Commit fd976f57 authored by Niels Möller's avatar Niels Möller

Merged aes-reorg branch.

parents 4ae04a64 7f0c28dc
2013-09-28 Niels Möller <nisse@lysator.liu.se>
* Merge aes-reorg branch. Changes below,
dated 2013-05-17 - 2013-08-13.
2013-08-13 Niels Möller <nisse@lysator.liu.se>
* yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx.
* yarrow256.c: Adapted to use new aes256 interface.
2013-08-07 Niels Möller <nisse@lysator.liu.se>
* umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx.
* umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface.
* umac32.c (umac32_digest): Likewise.
* umac64.c (umac64_digest): Likewise.
* umac96.c (umac96_digest): Likewise.
* umac128.c (umac128_digest): Likewise.
2013-06-25 Niels Möller <nisse@lysator.liu.se>
* aes-meta.c: Deleted file.
Analogous changes for new aes192 and aes256 interface.
* aes.h (struct aes128_ctx): New aes128 declarations.
* aes-decrypt.c (aes128_decrypt): New function.
* aes-encrypt.c (aes128_encrypt): New function.
* aes128-meta.c: New file.
* aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and
function.
* aes128-set-decrypt-key.c (aes128_set_decrypt_key)
(aes128_invert_key): New file and functions.
* Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c,
aes128-set-decrypt-key.c and aes128-meta.c.
* nettle-internal.c (nettle_unified_aes128): For testing the old
AES interface.
* testsuite/aes-test.c (test_cipher2): New function.
(test_main): Test both nettle_aes128 and nettle_unified_aes128.
2013-05-22 Niels Möller <nisse@lysator.liu.se>
* Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and
aes-set-key-internal.c.
* aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants.
Similarly also for aes192 and aes256.
* aes-internal.h: Declare new functions.
* aes-set-key-internal.c (_aes_set_key): New file and funxtion
extracted from aes_set_encrypt_key.
* aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key.
* aes-invert-internal.c (_aes_invert): New file and function,
extracted from aes_invert_key.
* aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert.
* arm/v6/aes-encrypt-internal.asm: Adapted to new interface.
Unfortunately, 4% slowdown on Cortex-A9, for unknown reason.
* arm/v6/aes-decrypt-internal.asm: Likewise.
* arm/aes-encrypt-internal.asm: Adapted to new interface.
* arm/aes-decrypt-internal.asm: Likewise.
2013-05-21 Niels Möller <nisse@lysator.liu.se>
* sparc32/aes-encrypt-internal.asm: Adapted to new interface.
* sparc32/aes-decrypt-internal.asm: Likewise.
* sparc64/aes-encrypt-internal.asm: Likewise.
* sparc64/aes-decrypt-internal.asm: Likewise.
* x86/aes-encrypt-internal.asm: Adapted to new interface.
* x86/aes-decrypt-internal.asm: Likewise.
2013-05-20 Niels Möller <nisse@lysator.liu.se>
* x86_64/aes-encrypt-internal.asm: Adapted to new interface.
* x86_64/aes-decrypt-internal.asm: Likewise.
2013-05-17 Niels Möller <nisse@lysator.liu.se>
* aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved
first in the structure.
* aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming.
* aes-set-decrypt-key.c (aes_invert_key): Likewise.
* aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and
subkeys as separate arguments, not a struct aes_ctx *. Updated
callers.
* aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise.
* aes-internal.h: Updated prototypes.
* Start of aes-reorg changes.
2013-09-28 Niels Möller <nisse@lysator.liu.se>
* md4.h (struct md4_ctx): Use single uint64_t variable for block
......
......@@ -64,7 +64,14 @@ all-here: $(TARGETS) $(DOCTARGETS)
nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \
aes-set-encrypt-key.c aes-set-decrypt-key.c aes-meta.c \
aes-invert-internal.c aes-set-key-internal.c \
aes-set-encrypt-key.c aes-set-decrypt-key.c \
aes128-set-encrypt-key.c aes128-set-decrypt-key.c \
aes128-meta.c \
aes192-set-encrypt-key.c aes192-set-decrypt-key.c \
aes192-meta.c \
aes256-set-encrypt-key.c aes256-set-decrypt-key.c \
aes256-meta.c \
arcfour.c arcfour-crypt.c arcfour-meta.c \
arctwo.c arctwo-meta.c gosthash94-meta.c \
base16-encode.c base16-decode.c base16-meta.c \
......
