1 /* 2 * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /** 11 * rijndael-alg-fst.c 12 * 13 * @version 3.0 (December 2000) 14 * 15 * Optimised ANSI C code for the Rijndael cipher (now AES) 16 * 17 * @author Vincent Rijmen 18 * @author Antoon Bosselaers 19 * @author Paulo Barreto 20 * 21 * This code is hereby placed in the public domain. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS 24 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE 27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 31 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 32 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 33 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /* Note: rewritten a little bit to provide error control and an OpenSSL- 37 compatible API */ 38 39 #include <assert.h> 40 41 #include <stdlib.h> 42 #include <openssl/crypto.h> 43 #include <openssl/aes.h> 44 #include "aes_local.h" 45 46 #if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM) 47 typedef union { 48 unsigned char b[8]; 49 u32 w[2]; 50 u64 d; 51 } uni; 52 53 /* 54 * Compute w := (w * x) mod (x^8 + x^4 + x^3 + x^1 + 1) 55 * Therefore the name "xtime". 56 */ 57 static void XtimeWord(u32 *w) 58 { 59 u32 a, b; 60 61 a = *w; 62 b = a & 0x80808080u; 63 a ^= b; 64 b -= b >> 7; 65 b &= 0x1B1B1B1Bu; 66 b ^= a << 1; 67 *w = b; 68 } 69 70 static void XtimeLong(u64 *w) 71 { 72 u64 a, b; 73 74 a = *w; 75 b = a & 0x8080808080808080uLL; 76 a ^= b; 77 b -= b >> 7; 78 b &= 0x1B1B1B1B1B1B1B1BuLL; 79 b ^= a << 1; 80 *w = b; 81 } 82 83 /* 84 * This computes w := S * w ^ -1 + c, where c = {01100011}. 85 * Instead of using GF(2^8) mod (x^8+x^4+x^3+x+1} we do the inversion 86 * in GF(GF(GF(2^2)^2)^2) mod (X^2+X+8) 87 * and GF(GF(2^2)^2) mod (X^2+X+2) 88 * and GF(2^2) mod (X^2+X+1) 89 * The first part of the algorithm below transfers the coordinates 90 * {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80} => 91 * {1,Y,Y^2,Y^3,Y^4,Y^5,Y^6,Y^7} with Y=0x41: 92 * {0x01,0x41,0x66,0x6c,0x56,0x9a,0x58,0xc4} 93 * The last part undoes the coordinate transfer and the final affine 94 * transformation S: 95 * b[i] = b[i] + b[(i+4)%8] + b[(i+5)%8] + b[(i+6)%8] + b[(i+7)%8] + c[i] 96 * in one step. 97 * The multiplication in GF(2^2^2^2) is done in ordinary coords: 98 * A = (a0*1 + a1*x^4) 99 * B = (b0*1 + b1*x^4) 100 * AB = ((a0*b0 + 8*a1*b1)*1 + (a1*b0 + (a0+a1)*b1)*x^4) 101 * When A = (a0,a1) is given we want to solve AB = 1: 102 * (a) 1 = a0*b0 + 8*a1*b1 103 * (b) 0 = a1*b0 + (a0+a1)*b1 104 * => multiply (a) by a1 and (b) by a0 105 * (c) a1 = a1*a0*b0 + (8*a1*a1)*b1 106 * (d) 0 = a1*a0*b0 + (a0*a0+a1*a0)*b1 107 * => add (c) + (d) 108 * (e) a1 = (a0*a0 + a1*a0 + 8*a1*a1)*b1 109 * => therefore 110 * b1 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * a1 111 * => and adding (a1*b0) to (b) we get 112 * (f) a1*b0 = (a0+a1)*b1 113 * => therefore 114 * b0 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * (a0+a1) 115 * Note this formula also works for the case 116 * (a0+a1)*a0 + 8*a1*a1 = 0 117 * if the inverse element for 0^-1 is mapped to 0. 118 * Repeat the same for GF(2^2^2) and GF(2^2). 119 * We get the following algorithm: 120 * inv8(a0,a1): 121 * x0 = a0^a1 122 * [y0,y1] = mul4([x0,a1],[a0,a1]); (*) 123 * y1 = mul4(8,y1); 124 * t = inv4(y0^y1); 125 * [b0,b1] = mul4([x0,a1],[t,t]); (*) 126 * return [b0,b1]; 127 * The non-linear multiplies (*) can be done in parallel at no extra cost. 128 */ 129 static void SubWord(u32 *w) 130 { 131 u32 x, y, a1, a2, a3, a4, a5, a6; 132 133 x = *w; 134 y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7); 135 x &= 0xDDDDDDDDu; 136 x ^= y & 0x57575757u; 137 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 138 x ^= y & 0x1C1C1C1Cu; 139 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 140 x ^= y & 0x4A4A4A4Au; 141 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 142 x ^= y & 0x42424242u; 143 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 144 x ^= y & 0x64646464u; 145 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 146 x ^= y & 0xE0E0E0E0u; 147 a1 = x; 148 a1 ^= (x & 0xF0F0F0F0u) >> 4; 149 a2 = ((x & 0xCCCCCCCCu) >> 2) | ((x & 0x33333333u) << 2); 150 a3 = x & a1; 151 a3 ^= (a3 & 0xAAAAAAAAu) >> 1; 152 a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAu; 153 a4 = a2 & a1; 154 a4 ^= (a4 & 0xAAAAAAAAu) >> 1; 155 a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAu; 156 a5 = (a3 & 0xCCCCCCCCu) >> 2; 157 a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu; 158 a4 = a5 & 0x22222222u; 159 a4 |= a4 >> 1; 160 a4 ^= (a5 << 1) & 0x22222222u; 161 a3 ^= a4; 162 a5 = a3 & 0xA0A0A0A0u; 163 a5 |= a5 >> 1; 164 a5 ^= (a3 << 1) & 0xA0A0A0A0u; 165 a4 = a5 & 0xC0C0C0C0u; 166 a6 = a4 >> 2; 167 a4 ^= (a5 << 2) & 0xC0C0C0C0u; 168 a5 = a6 & 0x20202020u; 169 a5 |= a5 >> 1; 170 a5 ^= (a6 << 1) & 0x20202020u; 171 a4 |= a5; 172 a3 ^= a4 >> 4; 173 a3 &= 0x0F0F0F0Fu; 174 a2 = a3; 175 a2 ^= (a3 & 0x0C0C0C0Cu) >> 2; 176 a4 = a3 & a2; 177 a4 ^= (a4 & 0x0A0A0A0A0Au) >> 1; 178 a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0Au; 179 a5 = a4 & 0x08080808u; 180 a5 |= a5 >> 1; 181 a5 ^= (a4 << 1) & 0x08080808u; 182 a4 ^= a5 >> 2; 183 a4 &= 0x03030303u; 184 a4 ^= (a4 & 0x02020202u) >> 1; 185 a4 |= a4 << 2; 186 a3 = a2 & a4; 187 a3 ^= (a3 & 0x0A0A0A0Au) >> 1; 188 a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0Au; 189 a3 |= a3 << 4; 190 a2 = ((a1 & 0xCCCCCCCCu) >> 2) | ((a1 & 0x33333333u) << 2); 191 x = a1 & a3; 192 x ^= (x & 0xAAAAAAAAu) >> 1; 193 x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAu; 194 a4 = a2 & a3; 195 a4 ^= (a4 & 0xAAAAAAAAu) >> 1; 196 a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAu; 197 a5 = (x & 0xCCCCCCCCu) >> 2; 198 x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu; 199 a4 = a5 & 0x22222222u; 200 a4 |= a4 >> 1; 201 a4 ^= (a5 << 1) & 0x22222222u; 202 x ^= a4; 203 y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7); 204 x &= 0x39393939u; 205 x ^= y & 0x3F3F3F3Fu; 206 y = ((y & 0xFCFCFCFCu) >> 2) | ((y & 0x03030303u) << 6); 207 x ^= y & 0x97979797u; 208 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 209 x ^= y & 0x9B9B9B9Bu; 210 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 211 x ^= y & 0x3C3C3C3Cu; 212 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 213 x ^= y & 0xDDDDDDDDu; 214 y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7); 215 x ^= y & 0x72727272u; 216 x ^= 0x63636363u; 217 *w = x; 218 } 219 220 static void SubLong(u64 *w) 221 { 222 u64 x, y, a1, a2, a3, a4, a5, a6; 223 224 x = *w; 225 y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7); 226 x &= 0xDDDDDDDDDDDDDDDDuLL; 227 x ^= y & 0x5757575757575757uLL; 228 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 229 x ^= y & 0x1C1C1C1C1C1C1C1CuLL; 230 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 231 x ^= y & 0x4A4A4A4A4A4A4A4AuLL; 232 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 233 x ^= y & 0x4242424242424242uLL; 234 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 235 x ^= y & 0x6464646464646464uLL; 236 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 237 x ^= y & 0xE0E0E0E0E0E0E0E0uLL; 238 a1 = x; 239 a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4; 240 a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2); 241 a3 = x & a1; 242 a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 243 a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL; 244 a4 = a2 & a1; 245 a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 246 a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL; 247 a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2; 248 a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL; 249 a4 = a5 & 0x2222222222222222uLL; 250 a4 |= a4 >> 1; 251 a4 ^= (a5 << 1) & 0x2222222222222222uLL; 252 a3 ^= a4; 253 a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL; 254 a5 |= a5 >> 1; 255 a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL; 256 a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL; 257 a6 = a4 >> 2; 258 a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL; 259 a5 = a6 & 0x2020202020202020uLL; 260 a5 |= a5 >> 1; 261 a5 ^= (a6 << 1) & 0x2020202020202020uLL; 262 a4 |= a5; 263 a3 ^= a4 >> 4; 264 a3 &= 0x0F0F0F0F0F0F0F0FuLL; 265 a2 = a3; 266 a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2; 267 a4 = a3 & a2; 268 a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1; 269 a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL; 270 a5 = a4 & 0x0808080808080808uLL; 271 a5 |= a5 >> 1; 272 a5 ^= (a4 << 1) & 0x0808080808080808uLL; 273 a4 ^= a5 >> 2; 274 a4 &= 0x0303030303030303uLL; 275 a4 ^= (a4 & 0x0202020202020202uLL) >> 1; 276 a4 |= a4 << 2; 277 a3 = a2 & a4; 278 a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1; 279 a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL; 280 a3 |= a3 << 4; 281 a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2); 282 x = a1 & a3; 283 x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 284 x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL; 285 a4 = a2 & a3; 286 a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 287 a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL; 288 a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2; 289 x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL; 290 a4 = a5 & 0x2222222222222222uLL; 291 a4 |= a4 >> 1; 292 a4 ^= (a5 << 1) & 0x2222222222222222uLL; 293 x ^= a4; 294 y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7); 295 x &= 0x3939393939393939uLL; 296 x ^= y & 0x3F3F3F3F3F3F3F3FuLL; 297 y = ((y & 0xFCFCFCFCFCFCFCFCuLL) >> 2) | ((y & 0x0303030303030303uLL) << 6); 298 x ^= y & 0x9797979797979797uLL; 299 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 300 x ^= y & 0x9B9B9B9B9B9B9B9BuLL; 301 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 302 x ^= y & 0x3C3C3C3C3C3C3C3CuLL; 303 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 304 x ^= y & 0xDDDDDDDDDDDDDDDDuLL; 305 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 306 x ^= y & 0x7272727272727272uLL; 307 x ^= 0x6363636363636363uLL; 308 *w = x; 309 } 310 311 /* 312 * This computes w := (S^-1 * (w + c))^-1 313 */ 314 static void InvSubLong(u64 *w) 315 { 316 u64 x, y, a1, a2, a3, a4, a5, a6; 317 318 x = *w; 319 x ^= 0x6363636363636363uLL; 320 y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7); 321 x &= 0xFDFDFDFDFDFDFDFDuLL; 322 x ^= y & 0x5E5E5E5E5E5E5E5EuLL; 323 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 324 x ^= y & 0xF3F3F3F3F3F3F3F3uLL; 325 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 326 x ^= y & 0xF5F5F5F5F5F5F5F5uLL; 327 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 328 x ^= y & 0x7878787878787878uLL; 329 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 330 x ^= y & 0x7777777777777777uLL; 331 