]> andersk Git - openssh.git/blame - rijndael.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- (stevesk) Include config.h in rijndael.c so we define intXX_t and
[openssh.git] / rijndael.c
CommitLineData
94ec8c6b 1/* $OpenBSD: rijndael.c,v 1.1 2000/10/13 18:59:14 markus Exp $ */
2
3/* This is an independent implementation of the encryption algorithm: */
4/* */
5/* RIJNDAEL by Joan Daemen and Vincent Rijmen */
6/* */
7/* which is a candidate algorithm in the Advanced Encryption Standard */
8/* programme of the US National Institute of Standards and Technology. */
9/* */
10/* Copyright in this implementation is held by Dr B R Gladman but I */
11/* hereby give permission for its free direct or derivative use subject */
12/* to acknowledgment of its origin and compliance with any conditions */
13/* that the originators of the algorithm place on its exploitation. */
14/* */
15/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */
16
17/* Timing data for Rijndael (rijndael.c)
18
19Algorithm: rijndael (rijndael.c)
20
21128 bit key:
22Key Setup: 305/1389 cycles (encrypt/decrypt)
23Encrypt: 374 cycles = 68.4 mbits/sec
24Decrypt: 352 cycles = 72.7 mbits/sec
25Mean: 363 cycles = 70.5 mbits/sec
26
27192 bit key:
28Key Setup: 277/1595 cycles (encrypt/decrypt)
29Encrypt: 439 cycles = 58.3 mbits/sec
30Decrypt: 425 cycles = 60.2 mbits/sec
31Mean: 432 cycles = 59.3 mbits/sec
32
33256 bit key:
34Key Setup: 374/1960 cycles (encrypt/decrypt)
35Encrypt: 502 cycles = 51.0 mbits/sec
36Decrypt: 498 cycles = 51.4 mbits/sec
37Mean: 500 cycles = 51.2 mbits/sec
38
39*/
40
6bcf7caa 41#include "config.h"
94ec8c6b 42#include "rijndael.h"
43
44void gen_tabs __P((void));
45
46/* 3. Basic macros for speeding up generic operations */
47
48/* Circular rotate of 32 bit values */
49
50#define rotr(x,n) (((x) >> ((int)(n))) | ((x) << (32 - (int)(n))))
51#define rotl(x,n) (((x) << ((int)(n))) | ((x) >> (32 - (int)(n))))
52
53/* Invert byte order in a 32 bit variable */
54
55#define bswap(x) (rotl(x, 8) & 0x00ff00ff | rotr(x, 8) & 0xff00ff00)
56
57/* Extract byte from a 32 bit quantity (little endian notation) */
58
59#define byte(x,n) ((u1byte)((x) >> (8 * n)))
60
61#if BYTE_ORDER != LITTLE_ENDIAN
62#define BLOCK_SWAP
63#endif
64
65/* For inverting byte order in input/output 32 bit words if needed */
66
67#ifdef BLOCK_SWAP
68#define BYTE_SWAP
69#define WORD_SWAP
70#endif
71
72#ifdef BYTE_SWAP
73#define io_swap(x) bswap(x)
74#else
75#define io_swap(x) (x)
76#endif
77
78/* For inverting the byte order of input/output blocks if needed */
79
80#ifdef WORD_SWAP
81
82#define get_block(x) \
83 ((u4byte*)(x))[0] = io_swap(in_blk[3]); \
84 ((u4byte*)(x))[1] = io_swap(in_blk[2]); \
85 ((u4byte*)(x))[2] = io_swap(in_blk[1]); \
86 ((u4byte*)(x))[3] = io_swap(in_blk[0])
87
88#define put_block(x) \
89 out_blk[3] = io_swap(((u4byte*)(x))[0]); \
90 out_blk[2] = io_swap(((u4byte*)(x))[1]); \
91 out_blk[1] = io_swap(((u4byte*)(x))[2]); \
92 out_blk[0] = io_swap(((u4byte*)(x))[3])
93
94#define get_key(x,len) \
95 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
96 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
97 switch((((len) + 63) / 64)) { \
98 case 2: \
99 ((u4byte*)(x))[0] = io_swap(in_key[3]); \
100 ((u4byte*)(x))[1] = io_swap(in_key[2]); \
101 ((u4byte*)(x))[2] = io_swap(in_key[1]); \
102 ((u4byte*)(x))[3] = io_swap(in_key[0]); \
103 break; \
104 case 3: \
105 ((u4byte*)(x))[0] = io_swap(in_key[5]); \
106 ((u4byte*)(x))[1] = io_swap(in_key[4]); \
107 ((u4byte*)(x))[2] = io_swap(in_key[3]); \
108 ((u4byte*)(x))[3] = io_swap(in_key[2]); \
109 ((u4byte*)(x))[4] = io_swap(in_key[1]); \
110 ((u4byte*)(x))[5] = io_swap(in_key[0]); \
111 break; \
112 case 4: \
