2]];
			tk[KC/2][3] ^= S[tk[KC/2 - 1][3]];
			for (j = KC/2 + 1; j < KC; j++) {
				*((word32*)tk[j]) ^= *((word32*)tk[j-1]);
			}
		}
		/* copy values into round key array */
		/* same fill logic as above; t carries over from the last pass */
		for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
			for (; (j < KC) && (t < 4); j++, t++) {
				*((word32*)W[r][t]) = *((word32*)tk[j]);
			}
			if (t == 4) {
				r++;
				t = 0;
			}
		}
	}
	return 0;
#undef tk
}

/*
 * rijndaelKeyEncToDec -- transform an encryption key schedule in place
 * for use by the decryption path.
 *
 * Each column of round keys 1 .. ROUNDS-1 is replaced by
 * U1[b0] ^ U2[b1] ^ U3[b2] ^ U4[b3]; W[0] and W[ROUNDS] are untouched.
 * NOTE(review): U1..U4 presumably hold InvMixColumn (boxes-fst.dat), which
 * is what rijndaelDecrypt's T5..T8 path needs -- confirm against the API
 * layer that this is applied exactly once before decrypting.
 *
 * W:       round keys from rijndaelKeySched(), modified in place.
 * ROUNDS:  number of rounds; not validated (must match the schedule).
 * Returns 0 unconditionally.
 */
int rijndaelKeyEncToDec(word8 W[MAXROUNDS+1][4][4], int ROUNDS) {
	int r;
	word8 *w;

	for (r = 1; r < ROUNDS; r++) {
		/* the four bytes of w are all read on the right-hand side
		 * before the combined word is stored back through w */
		w = W[r][0];
		*((word32*)w) =
			  *((const word32*)U1[w[0]])
			^ *((const word32*)U2[w[1]])
			^ *((const word32*)U3[w[2]])
			^ *((const word32*)U4[w[3]]);

		w = W[r][1];
		*((word32*)w) =
			  *((const word32*)U1[w[0]])
			^ *((const word32*)U2[w[1]])
			^ *((const word32*)U3[w[2]])
			^ *((const word32*)U4[w[3]]);

		w = W[r][2];
		*((word32*)w) =
			  *((const word32*)U1[w[0]])
			^ *((const word32*)U2[w[1]])
			^ *((const word32*)U3[w[2]])
			^ *((const word32*)U4[w[3]]);

		w = W[r][3];
		*((word32*)w) =
			  *((const word32*)U1[w[0]])
			^ *((const word32*)U2[w[1]])
			^ *((const word32*)U3[w[2]])
			^ *((const word32*)U4[w[3]]);
	}
	return 0;
}

/**
 * Encrypt a single block.
 *
 * in:      16-byte plaintext block.  It is copied into a local buffer
 *          before anything is written, so in and out may be the same
 *          buffer.
 * out:     receives the 16-byte ciphertext.
 * rk:      round keys from rijndaelKeySched(); rk[0] .. rk[ROUNDS] are
 *          read, so ROUNDS above MAXROUNDS reads past the array.
 * ROUNDS:  number of rounds; not validated.
 * Returns 0 unconditionally.
 *
 * The state is kept as 4 columns of 4 bytes (temp[column][row]).  The
 * T1..T4 lookups presumably fold SubBytes and MixColumns together
 * (boxes-fst.dat); the index pattern temp[(column + row) & 3][row]
 * is ShiftRows.
 */
int rijndaelEncrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) {
	int r;
	/* the x32 members are never referenced; presumably they force
	 * word32 alignment of the byte arrays accessed via casts below */
	union {
		word8 x8[16];
		word32 x32[4];
	} xa, xb;
#define a xa.x8
#define b xb.x8
	union {
		word8 x8[4][4];
		word32 x32[4];
	} xtemp;
#define temp xtemp.x8

