1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved.
4
5 The redistribution and use of this software (with or without changes)
6 is allowed without the payment of fees or royalties provided that:
7
8 source code distributions include the above copyright notice, this
9 list of conditions and the following disclaimer;
10
11 binary distributions include the above copyright notice, this list
12 of conditions and the following disclaimer in their documentation.
13
14 This software is provided 'as is' with no explicit or implied warranties
15 in respect of its operation, including, but not limited to, correctness
16 and fitness for purpose.
17 ---------------------------------------------------------------------------
18 Issue Date: 20/12/2007
19 */
20
21 #define DO_TABLES
22
23 #include "aes.h"
24 #include "aesopt.h"
25
26 #include "crypto_int.h"
27 #ifdef K5_BUILTIN_AES
28
29 #if defined(STATIC_TABLES)
30
31 #define sb_data(w) {\
32 w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
33 w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
34 w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
35 w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
36 w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
37 w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
38 w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
39 w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
40 w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
41 w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
42 w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
43 w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
44 w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
45 w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
46 w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
47 w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
48 w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
49 w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
50 w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
51 w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
52 w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
53 w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
54 w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
55 w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
56 w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
57 w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
58 w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
59 w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
60 w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
61 w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
62 w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
63 w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
64
65 #define isb_data(w) {\
66 w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
67 w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
68 w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
69 w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
70 w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
71 w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
72 w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
73 w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
74 w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
75 w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
76 w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
77 w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
78 w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
79 w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
80 w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
81 w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
82 w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
83 w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
84 w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
85 w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
86 w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
87 w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
88 w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
89 w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
90 w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
91 w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
92 w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
93 w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
94 w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
95 w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
96 w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
97 w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
98
99 #define mm_data(w) {\
100 w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
101 w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
102 w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
103 w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
104 w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
105 w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
106 w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
107 w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
108 w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
109 w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
110 w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
111 w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
112 w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
113 w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
114 w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
115 w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
116 w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
117 w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
118 w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
119 w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
120 w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
121 w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
122 w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
123 w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
124 w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
125 w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
126 w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
127 w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
128 w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
129 w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
130 w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
131 w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
132
133 #define rc_data(w) {\
134 w(0x01), w(0x02), w(0x04), w(0x08), w(0x10),w(0x20), w(0x40), w(0x80),\
135 w(0x1b), w(0x36) }
136
137 #define h0(x) (x)
138
139 #define w0(p) bytes2word(p, 0, 0, 0)
140 #define w1(p) bytes2word(0, p, 0, 0)
141 #define w2(p) bytes2word(0, 0, p, 0)
142 #define w3(p) bytes2word(0, 0, 0, p)
143
144 #define u0(p) bytes2word(f2(p), p, p, f3(p))
145 #define u1(p) bytes2word(f3(p), f2(p), p, p)
146 #define u2(p) bytes2word(p, f3(p), f2(p), p)
147 #define u3(p) bytes2word(p, p, f3(p), f2(p))
148
149 #define v0(p) bytes2word(fe(p), f9(p), fd(p), fb(p))
150 #define v1(p) bytes2word(fb(p), fe(p), f9(p), fd(p))
151 #define v2(p) bytes2word(fd(p), fb(p), fe(p), f9(p))
152 #define v3(p) bytes2word(f9(p), fd(p), fb(p), fe(p))
153
154 #endif
155
156 #if defined(STATIC_TABLES) || !defined(FF_TABLES)
157
158 #define f2(x) ((x<<1) ^ (((x>>7) & 1) * WPOLY))
159 #define f4(x) ((x<<2) ^ (((x>>6) & 1) * WPOLY) ^ (((x>>6) & 2) * WPOLY))
160 #define f8(x) ((x<<3) ^ (((x>>5) & 1) * WPOLY) ^ (((x>>5) & 2) * WPOLY) \
161 ^ (((x>>5) & 4) * WPOLY))
162 #define f3(x) (f2(x) ^ x)
163 #define f9(x) (f8(x) ^ x)
164 #define fb(x) (f8(x) ^ f2(x) ^ x)
165 #define fd(x) (f8(x) ^ f4(x) ^ x)
166 #define fe(x) (f8(x) ^ f4(x) ^ f2(x))
167
168 #else
169
170 #define f2(x) ((x) ? pow[log[x] + 0x19] : 0)
171 #define f3(x) ((x) ? pow[log[x] + 0x01] : 0)
172 #define f9(x) ((x) ? pow[log[x] + 0xc7] : 0)
173 #define fb(x) ((x) ? pow[log[x] + 0x68] : 0)
174 #define fd(x) ((x) ? pow[log[x] + 0xee] : 0)
175 #define fe(x) ((x) ? pow[log[x] + 0xdf] : 0)
176
177 #endif
178
179 #include "aestab.h"
180
181 #if defined(__cplusplus)
182 extern "C"
183 {
184 #endif
185
186 #if defined(STATIC_TABLES)
187
188 /* implemented in case of wrong call for fixed tables */
189
aes_init(void)190 AES_RETURN aes_init(void)
191 {
192 return EXIT_SUCCESS;
193 }
194
195 #else /* Generate the tables for the dynamic table option */
196
197 #if defined(FF_TABLES)
198
199 #define gf_inv(x) ((x) ? pow[ 255 - log[x]] : 0)
200
201 #else
202
203 /* It will generally be sensible to use tables to compute finite
204 field multiplies and inverses but where memory is scarse this
205 code might sometimes be better. But it only has effect during
206 initialisation so its pretty unimportant in overall terms.
