1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.
4
5 LICENSE TERMS
6
7 The redistribution and use of this software (with or without changes)
8 is allowed without the payment of fees or royalties provided that:
9
10 1. source code distributions include the above copyright notice, this
11 list of conditions and the following disclaimer;
12
13 2. binary distributions include the above copyright notice, this list
14 of conditions and the following disclaimer in their documentation;
15
16 3. the name of the copyright holder is not used to endorse products
17 built using this software without specific written permission.
18
19 DISCLAIMER
20
21 This software is provided 'as is' with no explicit or implied warranties
22 in respect of its properties, including, but not limited to, correctness
23 and/or fitness for purpose.
24 ---------------------------------------------------------------------------
25 Issue 09/09/2006
26
27 This is an AES implementation that uses only 8-bit byte operations on the
28 cipher state (there are options to use 32-bit types if available).
29
30 The combination of mix columns and byte substitution used here is based on
31 that developed by Karl Malbrain. His contribution is acknowledged.
32 */
33
34 /* define if you have a fast memcpy function on your system */
35 #if 1
36 # define HAVE_MEMCPY
37 # include <string.h>
38 #if 0
39 # if defined( _MSC_VER )
40 # include <intrin.h>
41 # pragma intrinsic( memcpy )
42 # endif
43 #endif
44 #endif
45
46 #include <stdlib.h>
47
48 /* add the target configuration to allow using internal data types and compilation options */
49 #include "common/bt_target.h"
50
51 /* define if you have fast 32-bit types on your system */
52 #if 1
53 # define HAVE_UINT_32T
54 #endif
55
56 /* define if you don't want any tables */
57 #if 1
58 # define USE_TABLES
59 #endif
60
61 /* On Intel Core 2 duo VERSION_1 is faster */
62
63 /* alternative versions (test for performance on your system) */
64 #if 1
65 # define VERSION_1
66 #endif
67
68 #include "aes.h"
69
70 #if defined( HAVE_UINT_32T )
71 typedef UINT32 uint_32t;
72 #endif
73
74 /* functions for finite field multiplication in the AES Galois field */
75
76 #define WPOLY 0x011b
77 #define BPOLY 0x1b
78 #define DPOLY 0x008d
79
80 #define f1(x) (x)
81 #define f2(x) ((x << 1) ^ (((x >> 7) & 1) * WPOLY))
82 #define f4(x) ((x << 2) ^ (((x >> 6) & 1) * WPOLY) ^ (((x >> 6) & 2) * WPOLY))
83 #define f8(x) ((x << 3) ^ (((x >> 5) & 1) * WPOLY) ^ (((x >> 5) & 2) * WPOLY) \
84 ^ (((x >> 5) & 4) * WPOLY))
85 #define d2(x) (((x) >> 1) ^ ((x) & 1 ? DPOLY : 0))
86
87 #define f3(x) (f2(x) ^ x)
88 #define f9(x) (f8(x) ^ x)
89 #define fb(x) (f8(x) ^ f2(x) ^ x)
90 #define fd(x) (f8(x) ^ f4(x) ^ x)
91 #define fe(x) (f8(x) ^ f4(x) ^ f2(x))
92
93 #if defined( USE_TABLES )
94
95 #define sb_data(w) { /* S Box data values */ \
96 w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
97 w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
98 w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
99 w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
100 w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
101 w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
102 w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
103 w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
104 w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
105 w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
106 w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
107 w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
108 w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
109 w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
110 w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
111 w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
112 w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
113 w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
114 w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
115 w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
116 w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
117 w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