	memcpy(a, in, sizeof a);	/* sizeof a == 16; local copy of the input */

	/* round 0: add the first round key */
	*((word32*)temp[0]) = *((word32*)(a   )) ^ *((word32*)rk[0][0]);
	*((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[0][1]);
	*((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[0][2]);
	*((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[0][3]);
	/* round 1 (everything but the key addition) */
	*((word32*)(b    )) = *((const word32*)T1[temp[0][0]])
						^ *((const word32*)T2[temp[1][1]])
						^ *((const word32*)T3[temp[2][2]])
						^ *((const word32*)T4[temp[3][3]]);
	*((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]])
						^ *((const word32*)T2[temp[2][1]])
						^ *((const word32*)T3[temp[3][2]])
						^ *((const word32*)T4[temp[0][3]]);
	*((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]])
						^ *((const word32*)T2[temp[3][1]])
						^ *((const word32*)T3[temp[0][2]])
						^ *((const word32*)T4[temp[1][3]]);
	*((word32*)(b +12)) = *((const word32*)T1[temp[3][0]])
						^ *((const word32*)T2[temp[0][1]])
						^ *((const word32*)T3[temp[1][2]])
						^ *((const word32*)T4[temp[2][3]]);
	/* middle rounds: add rk[r] for r = 1 .. ROUNDS-2, then the
	 * table round, leaving the state in b */
	for (r = 1; r < ROUNDS-1; r++) {
		*((word32*)temp[0]) = *((word32*)(b   )) ^ *((word32*)rk[r][0]);
		*((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]);
		*((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]);
		*((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]);

		*((word32*)(b    )) = *((const word32*)T1[temp[0][0]])
							^ *((const word32*)T2[temp[1][1]])
							^ *((const word32*)T3[temp[2][2]])
							^ *((const word32*)T4[temp[3][3]]);
		*((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]])
							^ *((const word32*)T2[temp[2][1]])
							^ *((const word32*)T3[temp[3][2]])
							^ *((const word32*)T4[temp[0][3]]);
		*((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]])
							^ *((const word32*)T2[temp[3][1]])
							^ *((const word32*)T3[temp[0][2]])
							^ *((const word32*)T4[temp[1][3]]);
		*((word32*)(b +12)) = *((const word32*)T1[temp[3][0]])
							^ *((const word32*)T2[temp[0][1]])
							^ *((const word32*)T3[temp[1][2]])
							^ *((const word32*)T4[temp[2][3]]);
	}
	/* last round is special */
	/* add rk[ROUNDS-1]; the final round has no MixColumns, so a single
	 * byte of each T1 entry is used as the substituted value.
	 * NOTE(review): this relies on byte 1 of every T1 entry being the
	 * plain S-box output -- confirm against boxes-fst.dat. */
	*((word32*)temp[0]) = *((word32*)(b   )) ^ *((word32*)rk[ROUNDS-1][0]);
	*((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[ROUNDS-1][1]);
	*((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[ROUNDS-1][2]);
	*((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[ROUNDS-1][3]);
	b[ 0] = T1[temp[0][0]][1];
	b[ 1] = T1[temp[1][1]][1];
	b[ 2] = T1[temp[2][2]][1];
	b[ 3] = T1[temp[3][3]][1];
	b[ 4] = T1[temp[1][0]][1];
	b[ 5] = T1[temp[2][1]][1];
	b[ 6] = T1[temp[3][2]][1];
	b[ 7] = T1[temp[0][3]][1];
	b[ 8] = T1[temp[2][0]][1];
	b[ 9] = T1[temp[3][1]][1];
	b[10] = T1[temp[0][2]][1];
	b[11] = T1[temp[1][3]][1];
	b[12] = T1[temp[3][0]][1];
	b[13] = T1[temp[0][1]][1];
	b[14] = T1[temp[1][2]][1];
	b[15] = T1[temp[2][3]][1];
	/* final key addition with rk[ROUNDS] */
	*((word32*)(b   )) ^= *((word32*)rk[ROUNDS][0]);
	*((word32*)(b+ 4)) ^= *((word32*)rk[ROUNDS][1]);
	*((word32*)(b+ 8)) ^= *((word32*)rk[ROUNDS][2]);
	*((word32*)(b+12)) ^= *((word32*)rk[ROUNDS][3]);