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 332 x ^= y & 0x1515151515151515uLL; 333 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 334 x ^= y & 0xA5A5A5A5A5A5A5A5uLL; 335 a1 = x; 336 a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4; 337 a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2); 338 a3 = x & a1; 339 a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 340 a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL; 341 a4 = a2 & a1; 342 a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 343 a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL; 344 a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2; 345 a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL; 346 a4 = a5 & 0x2222222222222222uLL; 347 a4 |= a4 >> 1; 348 a4 ^= (a5 << 1) & 0x2222222222222222uLL; 349 a3 ^= a4; 350 a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL; 351 a5 |= a5 >> 1; 352 a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL; 353 a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL; 354 a6 = a4 >> 2; 355 a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL; 356 a5 = a6 & 0x2020202020202020uLL; 357 a5 |= a5 >> 1; 358 a5 ^= (a6 << 1) & 0x2020202020202020uLL; 359 a4 |= a5; 360 a3 ^= a4 >> 4; 361 a3 &= 0x0F0F0F0F0F0F0F0FuLL; 362 a2 = a3; 363 a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2; 364 a4 = a3 & a2; 365 a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1; 366 a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL; 367 a5 = a4 & 0x0808080808080808uLL; 368 a5 |= a5 >> 1; 369 a5 ^= (a4 << 1) & 0x0808080808080808uLL; 370 a4 ^= a5 >> 2; 371 a4 &= 0x0303030303030303uLL; 372 a4 ^= (a4 & 0x0202020202020202uLL) >> 1; 373 a4 |= a4 << 2; 374 a3 = a2 & a4; 375 a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1; 376 a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL; 377 a3 |= a3 << 4; 378 a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2); 379 x = a1 & a3; 380 x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 381 x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL; 382 a4 = a2 & a3; 383 a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1; 384 a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL; 385 a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2; 386 x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL; 387 a4 = a5 & 0x2222222222222222uLL; 388 a4 |= a4 >> 1; 389 a4 ^= (a5 << 1) & 0x2222222222222222uLL; 390 x ^= a4; 391 y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7); 392 x &= 0xB5B5B5B5B5B5B5B5uLL; 393 x ^= y & 0x4040404040404040uLL; 394 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 395 x ^= y & 0x8080808080808080uLL; 396 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 397 x ^= y & 0x1616161616161616uLL; 398 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 399 x ^= y & 0xEBEBEBEBEBEBEBEBuLL; 400 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 401 x ^= y & 0x9797979797979797uLL; 402 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 403 x ^= y & 0xFBFBFBFBFBFBFBFBuLL; 404 y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7); 405 x ^= y & 0x7D7D7D7D7D7D7D7DuLL; 406 *w = x; 407 } 408 409 static void ShiftRows(u64 *state) 410 { 411 unsigned char s[4]; 412 unsigned char *s0; 413 int r; 414 415 s0 = (unsigned char *)state; 416 for (r = 0; r < 4; r++) { 417 s[0] = s0[0*4 + r]; 418 s[1] = s0[1*4 + r]; 419 s[2] = s0[2*4 + r]; 420 s[3] = s0[3*4 + r]; 421 s0[0*4 + r] = s[(r+0) % 4]; 422 s0[1*4 + r] = s[(r+1) % 4]; 423 s0[2*4 + r] = s[(r+2) % 4]; 424 s0[3*4 + r] = s[(r+3) % 4]; 425 } 426 } 427 428 static void InvShiftRows(u64 *state) 429 { 430 unsigned char s[4]; 431 unsigned char *s0; 432 int r; 433 434 s0 = (unsigned char *)state; 435 for (r = 0; r < 4; r++) { 436 s[0] = s0[0*4 + r]; 437 s[1] = s0[1*4 + r]; 438 s[2] = s0[2*4 + r]; 439 s[3] = s0[3*4 + r]; 440 s0[0*4 + r] = s[(4-r) % 4]; 441 s0[1*4 + r] = s[(5-r) % 4]; 442 s0[2*4 + r] = s[(6-r) % 4]; 443 s0[3*4 + r] = s[(7-r) % 4]; 444 } 445 } 446 447 static void MixColumns(u64 *state) 448 { 449 uni s1; 450 uni s; 451 int c; 452 453 for (c = 0; c < 2; c++) { 454 s1.d = state[c]; 455 s.d = s1.d; 456 s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16) 457 | ((s.d & 0x0000FFFF0000FFFFuLL) << 16); 458 s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8) 459 | ((s.d & 0x00FF00FF00FF00FFuLL) << 8); 460 s.d ^= s1.d; 461 XtimeLong(&s1.d); 462 s.d ^= s1.d; 463 s.b[0] ^= s1.b[1]; 464 s.b[1] ^= s1.b[2]; 465 s.b[2] ^= s1.b[3]; 466 s.b[3] ^= s1.b[0]; 467 s.b[4] ^= s1.b[5]; 468 s.b[5] ^= s1.b[6]; 469 s.b[6] ^= s1.b[7]; 470 s.b[7] ^= s1.b[4]; 471 state[c] = s.d; 472 } 473 } 474 475 static void InvMixColumns(u64 *state) 476 { 477 uni s1; 478 uni s; 479 int c; 480 481 for (c = 0; c < 2; c++) { 482 s1.d = state[c]; 483 s.d = s1.d; 484 s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16) 485 | ((s.d & 0x0000FFFF0000FFFFuLL) << 16); 486 s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8) 487 | ((s.d & 0x00FF00FF00FF00FFuLL) << 8); 488 s.d ^= s1.d; 489 XtimeLong(&s1.d); 490 s.d ^= s1.d; 491 s.b[0] ^= s1.b[1]; 492 s.b[1] ^= s1.b[2]; 493 s.b[2] ^= s1.b[3]; 494 s.b[3] ^= s1.b[0]; 495 s.b[4] ^= s1.b[5]; 496 s.b[5] ^= s1.b[6]; 497 s.b[6] ^= s1.b[7]; 498 s.b[7] ^= s1.b[4]; 499 XtimeLong(&s1.d); 500 s1.d ^= ((s1.d & 0xFFFF0000FFFF0000uLL) >> 16) 501 | ((s1.d & 0x0000FFFF0000FFFFuLL) << 16); 502 s.d ^= s1.d; 503 XtimeLong(&s1.d); 504 s1.d ^= ((s1.d & 0xFF00FF00FF00FF00uLL) >> 8) 505 | ((s1.d & 0x00FF00FF00FF00FFuLL) << 8); 506 s.d ^= s1.d; 507 state[c] = s.d; 508 } 509 } 510 511 static void AddRoundKey(u64 *state, const u64 *w) 512 { 513 state[0] ^= w[0]; 514 state[1] ^= w[1]; 515 } 516 517 static void Cipher(const unsigned char *in, unsigned char *out, 518 const u64 *w, int nr) 519 { 520 u64 state[2]; 521 int i; 522 523 memcpy(state, in, 16); 524 525 AddRoundKey(state, w); 526 527 for (i = 1; i < nr; i++) { 528 SubLong(&state[0]); 529 SubLong(&state[1]); 530 ShiftRows(state); 531 MixColumns(state); 532 AddRoundKey(state, w + i*2); 533 } 534 535 SubLong(&state[0]); 536 SubLong(&state[1]); 537 ShiftRows(state); 538 AddRoundKey(state, w + nr*2); 539 540 memcpy(out, state, 16); 541 } 542 543 static void InvCipher(const unsigned char *in, unsigned char *out, 544 const u64 *w, int nr) 545 546 { 547 u64 state[2]; 548 int i; 549 550 memcpy(state, in, 16); 551 552 AddRoundKey(state, w + nr*2); 553 554 for (i = nr - 1; i > 0; i--) { 555 InvShiftRows(state); 556 InvSubLong(&state[0]); 557 InvSubLong(&state[1]); 558 AddRoundKey(state, w + i*2); 559 InvMixColumns(state); 560 } 561 562 InvShiftRows(state); 563 InvSubLong(&state[0]); 564 InvSubLong(&state[1]); 565 AddRoundKey(state, w); 566 567 memcpy(out, state, 16); 568 } 569 570 static void RotWord(u32 *x) 571 { 572 unsigned char *w0; 573 unsigned char tmp; 574 575 w0 = (unsigned char *)x; 576 tmp = w0[0]; 577 w0[0] = w0[1]; 578 w0[1] = w0[2]; 579 w0[2] = w0[3]; 580 w0[3] = tmp; 581 } 582 583 static void KeyExpansion(const unsigned char *key, u64 *w, 584 int nr, int nk) 585 { 586 u32 rcon; 587 uni prev; 588 u32 temp; 589 int i, n; 590 591 memcpy(w, key, nk*4); 592 memcpy(&rcon, "\1\0\0\0", 4); 593 n = nk/2; 594 prev.d = w[n-1]; 595 for (i = n; i < (nr+1)*2; i++) { 596 temp = prev.w[1]; 597 if (i % n == 0) { 598 RotWord(&temp); 599 SubWord(&temp); 600 temp ^= rcon; 601 XtimeWord(&rcon); 602 } else if (nk > 6 && i % n == 2) { 603 SubWord(&temp); 604 } 605 prev.d = w[i-n]; 606 prev.w[0] ^= temp; 607 prev.w[1] ^= prev.w[0]; 608 w[i] = prev.d; 609 } 610 } 611 612 /** 613 * Expand the cipher key into the encryption key schedule. 614 */ 615 int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 616 AES_KEY *key) 617 { 618 u64 *rk; 619 620 if (!userKey || !key) 621 return -1; 622 if (bits != 128 && bits != 192 && bits != 256) 623 return -2; 624 625 rk = (u64*)key->rd_key; 626 627 if (bits == 128) 628 key->rounds = 10; 629 else if (bits == 192) 630 key->rounds = 12; 631 else 632 key->rounds = 14; 633 634 KeyExpansion(userKey, rk, key->rounds, bits/32); 635 return 0; 636 } 637 638 /** 639 * Expand the cipher key into the decryption key schedule. 640 */ 641 int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 642 AES_KEY *key) 643 { 644 return AES_set_encrypt_key(userKey, bits, key); 645 } 646 647 /* 648 * Encrypt a single block 649 * in and out can overlap 650 */ 651 void AES_encrypt(const unsigned char *in, unsigned char *out, 652 const AES_KEY *key) 653 { 654 const u64 *rk; 655 656 assert(in && out && key); 657 rk = (u64*)key->rd_key; 658 659 Cipher(in, out, rk, key->rounds); 660 } 661 662 /* 663 * Decrypt a single block 664 * in and out can overlap 665 */ 666 void AES_decrypt(const unsigned char *in, unsigned char *out, 667 const AES_KEY *key) 668 { 669 const u64 *rk; 670 671 assert(in && out && key); 672 rk = (u64*)key->rd_key; 673 674 InvCipher(in, out, rk, key->rounds); 675 } 676 677 # ifndef OPENSSL_SMALL_FOOTPRINT 678 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 679 size_t blocks, const AES_KEY *key, 680 const unsigned char *ivec); 681 682 static void RawToBits(const u8 raw[64], u64 bits[8]) 683 { 684 int i, j; 685 u64 in, out; 686 687 memset(bits, 0, 64); 688 for (i = 0; i < 8; i++) { 689 in = 0; 690 for (j = 0; j < 8; j++) 691 in |= ((u64)raw[i * 8 + j]) << (8 * j); 692 out = in & 0xF0F0F0F00F0F0F0FuLL; 693 out |= (in & 0x0F0F0F0F00000000uLL) >> 28; 694 out |= (in & 0x00000000F0F0F0F0uLL) << 28; 695 in = out & 0xCCCC3333CCCC3333uLL; 696 in |= (out & 0x3333000033330000uLL) >> 14; 697 in |= (out & 0x0000CCCC0000CCCCuLL) << 14; 698 out = in & 0xAA55AA55AA55AA55uLL; 699 out |= (in & 0x5500550055005500uLL) >> 7; 700 out |= (in & 0x00AA00AA00AA00AAuLL) << 7; 701 for (j = 0; j < 8; j++) { 702 bits[j] |= (out & 0xFFuLL) << (8 * i); 703 out = out >> 8; 704 } 705 } 706 } 707 708 static void BitsToRaw(const u64 bits[8], u8 raw[64]) 709 { 710 int i, j; 711 u64 in, out; 712 713 for (i = 0; i < 8; i++) { 714 in = 0; 715 for (j = 0; j < 8; j++) 716 in |= ((bits[j] >> (8 * i)) & 0xFFuLL) << (8 * j); 717 out = in & 0xF0F0F0F00F0F0F0FuLL; 718 out |= (in & 0x0F0F0F0F00000000uLL) >> 28; 719 out |= (in & 0x00000000F0F0F0F0uLL) << 28; 720 in = out & 0xCCCC3333CCCC3333uLL; 721 in |= (out & 0x3333000033330000uLL) >> 14; 722 in |= (out & 0x0000CCCC0000CCCCuLL) << 14; 723 out = in & 0xAA55AA55AA55AA55uLL; 724 out |= (in & 0x5500550055005500uLL) >> 7; 725 out |= (in & 0x00AA00AA00AA00AAuLL) << 7; 726 for (j = 0; j < 8; j++) { 727 raw[i * 8 + j] = (u8)out; 728 out = out >> 8; 729 } 730 } 731 } 732 733 static void BitsXtime(u64 state[8]) 734 { 735 u64 b; 736 737 b = state[7]; 738 state[7] = state[6]; 739 state[6] = state[5]; 740 state[5] = state[4]; 741 state[4] = state[3] ^ b; 742 state[3] = state[2] ^ b; 743 state[2] = state[1]; 744 state[1] = state[0] ^ b; 745 state[0] = b; 746 } 747 748 /* 749 * This S-box implementation follows a circuit described in 750 * Boyar and Peralta: "A new combinational logic minimization 751 * technique with applications to cryptology." 