File Coverage

_rijndael.c

Criterion	Covered	Total	%
statement	191	193	98.9
branch	101	104	97.1
condition			n/a
subroutine			n/a
pod			n/a
total	292	297	98.3

line	stmt	bran	code
1			/* rijndael - An implementation of the Rijndael cipher.
2			* Copyright (C) 2000, 2001 Rafael R. Sevilla
3			*
4			* Currently maintained by brian d foy,
5			*
6			* This library is free software; you can redistribute it and/or
7			* modify it under the terms of the GNU Lesser General Public
8			* License as published by the Free Software Foundation; either
9			* version 2 of the License, or (at your option) any later version.
10			*
11			* This library is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14			* Library General Public License for more details.
15			*
16			* You should have received a copy of the GNU Library General Public
17			* License along with this library; if not, write to the Free
18			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19			*/
20
21			#include "rijndael.h"
22			#include
23			#include
24			#include
25			#include
26
27			#if 0
28
29			static void
30			print_block(uint8_t *block)
31			{
32			int i;
33
34			for (i=0; i
35			printf("%02x", block[i]);
36			printf("\n");
37			}
38			#endif
39
40			/* These tables combine both the S-boxes and the mixcolumn transformation, so
41			that we can perform a round's encryption or by means of four table lookups
42			and four XOR's per column of state. They were generated by the
43			makertbls.pl script. */
44			uint32_t dtbl[] = {
45			0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
46			0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
47			0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
48			0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
49			0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
50			0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
51			0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
52			0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
53			0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
54			0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
55			0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
56			0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
57			0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
58			0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
59			0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
60			0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
61			0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
62			0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
63			0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
64			0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
65			0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
66			0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
67			0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
68			0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
69			0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
70			0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
71			0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
72			0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
73			0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
74			0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
75			0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
76			0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
77			0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
78			0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
79			0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
80			0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
81			0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
82			0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
83			0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
84			0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
85			0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
86			0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
87			0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
88			0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
89			0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
90			0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
