diff options
Diffstat (limited to 'src/lib/crypto/builtin/aes/aestab.c')
| -rw-r--r-- | src/lib/crypto/builtin/aes/aestab.c | 445 |
1 files changed, 185 insertions, 260 deletions
diff --git a/src/lib/crypto/builtin/aes/aestab.c b/src/lib/crypto/builtin/aes/aestab.c index ef182d6..3d48edf 100644 --- a/src/lib/crypto/builtin/aes/aestab.c +++ b/src/lib/crypto/builtin/aes/aestab.c @@ -1,52 +1,31 @@ /* - * Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. - * All rights reserved. - * - * LICENSE TERMS - * - * The free distribution and use of this software in both source and binary - * form is allowed (with or without changes) provided that: - * - * 1. distributions of this source code include the above copyright - * notice, this list of conditions and the following disclaimer; - * - * 2. distributions in binary form include the above copyright - * notice, this list of conditions and the following disclaimer - * in the documentation and/or other associated materials; - * - * 3. the copyright holder's name is not used to endorse products - * built using this software without specific written permission. - * - * DISCLAIMER - * - * This software is provided 'as is' with no explcit or implied warranties - * in respect of any properties, including, but not limited to, correctness - * and fitness for purpose. - */ - -/* Issue Date: 07/02/2002 */ +--------------------------------------------------------------------------- +Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved. -#include "aesopt.h" +The redistribution and use of this software (with or without changes) +is allowed without the payment of fees or royalties provided that: -#if defined(FIXED_TABLES) || !defined(FF_TABLES) + source code distributions include the above copyright notice, this + list of conditions and the following disclaimer; -/* finite field arithmetic operations */ + binary distributions include the above copyright notice, this list + of conditions and the following disclaimer in their documentation. -#define f2(x) ((x<<1) ^ (((x>>7) & 1) * WPOLY)) -#define f4(x) ((x<<2) ^ (((x>>6) & 1) * WPOLY) ^ (((x>>6) & 2) * WPOLY)) -#define f8(x) ((x<<3) ^ (((x>>5) & 1) * WPOLY) ^ (((x>>5) & 2) * WPOLY) \ - ^ (((x>>5) & 4) * WPOLY)) -#define f3(x) (f2(x) ^ x) -#define f9(x) (f8(x) ^ x) -#define fb(x) (f8(x) ^ f2(x) ^ x) -#define fd(x) (f8(x) ^ f4(x) ^ x) -#define fe(x) (f8(x) ^ f4(x) ^ f2(x)) +This software is provided 'as is' with no explicit or implied warranties +in respect of its operation, including, but not limited to, correctness +and fitness for purpose. +--------------------------------------------------------------------------- +Issue Date: 20/12/2007 +*/ -#endif +#define DO_TABLES + +#include "aes.h" +#include "aesopt.h" -#if defined(FIXED_TABLES) +#if defined(STATIC_TABLES) -#define sb_data(w) \ +#define sb_data(w) {\ w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\ w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\ w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\ @@ -78,9 +57,9 @@ w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\ w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\ w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\ - w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) + w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) } -#define isb_data(w) \ +#define isb_data(w) {\ w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\ w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\ w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\ @@ -112,9 +91,9 @@ w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\ w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\ w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\ - w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d), + w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) } -#define mm_data(w) \ +#define mm_data(w) {\ w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\ w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\ w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\ @@ -146,35 +125,19 @@ w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\ w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\ w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\ - w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) + w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) } -#define h0(x) (x) +#define rc_data(w) {\ + w(0x01), w(0x02), w(0x04), w(0x08), w(0x10),w(0x20), w(0x40), w(0x80),\ + w(0x1b), w(0x36) } -/* These defines are used to ensure tables are generated in the - right format depending on the internal byte order required -*/ +#define h0(x) (x) #define w0(p) bytes2word(p, 0, 0, 0) #define w1(p) bytes2word(0, p, 0, 0) #define w2(p) bytes2word(0, 0, p, 0) #define w3(p) bytes2word(0, 0, 0, p) -/* Number of elements required in this table for different - block and key lengths is: - - Rcon Table key length (bytes) - Length 16 20 24 28 32 - --------------------- - block 16 | 10 9 8 7 7 - length 20 | 14 11 10 9 9 - (bytes) 24 | 19 15 12 11 11 - 28 | 24 19 16 13 13 - 32 | 29 23 19 17 14 - - this table can be a table of bytes if the key schedule - code is adjusted accordingly -*/ - #define u0(p) bytes2word(f2(p), p, p, f3(p)) #define u1(p) bytes2word(f3(p), f2(p), p, p) #define u2(p) bytes2word(p, f3(p), f2(p), p) @@ -185,135 +148,56 @@ #define v2(p) bytes2word(fd(p), fb(p), fe(p), f9(p)) #define v3(p) bytes2word(f9(p), fd(p), fb(p), fe(p)) -const uint32_t rcon_tab[29] = -{ - w0(0x01), w0(0x02), w0(0x04), w0(0x08), - w0(0x10), w0(0x20), w0(0x40), w0(0x80), - w0(0x1b), w0(0x36), w0(0x6c), w0(0xd8), - w0(0xab), w0(0x4d), w0(0x9a), w0(0x2f), - w0(0x5e), w0(0xbc), w0(0x63), w0(0xc6), - w0(0x97), w0(0x35), w0(0x6a), w0(0xd4), - w0(0xb3), w0(0x7d), w0(0xfa), w0(0xef), - w0(0xc5) -}; - -#ifdef SBX_SET -const uint8_t s_box[256] = { sb_data(h0) }; -#endif -#ifdef ISB_SET -const uint8_t inv_s_box[256] = { isb_data(h0) }; -#endif - -#ifdef FT1_SET -const uint32_t ft_tab[256] = { sb_data(u0) }; -#endif -#ifdef FT4_SET -const uint32_t ft_tab[4][256] = - { { sb_data(u0) }, { sb_data(u1) }, { sb_data(u2) }, { sb_data(u3) } }; #endif -#ifdef FL1_SET -const uint32_t fl_tab[256] = { sb_data(w0) }; -#endif -#ifdef FL4_SET -const uint32_t fl_tab[4][256] = - { { sb_data(w0) }, { sb_data(w1) }, { sb_data(w2) }, { sb_data(w3) } }; -#endif +#if defined(STATIC_TABLES) || !defined(FF_TABLES) -#ifdef