752 * https://eprint.iacr.org/2009/191.pdf 753 * 754 * The math is similar to above, in that it uses 755 * a tower field of GF(2^2^2^2) but with a different 756 * basis representation, that is better suited to 757 * logic designs. 758 */ 759 static void BitsSub(u64 state[8]) 760 { 761 u64 x0, x1, x2, x3, x4, x5, x6, x7; 762 u64 y1, y2, y3, y4, y5, y6, y7, y8, y9, y10, y11; 763 u64 y12, y13, y14, y15, y16, y17, y18, y19, y20, y21; 764 u64 t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11; 765 u64 t12, t13, t14, t15, t16, t17, t18, t19, t20, t21; 766 u64 t22, t23, t24, t25, t26, t27, t28, t29, t30, t31; 767 u64 t32, t33, t34, t35, t36, t37, t38, t39, t40, t41; 768 u64 t42, t43, t44, t45, t46, t47, t48, t49, t50, t51; 769 u64 t52, t53, t54, t55, t56, t57, t58, t59, t60, t61; 770 u64 t62, t63, t64, t65, t66, t67; 771 u64 z0, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10, z11; 772 u64 z12, z13, z14, z15, z16, z17; 773 u64 s0, s1, s2, s3, s4, s5, s6, s7; 774 775 x7 = state[0]; 776 x6 = state[1]; 777 x5 = state[2]; 778 x4 = state[3]; 779 x3 = state[4]; 780 x2 = state[5]; 781 x1 = state[6]; 782 x0 = state[7]; 783 y14 = x3 ^ x5; 784 y13 = x0 ^ x6; 785 y9 = x0 ^ x3; 786 y8 = x0 ^ x5; 787 t0 = x1 ^ x2; 788 y1 = t0 ^ x7; 789 y4 = y1 ^ x3; 790 y12 = y13 ^ y14; 791 y2 = y1 ^ x0; 792 y5 = y1 ^ x6; 793 y3 = y5 ^ y8; 794 t1 = x4 ^ y12; 795 y15 = t1 ^ x5; 796 y20 = t1 ^ x1; 797 y6 = y15 ^ x7; 798 y10 = y15 ^ t0; 799 y11 = y20 ^ y9; 800 y7 = x7 ^ y11; 801 y17 = y10 ^ y11; 802 y19 = y10 ^ y8; 803 y16 = t0 ^ y11; 804 y21 = y13 ^ y16; 805 y18 = x0 ^ y16; 806 t2 = y12 & y15; 807 t3 = y3 & y6; 808 t4 = t3 ^ t2; 809 t5 = y4 & x7; 810 t6 = t5 ^ t2; 811 t7 = y13 & y16; 812 t8 = y5 & y1; 813 t9 = t8 ^ t7; 814 t10 = y2 & y7; 815 t11 = t10 ^ t7; 816 t12 = y9 & y11; 817 t13 = y14 & y17; 818 t14 = t13 ^ t12; 819 t15 = y8 & y10; 820 t16 = t15 ^ t12; 821 t17 = t4 ^ t14; 822 t18 = t6 ^ t16; 823 t19 = t9 ^ t14; 824 t20 = t11 ^ t16; 825 t21 = t17 ^ y20; 826 t22 = t18 ^ y19; 827 t23 = t19 ^ y21; 828 t24 = t20 ^ y18; 829 t25 = t21 ^ t22; 830 t26 = t21 & t23; 831 t27 = t24 ^ t26; 832 t28 = t25 & t27; 833 t29 = t28 ^ t22; 834 t30 = t23 ^ t24; 835 t31 = t22 ^ t26; 836 t32 = t31 & t30; 837 t33 = t32 ^ t24; 838 t34 = t23 ^ t33; 839 t35 = t27 ^ t33; 840 t36 = t24 & t35; 841 t37 = t36 ^ t34; 842 t38 = t27 ^ t36; 843 t39 = t29 & t38; 844 t40 = t25 ^ t39; 845 t41 = t40 ^ t37; 846 t42 = t29 ^ t33; 847 t43 = t29 ^ t40; 848 t44 = t33 ^ t37; 849 t45 = t42 ^ t41; 850 z0 = t44 & y15; 851 z1 = t37 & y6; 852 z2 = t33 & x7; 853 z3 = t43 & y16; 854 z4 = t40 & y1; 855 z5 = t29 & y7; 856 z6 = t42 & y11; 857 z7 = t45 & y17; 858 z8 = t41 & y10; 859 z9 = t44 & y12; 860 z10 = t37 & y3; 861 z11 = t33 & y4; 862 z12 = t43 & y13; 863 z13 = t40 & y5; 864 z14 = t29 & y2; 865 z15 = t42 & y9; 866 z16 = t45 & y14; 867 z17 = t41 & y8; 868 t46 = z15 ^ z16; 869 t47 = z10 ^ z11; 870 t48 = z5 ^ z13; 871 t49 = z9 ^ z10; 872 t50 = z2 ^ z12; 873 t51 = z2 ^ z5; 874 t52 = z7 ^ z8; 875 t53 = z0 ^ z3; 876 t54 = z6 ^ z7; 877 t55 = z16 ^ z17; 878 t56 = z12 ^ t48; 879 t57 = t50 ^ t53; 880 t58 = z4 ^ t46; 881 t59 = z3 ^ t54; 882 t60 = t46 ^ t57; 883 t61 = z14 ^ t57; 884 t62 = t52 ^ t58; 885 t63 = t49 ^ t58; 886 t64 = z4 ^ t59; 887 t65 = t61 ^ t62; 888 t66 = z1 ^ t63; 889 s0 = t59 ^ t63; 890 s6 = ~(t56 ^ t62); 891 s7 = ~(t48 ^ t60); 892 t67 = t64 ^ t65; 893 s3 = t53 ^ t66; 894 s4 = t51 ^ t66; 895 s5 = t47 ^ t65; 896 s1 = ~(t64 ^ s3); 897 s2 = ~(t55 ^ t67); 898 state[0] = s7; 899 state[1] = s6; 900 state[2] = s5; 901 state[3] = s4; 902 state[4] = s3; 903 state[5] = s2; 904 state[6] = s1; 905 state[7] = s0; 906 } 907 908 static void BitsShiftRows(u64 state[8]) 909 { 910 u64 s, s0; 911 int i; 912 913 for (i = 0; i < 8; i++) { 914 s = state[i]; 915 s0 = s & 0x1111111111111111uLL; 916 s0 |= ((s & 0x2220222022202220uLL) >> 4) | ((s & 0x0002000200020002uLL) << 12); 917 s0 |= ((s & 0x4400440044004400uLL) >> 8) | ((s & 0x0044004400440044uLL) << 8); 918 s0 |= ((s & 0x8000800080008000uLL) >> 12) | ((s & 0x0888088808880888uLL) << 4); 919 state[i] = s0; 920 } 921 } 922 923 static void BitsMixColumns(u64 state[8]) 924 { 925 u64 s1, s; 926 u64 s0[8]; 927 int i; 928 929 for (i = 0; i < 8; i++) { 930 s1 = state[i]; 931 s = s1; 932 s ^= ((s & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((s & 0x3333333333333333uLL) << 2); 933 s ^= ((s & 0xAAAAAAAAAAAAAAAAuLL) >> 1) | ((s & 0x5555555555555555uLL) << 1); 934 s ^= s1; 935 s0[i] = s; 936 } 937 BitsXtime(state); 938 for (i = 0; i < 8; i++) { 939 s1 = state[i]; 940 s = s0[i]; 941 s ^= s1; 942 s ^= ((s1 & 0xEEEEEEEEEEEEEEEEuLL) >> 1) | ((s1 & 0x1111111111111111uLL) << 3); 943 state[i] = s; 944 } 945 } 946 947 static void BitsAddRoundKey(u64 state[8], const u64 key[8]) 948 { 949 int i; 950 951 for (i = 0; i < 8; i++) 952 state[i] ^= key[i]; 953 } 954 955 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, 956 size_t blocks, const AES_KEY *key, 957 const unsigned char *ivec) 958 { 959 struct { 960 u8 cipher[64]; 961 u64 state[8]; 962 u64 rd_key[AES_MAXNR + 1][8]; 963 } *bs; 964 u32 ctr32; 965 int i; 966 967 ctr32 = GETU32(ivec + 12); 968 if (blocks >= 4 969 && (bs = OPENSSL_malloc(sizeof(*bs)))) { 970 for (i = 0; i < key->rounds + 1; i++) { 971 memcpy(bs->cipher + 0, &key->rd_key[4 * i], 16); 972 memcpy(bs->cipher + 16, bs->cipher, 16); 973 memcpy(bs->cipher + 32, bs->cipher, 32); 974 RawToBits(bs->cipher, bs->rd_key[i]); 975 } 976 while (blocks) { 977 memcpy(bs->cipher, ivec, 12); 978 PUTU32(bs->cipher + 12, ctr32); 979 ctr32++; 980 memcpy(bs->cipher + 16, ivec, 12); 981 PUTU32(bs->cipher + 28, ctr32); 982 ctr32++; 983 memcpy(bs->cipher + 32, ivec, 12); 984 PUTU32(bs->cipher + 44, ctr32); 985 ctr32++; 986 memcpy(bs->cipher + 48, ivec, 12); 987 PUTU32(bs->cipher + 60, ctr32); 988 ctr32++; 989 RawToBits(bs->cipher, bs->state); 990 BitsAddRoundKey(bs->state, bs->rd_key[0]); 991 for (i = 1; i < key->rounds; i++) { 992 BitsSub(bs->state); 993 BitsShiftRows(bs->state); 994 BitsMixColumns(bs->state); 995 BitsAddRoundKey(bs->state, bs->rd_key[i]); 996 } 997 BitsSub(bs->state); 998 BitsShiftRows(bs->state); 999 BitsAddRoundKey(bs->state, bs->rd_key[key->rounds]); 1000 BitsToRaw(bs->state, bs->cipher); 1001 for (i = 0; i < 64 && blocks; i++) { 1002 out[i] = in[i] ^ bs->cipher[i]; 1003 if ((i & 15) == 15) 1004 blocks--; 1005 } 1006 in += i; 1007 out += i; 1008 } 1009 OPENSSL_clear_free(bs, sizeof(*bs)); 1010 } else { 1011 unsigned char cipher[16]; 1012 1013 while (blocks) { 1014 memcpy(cipher, ivec, 12); 1015 PUTU32(cipher + 12, ctr32); 1016 AES_encrypt(cipher, cipher, key); 1017 for (i = 0; i < 16; i++) 1018 out[i] = in[i] ^ cipher[i]; 1019 in += 16; 1020 out += 16; 1021 ctr32++; 1022 blocks--; 1023 } 1024 } 1025 } 1026 # endif 1027 #elif !defined(AES_ASM) 1028 /*- 1029 Te0[x] = S [x].[02, 01, 01, 03]; 1030 Te1[x] = S [x].[03, 02, 01, 01]; 1031 Te2[x] = S [x].[01, 03, 02, 01]; 1032 Te3[x] = S [x].[01, 01, 03, 02]; 1033 1034 Td0[x] = Si[x].[0e, 09, 0d, 0b]; 1035 Td1[x] = Si[x].[0b, 0e, 09, 0d]; 1036 Td2[x] = Si[x].[0d, 0b, 0e, 09]; 1037 Td3[x] = Si[x].[09, 0d, 0b, 0e]; 1038 Td4[x] = Si[x].[01]; 1039 */ 1040 1041 static const u32 Te0[256] = { 1042 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, 1043 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, 1044 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, 1045 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, 1046 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U, 1047 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU, 1048 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU, 1049 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU, 1050 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU, 1051 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU, 1052 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U, 1053 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU, 1054 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU, 1055 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U, 1056 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU, 1057 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU, 1058 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU, 1059 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU, 1060 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU, 1061 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U, 1062 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU, 1063 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU, 1064 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU, 1065 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU, 1066 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U, 1067 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U, 1068 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U, 1069 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U, 1070 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU, 1071 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U, 1072 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U, 1073 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU, 1074 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU, 1075 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U, 1076 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U, 1077 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U, 1078 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU, 1079 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U, 1080 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU, 1081 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U, 1082 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU, 1083 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U, 1084 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U, 1085 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU, 1086 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U, 1087 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U, 1088 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U, 1089 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U, 1090 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U, 1091 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U, 1092 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U, 1093 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U, 1094 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU, 1095 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U, 1096 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U, 1097 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U, 1098 