"Fossies" - the Fresh Open Source Software Archive

Member "src/Crypto/Aesopt.h" (10 Oct 2018, 25361 Bytes) of package /windows/misc/VeraCrypt_1.23-Hotfix-2_Source.zip:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "Aesopt.h" see the Fossies "Dox" file reference documentation.

    1 /*
    2  ---------------------------------------------------------------------------
    3  Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
    4 
    5  LICENSE TERMS
    6 
    7  The free distribution and use of this software is allowed (with or without
    8  changes) provided that:
    9 
   10   1. source code distributions include the above copyright notice, this
   11      list of conditions and the following disclaimer;
   12 
   13   2. binary distributions include the above copyright notice, this list
   14      of conditions and the following disclaimer in their documentation;
   15 
   16   3. the name of the copyright holder is not used to endorse products
   17      built using this software without specific written permission.
   18 
   19  DISCLAIMER
   20 
   21  This software is provided 'as is' with no explicit or implied warranties
   22  in respect of its properties, including, but not limited to, correctness
   23  and/or fitness for purpose.
   24  ---------------------------------------------------------------------------
   25  Issue Date: 20/12/2007
   26 
   27  This file contains the compilation options for AES (Rijndael) and code
   28  that is common across encryption, key scheduling and table generation.
   29 
   30  OPERATION
   31 
   32  These source code files implement the AES algorithm Rijndael designed by
   33  Joan Daemen and Vincent Rijmen. This version is designed for the standard
   34  block size of 16 bytes and for key sizes of 128, 192 and 256 bits (16, 24
   35  and 32 bytes).
   36 
   37  This version is designed for flexibility and speed using operations on
   38  32-bit words rather than operations on bytes.  It can be compiled with
   39  either big or little endian internal byte order but is faster when the
   40  native byte order for the processor is used.
   41 
   42  THE CIPHER INTERFACE
   43 
   44  The cipher interface is implemented as an array of bytes in which lower
   45  AES bit sequence indexes map to higher numeric significance within bytes.
   46 
   47   uint_8t                 (an unsigned  8-bit type)
   48   uint_32t                (an unsigned 32-bit type)
   49   struct aes_encrypt_ctx  (structure for the cipher encryption context)
   50   struct aes_decrypt_ctx  (structure for the cipher decryption context)
   51   AES_RETURN                the function return type
   52 
   53   C subroutine calls:
   54 
   55   AES_RETURN aes_encrypt_key128(const unsigned char *key, aes_encrypt_ctx cx[1]);
   56   AES_RETURN aes_encrypt_key192(const unsigned char *key, aes_encrypt_ctx cx[1]);
   57   AES_RETURN aes_encrypt_key256(const unsigned char *key, aes_encrypt_ctx cx[1]);
   58   AES_RETURN aes_encrypt(const unsigned char *in, unsigned char *out,
   59                                                   const aes_encrypt_ctx cx[1]);
   60 
   61   AES_RETURN aes_decrypt_key128(const unsigned char *key, aes_decrypt_ctx cx[1]);
   62   AES_RETURN aes_decrypt_key192(const unsigned char *key, aes_decrypt_ctx cx[1]);
   63   AES_RETURN aes_decrypt_key256(const unsigned char *key, aes_decrypt_ctx cx[1]);
   64   AES_RETURN aes_decrypt(const unsigned char *in, unsigned char *out,
   65                                                   const aes_decrypt_ctx cx[1]);
   66 
   67  IMPORTANT NOTE: If you are using this C interface with dynamic tables make sure that
   68  you call aes_init() before AES is used so that the tables are initialised.
