File Coverage

_rijndael.c

Criterion	Covered	Total	%
statement	214	218	98.1
branch	89	92	96.7
condition			n/a
subroutine			n/a
pod			n/a
total	303	310	97.7

line	stmt	bran	code
1			/* rijndael - An implementation of the Rijndael cipher.
2			* Copyright (C) 2000, 2001 Rafael R. Sevilla
3			*
4			* Currently maintained by brian d foy,
5			*
6			* This library is free software; you can redistribute it and/or
7			* modify it under the terms of the GNU Lesser General Public
8			* License as published by the Free Software Foundation; either
9			* version 2 of the License, or (at your option) any later version.
10			*
11			* This library is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14			* Library General Public License for more details.
15			*
16			* You should have received a copy of the GNU Library General Public
17			* License along with this library; if not, write to the Free
18			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19			*/
20
21			#include "rijndael.h"
22			#include
23			#include
24			#include
25			#include
26
27			#if 0
28
29			static void
30			print_block(uint8_t *block)
31			{
32			int i;
33
34			for (i=0; i
35			printf("%02x", block[i]);
36			printf("\n");
37			}
38			#endif
39
40			/* These tables combine both the S-boxes and the mixcolumn transformation, so
41			that we can perform a round's encryption or by means of four table lookups
42			and four XOR's per column of state. They were generated by the
43			makertbls.pl script. */
44			static const uint32_t dtbl[] = {
45			0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
46			0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
47			0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
48			0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
49			0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
50			0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
51			0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
52			0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
53			0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
54			0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
55			0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
56			0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
57			0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
58			0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
59			0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
60			0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
61			0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
62			0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
63			0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
64			0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
65			0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
66			0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
67			0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
68			0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
69			0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
70			0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
71			0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
72			0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
73			0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
74			0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
75			0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
76			0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
77			0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
78			0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
79			0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
80			0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
81			0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
82			0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
83			0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
84			0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
85			0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
86			0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
87			0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
88			0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
89			0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
90			0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
91			0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
92			0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
93			0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
94			0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
95			0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
96			0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
97			0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
98			0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
99			0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
100			0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
101			0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
102			0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
103			0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
104			0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
105			0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
106			0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
107			0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
108			0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c,
109			};
110
111			static const uint32_t itbl[] = {
112			0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
113			0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
114			0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5,
115			0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5,
116			0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d,
117			0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
118			0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295,
119			0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e,
120			0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927,
121			0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d,
122			0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362,
123			0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