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U, 1099 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U, 1100 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U, 1101 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU, 1102 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U, 1103 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U, 1104 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, 1105 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, 1106 }; 1107 static const u32 Te1[256] = { 1108 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU, 1109 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, 1110 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, 1111 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U, 1112 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU, 1113 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U, 1114 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU, 1115 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U, 1116 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U, 1117 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU, 1118 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U, 1119 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U, 1120 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U, 1121 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU, 1122 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U, 1123 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U, 1124 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU, 1125 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U, 1126 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U, 1127 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U, 1128 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU, 1129 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU, 1130 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U, 1131 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU, 1132 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU, 1133 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U, 1134 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU, 1135 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U, 1136 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU, 1137 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U, 1138 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U, 1139 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U, 1140 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU, 1141 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U, 1142 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU, 1143 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U, 1144 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU, 1145 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U, 1146 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U, 1147 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU, 1148 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU, 1149 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU, 1150 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U, 1151 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U, 1152 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU, 1153 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U, 1154 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU, 1155 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U, 1156 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU, 1157 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U, 1158 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU, 1159 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU, 1160 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U, 1161 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU, 1162 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U, 1163 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU, 1164 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U, 1165 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U, 1166 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U, 1167 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU, 1168 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU, 1169 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U, 1170 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU, 1171 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U, 1172 }; 1173 static const u32 Te2[256] = { 1174 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, 1175 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, 1176 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, 1177 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U, 1178 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU, 1179 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U, 1180 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU, 1181 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U, 1182 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U, 1183 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU, 1184 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U, 1185 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U, 1186 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U, 1187 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU, 1188 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U, 1189 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U, 1190 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU, 1191 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U, 1192 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U, 1193 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U, 1194 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU, 1195 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU, 1196 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U, 1197 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU, 1198 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU, 1199 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U, 1200 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU, 1201 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U, 1202 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU, 1203 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U, 1204 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U, 1205 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U, 1206 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU, 1207 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U, 1208 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU, 1209 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U, 1210 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU, 1211 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U, 1212 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U, 1213 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU, 1214 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU, 1215 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU, 1216 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U, 1217 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U, 1218 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU, 1219 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U, 1220 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU, 1221 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U, 1222 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU, 1223 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U, 1224 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU, 1225 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU, 1226 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U, 1227 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU, 1228 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U, 1229 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU, 1230 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U, 1231 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U, 1232 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U, 1233 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU, 1234 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU, 1235 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U, 1236 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, 1237 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, 1238 }; 1239 static const u32 Te3[256] = { 1240 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, 1241 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, 1242 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U, 1243 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, 1244 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU, 1245 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU, 1246 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U, 1247 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU, 1248 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU, 1249 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U, 1250 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U, 1251 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU, 1252 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU, 1253 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU, 1254 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU, 1255 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU, 1256 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U, 1257 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU, 1258 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU, 1259 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U, 1260 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U, 1261 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U, 1262 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U, 1263 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U, 1264 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU, 1265 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U, 1266 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU, 1267 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU, 1268 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U, 1269 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U, 1270 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U, 1271 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU, 1272 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U, 1273 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU, 1274 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU, 1275 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U, 1276 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U, 1277 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU, 1278 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U, 