118 w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
119 w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
120 w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
121 w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
122 w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
123 w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
124 w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
125 w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
126 w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
127 w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
128
129 #define isb_data(w) { /* inverse S Box data values */ \
130 w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
131 w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
132 w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
133 w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
134 w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
135 w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
136 w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
137 w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
138 w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
139 w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
140 w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
141 w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
142 w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
143 w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
144 w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
145 w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
146 w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
147 w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
148 w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
149 w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
150 w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
151 w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
152 w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
153 w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
154 w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
155 w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
156 w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
157 w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
158 w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
159 w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
160 w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
161 w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
162
163 #define mm_data(w) { /* basic data for forming finite field tables */ \
164 w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
165 w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
166 w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
167 w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
168 w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
169 w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
170 w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
171 w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
172 w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
173 w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
174 w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
175 w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
176 w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
177 w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
178 w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
179 w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
180 w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
181 w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
182 w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
183 w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
184 w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
185 w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
186 w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
187 w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
188 w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
189 w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
190 w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
191 w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
192 w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
193 w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
194 w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
195 w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
196
197 static const uint_8t sbox[256] = sb_data(f1);
198 static const uint_8t isbox[256] = isb_data(f1);
199
200 static const uint_8t gfm2_sbox[256] = sb_data(f2);
201 static const uint_8t gfm3_sbox[256] = sb_data(f3);
202
203 static const uint_8t gfmul_9[256] = mm_data(f9);
204 static const uint_8t gfmul_b[256] = mm_data(fb);
205 static const uint_8t gfmul_d[256] = mm_data(fd);
206 static const uint_8t gfmul_e[256] = mm_data(fe);
207
208 #define s_box(x) sbox[(x)]
209 #define is_box(x) isbox[(x)]
210 #define gfm2_sb(x) gfm2_sbox[(x)]
211 #define gfm3_sb(x) gfm3_sbox[(x)]
212 #define gfm_9(x) gfmul_9[(x)]
213 #define gfm_b(x) gfmul_b[(x)]
214 #define gfm_d(x) gfmul_d[(x)]
215 #define gfm_e(x) gfmul_e[(x)]
216
217 #else
218
219 /* this is the high bit of x right shifted by 1 */
220 /* position. Since the starting polynomial has */
221 /* 9 bits (0x11b), this right shift keeps the */
222 /* values of all top bits within a byte */
223
hibit(const uint_8t x)224 static uint_8t hibit(const uint_8t x)
225 {
226 uint_8t r = (uint_8t)((x >> 1) | (x >> 2));
227
228 r |= (r >> 2);
229 r |= (r >> 4);
230 return (r + 1) >> 1;
231 }
232
233 /* return the inverse of the finite field element x */
234
gf_inv(const uint_8t x)235 static uint_8t gf_inv(const uint_8t x)
236 {
237 uint_8t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
238
239 if (x < 2) {
240 return x;
241 }
242
243 for ( ; ; ) {
244 if (n1) {
245 while (n2 >= n1) { /* divide polynomial p2 by p1 */
246 n2 /= n1; /* shift smaller polynomial left */
247 p2 ^= (p1 * n2) & 0xff; /* and remove from larger one */
248 v2 ^= (v1 * n2); /* shift accumulated value and */
249 n2 = hibit(p2); /* add into result */
250 }
251 } else {
252 return v1;
253 }
254
255 if (n2) { /* repeat with values swapped */
256 while (n1 >= n2) {
257 n1 /= n2;
258 p1 ^= p2 * n1;
259 v1 ^= v2 * n1;
260 n1 = hibit(p1);
261 }
262 } else {
263 return v2;
264 }
265 }
266 }
267
268 /* The forward and inverse affine transformations used in the S-box */
fwd_affine(const uint_8t x)269 uint_8t fwd_affine(const uint_8t x)
270 {
271 #if defined( HAVE_UINT_32T )
272 uint_32t w = x;
273 w ^= (w << 1) ^ (w << 2) ^ (w << 3) ^ (w << 4);
274 return 0x63 ^ ((w ^ (w >> 8)) & 0xff);
275 #else
276 return 0x63 ^ x ^ (x << 1) ^ (x << 2) ^ (x << 3) ^ (x << 4)
277 ^ (x >> 7) ^ (x >> 6) ^ (x >> 5) ^ (x >> 4);
278 #endif
279 }
280
inv_affine(const uint_8t x)281 uint_8t inv_affine(const uint_8t x)
282 {
283 #if defined( HAVE_UINT_32T )
284 uint_32t w = x;
285 w = (w << 1) ^ (w << 3) ^ (w << 6);
286 return 0x05 ^ ((w ^ (w >> 8)) & 0xff);
287 #else
288 return 0x05 ^ (x << 1) ^ (x << 3) ^ (x << 6)
289 ^ (x >> 7) ^ (x >> 5) ^ (x >> 2);
290 #endif
291 }
292
293 #define s_box(x) fwd_affine(gf_inv(x))
294 #define is_box(x) gf_inv(inv_affine(x))
295 #define gfm2_sb(x) f2(s_box(x))
296 #define gfm3_sb(x) f3(s_box(x))
297 #define gfm_9(x) f9(x)
298 #define gfm_b(x) fb(x)
299 #define gfm_d(x) fd(x)
300 #define gfm_e(x) fe(x)
301
302 #endif
303
304 #if defined( HAVE_MEMCPY )
305 # define block_copy_nn(d, s, l) memcpy(d, s, l)
306 # define block_copy(d, s) memcpy(d, s, N_BLOCK)
307 #else
308 # define block_copy_nn(d, s, l) copy_block_nn(d, s, l)
309 # define block_copy(d, s) copy_block(d, s)
310 #endif
311
312 #if !defined( HAVE_MEMCPY )
copy_block(void * d,const void * s)313 static void copy_block( void *d, const void *s )
314 {
315 #if defined( HAVE_UINT_32T )
316 ((uint_32t *)d)[ 0] = ((uint_32t *)s)[ 0];
317 ((uint_32t *)d)[ 1] = ((uint_32t *)s)[ 1];
318 ((uint_32t *)d)[ 2] = ((uint_32t *)s)[ 2];
319 ((uint_32t *)d)[ 3] = ((uint_32t *)s)[ 3];
320 #else
321 ((uint_8t *)d)[ 0] = ((uint_8t *)s)[ 0];
322 ((uint_8t *)d)[ 1] = ((uint_8t *)s)[ 1];
323 ((uint_8t *)d)[ 2] = ((uint_8t *)s)[ 2];
324 ((uint_8t *)d)[ 3] = ((uint_8t *)s)[ 3];