IT1_SET -const uint32_t it_tab[256] = { isb_data(v0) }; -#endif -#ifdef IT4_SET -const uint32_t it_tab[4][256] = - { { isb_data(v0) }, { isb_data(v1) }, { isb_data(v2) }, { isb_data(v3) } }; -#endif +#define f2(x) ((x<<1) ^ (((x>>7) & 1) * WPOLY)) +#define f4(x) ((x<<2) ^ (((x>>6) & 1) * WPOLY) ^ (((x>>6) & 2) * WPOLY)) +#define f8(x) ((x<<3) ^ (((x>>5) & 1) * WPOLY) ^ (((x>>5) & 2) * WPOLY) \ + ^ (((x>>5) & 4) * WPOLY)) +#define f3(x) (f2(x) ^ x) +#define f9(x) (f8(x) ^ x) +#define fb(x) (f8(x) ^ f2(x) ^ x) +#define fd(x) (f8(x) ^ f4(x) ^ x) +#define fe(x) (f8(x) ^ f4(x) ^ f2(x)) -#ifdef IL1_SET -const uint32_t il_tab[256] = { isb_data(w0) }; -#endif -#ifdef IL4_SET -const uint32_t il_tab[4][256] = - { { isb_data(w0) }, { isb_data(w1) }, { isb_data(w2) }, { isb_data(w3) } }; -#endif +#else -#ifdef LS1_SET -const uint32_t ls_tab[256] = { sb_data(w0) }; -#endif -#ifdef LS4_SET -const uint32_t ls_tab[4][256] = - { { sb_data(w0) }, { sb_data(w1) }, { sb_data(w2) }, { sb_data(w3) } }; -#endif +#define f2(x) ((x) ? pow[log[x] + 0x19] : 0) +#define f3(x) ((x) ? pow[log[x] + 0x01] : 0) +#define f9(x) ((x) ? pow[log[x] + 0xc7] : 0) +#define fb(x) ((x) ? pow[log[x] + 0x68] : 0) +#define fd(x) ((x) ? pow[log[x] + 0xee] : 0) +#define fe(x) ((x) ? pow[log[x] + 0xdf] : 0) -#ifdef IM1_SET -const uint32_t im_tab[256] = { mm_data(v0) }; -#endif -#ifdef IM4_SET -const uint32_t im_tab[4][256] = - { { mm_data(v0) }, { mm_data(v1) }, { mm_data(v2) }, { mm_data(v3) } }; #endif -#else /* dynamic table generation */ - -uint8_t tab_init = 0; - -#define const - -uint32_t rcon_tab[RC_LENGTH]; +#include "aestab.h" -#ifdef SBX_SET -uint8_t s_box[256]; -#endif -#ifdef ISB_SET -uint8_t inv_s_box[256]; +#if defined(__cplusplus) +extern "C" +{ #endif -#ifdef FT1_SET -uint32_t ft_tab[256]; -#endif -#ifdef FT4_SET -uint32_t ft_tab[4][256]; -#endif +#if defined(STATIC_TABLES) -#ifdef FL1_SET -uint32_t fl_tab[256]; -#endif -#ifdef FL4_SET -uint32_t fl_tab[4][256]; -#endif +/* implemented in case of wrong call for fixed tables */ -#ifdef IT1_SET -uint32_t it_tab[256]; -#endif -#ifdef IT4_SET -uint32_t it_tab[4][256]; -#endif +AES_RETURN aes_init(void) +{ + return EXIT_SUCCESS; +} -#ifdef IL1_SET -uint32_t il_tab[256]; -#endif -#ifdef IL4_SET -uint32_t il_tab[4][256]; -#endif +#else /* Generate the tables for the dynamic table option */ -#ifdef LS1_SET -uint32_t ls_tab[256]; -#endif -#ifdef LS4_SET -uint32_t ls_tab[4][256]; -#endif - -#ifdef IM1_SET -uint32_t im_tab[256]; -#endif -#ifdef IM4_SET -uint32_t im_tab[4][256]; -#endif +#if defined(FF_TABLES) -#if !defined(FF_TABLES) +#define gf_inv(x) ((x) ? pow[ 255 - log[x]] : 0) -/* Generate the tables for the dynamic table option +#else - It will generally be sensible to use tables to compute finite +/* It will generally be sensible to use tables to compute finite field multiplies and inverses but where memory is scarse this code might sometimes be better. But it only has effect during initialisation so its pretty unimportant in overall terms. @@ -334,58 +218,64 @@ static uint8_t hibit(const uint32_t x) /* return the inverse of the finite field element x */ -static uint8_t fi(const uint8_t x) +static