207 */
208
209 /* return 2 ^ (n - 1) where n is the bit number of the highest bit
210 set in x with x in the range 1 < x < 0x00000200. This form is
211 used so that locals within fi can be bytes rather than words
212 */
213
214 static uint8_t hibit(const uint32_t x)
215 { uint8_t r = (uint8_t)((x >> 1) | (x >> 2));
216
217 r |= (r >> 2);
218 r |= (r >> 4);
219 return (r + 1) >> 1;
220 }
221
222 /* return the inverse of the finite field element x */
223
224 static uint8_t gf_inv(const uint8_t x)
225 { uint8_t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
226
227 if(x < 2)
228 return x;
229
230 for( ; ; )
231 {
232 if(n1)
233 while(n2 >= n1) /* divide polynomial p2 by p1 */
234 {
235 n2 /= n1; /* shift smaller polynomial left */
236 p2 ^= (p1 * n2) & 0xff; /* and remove from larger one */
237 v2 ^= v1 * n2; /* shift accumulated value and */
238 n2 = hibit(p2); /* add into result */
239 }
240 else
241 return v1;
242
243 if(n2) /* repeat with values swapped */
244 while(n1 >= n2)
245 {
246 n1 /= n2;
247 p1 ^= p2 * n1;
248 v1 ^= v2 * n1;
249 n1 = hibit(p1);
250 }
251 else
252 return v2;
253 }
254 }
255
256 #endif
257
258 /* The forward and inverse affine transformations used in the S-box */
259 uint8_t fwd_affine(const uint8_t x)
260 { uint32_t w = x;
261 w ^= (w << 1) ^ (w << 2) ^ (w << 3) ^ (w << 4);
262 return 0x63 ^ ((w ^ (w >> 8)) & 0xff);
263 }
264
265 uint8_t inv_affine(const uint8_t x)
266 { uint32_t w = x;
267 w = (w << 1) ^ (w << 3) ^ (w << 6);
268 return 0x05 ^ ((w ^ (w >> 8)) & 0xff);
269 }
270
271 static int init = 0;
272
273 AES_RETURN aes_init(void)
274 { uint32_t i, w;
275
276 #if defined(FF_TABLES)
277
278 uint8_t pow[512], log[256];
279
280 if(init)
281 return EXIT_SUCCESS;
282 /* log and power tables for GF(2^8) finite field with
283 WPOLY as modular polynomial - the simplest primitive
284 root is 0x03, used here to generate the tables
285 */
286
287 i = 0; w = 1;
288 do
289 {
290 pow[i] = (uint8_t)w;
291 pow[i + 255] = (uint8_t)w;
292 log[w] = (uint8_t)i++;
293 w ^= (w << 1) ^ (w & 0x80 ? WPOLY : 0);
294 }
295 while (w != 1);
296
297 #else
298 if(init)
299 return EXIT_SUCCESS;
300 #endif
301
302 for(i = 0, w = 1; i < RC_LENGTH; ++i)
303 {
304 t_set(r,c)[i] = bytes2word(w, 0, 0, 0);
305 w = f2(w);
306 }
307
308 for(i = 0; i < 256; ++i)
309 { uint8_t b;
310
311 b = fwd_affine(gf_inv((uint8_t)i));
312 w = bytes2word(f2(b), b, b, f3(b));
313
314 #if defined( SBX_SET )
315 t_set(s,box)[i] = b;
316 #endif
317
318 #if defined( FT1_SET ) /* tables for a normal encryption round */
319 t_set(f,n)[i] = w;
320 #endif
321 #if defined( FT4_SET )
322 t_set(f,n)[0][i] = w;
323 t_set(f,n)[1][i] = upr(w,1);
324 t_set(f,n)[2][i] = upr(w,2);