   69 
   70  C++ aes class subroutines:
   71 
   72      Class AESencrypt  for encryption
   73 
   74       Construtors:
   75           AESencrypt(void)
   76           AESencrypt(const unsigned char *key) - 128 bit key
   77       Members:
   78           AES_RETURN key128(const unsigned char *key)
   79           AES_RETURN key192(const unsigned char *key)
   80           AES_RETURN key256(const unsigned char *key)
   81           AES_RETURN encrypt(const unsigned char *in, unsigned char *out) const
   82 
   83       Class AESdecrypt  for encryption
   84       Construtors:
   85           AESdecrypt(void)
   86           AESdecrypt(const unsigned char *key) - 128 bit key
   87       Members:
   88           AES_RETURN key128(const unsigned char *key)
   89           AES_RETURN key192(const unsigned char *key)
   90           AES_RETURN key256(const unsigned char *key)
   91           AES_RETURN decrypt(const unsigned char *in, unsigned char *out) const
   92 */
   93 
   94 /* Adapted for TrueCrypt */
   95 
   96 #if !defined( _AESOPT_H )
   97 #define _AESOPT_H
   98 
   99 #ifdef TC_WINDOWS_BOOT
  100 #define ASM_X86_V2
  101 #endif
  102 
  103 #if defined( __cplusplus )
  104 #include "Aescpp.h"
  105 #else
  106 #include "Aes.h"
  107 #endif
  108 
  109 
  110 #include "Common/Endian.h"
  111 #define IS_LITTLE_ENDIAN   1234 /* byte 0 is least significant (i386) */
  112 #define IS_BIG_ENDIAN      4321 /* byte 0 is most significant (mc68k) */
  113 
  114 #if BYTE_ORDER == LITTLE_ENDIAN
  115 #  define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
  116 #endif
  117 
  118 #if BYTE_ORDER == BIG_ENDIAN
  119 #  define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
  120 #endif
  121 
  122 
  123 /*  CONFIGURATION - THE USE OF DEFINES
  124 
  125     Later in this section there are a number of defines that control the
  126     operation of the code.  In each section, the purpose of each define is
  127     explained so that the relevant form can be included or excluded by
  128     setting either 1's or 0's respectively on the branches of the related
  129     #if clauses.  The following local defines should not be changed.
  130 */
  131 
  132 #define ENCRYPTION_IN_C     1
  133 #define DECRYPTION_IN_C     2
  134 #define ENC_KEYING_IN_C     4
  135 #define DEC_KEYING_IN_C     8
  136 
  137 #define NO_TABLES           0
  138 #define ONE_TABLE           1
  139 #define FOUR_TABLES         4
  140 #define NONE                0
  141 #define PARTIAL             1
  142 #define FULL                2
  143 
  144 /*  --- START OF USER CONFIGURED OPTIONS --- */
  145 
  146 /*  1. BYTE ORDER WITHIN 32 BIT WORDS
  147 
  148     The fundamental data processing units in Rijndael are 8-bit bytes. The
  149     input, output and key input are all enumerated arrays of bytes in which
  150     bytes are numbered starting at zero and increasing to one less than the
  151     number of bytes in the array in question. This enumeration is only used
  152     for naming bytes and does not imply any adjacency or order relationship
  153     from one byte to another. When these inputs and outputs are considered
  154     as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to
  155     byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte.
  156     In this implementation bits are numbered from 0 to 7 starting at the
  157     numerically least significant end of each byte (bit n represents 2^n).
  158 
  159     However, Rijndael can be implemented more efficiently using 32-bit
  160     words by packing bytes into words so that bytes 4*n to 4*n+3 are placed
  161     into word[n]. While in principle these bytes can be assembled into words
  162     in any positions, this implementation only supports the two formats in
  163     which bytes in adjacent positions within words also have adjacent byte
  164     numbers. This order is called big-endian if the lowest numbered bytes
  165     in words have the highest numeric significance and little-endian if the
  166     opposite applies.
  167 
  168     This code can work in either order irrespective of the order used by the
  169     machine on which it runs. Normally the internal byte order will be set
  170     to the order of the processor on which the code is to be run but this
  171     define can be used to reverse this in special situations
  172 
  173     WARNING: Assembler code versions rely on PLATFORM_BYTE_ORDER being set.
  174     This define will hence be redefined later (in section 4) if necessary
  175 */
  176 
  177 #if 1
  178 #define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER
  179 #elif 0
  180 #define ALGORITHM_BYTE_ORDER IS_LITTLE_ENDIAN
  181 #elif 0
  182 #define ALGORITHM_BYTE_ORDER IS_BIG_ENDIAN
  183 #else
  184 #error The algorithm byte order is not defined
  185 #endif
  186 
  187 /*  2. VIA ACE SUPPORT
  188 
  189     Define this option if support for the VIA ACE is required. This uses
  190     inline assembler instructions and is only implemented for the Microsoft,
  191     Intel and GCC compilers.  If VIA ACE is known to be present, then defining
  192     ASSUME_VIA_ACE_PRESENT will remove the ordinary encryption/decryption
  193     code.  If USE_VIA_ACE_IF_PRESENT is defined then VIA ACE will be used if
  194     it is detected (both present and enabled) but the normal AES code will
  195     also be present.