91			0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
92			0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
93			0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
94			0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
95			0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
96			0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
97			0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
98			0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
99			0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
100			0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
101			0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
102			0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
103			0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
104			0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
105			0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
106			0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
107			0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
108			0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c,
109			};
110
111			uint32_t itbl[] = {
112			0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
113			0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
114			0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5,
115			0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5,
116			0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d,
117			0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
118			0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295,
119			0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e,
120			0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927,
121			0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d,
122			0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362,
123			0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
124			0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52,
125			0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566,
126			0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3,
127			0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed,
128			0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e,
129			0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
130			0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4,
131			0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd,
132			0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d,
133			0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060,
134			0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967,
135			0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
136			0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000,
137			0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c,
138			0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36,
139			0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624,
140			0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b,
141			0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
142			0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12,
143			0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14,
144			0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3,
145			0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b,
146			0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8,
147			0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
148			0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7,
149			0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177,
150			0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947,
151			0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322,
152			0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498,
153			0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
154			0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54,
155			0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382,
156			0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf,
157			0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb,
158			0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83,
159			0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef,
160			0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029,
161			0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235,
162			0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733,
163			0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117,
164			0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4,
165			0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
166			0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb,
167			0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d,
168			0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb,
169			0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a,
170			0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773,
171			0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
172			0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2,
173			0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff,
174			0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664,
175			0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0,
176			};
177
178
179			/* Needed only for the key schedule and for final rounds */
180			uint8_t sbox[256] = {
181			99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
182			118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164,
183			114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113,
184			216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
185			235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214,
186			179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203,
187			190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69,
188			249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245,
189			188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68,
190			23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42,
191			144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73,
192			6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109,
193			141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37,
194			46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62,
195			181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225,
196			248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
197			140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187,
198			22,
199			};
200
201			uint8_t isbox[256] = {
202			82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215,
203			251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222,
204			233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66,
205			250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73,
206			109, 139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92,
207			204, 93, 101, 182, 146, 108, 112, 72, 80, 253, 237, 185, 218, 94, 21,
208			70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140, 188, 211, 10, 247,
209			228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2,
210			193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220,
211			234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116, 34, 231, 173,
212			53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29,
213			41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75,
214			198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168,
215			51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81,
216			127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160,
217			224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97,
218			23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12,
219			125,
220			};
221
222			/* Used only by the key schedule */
223			uint8_t Logtable[256] = {
224			0, 0, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3,
225			100, 4, 224, 14, 52, 141, 129, 239, 76, 113, 8, 200, 248, 105, 28,
226			193, 125, 194, 29, 181, 249, 185, 39, 106, 77, 228, 166, 114, 154, 201,
227			9, 120, 101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53,
228			147, 218, 142, 150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241,
229			64, 70, 131, 56, 102, 221, 253, 48, 191, 6, 139, 98, 179, 37, 226,
230			152, 34, 136, 145, 16, 126, 110, 72, 195, 163, 182, 30, 66, 58, 107,
231			40, 84, 250, 133, 61, 186, 43, 121, 10, 21, 155, 159, 94, 202, 78,
232			212, 172, 229, 243, 115, 167, 87, 175, 88, 168, 80, 244, 234, 214, 116,
233			79, 174, 233, 213, 231, 230, 173, 232, 44, 215, 117, 122, 235, 22, 11,