	/* sizeof b is 16; `sizeof out` would be the size of a pointer
	 * because the array parameter decays -- hence the XXX below */
	memcpy(out, b, sizeof b /* XXX out */);

	return 0;
#undef a
#undef b
#undef temp
}

#ifdef INTERMEDIATE_VALUE_KAT
/**
 * Encrypt only a certain number of rounds.
 * Only used in the Intermediate Value Known Answer Test.
 *
 * a:       16-byte state as 4 columns of 4 bytes, updated in place.
 * rk:      round keys; rk[0] .. rk[min(rounds, ROUNDS)] are read.
 * ROUNDS:  total number of rounds for this key size; not validated.
 * rounds:  number of rounds to run.  Values above ROUNDS are clamped to
 *          ROUNDS; there is no lower clamp, so a negative value leaves
 *          the state after the initial key addition only.
 * Returns 0 unconditionally.
 */
int rijndaelEncryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) {
	int r;
	word8 temp[4][4];

	/* make number of rounds sane */
	if (rounds > ROUNDS) {
		rounds = ROUNDS;
	}

	/* round 0: initial key addition */
	*((word32*)a[0]) = *((word32*)a[0]) ^ *((word32*)rk[0][0]);
	*((word32*)a[1]) = *((word32*)a[1]) ^ *((word32*)rk[0][1]);
	*((word32*)a[2]) = *((word32*)a[2]) ^ *((word32*)rk[0][2]);
	*((word32*)a[3]) = *((word32*)a[3]) ^ *((word32*)rk[0][3]);

	/* full rounds 1 .. min(rounds, ROUNDS-1), same table pattern as
	 * rijndaelEncrypt.  Note the tables are cast to non-const word32*
	 * here, unlike the const casts in rijndaelEncrypt; harmless for
	 * reads but inconsistent. */
	for (r = 1; (r <= rounds) && (r < ROUNDS); r++) {
		*((word32*)temp[0]) = *((word32*)T1[a[0][0]])
						^ *((word32*)T2[a[1][1]])
						^ *((word32*)T3[a[2][2]])
						^ *((word32*)T4[a[3][3]]);
		*((word32*)temp[1]) = *((word32*)T1[a[1][0]])
						^ *((word32*)T2[a[2][1]])
						^ *((word32*)T3[a[3][2]])
						^ *((word32*)T4[a[0][3]]);
		*((word32*)temp[2]) = *((word32*)T1[a[2][0]])
						^ *((word32*)T2[a[3][1]])
						^ *((word32*)T3[a[0][2]])
						^ *((word32*)T4[a[1][3]]);
		*((word32*)temp[3]) = *((word32*)T1[a[3][0]])
						^ *((word32*)T2[a[0][1]])
						^ *((word32*)T3[a[1][2]])
						^ *((word32*)T4[a[2][3]]);
		*((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[r][0]);
		*((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[r][1]);
		*((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[r][2]);
		*((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[r][3]);
	}
	if (rounds == ROUNDS) {
		/* last round is special */
		/* no MixColumns: byte 1 of each T1 entry as the substituted
		 * value (same assumption as in rijndaelEncrypt), then rk[ROUNDS] */
		temp[0][0] = T1[a[0][0]][1];
		temp[0][1] = T1[a[1][1]][1];
		temp[0][2] = T1[a[2][2]][1];
		temp[0][3] = T1[a[3][3]][1];
		temp[1][0] = T1[a[1][0]][1];
		temp[1][1] = T1[a[2][1]][1];
		temp[1][2] = T1[a[3][2]][1];
		temp[1][3] = T1[a[0][3]][1];
		temp[2][0] = T1[a[2][0]][1];
		temp[2][1] = T1[a[3][1]][1];
		temp[2][2] = T1[a[0][2]][1];
		temp[2][3] = T1[a[1][3]][1];
		temp[3][0] = T1[a[3][0]][1];
		temp[3][1] = T1[a[0][1]][1];
		temp[3][2] = T1[a[1][2]][1];
		temp[3][3] = T1[a[2][3]][1];
		*((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[ROUNDS][0]);
		*((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[ROUNDS][1]);
		*((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[ROUNDS][2]);
		*((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[ROUNDS][3]);
	}