325 ((uint_8t *)d)[ 4] = ((uint_8t *)s)[ 4];
326 ((uint_8t *)d)[ 5] = ((uint_8t *)s)[ 5];
327 ((uint_8t *)d)[ 6] = ((uint_8t *)s)[ 6];
328 ((uint_8t *)d)[ 7] = ((uint_8t *)s)[ 7];
329 ((uint_8t *)d)[ 8] = ((uint_8t *)s)[ 8];
330 ((uint_8t *)d)[ 9] = ((uint_8t *)s)[ 9];
331 ((uint_8t *)d)[10] = ((uint_8t *)s)[10];
332 ((uint_8t *)d)[11] = ((uint_8t *)s)[11];
333 ((uint_8t *)d)[12] = ((uint_8t *)s)[12];
334 ((uint_8t *)d)[13] = ((uint_8t *)s)[13];
335 ((uint_8t *)d)[14] = ((uint_8t *)s)[14];
336 ((uint_8t *)d)[15] = ((uint_8t *)s)[15];
337 #endif
338 }
339
copy_block_nn(void * d,const void * s,uint_8t nn)340 static void copy_block_nn( void *d, const void *s, uint_8t nn )
341 {
342 while ( nn-- ) {
343 *((uint_8t *)d)++ = *((uint_8t *)s)++;
344 }
345 }
346 #endif
347
xor_block(void * d,const void * s)348 static void xor_block( void *d, const void *s )
349 {
350 #if defined( HAVE_UINT_32T )
351 ((uint_32t *)d)[ 0] ^= ((uint_32t *)s)[ 0];
352 ((uint_32t *)d)[ 1] ^= ((uint_32t *)s)[ 1];
353 ((uint_32t *)d)[ 2] ^= ((uint_32t *)s)[ 2];
354 ((uint_32t *)d)[ 3] ^= ((uint_32t *)s)[ 3];
355 #else
356 ((uint_8t *)d)[ 0] ^= ((uint_8t *)s)[ 0];
357 ((uint_8t *)d)[ 1] ^= ((uint_8t *)s)[ 1];
358 ((uint_8t *)d)[ 2] ^= ((uint_8t *)s)[ 2];
359 ((uint_8t *)d)[ 3] ^= ((uint_8t *)s)[ 3];
360 ((uint_8t *)d)[ 4] ^= ((uint_8t *)s)[ 4];
361 ((uint_8t *)d)[ 5] ^= ((uint_8t *)s)[ 5];
362 ((uint_8t *)d)[ 6] ^= ((uint_8t *)s)[ 6];
363 ((uint_8t *)d)[ 7] ^= ((uint_8t *)s)[ 7];
364 ((uint_8t *)d)[ 8] ^= ((uint_8t *)s)[ 8];
365 ((uint_8t *)d)[ 9] ^= ((uint_8t *)s)[ 9];
366 ((uint_8t *)d)[10] ^= ((uint_8t *)s)[10];
367 ((uint_8t *)d)[11] ^= ((uint_8t *)s)[11];
368 ((uint_8t *)d)[12] ^= ((uint_8t *)s)[12];
369 ((uint_8t *)d)[13] ^= ((uint_8t *)s)[13];
370 ((uint_8t *)d)[14] ^= ((uint_8t *)s)[14];
371 ((uint_8t *)d)[15] ^= ((uint_8t *)s)[15];
372 #endif
373 }
374
copy_and_key(void * d,const void * s,const void * k)375 static void copy_and_key( void *d, const void *s, const void *k )
376 {
377 #if defined( HAVE_UINT_32T )
378 ((uint_32t *)d)[ 0] = ((uint_32t *)s)[ 0] ^ ((uint_32t *)k)[ 0];
379 ((uint_32t *)d)[ 1] = ((uint_32t *)s)[ 1] ^ ((uint_32t *)k)[ 1];
380 ((uint_32t *)d)[ 2] = ((uint_32t *)s)[ 2] ^ ((uint_32t *)k)[ 2];
381 ((uint_32t *)d)[ 3] = ((uint_32t *)s)[ 3] ^ ((uint_32t *)k)[ 3];
382 #elif 1
383 ((uint_8t *)d)[ 0] = ((uint_8t *)s)[ 0] ^ ((uint_8t *)k)[ 0];
384 ((uint_8t *)d)[ 1] = ((uint_8t *)s)[ 1] ^ ((uint_8t *)k)[ 1];
385 ((uint_8t *)d)[ 2] = ((uint_8t *)s)[ 2] ^ ((uint_8t *)k)[ 2];
386 ((uint_8t *)d)[ 3] = ((uint_8t *)s)[ 3] ^ ((uint_8t *)k)[ 3];
387 ((uint_8t *)d)[ 4] = ((uint_8t *)s)[ 4] ^ ((uint_8t *)k)[ 4];
388 ((uint_8t *)d)[ 5] = ((uint_8t *)s)[ 5] ^ ((uint_8t *)k)[ 5];
389 ((uint_8t *)d)[ 6] = ((uint_8t *)s)[ 6] ^ ((uint_8t *)k)[ 6];
390 ((uint_8t *)d)[ 7] = ((uint_8t *)s)[ 7] ^ ((uint_8t *)k)[ 7];
391 ((uint_8t *)d)[ 8] = ((uint_8t *)s)[ 8] ^ ((uint_8t *)k)[ 8];
392 ((uint_8t *)d)[ 9] = ((uint_8t *)s)[ 9] ^ ((uint_8t *)k)[ 9];
393 ((uint_8t *)d)[10] = ((uint_8t *)s)[10] ^ ((uint_8t *)k)[10];
394 ((uint_8t *)d)[11] = ((uint_8t *)s)[11] ^ ((uint_8t *)k)[11];
395 ((uint_8t *)d)[12] = ((uint_8t *)s)[12] ^ ((uint_8t *)k)[12];
396 ((uint_8t *)d)[13] = ((uint_8t *)s)[13] ^ ((uint_8t *)k)[13];
397 ((uint_8t *)d)[14] = ((uint_8t *)s)[14] ^ ((uint_8t *)k)[14];
398 ((uint_8t *)d)[15] = ((uint_8t *)s)[15] ^ ((uint_8t *)k)[15];
399 #else
400 block_copy(d, s);
401 xor_block(d, k);
402 #endif
403 }
404
add_round_key(uint_8t d[N_BLOCK],const uint_8t k[N_BLOCK])405 static void add_round_key( uint_8t d[N_BLOCK], const uint_8t k[N_BLOCK] )
406 {
407 xor_block(d, k);
408 }
409
shift_sub_rows(uint_8t st[N_BLOCK])410 static void shift_sub_rows( uint_8t st[N_BLOCK] )
411 {
412 uint_8t tt;
413
414 st[ 0] = s_box(st[ 0]); st[ 4] = s_box(st[ 4]);
415 st[ 8] = s_box(st[ 8]); st[12] = s_box(st[12]);
416
417 tt = st[1]; st[ 1] = s_box(st[ 5]); st[ 5] = s_box(st[ 9]);
418 st[ 9] = s_box(st[13]); st[13] = s_box( tt );
419
420 tt = st[2]; st[ 2] = s_box(st[10]); st[10] = s_box( tt );
421 tt = st[6]; st[ 6] = s_box(st[14]); st[14] = s_box( tt );
422
423 tt = st[15]; st[15] = s_box(st[11]); st[11] = s_box(st[ 7]);