1279 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU, 1280 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U, 1281 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U, 1282 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U, 1283 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U, 1284 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU, 1285 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U, 1286 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU, 1287 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U, 1288 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU, 1289 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U, 1290 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU, 1291 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU, 1292 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU, 1293 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU, 1294 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U, 1295 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U, 1296 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U, 1297 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U, 1298 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U, 1299 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U, 1300 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU, 1301 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U, 1302 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, 1303 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, 1304 }; 1305 1306 static const u32 Td0[256] = { 1307 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, 1308 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, 1309 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, 1310 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU, 1311 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U, 1312 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U, 1313 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU, 1314 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U, 1315 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU, 1316 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U, 1317 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U, 1318 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U, 1319 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U, 1320 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU, 1321 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U, 1322 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU, 1323 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U, 1324 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU, 1325 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U, 1326 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U, 1327 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U, 1328 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU, 1329 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U, 1330 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU, 1331 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U, 1332 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU, 1333 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U, 1334 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU, 1335 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU, 1336 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U, 1337 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU, 1338 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U, 1339 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU, 1340 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U, 1341 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U, 1342 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U, 1343 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU, 1344 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U, 1345 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U, 1346 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU, 1347 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U, 1348 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U, 1349 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U, 1350 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U, 1351 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U, 1352 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU, 1353 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U, 1354 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U, 1355 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U, 1356 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U, 1357 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U, 1358 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU, 1359 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU, 1360 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU, 1361 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU, 1362 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U, 1363 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U, 1364 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU, 1365 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU, 1366 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U, 1367 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU, 1368 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U, 1369 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U, 1370 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U, 1371 }; 1372 static const u32 Td1[256] = { 1373 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU, 1374 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U, 1375 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU, 1376 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U, 1377 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U, 1378 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U, 1379 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U, 1380 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U, 1381 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U, 1382 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU, 1383 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU, 1384 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU, 1385 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U, 1386 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU, 1387 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U, 1388 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U, 1389 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U, 1390 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU, 1391 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU, 1392 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U, 1393 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU, 1394 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U, 1395 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU, 1396 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU, 1397 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U, 1398 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U, 1399 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U, 1400 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU, 1401 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U, 1402 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU, 1403 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U, 1404 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U, 1405 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U, 1406 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU, 1407 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U, 1408 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U, 1409 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U, 1410 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U, 1411 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U, 1412 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U, 1413 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU, 1414 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU, 1415 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U, 1416 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU, 1417 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U, 1418 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU, 1419 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU, 1420 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U, 1421 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU, 1422 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U, 1423 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U, 1424 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U, 1425 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U, 1426 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U, 1427 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U, 1428 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U, 1429 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU, 1430 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U, 1431 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U, 1432 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU, 1433 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U, 1434 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U, 1435 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U, 1436 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U, 1437 }; 1438 static const u32 Td2[256] = { 1439 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U, 1440 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U, 1441 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U, 1442 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U, 1443 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU, 1444 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U, 1445 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U, 1446 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U, 1447 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U, 1448 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU, 1449 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U, 1450 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U, 1451 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU, 1452 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U, 1453 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U, 1454 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U, 1455 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U, 1456 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U, 1457 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U, 1458 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU, 1459 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U, 