......@@ -5,7 +5,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
* Copyright (C) 2002, 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -33,7 +33,7 @@
#include "macros.h"
void
_nettle_aes_decrypt(const struct aes_ctx *ctx,
_nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
size_t length, uint8_t *dst,
const uint8_t *src)
......@@ -42,22 +42,22 @@ _nettle_aes_decrypt(const struct aes_ctx *ctx,
{
uint32_t w0, w1, w2, w3; /* working ciphertext */
uint32_t t0, t1, t2, t3;
unsigned round;
unsigned i;
/* Get clear text, using little-endian byte order.
* Also XOR with the first subkey. */
w0 = LE_READ_UINT32(src) ^ ctx->keys[0];
w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1];
w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2];
w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3];
w0 = LE_READ_UINT32(src) ^ keys[0];
w1 = LE_READ_UINT32(src + 4) ^ keys[1];
w2 = LE_READ_UINT32(src + 8) ^ keys[2];
w3 = LE_READ_UINT32(src + 12) ^ keys[3];
for (round = 1; round < ctx->nrounds; round++)
for (i = 1; i < rounds; i++)
{
t0 = AES_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]);
t1 = AES_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]);
t2 = AES_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]);
t3 = AES_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]);
t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]);
t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
t2 = AES_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]);
t3 = AES_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]);
/* We could unroll the loop twice, to avoid these
assignments. If all eight variables fit in registers,
......@@ -70,14 +70,14 @@ _nettle_aes_decrypt(const struct aes_ctx *ctx,
/* Final round */
t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]);
t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]);
t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]);
t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]);
t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]);
t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]);
t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]);
LE_WRITE_UINT32(dst, t0);
LE_WRITE_UINT32(dst + 8, t2);
LE_WRITE_UINT32(dst + 4, t1);
LE_WRITE_UINT32(dst + 8, t2);
LE_WRITE_UINT32(dst + 12, t3);
}
}
......@@ -5,7 +5,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
* Copyright (C) 2002, 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -342,6 +342,36 @@ aes_decrypt(const struct aes_ctx *ctx,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(ctx, &_aes_decrypt_table,
_aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table,
length, dst, src);
}
void
aes128_decrypt(const struct aes128_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
}
void
aes192_decrypt(const struct aes192_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
}
void
aes256_decrypt(const struct aes256_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
}
......@@ -5,7 +5,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
* Copyright (C) 2002, 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -33,7 +33,7 @@
#include "macros.h"
void
_nettle_aes_encrypt(const struct aes_ctx *ctx,
_nettle_aes_encrypt(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
size_t length, uint8_t *dst,
const uint8_t *src)
......@@ -42,22 +42,22 @@ _nettle_aes_encrypt(const struct aes_ctx *ctx,
{
uint32_t w0, w1, w2, w3; /* working ciphertext */
uint32_t t0, t1, t2, t3;
unsigned round;
unsigned i;
/* Get clear text, using little-endian byte order.
* Also XOR with the first subkey. */
w0 = LE_READ_UINT32(src) ^ ctx->keys[0];
w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1];
w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2];
w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3];
w0 = LE_READ_UINT32(src) ^ keys[0];
w1 = LE_READ_UINT32(src + 4) ^ keys[1];
w2 = LE_READ_UINT32(src + 8) ^ keys[2];
w3 = LE_READ_UINT32(src + 12) ^ keys[3];
for (round = 1; round < ctx->nrounds; round++)
for (i = 1; i < rounds; i++)
{
t0 = AES_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]);
t1 = AES_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]);
t2 = AES_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]);
t3 = AES_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]);
t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]);
t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]);
t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]);
t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]);
/* We could unroll the loop twice, to avoid these
assignments. If all eight variables fit in registers,
......@@ -70,14 +70,14 @@ _nettle_aes_encrypt(const struct aes_ctx *ctx,
/* Final round */
t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]);
t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]);
t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]);
t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]);
t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]);
t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]);
t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]);
t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]);
LE_WRITE_UINT32(dst, t0);
LE_WRITE_UINT32(dst + 8, t2);
LE_WRITE_UINT32(dst + 4, t1);
LE_WRITE_UINT32(dst + 8, t2);
LE_WRITE_UINT32(dst + 12, t3);
}
}
......