  196 
  197     When VIA ACE is to be used, all AES encryption contexts MUST be 16 byte
  198     aligned; other input/output buffers do not need to be 16 byte aligned
  199     but there are very large performance gains if this can be arranged.
  200     VIA ACE also requires the decryption key schedule to be in reverse
  201     order (which later checks below ensure).
  202 */
  203 
  204 #if 0 && !defined( USE_VIA_ACE_IF_PRESENT )
  205 #  define USE_VIA_ACE_IF_PRESENT
  206 #endif
  207 
  208 #if 0 && !defined( ASSUME_VIA_ACE_PRESENT )
  209 #  define ASSUME_VIA_ACE_PRESENT
  210 #  endif
  211 
  212 #if defined ( _WIN64 ) || defined( _WIN32_WCE ) || \
  213                     defined( _MSC_VER ) && ( _MSC_VER <= 800 )
  214 #  if defined( USE_VIA_ACE_IF_PRESENT )
  215 #    undef USE_VIA_ACE_IF_PRESENT
  216 #  endif
  217 #  if defined( ASSUME_VIA_ACE_PRESENT )
  218 #    undef ASSUME_VIA_ACE_PRESENT
  219 #  endif
  220 #endif
  221 
  222 /*  3. ASSEMBLER SUPPORT
  223 
  224     This define (which can be on the command line) enables the use of the
  225     assembler code routines for encryption, decryption and key scheduling
  226     as follows:
  227 
  228     ASM_X86_V1C uses the assembler (aes_x86_v1.asm) with large tables for
  229                 encryption and decryption and but with key scheduling in C
  230     ASM_X86_V2  uses assembler (aes_x86_v2.asm) with compressed tables for
  231                 encryption, decryption and key scheduling
  232     ASM_X86_V2C uses assembler (aes_x86_v2.asm) with compressed tables for
  233                 encryption and decryption and but with key scheduling in C
  234     ASM_AMD64_C uses assembler (aes_amd64.asm) with compressed tables for
  235                 encryption and decryption and but with key scheduling in C
  236 
  237     Change one 'if 0' below to 'if 1' to select the version or define
  238     as a compilation option.
  239 */
  240 
  241 #if 0 && !defined( ASM_X86_V1C )
  242 #  define ASM_X86_V1C
  243 #elif 0 && !defined( ASM_X86_V2  )
  244 #  define ASM_X86_V2
  245 #elif 0 && !defined( ASM_X86_V2C )
  246 #  define ASM_X86_V2C
  247 #elif 0 && !defined( ASM_AMD64_C )
  248 #  define ASM_AMD64_C
  249 #endif
  250 
  251 #if (defined ( ASM_X86_V1C ) || defined( ASM_X86_V2 ) || defined( ASM_X86_V2C )) \
  252       && !defined( _M_IX86 ) || defined( ASM_AMD64_C ) && !defined( _M_X64 )
  253 //#  error Assembler code is only available for x86 and AMD64 systems
  254 #endif
  255 
  256 /*  4. FAST INPUT/OUTPUT OPERATIONS.
  257 
  258     On some machines it is possible to improve speed by transferring the
  259     bytes in the input and output arrays to and from the internal 32-bit
  260     variables by addressing these arrays as if they are arrays of 32-bit
  261     words.  On some machines this will always be possible but there may
  262     be a large performance penalty if the byte arrays are not aligned on
  263     the normal word boundaries. On other machines this technique will
  264     lead to memory access errors when such 32-bit word accesses are not
  265     properly aligned. The option SAFE_IO avoids such problems but will
  266     often be slower on those machines that support misaligned access
  267     (especially so if care is taken to align the input  and output byte
  268     arrays on 32-bit word boundaries). If SAFE_IO is not defined it is
  269     assumed that access to byte arrays as if they are arrays of 32-bit
  270     words will not cause problems when such accesses are misaligned.
