1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 1998-2006, Brian Gladman, Worcester, UK. All rights reserved.
4
5 LICENSE TERMS
6
7 The free distribution and use of this software in both source and binary
8 form is allowed (with or without changes) provided that:
9
10 1. distributions of this source code include the above copyright
11 notice, this list of conditions and the following disclaimer;
12
13 2. distributions in binary form include the above copyright
14 notice, this list of conditions and the following disclaimer
15 in the documentation and/or other associated materials;
16
17 3. the copyright holder's name is not used to endorse products
18 built using this software without specific written permission.
19
20 ALTERNATIVELY, provided that this notice is retained in full, this product
21 may be distributed under the terms of the GNU General Public License (GPL),
22 in which case the provisions of the GPL apply INSTEAD OF those given above.
23
24 DISCLAIMER
25
26 This software is provided 'as is' with no explicit or implied warranties
27 in respect of its properties, including, but not limited to, correctness
28 and/or fitness for purpose.
29 ---------------------------------------------------------------------------
30 Issue 09/09/2006
31 */
32
33 #define DO_TABLES
34
35 #include "aes.h"
36 #include "aesopt.h"
37
38
39 #if defined(__cplusplus)
40 extern "C"
41 {
42 #endif
43
44
45 //[winfix]
46 #if 0
47 #if ZRTP_PLATFORM != ZP_WIN32 && ZRTP_PLATFORM != ZP_WIN32_KERNEL
48 #ifndef FIXED_TABLES
49 #warning "FIXED_TABLES isn't defined. Use dynamic tables."
50 #else
51 #warning "FIXED_TABLES is defined. Use static tables."
52 #endif
53 #endif
54 #endif
55
56 #if defined(FIXED_TABLES)
57
58 #define sb_data(w) {\
59 w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
60 w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
61 w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
62 w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
63 w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
64 w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
65 w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
66 w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
67 w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
68 w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
69 w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
70 w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
71 w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
72 w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
73 w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
74 w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
75 w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
76 w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
77 w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
78 w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
79 w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
80 w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
81 w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
82 w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
83 w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
84 w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
85 w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
86 w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
87 w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
88 w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
89 w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
90 w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
91
92 #define isb_data(w) {\
93 w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
94 w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
95 w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
96 w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
97 w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
98 w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
99 w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
100 w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
101 w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
102 w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
103 w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
104 w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
105 w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
106 w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
107 w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
108 w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
109 w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
110 w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
111 w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
112 w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
113 w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
114 w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
115 w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
116 w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
117 w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
118 w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
119 w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
120 w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
121 w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
122 w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
123 w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
124 w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
125
126 #define mm_data(w) {\
127 w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
128 w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
129 w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
130 w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
131 w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
132 w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
133 w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
134 w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
135 w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
136 w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
137 w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
138 w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
139 w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
140 w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
141 w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
142 w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
143 w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
144 w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
145 w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
146 w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
147 w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
148 w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
149 w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
150 w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
151 w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
152 w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
153 w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
154 w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
155 w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
156 w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
157 w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
158 w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
159
160 #define rc_data(w) {\
161 w(0x01), w(0x02), w(0x04), w(0x08), w(0x10),w(0x20), w(0x40), w(0x80),\
162 w(0x1b), w(0x36) }
163
164 #define h0(x) (x)
165
166 #define w0(p) bytes2word(p, 0, 0, 0)
167 #define w1(p) bytes2word(0, p, 0, 0)
168 #define w2(p) bytes2word(0, 0, p, 0)
169 #define w3(p) bytes2word(0, 0, 0, p)
170
171 #define u0(p) bytes2word(f2(p), p, p, f3(p))
172 #define u1(p) bytes2word(f3(p), f2(p), p, p)
173 #define u2(p) bytes2word(p, f3(p), f2(p), p)
174 #define u3(p) bytes2word(p, p, f3(p), f2(p))
175
176 #define v0(p) bytes2word(fe(p), f9(p), fd(p), fb(p))
177 #define v1(p) bytes2word(fb(p), fe(p), f9(p), fd(p))
178 #define v2(p) bytes2word(fd(p), fb(p), fe(p), f9(p))
179 #define v3(p) bytes2word(f9(p), fd(p), fb(p), fe(p))
180
181 #endif
182
#if defined(FIXED_TABLES) || !defined(FF_TABLES)

/* Multiplication by the constants 2, 4 and 8 in GF(2^8), written as a left
   shift followed by one reduction with WPOLY per bit that spilled above
   bit 7 (one for f2, two for f4, three for f8). The composite constants
   3, 9, 0xb, 0xd and 0xe are then built by XOR-ing those.

