]> git.saurik.com Git - apple/xnu.git/blame - bsd/crypto/aes/i386/aesopt.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-1456.1.26.tar.gz
[apple/xnu.git] / bsd / crypto / aes / i386 / aesopt.h
CommitLineData
2d21ac55
A		 1/*\r
2 ---------------------------------------------------------------------------\r
3 Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved.\r
4\r
5 LICENSE TERMS\r
6\r
7 The free distribution and use of this software in both source and binary\r
8 form is allowed (with or without changes) provided that:\r
9\r
10 1. distributions of this source code include the above copyright\r
11 notice, this list of conditions and the following disclaimer;\r
12\r
13 2. distributions in binary form include the above copyright\r
14 notice, this list of conditions and the following disclaimer\r
15 in the documentation and/or other associated materials;\r
16\r
17 3. the copyright holder's name is not used to endorse products\r
18 built using this software without specific written permission.\r
19\r
20 ALTERNATIVELY, provided that this notice is retained in full, this product\r
21 may be distributed under the terms of the GNU General Public License (GPL),\r
22 in which case the provisions of the GPL apply INSTEAD OF those given above.\r
23\r
24 DISCLAIMER\r
25\r
26 This software is provided 'as is' with no explicit or implied warranties\r
27 in respect of its properties, including, but not limited to, correctness\r
28 and/or fitness for purpose.\r
29 ---------------------------------------------------------------------------\r
30 Issue 31/01/2006\r
31\r
32 This file contains the compilation options for AES (Rijndael) and code\r
33 that is common across encryption, key scheduling and table generation.\r
34\r
35 OPERATION\r
36\r
37 These source code files implement the AES algorithm Rijndael designed by\r
38 Joan Daemen and Vincent Rijmen. This version is designed for the standard\r
39 block size of 16 bytes and for key sizes of 128, 192 and 256 bits (16, 24\r
40 and 32 bytes).\r
41\r
42 This version is designed for flexibility and speed using operations on\r
43 32-bit words rather than operations on bytes. It can be compiled with\r
44 either big or little endian internal byte order but is faster when the\r
45 native byte order for the processor is used.\r
46\r
47 THE CIPHER INTERFACE\r
48\r
49 The cipher interface is implemented as an array of bytes in which lower\r
50 AES bit sequence indexes map to higher numeric significance within bytes.\r
51\r
52 uint_8t (an unsigned 8-bit type)\r
53 uint_32t (an unsigned 32-bit type)\r
54 struct aes_encrypt_ctx (structure for the cipher encryption context)\r
55 struct aes_decrypt_ctx (structure for the cipher decryption context)\r
56 aes_rval the function return type\r
57\r
58 C subroutine calls:\r
59\r
60 aes_rval aes_encrypt_key128(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
61 aes_rval aes_encrypt_key192(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
62 aes_rval aes_encrypt_key256(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
63 aes_rval aes_encrypt(const unsigned char *in, unsigned char *out,\r
64 const aes_encrypt_ctx cx[1]);\r
65\r
66 aes_rval aes_decrypt_key128(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
67 aes_rval aes_decrypt_key192(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
68 aes_rval aes_decrypt_key256(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
69 aes_rval aes_decrypt(const unsigned char *in, unsigned char *out,\r
70 const aes_decrypt_ctx cx[1]);\r
71\r
72 IMPORTANT NOTE: If you are using this C interface with dynamic tables make sure that\r
73 you call gen_tabs() before AES is used so that the tables are initialised.\r
74\r
75 C++ aes class subroutines:\r
76\r
77 Class AESencrypt for encryption\r
78\r
79 Construtors:\r
80 AESencrypt(void)\r
81 AESencrypt(const unsigned char *key) - 128 bit key\r
82 Members:\r
83 aes_rval key128(const unsigned char *key)\r
84 aes_rval key192(const unsigned char *key)\r
85 aes_rval key256(const unsigned char *key)\r
86 aes_rval encrypt(const unsigned char *in, unsigned char *out) const\r
87\r
88 Class AESdecrypt for encryption\r
89 Construtors:\r
90 AESdecrypt(void)\r
91 AESdecrypt(const unsigned char *key) - 128 bit key\r
92 Members:\r
93 aes_rval key128(const unsigned char *key)\r
94 aes_rval key192(const unsigned char *key)\r
95 aes_rval key256(const unsigned char *key)\r
96 aes_rval decrypt(const unsigned char *in, unsigned char *out) const\r
97*/\r
98\r
99#if !defined( _AESOPT_H )\r
100#define _AESOPT_H\r
101\r
102#if defined( __cplusplus )\r
103#include "aescpp.h"\r
104#else\r
105#include "crypto/aes.h"\r