uint8_t gf_inv(const uint8_t x) { uint8_t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0; - if(x < 2) return x; + if(x < 2) + return x; - for(;;) + for( ; ; ) { - if(!n1) return v1; - - while(n2 >= n1) - { - n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2); - } - - if(!n2) return v2; - - while(n1 >= n2) - { - n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1); - } + if(n1) + while(n2 >= n1) /* divide polynomial p2 by p1 */ + { + n2 /= n1; /* shift smaller polynomial left */ + p2 ^= (p1 * n2) & 0xff; /* and remove from larger one */ + v2 ^= v1 * n2; /* shift accumulated value and */ + n2 = hibit(p2); /* add into result */ + } + else + return v1; + + if(n2) /* repeat with values swapped */ + while(n1 >= n2) + { + n1 /= n2; + p1 ^= p2 * n1; + v1 ^= v2 * n1; + n1 = hibit(p1); + } + else + return v2; } } -#else - -/* define the finite field multiplies required for Rijndael */ - -#define f2(x) ((x) ? pow[log[x] + 0x19] : 0) -#define f3(x) ((x) ? pow[log[x] + 0x01] : 0) -#define f9(x) ((x) ? pow[log[x] + 0xc7] : 0) -#define fb(x) ((x) ? pow[log[x] + 0x68] : 0) -#define fd(x) ((x) ? pow[log[x] + 0xee] : 0) -#define fe(x) ((x) ? pow[log[x] + 0xdf] : 0) -#define fi(x) ((x) ? pow[255 - log[x]]: 0) - #endif /* The forward and inverse affine transformations used in the S-box */ +uint8_t fwd_affine(const uint8_t x) +{ uint32_t w = x; + w ^= (w << 1) ^ (w << 2) ^ (w << 3) ^ (w << 4); + return 0x63 ^ ((w ^ (w >> 8)) & 0xff); +} -#define fwd_affine(x) \ - (w = (uint32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(uint8_t)(w^(w>>8))) +uint8_t inv_affine(const uint8_t x) +{ uint32_t w = x; + w = (w << 1) ^ (w << 3) ^ (w << 6); + return 0x05 ^ ((w ^ (w >> 8)) & 0xff); +} -#define inv_affine(x) \ - (w = (uint32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(uint8_t)(w^(w>>8))) +static int init = 0; -void gen_tabs(void) +AES_RETURN aes_init(void) { uint32_t i, w; #if defined(FF_TABLES) uint8_t pow[512], log[256]; + if(init) + return EXIT_SUCCESS; /* log and power tables for GF(2^8) finite field with WPOLY as modular polynomial - the simplest primitive root is 0x03, used here to generate the tables @@ -401,93 +291,128 @@ void gen_tabs(void) } while (w != 1); +#else + if(init) + return EXIT_SUCCESS; #endif for(i = 0, w = 1; i < RC_LENGTH; ++i) { - rcon_tab[i] = bytes2word(w, 0, 0, 0); + t_set(r,c)[i] = bytes2word(w, 0, 0, 0); w = f2(w); } for(i = 0; i < 256; ++i) { uint8_t b; - b = fwd_affine(fi((uint8_t)i)); + b = fwd_affine(gf_inv((uint8_t)i)); w = bytes2word(f2(b), b, b, f3(b)); -#ifdef SBX_SET - s_box[i] = b; +#if defined( SBX_SET ) + t_set(s,box)[i] = b; #endif -#ifdef FT1_SET /* tables for a normal encryption round */ - ft_tab[i] = w; +#if defined( FT1_SET ) /* tables for a normal encryption round */ + t_set(f,n)[i] = w; #endif -#ifdef FT4_SET - ft_tab[0][i] = w; - ft_tab[1][i] = upr(w,1); - ft_tab[2][i] = upr(w,2); - ft_tab[3][i] = upr(w,3); +#if defined( FT4_SET ) + t_set(f,n)[0][i] = w; + t_set(f,n)[1][i] = upr(w,1); + t_set(f,n)[2][i] = upr(w,2); + t_set(f,n)[3][i] = upr(w,3); #endif w = bytes2word(b, 0, 0, 0); -#ifdef FL1_SET /* tables for last encryption round (may also */ - fl_tab[i] = w; /* be used in the key