1460 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U, 1461 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U, 1462 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U, 1463 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U, 1464 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU, 1465 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU, 1466 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U, 1467 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU, 1468 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U, 1469 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU, 1470 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU, 1471 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU, 1472 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU, 1473 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U, 1474 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U, 1475 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U, 1476 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U, 1477 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U, 1478 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U, 1479 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U, 1480 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU, 1481 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU, 1482 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U, 1483 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U, 1484 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU, 1485 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU, 1486 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U, 1487 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U, 1488 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U, 1489 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U, 1490 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U, 1491 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U, 1492 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U, 1493 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU, 1494 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U, 1495 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U, 1496 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U, 1497 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U, 1498 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U, 1499 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U, 1500 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU, 1501 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U, 1502 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U, 1503 }; 1504 static const u32 Td3[256] = { 1505 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU, 1506 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU, 1507 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U, 1508 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U, 1509 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU, 1510 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU, 1511 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U, 1512 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU, 1513 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U, 1514 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU, 1515 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U, 1516 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U, 1517 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U, 1518 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U, 1519 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U, 1520 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU, 1521 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU, 1522 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U, 1523 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U, 1524 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU, 1525 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU, 1526 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U, 1527 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U, 1528 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U, 1529 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U, 1530 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU, 1531 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U, 1532 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U, 1533 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU, 1534 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU, 1535 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U, 1536 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U, 1537 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U, 1538 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU, 1539 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U, 1540 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U, 1541 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U, 1542 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U, 1543 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U, 1544 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U, 1545 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U, 1546 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU, 1547 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U, 1548 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U, 1549 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU, 1550 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU, 1551 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U, 1552 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU, 1553 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U, 1554 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U, 1555 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U, 1556 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U, 1557 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U, 1558 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U, 1559 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU, 1560 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU, 1561 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU, 1562 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU, 1563 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U, 1564 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U, 1565 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U, 1566 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU, 1567 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U, 1568 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U, 1569 }; 1570 static const u8 Td4[256] = { 1571 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U, 1572 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU, 1573 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U, 1574 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU, 1575 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU, 1576 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU, 1577 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U, 1578 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U, 1579 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U, 1580 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U, 1581 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU, 1582 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U, 1583 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU, 1584 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U, 1585 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U, 1586 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU, 1587 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU, 1588 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U, 1589 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U, 1590 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU, 1591 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U, 1592 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU, 1593 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U, 1594 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U, 1595 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U, 1596 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU, 1597 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU, 1598 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU, 1599 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U, 1600 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U, 1601 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U, 1602 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU, 1603 }; 1604 static const u32 rcon[] = { 1605 0x01000000, 0x02000000, 0x04000000, 0x08000000, 1606 0x10000000, 0x20000000, 0x40000000, 0x80000000, 1607 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ 1608 }; 1609 1610 /** 1611 * Expand the cipher key into the encryption key schedule. 1612 */ 1613 int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 1614 AES_KEY *key) 1615 { 1616 1617 u32 *rk; 1618 int i = 0; 1619 u32 temp; 1620 1621 if (!userKey || !key) 1622 return -1; 1623 if (bits != 128 && bits != 192 && bits != 256) 1624 return -2; 1625 1626 rk = key->rd_key; 1627 1628 if (bits == 128) 1629 key->rounds = 10; 1630 else if (bits == 192) 1631 key->rounds = 12; 1632 else 1633 key->rounds = 14; 1634 1635 rk[0] = GETU32(userKey ); 1636 rk[1] = GETU32(userKey + 4); 1637 rk[2] = GETU32(userKey + 8); 1638 rk[3] = GETU32(userKey + 12); 1639 if (bits == 128) { 1640 while (1) { 1641 temp = rk[3]; 1642 rk[4] = rk[0] ^ 1643 (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ 1644 (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ 1645 (Te0[(temp ) & 0xff] & 0x0000ff00) ^ 1646 (Te1[(temp >> 24) ] & 0x000000ff) ^ 1647 rcon[i]; 1648 rk[5] = rk[1] ^ rk[4]; 1649 rk[6] = rk[2] ^ rk[5]; 1650 rk[7] = rk[3] ^ rk[6]; 1651 if (++i == 10) { 1652 return 0; 1653 } 1654 rk += 4; 1655 } 1656 } 1657 rk[4] = GETU32(userKey + 16); 1658 rk[5] = GETU32(userKey + 20); 1659 if (bits == 192) { 1660 while (1) { 1661 temp = rk[ 5]; 1662 rk[ 6] = rk[ 0] ^ 1663 (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ 1664 (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ 1665 (Te0[(temp ) & 0xff] & 0x0000ff00) ^ 1666 (Te1[(temp >> 24) ] & 0x000000ff) ^ 1667 rcon[i]; 1668 rk[ 7] = rk[ 1] ^ rk[ 6]; 1669 rk[ 8] = rk[ 2] ^ rk[ 7]; 1670 rk[ 9] = rk[ 3] ^ rk[ 8]; 1671 if (++i == 8) { 1672 return 0; 1673 } 1674 rk[10] = rk[ 4] ^ rk[ 9]; 1675 rk[11] = rk[ 5] ^ rk[10]; 1676 rk += 6; 1677 } 1678 } 1679 rk[6] = GETU32(userKey + 24); 1680 rk[7] = GETU32(userKey + 28); 1681 if (bits == 256) { 1682 while (1) { 1683 temp = rk[ 7]; 1684 rk[ 8] = rk[ 0] ^ 1685 (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ 1686 (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ 1687 (Te0[(temp ) & 0xff] & 0x0000ff00) ^ 1688 (Te1[(temp >> 24) ] & 0x000000ff) ^ 1689 rcon[i]; 1690 rk[ 9] = rk[ 1] ^ rk[ 8]; 1691 rk[10] = rk[ 2] ^ rk[ 9]; 1692 rk[11] = rk[ 3] ^ rk[10]; 1693 if (++i == 7) { 1694 return 0; 1695 } 1696 temp = rk[11]; 1697 rk[12] = rk[ 4] ^ 1698 (Te2[(temp >> 24) ] & 0xff000000) ^ 1699 (Te3[(temp >> 16) & 0xff] & 0x00ff0000) ^ 1700 (Te0[(temp >> 8) & 0xff] & 0x0000ff00) ^ 1701 (Te1[(temp ) & 0xff] & 0x000000ff); 1702 rk[13] = rk[ 5] ^ rk[12]; 1703 rk[14] = rk[ 6] ^ rk[13]; 1704 rk[15] = rk[ 7] ^ rk[14]; 1705 1706 rk += 8; 1707 } 1708 } 1709 return 0; 1710 } 1711 1712 /** 1713 * Expand the cipher key into the decryption key schedule. 