  271 */
  272 #if 1 && !defined( _MSC_VER )
  273 #define SAFE_IO
  274 #endif
  275 
  276 /*  5. LOOP UNROLLING
  277 
  278     The code for encryption and decrytpion cycles through a number of rounds
  279     that can be implemented either in a loop or by expanding the code into a
  280     long sequence of instructions, the latter producing a larger program but
  281     one that will often be much faster. The latter is called loop unrolling.
  282     There are also potential speed advantages in expanding two iterations in
  283     a loop with half the number of iterations, which is called partial loop
  284     unrolling.  The following options allow partial or full loop unrolling
  285     to be set independently for encryption and decryption
  286 */
  287 #if 1
  288 #define ENC_UNROLL  FULL
  289 #elif 0
  290 #define ENC_UNROLL  PARTIAL
  291 #else
  292 #define ENC_UNROLL  NONE
  293 #endif
  294 
  295 #if 1
  296 #define DEC_UNROLL  FULL
  297 #elif 0
  298 #define DEC_UNROLL  PARTIAL
  299 #else
  300 #define DEC_UNROLL  NONE
  301 #endif
  302 
  303 /*  6. FAST FINITE FIELD OPERATIONS
  304 
  305     If this section is included, tables are used to provide faster finite
  306     field arithmetic (this has no effect if FIXED_TABLES is defined).
  307 */
  308 #if !defined (TC_WINDOWS_BOOT)
  309 #define FF_TABLES
  310 #endif
  311 
  312 /*  7. INTERNAL STATE VARIABLE FORMAT
  313 
  314     The internal state of Rijndael is stored in a number of local 32-bit
  315     word varaibles which can be defined either as an array or as individual
  316     names variables. Include this section if you want to store these local
  317     varaibles in arrays. Otherwise individual local variables will be used.
  318 */
  319 #if 1
  320 #define ARRAYS
  321 #endif
  322 
  323 /*  8. FIXED OR DYNAMIC TABLES
  324 
  325     When this section is included the tables used by the code are compiled
  326     statically into the binary file.  Otherwise the subroutine aes_init()
  327     must be called to compute them before the code is first used.
  328 */
  329 #if !defined (TC_WINDOWS_BOOT) && !(defined( _MSC_VER ) && ( _MSC_VER <= 800 ))
  330 #define FIXED_TABLES
  331 #endif
  332 
  333 /*  9. TABLE ALIGNMENT
  334 
  335     On some sytsems speed will be improved by aligning the AES large lookup
  336     tables on particular boundaries. This define should be set to a power of
  337     two giving the desired alignment. It can be left undefined if alignment
  338     is not needed.  This option is specific to the Microsft VC++ compiler -
  339     it seems to sometimes cause trouble for the VC++ version 6 compiler.
  340 */
  341 
  342 #if 1 && defined( _MSC_VER ) && ( _MSC_VER >= 1300 )
  343 #define TABLE_ALIGN 32
  344 #endif
  345 
  346 /*  10. TABLE OPTIONS
  347 
  348     This cipher proceeds by repeating in a number of cycles known as 'rounds'
  349     which are implemented by a round function which can optionally be speeded
  350     up using tables.  The basic tables are each 256 32-bit words, with either
  351     one or four tables being required for each round function depending on
  352     how much speed is required. The encryption and decryption round functions
  353     are different and the last encryption and decrytpion round functions are
  354     different again making four different round functions in all.
  355 
  356     This means that:
  357       1. Normal encryption and decryption rounds can each use either 0, 1
  358          or 4 tables and table spaces of 0, 1024 or 4096 bytes each.
  359       2. The last encryption and decryption rounds can also use either 0, 1
  360          or 4 tables and table spaces of 0, 1024 or 4096 bytes each.
  361 
  362     Include or exclude the appropriate definitions below to set the number
  363     of tables used by this implementation.