	return 0;
}
#endif /* INTERMEDIATE_VALUE_KAT */

/**
 * Decrypt a single block.
 *
 * in:      16-byte ciphertext block.  It is copied into a local buffer
 *          before anything is written, so in and out may be the same
 *          buffer.
 * out:     receives the 16-byte plaintext.
 * rk:      round keys rk[ROUNDS] down to rk[0], consumed in reverse
 *          order.  NOTE(review): the T5..T8 path presumably expects the
 *          schedule to have been run through rijndaelKeyEncToDec()
 *          first -- confirm against the API layer.
 * ROUNDS:  number of rounds; not validated (rk[ROUNDS] is indexed).
 * Returns 0 unconditionally.
 *
 * Mirror image of rijndaelEncrypt: the index pattern
 * temp[(column - row) & 3][row] is the inverse ShiftRows, and the
 * T5..T8 / S5 tables presumably hold the inverse transformations.
 */
int rijndaelDecrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) {
	int r;
	/* x32 members are never referenced; presumably present for alignment */
	union {
		word8 x8[16];
		word32 x32[4];
	} xa, xb;
#define a xa.x8
#define b xb.x8
	union {
		word8 x8[4][4];
		word32 x32[4];
	} xtemp;
#define temp xtemp.x8

	memcpy(a, in, sizeof a);	/* sizeof a == 16; local copy of the input */

	/* undo the final key addition (rk[ROUNDS]) */
	*((word32*)temp[0]) = *((word32*)(a   )) ^ *((word32*)rk[ROUNDS][0]);
	*((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[ROUNDS][1]);
	*((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[ROUNDS][2]);
	*((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[ROUNDS][3]);