   The macro argument x is deliberately NOT parenthesised and is expanded
   several times, so pass only a plain identifier or a literal, never an
   expression with side effects (every use in this file complies). */
#define f2(x) ((x<<1) ^ (((x>>7) & 1) * WPOLY))
#define f4(x) ((x<<2) ^ (((x>>6) & 1) * WPOLY) ^ (((x>>6) & 2) * WPOLY))
#define f8(x) ((x<<3) ^ (((x>>5) & 1) * WPOLY) ^ (((x>>5) & 2) * WPOLY) \
^ (((x>>5) & 4) * WPOLY))
#define f3(x) (f2(x) ^ x)
#define f9(x) (f8(x) ^ x)
#define fb(x) (f8(x) ^ f2(x) ^ x)
#define fd(x) (f8(x) ^ f4(x) ^ x)
#define fe(x) (f8(x) ^ f4(x) ^ f2(x))

#else

/* The same constants via discrete logarithms: pow[log[x] + log[k]], with
   log[k] pre-computed for each constant k (0x19 for 2, 0x01 for 3, ...).
   fi is the multiplicative inverse, pow[255 - log[x]]. The leading zero
   test is required because 0 has no logarithm (and log[0] is never
   written). Note that pow and log are NOT file-scope tables here: they are
   locals of zrtp_bg_gen_tabs() below, so these macros are only meaningful
   inside that function. */
#define f2(x) ((x) ? pow[log[x] + 0x19] : 0)
#define f3(x) ((x) ? pow[log[x] + 0x01] : 0)
#define f9(x) ((x) ? pow[log[x] + 0xc7] : 0)
#define fb(x) ((x) ? pow[log[x] + 0x68] : 0)
#define fd(x) ((x) ? pow[log[x] + 0xee] : 0)
#define fe(x) ((x) ? pow[log[x] + 0xdf] : 0)
#define fi(x) ((x) ? pow[ 255 - log[x]] : 0)

#endif
206
207 #include "aestab.h"
208
209 #if defined(FIXED_TABLES)
210
/* FIXED_TABLES build: every table is compiled in, so there is nothing to
   generate at run time. This stub keeps the call site valid and always
   reports success. */
AES_RETURN zrtp_bg_gen_tabs(void)
{
    /* nothing to do - the static tables came from aestab.h */
    return EXIT_SUCCESS;
}
217
218 #else /* dynamic table generation */
219
220 #if !defined(FF_TABLES)
221
222 /* Generate the tables for the dynamic table option
223
224 It will generally be sensible to use tables to compute finite
225 field multiplies and inverses, but where memory is scarce this
226 code might sometimes be better. It only has an effect during
227 initialisation, so it is fairly unimportant in overall terms.
228 */
229
/* Return 2^(n-1), where n is the (0-based) index of the highest set bit
   of x, for x in the range 1 < x < 0x200; x < 2 yields 0. Working on
   x >> 1 keeps every intermediate inside a byte, which is what lets
   fi() below keep its locals as bytes rather than words. */
static uint_8t hibit(const uint_32t x)
{
    unsigned shift;
    /* discard the lowest bit; bits 1..8 of x fit in a byte */
    uint_8t mask = (uint_8t)((x >> 1) | (x >> 2));

    /* smear the leading bit downwards so that mask == 2^n - 1 */
    for (shift = 2; shift <= 4; shift <<= 1)
    {
        mask |= (uint_8t)(mask >> shift);
    }
    /* 2^n - 1  ->  2^n  ->  2^(n-1) */
    return (uint_8t)((mask + 1) >> 1);
}
242
/* One reduction pass of the Euclidean algorithm on byte-sized operands:
   while the leading bit of *p is at or above that of pk, XOR into *p a
   copy of pk shifted up to align the leading bits, apply the same shift
   to vk and XOR it into *v, then recompute the leading bit of *p.
   nk must be non-zero (callers check it first). Products are truncated to
   a byte on purpose, matching the byte-only arithmetic hibit() enables. */
static void fi_reduce(uint_8t *p, uint_8t *v, uint_8t *n,
                      const uint_8t pk, const uint_8t vk, const uint_8t nk)
{
    while (*n >= nk)
    {
        uint_8t shift = *n / nk;   /* ratio of two powers of two */
        *p ^= pk * shift;
        *v ^= vk * shift;
        *n = hibit(*p);
    }
}