424 st[ 7] = s_box(st[ 3]); st[ 3] = s_box( tt );
425 }
426
inv_shift_sub_rows(uint_8t st[N_BLOCK])427 static void inv_shift_sub_rows( uint_8t st[N_BLOCK] )
428 {
429 uint_8t tt;
430
431 st[ 0] = is_box(st[ 0]); st[ 4] = is_box(st[ 4]);
432 st[ 8] = is_box(st[ 8]); st[12] = is_box(st[12]);
433
434 tt = st[13]; st[13] = is_box(st[9]); st[ 9] = is_box(st[5]);
435 st[ 5] = is_box(st[1]); st[ 1] = is_box( tt );
436
437 tt = st[2]; st[ 2] = is_box(st[10]); st[10] = is_box( tt );
438 tt = st[6]; st[ 6] = is_box(st[14]); st[14] = is_box( tt );
439
440 tt = st[3]; st[ 3] = is_box(st[ 7]); st[ 7] = is_box(st[11]);
441 st[11] = is_box(st[15]); st[15] = is_box( tt );
442 }
443
444 #if defined( VERSION_1 )
mix_sub_columns(uint_8t dt[N_BLOCK])445 static void mix_sub_columns( uint_8t dt[N_BLOCK] )
446 {
447 uint_8t st[N_BLOCK];
448 block_copy(st, dt);
449 #else
450 static void mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
451 {
452 #endif
453 dt[ 0] = gfm2_sb(st[0]) ^ gfm3_sb(st[5]) ^ s_box(st[10]) ^ s_box(st[15]);
454 dt[ 1] = s_box(st[0]) ^ gfm2_sb(st[5]) ^ gfm3_sb(st[10]) ^ s_box(st[15]);
455 dt[ 2] = s_box(st[0]) ^ s_box(st[5]) ^ gfm2_sb(st[10]) ^ gfm3_sb(st[15]);
456 dt[ 3] = gfm3_sb(st[0]) ^ s_box(st[5]) ^ s_box(st[10]) ^ gfm2_sb(st[15]);
457
458 dt[ 4] = gfm2_sb(st[4]) ^ gfm3_sb(st[9]) ^ s_box(st[14]) ^ s_box(st[3]);
459 dt[ 5] = s_box(st[4]) ^ gfm2_sb(st[9]) ^ gfm3_sb(st[14]) ^ s_box(st[3]);
460 dt[ 6] = s_box(st[4]) ^ s_box(st[9]) ^ gfm2_sb(st[14]) ^ gfm3_sb(st[3]);
461 dt[ 7] = gfm3_sb(st[4]) ^ s_box(st[9]) ^ s_box(st[14]) ^ gfm2_sb(st[3]);
462
463 dt[ 8] = gfm2_sb(st[8]) ^ gfm3_sb(st[13]) ^ s_box(st[2]) ^ s_box(st[7]);
464 dt[ 9] = s_box(st[8]) ^ gfm2_sb(st[13]) ^ gfm3_sb(st[2]) ^ s_box(st[7]);
465 dt[10] = s_box(st[8]) ^ s_box(st[13]) ^ gfm2_sb(st[2]) ^ gfm3_sb(st[7]);
466 dt[11] = gfm3_sb(st[8]) ^ s_box(st[13]) ^ s_box(st[2]) ^ gfm2_sb(st[7]);
467
468 dt[12] = gfm2_sb(st[12]) ^ gfm3_sb(st[1]) ^ s_box(st[6]) ^ s_box(st[11]);
469 dt[13] = s_box(st[12]) ^ gfm2_sb(st[1]) ^ gfm3_sb(st[6]) ^ s_box(st[11]);
470 dt[14] = s_box(st[12]) ^ s_box(st[1]) ^ gfm2_sb(st[6]) ^ gfm3_sb(st[11]);
471 dt[15] = gfm3_sb(st[12]) ^ s_box(st[1]) ^ s_box(st[6]) ^ gfm2_sb(st[11]);
472 }
473
474 #if defined( VERSION_1 )
475 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK] )
476 {
477 uint_8t st[N_BLOCK];
478 block_copy(st, dt);
479 #else
480 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
481 {
482 #endif
483 dt[ 0] = is_box(gfm_e(st[ 0]) ^ gfm_b(st[ 1]) ^ gfm_d(st[ 2]) ^ gfm_9(st[ 3]));
484 dt[ 5] = is_box(gfm_9(st[ 0]) ^ gfm_e(st[ 1]) ^ gfm_b(st[ 2]) ^ gfm_d(st[ 3]));
485 dt[10] = is_box(gfm_d(st[ 0]) ^ gfm_9(st[ 1]) ^ gfm_e(st[ 2]) ^ gfm_b(st[ 3]));
486 dt[15] = is_box(gfm_b(st[ 0]) ^ gfm_d(st[ 1]) ^ gfm_9(st[ 2]) ^ gfm_e(st[ 3]));
487
488 dt[ 4] = is_box(gfm_e(st[ 4]) ^ gfm_b(st[ 5]) ^ gfm_d(st[ 6]) ^ gfm_9(st[ 7]));
489 dt[ 9] = is_box(gfm_9(st[ 4]) ^ gfm_e(st[ 5]) ^ gfm_b(st[ 6]) ^ gfm_d(st[ 7]));
490 dt[14] = is_box(gfm_d(st[ 4]) ^ gfm_9(st[ 5]) ^ gfm_e(st[ 6]) ^ gfm_b(st[ 7]));
491 dt[ 3] = is_box(gfm_b(st[ 4]) ^ gfm_d(st[ 5]) ^ gfm_9(st[ 6]) ^ gfm_e(st[ 7]));
492
493 dt[ 8] = is_box(gfm_e(st[ 8]) ^ gfm_b(st[ 9]) ^ gfm_d(st[10]) ^ gfm_9(st[11]));
494 dt[13] = is_box(gfm_9(st[ 8]) ^ gfm_e(st[ 9]) ^ gfm_b(st[10]) ^ gfm_d(st[11]));
495 dt[ 2] = is_box(gfm_d(st[ 8]) ^ gfm_9(st[ 9]) ^ gfm_e(st[10]) ^ gfm_b(st[11]));
496 dt[ 7] = is_box(gfm_b(st[ 8]) ^ gfm_d(st[ 9]) ^ gfm_9(st[10]) ^ gfm_e(st[11]));
497
498 dt[12] = is_box(gfm_e(st[12]) ^ gfm_b(st[13]) ^ gfm_d(st[14]) ^ gfm_9(st[15]));
499 dt[ 1] = is_box(gfm_9(st[12]) ^ gfm_e(st[13]) ^ gfm_b(st[14]) ^ gfm_d(st[15]));
500 dt[ 6] = is_box(gfm_d(st[12]) ^ gfm_9(st[13]) ^ gfm_e(st[14]) ^ gfm_b(st[15]));
501 dt[11] = is_box(gfm_b(st[12]) ^ gfm_d(st[13]) ^ gfm_9(st[14]) ^ gfm_e(st[15]));
502 }
503
504 #if defined( AES_ENC_PREKEYED ) || defined( AES_DEC_PREKEYED )
505
506 /* Set the cipher key for the pre-keyed version */
507 /* NOTE: If the length_type used for the key length is an
508 unsigned 8-bit character, a key length of 256 bits must
509 be entered as a length in bytes (valid inputs are hence
510 128, 192, 16, 24 and 32).
