1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved.
4 
5 The redistribution and use of this software (with or without changes)
6 is allowed without the payment of fees or royalties provided that:
7 
8   source code distributions include the above copyright notice, this
9   list of conditions and the following disclaimer;
10 
11   binary distributions include the above copyright notice, this list
12   of conditions and the following disclaimer in their documentation.
13 
14 This software is provided 'as is' with no explicit or implied warranties
15 in respect of its operation, including, but not limited to, correctness
16 and fitness for purpose.
17 ---------------------------------------------------------------------------
18 Issue Date: 20/12/2007
19 */
20 
21 #define DO_TABLES
22 
23 #include "aes.h"
24 #include "aesopt.h"
25 
26 #if defined(FIXED_TABLES)
27 
/*  sb_data(w): the forward S-box as a 256-entry initialiser, indexed by the
    input byte.  w() wraps every entry so the same data can build a byte
    table or word tables (see w0..w3 / u0..u3 below).  Entry i is the value
    the dynamic path in aes_init() computes as fwd_affine(gf_inv(i)).
*/
#define sb_data(w) {\
    w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
    w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
    w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
    w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
    w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
    w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
    w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
    w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
    w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
    w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
    w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
    w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
    w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
    w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
    w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
    w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
    w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
    w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
    w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
    w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
    w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
    w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
    w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
    w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
    w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
    w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
    w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
    w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
    w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
    w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
    w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
    w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
61 
/*  isb_data(w): the inverse S-box, i.e. isb[sb[i]] == i for every byte
    (for instance entry 0x63 is 0x00 and entry 0x7c is 0x01).  The dynamic
    path in aes_init() fills the same table as gf_inv(inv_affine(i)).
*/
#define isb_data(w) {\
    w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
    w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
    w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
    w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
    w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
    w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
    w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
    w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
    w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
    w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
    w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
    w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
    w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
    w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
    w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
    w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
    w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
    w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
    w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
    w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
    w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
    w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
    w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
    w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
    w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
    w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
    w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
    w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
    w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
    w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
    w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
    w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
95 
/*  mm_data(w): the identity table - entry i is simply i.  Wrapping every
    byte value with w() lets the mix-column style word tables (u0..u3 and
    v0..v3 below) be generated from a plain 0..255 sequence.
*/
#define mm_data(w) {\
    w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
    w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
    w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
    w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
    w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
    w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
    w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
    w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
    w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
    w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
    w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
    w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
    w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
    w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
    w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
    w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
    w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
    w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
    w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
    w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
    w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
    w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
    w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
    w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
    w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
    w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
    w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
    w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
    w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
    w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
    w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
    w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
129 
/*  rc_data(w): the ten key-schedule round constants.  Each entry is f2()
    (doubling in the field) of the previous one, which is exactly how the
    dynamic path in aes_init() generates t_set(r,c) from w = 1.
*/
#define rc_data(w) {\
    w(0x01), w(0x02), w(0x04), w(0x08), w(0x10),w(0x20), w(0x40), w(0x80),\
    w(0x1b), w(0x36) }
133 
/*  Wrappers handed to the *_data() initialisers above.
    h0     - leaves a byte as it is (byte-sized tables).
    w0..w3 - put one byte into one of the four byte slots of a word, in the
             order bytes2word() defines them.
    u0..u3 - the forward round-table column (f2(p), p, p, f3(p)) and its three
             byte rotations; aes_init() builds the same column at run time.
    v0..v3 - the inverse round-table column (fe(p), f9(p), fd(p), fb(p)) and
             its rotations, again mirroring aes_init().
*/

#define h0(x)   (x)

#define w0(p)   bytes2word(p, 0, 0, 0)
#define w1(p)   bytes2word(0, p, 0, 0)
#define w2(p)   bytes2word(0, 0, p, 0)
#define w3(p)   bytes2word(0, 0, 0, p)

#define u0(p)   bytes2word(f2(p), p, p, f3(p))
#define u1(p)   bytes2word(f3(p), f2(p), p, p)
#define u2(p)   bytes2word(p, f3(p), f2(p), p)
#define u3(p)   bytes2word(p, p, f3(p), f2(p))

#define v0(p)   bytes2word(fe(p), f9(p), fd(p), fb(p))
#define v1(p)   bytes2word(fb(p), fe(p), f9(p), fd(p))
#define v2(p)   bytes2word(fd(p), fb(p), fe(p), f9(p))
#define v3(p)   bytes2word(f9(p), fd(p), fb(p), fe(p))
150 
151 #endif
152 
153 #if defined(FIXED_TABLES) || !defined(FF_TABLES)
154 
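/*  Multiplication of a field element x (expected in 0..255) by the small
    constants 2, 4, 8, 3, 9, 0xb, 0xd and 0xe, done with shifts and a
    conditional reduction by WPOLY, the field polynomial defined in the
    headers included above.  f2/f4/f8 fold each bit that overflows bit 7
    back in via WPOLY; the others are XOR combinations of those.
    The argument is evaluated several times, so pass only side-effect-free
    expressions.  Every use of x is parenthesised, so compound arguments
    such as f2(a + b) now group correctly.
*/
#define f2(x)   (((x)<<1) ^ ((((x)>>7) & 1) * WPOLY))
#define f4(x)   (((x)<<2) ^ ((((x)>>6) & 1) * WPOLY) ^ ((((x)>>6) & 2) * WPOLY))
#define f8(x)   (((x)<<3) ^ ((((x)>>5) & 1) * WPOLY) ^ ((((x)>>5) & 2) * WPOLY) \
                          ^ ((((x)>>5) & 4) * WPOLY))
#define f3(x)   (f2(x) ^ (x))
#define f9(x)   (f8(x) ^ (x))
#define fb(x)   (f8(x) ^ f2(x) ^ (x))
#define fd(x)   (f8(x) ^ f4(x) ^ (x))
#define fe(x)   (f8(x) ^ f4(x) ^ f2(x))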
164 
165 #else
166 
/*  Table-driven versions of the same multiplies, selected when FF_TABLES
    is defined and the fixed tables are not.  pow[] and log[] are the
    GF(2^8) exponent and logarithm arrays (generator 0x03) that aes_init()
    below builds as locals before using these macros; the constant added to
    log[x] is the logarithm of the multiplier (log[3] == 1, log[2] == 0x19).
    0 has no logarithm and is mapped to 0 explicitly.
*/
#define f2(x) ((x) ? pow[log[x] + 0x19] : 0)
#define f3(x) ((x) ? pow[log[x] + 0x01] : 0)
#define f9(x) ((x) ? pow[log[x] + 0xc7] : 0)
#define fb(x) ((x) ? pow[log[x] + 0x68] : 0)
#define fd(x) ((x) ? pow[log[x] + 0xee] : 0)
#define fe(x) ((x) ? pow[log[x] + 0xdf] : 0)
173 
174 #endif
175 
176 #include "aestab.h"
177 
178 #if defined(__cplusplus)
179 extern "C"
180 {
181 #endif
182 
183 #if defined(FIXED_TABLES)
184 
/* provided so that a call to aes_init() is harmless when fixed tables are in use */
186 
/*  Fixed-table build: there is nothing to generate, so simply report
    success to any caller that invokes aes_init() anyway.
*/
AES_RETURN aes_init(void)
{
    return EXIT_SUCCESS;
}
191 
192 #else   /*  Generate the tables for the dynamic table option */
193 
194 #if defined(FF_TABLES)
195 
/*  Field inverse via the log/pow tables: x^-1 = g^(255 - log[x]) because
    the multiplicative group of GF(2^8) has order 255.  0 has no inverse
    and is mapped to 0, matching the function version of gf_inv() below.
*/
#define gf_inv(x)   ((x) ? pow[ 255 - log[x]] : 0)
197 
198 #else
199 
/*  It will generally be sensible to use tables to compute finite
    field multiplies and inverses, but where memory is scarce this
    code might sometimes be better. It only has effect during
    initialisation, so it is pretty unimportant in overall terms.
*/
205 
206 /*  return 2 ^ (n - 1) where n is the bit number of the highest bit
207     set in x with x in the range 1 < x < 0x00000200.   This form is
208     used so that locals within fi can be bytes rather than words
209 */
210 
/*  For x in 1 < x < 0x200, return half of the highest power of two not
    exceeding x (i.e. 2^(n-1) where n is the index of the top set bit).
    The two top candidate bits are folded into a byte first, then smeared
    rightwards, so the result always fits in a uint8_t.
*/
static uint8_t hibit(const uint32_t x)
{
    uint8_t  m = (uint8_t)((x >> 1) | (x >> 2));
    unsigned shift;

    /* smear the top bit down: after >>2 and >>4 every lower bit is set */
    for (shift = 2; shift <= 4; shift <<= 1)
        m |= (uint8_t)(m >> shift);

    return (uint8_t)((m + 1) >> 1);
}
218 
219 /* return the inverse of the finite field element x */
220 
/*  Return the multiplicative inverse of x in GF(2^8); 0 and 1 map to
    themselves.  This is an extended Euclidean algorithm run on the
    polynomial x and the modulus BPOLY.  n1/n2 hold hibit() of p1/p2 (half
    the highest set bit) so the polynomial degrees fit in bytes, and the
    quotient of two such values is the shift needed to align them.  The
    modulus' top term appears to be carried implicitly by n2 = 0x80 rather
    than stored in p2 (NOTE(review): inferred from the initialisers, confirm
    against BPOLY).  Used only when FF_TABLES is off, and only from
    aes_init() with a loop index as input, so the data-dependent loop count
    is not a timing concern for keys or data.
*/
static uint8_t gf_inv(const uint8_t x)
{   uint8_t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;

    /* n1 above is computed for x < 2 as well but is not used in that case */
    if(x < 2)
        return x;

    for( ; ; )
    {
        if(n1)
            while(n2 >= n1)             /* divide polynomial p2 by p1    */
            {
                n2 /= n1;               /* shift smaller polynomial left */
                p2 ^= (p1 * n2) & 0xff; /* and remove from larger one    */
                v2 ^= v1 * n2;          /* shift accumulated value and   */
                n2 = hibit(p2);         /* add into result               */
            }
        else
            return v1;                  /* p1 reduced to 1: v1 is x^-1   */

        if(n2)                          /* repeat with values swapped    */
            while(n1 >= n2)
            {
                n1 /= n2;
                p1 ^= p2 * n1;          /* truncation to uint8_t on assignment */
                v1 ^= v2 * n1;
                n1 = hibit(p1);
            }
        else
            return v2;                  /* p2 reduced to 1: v2 is x^-1   */
    }
}
252 
253 #endif
254 
255 /* The forward and inverse affine transformations used in the S-box */
/*  Forward affine map of the S-box: x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3)
    ^ rotl(x,4), then XOR with 0x63.  Written with explicit byte rotations
    instead of the shift-and-fold-bits-8..15 form; the result is the same.
*/
uint8_t fwd_affine(const uint8_t x)
{
    unsigned acc = x;
    unsigned k;

    for (k = 1; k <= 4; ++k)
        acc ^= ((unsigned)(x << k) | (unsigned)(x >> (8 - k))) & 0xffu;

    return (uint8_t)(acc ^ 0x63u);
}
261 
/*  Inverse of fwd_affine(): rotl(x,1) ^ rotl(x,3) ^ rotl(x,6) ^ 0x05,
    expressed with explicit byte rotations over a small shift table.
*/
uint8_t inv_affine(const uint8_t x)
{
    static const unsigned rot[3] = { 1, 3, 6 };
    unsigned acc = 0x05u;
    unsigned k;

    for (k = 0; k < 3; ++k)
        acc ^= ((unsigned)(x << rot[k]) | (unsigned)(x >> (8 - rot[k]))) & 0xffu;

    return (uint8_t)acc;
}
267 
/*  Set to 1 once aes_init() has filled the dynamic tables.  It is read and
    written with no locking, so concurrent first calls may both run the
    generation loop; every writer stores the same values, but it is still a
    data race in C11 terms.  Callers that may initialise from several
    threads should serialise the first call themselves.
*/
static int init = 0;
269 
/*  Build the dynamic AES tables on the first call (FIXED_TABLES not
    defined) and return EXIT_SUCCESS; later calls return at once once
    'init' is set.  Which t_set() tables get filled is decided by the
    *_SET macros from the headers.  Generation is deterministic and does
    not depend on any key or data, so its timing reveals nothing.
*/
AES_RETURN aes_init(void)
{   uint32_t  i, w;

#if defined(FF_TABLES)

    /* locals named pow/log: they would shadow <math.h> if that header were
       included; the f*() and gf_inv() macros above refer to these arrays  */
    uint8_t  pow[512], log[256];

    if(init)
        return EXIT_SUCCESS;
    /*  log and power tables for GF(2^8) finite field with
        WPOLY as modular polynomial - the simplest primitive
        root is 0x03, used here to generate the tables
    */

    /* w walks the powers of 0x03 (w ^ 2w == 3w); pow[] is duplicated at
       i + 255 so the index sums formed in the f*() macros need no
       reduction mod 255 */
    i = 0; w = 1;
    do
    {
        pow[i] = (uint8_t)w;
        pow[i + 255] = (uint8_t)w;
        log[w] = (uint8_t)i++;
        w ^=  (w << 1) ^ (w & 0x80 ? WPOLY : 0);
    }
    while (w != 1);

#else
    if(init)
        return EXIT_SUCCESS;
#endif

    /* round constants: 1, 2, 4, ... doubled in the field via f2() */
    for(i = 0, w = 1; i < RC_LENGTH; ++i)
    {
        t_set(r,c)[i] = bytes2word(w, 0, 0, 0);
        w = f2(w);
    }

    for(i = 0; i < 256; ++i)
    {   uint8_t    b;

        /* b = S-box of i; w = forward round-table column for b */
        b = fwd_affine(gf_inv((uint8_t)i));
        w = bytes2word(f2(b), b, b, f3(b));

#if defined( SBX_SET )
        t_set(s,box)[i] = b;
#endif

#if defined( FT1_SET )                 /* tables for a normal encryption round */
        t_set(f,n)[i] = w;
#endif
#if defined( FT4_SET )
        t_set(f,n)[0][i] = w;
        t_set(f,n)[1][i] = upr(w,1);
        t_set(f,n)[2][i] = upr(w,2);
        t_set(f,n)[3][i] = upr(w,3);
#endif
        w = bytes2word(b, 0, 0, 0);

#if defined( FL1_SET )            /* tables for last encryption round (may also   */
        t_set(f,l)[i] = w;        /* be used in the key schedule)                 */
#endif
#if defined( FL4_SET )
        t_set(f,l)[0][i] = w;
        t_set(f,l)[1][i] = upr(w,1);
        t_set(f,l)[2][i] = upr(w,2);
        t_set(f,l)[3][i] = upr(w,3);
#endif

#if defined( LS1_SET )			/* table for key schedule if t_set(f,l) above is*/
        t_set(l,s)[i] = w;      /* not of the required form                     */
#endif
#if defined( LS4_SET )
        t_set(l,s)[0][i] = w;
        t_set(l,s)[1][i] = upr(w,1);
        t_set(l,s)[2][i] = upr(w,2);
        t_set(l,s)[3][i] = upr(w,3);
#endif

        /* b = inverse S-box of i; w = inverse round-table column for b */
        b = gf_inv(inv_affine((uint8_t)i));
        w = bytes2word(fe(b), f9(b), fd(b), fb(b));

        /* the inverse mix-column table is indexed by the field element b,
           not by i; as i runs over all bytes so does b, so every slot is
           written */
#if defined( IM1_SET )			/* tables for the inverse mix column operation  */
        t_set(i,m)[b] = w;
#endif
#if defined( IM4_SET )
        t_set(i,m)[0][b] = w;
        t_set(i,m)[1][b] = upr(w,1);
        t_set(i,m)[2][b] = upr(w,2);
        t_set(i,m)[3][b] = upr(w,3);
#endif

#if defined( ISB_SET )
        t_set(i,box)[i] = b;
#endif
#if defined( IT1_SET )			/* tables for a normal decryption round */
        t_set(i,n)[i] = w;
#endif
#if defined( IT4_SET )
        t_set(i,n)[0][i] = w;
        t_set(i,n)[1][i] = upr(w,1);
        t_set(i,n)[2][i] = upr(w,2);
        t_set(i,n)[3][i] = upr(w,3);
#endif
        w = bytes2word(b, 0, 0, 0);
#if defined( IL1_SET )			/* tables for last decryption round */
        t_set(i,l)[i] = w;
#endif
#if defined( IL4_SET )
        t_set(i,l)[0][i] = w;
        t_set(i,l)[1][i] = upr(w,1);
        t_set(i,l)[2][i] = upr(w,2);
        t_set(i,l)[3][i] = upr(w,3);
#endif
    }
    /* published without synchronisation - see the note on 'init' above */
    init = 1;
    return EXIT_SUCCESS;
}
385 
386 #endif
387 
388 #if defined(__cplusplus)
389 }
390 #endif
391 
392