1/* 2 --------------------------------------------------------------------------- 3 Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved. 4 5 LICENSE TERMS 6 7 The free distribution and use of this software in both source and binary 8 form is allowed (with or without changes) provided that: 9 10 1. distributions of this source code include the above copyright 11 notice, this list of conditions and the following disclaimer; 12 13 2. distributions in binary form include the above copyright 14 notice, this list of conditions and the following disclaimer 15 in the documentation and/or other associated materials; 16 17 3. the copyright holder's name is not used to endorse products 18 built using this software without specific written permission. 19 20 ALTERNATIVELY, provided that this notice is retained in full, this product 21 may be distributed under the terms of the GNU General Public License (GPL), 22 in which case the provisions of the GPL apply INSTEAD OF those given above. 23 24 DISCLAIMER 25 26 This software is provided 'as is' with no explicit or implied warranties 27 in respect of its properties, including, but not limited to, correctness 28 and/or fitness for purpose. 29 --------------------------------------------------------------------------- 30 Issue Date: 26/08/2003 31 32 This file contains the code for implementing the key schedule for AES 33 (Rijndael) for block and key sizes of 16, 24, and 32 bytes. See aesopt.h 34 for further details including optimisation. 35*/ 36 37#include "aesopt.h" 38#include "aestab.h" 39 40#if defined(__cplusplus) 41extern "C" 42{ 43#endif 44 45/* Initialise the key schedule from the user supplied key. The key 46 length can be specified in bytes, with legal values of 16, 24 47 and 32, or in bits, with legal values of 128, 192 and 256. These 48 values correspond with Nk values of 4, 6 and 8 respectively. 49 50 The following macros implement a single cycle in the key 51 schedule generation process. The number of cycles needed 52 for each cx->n_col and nk value is: 53 54 nk = 4 5 6 7 8 55 ------------------------------ 56 cx->n_col = 4 10 9 8 7 7 57 cx->n_col = 5 14 11 10 9 9 58 cx->n_col = 6 19 15 12 11 11 59 cx->n_col = 7 21 19 16 13 14 60 cx->n_col = 8 29 23 19 17 14 61*/ 62 63#define ke4(k,i) \ 64{ k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+5] = ss[1] ^= ss[0]; \ 65 k[4*(i)+6] = ss[2] ^= ss[1]; k[4*(i)+7] = ss[3] ^= ss[2]; \ 66} 67#define kel4(k,i) \ 68{ k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+5] = ss[1] ^= ss[0]; \ 69 k[4*(i)+6] = ss[2] ^= ss[1]; k[4*(i)+7] = ss[3] ^= ss[2]; \ 70} 71 72#define ke6(k,i) \ 73{ k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 7] = ss[1] ^= ss[0]; \ 74 k[6*(i)+ 8] = ss[2] ^= ss[1]; k[6*(i)+ 9] = ss[3] ^= ss[2]; \ 75 k[6*(i)+10] = ss[4] ^= ss[3]; k[6*(i)+11] = ss[5] ^= ss[4]; \ 76} 77#define kel6(k,i) \ 78{ k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 7] = ss[1] ^= ss[0]; \ 79 k[6*(i)+ 