	/* first inverse round */
	*((word32*)(b   )) = *((const word32*)T5[temp[0][0]])
						^ *((const word32*)T6[temp[3][1]])
						^ *((const word32*)T7[temp[2][2]])
						^ *((const word32*)T8[temp[1][3]]);
	*((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]])
						^ *((const word32*)T6[temp[0][1]])
						^ *((const word32*)T7[temp[3][2]])
						^ *((const word32*)T8[temp[2][3]]);
	*((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]])
						^ *((const word32*)T6[temp[1][1]])
						^ *((const word32*)T7[temp[0][2]])
						^ *((const word32*)T8[temp[3][3]]);
	*((word32*)(b+12)) = *((const word32*)T5[temp[3][0]])
						^ *((const word32*)T6[temp[2][1]])
						^ *((const word32*)T7[temp[1][2]])
						^ *((const word32*)T8[temp[0][3]]);
	/* middle rounds: rk[ROUNDS-1] down to rk[2] */
	for (r = ROUNDS-1; r > 1; r--) {
		*((word32*)temp[0]) = *((word32*)(b   )) ^ *((word32*)rk[r][0]);
		*((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]);
		*((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]);
		*((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]);
		*((word32*)(b   )) = *((const word32*)T5[temp[0][0]])
							^ *((const word32*)T6[temp[3][1]])
							^ *((const word32*)T7[temp[2][2]])
							^ *((const word32*)T8[temp[1][3]]);
		*((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]])
							^ *((const word32*)T6[temp[0][1]])
							^ *((const word32*)T7[temp[3][2]])
							^ *((const word32*)T8[temp[2][3]]);
		*((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]])
							^ *((const word32*)T6[temp[1][1]])
							^ *((const word32*)T7[temp[0][2]])
							^ *((const word32*)T8[temp[3][3]]);
		*((word32*)(b+12)) = *((const word32*)T5[temp[3][0]])
							^ *((const word32*)T6[temp[2][1]])
							^ *((const word32*)T7[temp[1][2]])
							^ *((const word32*)T8[temp[0][3]]);
	}
	/* last round is special */
	/* add rk[1], then a plain byte substitution through S5
	 * (presumably the inverse S-box) with inverse ShiftRows,
	 * then the initial round key rk[0] */
	*((word32*)temp[0]) = *((word32*)(b   )) ^ *((word32*)rk[1][0]);
	*((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[1][1]);
	*((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[1][2]);
	*((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[1][3]);
	b[ 0] = S5[temp[0][0]];
	b[ 1] = S5[temp[3][1]];
	b[ 2] = S5[temp[2][2]];
	b[ 3] = S5[temp[1][3]];
	b[ 4] = S5[temp[1][0]];
	b[ 5] = S5[temp[0][1]];
	b[ 6] = S5[temp[3][2]];
	b[ 7] = S5[temp[2][3]];
	b[ 8] = S5[temp[2][0]];
	b[ 9] = S5[temp[1][1]];
	b[10] = S5[temp[0][2]];
	b[11] = S5[temp[3][3]];
	b[12] = S5[temp[3][0]];
	b[13] = S5[temp[2][1]];
	b[14] = S5[temp[1][2]];
	b[15] = S5[temp[0][3]];
	*((word32*)(b   )) ^= *((word32*)rk[0][0]);
	*((word32*)(b+ 4)) ^= *((word32*)rk[0][1]);
	*((word32*)(b+ 8)) ^= *((word32*)rk[0][2]);
	*((word32*)(b+12)) ^= *((word32*)rk[0][3]);

	/* sizeof b is 16; `sizeof out` would be a pointer size (the array
	 * parameter decays) -- hence the XXX */
	memcpy(out, b, sizeof b /* XXX out */);

	return 0;
#undef a
#undef b
#undef temp
}


#ifdef INTERMEDIATE_VALUE_KAT
/**
 * Decrypt only a certain number of rounds.
 * Only used in the Intermediate Value Known Answer Test.
 * Operations rearranged such that the intermediate values
 * of decryption correspond with the intermediate values
 * of encryption.
 *
 * a:       16-byte state as 4 columns of 4 bytes, updated in place.
 * rk:      round keys; rk[ROUNDS] down to rk[rounds + 1] are read, plus
 *          rk[0] when rounds == 0.  Uses the Si and U1..U4 tables
 *          rather than the T5..T8 tables of rijndaelDecrypt.
 * ROUNDS:  total number of rounds; not validated.
 * rounds:  the encryption round whose intermediate state to stop at;
 *          the main loop undoes rounds ROUNDS-1 down to rounds + 1, and
 *          rounds == 0 also undoes the initial key addition.  Values
 *          above ROUNDS are clamped.  NOTE(review): there is no lower
 *          clamp, and the loop runs while r > rounds, so a negative
 *          value indexes rk[] with a negative r (out-of-bounds read);
 *          `if (rounds < 0) rounds = 0;` next to the existing clamp
 *          would close this.
 * Returns 0 unconditionally.
 */
int rijndaelDecryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) {
	int r, i;
	word8 temp[4], shift;