/* Return the multiplicative inverse of x in GF(2^8) by the extended
   Euclidean algorithm over (x, BPOLY). 0 is returned as 0 and 1 as 1.
   BPOLY is stored truncated to a byte; its top bit appears to be carried
   by starting the second leading-bit tracker at 0x80 rather than being
   held in the polynomial itself - see the note above hibit(). */
static uint_8t fi(const uint_8t x)
{
    uint_8t a = x,     va = 1, na = hibit(x);
    uint_8t m = BPOLY, vm = 0, nm = 0x80;

    /* 0 has no inverse (0 by convention), 1 is its own inverse */
    if (x < 2)
    {
        return x;
    }

    for (;;)
    {
        if (!na)
        {
            return va;
        }
        fi_reduce(&m, &vm, &nm, a, va, na);

        if (!nm)
        {
            return vm;
        }
        fi_reduce(&a, &va, &na, m, vm, nm);
    }
}
267
268 #endif
269
/* The forward and inverse affine transformations used in the S-box.

   Both are comma expressions that use a caller-supplied uint_32t named
   `w` as scratch: it is assigned the input, the shifted copies are XORed
   in, and w ^ (w >> 8) folds the bits that spilled above bit 7 back down,
   which realises the byte rotations of the affine map. They therefore
   expand only where such a `w` is in scope (inside zrtp_bg_gen_tabs()
   here) and clobber it. The constant term is 0x63 for the forward map and
   0x05 for its inverse. `x` is not parenthesised; pass a plain value or a
   call expression, as the call sites below do. */

#define fwd_affine(x) \
(w = (uint_32t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(uint_8t)(w^(w>>8)))

#define inv_affine(x) \
(w = (uint_32t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(uint_8t)(w^(w>>8)))
277
/* Set to 1 once zrtp_bg_gen_tabs() has filled every table, so that later
   calls return immediately. It is a plain int that is read and written
   without any locking in this file. NOTE(review): two threads making the
   first call concurrently would both regenerate the (identical) tables and
   race on this flag - confirm that callers serialise initialisation. */
static int init = 0;
279
/* Generate the cipher's run-time lookup tables (dynamic-table build).

   In order: (FF_TABLES only) local log/pow tables for GF(2^8) that the
   f2..fe/fi macros index; the round-constant table t_set(r,c); then, for
   every byte value i, the S-box entry b and whichever forward
   (SBX/FT/FL/LS) and inverse (ISB/IT/IL/IM) tables this build enables
   through the *_SET macros. The 4-table variants store copies transformed
   with upr() (a project macro, defined elsewhere).

   Idempotent through the file-scope `init` flag: once the tables are
   built every later call returns at once. Always returns EXIT_SUCCESS.

   `w` doubles as the scratch word that fwd_affine()/inv_affine() assign
   to, so its value is clobbered by each use of those macros and is always
   re-assigned afterwards here. Nothing in this function takes a lock;
   see the note on `init`.

   NOTE(review): these are the tables of a table-driven AES. The round
   code (not in this file) presumably indexes them with key- and
   data-dependent bytes, the usual cache-timing exposure of T-table
   implementations - confirm whether that matters for this deployment. */
AES_RETURN zrtp_bg_gen_tabs(void)
{
    uint_32t i, w;
#if defined(FF_TABLES)

    /* log/pow are locals, not file-scope tables: the FF_TABLES versions of
       f2..fe and fi are therefore only usable inside this function. pow is
       written twice (at i and at i + 255) so the fixed offsets those
       macros add to log[x] (up to 0xee) never need reducing modulo 255;
       pow[510..511] are never written. log[0] is never written either -
       0 has no logarithm and the macros test for x == 0 first. */
    uint_8t pow[512], log[256];

    if(init)
        return EXIT_SUCCESS;
    /* log and power tables for GF(2^8) finite field with
       WPOLY as modular polynomial - the simplest primitive
       root is 0x03, used here to generate the tables
    */

    i = 0; w = 1;
    do
    {
        pow[i] = (uint_8t)w;
        pow[i + 255] = (uint_8t)w;
        log[w] = (uint_8t)i++;
        /* w *= 0x03 in the field, i.e. w ^ xtime(w), with the doubled
           value reduced by WPOLY when it overflows a byte */
        w ^= (w << 1) ^ (w & 0x80 ? WPOLY : 0);
    }
    while (w != 1);                 /* back at 1 after all 255 non-zero elements */