......@@ -5,7 +5,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2002 Niels Möller
* Copyright (C) 2002, 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -40,6 +40,36 @@ aes_encrypt(const struct aes_ctx *ctx,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_encrypt(ctx, &_aes_encrypt_table,
_aes_encrypt(ctx->rounds, ctx->keys, &_aes_encrypt_table,
length, dst, src);
}
void
aes128_encrypt(const struct aes128_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_encrypt(_AES128_ROUNDS, ctx->keys, &_aes_encrypt_table,
length, dst, src);
}
void
aes192_encrypt(const struct aes192_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_encrypt(_AES192_ROUNDS, ctx->keys, &_aes_encrypt_table,
length, dst, src);
}
void
aes256_encrypt(const struct aes256_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
{
assert(!(length % AES_BLOCK_SIZE) );
_aes_encrypt(_AES256_ROUNDS, ctx->keys, &_aes_encrypt_table,
length, dst, src);
}
......@@ -5,7 +5,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2001 Niels Möller
* Copyright (C) 2001, 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -29,6 +29,8 @@
#include "aes.h"
/* Name mangling */
#define _aes_set_key _nettle_aes_set_key
#define _aes_invert _nettle_aes_invert
#define _aes_encrypt _nettle_aes_encrypt
#define _aes_decrypt _nettle_aes_decrypt
#define _aes_encrypt_table _nettle_aes_encrypt_table
......@@ -51,13 +53,20 @@ struct aes_table
};
void
_aes_encrypt(const struct aes_ctx *ctx,
_aes_set_key(unsigned nr, unsigned nk,
uint32_t *subkeys, const uint8_t *key);
void
_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src);
void
_aes_encrypt(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
size_t length, uint8_t *dst,
const uint8_t *src);
void
_aes_decrypt(const struct aes_ctx *ctx,
_aes_decrypt(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
size_t length, uint8_t *dst,
const uint8_t *src);
......
/* aes-invert-internal.c
*
* Inverse key setup for the aes/rijndael block cipher.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2000, 2001, 2002, Rafael R. Sevilla, Niels Möller
* Copyright (C) 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
/* Originally written by Rafael R. Sevilla <dido@pacific.net.ph> */
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "aes-internal.h"
#include "macros.h"
/* NOTE: We don't include rotated versions of the table. */
static const uint32_t mtable[0x100] =
{
0x00000000,0x0b0d090e,0x161a121c,0x1d171b12,
0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a,
0x58684870,0x5365417e,0x4e725a6c,0x457f5362,
0x745c6c48,0x7f516546,0x62467e54,0x694b775a,
0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2,
0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca,
0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382,
0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba,
0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9,
0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1,
0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9,
0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81,
0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029,
0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411,
0x9303e34b,0x980eea45,0x8519f157,0x8e14f859,
0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61,
0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf,
0xda595295,0xd1545b9b,0xcc434089,0xc74e4987,
0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf,
0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7,
0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f,
0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967,
0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f,
0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117,
0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664,
0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c,
0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14,
0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c,
0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684,
0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc,
0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4,
0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc,
0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753,
0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b,
0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23,
0x83868009,0x888b8907,0x959c9215,0x9e919b1b,
0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3,
0x6b3e5899,0x60335197,0x7d244a85,0x7629438b,
0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3,
0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb,
0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88,
0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0,
0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8,
0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0,
0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68,
0x10856342,0x1b886a4c,0x069f715e,0x0d927850,
0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418,
0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020,
0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe,
0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6,
0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e,
0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6,
0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e,
0x9d532e34,0x965e273a,0x8b493c28,0x80443526,
0xe90f427c,0xe2024b72,0xff155060,0xf418596e,
0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56,
0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25,
0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d,
0x2264e947,0x2969e049,0x347efb5b,0x3f73f255,
0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d,
0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5,
0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd,