325 t_set(f,n)[3][i] = upr(w,3);
326 #endif
327 w = bytes2word(b, 0, 0, 0);
328
329 #if defined( FL1_SET ) /* tables for last encryption round (may also */
330 t_set(f,l)[i] = w; /* be used in the key schedule) */
331 #endif
332 #if defined( FL4_SET )
333 t_set(f,l)[0][i] = w;
334 t_set(f,l)[1][i] = upr(w,1);
335 t_set(f,l)[2][i] = upr(w,2);
336 t_set(f,l)[3][i] = upr(w,3);
337 #endif
338
339 #if defined( LS1_SET ) /* table for key schedule if t_set(f,l) above is*/
340 t_set(l,s)[i] = w; /* not of the required form */
341 #endif
342 #if defined( LS4_SET )
343 t_set(l,s)[0][i] = w;
344 t_set(l,s)[1][i] = upr(w,1);
345 t_set(l,s)[2][i] = upr(w,2);
346 t_set(l,s)[3][i] = upr(w,3);
347 #endif
348
349 b = gf_inv(inv_affine((uint8_t)i));
350 w = bytes2word(fe(b), f9(b), fd(b), fb(b));
351
352 #if defined( IM1_SET ) /* tables for the inverse mix column operation */
353 t_set(i,m)[b] = w;
354 #endif
355 #if defined( IM4_SET )
356 t_set(i,m)[0][b] = w;
357 t_set(i,m)[1][b] = upr(w,1);
358 t_set(i,m)[2][b] = upr(w,2);
359 t_set(i,m)[3][b] = upr(w,3);
360 #endif
361
362 #if defined( ISB_SET )
363 t_set(i,box)[i] = b;
364 #endif
365 #if defined( IT1_SET ) /* tables for a normal decryption round */
366 t_set(i,n)[i] = w;
367 #endif
368 #if defined( IT4_SET )
369 t_set(i,n)[0][i] = w;
370 t_set(i,n)[1][i] = upr(w,1);
371 t_set(i,n)[2][i] = upr(w,2);
372 t_set(i,n)[3][i] = upr(w,3);
373 #endif
374 w = bytes2word(b, 0, 0, 0);
375 #if defined( IL1_SET ) /* tables for last decryption round */
376 t_set(i,l)[i] = w;
377 #endif
378 #if defined( IL4_SET )
379 t_set(i,l)[0][i] = w;
380 t_set(i,l)[1][i] = upr(w,1);
381 t_set(i,l)[2][i] = upr(w,2);
382 t_set(i,l)[3][i] = upr(w,3);
383 #endif
384 }
385 init = 1;
386 return EXIT_SUCCESS;
387 }
388
389 /*
390 Automatic code initialisation (suggested by by Henrik S. Gaßmann)
391 based on code provided by Joe Lowe and placed in the public domain at:
392 http://stackoverflow.com/questions/1113409/attribute-constructor-equivalent-in-vc
393 */
394
395 #ifdef _MSC_VER
396
397 #pragma section(".CRT$XCU", read)
398
399 __declspec(allocate(".CRT$XCU")) void (__cdecl *aes_startup)(void) = aes_init;
400
401 #elif defined(__GNUC__)
402
403 static void aes_startup(void) __attribute__((constructor));
404
405 static void aes_startup(void)
406 {
407 aes_init();
408 }
409
410 #else
411
412 #pragma message( "dynamic tables must be initialised manually on your system" )
413
414 #endif
415
416 #endif
417
418 #if defined(__cplusplus)
419 }
420 #endif
421
422 #else /* K5_BUILTIN_AES */
423
424 /* Include aestab.h for proper dependency generation, but without defining the
425 * table objects. */
426 #undef DO_TABLES
427 #include "aestab.h"
428
429 #endif
430