234			245, 89, 203, 95, 176, 156, 169, 81, 160, 127, 12, 246, 111, 23, 196,
235			73, 236, 216, 67, 31, 45, 164, 118, 123, 183, 204, 187, 62, 90, 251,
236			96, 177, 134, 59, 82, 161, 108, 170, 85, 41, 157, 151, 178, 135, 144,
237			97, 190, 220, 252, 188, 149, 207, 205, 55, 63, 91, 209, 83, 57, 132,
238			60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, 68, 17,
239			146, 217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165, 103,
240			74, 237, 222, 197, 49, 254, 24, 13, 99, 140, 128, 192, 247, 112, 7,
241			};
242
243			uint8_t Alogtable[256] = {
244			1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19,
245			53, 95, 225, 56, 72, 216, 115, 149, 164, 247, 2, 6, 10, 30, 34,
246			102, 170, 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217, 112, 144,
247			171, 230, 49, 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184,
248			211, 110, 178, 205, 76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241,
249			8, 24, 40, 120, 136, 131, 158, 185, 208, 107, 189, 220, 127, 129, 152,
250			179, 206, 73, 219, 118, 154, 181, 196, 87, 249, 16, 48, 80, 240, 11,
251			29, 39, 105, 187, 214, 97, 163, 254, 25, 43, 125, 135, 146, 173, 236,
252			47, 113, 147, 174, 233, 32, 96, 160, 251, 22, 58, 78, 210, 109, 183,
253			194, 93, 231, 50, 86, 250, 21, 63, 65, 195, 94, 226, 61, 71, 201,
254			64, 192, 91, 237, 44, 116, 156, 191, 218, 117, 159, 186, 213, 100, 172,
255			239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, 155, 182, 193, 88,
256			232, 35, 101, 175, 234, 37, 111, 177, 200, 67, 197, 84, 252, 31, 33,
257			99, 165, 244, 7, 9, 27, 45, 119, 153, 176, 203, 70, 202, 69, 207,
258			74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, 18,
259			54, 90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23,
260			57, 75, 221, 124, 132, 151, 162, 253, 28, 36, 108, 180, 199, 82, 246, 1,
261			};
262
263			#define ROTBYTE(x) (((x) >> 8) \| (((x) & 0xff) << 24))
264			#define ROTRBYTE(x) (((x) << 8) \| (((x) >> 24) & 0xff))
265			#define SUBBYTE(x, box) (((box)[((x) & 0xff)]) \| \
266			((box)[(((x) >> 8) & 0xff)] << 8) \| \
267			((box)[(((x) >> 16) & 0xff)] << 16) \| \
268			((box)[(((x) >> 24) & 0xff)] << 24))
269
270			static uint8_t
271	559		xtime(uint8_t a)
272			{
273			uint8_t b;
274
275	559	100	b = (a & 0x80) ? 0x1b : 0;
276	559		a<<=1;
277	559		a^=b;
278	559		return(a);
279			}
280
281			static uint8_t
282	60672		mul(uint8_t a, uint8_t b)
283			{
284	60672	50	if (a && b) return Alogtable[(Logtable[a] + Logtable[b])%255];
		100
285	432		else return 0;
286			}
287
288			static void
289	948		inv_mix_column(uint32_t a, uint32_t b)
290			{
291			uint8_t c[4][4];
292			int i, j;
293
294	4740	100	for(j = 0; j < 4; j++) {
295	18960	100	for(i = 0; i < 4; i++) {
296	15168		c[j][i] = mul(0xe, (a[j] >> i*8) & 0xff)
297	15168		^ mul(0xb, (a[j] >> ((i+1)%4)*8) & 0xff)
298	15168		^ mul(0xd, (a[j] >> ((i+2)%4)*8) & 0xff)
299	15168		^ mul(0x9, (a[j] >> ((i+3)%4)*8) & 0xff);
300			}
301			}
302	4740	100	for(i = 0; i < 4; i++) {
303	3792		b[i] = 0;
304	18960	100	for(j = 0; j < 4; j++)
305	15168		b[i] \|= c[i][j] << (j*8);
306			}
307	948		}
308
309			void
310	76		rijndael_setup(RIJNDAEL_context ctx, size_t keysize, const uint8_t key)
311			{
312			int nk, nr, i, lastkey;
313			uint32_t temp, rcon;
314
315			/* Truncate keysizes to the valid key sizes provided by Rijndael */
316	76	100	if (keysize >= 32) {
317	63		nk = 8;
318	63		nr = 14;
319	13	100	} else if (keysize >= 24) {
320	6		nk = 6;
321	6		nr = 12;
322			} else { /* must be 16 or more */
323	7		nk = 4;
324	7		nr = 10;
325			}
326
327	76		lastkey = (RIJNDAEL_BLOCKSIZE/4) * (nr + 1);
328	76		ctx->nrounds = nr;
329	76		rcon = 1;
330	644	100	for (i=0; i
331	1136		ctx->keys[i] = key[i4] + (key[i4+1]<<8) + (key[i*4+2]<<16) +
332	568		(key[i*4+3]<<24);
333			}
334
335	3908	100	for (i=nk; i
336	3832		temp = ctx->keys[i-1];
337	3832	100	if (i % nk == 0) {
338	559		temp = SUBBYTE(ROTBYTE(temp), sbox) ^ rcon;
339	559		rcon = (uint32_t)xtime((uint8_t)rcon&0xff);
340	3273	100	} else if (nk > 6 && (i%nk) == 4) {
		100
341	378		temp = SUBBYTE(temp, sbox);
342			}
343	3832		ctx->keys[i] = ctx->keys[i-nk] ^ temp;
344			}
345			/* Generate the inverse keys */
346	380	100	for (i=0; i<4; i++) {
347	304		ctx->ikeys[i] = ctx->keys[i];