113 ((u4byte*)(x))[0] = io_swap(in_key[7]); \
114 ((u4byte*)(x))[1] = io_swap(in_key[6]); \
115 ((u4byte*)(x))[2] = io_swap(in_key[5]); \
116 ((u4byte*)(x))[3] = io_swap(in_key[4]); \
117 ((u4byte*)(x))[4] = io_swap(in_key[3]); \
118 ((u4byte*)(x))[5] = io_swap(in_key[2]); \
119 ((u4byte*)(x))[6] = io_swap(in_key[1]); \
120 ((u4byte*)(x))[7] = io_swap(in_key[0]); \
121 }
122
123#else
124
125#define get_block(x) \
126 ((u4byte*)(x))[0] = io_swap(in_blk[0]); \
127 ((u4byte*)(x))[1] = io_swap(in_blk[1]); \
128 ((u4byte*)(x))[2] = io_swap(in_blk[2]); \
129 ((u4byte*)(x))[3] = io_swap(in_blk[3])
130
131#define put_block(x) \
132 out_blk[0] = io_swap(((u4byte*)(x))[0]); \
133 out_blk[1] = io_swap(((u4byte*)(x))[1]); \
134 out_blk[2] = io_swap(((u4byte*)(x))[2]); \
135 out_blk[3] = io_swap(((u4byte*)(x))[3])
136
137#define get_key(x,len) \
138 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
139 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
140 switch((((len) + 63) / 64)) { \
141 case 4: \
142 ((u4byte*)(x))[6] = io_swap(in_key[6]); \
143 ((u4byte*)(x))[7] = io_swap(in_key[7]); \
144 case 3: \
145 ((u4byte*)(x))[4] = io_swap(in_key[4]); \
146 ((u4byte*)(x))[5] = io_swap(in_key[5]); \
147 case 2: \
148 ((u4byte*)(x))[0] = io_swap(in_key[0]); \
149 ((u4byte*)(x))[1] = io_swap(in_key[1]); \
150 ((u4byte*)(x))[2] = io_swap(in_key[2]); \
151 ((u4byte*)(x))[3] = io_swap(in_key[3]); \
152 }
153
154#endif
155
156#define LARGE_TABLES
157
158u1byte pow_tab[256];
159u1byte log_tab[256];
160u1byte sbx_tab[256];
161u1byte isb_tab[256];
162u4byte rco_tab[ 10];
163u4byte ft_tab[4][256];
164u4byte it_tab[4][256];
165
166#ifdef LARGE_TABLES
167 u4byte fl_tab[4][256];
168 u4byte il_tab[4][256];
169#endif
170
171u4byte tab_gen = 0;
172
173#define ff_mult(a,b) (a && b ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0)
174
175#define f_rn(bo, bi, n, k) \
176 bo[n] = ft_tab[0][byte(bi[n],0)] ^ \
177 ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
178 ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
179 ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
180
181#define i_rn(bo, bi, n, k) \
182 bo[n] = it_tab[0][byte(bi[n],0)] ^ \
183 it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
184 it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
185 it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
186
187#ifdef LARGE_TABLES
188
189#define ls_box(x) \
190 ( fl_tab[0][byte(x, 0)] ^ \
191 fl_tab[1][byte(x, 1)] ^ \
192 fl_tab[2][byte(x, 2)] ^ \
193 fl_tab[3][byte(x, 3)] )
194
195#define f_rl(bo, bi, n, k) \
196 bo[n] = fl_tab[0][byte(bi[n],0)] ^ \
197 fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
198 fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
199 fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
200
201#define i_rl(bo, bi, n, k) \
202 bo[n] = il_tab[0][byte(bi[n],0)] ^ \
203 il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
204 il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
205 il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
206
207#else
208
209#define ls_box(x) \
210 ((u4byte)sbx_tab[byte(x, 0)] << 0) ^ \
211 ((u4byte)sbx_tab[byte(x, 1)] << 8) ^ \
212 ((u4byte)sbx_tab[byte(x, 2)] << 16) ^ \
213 ((u4byte)sbx_tab[byte(x, 3)] << 24)
214
215#define f_rl(bo, bi, n, k) \
216 bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^ \
217 rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \
218 rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
219 rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n)
220
221#define i_rl(bo, bi, n, k) \
222 bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^ \
223 rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \
224 rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