8] = ss[2] ^= ss[1]; k[6*(i)+ 9] = ss[3] ^= ss[2]; \ 80} 81 82#define ke8(k,i) \ 83{ k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 9] = ss[1] ^= ss[0]; \ 84 k[8*(i)+10] = ss[2] ^= ss[1]; k[8*(i)+11] = ss[3] ^= ss[2]; \ 85 k[8*(i)+12] = ss[4] ^= ls_box(ss[3],0); k[8*(i)+13] = ss[5] ^= ss[4]; \ 86 k[8*(i)+14] = ss[6] ^= ss[5]; k[8*(i)+15] = ss[7] ^= ss[6]; \ 87} 88#define kel8(k,i) \ 89{ k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 9] = ss[1] ^= ss[0]; \ 90 k[8*(i)+10] = ss[2] ^= ss[1]; k[8*(i)+11] = ss[3] ^= ss[2]; \ 91} 92 93#if defined(ENCRYPTION_KEY_SCHEDULE) 94 95#if defined(AES_128) || defined(AES_VAR) 96 97aes_rval aes_encrypt_key128(const unsigned char *key, aes_encrypt_ctx cx[1]) 98{ aes_32t ss[4]; 99 100 cx->ks[0] = ss[0] = word_in(key, 0); 101 cx->ks[1] = ss[1] = word_in(key, 1); 102 cx->ks[2] = ss[2] = word_in(key, 2); 103 cx->ks[3] = ss[3] = word_in(key, 3); 104 105#if ENC_UNROLL == NONE 106 { aes_32t i; 107 108 for(i = 0; i < ((11 * N_COLS - 5) / 4); ++i) 109 ke4(cx->ks, i); 110 } 111#else 112 ke4(cx->ks, 0); ke4(cx->ks, 1); 113 ke4(cx->ks, 2); ke4(cx->ks, 3); 114 ke4(cx->ks, 4); ke4(cx->ks, 5); 115 ke4(cx->ks, 6); ke4(cx->ks, 7); 116 ke4(cx->ks, 8); 117#endif 118 kel4(cx->ks, 9); 119 cx->rn = 10; 120#if defined( AES_ERR_CHK ) 121 return aes_good; 122#endif 123} 124 125#endif 126 127#if defined(AES_192) || defined(AES_VAR) 128 129aes_rval aes_encrypt_key192(const unsigned char *key, aes_encrypt_ctx cx[1]) 130{ aes_32t ss[6]; 131 132 cx->ks[0] = ss[0] = word_in(key, 0); 133 cx->ks[1] = ss[1] = word_in(key, 1); 134 cx->ks[2] = ss[2] = word_in(key, 2); 135 cx->ks[3] = ss[3] = word_in(key, 3); 136 cx->ks[4] = ss[4] = word_in(key, 4); 137 cx->ks[5] = ss[5] = word_in(key, 5); 138 139#if ENC_UNROLL == NONE 140 { aes_32t i; 141 142 for(i = 0; i < (13 * N_COLS - 7) / 6; ++i) 143 ke6(cx->ks, i); 144 } 145#else 146 ke6(cx->ks, 0); ke6(cx->ks, 1); 147 ke6(cx->ks, 2); ke6(cx->ks, 3); 148 ke6(cx->ks, 4); ke6(cx->ks, 5); 149 ke6(cx->ks, 6); 150#endif 151 kel6(cx->ks, 7); 152 cx->rn = 12; 153#if defined( AES_ERR_CHK ) 154 return aes_good; 155#endif 156} 157 158#endif 159 160#if defined(AES_256) || defined(AES_VAR) 161 162aes_rval aes_encrypt_key256(const unsigned char *key, aes_encrypt_ctx cx[1]) 163{ aes_32t ss[8]; 164 165 cx->ks[0] = ss[0] = word_in(key, 0); 166 cx->ks[1] = ss[1] = word_in(key, 1); 167 cx->ks[2] = ss[2] = word_in(key, 2); 168 cx->ks[3] = ss[3] = word_in(key, 3); 169 cx->ks[4] = ss[4] = word_in(key, 4); 170 cx->ks[5] = ss[5] = word_in(key, 5); 171 cx->ks[6] = ss[6] = word_in(key, 6); 172 cx->ks[7] = ss[7] = word_in(key, 7); 173 174#if ENC_UNROLL == NONE 175 { aes_32t i; 176 177 for(i = 0; i < (15 * N_COLS - 9) / 8; ++i) 178 ke8(cx->ks, i); 179 } 180#else 181 ke8(cx->ks, 0); ke8(cx->ks, 1); 182 ke8(cx->ks, 2); ke8(cx->ks, 3); 183 ke8(cx->ks, 4); ke8(cx->ks, 5); 184#endif 185 kel8(cx->ks, 6); 186 cx->rn = 14; 187#if defined( AES_ERR_CHK ) 188 return aes_good; 