511 */
512
513 return_type aes_set_key( const unsigned char key[], length_type keylen, aes_context ctx[1] )
514 {
515 uint_8t cc, rc, hi;
516
517 switch ( keylen ) {
518 case 16:
519 case 128: /* length in bits (128 = 8*16) */
520 keylen = 16;
521 break;
522 case 24:
523 case 192: /* length in bits (192 = 8*24) */
524 keylen = 24;
525 break;
526 case 32:
527 /* case 256: length in bits (256 = 8*32) */
528 keylen = 32;
529 break;
530 default:
531 ctx->rnd = 0;
532 return (return_type) - 1;
533 }
534 block_copy_nn(ctx->ksch, key, keylen);
535 hi = (keylen + 28) << 2;
536 ctx->rnd = (hi >> 4) - 1;
537 for ( cc = keylen, rc = 1; cc < hi; cc += 4 ) {
538 uint_8t tt, t0, t1, t2, t3;
539
540 t0 = ctx->ksch[cc - 4];
541 t1 = ctx->ksch[cc - 3];
542 t2 = ctx->ksch[cc - 2];
543 t3 = ctx->ksch[cc - 1];
544 if ( cc % keylen == 0 ) {
545 tt = t0;
546 t0 = s_box(t1) ^ rc;
547 t1 = s_box(t2);
548 t2 = s_box(t3);
549 t3 = s_box(tt);
550 rc = f2(rc);
551 } else if ( keylen > 24 && cc % keylen == 16 ) {
552 t0 = s_box(t0);
553 t1 = s_box(t1);
554 t2 = s_box(t2);
555 t3 = s_box(t3);
556 }
557 tt = cc - keylen;
558 ctx->ksch[cc + 0] = ctx->ksch[tt + 0] ^ t0;
559 ctx->ksch[cc + 1] = ctx->ksch[tt + 1] ^ t1;
560 ctx->ksch[cc + 2] = ctx->ksch[tt + 2] ^ t2;
561 ctx->ksch[cc + 3] = ctx->ksch[tt + 3] ^ t3;
562 }
563 return 0;
564 }
565
566 #endif
567
568 #if defined( AES_ENC_PREKEYED )
569
570 /* Encrypt a single block of 16 bytes */
571
572 /* @breif change the name by snake for avoid the conflict with libcrypto */
573 return_type bluedroid_aes_encrypt( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK], const aes_context ctx[1] )
574 {
575 if ( ctx->rnd ) {
576 uint_8t s1[N_BLOCK], r;
577 copy_and_key( s1, in, ctx->ksch );
578
579 for ( r = 1 ; r < ctx->rnd ; ++r )
580 #if defined( VERSION_1 )
581 {
582 mix_sub_columns( s1 );
583 add_round_key( s1, ctx->ksch + r * N_BLOCK);
584 }
585 #else
586 {
587 uint_8t s2[N_BLOCK];
588 mix_sub_columns( s2, s1 );
589 copy_and_key( s1, s2, ctx->ksch + r * N_BLOCK);
590 }
591 #endif
592 shift_sub_rows( s1 );
593 copy_and_key( out, s1, ctx->ksch + r * N_BLOCK );
594 } else {
595 return (return_type) - 1;
596 }
597 return 0;
598 }
599
600 /* CBC encrypt a number of blocks (input and return an IV) */
601
602 return_type aes_cbc_encrypt( const unsigned char *in, unsigned char *out,
603 int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
604 {
605
606 while (n_block--) {
607 xor_block(iv, in);
608 if (bluedroid_aes_encrypt(iv, iv, ctx) != EXIT_SUCCESS) {
609 return EXIT_FAILURE;
610 }
611 memcpy(out, iv, N_BLOCK);
612 in += N_BLOCK;
613 out += N_BLOCK;
614 }
615 return EXIT_SUCCESS;
616 }
617
618 #endif
619
620 #if defined( AES_DEC_PREKEYED )
621
622 /* Decrypt a single block of 16 bytes */
623
624 return_type bluedroid_aes_decrypt( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK], const aes_context ctx[1] )
625 {
626 if ( ctx->rnd ) {
627 uint_8t s1[N_BLOCK], r;
628 copy_and_key( s1, in, ctx->ksch + ctx->rnd * N_BLOCK );
629 inv_shift_sub_rows( s1 );
630
631 for ( r = ctx->rnd ; --r ; )
632 #if defined( VERSION_1 )
633 {
634 add_round_key( s1, ctx->ksch + r * N_BLOCK );
635 inv_mix_sub_columns( s1 );
636 }
637 #else
638 {
639 uint_8t s2[N_BLOCK];
640 copy_and_key( s2, s1, ctx->ksch + r * N_BLOCK );
641 inv_mix_sub_columns( s1, s2 );
642 }
643 #endif
644 copy_and_key( out, s1, ctx->ksch );
645 } else {
646 return (return_type) - 1;
647 }
648 return 0;