#else
    if(init)
        return EXIT_SUCCESS;
#endif

    /* round constants: rc[i] = 2^i in GF(2^8), by repeated xtime (f2) */
    for(i = 0, w = 1; i < RC_LENGTH; ++i)
    {
        t_set(r,c)[i] = bytes2word(w, 0, 0, 0);
        w = f2(w);
    }

    for(i = 0; i < 256; ++i)
    {
        uint_8t b;

        /* forward S-box: field inverse, then the affine map. With
           FF_TABLES fi() is the log/pow macro, otherwise the static
           function above. fwd_affine() clobbers w. */
        b = fwd_affine(fi((uint_8t)i));
        /* MixColumns column for b: the multipliers {02, 01, 01, 03} */
        w = bytes2word(f2(b), b, b, f3(b));

#if defined( SBX_SET )
        t_set(s,box)[i] = b;
#endif

#if defined( FT1_SET )              /* tables for a normal encryption round */
        t_set(f,n)[i] = w;
#endif
#if defined( FT4_SET )
        t_set(f,n)[0][i] = w;
        t_set(f,n)[1][i] = upr(w,1);
        t_set(f,n)[2][i] = upr(w,2);
        t_set(f,n)[3][i] = upr(w,3);
#endif
        /* the last round has no MixColumns: just the S-box byte */
        w = bytes2word(b, 0, 0, 0);

#if defined( FL1_SET )              /* tables for last encryption round (may also */
        t_set(f,l)[i] = w;          /* be used in the key schedule) */
#endif
#if defined( FL4_SET )
        t_set(f,l)[0][i] = w;
        t_set(f,l)[1][i] = upr(w,1);
        t_set(f,l)[2][i] = upr(w,2);
        t_set(f,l)[3][i] = upr(w,3);
#endif

#if defined( LS1_SET )              /* table for key schedule if t_set(f,l) above is */
        t_set(l,s)[i] = w;          /* not of the required form */
#endif
#if defined( LS4_SET )
        t_set(l,s)[0][i] = w;
        t_set(l,s)[1][i] = upr(w,1);
        t_set(l,s)[2][i] = upr(w,2);
        t_set(l,s)[3][i] = upr(w,3);
#endif

        /* inverse S-box: inverse affine map first, then the field
           inverse. Under FF_TABLES the fi macro expands its argument
           twice; inv_affine() only re-assigns w, so that is harmless. */
        b = fi(inv_affine((uint_8t)i));
        /* InvMixColumns column for b: the multipliers {0e, 09, 0d, 0b} */
        w = bytes2word(fe(b), f9(b), fd(b), fb(b));

#if defined( IM1_SET )              /* tables for the inverse mix column operation */
        /* indexed by b, not i: this maps a plain byte to its InvMixColumns
           column. b visits every byte value as i does (the inverse S-box
           is a permutation), so the table is fully populated. */
        t_set(i,m)[b] = w;
#endif
#if defined( IM4_SET )
        t_set(i,m)[0][b] = w;
        t_set(i,m)[1][b] = upr(w,1);
        t_set(i,m)[2][b] = upr(w,2);
        t_set(i,m)[3][b] = upr(w,3);
#endif

#if defined( ISB_SET )
        t_set(i,box)[i] = b;
#endif
#if defined( IT1_SET )              /* tables for a normal decryption round */
        t_set(i,n)[i] = w;
#endif
#if defined( IT4_SET )
        t_set(i,n)[0][i] = w;
        t_set(i,n)[1][i] = upr(w,1);
        t_set(i,n)[2][i] = upr(w,2);
        t_set(i,n)[3][i] = upr(w,3);
#endif
        /* last decryption round: inverse S-box byte only */
        w = bytes2word(b, 0, 0, 0);
#if defined( IL1_SET )              /* tables for last decryption round */
        t_set(i,l)[i] = w;
#endif
#if defined( IL4_SET )
        t_set(i,l)[0][i] = w;
        t_set(i,l)[1][i] = upr(w,1);
        t_set(i,l)[2][i] = upr(w,2);
        t_set(i,l)[3][i] = upr(w,3);
#endif
    }
    /* publish only after every table is complete */
    init = 1;
    return EXIT_SUCCESS;
}
394
395 #endif
396
397 #if defined(__cplusplus)
398 }
399 #endif
400
401