  364 */
  365 
  366 #if 1   /* set tables for the normal encryption round */
  367 #define ENC_ROUND   FOUR_TABLES
  368 #elif 0
  369 #define ENC_ROUND   ONE_TABLE
  370 #else
  371 #define ENC_ROUND   NO_TABLES
  372 #endif
  373 
  374 #if 1   /* set tables for the last encryption round */
  375 #define LAST_ENC_ROUND  FOUR_TABLES
  376 #elif 0
  377 #define LAST_ENC_ROUND  ONE_TABLE
  378 #else
  379 #define LAST_ENC_ROUND  NO_TABLES
  380 #endif
  381 
  382 #if 1   /* set tables for the normal decryption round */
  383 #define DEC_ROUND   FOUR_TABLES
  384 #elif 0
  385 #define DEC_ROUND   ONE_TABLE
  386 #else
  387 #define DEC_ROUND   NO_TABLES
  388 #endif
  389 
  390 #if 1   /* set tables for the last decryption round */
  391 #define LAST_DEC_ROUND  FOUR_TABLES
  392 #elif 0
  393 #define LAST_DEC_ROUND  ONE_TABLE
  394 #else
  395 #define LAST_DEC_ROUND  NO_TABLES
  396 #endif
  397 
  398 /*  The decryption key schedule can be speeded up with tables in the same
  399     way that the round functions can.  Include or exclude the following
  400     defines to set this requirement.
  401 */
  402 #if 1
  403 #define KEY_SCHED   FOUR_TABLES
  404 #elif 0
  405 #define KEY_SCHED   ONE_TABLE
  406 #else
  407 #define KEY_SCHED   NO_TABLES
  408 #endif
  409 
  410 /*  ---- END OF USER CONFIGURED OPTIONS ---- */
  411 
  412 /* VIA ACE support is only available for VC++ and GCC */
  413 
  414 #if !defined( _MSC_VER ) && !defined( __GNUC__ )
  415 #  if defined( ASSUME_VIA_ACE_PRESENT )
  416 #    undef ASSUME_VIA_ACE_PRESENT
  417 #  endif
  418 #  if defined( USE_VIA_ACE_IF_PRESENT )
  419 #    undef USE_VIA_ACE_IF_PRESENT
  420 #  endif
  421 #endif
  422 
  423 #if defined( ASSUME_VIA_ACE_PRESENT ) && !defined( USE_VIA_ACE_IF_PRESENT )
  424 #define USE_VIA_ACE_IF_PRESENT
  425 #endif
  426 
  427 #if defined( USE_VIA_ACE_IF_PRESENT ) && !defined ( AES_REV_DKS )
  428 #define AES_REV_DKS
  429 #endif
  430 
  431 /* Assembler support requires the use of platform byte order */
  432 
  433 #if ( defined( ASM_X86_V1C ) || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C ) ) \
  434     && (ALGORITHM_BYTE_ORDER != PLATFORM_BYTE_ORDER)
  435 #undef  ALGORITHM_BYTE_ORDER
  436 #define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER
  437 #endif
  438 
  439 /* In this implementation the columns of the state array are each held in
  440    32-bit words. The state array can be held in various ways: in an array
  441    of words, in a number of individual word variables or in a number of
  442    processor registers. The following define maps a variable name x and
  443    a column number c to the way the state array variable is to be held.
  444    The first define below maps the state into an array x[c] whereas the
  445    second form maps the state into a number of individual variables x0,
  446    x1, etc.  Another form could map individual state colums to machine
  447    register names.