0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5,
0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d,
};
#define MIX_COLUMN(T, key) do { \
uint32_t _k, _nk, _t; \
_k = (key); \
_nk = T[_k & 0xff]; \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(8, _t); \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(16, _t); \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(24, _t); \
(key) = _nk; \
} while(0)
#define SWAP(a, b) \
do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0)
void
_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src)
{
unsigned i;
/* Reverse the order of subkeys, in groups of 4. */
/* FIXME: Instead of reordering the subkeys, change the access order
of aes_decrypt, since it's a separate function anyway? */
if (src == dst)
{
unsigned j, k;
for (i = 0, j = rounds * 4;
i < j;
i += 4, j -= 4)
for (k = 0; k<4; k++)
SWAP(dst[i+k], dst[j+k]);
}
else
{
unsigned k;
for (i = 0; i <= rounds * 4; i += 4)
for (k = 0; k < 4; k++)
dst[i+k] = src[rounds * 4 - i + k];
}
/* Transform all subkeys but the first and last. */
for (i = 4; i < 4 * rounds; i++)
MIX_COLUMN (mtable, dst[i]);
}
......@@ -6,6 +6,7 @@
/* nettle, low-level cryptographics library
*
* Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller
* Copyright (C) 2013 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
......@@ -31,132 +32,12 @@
#include "aes-internal.h"
#include "macros.h"
/* NOTE: We don't include rotated versions of the table. */
static const uint32_t mtable[0x100] =
{
0x00000000,0x0b0d090e,0x161a121c,0x1d171b12,
0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a,
0x58684870,0x5365417e,0x4e725a6c,0x457f5362,
0x745c6c48,0x7f516546,0x62467e54,0x694b775a,
0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2,
0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca,
0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382,
0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba,
0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9,
0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1,
0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9,
0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81,
0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029,
0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411,
0x9303e34b,0x980eea45,0x8519f157,0x8e14f859,
0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61,
0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf,
0xda595295,0xd1545b9b,0xcc434089,0xc74e4987,
0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf,
0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7,
0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f,
0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967,
0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f,
0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117,
0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664,
0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c,
0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14,
0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c,
0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684,
0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc,
0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4,
0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc,
0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753,
0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b,
0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23,
0x83868009,0x888b8907,0x959c9215,0x9e919b1b,
0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3,
0x6b3e5899,0x60335197,0x7d244a85,0x7629438b,
0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3,
0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb,
0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88,
0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0,
0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8,
0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0,
0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68,
0x10856342,0x1b886a4c,0x069f715e,0x0d927850,
0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418,
0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020,
0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe,
0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6,
0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e,
0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6,
0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e,
0x9d532e34,0x965e273a,0x8b493c28,0x80443526,
0xe90f427c,0xe2024b72,0xff155060,0xf418596e,
0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56,
0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25,
0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d,
0x2264e947,0x2969e049,0x347efb5b,0x3f73f255,
0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d,
0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5,
0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd,
0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5,
0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d,
};
#define MIX_COLUMN(T, key) do { \
uint32_t _k, _nk, _t; \
_k = (key); \
_nk = T[_k & 0xff]; \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(8, _t); \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(16, _t); \
_k >>= 8; \
_t = T[_k & 0xff]; \
_nk ^= ROTL32(24, _t); \
(key) = _nk; \
} while(0)
#define SWAP(a, b) \
do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0)
void
aes_invert_key(struct aes_ctx *dst,
const struct aes_ctx *src)
{
unsigned nrounds;
unsigned i;
nrounds = src->nrounds;
/* Reverse the order of subkeys, in groups of 4. */
/* FIXME: Instead of reordering the subkeys, change the access order
of aes_decrypt, since it's a separate function anyway? */
if (src == dst)
{
unsigned j, k;
for (i = 0, j = nrounds * 4;
i < j;
i += 4, j -= 4)
for (k = 0; k<4; k++)