189#endif 190} 191 192#endif 193 194#if defined(AES_VAR) 195 196aes_rval aes_encrypt_key(const unsigned char *key, int key_len, aes_encrypt_ctx cx[1]) 197{ 198 switch(key_len) 199 { 200#if defined( AES_ERR_CHK ) 201 case 16: case 128: return aes_encrypt_key128(key, cx); 202 case 24: case 192: return aes_encrypt_key192(key, cx); 203 case 32: case 256: return aes_encrypt_key256(key, cx); 204 default: return aes_error; 205#else 206 case 16: case 128: aes_encrypt_key128(key, cx); return; 207 case 24: case 192: aes_encrypt_key192(key, cx); return; 208 case 32: case 256: aes_encrypt_key256(key, cx); return; 209#endif 210 } 211} 212 213#endif 214 215#endif 216 217#if defined(DECRYPTION_KEY_SCHEDULE) 218 219#if DEC_ROUND == NO_TABLES 220#define ff(x) (x) 221#else 222#define ff(x) inv_mcol(x) 223#if defined( dec_imvars ) 224#define d_vars dec_imvars 225#endif 226#endif 227 228#if 1 229#define kdf4(k,i) \ 230{ ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; ss[1] = ss[1] ^ ss[3]; ss[2] = ss[2] ^ ss[3]; ss[3] = ss[3]; \ 231 ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; \ 232 ss[4] ^= k[4*(i)]; k[4*(i)+4] = ff(ss[4]); ss[4] ^= k[4*(i)+1]; k[4*(i)+5] = ff(ss[4]); \ 233 ss[4] ^= k[4*(i)+2]; k[4*(i)+6] = ff(ss[4]); ss[4] ^= k[4*(i)+3]; k[4*(i)+7] = ff(ss[4]); \ 234} 235#define kd4(k,i) \ 236{ ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \ 237 k[4*(i)+4] = ss[4] ^= k[4*(i)]; k[4*(i)+5] = ss[4] ^= k[4*(i)+1]; \ 238 k[4*(i)+6] = ss[4] ^= k[4*(i)+2]; k[4*(i)+7] = ss[4] ^= k[4*(i)+3]; \ 239} 240#define kdl4(k,i) \ 241{ ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; \ 242 k[4*(i)+4] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; k[4*(i)+5] = ss[1] ^ ss[3]; \ 243 k[4*(i)+6] = ss[0]; k[4*(i)+7] = ss[1]; \ 244} 245#else 246#define kdf4(k,i) \ 247{ ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ff(ss[0]); ss[1] ^= ss[0]; k[4*(i)+ 5] = ff(ss[1]); \ 248 ss[2] ^= ss[1]; k[4*(i)+ 6] = ff(ss[2]); ss[3] ^= ss[2]; k[4*(i)+ 7] = ff(ss[3]); \ 249} 250#define kd4(k,i) \ 251{ ss[4] = ls_box(ss[3],3) ^ t_use(r,c)[i]; \ 252 ss[0] ^= ss[4]; ss[4] = ff(ss[4]); k[4*(i)+ 4] = ss[4] ^= k[4*(i)]; \ 253 ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[4] ^= k[4*(i)+ 1]; \ 254 ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[4] ^= k[4*(i)+ 2]; \ 255 ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[4] ^= k[4*(i)+ 3]; \ 256} 257#define kdl4(k,i) \ 258{ ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ss[0]; ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[1]; \ 259 ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[2]; ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[3]; \ 260} 261#endif 262 263#define kdf6(k,i) \ 264{ ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ff(ss[0]); ss[1] ^= ss[0]; k[6*(i)+ 7] = ff(ss[1]); \ 265 ss[2] ^= ss[1]; k[6*(i)+ 8] = ff(ss[2]); ss[3] ^= ss[2]; k[6*(i)+ 9] = ff(ss[3]); \ 266 ss[4] ^= ss[3]; k[6*(i)+10] = ff(ss[4]); ss[5] ^= ss[4]; k[6*(i)+11] = ff(ss[5]); \ 