  448 */
  449 
  450 #if defined( ARRAYS )
  451 #define s(x,c) x[c]
  452 #else
  453 #define s(x,c) x##c
  454 #endif
  455 
  456 /*  This implementation provides subroutines for encryption, decryption
  457     and for setting the three key lengths (separately) for encryption
  458     and decryption. Since not all functions are needed, masks are set
  459     up here to determine which will be implemented in C
  460 */
  461 
  462 #if !defined( AES_ENCRYPT )
  463 #  define EFUNCS_IN_C   0
  464 #elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C ) \
  465     || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C )
  466 #  define EFUNCS_IN_C   ENC_KEYING_IN_C
  467 #elif !defined( ASM_X86_V2 )
  468 #  define EFUNCS_IN_C   ( ENCRYPTION_IN_C | ENC_KEYING_IN_C )
  469 #else
  470 #  define EFUNCS_IN_C   0
  471 #endif
  472 
  473 #if !defined( AES_DECRYPT )
  474 #  define DFUNCS_IN_C   0
  475 #elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C ) \
  476     || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C )
  477 #  define DFUNCS_IN_C   DEC_KEYING_IN_C
  478 #elif !defined( ASM_X86_V2 )
  479 #  define DFUNCS_IN_C   ( DECRYPTION_IN_C | DEC_KEYING_IN_C )
  480 #else
  481 #  define DFUNCS_IN_C   0
  482 #endif
  483 
  484 #define FUNCS_IN_C  ( EFUNCS_IN_C | DFUNCS_IN_C )
  485 
  486 /* END OF CONFIGURATION OPTIONS */
  487 
  488 #define RC_LENGTH   (5 * (AES_BLOCK_SIZE / 4 - 2))
  489 
  490 /* Disable or report errors on some combinations of options */
  491 
  492 #if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES
  493 #undef  LAST_ENC_ROUND
  494 #define LAST_ENC_ROUND  NO_TABLES
  495 #elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES
  496 #undef  LAST_ENC_ROUND
  497 #define LAST_ENC_ROUND  ONE_TABLE
  498 #endif
  499 
  500 #if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE
  501 #undef  ENC_UNROLL
  502 #define ENC_UNROLL  NONE
  503 #endif
  504 
  505 #if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES
  506 #undef  LAST_DEC_ROUND
  507 #define LAST_DEC_ROUND  NO_TABLES
  508 #elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES
  509 #undef  LAST_DEC_ROUND
  510 #define LAST_DEC_ROUND  ONE_TABLE
  511 #endif
  512 
  513 #if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE
  514 #undef  DEC_UNROLL
  515 #define DEC_UNROLL  NONE
  516 #endif
  517 
  518 #if defined( bswap32 )
  519 #define aes_sw32    bswap32
  520 #elif defined( bswap_32 )
  521 #define aes_sw32    bswap_32
  522 #else
  523 #define brot(x,n)   (((uint_32t)(x) <<  n) | ((uint_32t)(x) >> (32 - n)))
  524 #define aes_sw32(x) ((brot((x),8) & 0x00ff00ff) | (brot((x),24) & 0xff00ff00))
  525 #endif
  526 
  527 /*  upr(x,n):  rotates bytes within words by n positions, moving bytes to
  528                higher index positions with wrap around into low positions
  529     ups(x,n):  moves bytes by n positions to higher index positions in
  530                words but without wrap around
  531     bval(x,n): extracts a byte from a word
  532 
  533     WARNING:   The definitions given here are intended only for use with
  534                unsigned variables and with shift counts that are compile
  535                time constants
  536 */
  537 
  538 #if ( ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN )
  539 #define upr(x,n)        (((uint_32t)(x) << (8 * (n))) | ((uint_32t)(x) >> (32 - 8 * (n))))
  540 #define ups(x,n)        ((uint_32t) (x) << (8 * (n)))
  541 #define bval(x,n)       ((uint_8t)((x) >> (8 * (n))))