1714 */ 1715 int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 1716 AES_KEY *key) 1717 { 1718 1719 u32 *rk; 1720 int i, j, status; 1721 u32 temp; 1722 1723 /* first, start with an encryption schedule */ 1724 status = AES_set_encrypt_key(userKey, bits, key); 1725 if (status < 0) 1726 return status; 1727 1728 rk = key->rd_key; 1729 1730 /* invert the order of the round keys: */ 1731 for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) { 1732 temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; 1733 temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; 1734 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; 1735 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; 1736 } 1737 /* apply the inverse MixColumn transform to all round keys but the first and the last: */ 1738 for (i = 1; i < (key->rounds); i++) { 1739 rk += 4; 1740 rk[0] = 1741 Td0[Te1[(rk[0] >> 24) ] & 0xff] ^ 1742 Td1[Te1[(rk[0] >> 16) & 0xff] & 0xff] ^ 1743 Td2[Te1[(rk[0] >> 8) & 0xff] & 0xff] ^ 1744 Td3[Te1[(rk[0] ) & 0xff] & 0xff]; 1745 rk[1] = 1746 Td0[Te1[(rk[1] >> 24) ] & 0xff] ^ 1747 Td1[Te1[(rk[1] >> 16) & 0xff] & 0xff] ^ 1748 Td2[Te1[(rk[1] >> 8) & 0xff] & 0xff] ^ 1749 Td3[Te1[(rk[1] ) & 0xff] & 0xff]; 1750 rk[2] = 1751 Td0[Te1[(rk[2] >> 24) ] & 0xff] ^ 1752 Td1[Te1[(rk[2] >> 16) & 0xff] & 0xff] ^ 1753 Td2[Te1[(rk[2] >> 8) & 0xff] & 0xff] ^ 1754 Td3[Te1[(rk[2] ) & 0xff] & 0xff]; 1755 rk[3] = 1756 Td0[Te1[(rk[3] >> 24) ] & 0xff] ^ 1757 Td1[Te1[(rk[3] >> 16) & 0xff] & 0xff] ^ 1758 Td2[Te1[(rk[3] >> 8) & 0xff] & 0xff] ^ 1759 Td3[Te1[(rk[3] ) & 0xff] & 0xff]; 1760 } 1761 return 0; 1762 } 1763 1764 /* 1765 * Encrypt a single block 1766 * in and out can overlap 1767 */ 1768 void AES_encrypt(const unsigned char *in, unsigned char *out, 1769 const AES_KEY *key) { 1770 1771 const u32 *rk; 1772 u32 s0, s1, s2, s3, t0, t1, t2, t3; 1773 #ifndef FULL_UNROLL 1774 int r; 1775 #endif /* ?FULL_UNROLL */ 1776 1777 assert(in && out && key); 1778 rk = key->rd_key; 1779 1780 /* 1781 * map byte array block to cipher state 1782 * and add initial round key: 1783 */ 1784 s0 = GETU32(in ) ^ rk[0]; 1785 s1 = GETU32(in + 4) ^ rk[1]; 1786 s2 = GETU32(in + 8) ^ rk[2]; 1787 s3 = GETU32(in + 12) ^ rk[3]; 1788 #ifdef FULL_UNROLL 1789 /* round 1: */ 1790 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; 1791 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; 1792 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; 1793 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; 1794 /* round 2: */ 1795 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; 1796 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; 1797 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; 1798 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; 1799 /* round 3: */ 1800 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; 1801 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; 1802 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; 1803 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; 1804 /* round 4: */ 1805 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; 1806 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; 1807 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; 1808 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; 1809 /* round 5: */ 1810 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; 1811 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; 1812 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; 1813 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; 1814 /* round 6: */ 1815 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; 1816 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; 1817 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; 1818 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; 1819 /* round 7: */ 1820 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; 1821 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; 1822 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; 1823 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; 1824 /* round 8: */ 1825 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; 1826 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; 1827 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; 1828 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; 1829 /* round 9: */ 1830 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; 1831 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; 1832 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; 1833 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; 1834 if (key->rounds > 10) { 1835 /* round 10: */ 1836 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; 1837 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41]; 1838 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42]; 1839 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43]; 1840 /* round 11: */ 1841 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44]; 1842 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45]; 1843 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46]; 1844 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47]; 1845 if (key->rounds > 12) { 1846 /* round 12: */ 1847 s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48]; 1848 s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49]; 1849 s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50]; 1850 s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51]; 1851 /* round 13: */ 1852 t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52]; 1853 t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53]; 1854 t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54]; 1855 t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55]; 1856 } 1857 } 1858 rk += key->rounds << 2; 1859 #else /* !FULL_UNROLL */ 1860 /* 1861 * Nr - 1 full rounds: 1862 */ 1863 r = key->rounds >> 1; 1864 for (;;) { 1865 t0 = 1866 Te0[(s0 >> 24) ] ^ 1867 Te1[(s1 >> 16) & 0xff] ^ 1868 Te2[(s2 >> 8) & 0xff] ^ 1869 Te3[(s3 ) & 0xff] ^ 1870 rk[4]; 1871 t1 = 1872 Te0[(s1 >> 24) ] ^ 1873 Te1[(s2 >> 16) & 0xff] ^ 1874 Te2[(s3 >> 8) & 0xff] ^ 1875 Te3[(s0 ) & 0xff] ^ 1876 rk[5]; 1877 t2 = 1878 Te0[(s2 >> 24) ] ^ 1879 Te1[(s3 >> 16) & 0xff] ^ 1880 Te2[(s0 >> 8) & 0xff] ^ 1881 Te3[(s1 ) & 0xff] ^ 1882 rk[6]; 1883 t3 = 1884 Te0[(s3 >> 24) ] ^ 1885 Te1[(s0 >> 16) & 0xff] ^ 1886 Te2[(s1 >> 8) & 0xff] ^ 1887 Te3[(s2 ) & 0xff] ^ 1888 rk[7]; 1889 1890 rk += 8; 1891 if (--r == 0) { 1892 break; 1893 } 1894 1895 s0 = 1896 Te0[(t0 >> 24) ] ^ 1897 Te1[(t1 >> 16) & 0xff] ^ 1898 Te2[(t2 >> 8) & 0xff] ^ 1899 Te3[(t3 ) & 0xff] ^ 1900 rk[0]; 1901 s1 = 1902 Te0[(t1 >> 24) ] ^ 1903 Te1[(t2 >> 16) & 0xff] ^ 1904 Te2[(t3 >> 8) & 0xff] ^ 1905 Te3[(t0 ) & 0xff] ^ 1906 rk[1]; 1907 s2 = 1908 Te0[(t2 >> 24) ] ^ 1909 Te1[(t3 >> 16) & 0xff] ^ 1910 Te2[(t0 >> 8) & 0xff] ^ 1911 Te3[(t1 ) & 0xff] ^ 1912 rk[2]; 1913 s3 = 1914 Te0[(t3 >> 24) ] ^ 1915 Te1[(t0 >> 16) & 0xff] ^ 1916 Te2[(t1 >> 8) & 0xff] ^ 1917 Te3[(t2 ) & 0xff] ^ 1918 rk[3]; 1919 } 1920 #endif /* ?FULL_UNROLL */ 1921 /* 1922 * apply last round and 1923 * map cipher state to byte array block: 1924 */ 1925 s0 = 1926 (Te2[(t0 >> 24) ] & 0xff000000) ^ 1927 (Te3[(t1 >> 16) & 0xff] & 0x00ff0000) ^ 1928 (Te0[(t2 >> 8) & 0xff] & 0x0000ff00) ^ 1929 (Te1[(t3 ) & 0xff] & 0x000000ff) ^ 1930 rk[0]; 1931 PUTU32(out , s0); 1932 s1 = 1933 (Te2[(t1 >> 24) ] & 0xff000000) ^ 1934 (Te3[(t2 >> 16) & 0xff] & 0x00ff0000) ^ 1935 (Te0[(t3 >> 8) & 0xff] & 0x0000ff00) ^ 1936 (Te1[(t0 ) & 0xff] & 0x000000ff) ^ 1937 rk[1]; 1938 PUTU32(out + 4, s1); 1939 s2 = 1940 (Te2[(t2 >> 24) ] & 0xff000000) ^ 1941 (Te3[(t3 >> 16) & 0xff] & 0x00ff0000) ^ 1942 (Te0[(t0 >> 8) & 0xff] & 0x0000ff00) ^ 1943 (Te1[(t1 ) & 0xff] & 0x000000ff) ^ 1944 rk[2]; 1945 PUTU32(out + 8, s2); 1946 s3 = 1947 (Te2[(t3 >> 24) ] & 0xff000000) ^ 1948 (Te3[(t0 >> 16) & 0xff] & 0x00ff0000) ^ 1949 (Te0[(t1 >> 8) & 0xff] & 0x0000ff00) ^ 1950 (Te1[(t2 ) & 0xff] & 0x000000ff) ^ 1951 rk[3]; 1952 PUTU32(out + 12, s3); 1953 } 1954 1955 /* 1956 * Decrypt a single block 1957 * in and out can overlap 1958 */ 1959 void AES_decrypt(const unsigned char *in, unsigned char *out, 1960 const AES_KEY *key) 1961 { 1962 1963 const u32 *rk; 1964 u32 s0, s1, s2, s3, t0, t1, t2, t3; 1965 #ifndef FULL_UNROLL 1966 int r; 1967 #endif /* ?FULL_UNROLL */ 1968 1969 assert(in && out && key); 1970 rk = key->rd_key; 1971 1972 /* 1973 * map byte array block to cipher state 1974 * and add initial round key: 1975 */ 1976 s0 = GETU32(in ) ^ rk[0]; 1977 s1 = GETU32(in + 4) ^ rk[1]; 1978 s2 = GETU32(in + 8) ^ rk[2]; 1979 s3 = GETU32(in + 12) ^ rk[3]; 1980 #ifdef FULL_UNROLL 1981 /* round 1: */ 1982 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4]; 1983 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5]; 1984 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6]; 1985 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7]; 1986 /* round 2: */ 1987 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8]; 1988 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9]; 1989 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10]; 1990 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11]; 1991 /* round 3: */ 1992 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12]; 1993 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13]; 1994 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14]; 1995 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15]; 1996 /* round 4: */ 1997 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16]; 1998 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17]; 1999 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18]; 2000 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19]; 2001 /* round 5: */ 2002 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20]; 2003 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21]; 2004 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22]; 2005 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23]; 2006 /* round 6: */ 2007 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24]; 2008 