1 /*
2 * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /**
11 * rijndael-alg-fst.c
12 *
13 * @version 3.0 (December 2000)
14 *
15 * Optimised ANSI C code for the Rijndael cipher (now AES)
16 *
17 * @author Vincent Rijmen
18 * @author Antoon Bosselaers
19 * @author Paulo Barreto
20 *
21 * This code is hereby placed in the public domain.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
24 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
31 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
32 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
33 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /* Note: rewritten a little bit to provide error control and an OpenSSL-
37 compatible API */
38
39 /*
40 * AES low level APIs are deprecated for public use, but still ok for internal
41 * use where we're using them to implement the higher level EVP interface, as is
42 * the case here.
43 */
44 #include "internal/deprecated.h"
45
46 #include <assert.h>
47
48 #include <stdlib.h>
49 #include <openssl/crypto.h>
50 #include <openssl/aes.h>
51 #include "aes_local.h"
52
53 #if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM)
54
/*
 * U64(C) pastes a 64-bit unsigned literal suffix onto the constant C:
 * UI64 for Windows compilers other than MinGW, UL when __arch64__ is
 * defined, ULL otherwise.
 */
#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
#define U64(C) C##UI64
#elif defined(__arch64__)
#define U64(C) C##UL
#else
#define U64(C) C##ULL
#endif

/*
 * Eight bytes of storage viewable as raw bytes, as two u32 words or as one
 * u64. MixColumns, InvMixColumns and KeyExpansion use it to combine
 * whole-word operations with per-byte or per-u32 accesses on the same value.
 */
typedef union {
    unsigned char b[8]; /* byte view */
    u32 w[2];           /* two 32-bit words */
    u64 d;              /* single 64-bit word */
} uni;
68
69 /*
70 * Compute w := (w * x) mod (x^8 + x^4 + x^3 + x^1 + 1)
71 * Therefore the name "xtime".
72 */
static void XtimeWord(u32 *w)
{
    /*
     * Multiplies each of the four bytes packed in *w by x in GF(2^8),
     * all lanes at once. Only masks, shifts and XOR are used: there is
     * no branch on the top bit and no table lookup.
     */
    const u32 in = *w;
    const u32 top = in & 0x80808080u;   /* top bit of every byte lane */
    u32 reduce;

    /* 0x80 - 0x01 = 0x7F in each lane whose top bit was set, else 0. */
    reduce = top - (top >> 7);
    /* Keep only the reduction constant 0x1B in those lanes. */
    reduce &= 0x1B1B1B1Bu;

    /* Shift the remaining seven bits up and fold in the reduction. */
    *w = reduce ^ ((in ^ top) << 1);
}
85
/*
 * 64-bit form of XtimeWord: multiplies each of the eight bytes packed in
 * *w by x, reducing with 0x1B in every lane whose top bit was set.
 * Straight-line masks, shifts and XOR only.
 */
static void XtimeLong(u64 *w)
{
    const u64 in = *w;
    const u64 top = in & U64(0x8080808080808080);
    u64 reduce;

    /* 0x7F in each lane that overflowed, 0 elsewhere. */
    reduce = top - (top >> 7);
    reduce &= U64(0x1B1B1B1B1B1B1B1B);

    *w = reduce ^ ((in ^ top) << 1);
}
98
99 /*
100 * This computes w := S * w ^ -1 + c, where c = {01100011}.
101 * Instead of using GF(2^8) mod (x^8+x^4+x^3+x+1) we do the inversion
102 * in GF(GF(GF(2^2)^2)^2) mod (X^2+X+8)
103 * and GF(GF(2^2)^2) mod (X^2+X+2)
104 * and GF(2^2) mod (X^2+X+1)
105 * The first part of the algorithm below transfers the coordinates
106 * {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80} =>
107 * {1,Y,Y^2,Y^3,Y^4,Y^5,Y^6,Y^7} with Y=0x41:
108 * {0x01,0x41,0x66,0x6c,0x56,0x9a,0x58,0xc4}
109 * The last part undoes the coordinate transfer and the final affine
110 * transformation S:
111 * b[i] = b[i] + b[(i+4)%8] + b[(i+5)%8] + b[(i+6)%8] + b[(i+7)%8] + c[i]
112 * in one step.
113 * The multiplication in GF(2^2^2^2) is done in ordinary coords:
114 * A = (a0*1 + a1*x^4)
115 * B = (b0*1 + b1*x^4)
116 * AB = ((a0*b0 + 8*a1*b1)*1 + (a1*b0 + (a0+a1)*b1)*x^4)
117 * When A = (a0,a1) is given we want to solve AB = 1:
118 * (a) 1 = a0*b0 + 8*a1*b1
119 * (b) 0 = a1*b0 + (a0+a1)*b1
120 * => multiply (a) by a1 and (b) by a0
121 * (c) a1 = a1*a0*b0 + (8*a1*a1)*b1
122 * (d) 0 = a1*a0*b0 + (a0*a0+a1*a0)*b1
123 * => add (c) + (d)
124 * (e) a1 = (a0*a0 + a1*a0 + 8*a1*a1)*b1
125 * => therefore
126 * b1 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * a1
127 * => and adding (a1*b0) to (b) we get
128 * (f) a1*b0 = (a0+a1)*b1
129 * => therefore
130 * b0 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * (a0+a1)
131 * Note this formula also works for the case
132 * (a0+a1)*a0 + 8*a1*a1 = 0
133 * if the inverse element for 0^-1 is mapped to 0.
134 * Repeat the same for GF(2^2^2) and GF(2^2).
135 * We get the following algorithm:
136 * inv8(a0,a1):
137 * x0 = a0^a1
138 * [y0,y1] = mul4([x0,a1],[a0,a1]); (*)
139 * y1 = mul4(8,y1);
140 * t = inv4(y0^y1);
141 * [b0,b1] = mul4([x0,a1],[t,t]); (*)
142 * return [b0,b1];
143 * The non-linear multiplies (*) can be done in parallel at no extra cost.
144 */
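static void SubWord(u32 *w)
{
    /*
     * Applies the substitution derived in the comment above to the four
     * bytes packed in *w, all lanes at once. The body is a fixed sequence
     * of AND/OR/XOR and constant shifts: no table is indexed and no branch
     * is taken on the input, which KeyExpansion passes key-derived words to.
     */
    u32 x, y, a1, a2, a3, a4, a5, a6;

    x = *w;

    /*
     * Input linear map. Every "y = ..." line rotates each byte lane right
     * by one bit; masked copies of the successive rotations are folded
     * into x.
     */
    y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
    x &= 0xDDDDDDDDu;
    x ^= y & 0x57575757u;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x1C1C1C1Cu;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x4A4A4A4Au;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x42424242u;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x64646464u;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0xE0E0E0E0u;

    /*
     * Non-linear core on nibbles, bit pairs and single bits. Presumably
     * this is the inv8/mul4/inv4 sequence of the comment above; the
     * step-by-step mapping is not annotated in the original.
     */
    a1 = x;
    a1 ^= (x & 0xF0F0F0F0u) >> 4;
    a2 = ((x & 0xCCCCCCCCu) >> 2) | ((x & 0x33333333u) << 2);
    a3 = x & a1;
    a3 ^= (a3 & 0xAAAAAAAAu) >> 1;
    a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAu;
    a4 = a2 & a1;
    a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
    a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAu;
    a5 = (a3 & 0xCCCCCCCCu) >> 2;
    a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
    a4 = a5 & 0x22222222u;
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & 0x22222222u;
    a3 ^= a4;
    a5 = a3 & 0xA0A0A0A0u;
    a5 |= a5 >> 1;
    a5 ^= (a3 << 1) & 0xA0A0A0A0u;
    a4 = a5 & 0xC0C0C0C0u;
    a6 = a4 >> 2;
    a4 ^= (a5 << 2) & 0xC0C0C0C0u;
    a5 = a6 & 0x20202020u;
    a5 |= a5 >> 1;
    a5 ^= (a6 << 1) & 0x20202020u;
    a4 |= a5;
    a3 ^= a4 >> 4;
    a3 &= 0x0F0F0F0Fu;
    a2 = a3;
    a2 ^= (a3 & 0x0C0C0C0Cu) >> 2;
    a4 = a3 & a2;
    /*
     * Lane mask 0x0A written at u32 width, matching the parallel step in
     * SubLong. a4 is a u32, so a wider literal selects the same bits.
     */
    a4 ^= (a4 & 0x0A0A0A0Au) >> 1;
    a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0Au;
    a5 = a4 & 0x08080808u;
    a5 |= a5 >> 1;
    a5 ^= (a4 << 1) & 0x08080808u;
    a4 ^= a5 >> 2;
    a4 &= 0x03030303u;
    a4 ^= (a4 & 0x02020202u) >> 1;
    a4 |= a4 << 2;
    a3 = a2 & a4;
    a3 ^= (a3 & 0x0A0A0A0Au) >> 1;
    a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0Au;
    a3 |= a3 << 4;
    a2 = ((a1 & 0xCCCCCCCCu) >> 2) | ((a1 & 0x33333333u) << 2);
    x = a1 & a3;
    x ^= (x & 0xAAAAAAAAu) >> 1;
    x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAu;
    a4 = a2 & a3;
    a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
    a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAu;
    a5 = (x & 0xCCCCCCCCu) >> 2;
    x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
    a4 = a5 & 0x22222222u;
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & 0x22222222u;
    x ^= a4;

    /*
     * Output linear map: masked per-lane rotations again (the second one
     * rotates by two bits), followed by the constant c = 0x63 in each lane.
     */
    y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
    x &= 0x39393939u;
    x ^= y & 0x3F3F3F3Fu;
    y = ((y & 0xFCFCFCFCu) >> 2) | ((y & 0x03030303u) << 6);
    x ^= y & 0x97979797u;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x9B9B9B9Bu;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x3C3C3C3Cu;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0xDDDDDDDDu;
    y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
    x ^= y & 0x72727272u;
    x ^= 0x63636363u;
    *w = x;
}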
235
/*
 * 64-bit counterpart of SubWord: the same sequence of masks, shifts and
 * XORs applied to the eight byte lanes of *w at once. Cipher calls it on
 * both halves of the block state. The body has no table lookup and no
 * branch, so neither memory addresses nor control flow depend on the
 * state being substituted.
 */
static void SubLong(u64 *w)
{
    u64 x, y, a1, a2, a3, a4, a5, a6;

    x = *w;
    /*
     * Input linear map: each "y = ..." line rotates every byte lane right
     * by one bit; masked copies of the rotations are folded into x.
     */
    y = ((x & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((x & U64(0x0101010101010101)) << 7);
    x &= U64(0xDDDDDDDDDDDDDDDD);
    x ^= y & U64(0x5757575757575757);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x1C1C1C1C1C1C1C1C);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x4A4A4A4A4A4A4A4A);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x4242424242424242);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x6464646464646464);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xE0E0E0E0E0E0E0E0);
    /*
     * Non-linear core on nibbles, bit pairs and single bits; presumably
     * the inv8/mul4/inv4 sequence from the comment above SubWord (the
     * original does not annotate the individual steps).
     */
    a1 = x;
    a1 ^= (x & U64(0xF0F0F0F0F0F0F0F0)) >> 4;
    a2 = ((x & U64(0xCCCCCCCCCCCCCCCC)) >> 2) | ((x & U64(0x3333333333333333)) << 2);
    a3 = x & a1;
    a3 ^= (a3 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & U64(0xAAAAAAAAAAAAAAAA);
    a4 = a2 & a1;
    a4 ^= (a4 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & U64(0xAAAAAAAAAAAAAAAA);
    a5 = (a3 & U64(0xCCCCCCCCCCCCCCCC)) >> 2;
    a3 ^= ((a4 << 2) ^ a4) & U64(0xCCCCCCCCCCCCCCCC);
    a4 = a5 & U64(0x2222222222222222);
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & U64(0x2222222222222222);
    a3 ^= a4;
    a5 = a3 & U64(0xA0A0A0A0A0A0A0A0);
    a5 |= a5 >> 1;
    a5 ^= (a3 << 1) & U64(0xA0A0A0A0A0A0A0A0);
    a4 = a5 & U64(0xC0C0C0C0C0C0C0C0);
    a6 = a4 >> 2;
    a4 ^= (a5 << 2) & U64(0xC0C0C0C0C0C0C0C0);
    a5 = a6 & U64(0x2020202020202020);
    a5 |= a5 >> 1;
    a5 ^= (a6 << 1) & U64(0x2020202020202020);
    a4 |= a5;
    a3 ^= a4 >> 4;
    a3 &= U64(0x0F0F0F0F0F0F0F0F);
    a2 = a3;
    a2 ^= (a3 & U64(0x0C0C0C0C0C0C0C0C)) >> 2;
    a4 = a3 & a2;
    a4 ^= (a4 & U64(0x0A0A0A0A0A0A0A0A)) >> 1;
    a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & U64(0x0A0A0A0A0A0A0A0A);
    a5 = a4 & U64(0x0808080808080808);
    a5 |= a5 >> 1;
    a5 ^= (a4 << 1) & U64(0x0808080808080808);
    a4 ^= a5 >> 2;
    a4 &= U64(0x0303030303030303);
    a4 ^= (a4 & U64(0x0202020202020202)) >> 1;
    a4 |= a4 << 2;
    a3 = a2 & a4;
    a3 ^= (a3 & U64(0x0A0A0A0A0A0A0A0A)) >> 1;
    a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & U64(0x0A0A0A0A0A0A0A0A);
    a3 |= a3 << 4;
    a2 = ((a1 & U64(0xCCCCCCCCCCCCCCCC)) >> 2) | ((a1 & U64(0x3333333333333333)) << 2);
    x = a1 & a3;
    x ^= (x & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & U64(0xAAAAAAAAAAAAAAAA);
    a4 = a2 & a3;
    a4 ^= (a4 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & U64(0xAAAAAAAAAAAAAAAA);
    a5 = (x & U64(0xCCCCCCCCCCCCCCCC)) >> 2;
    x ^= ((a4 << 2) ^ a4) & U64(0xCCCCCCCCCCCCCCCC);
    a4 = a5 & U64(0x2222222222222222);
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & U64(0x2222222222222222);
    x ^= a4;
    /*
     * Output linear map: masked per-lane rotations (the second rotates by
     * two bits), then the constant 0x63 is XORed into every lane.
     */
    y = ((x & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((x & U64(0x0101010101010101)) << 7);
    x &= U64(0x3939393939393939);
    x ^= y & U64(0x3F3F3F3F3F3F3F3F);
    y = ((y & U64(0xFCFCFCFCFCFCFCFC)) >> 2) | ((y & U64(0x0303030303030303)) << 6);
    x ^= y & U64(0x9797979797979797);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x9B9B9B9B9B9B9B9B);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x3C3C3C3C3C3C3C3C);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xDDDDDDDDDDDDDDDD);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x7272727272727272);
    x ^= U64(0x6363636363636363);
    *w = x;
}
326
327 /*
328 * This computes w := (S^-1 * (w + c))^-1
329 */
static void InvSubLong(u64 *w)
{
    /*
     * Inverse of SubLong on the eight byte lanes of *w; InvCipher calls it
     * on both halves of the block state. Like the forward direction it is
     * a straight-line sequence of masks, shifts and XORs with no table
     * lookup and no branch on the data.
     */
    u64 x, y, a1, a2, a3, a4, a5, a6;

    x = *w;
    /* Remove the constant 0x63 that the forward substitution adds last. */
    x ^= U64(0x6363636363636363);
    /*
     * Input linear map: each "y = ..." line rotates every byte lane right
     * by one bit; masked copies of the rotations are folded into x.
     */
    y = ((x & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((x & U64(0x0101010101010101)) << 7);
    x &= U64(0xFDFDFDFDFDFDFDFD);
    x ^= y & U64(0x5E5E5E5E5E5E5E5E);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xF3F3F3F3F3F3F3F3);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xF5F5F5F5F5F5F5F5);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x7878787878787878);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x7777777777777777);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x1515151515151515);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xA5A5A5A5A5A5A5A5);
    /*
     * Non-linear core: the statements from here to "x ^= a4" are the same
     * as the corresponding stretch of SubLong.
     */
    a1 = x;
    a1 ^= (x & U64(0xF0F0F0F0F0F0F0F0)) >> 4;
    a2 = ((x & U64(0xCCCCCCCCCCCCCCCC)) >> 2) | ((x & U64(0x3333333333333333)) << 2);
    a3 = x & a1;
    a3 ^= (a3 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & U64(0xAAAAAAAAAAAAAAAA);
    a4 = a2 & a1;
    a4 ^= (a4 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & U64(0xAAAAAAAAAAAAAAAA);
    a5 = (a3 & U64(0xCCCCCCCCCCCCCCCC)) >> 2;
    a3 ^= ((a4 << 2) ^ a4) & U64(0xCCCCCCCCCCCCCCCC);
    a4 = a5 & U64(0x2222222222222222);
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & U64(0x2222222222222222);
    a3 ^= a4;
    a5 = a3 & U64(0xA0A0A0A0A0A0A0A0);
    a5 |= a5 >> 1;
    a5 ^= (a3 << 1) & U64(0xA0A0A0A0A0A0A0A0);
    a4 = a5 & U64(0xC0C0C0C0C0C0C0C0);
    a6 = a4 >> 2;
    a4 ^= (a5 << 2) & U64(0xC0C0C0C0C0C0C0C0);
    a5 = a6 & U64(0x2020202020202020);
    a5 |= a5 >> 1;
    a5 ^= (a6 << 1) & U64(0x2020202020202020);
    a4 |= a5;
    a3 ^= a4 >> 4;
    a3 &= U64(0x0F0F0F0F0F0F0F0F);
    a2 = a3;
    a2 ^= (a3 & U64(0x0C0C0C0C0C0C0C0C)) >> 2;
    a4 = a3 & a2;
    a4 ^= (a4 & U64(0x0A0A0A0A0A0A0A0A)) >> 1;
    a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & U64(0x0A0A0A0A0A0A0A0A);
    a5 = a4 & U64(0x0808080808080808);
    a5 |= a5 >> 1;
    a5 ^= (a4 << 1) & U64(0x0808080808080808);
    a4 ^= a5 >> 2;
    a4 &= U64(0x0303030303030303);
    a4 ^= (a4 & U64(0x0202020202020202)) >> 1;
    a4 |= a4 << 2;
    a3 = a2 & a4;
    a3 ^= (a3 & U64(0x0A0A0A0A0A0A0A0A)) >> 1;
    a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & U64(0x0A0A0A0A0A0A0A0A);
    a3 |= a3 << 4;
    a2 = ((a1 & U64(0xCCCCCCCCCCCCCCCC)) >> 2) | ((a1 & U64(0x3333333333333333)) << 2);
    x = a1 & a3;
    x ^= (x & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & U64(0xAAAAAAAAAAAAAAAA);
    a4 = a2 & a3;
    a4 ^= (a4 & U64(0xAAAAAAAAAAAAAAAA)) >> 1;
    a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & U64(0xAAAAAAAAAAAAAAAA);
    a5 = (x & U64(0xCCCCCCCCCCCCCCCC)) >> 2;
    x ^= ((a4 << 2) ^ a4) & U64(0xCCCCCCCCCCCCCCCC);
    a4 = a5 & U64(0x2222222222222222);
    a4 |= a4 >> 1;
    a4 ^= (a5 << 1) & U64(0x2222222222222222);
    x ^= a4;
    /* Output linear map: seven masked one-bit lane rotations folded into x. */
    y = ((x & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((x & U64(0x0101010101010101)) << 7);
    x &= U64(0xB5B5B5B5B5B5B5B5);
    x ^= y & U64(0x4040404040404040);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x8080808080808080);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x1616161616161616);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xEBEBEBEBEBEBEBEB);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x9797979797979797);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0xFBFBFBFBFBFBFBFB);
    y = ((y & U64(0xFEFEFEFEFEFEFEFE)) >> 1) | ((y & U64(0x0101010101010101)) << 7);
    x ^= y & U64(0x7D7D7D7D7D7D7D7D);
    *w = x;
}
424
/*
 * Rotates row r of the 4x4 byte state left by r positions, in place.
 * The state is addressed as 16 bytes with byte (row r, column c) at
 * offset 4 * c + r. Every index is computed from the loop counters only,
 * so the memory access pattern does not depend on the state contents.
 */
static void ShiftRows(u64 *state)
{
    unsigned char *bytes = (unsigned char *)state;
    unsigned char row[4];
    int r, c;

    for (r = 0; r < 4; r++) {
        /* Snapshot the row before overwriting any of its bytes. */
        for (c = 0; c < 4; c++)
            row[c] = bytes[4 * c + r];
        for (c = 0; c < 4; c++)
            bytes[4 * c + r] = row[(c + r) % 4];
    }
}
443
/*
 * Undoes ShiftRows: rotates row r of the 4x4 byte state right by r
 * positions, in place, with byte (row r, column c) at offset 4 * c + r.
 * Indices come from the loop counters only, never from the state bytes.
 */
static void InvShiftRows(u64 *state)
{
    unsigned char *bytes = (unsigned char *)state;
    unsigned char row[4];
    int r, c;

    for (r = 0; r < 4; r++) {
        /* Snapshot the row before overwriting any of its bytes. */
        for (c = 0; c < 4; c++)
            row[c] = bytes[4 * c + r];
        /* 4 + c - r stays non-negative, so % gives the wrapped column. */
        for (c = 0; c < 4; c++)
            bytes[4 * c + r] = row[(4 + c - r) % 4];
    }
}
462
/*
 * MixColumns on the whole state, two 4-byte columns per u64 word.
 * For a column a[0..3] the result byte i is
 *   2*a[i] ^ 3*a[i+1] ^ a[i+2] ^ a[i+3]   (indices mod 4),
 * built from word-wide byte swaps, one XtimeLong and a byte-wise XOR.
 * No table is indexed by state bytes and no branch depends on them.
 */
static void MixColumns(u64 *state)
{
    int c, j;

    for (c = 0; c < 2; c++) {
        uni dbl;    /* holds a, then 2*a after XtimeLong */
        uni acc;    /* accumulates the output columns */
        u64 t;

        dbl.d = state[c];

        /* t[i] = a[i] ^ a[i+2], then XOR of all four bytes in each lane. */
        t = dbl.d;
        t ^= ((t & U64(0xFFFF0000FFFF0000)) >> 16)
            | ((t & U64(0x0000FFFF0000FFFF)) << 16);
        t ^= ((t & U64(0xFF00FF00FF00FF00)) >> 8)
            | ((t & U64(0x00FF00FF00FF00FF)) << 8);
        /* Drop a[i] again: a[i+1] ^ a[i+2] ^ a[i+3]. */
        acc.d = t ^ dbl.d;

        XtimeLong(&dbl.d);
        acc.d ^= dbl.d;             /* + 2*a[i] */

        /* + 2*a[i+1], taking the next byte within the same column. */
        for (j = 0; j < 8; j++)
            acc.b[j] ^= dbl.b[(j & 4) | ((j + 1) & 3)];

        state[c] = acc.d;
    }
}
490
/*
 * InvMixColumns on the whole state, two 4-byte columns per u64 word.
 * It first computes the forward MixColumns value and then adds
 * 4*(a[i] ^ a[i+2]) and 8*(a[0] ^ a[1] ^ a[2] ^ a[3]) to every byte,
 * which gives the coefficients 0e, 0b, 0d, 09. Only swaps, XtimeLong and
 * XOR are used; nothing is indexed or branched on by the state bytes.
 */
static void InvMixColumns(u64 *state)
{
    int c, j;

    for (c = 0; c < 2; c++) {
        uni mul;    /* a, then successive multiples of a */
        uni acc;    /* accumulates the output columns */
        u64 t;

        mul.d = state[c];

        /* Forward MixColumns part. */
        t = mul.d;
        t ^= ((t & U64(0xFFFF0000FFFF0000)) >> 16)
            | ((t & U64(0x0000FFFF0000FFFF)) << 16);
        t ^= ((t & U64(0xFF00FF00FF00FF00)) >> 8)
            | ((t & U64(0x00FF00FF00FF00FF)) << 8);
        acc.d = t ^ mul.d;

        XtimeLong(&mul.d);          /* 2*a */
        acc.d ^= mul.d;
        for (j = 0; j < 8; j++)
            acc.b[j] ^= mul.b[(j & 4) | ((j + 1) & 3)];

        /* + 4*(a[i] ^ a[i+2]) */
        XtimeLong(&mul.d);          /* 4*a */
        mul.d ^= ((mul.d & U64(0xFFFF0000FFFF0000)) >> 16)
            | ((mul.d & U64(0x0000FFFF0000FFFF)) << 16);
        acc.d ^= mul.d;

        /* + 8*(a[0] ^ a[1] ^ a[2] ^ a[3]) */
        XtimeLong(&mul.d);
        mul.d ^= ((mul.d & U64(0xFF00FF00FF00FF00)) >> 8)
            | ((mul.d & U64(0x00FF00FF00FF00FF)) << 8);
        acc.d ^= mul.d;

        state[c] = acc.d;
    }
}
526
/*
 * XORs one 16-byte round key (two u64 words at w) into the state.
 */
static void AddRoundKey(u64 *state, const u64 *w)
{
    int i;

    for (i = 0; i < 2; i++)
        state[i] ^= w[i];
}
532
/*
 * Encrypts one 16-byte block.
 *
 * in   16 input bytes; copied into a local buffer before any write to
 *      out, so in and out may be the same buffer.
 * out  receives the 16 output bytes.
 * w    key schedule, two u64 words per round key, nr + 1 round keys.
 * nr   number of rounds; it alone decides the loop count and the round
 *      key offsets, so control flow does not depend on key or data.
 */
static void Cipher(const unsigned char *in, unsigned char *out,
                   const u64 *w, int nr)
{
    u64 block[2];
    const u64 *rk = w;
    int round;

    memcpy(block, in, 16);
    AddRoundKey(block, rk);

    /* Rounds 1 .. nr-1: full round with MixColumns. */
    for (round = 1; round < nr; round++) {
        rk += 2;
        SubLong(&block[0]);
        SubLong(&block[1]);
        ShiftRows(block);
        MixColumns(block);
        AddRoundKey(block, rk);
    }

    /* Final round omits MixColumns. */
    SubLong(&block[0]);
    SubLong(&block[1]);
    ShiftRows(block);
    AddRoundKey(block, w + nr * 2);

    memcpy(out, block, 16);
}
558
/*
 * Decrypts one 16-byte block using the same key schedule that Cipher
 * uses, consumed from the last round key back to the first.
 *
 * in   16 input bytes; copied into a local buffer before any write to
 *      out, so in and out may be the same buffer.
 * out  receives the 16 output bytes.
 * w    key schedule, two u64 words per round key, nr + 1 round keys.
 * nr   number of rounds; it alone decides the loop count and the round
 *      key offsets.
 */
static void InvCipher(const unsigned char *in, unsigned char *out,
                      const u64 *w, int nr)
{
    u64 block[2];
    const u64 *rk = w + nr * 2;
    int round = nr;

    memcpy(block, in, 16);
    AddRoundKey(block, rk);

    /* Rounds nr-1 .. 1, each undoing one full encryption round. */
    while (--round > 0) {
        rk -= 2;
        InvShiftRows(block);
        InvSubLong(&block[0]);
        InvSubLong(&block[1]);
        AddRoundKey(block, rk);
        InvMixColumns(block);
    }

    /* Last step pairs with the initial AddRoundKey of encryption. */
    InvShiftRows(block);
    InvSubLong(&block[0]);
    InvSubLong(&block[1]);
    AddRoundKey(block, w);

    memcpy(out, block, 16);
}
585
/*
 * Rotates the four bytes of *x by one position in memory order: byte 0
 * moves to the end and the others move down. Working on bytes rather
 * than on the integer value keeps the result independent of host byte
 * order.
 */
static void RotWord(u32 *x)
{
    unsigned char *p = (unsigned char *)x;
    const unsigned char first = p[0];
    int i;

    for (i = 0; i < 3; i++)
        p[i] = p[i + 1];
    p[3] = first;
}
598
/*
 * Expands the raw key into (nr + 1) round keys stored as u64 pairs in w.
 *
 * key  nk * 4 bytes of key material.
 * w    output schedule; must hold (nr + 1) * 2 u64 words.
 * nr   number of rounds.
 * nk   key length in 32-bit words; the caller visible in this file passes
 *      4, 6 or 8.
 *
 * The branches below test only the loop counter and nk, never key bytes,
 * and the substitution is done by SubWord without table lookups.
 *
 * NOTE(review): cur and t still hold round-key words when this returns
 * and are not wiped. If stack residue is in the threat model, confirm
 * whether they should be cleared here; the schedule in w itself is the
 * caller's to cleanse.
 */
static void KeyExpansion(const unsigned char *key, u64 *w,
                         int nr, int nk)
{
    const int stride = nk / 2;          /* key length in u64 words */
    const int total = (nr + 1) * 2;     /* schedule length in u64 words */
    uni cur;
    u32 rcon, t;
    int i, phase;

    memcpy(w, key, nk * 4);
    /* Round constant 0x01 in the first byte in memory, whatever the
     * host byte order. */
    memcpy(&rcon, "\1\0\0\0", 4);
    cur.d = w[stride - 1];

    for (i = stride; i < total; i++) {
        phase = i % stride;
        t = cur.w[1];                   /* last 32-bit word produced so far */

        if (phase == 0) {
            /* Start of a new key-length group. */
            RotWord(&t);
            SubWord(&t);
            t ^= rcon;
            XtimeWord(&rcon);           /* next round constant */
        } else if (nk > 6 && phase == 2) {
            /* Extra substitution taken only when nk > 6. */
            SubWord(&t);
        }

        cur.d = w[i - stride];
        cur.w[0] ^= t;
        cur.w[1] ^= cur.w[0];
        w[i] = cur.d;
    }
}
627
628 /**
629 * Expand the cipher key into the encryption key schedule.
630 */
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    /*
     * Returns 0 on success, -1 if userKey or key is NULL, -2 if bits is
     * not 128, 192 or 256. On either error nothing is written to *key.
     *
     * NOTE(review): key->rd_key is reinterpreted as an array of u64. Its
     * declaration is in <openssl/aes.h>, not shown here; this assumes it
     * is suitably aligned and holds (rounds + 1) * 2 u64 words - confirm.
     * The expanded schedule is key material, and wiping *key after use is
     * left to the caller.
     */
    if (userKey == NULL || key == NULL)
        return -1;

    switch (bits) {
    case 128:
        key->rounds = 10;
        break;
    case 192:
        key->rounds = 12;
        break;
    case 256:
        key->rounds = 14;
        break;
    default:
        return -2;
    }

    KeyExpansion(userKey, (u64 *)key->rd_key, key->rounds, bits / 32);
    return 0;
}
653
654 /**
655 * Expand the cipher key into the decryption key schedule.
656 */
int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    /*
     * In this build the decryption schedule is the encryption schedule:
     * InvCipher reads the same round keys from the last one backwards.
     * Return values are those of AES_set_encrypt_key (0, -1 or -2).
     */
    const int status = AES_set_encrypt_key(userKey, bits, key);

    return status;
}
662
663 /*
664 * Encrypt a single block
665 * in and out can overlap
666 */
void AES_encrypt(const unsigned char *in, unsigned char *out,
                 const AES_KEY *key)
{
    /*
     * in and out are 16-byte buffers and may overlap, because Cipher
     * copies the input into a local block before writing any output.
     * The NULL check is an assert only: when NDEBUG is defined it is
     * compiled out, so callers must pass valid pointers and a key that
     * was set up by AES_set_encrypt_key.
     */
    assert(in && out && key);

    Cipher(in, out, (const u64 *)key->rd_key, key->rounds);
}
677
678 /*
679 * Decrypt a single block
680 * in and out can overlap
681 */
void AES_decrypt(const unsigned char *in, unsigned char *out,
                 const AES_KEY *key)
{
    /*
     * in and out are 16-byte buffers and may overlap, because InvCipher
     * copies the input into a local block before writing any output.
     * The NULL check is an assert only: when NDEBUG is defined it is
     * compiled out, so callers must pass valid pointers and a key that
     * was set up by AES_set_decrypt_key.
     */
    assert(in && out && key);

    InvCipher(in, out, (const u64 *)key->rd_key, key->rounds);
}
692 #elif !defined(AES_ASM)
693 /*-
694 Te0[x] = S [x].[02, 01, 01, 03];
695 Te1[x] = S [x].[03, 02, 01, 01];
696 Te2[x] = S [x].[01, 03, 02, 01];
697 Te3[x] = S [x].[01, 01, 03, 02];
698
699 Td0[x] = Si[x].[0e, 09, 0d, 0b];
700 Td1[x] = Si[x].[0b, 0e, 09, 0d];
701 Td2[x] = Si[x].[0d, 0b, 0e, 09];
702 Td3[x] = Si[x].[09, 0d, 0b, 0e];
703 Td4[x] = Si[x].[01];
704 */
705
/*
 * Te0[x] packs S[x] multiplied by 02, 01, 01, 03 into one u32, most
 * significant byte first (entry 0 is c6 63 63 a5 for S[0] = 63).
 *
 * NOTE(review): this table belongs to the branch compiled when
 * OPENSSL_AES_CONST_TIME is not defined. The code that reads it is not
 * shown here; if entries are selected by key- or data-dependent bytes,
 * the access pattern is observable through the data cache, which the
 * table-free branch above avoids. Confirm which build is in use where
 * an attacker can share the cache.
 */
static const u32 Te0[256] = {
    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
};
/*
 * Te1[x] packs S[x] multiplied by 03, 02, 01, 01 into one u32, most
 * significant byte first (entry 0 is a5 c6 63 63 for S[0] = 63).
 * Each entry is the matching Te0 entry rotated right by one byte.
 * NOTE(review): if the code that reads this table (not shown here)
 * indexes it with secret-dependent bytes, the lookups have a
 * data-dependent cache footprint; confirm against that code.
 */
static const u32 Te1[256] = {
    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
};
1222 static const u32 Te2[256] = {
1223 0x63a5c663U,
1224 0x7c84f87cU,
1225 0x7799ee77U,
1226 0x7b8df67bU,
1227 0xf20dfff2U,
1228 0x6bbdd66bU,
1229 0x6fb1de6fU,
1230 0xc55491c5U,
1231 0x30506030U,
1232 0x01030201U,
1233 0x67a9ce67U,
1234 0x2b7d562bU,
1235 0xfe19e7feU,
1236 0xd762b5d7U,
1237 0xabe64dabU,
1238 0x769aec76U,
1239 0xca458fcaU,
1240 0x829d1f82U,
1241 0xc94089c9U,
1242 0x7d87fa7dU,
1243 0xfa15effaU,
1244 0x59ebb259U,
1245 0x47c98e47U,
1246 0xf00bfbf0U,
1247 0xadec41adU,
1248 0xd467b3d4U,
1249 0xa2fd5fa2U,
1250 0xafea45afU,
1251 0x9cbf239cU,
1252 0xa4f753a4U,
1253 0x7296e472U,
1254 0xc05b9bc0U,
1255 0xb7c275b7U,
1256 0xfd1ce1fdU,
1257 0x93ae3d93U,
1258 0x266a4c26U,
1259 0x365a6c36U,
1260 0x3f417e3fU,
1261 0xf702f5f7U,
1262 0xcc4f83ccU,
1263 0x345c6834U,
1264 0xa5f451a5U,
1265 0xe534d1e5U,
1266 0xf108f9f1U,
1267 0x7193e271U,
1268 0xd873abd8U,
1269 0x31536231U,
1270 0x153f2a15U,
1271 0x040c0804U,
1272 0xc75295c7U,
1273 0x23654623U,
1274 0xc35e9dc3U,
1275 0x18283018U,
1276 0x96a13796U,
1277 0x050f0a05U,
1278 0x9ab52f9aU,
1279 0x07090e07U,
1280 0x12362412U,
1281 0x809b1b80U,
1282 0xe23ddfe2U,
1283 0xeb26cdebU,
1284 0x27694e27U,
1285 0xb2cd7fb2U,
1286 0x759fea75U,
1287 0x091b1209U,
1288 0x839e1d83U,
1289 0x2c74582cU,
1290 0x1a2e341aU,
1291 0x1b2d361bU,
1292 0x6eb2dc6eU,
1293 0x5aeeb45aU,
1294 0xa0fb5ba0U,
1295 0x52f6a452U,
1296 0x3b4d763bU,
1297 0xd661b7d6U,
1298 0xb3ce7db3U,
1299 0x297b5229U,
1300 0xe33edde3U,
1301 0x2f715e2fU,
1302 0x84971384U,
1303 0x53f5a653U,
1304 0xd168b9d1U,
1305 0x00000000U,
1306 0xed2cc1edU,
1307 0x20604020U,
1308 0xfc1fe3fcU,
1309 0xb1c879b1U,
1310 0x5bedb65bU,
1311 0x6abed46aU,
1312 0xcb468dcbU,
1313 0xbed967beU,
1314 0x394b7239U,
1315 0x4ade944aU,
1316 0x4cd4984cU,
1317 0x58e8b058U,
1318 0xcf4a85cfU,
1319 0xd06bbbd0U,
1320 0xef2ac5efU,
1321 0xaae54faaU,
1322 0xfb16edfbU,
1323 0x43c58643U,
1324 0x4dd79a4dU,
1325 0x33556633U,
1326 0x85941185U,
1327 0x45cf8a45U,
1328 0xf910e9f9U,
1329 0x02060402U,
1330 0x7f81fe7fU,
1331 0x50f0a050U,
1332 0x3c44783cU,
1333 0x9fba259fU,
1334 0xa8e34ba8U,
1335 0x51f3a251U,
1336 0xa3fe5da3U,
1337 0x40c08040U,
1338 0x8f8a058fU,
1339 0x92ad3f92U,
1340 0x9dbc219dU,
1341 0x38487038U,
1342 0xf504f1f5U,
1343 0xbcdf63bcU,
1344 0xb6c177b6U,
1345 0xda75afdaU,
1346 0x21634221U,
1347 0x10302010U,
1348 0xff1ae5ffU,
1349 0xf30efdf3U,
1350 0xd26dbfd2U,
1351 0xcd4c81cdU,
1352 0x0c14180cU,
1353 0x13352613U,
1354 0xec2fc3ecU,
1355 0x5fe1be5fU,
1356 0x97a23597U,
1357 0x44cc8844U,
1358 0x17392e17U,
1359 0xc45793c4U,
1360 0xa7f255a7U,
1361 0x7e82fc7eU,
1362 0x3d477a3dU,
1363 0x64acc864U,
1364 0x5de7ba5dU,
1365 0x192b3219U,
1366 0x7395e673U,
1367 0x60a0c060U,
1368 0x81981981U,
1369 0x4fd19e4fU,
1370 0xdc7fa3dcU,
1371 0x22664422U,
1372 0x2a7e542aU,
1373 0x90ab3b90U,
1374 0x88830b88U,
1375 0x46ca8c46U,
1376 0xee29c7eeU,
1377 0xb8d36bb8U,
1378 0x143c2814U,
1379 0xde79a7deU,
1380 0x5ee2bc5eU,
1381 0x0b1d160bU,
1382 0xdb76addbU,
1383 0xe03bdbe0U,
1384 0x32566432U,
1385 0x3a4e743aU,
1386 0x0a1e140aU,
1387 0x49db9249U,
1388 0x060a0c06U,
1389 0x246c4824U,
1390 0x5ce4b85cU,
1391 0xc25d9fc2U,
1392 0xd36ebdd3U,
1393 0xacef43acU,
1394 0x62a6c462U,
1395 0x91a83991U,
1396 0x95a43195U,
1397 0xe437d3e4U,
1398 0x798bf279U,
1399 0xe732d5e7U,
1400 0xc8438bc8U,
1401 0x37596e37U,
1402 0x6db7da6dU,
1403 0x8d8c018dU,
1404 0xd564b1d5U,
1405 0x4ed29c4eU,
1406 0xa9e049a9U,
1407 0x6cb4d86cU,
1408 0x56faac56U,
1409 0xf407f3f4U,
1410 0xea25cfeaU,
1411 0x65afca65U,
1412 0x7a8ef47aU,
1413 0xaee947aeU,
1414 0x08181008U,
1415 0xbad56fbaU,
1416 0x7888f078U,
1417 0x256f4a25U,
1418 0x2e725c2eU,
1419 0x1c24381cU,
1420 0xa6f157a6U,
1421 0xb4c773b4U,
1422 0xc65197c6U,
1423 0xe823cbe8U,
1424 0xdd7ca1ddU,
1425 0x749ce874U,
1426 0x1f213e1fU,
1427 0x4bdd964bU,
1428 0xbddc61bdU,
1429 0x8b860d8bU,
1430 0x8a850f8aU,
1431 0x7090e070U,
1432 0x3e427c3eU,
1433 0xb5c471b5U,
1434 0x66aacc66U,
1435 0x48d89048U,
1436 0x03050603U,
1437 0xf601f7f6U,
1438 0x0e121c0eU,
1439 0x61a3c261U,
1440 0x355f6a35U,
1441 0x57f9ae57U,
1442 0xb9d069b9U,
1443 0x86911786U,
1444 0xc15899c1U,
1445 0x1d273a1dU,
1446 0x9eb9279eU,
1447 0xe138d9e1U,
1448 0xf813ebf8U,
1449 0x98b32b98U,
1450 0x11332211U,
1451 0x69bbd269U,
1452 0xd970a9d9U,
1453 0x8e89078eU,
1454 0x94a73394U,
1455 0x9bb62d9bU,
1456 0x1e223c1eU,
1457 0x87921587U,
1458 0xe920c9e9U,
1459 0xce4987ceU,
1460 0x55ffaa55U,
1461 0x28785028U,
1462 0xdf7aa5dfU,
1463 0x8c8f038cU,
1464 0xa1f859a1U,
1465 0x89800989U,
1466 0x0d171a0dU,
1467 0xbfda65bfU,
1468 0xe631d7e6U,
1469 0x42c68442U,
1470 0x68b8d068U,
1471 0x41c38241U,
1472 0x99b02999U,
1473 0x2d775a2dU,
1474 0x0f111e0fU,
1475 0xb0cb7bb0U,
1476 0x54fca854U,
1477 0xbbd66dbbU,
1478 0x163a2c16U,
1479 };
/*
 * Te3[x] = S[x].[01, 01, 03, 02]: the same four S-box multiples as the other
 * Te tables, rotated by one more byte (entry 0 is 0x6363a5c6).
 * AES_set_encrypt_key() in this file indexes it with bytes of key-schedule
 * words, so accesses are secret-dependent.
 */
1480 static const u32 Te3[256] = {
1481 0x6363a5c6U,
1482 0x7c7c84f8U,
1483 0x777799eeU,
1484 0x7b7b8df6U,
1485 0xf2f20dffU,
1486 0x6b6bbdd6U,
1487 0x6f6fb1deU,
1488 0xc5c55491U,
1489 0x30305060U,
1490 0x01010302U,
1491 0x6767a9ceU,
1492 0x2b2b7d56U,
1493 0xfefe19e7U,
1494 0xd7d762b5U,
1495 0xababe64dU,
1496 0x76769aecU,
1497 0xcaca458fU,
1498 0x82829d1fU,
1499 0xc9c94089U,
1500 0x7d7d87faU,
1501 0xfafa15efU,
1502 0x5959ebb2U,
1503 0x4747c98eU,
1504 0xf0f00bfbU,
1505 0xadadec41U,
1506 0xd4d467b3U,
1507 0xa2a2fd5fU,
1508 0xafafea45U,
1509 0x9c9cbf23U,
1510 0xa4a4f753U,
1511 0x727296e4U,
1512 0xc0c05b9bU,
1513 0xb7b7c275U,
1514 0xfdfd1ce1U,
1515 0x9393ae3dU,
1516 0x26266a4cU,
1517 0x36365a6cU,
1518 0x3f3f417eU,
1519 0xf7f702f5U,
1520 0xcccc4f83U,
1521 0x34345c68U,
1522 0xa5a5f451U,
1523 0xe5e534d1U,
1524 0xf1f108f9U,
1525 0x717193e2U,
1526 0xd8d873abU,
1527 0x31315362U,
1528 0x15153f2aU,
1529 0x04040c08U,
1530 0xc7c75295U,
1531 0x23236546U,
1532 0xc3c35e9dU,
1533 0x18182830U,
1534 0x9696a137U,
1535 0x05050f0aU,
1536 0x9a9ab52fU,
1537 0x0707090eU,
1538 0x12123624U,
1539 0x80809b1bU,
1540 0xe2e23ddfU,
1541 0xebeb26cdU,
1542 0x2727694eU,
1543 0xb2b2cd7fU,
1544 0x75759feaU,
1545 0x09091b12U,
1546 0x83839e1dU,
1547 0x2c2c7458U,
1548 0x1a1a2e34U,
1549 0x1b1b2d36U,
1550 0x6e6eb2dcU,
1551 0x5a5aeeb4U,
1552 0xa0a0fb5bU,
1553 0x5252f6a4U,
1554 0x3b3b4d76U,
1555 0xd6d661b7U,
1556 0xb3b3ce7dU,
1557 0x29297b52U,
1558 0xe3e33eddU,
1559 0x2f2f715eU,
1560 0x84849713U,
1561 0x5353f5a6U,
1562 0xd1d168b9U,
1563 0x00000000U,
1564 0xeded2cc1U,
1565 0x20206040U,
1566 0xfcfc1fe3U,
1567 0xb1b1c879U,
1568 0x5b5bedb6U,
1569 0x6a6abed4U,
1570 0xcbcb468dU,
1571 0xbebed967U,
1572 0x39394b72U,
1573 0x4a4ade94U,
1574 0x4c4cd498U,
1575 0x5858e8b0U,
1576 0xcfcf4a85U,
1577 0xd0d06bbbU,
1578 0xefef2ac5U,
1579 0xaaaae54fU,
1580 0xfbfb16edU,
1581 0x4343c586U,
1582 0x4d4dd79aU,
1583 0x33335566U,
1584 0x85859411U,
1585 0x4545cf8aU,
1586 0xf9f910e9U,
1587 0x02020604U,
1588 0x7f7f81feU,
1589 0x5050f0a0U,
1590 0x3c3c4478U,
1591 0x9f9fba25U,
1592 0xa8a8e34bU,
1593 0x5151f3a2U,
1594 0xa3a3fe5dU,
1595 0x4040c080U,
1596 0x8f8f8a05U,
1597 0x9292ad3fU,
1598 0x9d9dbc21U,
1599 0x38384870U,
1600 0xf5f504f1U,
1601 0xbcbcdf63U,
1602 0xb6b6c177U,
1603 0xdada75afU,
1604 0x21216342U,
1605 0x10103020U,
1606 0xffff1ae5U,
1607 0xf3f30efdU,
1608 0xd2d26dbfU,
1609 0xcdcd4c81U,
1610 0x0c0c1418U,
1611 0x13133526U,
1612 0xecec2fc3U,
1613 0x5f5fe1beU,
1614 0x9797a235U,
1615 0x4444cc88U,
1616 0x1717392eU,
1617 0xc4c45793U,
1618 0xa7a7f255U,
1619 0x7e7e82fcU,
1620 0x3d3d477aU,
1621 0x6464acc8U,
1622 0x5d5de7baU,
1623 0x19192b32U,
1624 0x737395e6U,
1625 0x6060a0c0U,
1626 0x81819819U,
1627 0x4f4fd19eU,
1628 0xdcdc7fa3U,
1629 0x22226644U,
1630 0x2a2a7e54U,
1631 0x9090ab3bU,
1632 0x8888830bU,
1633 0x4646ca8cU,
1634 0xeeee29c7U,
1635 0xb8b8d36bU,
1636 0x14143c28U,
1637 0xdede79a7U,
1638 0x5e5ee2bcU,
1639 0x0b0b1d16U,
1640 0xdbdb76adU,
1641 0xe0e03bdbU,
1642 0x32325664U,
1643 0x3a3a4e74U,
1644 0x0a0a1e14U,
1645 0x4949db92U,
1646 0x06060a0cU,
1647 0x24246c48U,
1648 0x5c5ce4b8U,
1649 0xc2c25d9fU,
1650 0xd3d36ebdU,
1651 0xacacef43U,
1652 0x6262a6c4U,
1653 0x9191a839U,
1654 0x9595a431U,
1655 0xe4e437d3U,
1656 0x79798bf2U,
1657 0xe7e732d5U,
1658 0xc8c8438bU,
1659 0x3737596eU,
1660 0x6d6db7daU,
1661 0x8d8d8c01U,
1662 0xd5d564b1U,
1663 0x4e4ed29cU,
1664 0xa9a9e049U,
1665 0x6c6cb4d8U,
1666 0x5656faacU,
1667 0xf4f407f3U,
1668 0xeaea25cfU,
1669 0x6565afcaU,
1670 0x7a7a8ef4U,
1671 0xaeaee947U,
1672 0x08081810U,
1673 0xbabad56fU,
1674 0x787888f0U,
1675 0x25256f4aU,
1676 0x2e2e725cU,
1677 0x1c1c2438U,
1678 0xa6a6f157U,
1679 0xb4b4c773U,
1680 0xc6c65197U,
1681 0xe8e823cbU,
1682 0xdddd7ca1U,
1683 0x74749ce8U,
1684 0x1f1f213eU,
1685 0x4b4bdd96U,
1686 0xbdbddc61U,
1687 0x8b8b860dU,
1688 0x8a8a850fU,
1689 0x707090e0U,
1690 0x3e3e427cU,
1691 0xb5b5c471U,
1692 0x6666aaccU,
1693 0x4848d890U,
1694 0x03030506U,
1695 0xf6f601f7U,
1696 0x0e0e121cU,
1697 0x6161a3c2U,
1698 0x35355f6aU,
1699 0x5757f9aeU,
1700 0xb9b9d069U,
1701 0x86869117U,
1702 0xc1c15899U,
1703 0x1d1d273aU,
1704 0x9e9eb927U,
1705 0xe1e138d9U,
1706 0xf8f813ebU,
1707 0x9898b32bU,
1708 0x11113322U,
1709 0x6969bbd2U,
1710 0xd9d970a9U,
1711 0x8e8e8907U,
1712 0x9494a733U,
1713 0x9b9bb62dU,
1714 0x1e1e223cU,
1715 0x87879215U,
1716 0xe9e920c9U,
1717 0xcece4987U,
1718 0x5555ffaaU,
1719 0x28287850U,
1720 0xdfdf7aa5U,
1721 0x8c8c8f03U,
1722 0xa1a1f859U,
1723 0x89898009U,
1724 0x0d0d171aU,
1725 0xbfbfda65U,
1726 0xe6e631d7U,
1727 0x4242c684U,
1728 0x6868b8d0U,
1729 0x4141c382U,
1730 0x9999b029U,
1731 0x2d2d775aU,
1732 0x0f0f111eU,
1733 0xb0b0cb7bU,
1734 0x5454fca8U,
1735 0xbbbbd66dU,
1736 0x16163a2cU,
1737 };
1738
/*
 * Td0[x] = Si[x].[0e, 09, 0d, 0b]: each word packs the four GF(2^8)
 * multiples of the inverse S-box output for byte x, most significant byte
 * first (entry 0 is 0x51f4a750, i.e. Si[0] = 0x52).
 * NOTE(review): presumably indexed by state/round-key bytes in the decryption
 * path, which would make accesses secret-dependent; the users are outside
 * this excerpt.
 */
1739 static const u32 Td0[256] = {
1740 0x51f4a750U,
1741 0x7e416553U,
1742 0x1a17a4c3U,
1743 0x3a275e96U,
1744 0x3bab6bcbU,
1745 0x1f9d45f1U,
1746 0xacfa58abU,
1747 0x4be30393U,
1748 0x2030fa55U,
1749 0xad766df6U,
1750 0x88cc7691U,
1751 0xf5024c25U,
1752 0x4fe5d7fcU,
1753 0xc52acbd7U,
1754 0x26354480U,
1755 0xb562a38fU,
1756 0xdeb15a49U,
1757 0x25ba1b67U,
1758 0x45ea0e98U,
1759 0x5dfec0e1U,
1760 0xc32f7502U,
1761 0x814cf012U,
1762 0x8d4697a3U,
1763 0x6bd3f9c6U,
1764 0x038f5fe7U,
1765 0x15929c95U,
1766 0xbf6d7aebU,
1767 0x955259daU,
1768 0xd4be832dU,
1769 0x587421d3U,
1770 0x49e06929U,
1771 0x8ec9c844U,
1772 0x75c2896aU,
1773 0xf48e7978U,
1774 0x99583e6bU,
1775 0x27b971ddU,
1776 0xbee14fb6U,
1777 0xf088ad17U,
1778 0xc920ac66U,
1779 0x7dce3ab4U,
1780 0x63df4a18U,
1781 0xe51a3182U,
1782 0x97513360U,
1783 0x62537f45U,
1784 0xb16477e0U,
1785 0xbb6bae84U,
1786 0xfe81a01cU,
1787 0xf9082b94U,
1788 0x70486858U,
1789 0x8f45fd19U,
1790 0x94de6c87U,
1791 0x527bf8b7U,
1792 0xab73d323U,
1793 0x724b02e2U,
1794 0xe31f8f57U,
1795 0x6655ab2aU,
1796 0xb2eb2807U,
1797 0x2fb5c203U,
1798 0x86c57b9aU,
1799 0xd33708a5U,
1800 0x302887f2U,
1801 0x23bfa5b2U,
1802 0x02036abaU,
1803 0xed16825cU,
1804 0x8acf1c2bU,
1805 0xa779b492U,
1806 0xf307f2f0U,
1807 0x4e69e2a1U,
1808 0x65daf4cdU,
1809 0x0605bed5U,
1810 0xd134621fU,
1811 0xc4a6fe8aU,
1812 0x342e539dU,
1813 0xa2f355a0U,
1814 0x058ae132U,
1815 0xa4f6eb75U,
1816 0x0b83ec39U,
1817 0x4060efaaU,
1818 0x5e719f06U,
1819 0xbd6e1051U,
1820 0x3e218af9U,
1821 0x96dd063dU,
1822 0xdd3e05aeU,
1823 0x4de6bd46U,
1824 0x91548db5U,
1825 0x71c45d05U,
1826 0x0406d46fU,
1827 0x605015ffU,
1828 0x1998fb24U,
1829 0xd6bde997U,
1830 0x894043ccU,
1831 0x67d99e77U,
1832 0xb0e842bdU,
1833 0x07898b88U,
1834 0xe7195b38U,
1835 0x79c8eedbU,
1836 0xa17c0a47U,
1837 0x7c420fe9U,
1838 0xf8841ec9U,
1839 0x00000000U,
1840 0x09808683U,
1841 0x322bed48U,
1842 0x1e1170acU,
1843 0x6c5a724eU,
1844 0xfd0efffbU,
1845 0x0f853856U,
1846 0x3daed51eU,
1847 0x362d3927U,
1848 0x0a0fd964U,
1849 0x685ca621U,
1850 0x9b5b54d1U,
1851 0x24362e3aU,
1852 0x0c0a67b1U,
1853 0x9357e70fU,
1854 0xb4ee96d2U,
1855 0x1b9b919eU,
1856 0x80c0c54fU,
1857 0x61dc20a2U,
1858 0x5a774b69U,
1859 0x1c121a16U,
1860 0xe293ba0aU,
1861 0xc0a02ae5U,
1862 0x3c22e043U,
1863 0x121b171dU,
1864 0x0e090d0bU,
1865 0xf28bc7adU,
1866 0x2db6a8b9U,
1867 0x141ea9c8U,
1868 0x57f11985U,
1869 0xaf75074cU,
1870 0xee99ddbbU,
1871 0xa37f60fdU,
1872 0xf701269fU,
1873 0x5c72f5bcU,
1874 0x44663bc5U,
1875 0x5bfb7e34U,
1876 0x8b432976U,
1877 0xcb23c6dcU,
1878 0xb6edfc68U,
1879 0xb8e4f163U,
1880 0xd731dccaU,
1881 0x42638510U,
1882 0x13972240U,
1883 0x84c61120U,
1884 0x854a247dU,
1885 0xd2bb3df8U,
1886 0xaef93211U,
1887 0xc729a16dU,
1888 0x1d9e2f4bU,
1889 0xdcb230f3U,
1890 0x0d8652ecU,
1891 0x77c1e3d0U,
1892 0x2bb3166cU,
1893 0xa970b999U,
1894 0x119448faU,
1895 0x47e96422U,
1896 0xa8fc8cc4U,
1897 0xa0f03f1aU,
1898 0x567d2cd8U,
1899 0x223390efU,
1900 0x87494ec7U,
1901 0xd938d1c1U,
1902 0x8ccaa2feU,
1903 0x98d40b36U,
1904 0xa6f581cfU,
1905 0xa57ade28U,
1906 0xdab78e26U,
1907 0x3fadbfa4U,
1908 0x2c3a9de4U,
1909 0x5078920dU,
1910 0x6a5fcc9bU,
1911 0x547e4662U,
1912 0xf68d13c2U,
1913 0x90d8b8e8U,
1914 0x2e39f75eU,
1915 0x82c3aff5U,
1916 0x9f5d80beU,
1917 0x69d0937cU,
1918 0x6fd52da9U,
1919 0xcf2512b3U,
1920 0xc8ac993bU,
1921 0x10187da7U,
1922 0xe89c636eU,
1923 0xdb3bbb7bU,
1924 0xcd267809U,
1925 0x6e5918f4U,
1926 0xec9ab701U,
1927 0x834f9aa8U,
1928 0xe6956e65U,
1929 0xaaffe67eU,
1930 0x21bccf08U,
1931 0xef15e8e6U,
1932 0xbae79bd9U,
1933 0x4a6f36ceU,
1934 0xea9f09d4U,
1935 0x29b07cd6U,
1936 0x31a4b2afU,
1937 0x2a3f2331U,
1938 0xc6a59430U,
1939 0x35a266c0U,
1940 0x744ebc37U,
1941 0xfc82caa6U,
1942 0xe090d0b0U,
1943 0x33a7d815U,
1944 0xf104984aU,
1945 0x41ecdaf7U,
1946 0x7fcd500eU,
1947 0x1791f62fU,
1948 0x764dd68dU,
1949 0x43efb04dU,
1950 0xccaa4d54U,
1951 0xe49604dfU,
1952 0x9ed1b5e3U,
1953 0x4c6a881bU,
1954 0xc12c1fb8U,
1955 0x4665517fU,
1956 0x9d5eea04U,
1957 0x018c355dU,
1958 0xfa877473U,
1959 0xfb0b412eU,
1960 0xb3671d5aU,
1961 0x92dbd252U,
1962 0xe9105633U,
1963 0x6dd64713U,
1964 0x9ad7618cU,
1965 0x37a10c7aU,
1966 0x59f8148eU,
1967 0xeb133c89U,
1968 0xcea927eeU,
1969 0xb761c935U,
1970 0xe11ce5edU,
1971 0x7a47b13cU,
1972 0x9cd2df59U,
1973 0x55f2733fU,
1974 0x1814ce79U,
1975 0x73c737bfU,
1976 0x53f7cdeaU,
1977 0x5ffdaa5bU,
1978 0xdf3d6f14U,
1979 0x7844db86U,
1980 0xcaaff381U,
1981 0xb968c43eU,
1982 0x3824342cU,
1983 0xc2a3405fU,
1984 0x161dc372U,
1985 0xbce2250cU,
1986 0x283c498bU,
1987 0xff0d9541U,
1988 0x39a80171U,
1989 0x080cb3deU,
1990 0xd8b4e49cU,
1991 0x6456c190U,
1992 0x7bcb8461U,
1993 0xd532b670U,
1994 0x486c5c74U,
1995 0xd0b85742U,
1996 };
/*
 * Td1[x] = Si[x].[0b, 0e, 09, 0d]: Td0 rotated right by one byte
 * (entry 0 is 0x5051f4a7).
 */
1997 static const u32 Td1[256] = {
1998 0x5051f4a7U,
1999 0x537e4165U,
2000 0xc31a17a4U,
2001 0x963a275eU,
2002 0xcb3bab6bU,
2003 0xf11f9d45U,
2004 0xabacfa58U,
2005 0x934be303U,
2006 0x552030faU,
2007 0xf6ad766dU,
2008 0x9188cc76U,
2009 0x25f5024cU,
2010 0xfc4fe5d7U,
2011 0xd7c52acbU,
2012 0x80263544U,
2013 0x8fb562a3U,
2014 0x49deb15aU,
2015 0x6725ba1bU,
2016 0x9845ea0eU,
2017 0xe15dfec0U,
2018 0x02c32f75U,
2019 0x12814cf0U,
2020 0xa38d4697U,
2021 0xc66bd3f9U,
2022 0xe7038f5fU,
2023 0x9515929cU,
2024 0xebbf6d7aU,
2025 0xda955259U,
2026 0x2dd4be83U,
2027 0xd3587421U,
2028 0x2949e069U,
2029 0x448ec9c8U,
2030 0x6a75c289U,
2031 0x78f48e79U,
2032 0x6b99583eU,
2033 0xdd27b971U,
2034 0xb6bee14fU,
2035 0x17f088adU,
2036 0x66c920acU,
2037 0xb47dce3aU,
2038 0x1863df4aU,
2039 0x82e51a31U,
2040 0x60975133U,
2041 0x4562537fU,
2042 0xe0b16477U,
2043 0x84bb6baeU,
2044 0x1cfe81a0U,
2045 0x94f9082bU,
2046 0x58704868U,
2047 0x198f45fdU,
2048 0x8794de6cU,
2049 0xb7527bf8U,
2050 0x23ab73d3U,
2051 0xe2724b02U,
2052 0x57e31f8fU,
2053 0x2a6655abU,
2054 0x07b2eb28U,
2055 0x032fb5c2U,
2056 0x9a86c57bU,
2057 0xa5d33708U,
2058 0xf2302887U,
2059 0xb223bfa5U,
2060 0xba02036aU,
2061 0x5ced1682U,
2062 0x2b8acf1cU,
2063 0x92a779b4U,
2064 0xf0f307f2U,
2065 0xa14e69e2U,
2066 0xcd65daf4U,
2067 0xd50605beU,
2068 0x1fd13462U,
2069 0x8ac4a6feU,
2070 0x9d342e53U,
2071 0xa0a2f355U,
2072 0x32058ae1U,
2073 0x75a4f6ebU,
2074 0x390b83ecU,
2075 0xaa4060efU,
2076 0x065e719fU,
2077 0x51bd6e10U,
2078 0xf93e218aU,
2079 0x3d96dd06U,
2080 0xaedd3e05U,
2081 0x464de6bdU,
2082 0xb591548dU,
2083 0x0571c45dU,
2084 0x6f0406d4U,
2085 0xff605015U,
2086 0x241998fbU,
2087 0x97d6bde9U,
2088 0xcc894043U,
2089 0x7767d99eU,
2090 0xbdb0e842U,
2091 0x8807898bU,
2092 0x38e7195bU,
2093 0xdb79c8eeU,
2094 0x47a17c0aU,
2095 0xe97c420fU,
2096 0xc9f8841eU,
2097 0x00000000U,
2098 0x83098086U,
2099 0x48322bedU,
2100 0xac1e1170U,
2101 0x4e6c5a72U,
2102 0xfbfd0effU,
2103 0x560f8538U,
2104 0x1e3daed5U,
2105 0x27362d39U,
2106 0x640a0fd9U,
2107 0x21685ca6U,
2108 0xd19b5b54U,
2109 0x3a24362eU,
2110 0xb10c0a67U,
2111 0x0f9357e7U,
2112 0xd2b4ee96U,
2113 0x9e1b9b91U,
2114 0x4f80c0c5U,
2115 0xa261dc20U,
2116 0x695a774bU,
2117 0x161c121aU,
2118 0x0ae293baU,
2119 0xe5c0a02aU,
2120 0x433c22e0U,
2121 0x1d121b17U,
2122 0x0b0e090dU,
2123 0xadf28bc7U,
2124 0xb92db6a8U,
2125 0xc8141ea9U,
2126 0x8557f119U,
2127 0x4caf7507U,
2128 0xbbee99ddU,
2129 0xfda37f60U,
2130 0x9ff70126U,
2131 0xbc5c72f5U,
2132 0xc544663bU,
2133 0x345bfb7eU,
2134 0x768b4329U,
2135 0xdccb23c6U,
2136 0x68b6edfcU,
2137 0x63b8e4f1U,
2138 0xcad731dcU,
2139 0x10426385U,
2140 0x40139722U,
2141 0x2084c611U,
2142 0x7d854a24U,
2143 0xf8d2bb3dU,
2144 0x11aef932U,
2145 0x6dc729a1U,
2146 0x4b1d9e2fU,
2147 0xf3dcb230U,
2148 0xec0d8652U,
2149 0xd077c1e3U,
2150 0x6c2bb316U,
2151 0x99a970b9U,
2152 0xfa119448U,
2153 0x2247e964U,
2154 0xc4a8fc8cU,
2155 0x1aa0f03fU,
2156 0xd8567d2cU,
2157 0xef223390U,
2158 0xc787494eU,
2159 0xc1d938d1U,
2160 0xfe8ccaa2U,
2161 0x3698d40bU,
2162 0xcfa6f581U,
2163 0x28a57adeU,
2164 0x26dab78eU,
2165 0xa43fadbfU,
2166 0xe42c3a9dU,
2167 0x0d507892U,
2168 0x9b6a5fccU,
2169 0x62547e46U,
2170 0xc2f68d13U,
2171 0xe890d8b8U,
2172 0x5e2e39f7U,
2173 0xf582c3afU,
2174 0xbe9f5d80U,
2175 0x7c69d093U,
2176 0xa96fd52dU,
2177 0xb3cf2512U,
2178 0x3bc8ac99U,
2179 0xa710187dU,
2180 0x6ee89c63U,
2181 0x7bdb3bbbU,
2182 0x09cd2678U,
2183 0xf46e5918U,
2184 0x01ec9ab7U,
2185 0xa8834f9aU,
2186 0x65e6956eU,
2187 0x7eaaffe6U,
2188 0x0821bccfU,
2189 0xe6ef15e8U,
2190 0xd9bae79bU,
2191 0xce4a6f36U,
2192 0xd4ea9f09U,
2193 0xd629b07cU,
2194 0xaf31a4b2U,
2195 0x312a3f23U,
2196 0x30c6a594U,
2197 0xc035a266U,
2198 0x37744ebcU,
2199 0xa6fc82caU,
2200 0xb0e090d0U,
2201 0x1533a7d8U,
2202 0x4af10498U,
2203 0xf741ecdaU,
2204 0x0e7fcd50U,
2205 0x2f1791f6U,
2206 0x8d764dd6U,
2207 0x4d43efb0U,
2208 0x54ccaa4dU,
2209 0xdfe49604U,
2210 0xe39ed1b5U,
2211 0x1b4c6a88U,
2212 0xb8c12c1fU,
2213 0x7f466551U,
2214 0x049d5eeaU,
2215 0x5d018c35U,
2216 0x73fa8774U,
2217 0x2efb0b41U,
2218 0x5ab3671dU,
2219 0x5292dbd2U,
2220 0x33e91056U,
2221 0x136dd647U,
2222 0x8c9ad761U,
2223 0x7a37a10cU,
2224 0x8e59f814U,
2225 0x89eb133cU,
2226 0xeecea927U,
2227 0x35b761c9U,
2228 0xede11ce5U,
2229 0x3c7a47b1U,
2230 0x599cd2dfU,
2231 0x3f55f273U,
2232 0x791814ceU,
2233 0xbf73c737U,
2234 0xea53f7cdU,
2235 0x5b5ffdaaU,
2236 0x14df3d6fU,
2237 0x867844dbU,
2238 0x81caaff3U,
2239 0x3eb968c4U,
2240 0x2c382434U,
2241 0x5fc2a340U,
2242 0x72161dc3U,
2243 0x0cbce225U,
2244 0x8b283c49U,
2245 0x41ff0d95U,
2246 0x7139a801U,
2247 0xde080cb3U,
2248 0x9cd8b4e4U,
2249 0x906456c1U,
2250 0x617bcb84U,
2251 0x70d532b6U,
2252 0x74486c5cU,
2253 0x42d0b857U,
2254 };
/*
 * Td2[x] = Si[x].[0d, 0b, 0e, 09]: Td0 rotated right by two bytes
 * (entry 0 is 0xa75051f4).
 */
2255 static const u32 Td2[256] = {
2256 0xa75051f4U,
2257 0x65537e41U,
2258 0xa4c31a17U,
2259 0x5e963a27U,
2260 0x6bcb3babU,
2261 0x45f11f9dU,
2262 0x58abacfaU,
2263 0x03934be3U,
2264 0xfa552030U,
2265 0x6df6ad76U,
2266 0x769188ccU,
2267 0x4c25f502U,
2268 0xd7fc4fe5U,
2269 0xcbd7c52aU,
2270 0x44802635U,
2271 0xa38fb562U,
2272 0x5a49deb1U,
2273 0x1b6725baU,
2274 0x0e9845eaU,
2275 0xc0e15dfeU,
2276 0x7502c32fU,
2277 0xf012814cU,
2278 0x97a38d46U,
2279 0xf9c66bd3U,
2280 0x5fe7038fU,
2281 0x9c951592U,
2282 0x7aebbf6dU,
2283 0x59da9552U,
2284 0x832dd4beU,
2285 0x21d35874U,
2286 0x692949e0U,
2287 0xc8448ec9U,
2288 0x896a75c2U,
2289 0x7978f48eU,
2290 0x3e6b9958U,
2291 0x71dd27b9U,
2292 0x4fb6bee1U,
2293 0xad17f088U,
2294 0xac66c920U,
2295 0x3ab47dceU,
2296 0x4a1863dfU,
2297 0x3182e51aU,
2298 0x33609751U,
2299 0x7f456253U,
2300 0x77e0b164U,
2301 0xae84bb6bU,
2302 0xa01cfe81U,
2303 0x2b94f908U,
2304 0x68587048U,
2305 0xfd198f45U,
2306 0x6c8794deU,
2307 0xf8b7527bU,
2308 0xd323ab73U,
2309 0x02e2724bU,
2310 0x8f57e31fU,
2311 0xab2a6655U,
2312 0x2807b2ebU,
2313 0xc2032fb5U,
2314 0x7b9a86c5U,
2315 0x08a5d337U,
2316 0x87f23028U,
2317 0xa5b223bfU,
2318 0x6aba0203U,
2319 0x825ced16U,
2320 0x1c2b8acfU,
2321 0xb492a779U,
2322 0xf2f0f307U,
2323 0xe2a14e69U,
2324 0xf4cd65daU,
2325 0xbed50605U,
2326 0x621fd134U,
2327 0xfe8ac4a6U,
2328 0x539d342eU,
2329 0x55a0a2f3U,
2330 0xe132058aU,
2331 0xeb75a4f6U,
2332 0xec390b83U,
2333 0xefaa4060U,
2334 0x9f065e71U,
2335 0x1051bd6eU,
2336 0x8af93e21U,
2337 0x063d96ddU,
2338 0x05aedd3eU,
2339 0xbd464de6U,
2340 0x8db59154U,
2341 0x5d0571c4U,
2342 0xd46f0406U,
2343 0x15ff6050U,
2344 0xfb241998U,
2345 0xe997d6bdU,
2346 0x43cc8940U,
2347 0x9e7767d9U,
2348 0x42bdb0e8U,
2349 0x8b880789U,
2350 0x5b38e719U,
2351 0xeedb79c8U,
2352 0x0a47a17cU,
2353 0x0fe97c42U,
2354 0x1ec9f884U,
2355 0x00000000U,
2356 0x86830980U,
2357 0xed48322bU,
2358 0x70ac1e11U,
2359 0x724e6c5aU,
2360 0xfffbfd0eU,
2361 0x38560f85U,
2362 0xd51e3daeU,
2363 0x3927362dU,
2364 0xd9640a0fU,
2365 0xa621685cU,
2366 0x54d19b5bU,
2367 0x2e3a2436U,
2368 0x67b10c0aU,
2369 0xe70f9357U,
2370 0x96d2b4eeU,
2371 0x919e1b9bU,
2372 0xc54f80c0U,
2373 0x20a261dcU,
2374 0x4b695a77U,
2375 0x1a161c12U,
2376 0xba0ae293U,
2377 0x2ae5c0a0U,
2378 0xe0433c22U,
2379 0x171d121bU,
2380 0x0d0b0e09U,
2381 0xc7adf28bU,
2382 0xa8b92db6U,
2383 0xa9c8141eU,
2384 0x198557f1U,
2385 0x074caf75U,
2386 0xddbbee99U,
2387 0x60fda37fU,
2388 0x269ff701U,
2389 0xf5bc5c72U,
2390 0x3bc54466U,
2391 0x7e345bfbU,
2392 0x29768b43U,
2393 0xc6dccb23U,
2394 0xfc68b6edU,
2395 0xf163b8e4U,
2396 0xdccad731U,
2397 0x85104263U,
2398 0x22401397U,
2399 0x112084c6U,
2400 0x247d854aU,
2401 0x3df8d2bbU,
2402 0x3211aef9U,
2403 0xa16dc729U,
2404 0x2f4b1d9eU,
2405 0x30f3dcb2U,
2406 0x52ec0d86U,
2407 0xe3d077c1U,
2408 0x166c2bb3U,
2409 0xb999a970U,
2410 0x48fa1194U,
2411 0x642247e9U,
2412 0x8cc4a8fcU,
2413 0x3f1aa0f0U,
2414 0x2cd8567dU,
2415 0x90ef2233U,
2416 0x4ec78749U,
2417 0xd1c1d938U,
2418 0xa2fe8ccaU,
2419 0x0b3698d4U,
2420 0x81cfa6f5U,
2421 0xde28a57aU,
2422 0x8e26dab7U,
2423 0xbfa43fadU,
2424 0x9de42c3aU,
2425 0x920d5078U,
2426 0xcc9b6a5fU,
2427 0x4662547eU,
2428 0x13c2f68dU,
2429 0xb8e890d8U,
2430 0xf75e2e39U,
2431 0xaff582c3U,
2432 0x80be9f5dU,
2433 0x937c69d0U,
2434 0x2da96fd5U,
2435 0x12b3cf25U,
2436 0x993bc8acU,
2437 0x7da71018U,
2438 0x636ee89cU,
2439 0xbb7bdb3bU,
2440 0x7809cd26U,
2441 0x18f46e59U,
2442 0xb701ec9aU,
2443 0x9aa8834fU,
2444 0x6e65e695U,
2445 0xe67eaaffU,
2446 0xcf0821bcU,
2447 0xe8e6ef15U,
2448 0x9bd9bae7U,
2449 0x36ce4a6fU,
2450 0x09d4ea9fU,
2451 0x7cd629b0U,
2452 0xb2af31a4U,
2453 0x23312a3fU,
2454 0x9430c6a5U,
2455 0x66c035a2U,
2456 0xbc37744eU,
2457 0xcaa6fc82U,
2458 0xd0b0e090U,
2459 0xd81533a7U,
2460 0x984af104U,
2461 0xdaf741ecU,
2462 0x500e7fcdU,
2463 0xf62f1791U,
2464 0xd68d764dU,
2465 0xb04d43efU,
2466 0x4d54ccaaU,
2467 0x04dfe496U,
2468 0xb5e39ed1U,
2469 0x881b4c6aU,
2470 0x1fb8c12cU,
2471 0x517f4665U,
2472 0xea049d5eU,
2473 0x355d018cU,
2474 0x7473fa87U,
2475 0x412efb0bU,
2476 0x1d5ab367U,
2477 0xd25292dbU,
2478 0x5633e910U,
2479 0x47136dd6U,
2480 0x618c9ad7U,
2481 0x0c7a37a1U,
2482 0x148e59f8U,
2483 0x3c89eb13U,
2484 0x27eecea9U,
2485 0xc935b761U,
2486 0xe5ede11cU,
2487 0xb13c7a47U,
2488 0xdf599cd2U,
2489 0x733f55f2U,
2490 0xce791814U,
2491 0x37bf73c7U,
2492 0xcdea53f7U,
2493 0xaa5b5ffdU,
2494 0x6f14df3dU,
2495 0xdb867844U,
2496 0xf381caafU,
2497 0xc43eb968U,
2498 0x342c3824U,
2499 0x405fc2a3U,
2500 0xc372161dU,
2501 0x250cbce2U,
2502 0x498b283cU,
2503 0x9541ff0dU,
2504 0x017139a8U,
2505 0xb3de080cU,
2506 0xe49cd8b4U,
2507 0xc1906456U,
2508 0x84617bcbU,
2509 0xb670d532U,
2510 0x5c74486cU,
2511 0x5742d0b8U,
2512 };
/*
 * Td3[x] = Si[x].[09, 0d, 0b, 0e]: Td0 rotated right by three bytes
 * (entry 0 is 0xf4a75051).
 */
2513 static const u32 Td3[256] = {
2514 0xf4a75051U,
2515 0x4165537eU,
2516 0x17a4c31aU,
2517 0x275e963aU,
2518 0xab6bcb3bU,
2519 0x9d45f11fU,
2520 0xfa58abacU,
2521 0xe303934bU,
2522 0x30fa5520U,
2523 0x766df6adU,
2524 0xcc769188U,
2525 0x024c25f5U,
2526 0xe5d7fc4fU,
2527 0x2acbd7c5U,
2528 0x35448026U,
2529 0x62a38fb5U,
2530 0xb15a49deU,
2531 0xba1b6725U,
2532 0xea0e9845U,
2533 0xfec0e15dU,
2534 0x2f7502c3U,
2535 0x4cf01281U,
2536 0x4697a38dU,
2537 0xd3f9c66bU,
2538 0x8f5fe703U,
2539 0x929c9515U,
2540 0x6d7aebbfU,
2541 0x5259da95U,
2542 0xbe832dd4U,
2543 0x7421d358U,
2544 0xe0692949U,
2545 0xc9c8448eU,
2546 0xc2896a75U,
2547 0x8e7978f4U,
2548 0x583e6b99U,
2549 0xb971dd27U,
2550 0xe14fb6beU,
2551 0x88ad17f0U,
2552 0x20ac66c9U,
2553 0xce3ab47dU,
2554 0xdf4a1863U,
2555 0x1a3182e5U,
2556 0x51336097U,
2557 0x537f4562U,
2558 0x6477e0b1U,
2559 0x6bae84bbU,
2560 0x81a01cfeU,
2561 0x082b94f9U,
2562 0x48685870U,
2563 0x45fd198fU,
2564 0xde6c8794U,
2565 0x7bf8b752U,
2566 0x73d323abU,
2567 0x4b02e272U,
2568 0x1f8f57e3U,
2569 0x55ab2a66U,
2570 0xeb2807b2U,
2571 0xb5c2032fU,
2572 0xc57b9a86U,
2573 0x3708a5d3U,
2574 0x2887f230U,
2575 0xbfa5b223U,
2576 0x036aba02U,
2577 0x16825cedU,
2578 0xcf1c2b8aU,
2579 0x79b492a7U,
2580 0x07f2f0f3U,
2581 0x69e2a14eU,
2582 0xdaf4cd65U,
2583 0x05bed506U,
2584 0x34621fd1U,
2585 0xa6fe8ac4U,
2586 0x2e539d34U,
2587 0xf355a0a2U,
2588 0x8ae13205U,
2589 0xf6eb75a4U,
2590 0x83ec390bU,
2591 0x60efaa40U,
2592 0x719f065eU,
2593 0x6e1051bdU,
2594 0x218af93eU,
2595 0xdd063d96U,
2596 0x3e05aeddU,
2597 0xe6bd464dU,
2598 0x548db591U,
2599 0xc45d0571U,
2600 0x06d46f04U,
2601 0x5015ff60U,
2602 0x98fb2419U,
2603 0xbde997d6U,
2604 0x4043cc89U,
2605 0xd99e7767U,
2606 0xe842bdb0U,
2607 0x898b8807U,
2608 0x195b38e7U,
2609 0xc8eedb79U,
2610 0x7c0a47a1U,
2611 0x420fe97cU,
2612 0x841ec9f8U,
2613 0x00000000U,
2614 0x80868309U,
2615 0x2bed4832U,
2616 0x1170ac1eU,
2617 0x5a724e6cU,
2618 0x0efffbfdU,
2619 0x8538560fU,
2620 0xaed51e3dU,
2621 0x2d392736U,
2622 0x0fd9640aU,
2623 0x5ca62168U,
2624 0x5b54d19bU,
2625 0x362e3a24U,
2626 0x0a67b10cU,
2627 0x57e70f93U,
2628 0xee96d2b4U,
2629 0x9b919e1bU,
2630 0xc0c54f80U,
2631 0xdc20a261U,
2632 0x774b695aU,
2633 0x121a161cU,
2634 0x93ba0ae2U,
2635 0xa02ae5c0U,
2636 0x22e0433cU,
2637 0x1b171d12U,
2638 0x090d0b0eU,
2639 0x8bc7adf2U,
2640 0xb6a8b92dU,
2641 0x1ea9c814U,
2642 0xf1198557U,
2643 0x75074cafU,
2644 0x99ddbbeeU,
2645 0x7f60fda3U,
2646 0x01269ff7U,
2647 0x72f5bc5cU,
2648 0x663bc544U,
2649 0xfb7e345bU,
2650 0x4329768bU,
2651 0x23c6dccbU,
2652 0xedfc68b6U,
2653 0xe4f163b8U,
2654 0x31dccad7U,
2655 0x63851042U,
2656 0x97224013U,
2657 0xc6112084U,
2658 0x4a247d85U,
2659 0xbb3df8d2U,
2660 0xf93211aeU,
2661 0x29a16dc7U,
2662 0x9e2f4b1dU,
2663 0xb230f3dcU,
2664 0x8652ec0dU,
2665 0xc1e3d077U,
2666 0xb3166c2bU,
2667 0x70b999a9U,
2668 0x9448fa11U,
2669 0xe9642247U,
2670 0xfc8cc4a8U,
2671 0xf03f1aa0U,
2672 0x7d2cd856U,
2673 0x3390ef22U,
2674 0x494ec787U,
2675 0x38d1c1d9U,
2676 0xcaa2fe8cU,
2677 0xd40b3698U,
2678 0xf581cfa6U,
2679 0x7ade28a5U,
2680 0xb78e26daU,
2681 0xadbfa43fU,
2682 0x3a9de42cU,
2683 0x78920d50U,
2684 0x5fcc9b6aU,
2685 0x7e466254U,
2686 0x8d13c2f6U,
2687 0xd8b8e890U,
2688 0x39f75e2eU,
2689 0xc3aff582U,
2690 0x5d80be9fU,
2691 0xd0937c69U,
2692 0xd52da96fU,
2693 0x2512b3cfU,
2694 0xac993bc8U,
2695 0x187da710U,
2696 0x9c636ee8U,
2697 0x3bbb7bdbU,
2698 0x267809cdU,
2699 0x5918f46eU,
2700 0x9ab701ecU,
2701 0x4f9aa883U,
2702 0x956e65e6U,
2703 0xffe67eaaU,
2704 0xbccf0821U,
2705 0x15e8e6efU,
2706 0xe79bd9baU,
2707 0x6f36ce4aU,
2708 0x9f09d4eaU,
2709 0xb07cd629U,
2710 0xa4b2af31U,
2711 0x3f23312aU,
2712 0xa59430c6U,
2713 0xa266c035U,
2714 0x4ebc3774U,
2715 0x82caa6fcU,
2716 0x90d0b0e0U,
2717 0xa7d81533U,
2718 0x04984af1U,
2719 0xecdaf741U,
2720 0xcd500e7fU,
2721 0x91f62f17U,
2722 0x4dd68d76U,
2723 0xefb04d43U,
2724 0xaa4d54ccU,
2725 0x9604dfe4U,
2726 0xd1b5e39eU,
2727 0x6a881b4cU,
2728 0x2c1fb8c1U,
2729 0x65517f46U,
2730 0x5eea049dU,
2731 0x8c355d01U,
2732 0x877473faU,
2733 0x0b412efbU,
2734 0x671d5ab3U,
2735 0xdbd25292U,
2736 0x105633e9U,
2737 0xd647136dU,
2738 0xd7618c9aU,
2739 0xa10c7a37U,
2740 0xf8148e59U,
2741 0x133c89ebU,
2742 0xa927eeceU,
2743 0x61c935b7U,
2744 0x1ce5ede1U,
2745 0x47b13c7aU,
2746 0xd2df599cU,
2747 0xf2733f55U,
2748 0x14ce7918U,
2749 0xc737bf73U,
2750 0xf7cdea53U,
2751 0xfdaa5b5fU,
2752 0x3d6f14dfU,
2753 0x44db8678U,
2754 0xaff381caU,
2755 0x68c43eb9U,
2756 0x24342c38U,
2757 0xa3405fc2U,
2758 0x1dc37216U,
2759 0xe2250cbcU,
2760 0x3c498b28U,
2761 0x0d9541ffU,
2762 0xa8017139U,
2763 0x0cb3de08U,
2764 0xb4e49cd8U,
2765 0x56c19064U,
2766 0xcb84617bU,
2767 0x32b670d5U,
2768 0x6c5c7448U,
2769 0xb85742d0U,
2770 };
/*
 * Td4[x] = Si[x]: the plain AES inverse S-box, one byte per entry
 * (entry 0 is 0x52).
 * NOTE(review): a 256-byte table indexed by secret bytes still spans several
 * cache lines on common CPUs; confirm how the callers (outside this excerpt)
 * access it before treating it as timing-safe.
 */
2771 static const u8 Td4[256] = {
2772 0x52U,
2773 0x09U,
2774 0x6aU,
2775 0xd5U,
2776 0x30U,
2777 0x36U,
2778 0xa5U,
2779 0x38U,
2780 0xbfU,
2781 0x40U,
2782 0xa3U,
2783 0x9eU,
2784 0x81U,
2785 0xf3U,
2786 0xd7U,
2787 0xfbU,
2788 0x7cU,
2789 0xe3U,
2790 0x39U,
2791 0x82U,
2792 0x9bU,
2793 0x2fU,
2794 0xffU,
2795 0x87U,
2796 0x34U,
2797 0x8eU,
2798 0x43U,
2799 0x44U,
2800 0xc4U,
2801 0xdeU,
2802 0xe9U,
2803 0xcbU,
2804 0x54U,
2805 0x7bU,
2806 0x94U,
2807 0x32U,
2808 0xa6U,
2809 0xc2U,
2810 0x23U,
2811 0x3dU,
2812 0xeeU,
2813 0x4cU,
2814 0x95U,
2815 0x0bU,
2816 0x42U,
2817 0xfaU,
2818 0xc3U,
2819 0x4eU,
2820 0x08U,
2821 0x2eU,
2822 0xa1U,
2823 0x66U,
2824 0x28U,
2825 0xd9U,
2826 0x24U,
2827 0xb2U,
2828 0x76U,
2829 0x5bU,
2830 0xa2U,
2831 0x49U,
2832 0x6dU,
2833 0x8bU,
2834 0xd1U,
2835 0x25U,
2836 0x72U,
2837 0xf8U,
2838 0xf6U,
2839 0x64U,
2840 0x86U,
2841 0x68U,
2842 0x98U,
2843 0x16U,
2844 0xd4U,
2845 0xa4U,
2846 0x5cU,
2847 0xccU,
2848 0x5dU,
2849 0x65U,
2850 0xb6U,
2851 0x92U,
2852 0x6cU,
2853 0x70U,
2854 0x48U,
2855 0x50U,
2856 0xfdU,
2857 0xedU,
2858 0xb9U,
2859 0xdaU,
2860 0x5eU,
2861 0x15U,
2862 0x46U,
2863 0x57U,
2864 0xa7U,
2865 0x8dU,
2866 0x9dU,
2867 0x84U,
2868 0x90U,
2869 0xd8U,
2870 0xabU,
2871 0x00U,
2872 0x8cU,
2873 0xbcU,
2874 0xd3U,
2875 0x0aU,
2876 0xf7U,
2877 0xe4U,
2878 0x58U,
2879 0x05U,
2880 0xb8U,
2881 0xb3U,
2882 0x45U,
2883 0x06U,
2884 0xd0U,
2885 0x2cU,
2886 0x1eU,
2887 0x8fU,
2888 0xcaU,
2889 0x3fU,
2890 0x0fU,
2891 0x02U,
2892 0xc1U,
2893 0xafU,
2894 0xbdU,
2895 0x03U,
2896 0x01U,
2897 0x13U,
2898 0x8aU,
2899 0x6bU,
2900 0x3aU,
2901 0x91U,
2902 0x11U,
2903 0x41U,
2904 0x4fU,
2905 0x67U,
2906 0xdcU,
2907 0xeaU,
2908 0x97U,
2909 0xf2U,
2910 0xcfU,
2911 0xceU,
2912 0xf0U,
2913 0xb4U,
2914 0xe6U,
2915 0x73U,
2916 0x96U,
2917 0xacU,
2918 0x74U,
2919 0x22U,
2920 0xe7U,
2921 0xadU,
2922 0x35U,
2923 0x85U,
2924 0xe2U,
2925 0xf9U,
2926 0x37U,
2927 0xe8U,
2928 0x1cU,
2929 0x75U,
2930 0xdfU,
2931 0x6eU,
2932 0x47U,
2933 0xf1U,
2934 0x1aU,
2935 0x71U,
2936 0x1dU,
2937 0x29U,
2938 0xc5U,
2939 0x89U,
2940 0x6fU,
2941 0xb7U,
2942 0x62U,
2943 0x0eU,
2944 0xaaU,
2945 0x18U,
2946 0xbeU,
2947 0x1bU,
2948 0xfcU,
2949 0x56U,
2950 0x3eU,
2951 0x4bU,
2952 0xc6U,
2953 0xd2U,
2954 0x79U,
2955 0x20U,
2956 0x9aU,
2957 0xdbU,
2958 0xc0U,
2959 0xfeU,
2960 0x78U,
2961 0xcdU,
2962 0x5aU,
2963 0xf4U,
2964 0x1fU,
2965 0xddU,
2966 0xa8U,
2967 0x33U,
2968 0x88U,
2969 0x07U,
2970 0xc7U,
2971 0x31U,
2972 0xb1U,
2973 0x12U,
2974 0x10U,
2975 0x59U,
2976 0x27U,
2977 0x80U,
2978 0xecU,
2979 0x5fU,
2980 0x60U,
2981 0x51U,
2982 0x7fU,
2983 0xa9U,
2984 0x19U,
2985 0xb5U,
2986 0x4aU,
2987 0x0dU,
2988 0x2dU,
2989 0xe5U,
2990 0x7aU,
2991 0x9fU,
2992 0x93U,
2993 0xc9U,
2994 0x9cU,
2995 0xefU,
2996 0xa0U,
2997 0xe0U,
2998 0x3bU,
2999 0x4dU,
3000 0xaeU,
3001 0x2aU,
3002 0xf5U,
3003 0xb0U,
3004 0xc8U,
3005 0xebU,
3006 0xbbU,
3007 0x3cU,
3008 0x83U,
3009 0x53U,
3010 0x99U,
3011 0x61U,
3012 0x17U,
3013 0x2bU,
3014 0x04U,
3015 0x7eU,
3016 0xbaU,
3017 0x77U,
3018 0xd6U,
3019 0x26U,
3020 0xe1U,
3021 0x69U,
3022 0x14U,
3023 0x63U,
3024 0x55U,
3025 0x21U,
3026 0x0cU,
3027 0x7dU,
3028 };
/*
 * Round constants for the key expansion: successive powers of 02 in GF(2^8)
 * (01, 02, 04, ..., 80, 1B, 36), each stored in the most significant byte of
 * the word.  AES_set_encrypt_key() indexes this array with its iteration
 * counter: 128-bit keys consume all ten entries, 192-bit keys the first
 * eight and 256-bit keys the first seven, so the index never leaves the
 * array for the three accepted key sizes.
 */
3029 static const u32 rcon[] = {
3030 0x01000000,
3031 0x02000000,
3032 0x04000000,
3033 0x08000000,
3034 0x10000000,
3035 0x20000000,
3036 0x40000000,
3037 0x80000000,
3038 0x1B000000,
3039 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
3040 };
3041
/**
 * Build the AES encryption key schedule from a raw cipher key.
 *
 * @param userKey  raw key bytes; 16, 24 or 32 bytes are read depending on
 *                 bits.  Must not be NULL.
 * @param bits     key length in bits: 128, 192 or 256.
 * @param key      receives the round keys in key->rd_key and the round count
 *                 (10, 12 or 14) in key->rounds.  Must not be NULL.
 * @return 0 on success, -1 if userKey or key is NULL, -2 if bits is not one
 *         of the three supported sizes.
 *
 * The schedule written is 4 * (rounds + 1) words long (44, 52 or 60 words).
 * NOTE(review): assumes key->rd_key has room for 60 words; AES_KEY is
 * declared outside this excerpt.
 *
 * Security notes:
 *  - Te0..Te3 are indexed with bytes of key-derived words, so the memory
 *    access pattern depends on the key.  Table-driven AES of this kind is
 *    exposed to cache-timing observation; the file's header shows an
 *    OPENSSL_AES_CONST_TIME build guard, presumably selecting a variant
 *    without such lookups - confirm which branch a given build uses.
 *  - key->rd_key holds expanded key material on return and nothing here
 *    wipes it; callers should clear the AES_KEY (e.g. OPENSSL_cleanse())
 *    once it is no longer needed.
 */
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    u32 *rk;
    u32 w;
    int round = 0;

    if (userKey == NULL || key == NULL)
        return -1;

    /* Validate the key size and record the matching round count. */
    switch (bits) {
    case 128:
        key->rounds = 10;
        break;
    case 192:
        key->rounds = 12;
        break;
    case 256:
        key->rounds = 14;
        break;
    default:
        return -2;
    }

    rk = key->rd_key;

    /* The first four schedule words are the first 16 key bytes. */
    rk[0] = GETU32(userKey);
    rk[1] = GETU32(userKey + 4);
    rk[2] = GETU32(userKey + 8);
    rk[3] = GETU32(userKey + 12);

    if (bits == 128) {
        /* Ten iterations, four new words each; rk slides by one round key. */
        for (;; rk += 4) {
            w = rk[3];
            /*
             * Rotate-and-substitute of the previous word: each mask keeps
             * one byte lane of a Te entry, then the round constant is mixed
             * in.
             */
            rk[4] = rk[0]
                ^ (Te2[(w >> 16) & 0xff] & 0xff000000)
                ^ (Te3[(w >> 8) & 0xff] & 0x00ff0000)
                ^ (Te0[w & 0xff] & 0x0000ff00)
                ^ (Te1[w >> 24] & 0x000000ff)
                ^ rcon[round];
            rk[5] = rk[1] ^ rk[4];
            rk[6] = rk[2] ^ rk[5];
            rk[7] = rk[3] ^ rk[6];
            if (++round == 10)
                return 0;
        }
    }

    /* 192- and 256-bit keys contribute two more words. */
    rk[4] = GETU32(userKey + 16);
    rk[5] = GETU32(userKey + 20);

    if (bits == 192) {
        /* Six words per iteration; the eighth stops after four of them. */
        for (;; rk += 6) {
            w = rk[5];
            rk[6] = rk[0]
                ^ (Te2[(w >> 16) & 0xff] & 0xff000000)
                ^ (Te3[(w >> 8) & 0xff] & 0x00ff0000)
                ^ (Te0[w & 0xff] & 0x0000ff00)
                ^ (Te1[w >> 24] & 0x000000ff)
                ^ rcon[round];
            rk[7] = rk[1] ^ rk[6];
            rk[8] = rk[2] ^ rk[7];
            rk[9] = rk[3] ^ rk[8];
            if (++round == 8)
                return 0;
            rk[10] = rk[4] ^ rk[9];
            rk[11] = rk[5] ^ rk[10];
        }
    }

    /* 256-bit keys contribute the last two words. */
    rk[6] = GETU32(userKey + 24);
    rk[7] = GETU32(userKey + 28);

    if (bits == 256) {
        /* Eight words per iteration; the seventh stops after four of them. */
        for (;; rk += 8) {
            w = rk[7];
            rk[8] = rk[0]
                ^ (Te2[(w >> 16) & 0xff] & 0xff000000)
                ^ (Te3[(w >> 8) & 0xff] & 0x00ff0000)
                ^ (Te0[w & 0xff] & 0x0000ff00)
                ^ (Te1[w >> 24] & 0x000000ff)
                ^ rcon[round];
            rk[9] = rk[1] ^ rk[8];
            rk[10] = rk[2] ^ rk[9];
            rk[11] = rk[3] ^ rk[10];
            if (++round == 7)
                return 0;

            /* Second half: substitution only, no rotation and no rcon. */
            w = rk[11];
            rk[12] = rk[4]
                ^ (Te2[w >> 24] & 0xff000000)
                ^ (Te3[(w >> 16) & 0xff] & 0x00ff0000)
                ^ (Te0[(w >> 8) & 0xff] & 0x0000ff00)
                ^ (Te1[w & 0xff] & 0x000000ff);
            rk[13] = rk[5] ^ rk[12];
            rk[14] = rk[6] ^ rk[13];
            rk[15] = rk[7] ^ rk[14];
        }
    }
    return 0;
}
3124
/**
 * Expand the cipher key into the decryption key schedule.
 *
 * Builds the encryption schedule with AES_set_encrypt_key(), reverses the
 * order of its round keys (four words at a time) and then passes every round
 * key except the first and the last through the inverse MixColumn transform.
 *
 * Returns 0 on success, or the negative status of AES_set_encrypt_key()
 * unchanged (-1 for a NULL pointer, -2 for an unsupported key size).
 *
 * Security note: both the expansion and the transform below index lookup
 * tables with bytes of key material, so memory access depends on the key.
 */
int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    u32 *w;
    u32 swap;
    int lo, hi, k, round;
    int rc;

    /* first, start with an encryption schedule */
    rc = AES_set_encrypt_key(userKey, bits, key);
    if (rc < 0)
        return rc;

    w = key->rd_key;

    /* invert the order of the round keys: */
    for (lo = 0, hi = 4 * key->rounds; lo < hi; lo += 4, hi -= 4) {
        for (k = 0; k < 4; k++) {
            swap = w[lo + k];
            w[lo + k] = w[hi + k];
            w[hi + k] = swap;
        }
    }

    /*
     * apply the inverse MixColumn transform to all round keys but the first
     * and the last. The low byte of Te1[] is the same substitution the key
     * expansion uses; presumably it cancels the inverse substitution folded
     * into Td0..Td3 (confirm against the table definitions).
     */
    for (round = 1; round < key->rounds; round++) {
        w += 4;
        for (k = 0; k < 4; k++) {
            const u32 x = w[k];

            w[k] = Td0[Te1[x >> 24] & 0xff]
                ^ Td1[Te1[(x >> 16) & 0xff] & 0xff]
                ^ Td2[Te1[(x >> 8) & 0xff] & 0xff]
                ^ Td3[Te1[x & 0xff] & 0xff];
        }
    }
    return 0;
}
3168
/*
 * One output word of a full encryption round. a, b, c and d are the four
 * state words in the order the caller rotates them for this column; rkw is
 * the matching round-key word.
 */
static u32 te_round_word(u32 a, u32 b, u32 c, u32 d, u32 rkw)
{
    return Te0[a >> 24] ^ Te1[(b >> 16) & 0xff] ^ Te2[(c >> 8) & 0xff]
        ^ Te3[d & 0xff] ^ rkw;
}

/*
 * One output word of the last encryption round, which keeps a single byte
 * from each table entry instead of the whole word.
 */
static u32 te_final_word(u32 a, u32 b, u32 c, u32 d, u32 rkw)
{
    return (Te2[a >> 24] & 0xff000000)
        ^ (Te3[(b >> 16) & 0xff] & 0x00ff0000)
        ^ (Te0[(c >> 8) & 0xff] & 0x0000ff00)
        ^ (Te1[d & 0xff] & 0x000000ff)
        ^ rkw;
}

/*
 * Encrypt a single block
 * in and out can overlap
 *
 * All four input words are loaded before the first PUTU32, which is what
 * makes in == out safe.
 *
 * Preconditions, none of them enforced in release builds:
 *  - in, out and key are non-NULL; the assert() disappears under NDEBUG.
 *  - *key was filled in by AES_set_encrypt_key(). key->rounds is used
 *    unchecked to walk rd_key: in the loop form a value below 2 never meets
 *    the exit test, and in either form a value larger than the schedule
 *    reads past it.
 *
 * Security note: every round indexes Te0..Te3 with bytes of the cipher
 * state, which depends on key and plaintext, so the data-cache access
 * pattern is secret-dependent in this table-driven variant.
 */
void AES_encrypt(const unsigned char *in, unsigned char *out,
                 const AES_KEY *key)
{
    const u32 *rk;
    u32 s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
    int r;
#endif /* ?FULL_UNROLL */

    assert(in && out && key);
    rk = key->rd_key;

    /*
     * map byte array block to cipher state
     * and add initial round key:
     */
    s0 = GETU32(in) ^ rk[0];
    s1 = GETU32(in + 4) ^ rk[1];
    s2 = GETU32(in + 8) ^ rk[2];
    s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
    /* round 1: */
    t0 = te_round_word(s0, s1, s2, s3, rk[4]);
    t1 = te_round_word(s1, s2, s3, s0, rk[5]);
    t2 = te_round_word(s2, s3, s0, s1, rk[6]);
    t3 = te_round_word(s3, s0, s1, s2, rk[7]);
    /* round 2: */
    s0 = te_round_word(t0, t1, t2, t3, rk[8]);
    s1 = te_round_word(t1, t2, t3, t0, rk[9]);
    s2 = te_round_word(t2, t3, t0, t1, rk[10]);
    s3 = te_round_word(t3, t0, t1, t2, rk[11]);
    /* round 3: */
    t0 = te_round_word(s0, s1, s2, s3, rk[12]);
    t1 = te_round_word(s1, s2, s3, s0, rk[13]);
    t2 = te_round_word(s2, s3, s0, s1, rk[14]);
    t3 = te_round_word(s3, s0, s1, s2, rk[15]);
    /* round 4: */
    s0 = te_round_word(t0, t1, t2, t3, rk[16]);
    s1 = te_round_word(t1, t2, t3, t0, rk[17]);
    s2 = te_round_word(t2, t3, t0, t1, rk[18]);
    s3 = te_round_word(t3, t0, t1, t2, rk[19]);
    /* round 5: */
    t0 = te_round_word(s0, s1, s2, s3, rk[20]);
    t1 = te_round_word(s1, s2, s3, s0, rk[21]);
    t2 = te_round_word(s2, s3, s0, s1, rk[22]);
    t3 = te_round_word(s3, s0, s1, s2, rk[23]);
    /* round 6: */
    s0 = te_round_word(t0, t1, t2, t3, rk[24]);
    s1 = te_round_word(t1, t2, t3, t0, rk[25]);
    s2 = te_round_word(t2, t3, t0, t1, rk[26]);
    s3 = te_round_word(t3, t0, t1, t2, rk[27]);
    /* round 7: */
    t0 = te_round_word(s0, s1, s2, s3, rk[28]);
    t1 = te_round_word(s1, s2, s3, s0, rk[29]);
    t2 = te_round_word(s2, s3, s0, s1, rk[30]);
    t3 = te_round_word(s3, s0, s1, s2, rk[31]);
    /* round 8: */
    s0 = te_round_word(t0, t1, t2, t3, rk[32]);
    s1 = te_round_word(t1, t2, t3, t0, rk[33]);
    s2 = te_round_word(t2, t3, t0, t1, rk[34]);
    s3 = te_round_word(t3, t0, t1, t2, rk[35]);
    /* round 9: */
    t0 = te_round_word(s0, s1, s2, s3, rk[36]);
    t1 = te_round_word(s1, s2, s3, s0, rk[37]);
    t2 = te_round_word(s2, s3, s0, s1, rk[38]);
    t3 = te_round_word(s3, s0, s1, s2, rk[39]);
    if (key->rounds > 10) {
        /* round 10: */
        s0 = te_round_word(t0, t1, t2, t3, rk[40]);
        s1 = te_round_word(t1, t2, t3, t0, rk[41]);
        s2 = te_round_word(t2, t3, t0, t1, rk[42]);
        s3 = te_round_word(t3, t0, t1, t2, rk[43]);
        /* round 11: */
        t0 = te_round_word(s0, s1, s2, s3, rk[44]);
        t1 = te_round_word(s1, s2, s3, s0, rk[45]);
        t2 = te_round_word(s2, s3, s0, s1, rk[46]);
        t3 = te_round_word(s3, s0, s1, s2, rk[47]);
        if (key->rounds > 12) {
            /* round 12: */
            s0 = te_round_word(t0, t1, t2, t3, rk[48]);
            s1 = te_round_word(t1, t2, t3, t0, rk[49]);
            s2 = te_round_word(t2, t3, t0, t1, rk[50]);
            s3 = te_round_word(t3, t0, t1, t2, rk[51]);
            /* round 13: */
            t0 = te_round_word(s0, s1, s2, s3, rk[52]);
            t1 = te_round_word(s1, s2, s3, s0, rk[53]);
            t2 = te_round_word(s2, s3, s0, s1, rk[54]);
            t3 = te_round_word(s3, s0, s1, s2, rk[55]);
        }
    }
    /* step to the last round key */
    rk += key->rounds << 2;
#else /* !FULL_UNROLL */
    /*
     * Nr - 1 full rounds, two per pass; the pass that runs the last
     * odd-numbered round leaves through the break with the state in t0..t3:
     */
    r = key->rounds >> 1;
    for (;;) {
        t0 = te_round_word(s0, s1, s2, s3, rk[4]);
        t1 = te_round_word(s1, s2, s3, s0, rk[5]);
        t2 = te_round_word(s2, s3, s0, s1, rk[6]);
        t3 = te_round_word(s3, s0, s1, s2, rk[7]);

        rk += 8;
        if (--r == 0)
            break;

        s0 = te_round_word(t0, t1, t2, t3, rk[0]);
        s1 = te_round_word(t1, t2, t3, t0, rk[1]);
        s2 = te_round_word(t2, t3, t0, t1, rk[2]);
        s3 = te_round_word(t3, t0, t1, t2, rk[3]);
    }
#endif /* ?FULL_UNROLL */
    /*
     * apply last round and
     * map cipher state to byte array block:
     */
    s0 = te_final_word(t0, t1, t2, t3, rk[0]);
    PUTU32(out, s0);
    s1 = te_final_word(t1, t2, t3, t0, rk[1]);
    PUTU32(out + 4, s1);
    s2 = te_final_word(t2, t3, t0, t1, rk[2]);
    PUTU32(out + 8, s2);
    s3 = te_final_word(t3, t0, t1, t2, rk[3]);
    PUTU32(out + 12, s3);
}
3300
/*
 * One output word of a full decryption round. a, b, c and d are the four
 * state words in the order the caller rotates them for this column; rkw is
 * the matching round-key word.
 */
static u32 td_round_word(u32 a, u32 b, u32 c, u32 d, u32 rkw)
{
    return Td0[a >> 24] ^ Td1[(b >> 16) & 0xff] ^ Td2[(c >> 8) & 0xff]
        ^ Td3[d & 0xff] ^ rkw;
}

/*
 * One output word of the last decryption round, assembled byte by byte from
 * the Td4 byte table.
 */
static u32 td_final_word(u32 a, u32 b, u32 c, u32 d, u32 rkw)
{
    return ((u32)Td4[a >> 24] << 24)
        ^ ((u32)Td4[(b >> 16) & 0xff] << 16)
        ^ ((u32)Td4[(c >> 8) & 0xff] << 8)
        ^ ((u32)Td4[d & 0xff])
        ^ rkw;
}

/*
 * Decrypt a single block
 * in and out can overlap
 *
 * All four input words are loaded before the first PUTU32, which is what
 * makes in == out safe.
 *
 * Preconditions, none of them enforced in release builds:
 *  - in, out and key are non-NULL; the assert() disappears under NDEBUG.
 *  - *key holds the schedule built by AES_set_decrypt_key(). key->rounds is
 *    used unchecked to walk rd_key: in the loop form a value below 2 never
 *    meets the exit test, and in either form a value larger than the
 *    schedule reads past it.
 *
 * Security note: every round indexes Td0..Td4 with bytes of the cipher
 * state, which depends on key and ciphertext, so the data-cache access
 * pattern is secret-dependent in this table-driven variant.
 */
void AES_decrypt(const unsigned char *in, unsigned char *out,
                 const AES_KEY *key)
{
    const u32 *rk;
    u32 s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
    int r;
#endif /* ?FULL_UNROLL */

    assert(in && out && key);
    rk = key->rd_key;

    /*
     * map byte array block to cipher state
     * and add initial round key:
     */
    s0 = GETU32(in) ^ rk[0];
    s1 = GETU32(in + 4) ^ rk[1];
    s2 = GETU32(in + 8) ^ rk[2];
    s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
    /* round 1: */
    t0 = td_round_word(s0, s3, s2, s1, rk[4]);
    t1 = td_round_word(s1, s0, s3, s2, rk[5]);
    t2 = td_round_word(s2, s1, s0, s3, rk[6]);
    t3 = td_round_word(s3, s2, s1, s0, rk[7]);
    /* round 2: */
    s0 = td_round_word(t0, t3, t2, t1, rk[8]);
    s1 = td_round_word(t1, t0, t3, t2, rk[9]);
    s2 = td_round_word(t2, t1, t0, t3, rk[10]);
    s3 = td_round_word(t3, t2, t1, t0, rk[11]);
    /* round 3: */
    t0 = td_round_word(s0, s3, s2, s1, rk[12]);
    t1 = td_round_word(s1, s0, s3, s2, rk[13]);
    t2 = td_round_word(s2, s1, s0, s3, rk[14]);
    t3 = td_round_word(s3, s2, s1, s0, rk[15]);
    /* round 4: */
    s0 = td_round_word(t0, t3, t2, t1, rk[16]);
    s1 = td_round_word(t1, t0, t3, t2, rk[17]);
    s2 = td_round_word(t2, t1, t0, t3, rk[18]);
    s3 = td_round_word(t3, t2, t1, t0, rk[19]);
    /* round 5: */
    t0 = td_round_word(s0, s3, s2, s1, rk[20]);
    t1 = td_round_word(s1, s0, s3, s2, rk[21]);
    t2 = td_round_word(s2, s1, s0, s3, rk[22]);
    t3 = td_round_word(s3, s2, s1, s0, rk[23]);
    /* round 6: */
    s0 = td_round_word(t0, t3, t2, t1, rk[24]);
    s1 = td_round_word(t1, t0, t3, t2, rk[25]);
    s2 = td_round_word(t2, t1, t0, t3, rk[26]);
    s3 = td_round_word(t3, t2, t1, t0, rk[27]);
    /* round 7: */
    t0 = td_round_word(s0, s3, s2, s1, rk[28]);
    t1 = td_round_word(s1, s0, s3, s2, rk[29]);
    t2 = td_round_word(s2, s1, s0, s3, rk[30]);
    t3 = td_round_word(s3, s2, s1, s0, rk[31]);
    /* round 8: */
    s0 = td_round_word(t0, t3, t2, t1, rk[32]);
    s1 = td_round_word(t1, t0, t3, t2, rk[33]);
    s2 = td_round_word(t2, t1, t0, t3, rk[34]);
    s3 = td_round_word(t3, t2, t1, t0, rk[35]);
    /* round 9: */
    t0 = td_round_word(s0, s3, s2, s1, rk[36]);
    t1 = td_round_word(s1, s0, s3, s2, rk[37]);
    t2 = td_round_word(s2, s1, s0, s3, rk[38]);
    t3 = td_round_word(s3, s2, s1, s0, rk[39]);
    if (key->rounds > 10) {
        /* round 10: */
        s0 = td_round_word(t0, t3, t2, t1, rk[40]);
        s1 = td_round_word(t1, t0, t3, t2, rk[41]);
        s2 = td_round_word(t2, t1, t0, t3, rk[42]);
        s3 = td_round_word(t3, t2, t1, t0, rk[43]);
        /* round 11: */
        t0 = td_round_word(s0, s3, s2, s1, rk[44]);
        t1 = td_round_word(s1, s0, s3, s2, rk[45]);
        t2 = td_round_word(s2, s1, s0, s3, rk[46]);
        t3 = td_round_word(s3, s2, s1, s0, rk[47]);
        if (key->rounds > 12) {
            /* round 12: */
            s0 = td_round_word(t0, t3, t2, t1, rk[48]);
            s1 = td_round_word(t1, t0, t3, t2, rk[49]);
            s2 = td_round_word(t2, t1, t0, t3, rk[50]);
            s3 = td_round_word(t3, t2, t1, t0, rk[51]);
            /* round 13: */
            t0 = td_round_word(s0, s3, s2, s1, rk[52]);
            t1 = td_round_word(s1, s0, s3, s2, rk[53]);
            t2 = td_round_word(s2, s1, s0, s3, rk[54]);
            t3 = td_round_word(s3, s2, s1, s0, rk[55]);
        }
    }
    /* step to the last round key */
    rk += key->rounds << 2;
#else /* !FULL_UNROLL */
    /*
     * Nr - 1 full rounds, two per pass; the pass that runs the last
     * odd-numbered round leaves through the break with the state in t0..t3:
     */
    r = key->rounds >> 1;
    for (;;) {
        t0 = td_round_word(s0, s3, s2, s1, rk[4]);
        t1 = td_round_word(s1, s0, s3, s2, rk[5]);
        t2 = td_round_word(s2, s1, s0, s3, rk[6]);
        t3 = td_round_word(s3, s2, s1, s0, rk[7]);

        rk += 8;
        if (--r == 0)
            break;

        s0 = td_round_word(t0, t3, t2, t1, rk[0]);
        s1 = td_round_word(t1, t0, t3, t2, rk[1]);
        s2 = td_round_word(t2, t1, t0, t3, rk[2]);
        s3 = td_round_word(t3, t2, t1, t0, rk[3]);
    }
#endif /* ?FULL_UNROLL */
    /*
     * apply last round and
     * map cipher state to byte array block:
     */
    s0 = td_final_word(t0, t3, t2, t1, rk[0]);
    PUTU32(out, s0);
    s1 = td_final_word(t1, t0, t3, t2, rk[1]);
    PUTU32(out + 4, s1);
    s2 = td_final_word(t2, t1, t0, t3, rk[2]);
    PUTU32(out + 8, s2);
    s3 = td_final_word(t3, t2, t1, t0, rk[3]);
    PUTU32(out + 12, s3);
}
3432
3433 #else /* AES_ASM */
3434
/*
 * Byte-wide substitution table used by the key schedule in this branch.
 * The values are the AES S-box. Each row is annotated with the index of its
 * first entry.
 */
static const u8 Te4[256] = {
    /* 0x00 */ 0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U,
    /* 0x08 */ 0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U,
    /* 0x10 */ 0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U,
    /* 0x18 */ 0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U,
    /* 0x20 */ 0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU,
    /* 0x28 */ 0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U,
    /* 0x30 */ 0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU,
    /* 0x38 */ 0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U,
    /* 0x40 */ 0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U,
    /* 0x48 */ 0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U,
    /* 0x50 */ 0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU,
    /* 0x58 */ 0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU,
    /* 0x60 */ 0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U,
    /* 0x68 */ 0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U,
    /* 0x70 */ 0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U,
    /* 0x78 */ 0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U,
    /* 0x80 */ 0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U,
    /* 0x88 */ 0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U,
    /* 0x90 */ 0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U,
    /* 0x98 */ 0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU,
    /* 0xa0 */ 0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU,
    /* 0xa8 */ 0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U,
    /* 0xb0 */ 0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U,
    /* 0xb8 */ 0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U,
    /* 0xc0 */ 0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U,
    /* 0xc8 */ 0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU,
    /* 0xd0 */ 0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU,
    /* 0xd8 */ 0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU,
    /* 0xe0 */ 0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U,
    /* 0xe8 */ 0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU,
    /* 0xf0 */ 0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U,
    /* 0xf8 */ 0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U
};
/*
 * Key-schedule round constants, one per expansion step, carried in the top
 * byte of each word. The 128-bit schedule is the longest consumer: it
 * indexes rcon[0] through rcon[9]; the 192- and 256-bit schedules stop
 * earlier.
 */
static const u32 rcon[] = {
    0x01000000, 0x02000000, 0x04000000, 0x08000000,
    0x10000000, 0x20000000, 0x40000000, 0x80000000,
    0x1B000000, 0x36000000,
    /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
};
3481
/**
 * Expand the cipher key into the encryption key schedule.
 *
 * Reads bits / 8 bytes from userKey and fills key->rd_key with
 * 4 * (key->rounds + 1) words; key->rounds becomes 10, 12 or 14 for a
 * 128-, 192- or 256-bit key.
 *
 * Returns 0 on success, -1 when userKey or key is NULL and -2 when bits is
 * not 128, 192 or 256. On either error nothing has been written to *key.
 *
 * Security note: each expansion step indexes the Te4 byte table with bytes
 * of the previous schedule word, so the memory access pattern depends on
 * the key even in this branch. GETU32 is defined elsewhere and presumably
 * loads a big-endian 32-bit word.
 */
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    u32 *w;         /* sliding window over the schedule being built */
    u32 last;       /* schedule word that feeds the substitution step */
    int step = 0;   /* index of the next round constant */

    if (userKey == NULL || key == NULL)
        return -1;
    /* Reject unsupported sizes before touching *key. */
    if (bits != 128 && bits != 192 && bits != 256)
        return -2;

    w = key->rd_key;
    key->rounds = (bits == 128) ? 10 : (bits == 192) ? 12 : 14;

    /* The first words of the schedule are the key itself. */
    w[0] = GETU32(userKey);
    w[1] = GETU32(userKey + 4);
    w[2] = GETU32(userKey + 8);
    w[3] = GETU32(userKey + 12);
    if (bits == 128) {
        for (;;) {
            last = w[3];
            /* rotate-and-substitute of the last word, plus round constant */
            w[4] = w[0] ^ rcon[step]
                ^ ((u32)Te4[(last >> 16) & 0xff] << 24)
                ^ ((u32)Te4[(last >> 8) & 0xff] << 16)
                ^ ((u32)Te4[last & 0xff] << 8)
                ^ ((u32)Te4[last >> 24]);
            w[5] = w[1] ^ w[4];
            w[6] = w[2] ^ w[5];
            w[7] = w[3] ^ w[6];
            if (++step == 10)
                return 0;
            w += 4;
        }
    }

    w[4] = GETU32(userKey + 16);
    w[5] = GETU32(userKey + 20);
    if (bits == 192) {
        for (;;) {
            last = w[5];
            w[6] = w[0] ^ rcon[step]
                ^ ((u32)Te4[(last >> 16) & 0xff] << 24)
                ^ ((u32)Te4[(last >> 8) & 0xff] << 16)
                ^ ((u32)Te4[last & 0xff] << 8)
                ^ ((u32)Te4[last >> 24]);
            w[7] = w[1] ^ w[6];
            w[8] = w[2] ^ w[7];
            w[9] = w[3] ^ w[8];
            /* the last step stops after four words, not six */
            if (++step == 8)
                return 0;
            w[10] = w[4] ^ w[9];
            w[11] = w[5] ^ w[10];
            w += 6;
        }
    }

    w[6] = GETU32(userKey + 24);
    w[7] = GETU32(userKey + 28);
    if (bits == 256) {
        for (;;) {
            last = w[7];
            w[8] = w[0] ^ rcon[step]
                ^ ((u32)Te4[(last >> 16) & 0xff] << 24)
                ^ ((u32)Te4[(last >> 8) & 0xff] << 16)
                ^ ((u32)Te4[last & 0xff] << 8)
                ^ ((u32)Te4[last >> 24]);
            w[9] = w[1] ^ w[8];
            w[10] = w[2] ^ w[9];
            w[11] = w[3] ^ w[10];
            if (++step == 7)
                return 0;
            /* second half: substitution only, no rotation, no constant */
            last = w[11];
            w[12] = w[4]
                ^ ((u32)Te4[last >> 24] << 24)
                ^ ((u32)Te4[(last >> 16) & 0xff] << 16)
                ^ ((u32)Te4[(last >> 8) & 0xff] << 8)
                ^ ((u32)Te4[last & 0xff]);
            w[13] = w[5] ^ w[12];
            w[14] = w[6] ^ w[13];
            w[15] = w[7] ^ w[14];

            w += 8;
        }
    }
    return 0;
}
3563
/*
 * Double each of the four bytes packed in w in GF(2^8): shift every byte
 * left by one and XOR 0x1b into the bytes whose top bit was set.
 */
static u32 aes_xtime_x4(u32 w)
{
    const u32 hi = w & 0x80808080;

    return ((w & 0x7f7f7f7f) << 1) ^ ((hi - (hi >> 7)) & 0x1b1b1b1b);
}

/**
 * Expand the cipher key into the decryption key schedule.
 *
 * Builds the encryption schedule with AES_set_encrypt_key(), reverses the
 * order of its round keys (four words at a time) and then passes every round
 * key except the first and the last through the inverse MixColumn transform.
 *
 * Returns 0 on success, or the negative status of AES_set_encrypt_key()
 * unchanged (-1 for a NULL pointer, -2 for an unsupported key size).
 *
 * Security note: the transform in this variant is pure word arithmetic with
 * no table indexing, so that step's memory access does not depend on the
 * key; the expansion it starts from still indexes Te4 with key bytes.
 */
int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
                        AES_KEY *key)
{
    u32 *w;
    u32 swap;
    int lo, hi, k, round;
    int rc;

    /* first, start with an encryption schedule */
    rc = AES_set_encrypt_key(userKey, bits, key);
    if (rc < 0)
        return rc;

    w = key->rd_key;

    /* invert the order of the round keys: */
    for (lo = 0, hi = 4 * key->rounds; lo < hi; lo += 4, hi -= 4) {
        for (k = 0; k < 4; k++) {
            swap = w[lo + k];
            w[lo + k] = w[hi + k];
            w[hi + k] = swap;
        }
    }

    /* apply the inverse MixColumn transform to all round keys but the first and the last: */
    for (round = 1; round < key->rounds; round++) {
        w += 4;
        for (k = 0; k < 4; k++) {
            /* xN is the word with every byte multiplied by N in GF(2^8) */
            const u32 x1 = w[k];
            const u32 x2 = aes_xtime_x4(x1);
            const u32 x4 = aes_xtime_x4(x2);
            const u32 x8 = aes_xtime_x4(x4);
            const u32 x9 = x8 ^ x1;
            const u32 xb = x9 ^ x2;
            const u32 xd = x9 ^ x4;
            const u32 xe = x8 ^ x4 ^ x2;

#if defined(ROTATE)
            w[k] = xe ^ ROTATE(xd, 16) ^ ROTATE(x9, 24) ^ ROTATE(xb, 8);
#else
            w[k] = xe ^ (xd >> 16) ^ (xd << 16) ^ (x9 >> 8) ^ (x9 << 24)
                ^ (xb >> 24) ^ (xb << 8);
#endif
        }
    }
    return 0;
}
3623
3624 #endif /* AES_ASM */
3625