225 rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n)
226
227#endif
228
229void
230gen_tabs(void)
231{
232 u4byte i, t;
233 u1byte p, q;
234
235 /* log and power tables for GF(2**8) finite field with */
236 /* 0x11b as modular polynomial - the simplest prmitive */
237 /* root is 0x11, used here to generate the tables */
238
239 for(i = 0,p = 1; i < 256; ++i) {
240 pow_tab[i] = (u1byte)p; log_tab[p] = (u1byte)i;
241
242 p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0);
243 }
244
245 log_tab[1] = 0; p = 1;
246
247 for(i = 0; i < 10; ++i) {
248 rco_tab[i] = p;
249
250 p = (p << 1) ^ (p & 0x80 ? 0x1b : 0);
251 }
252
253 /* note that the affine byte transformation matrix in */
254 /* rijndael specification is in big endian format with */
255 /* bit 0 as the most significant bit. In the remainder */
256 /* of the specification the bits are numbered from the */
257 /* least significant end of a byte. */
258
259 for(i = 0; i < 256; ++i) {
260 p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p;
261 q = (q >> 7) | (q << 1); p ^= q;
262 q = (q >> 7) | (q << 1); p ^= q;
263 q = (q >> 7) | (q << 1); p ^= q;
264 q = (q >> 7) | (q << 1); p ^= q ^ 0x63;
265 sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i;
266 }
267
268 for(i = 0; i < 256; ++i) {
269 p = sbx_tab[i];
270
271#ifdef LARGE_TABLES
272
273 t = p; fl_tab[0][i] = t;
274 fl_tab[1][i] = rotl(t, 8);
275 fl_tab[2][i] = rotl(t, 16);
276 fl_tab[3][i] = rotl(t, 24);
277#endif
278 t = ((u4byte)ff_mult(2, p)) |
279 ((u4byte)p << 8) |
280 ((u4byte)p << 16) |
281 ((u4byte)ff_mult(3, p) << 24);
282
283 ft_tab[0][i] = t;
284 ft_tab[1][i] = rotl(t, 8);
285 ft_tab[2][i] = rotl(t, 16);
286 ft_tab[3][i] = rotl(t, 24);
287
288 p = isb_tab[i];
289
290#ifdef LARGE_TABLES
291
292 t = p; il_tab[0][i] = t;
293 il_tab[1][i] = rotl(t, 8);
294 il_tab[2][i] = rotl(t, 16);
295 il_tab[3][i] = rotl(t, 24);
296#endif
297 t = ((u4byte)ff_mult(14, p)) |
298 ((u4byte)ff_mult( 9, p) << 8) |
299 ((u4byte)ff_mult(13, p) << 16) |
300 ((u4byte)ff_mult(11, p) << 24);
301
302 it_tab[0][i] = t;
303 it_tab[1][i] = rotl(t, 8);
304 it_tab[2][i] = rotl(t, 16);
305 it_tab[3][i] = rotl(t, 24);
306 }
307
308 tab_gen = 1;
309};
310
311#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
312
313#define imix_col(y,x) \
314 u = star_x(x); \
315 v = star_x(u); \
316 w = star_x(v); \
317 t = w ^ (x); \
318 (y) = u ^ v ^ w; \
319 (y) ^= rotr(u ^ t, 8) ^ \
320 rotr(v ^ t, 16) ^ \
321 rotr(t,24)
322
323/* initialise the key schedule from the user supplied key */
324
325#define loop4(i) \
326{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
327 t ^= e_key[4 * i]; e_key[4 * i + 4] = t; \
328 t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t; \
329 t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t; \
330 t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t; \
331}
332
333#define loop6(i) \
334{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
335 t ^= e_key[6 * i]; e_key[6 * i + 6] = t; \
336 t ^= e_key[6 * i + 1]; e_key[6 * i + 7] = t; \
337 t ^= e_key[6 * i + 2]; e_key[6 * i + 8] = t; \
338 t ^= e_key[6 * i + 3]; e_key[6 * i + 9] = t; \
339 t ^= e_key[6 * i + 4]; e_key[6 * i + 10] = t; \
340 t ^= e_key[6 * i + 5]; e_key[6 * i + 11] = t; \
341}
342
343#define loop8(i) \
344{ t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
345 t ^= e_key[8 * i]; e_key[8 * i + 8] = t; \
346 t ^= e_key[8 * i + 1]; e_key[8 * i + 9] = t; \
347 t ^= e_key[8 * i + 2]; e_key[8 * i + 10] = t; \
348 t ^= e_key[8 * i + 3]; e_key[8 * i + 11] = t; \
349 t = e_key[8 * i + 4] ^ ls_box(t); \
350 e_key[8 * i + 12] = t; \
351 t ^= e_key[8 * i + 5]; e_key[8 * i + 13] = t; \
352 t ^= e_key[8 * i + 6]; e_key[8 * i + 14] = t; \