124			0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52,
125			0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566,
126			0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3,
127			0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed,
128			0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e,
129			0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
130			0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4,
131			0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd,
132			0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d,
133			0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060,
134			0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967,
135			0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
136			0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000,
137			0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c,
138			0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36,
139			0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624,
140			0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b,
141			0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
142			0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12,
143			0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14,
144			0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3,
145			0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b,
146			0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8,
147			0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
148			0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7,
149			0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177,
150			0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947,
151			0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322,
152			0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498,
153			0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
154			0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54,
155			0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382,
156			0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf,
157			0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb,
158			0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83,
159			0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef,
160			0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029,
161			0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235,
162			0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733,
163			0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117,
164			0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4,
165			0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
166			0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb,
167			0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d,
168			0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb,
169			0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a,
170			0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773,
171			0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
172			0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2,
173			0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff,
174			0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664,
175			0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0,
176			};
177
178
179			/* Needed only for the key schedule and for final rounds */
180			static const uint8_t sbox[256] = {
181			99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
182			118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164,
183			114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113,
184			216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
185			235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214,
186			179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203,
187			190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69,
188			249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245,
189			188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68,
190			23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42,
191			144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73,
192			6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109,
193			141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37,
194			46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62,
195			181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225,
196			248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
197			140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187,
198			22,
199			};
200
201			static const uint8_t isbox[256] = {
202			82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215,
203			251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222,
204			233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66,
205			250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73,
206			109, 139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92,
207			204, 93, 101, 182, 146, 108, 112, 72, 80, 253, 237, 185, 218, 94, 21,
208			70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140, 188, 211, 10, 247,
209			228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2,
210			193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220,
211			234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116, 34, 231, 173,
212			53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29,
213			41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75,
214			198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168,
215			51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81,
216			127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160,
217			224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97,
218			23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12,
219			125,
220			};
221
222			/* Used only by the key schedule */
223			static const uint8_t Logtable[256] = {
224			0, 0, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3,
225			100, 4, 224, 14, 52, 141, 129, 239, 76, 113, 8, 200, 248, 105, 28,
226			193, 125, 194, 29, 181, 249, 185, 39, 106, 77, 228, 166, 114, 154, 201,
227			9, 120, 101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53,