649 }
650
651 /* CBC decrypt a number of blocks (input and return an IV) */
652
653 return_type aes_cbc_decrypt( const unsigned char *in, unsigned char *out,
654 int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
655 {
656 while (n_block--) {
657 uint_8t tmp[N_BLOCK];
658
659 memcpy(tmp, in, N_BLOCK);
660 if (bluedroid_aes_decrypt(in, out, ctx) != EXIT_SUCCESS) {
661 return EXIT_FAILURE;
662 }
663 xor_block(out, iv);
664 memcpy(iv, tmp, N_BLOCK);
665 in += N_BLOCK;
666 out += N_BLOCK;
667 }
668 return EXIT_SUCCESS;
669 }
670
671 #endif
672
673 #if defined( AES_ENC_128_OTFK )
674
675 /* The 'on the fly' encryption key update for for 128 bit keys */
676
677 static void update_encrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
678 {
679 uint_8t cc;
680
681 k[0] ^= s_box(k[13]) ^ *rc;
682 k[1] ^= s_box(k[14]);
683 k[2] ^= s_box(k[15]);
684 k[3] ^= s_box(k[12]);
685 *rc = f2( *rc );
686
687 for (cc = 4; cc < 16; cc += 4 ) {
688 k[cc + 0] ^= k[cc - 4];
689 k[cc + 1] ^= k[cc - 3];
690 k[cc + 2] ^= k[cc - 2];
691 k[cc + 3] ^= k[cc - 1];
692 }
693 }
694
695 /* Encrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
696
697 void bluedroid_aes_encrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
698 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
699 {
700 uint_8t s1[N_BLOCK], r, rc = 1;
701
702 if (o_key != key) {
703 block_copy( o_key, key );
704 }
705 copy_and_key( s1, in, o_key );
706
707 for ( r = 1 ; r < 10 ; ++r )
708 #if defined( VERSION_1 )
709 {
710 mix_sub_columns( s1 );
711 update_encrypt_key_128( o_key, &rc );
712 add_round_key( s1, o_key );
713 }
714 #else
715 {
716 uint_8t s2[N_BLOCK];
717 mix_sub_columns( s2, s1 );
718 update_encrypt_key_128( o_key, &rc );
719 copy_and_key( s1, s2, o_key );
720 }
721 #endif
722
723 shift_sub_rows( s1 );
724 update_encrypt_key_128( o_key, &rc );
725 copy_and_key( out, s1, o_key );
726 }
727
728 #endif
729
730 #if defined( AES_DEC_128_OTFK )
731
732 /* The 'on the fly' decryption key update for for 128 bit keys */
733
734 static void update_decrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
735 {
736 uint_8t cc;
737
738 for ( cc = 12; cc > 0; cc -= 4 ) {
739 k[cc + 0] ^= k[cc - 4];
740 k[cc + 1] ^= k[cc - 3];
741 k[cc + 2] ^= k[cc - 2];
742 k[cc + 3] ^= k[cc - 1];
743 }
744 *rc = d2(*rc);
745 k[0] ^= s_box(k[13]) ^ *rc;
746 k[1] ^= s_box(k[14]);
747 k[2] ^= s_box(k[15]);
748 k[3] ^= s_box(k[12]);
749 }
750
751 /* Decrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
752
753 void bluedroid_aes_decrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
754 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
755 {
756 uint_8t s1[N_BLOCK], r, rc = 0x6c;
757 if (o_key != key) {
758 block_copy( o_key, key );
759 }
760
761 copy_and_key( s1, in, o_key );
762 inv_shift_sub_rows( s1 );
763
764 for ( r = 10 ; --r ; )
765 #if defined( VERSION_1 )
766 {
767 update_decrypt_key_128( o_key, &rc );
768 add_round_key( s1, o_key );
769 inv_mix_sub_columns( s1 );
770 }
771 #else
772 {
773 uint_8t s2[N_BLOCK];
774 update_decrypt_key_128( o_key, &rc );
775 copy_and_key( s2, s1, o_key );
776 inv_mix_sub_columns( s1, s2 );
777 }
778 #endif
779 update_decrypt_key_128( o_key, &rc );
780 copy_and_key( out, s1, o_key );
781 }
782
783 #endif
784
785 #if defined( AES_ENC_256_OTFK )
786
787 /* The 'on the fly' encryption key update for for 256 bit keys */
788
789 static void update_encrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