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25]; 2009 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26]; 2010 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27]; 2011 /* round 7: */ 2012 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28]; 2013 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29]; 2014 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30]; 2015 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31]; 2016 /* round 8: */ 2017 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32]; 2018 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33]; 2019 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34]; 2020 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35]; 2021 /* round 9: */ 2022 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36]; 2023 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37]; 2024 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38]; 2025 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39]; 2026 if (key->rounds > 10) { 2027 /* round 10: */ 2028 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40]; 2029 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41]; 2030 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42]; 2031 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43]; 2032 /* round 11: */ 2033 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44]; 2034 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45]; 2035 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46]; 2036 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47]; 2037 if (key->rounds > 12) { 2038 /* round 12: */ 2039 s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48]; 2040 s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49]; 2041 s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50]; 2042 s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51]; 2043 /* round 13: */ 2044 t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52]; 2045 t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53]; 2046 t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54]; 2047 t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55]; 2048 } 2049 } 2050 rk += key->rounds << 2; 2051 #else /* !FULL_UNROLL */ 2052 /* 2053 * Nr - 1 full rounds: 2054 */ 2055 r = key->rounds >> 1; 2056 for (;;) { 2057 t0 = 2058 Td0[(s0 >> 24) ] ^ 2059 Td1[(s3 >> 16) & 0xff] ^ 2060 Td2[(s2 >> 8) & 0xff] ^ 2061 Td3[(s1 ) & 0xff] ^ 2062 rk[4]; 2063 t1 = 2064 Td0[(s1 >> 24) ] ^ 2065 Td1[(s0 >> 16) & 0xff] ^ 2066 Td2[(s3 >> 8) & 0xff] ^ 2067 Td3[(s2 ) & 0xff] ^ 2068 rk[5]; 2069 t2 = 2070 Td0[(s2 >> 24) ] ^ 2071 Td1[(s1 >> 16) & 0xff] ^ 2072 Td2[(s0 >> 8) & 0xff] ^ 2073 Td3[(s3 ) & 0xff] ^ 2074 rk[6]; 2075 t3 = 2076 Td0[(s3 >> 24) ] ^ 2077 Td1[(s2 >> 16) & 0xff] ^ 2078 Td2[(s1 >> 8) & 0xff] ^ 2079 Td3[(s0 ) & 0xff] ^ 2080 rk[7]; 2081 2082 rk += 8; 2083 if (--r == 0) { 2084 break; 2085 } 2086 2087 s0 = 2088 Td0[(t0 >> 24) ] ^ 2089 Td1[(t3 >> 16) & 0xff] ^ 2090 Td2[(t2 >> 8) & 0xff] ^ 2091 Td3[(t1 ) & 0xff] ^ 2092 rk[0]; 2093 s1 = 2094 Td0[(t1 >> 24) ] ^ 2095 Td1[(t0 >> 16) & 0xff] ^ 2096 Td2[(t3 >> 8) & 0xff] ^ 2097 Td3[(t2 ) & 0xff] ^ 2098 rk[1]; 2099 s2 = 2100 Td0[(t2 >> 24) ] ^ 2101 Td1[(t1 >> 16) & 0xff] ^ 2102 Td2[(t0 >> 8) & 0xff] ^ 2103 Td3[(t3 ) & 0xff] ^ 2104 rk[2]; 2105 s3 = 2106 Td0[(t3 >> 24) ] ^ 2107 Td1[(t2 >> 16) & 0xff] ^ 2108 Td2[(t1 >> 8) & 0xff] ^ 2109 Td3[(t0 ) & 0xff] ^ 2110 rk[3]; 2111 } 2112 #endif /* ?FULL_UNROLL */ 2113 /* 2114 * apply last round and 2115 * map cipher state to byte array block: 2116 */ 2117 s0 = 2118 ((u32)Td4[(t0 >> 24) ] << 24) ^ 2119 ((u32)Td4[(t3 >> 16) & 0xff] << 16) ^ 2120 ((u32)Td4[(t2 >> 8) & 0xff] << 8) ^ 2121 ((u32)Td4[(t1 ) & 0xff]) ^ 2122 rk[0]; 2123 PUTU32(out , s0); 2124 s1 = 2125 ((u32)Td4[(t1 >> 24) ] << 24) ^ 2126 ((u32)Td4[(t0 >> 16) & 0xff] << 16) ^ 2127 ((u32)Td4[(t3 >> 8) & 0xff] << 8) ^ 2128 ((u32)Td4[(t2 ) & 0xff]) ^ 2129 rk[1]; 2130 PUTU32(out + 4, s1); 2131 s2 = 2132 ((u32)Td4[(t2 >> 24) ] << 24) ^ 2133 ((u32)Td4[(t1 >> 16) & 0xff] << 16) ^ 2134 ((u32)Td4[(t0 >> 8) & 0xff] << 8) ^ 2135 ((u32)Td4[(t3 ) & 0xff]) ^ 2136 rk[2]; 2137 PUTU32(out + 8, s2); 2138 s3 = 2139 ((u32)Td4[(t3 >> 24) ] << 24) ^ 2140 ((u32)Td4[(t2 >> 16) & 0xff] << 16) ^ 2141 ((u32)Td4[(t1 >> 8) & 0xff] << 8) ^ 2142 ((u32)Td4[(t0 ) & 0xff]) ^ 2143 rk[3]; 2144 PUTU32(out + 12, s3); 2145 } 2146 2147 #else /* AES_ASM */ 2148 2149 static const u8 Te4[256] = { 2150 0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U, 2151 0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U, 2152 0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U, 2153 0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U, 2154 0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU, 2155 0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U, 2156 0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU, 2157 0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U, 2158 0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U, 2159 0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U, 2160 0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU, 2161 0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU, 2162 0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U, 2163 0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U, 2164 0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U, 2165 0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U, 2166 0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U, 2167 0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U, 2168 0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U, 2169 0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU, 2170 0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU, 2171 0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U, 2172 0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U, 2173 0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U, 2174 0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U, 2175 0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU, 2176 0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU, 2177 0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU, 2178 0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U, 2179 0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU, 2180 0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U, 2181 0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U 2182 }; 2183 static const u32 rcon[] = { 2184 0x01000000, 0x02000000, 0x04000000, 0x08000000, 2185 0x10000000, 0x20000000, 0x40000000, 0x80000000, 2186 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ 2187 }; 2188 2189 /** 2190 * Expand the cipher key into the encryption key schedule. 2191 */ 2192 int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 2193 AES_KEY *key) 2194 { 2195 u32 *rk; 2196 int i = 0; 2197 u32 temp; 2198 2199 if (!userKey || !key) 2200 return -1; 2201 if (bits != 128 && bits != 192 && bits != 256) 2202 return -2; 2203 2204 rk = key->rd_key; 2205 2206 if (bits == 128) 2207 key->rounds = 10; 2208 else if (bits == 192) 2209 key->rounds = 12; 2210 else 2211 key->rounds = 14; 2212 2213 rk[0] = GETU32(userKey ); 2214 rk[1] = GETU32(userKey + 4); 2215 rk[2] = GETU32(userKey + 8); 2216 rk[3] = GETU32(userKey + 12); 2217 if (bits == 128) { 2218 while (1) { 2219 temp = rk[3]; 2220 rk[4] = rk[0] ^ 2221 ((u32)Te4[(temp >> 16) & 0xff] << 24) ^ 2222 ((u32)Te4[(temp >> 8) & 0xff] << 16) ^ 2223 ((u32)Te4[(temp ) & 0xff] << 8) ^ 2224 ((u32)Te4[(temp >> 24) ]) ^ 2225 rcon[i]; 2226 rk[5] = rk[1] ^ rk[4]; 2227 rk[6] = rk[2] ^ rk[5]; 2228 rk[7] = rk[3] ^ rk[6]; 2229 if (++i == 10) { 2230 return 0; 2231 } 2232 rk += 4; 2233 } 2234 } 2235 rk[4] = GETU32(userKey + 16); 2236 rk[5] = GETU32(userKey + 20); 2237 if (bits == 192) { 2238 while (1) { 2239 temp = rk[ 5]; 2240 rk[ 6] = rk[ 0] ^ 2241 ((u32)Te4[(temp >> 16) & 0xff] << 24) ^ 2242 ((u32)Te4[(temp >> 8) & 0xff] << 16) ^ 2243 ((u32)Te4[(temp ) & 0xff] << 8) ^ 2244 ((u32)Te4[(temp >> 24) ]) ^ 2245 rcon[i]; 2246 rk[ 7] = rk[ 1] ^ rk[ 6]; 2247 rk[ 8] = rk[ 2] ^ rk[ 7]; 2248 rk[ 9] = rk[ 3] ^ rk[ 8]; 2249 if (++i == 8) { 2250 return 0; 2251 } 2252 rk[10] = rk[ 4] ^ rk[ 9]; 2253 rk[11] = rk[ 5] ^ rk[10]; 2254 rk += 6; 2255 } 2256 } 2257 rk[6] = GETU32(userKey + 24); 2258 rk[7] = GETU32(userKey + 28); 2259 if (bits == 256) { 2260 while (1) { 2261 temp = rk[ 7]; 2262 rk[ 8] = rk[ 0] ^ 2263 ((u32)Te4[(temp >> 16) & 0xff] << 24) ^ 2264 ((u32)Te4[(temp >> 8) & 0xff] << 16) ^ 2265 ((u32)Te4[(temp ) & 0xff] << 8) ^ 2266 ((u32)Te4[(temp >> 24) ]) ^ 2267 rcon[i]; 2268 rk[ 9] = rk[ 1] ^ rk[ 8]; 2269 rk[10] = rk[ 2] ^ rk[ 9]; 2270 rk[11] = rk[ 3] ^ rk[10]; 2271 if (++i == 7) { 2272 return 0; 2273 } 2274 temp = rk[11]; 2275 rk[12] = rk[ 4] ^ 2276 ((u32)Te4[(temp >> 24) ] << 24) ^ 2277 ((u32)Te4[(temp >> 16) & 0xff] << 16) ^ 2278 ((u32)Te4[(temp >> 8) & 0xff] << 8) ^ 2279 ((u32)Te4[(temp ) & 0xff]); 2280 rk[13] = rk[ 5] ^ rk[12]; 2281 rk[14] = rk[ 6] ^ rk[13]; 2282 rk[15] = rk[ 7] ^ rk[14]; 2283 2284 rk += 8; 2285 } 2286 } 2287 return 0; 2288 } 2289 2290 /** 2291 * Expand the cipher key into the decryption key schedule. 2292 */ 2293 int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 2294 AES_KEY *key) 2295 { 2296 2297 u32 *rk; 2298 int i, j, status; 2299 u32 temp; 2300 2301 /* first, start with an encryption schedule */ 2302 status = AES_set_encrypt_key(userKey, bits, key); 2303 if (status < 0) 2304 return status; 2305 2306 rk = key->rd_key; 2307 2308 /* invert the order of the round keys: */ 2309 for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) { 2310 temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; 2311 temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; 2312 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; 2313 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; 2314 } 2315 /* apply the inverse MixColumn transform to all round keys but the first and the last: */ 2316 for (i = 1; i < (key->rounds); i++) { 2317 rk += 4; 2318 for (j = 0; j < 4; j++) { 2319 u32 tp1, tp2, tp4, tp8, tp9, tpb, tpd, tpe, m; 2320 2321 tp1 = rk[j]; 2322 m = tp1 & 0x80808080; 2323 tp2 = ((tp1 & 0x7f7f7f7f) << 1) ^ 2324 ((m - (m >> 7)) & 0x1b1b1b1b); 2325 m = tp2 & 0x80808080; 2326 tp4 = ((tp2 & 0x7f7f7f7f) << 1) ^ 2327 ((m - (m >> 7)) & 0x1b1b1b1b); 2328 m = tp4 & 0x80808080; 2329 tp8 = ((tp4 & 0x7f7f7f7f) << 1) ^ 2330 ((m - (m >> 7)) & 0x1b1b1b1b); 2331 tp9 = tp8 ^ tp1; 2332 tpb = tp9 ^ tp2; 2333 tpd = tp9 ^ tp4; 2334 tpe = tp8 ^ tp4 ^ tp2; 2335 #if defined(ROTATE) 2336 rk[j] = tpe ^ ROTATE(tpd,16) ^ 2337 ROTATE(tp9,24) ^ ROTATE(tpb,8); 2338 #else 2339 rk[j] = tpe ^ (tpd >> 16) ^ (tpd << 16) ^ 2340 (tp9 >> 8) ^ (tp9 << 24) ^ 2341 (tpb >> 24) ^ (tpb << 8); 2342 #endif 2343 } 2344 } 2345 return 0; 2346 } 2347 2348 #endif /* AES_ASM */ 2349