228			147, 218, 142, 150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241,
229			64, 70, 131, 56, 102, 221, 253, 48, 191, 6, 139, 98, 179, 37, 226,
230			152, 34, 136, 145, 16, 126, 110, 72, 195, 163, 182, 30, 66, 58, 107,
231			40, 84, 250, 133, 61, 186, 43, 121, 10, 21, 155, 159, 94, 202, 78,
232			212, 172, 229, 243, 115, 167, 87, 175, 88, 168, 80, 244, 234, 214, 116,
233			79, 174, 233, 213, 231, 230, 173, 232, 44, 215, 117, 122, 235, 22, 11,
234			245, 89, 203, 95, 176, 156, 169, 81, 160, 127, 12, 246, 111, 23, 196,
235			73, 236, 216, 67, 31, 45, 164, 118, 123, 183, 204, 187, 62, 90, 251,
236			96, 177, 134, 59, 82, 161, 108, 170, 85, 41, 157, 151, 178, 135, 144,
237			97, 190, 220, 252, 188, 149, 207, 205, 55, 63, 91, 209, 83, 57, 132,
238			60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, 68, 17,
239			146, 217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165, 103,
240			74, 237, 222, 197, 49, 254, 24, 13, 99, 140, 128, 192, 247, 112, 7,
241			};
242
243			static const uint8_t Alogtable[256] = {
244			1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19,
245			53, 95, 225, 56, 72, 216, 115, 149, 164, 247, 2, 6, 10, 30, 34,
246			102, 170, 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217, 112, 144,
247			171, 230, 49, 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184,
248			211, 110, 178, 205, 76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241,
249			8, 24, 40, 120, 136, 131, 158, 185, 208, 107, 189, 220, 127, 129, 152,
250			179, 206, 73, 219, 118, 154, 181, 196, 87, 249, 16, 48, 80, 240, 11,
251			29, 39, 105, 187, 214, 97, 163, 254, 25, 43, 125, 135, 146, 173, 236,
252			47, 113, 147, 174, 233, 32, 96, 160, 251, 22, 58, 78, 210, 109, 183,
253			194, 93, 231, 50, 86, 250, 21, 63, 65, 195, 94, 226, 61, 71, 201,
254			64, 192, 91, 237, 44, 116, 156, 191, 218, 117, 159, 186, 213, 100, 172,
255			239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, 155, 182, 193, 88,
256			232, 35, 101, 175, 234, 37, 111, 177, 200, 67, 197, 84, 252, 31, 33,
257			99, 165, 244, 7, 9, 27, 45, 119, 153, 176, 203, 70, 202, 69, 207,
258			74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, 18,
259			54, 90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23,
260			57, 75, 221, 124, 132, 151, 162, 253, 28, 36, 108, 180, 199, 82, 246, 1,
261			};
262
263			#define ROTBYTE(x) (((x) >> 8) \| (((x) & 0xff) << 24))
264			#define ROTRBYTE(x) (((x) << 8) \| (((x) >> 24) & 0xff))
265			#define SUBBYTE(x, box) (((box)[((x) & 0xff)]) \| \
266			((box)[(((x) >> 8) & 0xff)] << 8) \| \
267			((box)[(((x) >> 16) & 0xff)] << 16) \| \
268			((box)[(((x) >> 24) & 0xff)] << 24))
269
270	779		static uint8_t xtime(uint8_t a) {
271			uint8_t b;
272
273	779	100	b = (a & 0x80) ? 0x1b : 0;
274	779		a<<=1;
275	779		a^=b;
276	779		return(a);
277			}
278
279	73344		static uint8_t mul(uint8_t a, uint8_t b) {
280	73344	50	if (a && b) return Alogtable[(Logtable[a] + Logtable[b])%255];
		100
281	468		else return 0;
282			}
283
284	1146		static void inv_mix_column(const uint32_t a, uint32_t b) {
285			uint8_t c[4][4];
286			int i, j;
287
288	5730	100	for(j = 0; j < 4; j++) {
289	22920	100	for(i = 0; i < 4; i++) {
290	18336		c[j][i] = mul(0xe, (a[j] >> i*8) & 0xff)
291	18336		^ mul(0xb, (a[j] >> ((i+1)%4)*8) & 0xff)
292	18336		^ mul(0xd, (a[j] >> ((i+2)%4)*8) & 0xff)
293	18336		^ mul(0x9, (a[j] >> ((i+3)%4)*8) & 0xff);
294			}
295			}
296	5730	100	for(i = 0; i < 4; i++) {
297	4584		b[i] = 0;
298	22920	100	for(j = 0; j < 4; j++)
299	18336		b[i] \|= c[i][j] << (j*8);
300			}
301	1146		}
302
303	98		void rijndael_setup(RIJNDAEL_context ctx, size_t keysize, const uint8_t key) {
304			int nk, nr, i, lastkey;
305			uint32_t temp, rcon;
306
307			/* Truncate keysizes to the valid key sizes provided by Rijndael */
308	98	100	if (keysize >= 32) {
309	63		nk = 8;
310	63		nr = 14;
311	35	100	} else if (keysize >= 24) {
312	6		nk = 6;
313	6		nr = 12;
314			} else { /* must be 16 or more */
315	29		nk = 4;
316	29		nr = 10;
317			}
318
319	98		lastkey = (RIJNDAEL_BLOCKSIZE/4) * (nr + 1);
320	98		ctx->nrounds = nr;
321	98		rcon = 1;
322	754	100	for (i=0; i
323	1312		ctx->keys[i] = key[i4] + (key[i4+1]<<8) + (key[i*4+2]<<16) +
324	656		(key[i*4+3]<<24);
325			}
326
327	4810	100	for (i=nk; i
328	4712		temp = ctx->keys[i-1];
329	4712	100	if (i % nk == 0) {
330	779		temp = SUBBYTE(ROTBYTE(temp), sbox) ^ rcon;
331	779		rcon = (uint32_t)xtime((uint8_t)rcon&0xff);
332	3933	100	} else if (nk > 6 && (i%nk) == 4) {
		100
333	378		temp = SUBBYTE(temp, sbox);
334			}
335	4712		ctx->keys[i] = ctx->keys[i-nk] ^ temp;
336			}
337			/* Generate the inverse keys */
338	490	100	for (i=0; i<4; i++) {
339	392		ctx->ikeys[i] = ctx->keys[i];
340	392		ctx->ikeys[lastkey-4 + i] = ctx->keys[lastkey-4 + i];
341			}
342	1244	100	for (i=4; i
343	1146		inv_mix_column(&(ctx->keys[i]), &(ctx->ikeys[i]));
344	98		}
345
346			/* Key addition that also packs every byte in the key to a word rep. */
347	2318		static void key_addition_8to32(const uint8_t txt, const uint32_t keys, uint32_t *out) {
348			const uint8_t *ptr;
349			int i, j;
350			uint32_t val;
351
352	2318		ptr = txt;
353	11590	100	for (i=0; i<4; i++) {
354	9272		val = 0;
355	46360	100	for (j=0; j<4; j++)
356	37088		val \|= (ptr++ << 8j);
357	9272		out[i] = keys[i]^val;
358			}
359	2318		}
360
361	28634		static void key_addition32(const uint32_t txt, const uint32_t keys, uint32_t *out) {
362			int i;
363
364	143170	100	for (i=0; i<4; i++)
365	114536		out[i] = keys[i] ^ txt[i];
366	28634		}
367
368	2318		static void key_addition32to8(const uint32_t txt, const uint32_t keys, uint8_t *out) {
369			uint8_t *ptr;
370			int i, j;
371			uint32_t val;
372
373	2318		ptr = out;
374	11590	100	for (i=0; i<4; i++) {
375	9272		val = txt[i] ^ keys[i];
376	46360	100	for (j=0; j<4; j++)
377	37088		ptr++ = (val >> 8j) & 0xff;
378			}
379	2318		}
380
381			static int idx[4][4] = {
382			{ 0, 1, 2, 3 },
383			{ 1, 2, 3, 0 },
384			{ 2, 3, 0, 1 },
385			{ 3, 0, 1, 2 } };
386
387			/*
388			* rijndael_encrypt()
389			*
390			* Encrypt 16 bytes of data with the Rijndael algorithm. Before this
391			* function can be used, rijndael_setup must be used in order to initialize
392			* Rijndael's key schedule.