348	304		ctx->ikeys[lastkey-4 + i] = ctx->keys[lastkey-4 + i];
349			}
350	1024	100	for (i=4; i
351	948		inv_mix_column(&(ctx->keys[i]), &(ctx->ikeys[i]));
352	76		}
353
354			/* Key addition that also packs every byte in the key to a word rep. */
355			static void
356	1754		key_addition_8to32(const uint8_t txt, uint32_t keys, uint32_t *out)
357			{
358			const uint8_t *ptr;
359			int i, j;
360			uint32_t val;
361
362	1754		ptr = txt;
363	8770	100	for (i=0; i<4; i++) {
364	7016		val = 0;
365	35080	100	for (j=0; j<4; j++)
366	28064		val \|= (ptr++ << 8j);
367	7016		out[i] = keys[i]^val;
368			}
369	1754		}
370
371			static void
372	22534		key_addition32(const uint32_t txt, uint32_t keys, uint32_t *out)
373			{
374			int i;
375
376	112670	100	for (i=0; i<4; i++)
377	90136		out[i] = keys[i] ^ txt[i];
378	22534		}
379
380			static void
381	1754		key_addition32to8(const uint32_t txt, uint32_t keys, uint8_t *out)
382			{
383			uint8_t *ptr;
384			int i, j;
385			uint32_t val;
386
387	1754		ptr = out;
388	8770	100	for (i=0; i<4; i++) {
389	7016		val = txt[i] ^ keys[i];
390	35080	100	for (j=0; j<4; j++)
391	28064		ptr++ = (val >> 8j) & 0xff;
392			}
393	1754		}
394
395			static int idx[4][4] = {
396			{ 0, 1, 2, 3 },
397			{ 1, 2, 3, 0 },
398			{ 2, 3, 0, 1 },
399			{ 3, 0, 1, 2 } };
400
401			void
402	1415		rijndael_encrypt(RIJNDAEL_context *ctx,
403			const uint8_t *plaintext,
404			uint8_t *ciphertext)
405			{
406			int r, j;
407			uint32_t wtxt[4], t[4]; /* working ciphertext */
408			uint32_t e;
409
410	1415		key_addition_8to32(plaintext, &(ctx->keys[0]), wtxt);
411	19604	100	for (r=1; rnrounds; r++) {
412	90945	100	for (j=0; j<4; j++) {
413	145512		t[j] = dtbl[wtxt[j] & 0xff] ^
414	72756		ROTRBYTE(dtbl[(wtxt[idx[1][j]] >> 8) & 0xff]^
415			ROTRBYTE(dtbl[(wtxt[idx[2][j]] >> 16) & 0xff] ^
416			ROTRBYTE(dtbl[(wtxt[idx[3][j]] >> 24) & 0xff])));
417			}
418	18189		key_addition32(t, &(ctx->keys[r*4]), wtxt);
419			}
420			/* last round is special: there is no mixcolumn, so we can't use the big
421			tables. */
422	7075	100	for (j=0; j<4; j++) {
423	5660		e = wtxt[j] & 0xff;
424	5660		e \|= (wtxt[idx[1][j]]) & (0xff << 8 );
425	5660		e \|= (wtxt[idx[2][j]]) & (0xff << 16);
426	5660		e \|= (wtxt[idx[3][j]]) & (0xffU << 24);
427	5660		t[j] = e;
428			}
429	7075	100	for (j=0; j<4; j++)
430	5660		t[j] = SUBBYTE(t[j], sbox);
431	1415		key_addition32to8(t, &(ctx->keys[4*ctx->nrounds]), ciphertext);
432	1415		}
433
434			static int iidx[4][4] = {
435			{ 0, 1, 2, 3 },
436			{ 3, 0, 1, 2 },
437			{ 2, 3, 0, 1 },
438			{ 1, 2, 3, 0 } };
439
440			void
441	339		rijndael_decrypt(RIJNDAEL_context *ctx,
442			const uint8_t *ciphertext,
443			uint8_t *plaintext)
444			{
445			int r, j;
446			uint32_t wtxt[4], t[4]; /* working ciphertext */
447			uint32_t e;
448
449	339		key_addition_8to32(ciphertext, &(ctx->ikeys[4*ctx->nrounds]), wtxt);
450	4684	100	for (r=ctx->nrounds-1; r> 0; r--) {
451	21725	100	for (j=0; j<4; j++) {
452	34760		t[j] = itbl[wtxt[j] & 0xff] ^
453	17380		ROTRBYTE(itbl[(wtxt[iidx[1][j]] >> 8) & 0xff]^
454			ROTRBYTE(itbl[(wtxt[iidx[2][j]] >> 16) & 0xff] ^
455			ROTRBYTE(itbl[(wtxt[iidx[3][j]] >> 24) & 0xff])));
456			}
457	4345		key_addition32(t, &(ctx->ikeys[r*4]), wtxt);
458			}
459			/* last round is special: there is no mixcolumn, so we can't use the big
460			tables. */
461	1695	100	for (j=0; j<4; j++) {
462	1356		e = wtxt[j] & 0xff;
463	1356		e \|= (wtxt[iidx[1][j]]) & (0xff << 8);
464	1356		e \|= (wtxt[iidx[2][j]]) & (0xff << 16);
465	1356		e \|= (wtxt[iidx[3][j]]) & (0xffU << 24);
466	1356		t[j] = e;
467			}
468	1695	100	for (j=0; j<4; j++)
469	1356		t[j] = SUBBYTE(t[j], isbox);
470	339		key_addition32to8(t, &(ctx->ikeys[0]), plaintext);
471	339		}
472
473			void
474	76		block_encrypt(RIJNDAEL_context ctx, uint8_t input, int inputlen,
475			uint8_t output, uint8_t iv)
476			{
477			int i, j, nblocks, carry_flg;
478			uint8_t block[RIJNDAEL_BLOCKSIZE], block2[RIJNDAEL_BLOCKSIZE], oldptxt;
479
480	76		nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
481
482	76		switch (ctx->mode) {
483			case MODE_ECB: /* electronic code book */
484	203	100	for (i = 0; i
485	185		rijndael_encrypt(ctx, &input[RIJNDAEL_BLOCKSIZE*i],
486	185		&output[RIJNDAEL_BLOCKSIZE*i]);
487			}
488	18		break;