267} 268#define kd6(k,i) \ 269{ ss[6] = ls_box(ss[5],3) ^ t_use(r,c)[i]; \ 270 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); k[6*(i)+ 6] = ss[6] ^= k[6*(i)]; \ 271 ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[6] ^= k[6*(i)+ 1]; \ 272 ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[6] ^= k[6*(i)+ 2]; \ 273 ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[6] ^= k[6*(i)+ 3]; \ 274 ss[4] ^= ss[3]; k[6*(i)+10] = ss[6] ^= k[6*(i)+ 4]; \ 275 ss[5] ^= ss[4]; k[6*(i)+11] = ss[6] ^= k[6*(i)+ 5]; \ 276} 277#define kdl6(k,i) \ 278{ ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ss[0]; ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[1]; \ 279 ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[2]; ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[3]; \ 280} 281 282#define kdf8(k,i) \ 283{ ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ff(ss[0]); ss[1] ^= ss[0]; k[8*(i)+ 9] = ff(ss[1]); \ 284 ss[2] ^= ss[1]; k[8*(i)+10] = ff(ss[2]); ss[3] ^= ss[2]; k[8*(i)+11] = ff(ss[3]); \ 285 ss[4] ^= ls_box(ss[3],0); k[8*(i)+12] = ff(ss[4]); ss[5] ^= ss[4]; k[8*(i)+13] = ff(ss[5]); \ 286 ss[6] ^= ss[5]; k[8*(i)+14] = ff(ss[6]); ss[7] ^= ss[6]; k[8*(i)+15] = ff(ss[7]); \ 287} 288#define kd8(k,i) \ 289{ aes_32t g = ls_box(ss[7],3) ^ t_use(r,c)[i]; \ 290 ss[0] ^= g; g = ff(g); k[8*(i)+ 8] = g ^= k[8*(i)]; \ 291 ss[1] ^= ss[0]; k[8*(i)+ 9] = g ^= k[8*(i)+ 1]; \ 292 ss[2] ^= ss[1]; k[8*(i)+10] = g ^= k[8*(i)+ 2]; \ 293 ss[3] ^= ss[2]; k[8*(i)+11] = g ^= k[8*(i)+ 3]; \ 294 g = ls_box(ss[3],0); \ 295 ss[4] ^= g; g = ff(g); k[8*(i)+12] = g ^= k[8*(i)+ 4]; \ 296 ss[5] ^= ss[4]; k[8*(i)+13] = g ^= k[8*(i)+ 5]; \ 297 ss[6] ^= ss[5]; k[8*(i)+14] = g ^= k[8*(i)+ 6]; \ 298 ss[7] ^= ss[6]; k[8*(i)+15] = g ^= k[8*(i)+ 7]; \ 299} 300#define kdl8(k,i) \ 301{ ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ss[0]; ss[1] ^= ss[0]; k[8*(i)+ 9] = ss[1]; \ 302 ss[2] ^= ss[1]; k[8*(i)+10] = ss[2]; ss[3] ^= ss[2]; k[8*(i)+11] = ss[3]; \ 303} 304 305#if defined(AES_128) || defined(AES_VAR) 306 307aes_rval aes_decrypt_key128(const unsigned char *key, aes_decrypt_ctx cx[1]) 308{ aes_32t ss[5]; 309#if defined( d_vars ) 310 d_vars; 311#endif 312 cx->ks[0] = ss[0] = word_in(key, 0); 313 cx->ks[1] = ss[1] = word_in(key, 1); 314 cx->ks[2] = ss[2] = word_in(key, 2); 315 cx->ks[3] = ss[3] = word_in(key, 3); 316 317#if DEC_UNROLL == NONE 318 { aes_32t i; 319 320 for(i = 0; i < (11 * N_COLS - 5) / 4; ++i) 321 ke4(cx->ks, i); 322 kel4(cx->ks, 9); 323#if !