393			*
394			* This function always encrypts 16 bytes of plaintext to 16 bytes of
395			* ciphertext. The memory areas of the plaintext and the ciphertext can
396			* overlap.
397			*/
398
399	1927		static void rijndael_encrypt(const RIJNDAEL_context ctx, const uint8_t plaintext, uint8_t *ciphertext) {
400			int r, j;
401			uint32_t wtxt[4], t[4]; /* working ciphertext */
402			uint32_t e;
403
404	1927		key_addition_8to32(plaintext, &(ctx->keys[0]), wtxt);
405	25540	100	for (r=1; rnrounds; r++) {
406	118065	100	for (j=0; j<4; j++) {
407	188904		t[j] = dtbl[wtxt[j] & 0xff] ^
408	94452		ROTRBYTE(dtbl[(wtxt[idx[1][j]] >> 8) & 0xff]^
409			ROTRBYTE(dtbl[(wtxt[idx[2][j]] >> 16) & 0xff] ^
410			ROTRBYTE(dtbl[(wtxt[idx[3][j]] >> 24) & 0xff])));
411			}
412	23613		key_addition32(t, &(ctx->keys[r*4]), wtxt);
413			}
414			/* last round is special: there is no mixcolumn, so we can't use the big
415			tables. */
416	9635	100	for (j=0; j<4; j++) {
417	7708		e = wtxt[j] & 0xff;
418	7708		e \|= (wtxt[idx[1][j]]) & (0xff << 8 );
419	7708		e \|= (wtxt[idx[2][j]]) & (0xff << 16);
420	7708		e \|= (wtxt[idx[3][j]]) & (0xffU << 24);
421	7708		t[j] = e;
422			}
423	9635	100	for (j=0; j<4; j++)
424	7708		t[j] = SUBBYTE(t[j], sbox);
425	1927		key_addition32to8(t, &(ctx->keys[4*ctx->nrounds]), ciphertext);
426	1927		}
427
428			static int iidx[4][4] = {
429			{ 0, 1, 2, 3 },
430			{ 3, 0, 1, 2 },
431			{ 2, 3, 0, 1 },
432			{ 1, 2, 3, 0 } };
433
434			/*
435			* rijndael_decrypt()
436			*
437			* Decrypt 16 bytes of data with the Rijndael algorithm.
438			*
439			* Before this function can be used, rijndael_setup() must be used in order
440			* to set up the key schedule required for the decryption algorithm.
441			*
442			* This function always decrypts 16 bytes of ciphertext to 16 bytes of
443			* plaintext. The memory areas of the plaintext and the ciphertext can
444			* overlap.