489			case MODE_CBC: /* Cipher block chaining */
490			/* set initial value */
491	16		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
492	170	100	for (i=0; i< nblocks; i++) {
493	2618	100	for (j=0; j
494	2464		block[j] ^= input[i*RIJNDAEL_BLOCKSIZE + j] & 0xff;
495	154		rijndael_encrypt(ctx, block, block);
496	154		memcpy(&output[RIJNDAEL_BLOCKSIZE*i], block, RIJNDAEL_BLOCKSIZE);
497			}
498	16		break;
499			case MODE_CFB: /* 128-bit cipher feedback */
500	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
501	184	100	for (i=0; i
502	170		rijndael_encrypt(ctx, block, block);
503	2890	100	for (j=0; j
504	2720		block[j] ^= input[i*RIJNDAEL_BLOCKSIZE + j];
505	170		memcpy(&output[RIJNDAEL_BLOCKSIZE*i], block, RIJNDAEL_BLOCKSIZE);
506			}
507	14		break;
508			case MODE_OFB: /* 128-bit output feedback */
509	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
510	226	100	for (i=0; i
511	212		rijndael_encrypt(ctx, block, block);
512	3604	100	for (j=0; j
513	6784		output[RIJNDAEL_BLOCKSIZE*i + j] = block[j] ^
514	3392		input[RIJNDAEL_BLOCKSIZE*i + j];
515			}
516			}
517	14		break;
518			case MODE_CTR: /* counter */
519	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
520	170	100	for (i=0; i
521	156		rijndael_encrypt(ctx, block, block2);
522	2652	100	for (j=0; j
523	4992		output[RIJNDAEL_BLOCKSIZE*i + j] = block2[j] ^
524	2496		input[RIJNDAEL_BLOCKSIZE*i + j];
525			}
526	156		block[RIJNDAEL_BLOCKSIZE-1]++;
527	156		carry_flg = block[RIJNDAEL_BLOCKSIZE-1] != 0 ? 0 : 1;
528	159	50	for (j=RIJNDAEL_BLOCKSIZE-2; j>=0; j--) {
529	159	100	if (carry_flg) {
530	3		block[j]++;
531	3		carry_flg = block[j] != 0 ? 0 : 1;
532			} else
533	156		break;
534			}
535			}
536	14		break;
537			default:
538	0		break;
539			}
540	76		}
541
542			void
543	76		block_decrypt(RIJNDAEL_context ctx, uint8_t input, int inputlen,
544			uint8_t output, uint8_t iv)
545			{
546			int i, j, nblocks, carry_flg;
547			uint8_t block[RIJNDAEL_BLOCKSIZE], block2[RIJNDAEL_BLOCKSIZE];
548
549	76		nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
550	76		switch (ctx->mode) {
551			case MODE_ECB:
552	203	100	for (i = 0; i
553	185		rijndael_decrypt(ctx, &input[RIJNDAEL_BLOCKSIZE*i],
554	185		&output[RIJNDAEL_BLOCKSIZE*i]);
555			}
556	18		break;
557			case MODE_CBC:
558			/* first block */
559	16		rijndael_decrypt(ctx, input, block);
560			/* XOR the block with the IV to get the output */
561	272	100	for (i=0; i
562	256		output[i] = block[i] ^ iv[i];
563	154	100	for (i=1; i
564	138		rijndael_decrypt(ctx, &input[i*RIJNDAEL_BLOCKSIZE], block);
565	2346	100	for (j=0; j
566	4416		output[i*RIJNDAEL_BLOCKSIZE + j] = block[j] ^
567	2208		input[(i-1)*RIJNDAEL_BLOCKSIZE + j];
568			}
569			}
570	16		break;
571			case MODE_CFB: /* 128-bit cipher feedback */
572	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
573	184	100	for (i=0; i
574	170		rijndael_encrypt(ctx, block, block); /* ENCRYPT is right! */
575	2890	100	for (j=0; j
576	5440		output[RIJNDAEL_BLOCKSIZE*i + j] = block[j] ^
577	2720		input[RIJNDAEL_BLOCKSIZE*i + j];
578			}
579	170		memcpy(block, &input[RIJNDAEL_BLOCKSIZE*i], RIJNDAEL_BLOCKSIZE);
580			}
581	14		break;
582			case MODE_OFB: /* 128-bit output feedback */
583			/* this is exactly the same as encryption in OFB...in fact you can use
584			the encryption in OFB mode to decrypt! */
585	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
586	226	100	for (i=0; i
587	212		rijndael_encrypt(ctx, block, block);
588	3604	100	for (j=0; j
589	6784		output[RIJNDAEL_BLOCKSIZE*i + j] = block[j] ^
590	3392		input[RIJNDAEL_BLOCKSIZE*i + j];
591			}
592			}
593	14		break;
594			case MODE_CTR: /* counter */
595	14		memcpy(block, iv, RIJNDAEL_BLOCKSIZE);
596	170	100	for (i=0; i
597	156		rijndael_encrypt(ctx, block, block2);
598	2652	100	for (j=0; j
599	4992		output[RIJNDAEL_BLOCKSIZE*i + j] = block2[j] ^
600	2496		input[RIJNDAEL_BLOCKSIZE*i + j];
601			}
602	156		block[RIJNDAEL_BLOCKSIZE-1]++;
603	156		carry_flg = block[RIJNDAEL_BLOCKSIZE-1] != 0 ? 0 : 1;
604	159	50	for (j=RIJNDAEL_BLOCKSIZE-2; j>=0; j--) {
605	159	100	if (carry_flg) {
606	3		block[j]++;
607	3		carry_flg = block[j] != 0 ? 0 : 1;
608			} else
609	156		break;
610			}
611			}
612	14		break;
613			default:
614	0		break;
615			}
616	76		}
617