790 {
791 uint_8t cc;
792
793 k[0] ^= s_box(k[29]) ^ *rc;
794 k[1] ^= s_box(k[30]);
795 k[2] ^= s_box(k[31]);
796 k[3] ^= s_box(k[28]);
797 *rc = f2( *rc );
798
799 for (cc = 4; cc < 16; cc += 4) {
800 k[cc + 0] ^= k[cc - 4];
801 k[cc + 1] ^= k[cc - 3];
802 k[cc + 2] ^= k[cc - 2];
803 k[cc + 3] ^= k[cc - 1];
804 }
805
806 k[16] ^= s_box(k[12]);
807 k[17] ^= s_box(k[13]);
808 k[18] ^= s_box(k[14]);
809 k[19] ^= s_box(k[15]);
810
811 for ( cc = 20; cc < 32; cc += 4 ) {
812 k[cc + 0] ^= k[cc - 4];
813 k[cc + 1] ^= k[cc - 3];
814 k[cc + 2] ^= k[cc - 2];
815 k[cc + 3] ^= k[cc - 1];
816 }
817 }
818
819 /* Encrypt a single block of 16 bytes with 'on the fly' 256 bit keying */
820
821 void bluedroid_aes_encrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
822 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
823 {
824 uint_8t s1[N_BLOCK], r, rc = 1;
825 if (o_key != key) {
826 block_copy( o_key, key );
827 block_copy( o_key + 16, key + 16 );
828 }
829 copy_and_key( s1, in, o_key );
830
831 for ( r = 1 ; r < 14 ; ++r )
832 #if defined( VERSION_1 )
833 {
834 mix_sub_columns(s1);
835 if ( r & 1 ) {
836 add_round_key( s1, o_key + 16 );
837 } else {
838 update_encrypt_key_256( o_key, &rc );
839 add_round_key( s1, o_key );
840 }
841 }
842 #else
843 {
844 uint_8t s2[N_BLOCK];
845 mix_sub_columns( s2, s1 );
846 if ( r & 1 ) {
847 copy_and_key( s1, s2, o_key + 16 );
848 } else {
849 update_encrypt_key_256( o_key, &rc );
850 copy_and_key( s1, s2, o_key );
851 }
852 }
853 #endif
854
855 shift_sub_rows( s1 );
856 update_encrypt_key_256( o_key, &rc );
857 copy_and_key( out, s1, o_key );
858 }
859
860 #endif
861
862 #if defined( AES_DEC_256_OTFK )
863
864 /* The 'on the fly' encryption key update for for 256 bit keys */
865
866 static void update_decrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
867 {
868 uint_8t cc;
869
870 for (cc = 28; cc > 16; cc -= 4) {
871 k[cc + 0] ^= k[cc - 4];
872 k[cc + 1] ^= k[cc - 3];
873 k[cc + 2] ^= k[cc - 2];
874 k[cc + 3] ^= k[cc - 1];
875 }
876
877 k[16] ^= s_box(k[12]);
878 k[17] ^= s_box(k[13]);
879 k[18] ^= s_box(k[14]);
880 k[19] ^= s_box(k[15]);
881
882 for (cc = 12; cc > 0; cc -= 4) {
883 k[cc + 0] ^= k[cc - 4];
884 k[cc + 1] ^= k[cc - 3];
885 k[cc + 2] ^= k[cc - 2];
886 k[cc + 3] ^= k[cc - 1];
887 }
888
889 *rc = d2(*rc);
890 k[0] ^= s_box(k[29]) ^ *rc;
891 k[1] ^= s_box(k[30]);
892 k[2] ^= s_box(k[31]);
893 k[3] ^= s_box(k[28]);
894 }
895
896 /* Decrypt a single block of 16 bytes with 'on the fly'
897 256 bit keying
898 */
899 void bluedroid_aes_decrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
900 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
901 {
902 uint_8t s1[N_BLOCK], r, rc = 0x80;
903
904 if (o_key != key) {
905 block_copy( o_key, key );
906 block_copy( o_key + 16, key + 16 );
907 }
908
909 copy_and_key( s1, in, o_key );
910 inv_shift_sub_rows( s1 );
911
912 for ( r = 14 ; --r ; )
913 #if defined( VERSION_1 )
914 {
915 if ( ( r & 1 ) ) {
916 update_decrypt_key_256( o_key, &rc );
917 add_round_key( s1, o_key + 16 );
918 } else {
919 add_round_key( s1, o_key );
920 }
921 inv_mix_sub_columns( s1 );
922 }
923 #else
924 {
925 uint_8t s2[N_BLOCK];
926 if ( ( r & 1 ) ) {
927 update_decrypt_key_256( o_key, &rc );
928 copy_and_key( s2, s1, o_key + 16 );
929 } else {
930 copy_and_key( s2, s1, o_key );
931 }
932 inv_mix_sub_columns( s1, s2 );
933 }
934 #endif
935 copy_and_key( out, s1, o_key );
936 }
937
938 #endif
939