445			*/
446
447	391		static void rijndael_decrypt(const RIJNDAEL_context ctx, const uint8_t ciphertext, uint8_t *plaintext) {
448			int r, j;
449			uint32_t wtxt[4], t[4]; /* working ciphertext */
450			uint32_t e;
451
452	391		key_addition_8to32(ciphertext, &(ctx->ikeys[4*ctx->nrounds]), wtxt);
453	5412	100	for (r=ctx->nrounds-1; r> 0; r--) {
454	25105	100	for (j=0; j<4; j++) {
455	40168		t[j] = itbl[wtxt[j] & 0xff] ^
456	20084		ROTRBYTE(itbl[(wtxt[iidx[1][j]] >> 8) & 0xff]^
457			ROTRBYTE(itbl[(wtxt[iidx[2][j]] >> 16) & 0xff] ^
458			ROTRBYTE(itbl[(wtxt[iidx[3][j]] >> 24) & 0xff])));
459			}
460	5021		key_addition32(t, &(ctx->ikeys[r*4]), wtxt);
461			}
462			/* last round is special: there is no mixcolumn, so we can't use the big
463			tables. */
464	1955	100	for (j=0; j<4; j++) {
465	1564		e = wtxt[j] & 0xff;
466	1564		e \|= (wtxt[iidx[1][j]]) & (0xff << 8);
467	1564		e \|= (wtxt[iidx[2][j]]) & (0xff << 16);
468	1564		e \|= (wtxt[iidx[3][j]]) & (0xffU << 24);
469	1564		t[j] = e;
470			}
471	1955	100	for (j=0; j<4; j++)
472	1564		t[j] = SUBBYTE(t[j], isbox);
473	391		key_addition32to8(t, &(ctx->ikeys[0]), plaintext);
474	391		}
475
476	502		static void xor_block_with(const uint8_t* input, uint8_t* output) {
477			int j;
478	8534	100	for (j=0; j
479	8032		output[j] ^= input[j];
480	502		}
481
482	1370		static void xor_block_to(const uint8_t* block, const uint8_t* input, uint8_t* output) {
483			int j;
484	23290	100	for (j=0; j
485	21920		output[j] = block[j] ^ input[j];
486	1370		}
487
488	44		static void xor_bytes_to(const uint8_t* block, const uint8_t* input, size_t inputlen, uint8_t* output) {
489			int j;
490	396	100	for (j=0; j
491	352		output[j] = block[j] ^ input[j];
492	44		}
493
494			#define xor_bytes_with(input, output, length) xor_bytes_to(input, output, length, output)
495			#define block_no(ptr, index) ((ptr) + (index)*RIJNDAEL_BLOCKSIZE)
496			#define copy_block(from, to) memcpy(to, from, RIJNDAEL_BLOCKSIZE)
497
498	18		static void ecb_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t *output) {
499	18		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
500	219	100	for (i = 0; i
501	201		rijndael_encrypt(ctx, block_no(input, i), block_no(output, i));
502			}
503	18		}
504
505	16		static void cbc_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
506			uint8_t block[RIJNDAEL_BLOCKSIZE];
507	16		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
508
509			//* set initial value
510	16		copy_block(iv, block);
511	206	100	for (i=0; i< nblocks; i++) {
512	190		xor_block_with(block_no(input, i), block);
513	190		rijndael_encrypt(ctx, block, block);
514	190		copy_block(block, block_no(output, i));
515			}
516	16		}
517
518	25		static void cfb_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
519			uint8_t block[RIJNDAEL_BLOCKSIZE];
520	25		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE, leftover = inputlen % RIJNDAEL_BLOCKSIZE;
521
522	25		copy_block(iv, block);
523	337	100	for (i=0; i
524	312		rijndael_encrypt(ctx, block, block);
525	312		xor_block_with(block_no(input, i), block);
526	312		copy_block(block, block_no(output, i));
527			}
528	25	100	if (leftover) {
529	11		rijndael_encrypt(ctx, block, block);
530	11		xor_bytes_with(block_no(input, nblocks), block, leftover);
531	11		memcpy(block_no(output, nblocks), block, leftover);
532			}
533	25		}
534
535	50		static void ofb_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
536			uint8_t block[RIJNDAEL_BLOCKSIZE];
537	50		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE, leftover = inputlen % RIJNDAEL_BLOCKSIZE;
538
539	50		copy_block(iv, block);
540	566	100	for (i=0; i
541	516		rijndael_encrypt(ctx, block, block);
542	516		xor_block_to(block_no(input, i), block, block_no(output, i));
543			}
544	50	100	if (leftover) {
545	22		rijndael_encrypt(ctx, block, block);
546	22		xor_bytes_to(block_no(input, nblocks), block, leftover, block_no(output, nblocks));
547			}
548	50		}
549