353 t ^= e_key[8 * i + 7]; e_key[8 * i + 15] = t; \
354}
355
356rijndael_ctx *
357rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len,
358 int encrypt)
359{
360 u4byte i, t, u, v, w;
361 u4byte *e_key = ctx->e_key;
362 u4byte *d_key = ctx->d_key;
363
364 ctx->decrypt = !encrypt;
365
366 if(!tab_gen)
367 gen_tabs();
368
369 ctx->k_len = (key_len + 31) / 32;
370
371 e_key[0] = in_key[0]; e_key[1] = in_key[1];
372 e_key[2] = in_key[2]; e_key[3] = in_key[3];
373
374 switch(ctx->k_len) {
375 case 4: t = e_key[3];
376 for(i = 0; i < 10; ++i)
377 loop4(i);
378 break;
379
380 case 6: e_key[4] = in_key[4]; t = e_key[5] = in_key[5];
381 for(i = 0; i < 8; ++i)
382 loop6(i);
383 break;
384
385 case 8: e_key[4] = in_key[4]; e_key[5] = in_key[5];
386 e_key[6] = in_key[6]; t = e_key[7] = in_key[7];
387 for(i = 0; i < 7; ++i)
388 loop8(i);
389 break;
390 }
391
392 if (!encrypt) {
393 d_key[0] = e_key[0]; d_key[1] = e_key[1];
394 d_key[2] = e_key[2]; d_key[3] = e_key[3];
395
396 for(i = 4; i < 4 * ctx->k_len + 24; ++i) {
397 imix_col(d_key[i], e_key[i]);
398 }
399 }
400
401 return ctx;
402};
403
404/* encrypt a block of text */
405
406#define f_nround(bo, bi, k) \
407 f_rn(bo, bi, 0, k); \
408 f_rn(bo, bi, 1, k); \
409 f_rn(bo, bi, 2, k); \
410 f_rn(bo, bi, 3, k); \
411 k += 4
412
413#define f_lround(bo, bi, k) \
414 f_rl(bo, bi, 0, k); \
415 f_rl(bo, bi, 1, k); \
416 f_rl(bo, bi, 2, k); \
417 f_rl(bo, bi, 3, k)
418
419void
420rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
421{
422 u4byte k_len = ctx->k_len;
423 u4byte *e_key = ctx->e_key;
424 u4byte b0[4], b1[4], *kp;
425
426 b0[0] = in_blk[0] ^ e_key[0]; b0[1] = in_blk[1] ^ e_key[1];
427 b0[2] = in_blk[2] ^ e_key[2]; b0[3] = in_blk[3] ^ e_key[3];
428
429 kp = e_key + 4;
430
431 if(k_len > 6) {
432 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
433 }
434
435 if(k_len > 4) {
436 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
437 }
438
439 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
440 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
441 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
442 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
443 f_nround(b1, b0, kp); f_lround(b0, b1, kp);
444
445 out_blk[0] = b0[0]; out_blk[1] = b0[1];
446 out_blk[2] = b0[2]; out_blk[3] = b0[3];
447};
448
449/* decrypt a block of text */
450
451#define i_nround(bo, bi, k) \
452 i_rn(bo, bi, 0, k); \
453 i_rn(bo, bi, 1, k); \
454 i_rn(bo, bi, 2, k); \
455 i_rn(bo, bi, 3, k); \
456 k -= 4
457
458#define i_lround(bo, bi, k) \
459 i_rl(bo, bi, 0, k); \
460 i_rl(bo, bi, 1, k); \
461 i_rl(bo, bi, 2, k); \
462 i_rl(bo, bi, 3, k)
463
464void
465rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
466{
467 u4byte b0[4], b1[4], *kp;
468 u4byte k_len = ctx->k_len;
469 u4byte *e_key = ctx->e_key;
470 u4byte *d_key = ctx->d_key;
471
472 b0[0] = in_blk[0] ^ e_key[4 * k_len + 24]; b0[1] = in_blk[1] ^ e_key[4 * k_len + 25];
473 b0[2] = in_blk[2] ^ e_key[4 * k_len + 26]; b0[3] = in_blk[3] ^ e_key[4 * k_len + 27];
474
475 kp = d_key + 4 * (k_len + 5);
476
477 if(k_len > 6) {
478 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
479 }
480
481 if(k_len > 4) {
482 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
483 }
484
485 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
486 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
487 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
488 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
489 i_nround(b1, b0, kp); i_lround(b0, b1, kp);
490
491 out_blk[0] = b0[0]; out_blk[1] = b0[1];
492 out_blk[2] = b0[2]; out_blk[3] = b0[3];
493};
git-cvsimport mirror of OpenSSH
This page took 1.061993 seconds and 5 git commands to generate.