  542 #define bytes2word(b0, b1, b2, b3)  \
  543         (((uint_32t)(b3) << 24) | ((uint_32t)(b2) << 16) | ((uint_32t)(b1) << 8) | (b0))
  544 #endif
  545 
  546 #if ( ALGORITHM_BYTE_ORDER == IS_BIG_ENDIAN )
  547 #define upr(x,n)        (((uint_32t)(x) >> (8 * (n))) | ((uint_32t)(x) << (32 - 8 * (n))))
  548 #define ups(x,n)        ((uint_32t) (x) >> (8 * (n)))
  549 #define bval(x,n)       ((uint_8t)((x) >> (24 - 8 * (n))))
  550 #define bytes2word(b0, b1, b2, b3)  \
  551         (((uint_32t)(b0) << 24) | ((uint_32t)(b1) << 16) | ((uint_32t)(b2) << 8) | (b3))
  552 #endif
  553 
  554 #if defined( SAFE_IO )
  555 
  556 #define word_in(x,c)    bytes2word(((const uint_8t*)(x)+4*c)[0], ((const uint_8t*)(x)+4*c)[1], \
  557                                    ((const uint_8t*)(x)+4*c)[2], ((const uint_8t*)(x)+4*c)[3])
  558 #define word_out(x,c,v) { ((uint_8t*)(x)+4*c)[0] = bval(v,0); ((uint_8t*)(x)+4*c)[1] = bval(v,1); \
  559                           ((uint_8t*)(x)+4*c)[2] = bval(v,2); ((uint_8t*)(x)+4*c)[3] = bval(v,3); }
  560 
  561 #elif ( ALGORITHM_BYTE_ORDER == PLATFORM_BYTE_ORDER )
  562 
  563 #define word_in(x,c)    (*((uint_32t*)(x)+(c)))
  564 #define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = (v))
  565 
  566 #else
  567 
  568 #define word_in(x,c)    aes_sw32(*((uint_32t*)(x)+(c)))
  569 #define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = aes_sw32(v))
  570 
  571 #endif
  572 
  573 /* the finite field modular polynomial and elements */
  574 
  575 #define WPOLY   0x011b
  576 #define BPOLY     0x1b
  577 
  578 /* multiply four bytes in GF(2^8) by 'x' {02} in parallel */
  579 
  580 #define m1  0x80808080
  581 #define m2  0x7f7f7f7f
  582 #define gf_mulx(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY))
  583 
  584 /* The following defines provide alternative definitions of gf_mulx that might
  585    give improved performance if a fast 32-bit multiply is not available. Note
  586    that a temporary variable u needs to be defined where gf_mulx is used.
  587 
  588 #define gf_mulx(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
  589 #define m4  (0x01010101 * BPOLY)
  590 #define gf_mulx(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
  591 */
  592 
  593 /* Work out which tables are needed for the different options   */
  594 
  595 #if defined( ASM_X86_V1C )
  596 #if defined( ENC_ROUND )
  597 #undef  ENC_ROUND
  598 #endif
  599 #define ENC_ROUND   FOUR_TABLES
  600 #if defined( LAST_ENC_ROUND )
  601 #undef  LAST_ENC_ROUND
  602 #endif
  603 #define LAST_ENC_ROUND  FOUR_TABLES
  604 #if defined( DEC_ROUND )
  605 #undef  DEC_ROUND
  606 #endif
  607 #define DEC_ROUND   FOUR_TABLES
  608 #if defined( LAST_DEC_ROUND )
  609 #undef  LAST_DEC_ROUND
  610 #endif
  611 #define LAST_DEC_ROUND  FOUR_TABLES
  612 #if defined( KEY_SCHED )
  613 #undef  KEY_SCHED
  614 #define KEY_SCHED   FOUR_TABLES
  615 #endif
  616 #endif
  617 
  618 #if ( FUNCS_IN_C & ENCRYPTION_IN_C ) || defined( ASM_X86_V1C )
  619 #if ENC_ROUND == ONE_TABLE
  620 #define FT1_SET
  621 #elif ENC_ROUND == FOUR_TABLES
  622 #define FT4_SET
  623 #else
  624 #define SBX_SET
  625 #endif
  626 #if LAST_ENC_ROUND == ONE_TABLE
  627 #define FL1_SET
  628 #elif LAST_ENC_ROUND == FOUR_TABLES
  629 #define FL4_SET
  630 #elif !defined( SBX_SET )
  631 #define SBX_SET
  632 #endif
  633 #endif
  634 
  635 #if ( FUNCS_IN_C & DECRYPTION_IN_C ) || defined( ASM_X86_V1C )
  636 #if DEC_ROUND == ONE_TABLE
  637 #define IT1_SET