550	352		static void increment_counter(uint8_t* counter) {
551	352		int i = RIJNDAEL_BLOCKSIZE-1, carry_flg = 1;
552
553	716	100	while (carry_flg && i >= 0)
		50
554	364		carry_flg = !++counter[i--];
555	352		}
556
557	28		static void ctr_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
558			uint8_t block[RIJNDAEL_BLOCKSIZE], counter[RIJNDAEL_BLOCKSIZE];
559	28		int i, carry_flg, nblocks = inputlen / RIJNDAEL_BLOCKSIZE, leftover = inputlen % RIJNDAEL_BLOCKSIZE;
560
561	28		copy_block(iv, counter);
562	380	100	for (i=0; i
563	352		rijndael_encrypt(ctx, counter, block);
564	352		xor_block_to(block, block_no(input, i), block_no(output, i));
565	352		increment_counter(counter);
566			}
567	28	50	if (leftover) {
568	0		rijndael_encrypt(ctx, counter, block);
569	0		xor_bytes_to(block, block_no(input, nblocks), leftover, block_no(output, nblocks));
570			/* increment_counter(counter); */
571			}
572	28		}
573
574	98		void block_encrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
575	98		switch (ctx->mode) {
576			case MODE_ECB: /* electronic code book */
577	18		ecb_encrypt(ctx, input, inputlen, output);
578	18		break;
579			case MODE_CBC: /* Cipher block chaining */
580			/* set initial value */
581	16		cbc_encrypt(ctx, input, inputlen, output, iv);
582	16		break;
583			case MODE_CFB: /* 128-bit cipher feedback */
584	25		cfb_encrypt(ctx, input, inputlen, output, iv);
585	25		break;
586			case MODE_OFB: /* 128-bit output feedback */
587	25		ofb_encrypt(ctx, input, inputlen, output, iv);
588	25		break;
589			case MODE_CTR: /* counter */
590	14		ctr_encrypt(ctx, input, inputlen, output, iv);
591	14		break;
592			default:
593	0		break;
594			}
595	98		}
596
597	18		static void ecb_decrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t *output) {
598	18		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
599	219	100	for (i = 0; i
600	201		rijndael_decrypt(ctx, block_no(input, i), block_no(output, i));
601			}
602	18		}
603
604	16		static void cbc_decrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
605			uint8_t block[RIJNDAEL_BLOCKSIZE];
606	16		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE;
607
608			/* first block */
609	16		rijndael_decrypt(ctx, input, block);
610			/* XOR the block with the IV to get the output */
611	16		xor_block_to(block, iv, output);
612	190	100	for (i=1; i
613	174		rijndael_decrypt(ctx, block_no(input, i), block);
614	174		xor_block_to(block, block_no(input, i-1), block_no(output, i));
615			}
616	16		}
617
618	25		static void cfb_decrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
619			uint8_t block[RIJNDAEL_BLOCKSIZE];
620	25		int i, nblocks = inputlen / RIJNDAEL_BLOCKSIZE, leftover = inputlen % RIJNDAEL_BLOCKSIZE;
621
622	25		copy_block(iv, block);
623	337	100	for (i=0; i
624	312		rijndael_encrypt(ctx, block, block); /* ENCRYPT is right! */
625	312		xor_block_to(block, block_no(input, i), block_no(output, i));
626	312		copy_block(block_no(input, i), block);
627			}
628	25	100	if (leftover) {
629	11		rijndael_encrypt(ctx, block, block); /* ENCRYPT is right! */
630	11		xor_bytes_to(block, block_no(input, i), leftover, block_no(output, i));
631	11		memcpy(block, block_no(input, i), leftover);
632			}
633	25		}
634
635	98		void block_decrypt(const RIJNDAEL_context ctx, const uint8_t input, int inputlen, uint8_t output, const uint8_t iv) {
636	98		switch (ctx->mode) {
637			case MODE_ECB:
638	18		ecb_decrypt(ctx, input, inputlen, output);
639	18		break;
640			case MODE_CBC:
641	16		cbc_decrypt(ctx, input, inputlen, output, iv);
642	16		break;
643			case MODE_CFB: /* 128-bit cipher feedback */
644	25		cfb_decrypt(ctx, input, inputlen, output, iv);
645	25		break;
646			case MODE_OFB: /* 128-bit output feedback */
647	25		ofb_encrypt(ctx, input, inputlen, output, iv);
648	25		break;
649			case MODE_CTR: /* counter */
650	14		ctr_encrypt(ctx, input, inputlen, output, iv);
651	14		break;
652			default:
653	0		break;
654			}
655	98		}
656