	/* make number of rounds sane */
	if (rounds > ROUNDS) {
		rounds = ROUNDS;
	}
	/* first round is special: */
	/* undo the final key addition, then substitute every byte
	 * through Si (presumably the inverse S-box) */
	*(word32 *)a[0] ^= *(word32 *)rk[ROUNDS][0];
	*(word32 *)a[1] ^= *(word32 *)rk[ROUNDS][1];
	*(word32 *)a[2] ^= *(word32 *)rk[ROUNDS][2];
	*(word32 *)a[3] ^= *(word32 *)rk[ROUNDS][3];
	for (i = 0; i < 4; i++) {
		a[i][0] = Si[a[i][0]];
		a[i][1] = Si[a[i][1]];
		a[i][2] = Si[a[i][2]];
		a[i][3] = Si[a[i][3]];
	}
	/* inverse ShiftRows: row i (second index) is rotated by 4 - i
	 * columns, undoing the (column + row) & 3 offset used on the
	 * encryption side; row 0 is left alone */
	for (i = 1; i < 4; i++) {
		shift = (4 - i) & 3;
		temp[0] = a[(0 + shift) & 3][i];
		temp[1] = a[(1 + shift) & 3][i];
		temp[2] = a[(2 + shift) & 3][i];
		temp[3] = a[(3 + shift) & 3][i];
		a[0][i] = temp[0];
		a[1][i] = temp[1];
		a[2][i] = temp[2];
		a[3][i] = temp[3];
	}
	/* ROUNDS-1 ordinary rounds */
	/* each pass: add rk[r], InvMixColumn via U1..U4 (presumably, see
	 * boxes-fst.dat), then the same Si substitution and inverse
	 * ShiftRows as above */
	for (r = ROUNDS-1; r > rounds; r--) {
		*(word32 *)a[0] ^= *(word32 *)rk[r][0];
		*(word32 *)a[1] ^= *(word32 *)rk[r][1];
		*(word32 *)a[2] ^= *(word32 *)rk[r][2];
		*(word32 *)a[3] ^= *(word32 *)rk[r][3];

		*((word32*)a[0]) =
			  *((word32*)U1[a[0][0]])
			^ *((word32*)U2[a[0][1]])
			^ *((word32*)U3[a[0][2]])
			^ *((word32*)U4[a[0][3]]);

		*((word32*)a[1]) =
			  *((word32*)U1[a[1][0]])
			^ *((word32*)U2[a[1][1]])
			^ *((word32*)U3[a[1][2]])
			^ *((word32*)U4[a[1][3]]);

		*((word32*)a[2]) =
			  *((word32*)U1[a[2][0]])
			^ *((word32*)U2[a[2][1]])
			^ *((word32*)U3[a[2][2]])
			^ *((word32*)U4[a[2][3]]);

		*((word32*)a[3]) =
			  *((word32*)U1[a[3][0]])
			^ *((word32*)U2[a[3][1]])
			^ *((word32*)U3[a[3][2]])
			^ *((word32*)U4[a[3][3]]);
		for (i = 0; i < 4; i++) {
			a[i][0] = Si[a[i][0]];
			a[i][1] = Si[a[i][1]];
			a[i][2] = Si[a[i][2]];
			a[i][3] = Si[a[i][3]];
		}
		for (i = 1; i < 4; i++) {
			shift = (4 - i) & 3;
			temp[0] = a[(0 + shift) & 3][i];
			temp[1] = a[(1 + shift) & 3][i];
			temp[2] = a[(2 + shift) & 3][i];
			temp[3] = a[(3 + shift) & 3][i];
			a[0][i] = temp[0];
			a[1][i] = temp[1];
			a[2][i] = temp[2];
			a[3][i] = temp[3];
		}
	}
	if (rounds == 0) {
		/* End with the extra key addition */
		*(word32 *)a[0] ^= *(word32 *)rk[0][0];
		*(word32 *)a[1] ^= *(word32 *)rk[0][1];
		*(word32 *)a[2] ^= *(word32 *)rk[0][2];
		*(word32 *)a[3] ^= *(word32 *)rk[0][3];
	}
	return 0;
}
#endif /* INTERMEDIATE_VALUE_KAT */