  638 #elif DEC_ROUND == FOUR_TABLES
  639 #define IT4_SET
  640 #else
  641 #define ISB_SET
  642 #endif
  643 #if LAST_DEC_ROUND == ONE_TABLE
  644 #define IL1_SET
  645 #elif LAST_DEC_ROUND == FOUR_TABLES
  646 #define IL4_SET
  647 #elif !defined(ISB_SET)
  648 #define ISB_SET
  649 #endif
  650 #endif
  651 
  652 #if (FUNCS_IN_C & ENC_KEYING_IN_C) || (FUNCS_IN_C & DEC_KEYING_IN_C)
  653 #if KEY_SCHED == ONE_TABLE
  654 #define LS1_SET
  655 #elif KEY_SCHED == FOUR_TABLES
  656 #define LS4_SET
  657 #elif !defined( SBX_SET )
  658 #define SBX_SET
  659 #endif
  660 #endif
  661 
  662 #if (FUNCS_IN_C & DEC_KEYING_IN_C)
  663 #if KEY_SCHED == ONE_TABLE
  664 #define IM1_SET
  665 #elif KEY_SCHED == FOUR_TABLES
  666 #define IM4_SET
  667 #elif !defined( SBX_SET )
  668 #define SBX_SET
  669 #endif
  670 #endif
  671 
  672 /* generic definitions of Rijndael macros that use tables    */
  673 
  674 #define no_table(x,box,vf,rf,c) bytes2word( \
  675     box[bval(vf(x,0,c),rf(0,c))], \
  676     box[bval(vf(x,1,c),rf(1,c))], \
  677     box[bval(vf(x,2,c),rf(2,c))], \
  678     box[bval(vf(x,3,c),rf(3,c))])
  679 
  680 #define one_table(x,op,tab,vf,rf,c) \
  681  (     tab[bval(vf(x,0,c),rf(0,c))] \
  682   ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
  683   ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
  684   ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
  685 
  686 #define four_tables(x,tab,vf,rf,c) \
  687  (  tab[0][bval(vf(x,0,c),rf(0,c))] \
  688   ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
  689   ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
  690   ^ tab[3][bval(vf(x,3,c),rf(3,c))])
  691 
  692 #define vf1(x,r,c)  (x)
  693 #define rf1(r,c)    (r)
  694 #define rf2(r,c)    ((8+r-c)&3)
  695 
  696 /* perform forward and inverse column mix operation on four bytes in long word x in */
  697 /* parallel. NOTE: x must be a simple variable, NOT an expression in these macros.  */
  698 
  699 #if defined( FM4_SET )    /* not currently used */
  700 #define fwd_mcol(x)       four_tables(x,t_use(f,m),vf1,rf1,0)
  701 #elif defined( FM1_SET )  /* not currently used */
  702 #define fwd_mcol(x)       one_table(x,upr,t_use(f,m),vf1,rf1,0)
  703 #else
  704 #define dec_fmvars        uint_32t g2
  705 #define fwd_mcol(x)       (g2 = gf_mulx(x), g2 ^ upr((x) ^ g2, 3) ^ upr((x), 2) ^ upr((x), 1))
  706 #endif
  707 
  708 #if defined( IM4_SET )
  709 #define inv_mcol(x)       four_tables(x,t_use(i,m),vf1,rf1,0)
  710 #elif defined( IM1_SET )
  711 #define inv_mcol(x)       one_table(x,upr,t_use(i,m),vf1,rf1,0)
  712 #else
  713 #define dec_imvars        uint_32t g2, g4, g9
  714 #define inv_mcol(x)       (g2 = gf_mulx(x), g4 = gf_mulx(g2), g9 = (x) ^ gf_mulx(g4), g4 ^= g9, \
  715                           (x) ^ g2 ^ g4 ^ upr(g2 ^ g9, 3) ^ upr(g4, 2) ^ upr(g9, 1))
  716 #endif
  717 
  718 #if defined( FL4_SET )
  719 #define ls_box(x,c)       four_tables(x,t_use(f,l),vf1,rf2,c)
  720 #elif   defined( LS4_SET )
  721 #define ls_box(x,c)       four_tables(x,t_use(l,s),vf1,rf2,c)
  722 #elif defined( FL1_SET )
  723 #define ls_box(x,c)       one_table(x,upr,t_use(f,l),vf1,rf2,c)
  724 #elif defined( LS1_SET )
  725 #define ls_box(x,c)       one_table(x,upr,t_use(l,s),vf1,rf2,c)
  726 #else
  727 #define ls_box(x,c)     no_table(x,t_use(s,box),vf1,rf2,c)
  728 #endif
  729 
  730 #if defined( ASM_X86_V1C ) && defined( AES_DECRYPT ) && !defined( ISB_SET )
  731 #define ISB_SET
  732 #endif
  733 
  734 #endif