(DEC_ROUND == NO_TABLES) 324 for(i = N_COLS; i < 10 * N_COLS; ++i) 325 cx->ks[i] = inv_mcol(cx->ks[i]); 326#endif 327 } 328#else 329 kdf4(cx->ks, 0); kd4(cx->ks, 1); 330 kd4(cx->ks, 2); kd4(cx->ks, 3); 331 kd4(cx->ks, 4); kd4(cx->ks, 5); 332 kd4(cx->ks, 6); kd4(cx->ks, 7); 333 kd4(cx->ks, 8); kdl4(cx->ks, 9); 334#endif 335 cx->rn = 10; 336#if defined( AES_ERR_CHK ) 337 return aes_good; 338#endif 339} 340 341#endif 342 343#if defined(AES_192) || defined(AES_VAR) 344 345aes_rval aes_decrypt_key192(const unsigned char *key, aes_decrypt_ctx cx[1]) 346{ aes_32t ss[7]; 347#if defined( d_vars ) 348 d_vars; 349#endif 350 cx->ks[0] = ss[0] = word_in(key, 0); 351 cx->ks[1] = ss[1] = word_in(key, 1); 352 cx->ks[2] = ss[2] = word_in(key, 2); 353 cx->ks[3] = ss[3] = word_in(key, 3); 354 355#if DEC_UNROLL == NONE 356 cx->ks[4] = ss[4] = word_in(key, 4); 357 cx->ks[5] = ss[5] = word_in(key, 5); 358 { aes_32t i; 359 360 for(i = 0; i < (13 * N_COLS - 7) / 6; ++i) 361 ke6(cx->ks, i); 362 kel6(cx->ks, 7); 363#if !(DEC_ROUND == NO_TABLES) 364 for(i = N_COLS; i < 12 * N_COLS; ++i) 365 cx->ks[i] = inv_mcol(cx->ks[i]); 366#endif 367 } 368#else 369 cx->ks[4] = ff(ss[4] = word_in(key, 4)); 370 cx->ks[5] = ff(ss[5] = word_in(key, 5)); 371 kdf6(cx->ks, 0); kd6(cx->ks, 1); 372 kd6(cx->ks, 2); kd6(cx->ks, 3); 373 kd6(cx->ks, 4); kd6(cx->ks, 5); 374 kd6(cx->ks, 6); kdl6(cx->ks, 7); 375#endif 376 cx->rn = 12; 377#if defined( AES_ERR_CHK ) 378 return aes_good; 379#endif 380} 381 382#endif 383 384#if defined(AES_256) || defined(AES_VAR) 385 386aes_rval aes_decrypt_key256(const unsigned char *key, aes_decrypt_ctx cx[1]) 387{ aes_32t ss[8]; 388#if defined( d_vars ) 389 d_vars; 390#endif 391 cx->ks[0] = ss[0] = word_in(key, 0); 392 cx->ks[1] = ss[1] = word_in(key, 1); 393 cx->ks[2] = ss[2] = word_in(key, 2); 394 cx->ks[3] = ss[3] = word_in(key, 3); 395 396#if DEC_UNROLL == NONE 397 cx->ks[4] = ss[4] = word_in(key, 4); 398 cx->ks[5] = ss[5] = word_in(key, 5); 399 cx->ks[6] = ss[6] = word_in(key, 6); 400 cx->ks[7] = ss[7] = word_in(key, 7); 401 { aes_32t i; 402 403 for(i = 0; i < (15 * N_COLS - 9) / 8; ++i) 404 ke8(cx->ks, i); 405 kel8(cx->ks, i); 406#if !(DEC_ROUND == NO_TABLES) 407 for(i = N_COLS; i < 14 * N_COLS; ++i) 408 cx->ks[i] = inv_mcol(cx->ks[i]); 409 410#endif 411 } 412#else 413 cx->ks[4] = ff(ss[4] = word_in(key, 4)); 414 cx->ks[5] = ff(ss[5] = word_in(key, 5)); 415 cx->ks[6] = ff(ss[6] = word_in(key, 6)); 416 cx->ks[7] = ff(ss[7] = word_in(key, 7)); 417 kdf8(cx->ks, 0); kd8(cx->ks, 1); 418 kd8(cx->ks, 2); kd8(cx->ks, 3); 419 kd8(cx->ks, 4); kd8(cx->ks, 5); 420 kdl8(cx->ks, 6); 421#endif 422 cx->rn = 14; 423#if defined( AES_ERR_CHK ) 424 return aes_good; 425#endif 426} 427 428#endif 429 430#if defined(AES_VAR) 431 432aes_rval aes_decrypt_key(const unsigned char *key, int key_len, aes_decrypt_ctx cx[1]) 433{ 434 switch(key_len) 435 { 436#if defined( AES_ERR_CHK ) 437 case 16: case 128: return aes_decrypt_key128(key, cx); 438 case 24: case 192: return aes_decrypt_key192(key, cx); 439 case 32: case 256: return aes_decrypt_key256(key, cx); 440 default: return aes_error; 441#else 442 case 16: case 128: aes_decrypt_key128(key, cx); return; 443 case 24: case 192: aes_decrypt_key192(key, cx); return; 444 case 32: case 256: aes_decrypt_key256(key, cx); return; 445#endif 446 } 447} 448 449#endif 450 451#endif 452 453#if defined(__cplusplus) 454} 455#endif 456