schedule) */ +#if defined( FL1_SET ) /* tables for last encryption round (may also */ + t_set(f,l)[i] = w; /* be used in the key schedule) */ #endif -#ifdef FL4_SET - fl_tab[0][i] = w; - fl_tab[1][i] = upr(w,1); - fl_tab[2][i] = upr(w,2); - fl_tab[3][i] = upr(w,3); +#if defined( FL4_SET ) + t_set(f,l)[0][i] = w; + t_set(f,l)[1][i] = upr(w,1); + t_set(f,l)[2][i] = upr(w,2); + t_set(f,l)[3][i] = upr(w,3); #endif -#ifdef LS1_SET /* table for key schedule if fl_tab above is */ - ls_tab[i] = w; /* not of the required form */ +#if defined( LS1_SET ) /* table for key schedule if t_set(f,l) above is*/ + t_set(l,s)[i] = w; /* not of the required form */ #endif -#ifdef LS4_SET - ls_tab[0][i] = w; - ls_tab[1][i] = upr(w,1); - ls_tab[2][i] = upr(w,2); - ls_tab[3][i] = upr(w,3); +#if defined( LS4_SET ) + t_set(l,s)[0][i] = w; + t_set(l,s)[1][i] = upr(w,1); + t_set(l,s)[2][i] = upr(w,2); + t_set(l,s)[3][i] = upr(w,3); #endif - b = fi(inv_affine((uint8_t)i)); + b = gf_inv(inv_affine((uint8_t)i)); w = bytes2word(fe(b), f9(b), fd(b), fb(b)); -#ifdef IM1_SET /* tables for the inverse mix column operation */ - im_tab[b] = w; +#if defined( IM1_SET ) /* tables for the inverse mix column operation */ + t_set(i,m)[b] = w; #endif -#ifdef IM4_SET - im_tab[0][b] = w; - im_tab[1][b] = upr(w,1); - im_tab[2][b] = upr(w,2); - im_tab[3][b] = upr(w,3); +#if defined( IM4_SET ) + t_set(i,m)[0][b] = w; + t_set(i,m)[1][b] = upr(w,1); + t_set(i,m)[2][b] = upr(w,2); + t_set(i,m)[3][b] = upr(w,3); #endif -#ifdef ISB_SET - inv_s_box[i] = b; +#if defined( ISB_SET ) + t_set(i,box)[i] = b; #endif -#ifdef IT1_SET /* tables for a normal decryption round */ - it_tab[i] = w; +#if defined( IT1_SET ) /* tables for a normal decryption round */ + t_set(i,n)[i] = w; #endif -#ifdef IT4_SET - it_tab[0][i] = w; - it_tab[1][i] = upr(w,1); - it_tab[2][i] = upr(w,2); - it_tab[3][i] = upr(w,3); +#if defined( IT4_SET ) + t_set(i,n)[0][i] = w; + t_set(i,n)[1][i] = upr(w,1); + t_set(i,n)[2][i] = upr(w,2); + t_set(i,n)[3][i] = upr(w,3); #endif w = bytes2word(b, 0, 0, 0); -#ifdef IL1_SET /* tables for last decryption round */ - il_tab[i] = w; +#if defined( IL1_SET ) /* tables for last decryption round */ + t_set(i,l)[i] = w; #endif -#ifdef IL4_SET - il_tab[0][i] = w; - il_tab[1][i] = upr(w,1); - il_tab[2][i] = upr(w,2); - il_tab[3][i] = upr(w,3); +#if defined( IL4_SET ) + t_set(i,l)[0][i] = w; + t_set(i,l)[1][i] = upr(w,1); + t_set(i,l)[2][i] = upr(w,2); + t_set(i,l)[3][i] = upr(w,3); #endif } + init = 1; + return EXIT_SUCCESS; +} + +/* + Automatic code initialisation (suggested by by Henrik S. Gaßmann) + based on code provided by Joe Lowe and placed in the public domain at: + http://stackoverflow.com/questions/1113409/attribute-constructor-equivalent-in-vc +*/ + +#ifdef _MSC_VER + +#pragma section(".CRT$XCU", read) - tab_init = 1; +__declspec(allocate(".CRT$XCU")) void (__cdecl *aes_startup)(void) = aes_init; + +#elif defined(__GNUC__) + +static void aes_startup(void) __attribute__((constructor)); + +static void aes_startup(void) +{ + aes_init(); } +#else + +#pragma message( "dynamic tables must be initialised manually on your system" ) + #endif + +#endif + +#if defined(__cplusplus) +} +#endif + |