106#endif\r
107\r
108/* PLATFORM SPECIFIC INCLUDES */\r
109\r
110#include "edefs.h"\r
111\r
112/* CONFIGURATION - THE USE OF DEFINES\r
113\r
114 Later in this section there are a number of defines that control the\r
115 operation of the code. In each section, the purpose of each define is\r
116 explained so that the relevant form can be included or excluded by\r
117 setting either 1's or 0's respectively on the branches of the related\r
118 #if clauses. The following local defines should not be changed.\r
119*/\r
120\r
121#define ENCRYPTION_IN_C 1\r
122#define DECRYPTION_IN_C 2\r
123#define ENC_KEYING_IN_C 4\r
124#define DEC_KEYING_IN_C 8\r
125\r
126#define NO_TABLES 0\r
127#define ONE_TABLE 1\r
128#define FOUR_TABLES 4\r
129#define NONE 0\r
130#define PARTIAL 1\r
131#define FULL 2\r
132\r
133/* --- START OF USER CONFIGURED OPTIONS --- */\r
134\r
135/* 1. BYTE ORDER WITHIN 32 BIT WORDS\r
136\r
137 The fundamental data processing units in Rijndael are 8-bit bytes. The\r
138 input, output and key input are all enumerated arrays of bytes in which\r
139 bytes are numbered starting at zero and increasing to one less than the\r
140 number of bytes in the array in question. This enumeration is only used\r
141 for naming bytes and does not imply any adjacency or order relationship\r
142 from one byte to another. When these inputs and outputs are considered\r
143 as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to\r
144 byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte.\r
145 In this implementation bits are numbered from 0 to 7 starting at the\r
146 numerically least significant end of each byte (bit n represents 2^n).\r
147\r
148 However, Rijndael can be implemented more efficiently using 32-bit\r
149 words by packing bytes into words so that bytes 4*n to 4*n+3 are placed\r
150 into word[n]. While in principle these bytes can be assembled into words\r
151 in any positions, this implementation only supports the two formats in\r
152 which bytes in adjacent positions within words also have adjacent byte\r
153 numbers. This order is called big-endian if the lowest numbered bytes\r
154 in words have the highest numeric significance and little-endian if the\r
155 opposite applies.\r
156\r
157 This code can work in either order irrespective of the order used by the\r
158 machine on which it runs. Normally the internal byte order will be set\r
159 to the order of the processor on which the code is to be run but this\r
160 define can be used to reverse this in special situations\r
161\r
162 WARNING: Assembler code versions rely on PLATFORM_BYTE_ORDER being set.\r
163 This define will hence be redefined later (in section 4) if necessary\r
164*/\r
165\r
166#if 1 \r
167#define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER\r
168#elif 0\r
169#define ALGORITHM_BYTE_ORDER IS_LITTLE_ENDIAN\r
170#elif 0\r
171#define ALGORITHM_BYTE_ORDER IS_BIG_ENDIAN\r
172#else\r
173#error The algorithm byte order is not defined\r
174#endif\r
175\r
176/* 2. VIA ACE SUPPORT\r
177\r
178 Define this option if support for the VIA ACE is required. This uses \r
179 inline assembler instructions and is only implemented for the Microsoft, \r
180 Intel and GCC compilers. If VIA ACE is known to be present, then defining\r
181 ASSUME_VIA_ACE_PRESENT will remove the ordinary encryption/decryption \r
182 code. If USE_VIA_ACE_IF_PRESENT is defined then VIA ACE will be used if\r
183 it is detected (both present and enabled) but the normal AES code will \r
184 also be present. \r
185 \r
186 When VIA ACE is to be used, all AES encryption contexts MUST be 16 byte \r
187 aligned; other input/output buffers do not need to be 16 byte aligned \r
188 but there are very large performance gains if this can be arranged. \r
189 VIA ACE also requires the decryption key schedule to be in reverse \r
190 order (which the following defines ensure).\r
191*/\r
192\r
193#if 0 && !defined( _WIN64 ) && !defined( USE_VIA_ACE_IF_PRESENT )\r
194#define USE_VIA_ACE_IF_PRESENT\r
195#endif\r
196\r
197#if 0 && !defined( _WIN64 ) && !defined( ASSUME_VIA_ACE_PRESENT )\r
198#define ASSUME_VIA_ACE_PRESENT\r
199#endif\r
200\r
201/* 3. ASSEMBLER SUPPORT\r
202\r
203 This define (which can be on the command line) enables the use of the\r
204 assembler code routines for encryption, decryption and key scheduling\r
205 as follows:\r
206\r
207 ASM_X86_V1C uses the assembler (aes_x86_v1.asm) with large tables for \r
208 encryption and decryption and but with key scheduling in C\r
209 ASM_X86_V2 uses assembler (aes_x86_v2.asm) with compressed tables for\r
210 encryption, decryption and key scheduling\r
211 ASM_X86_V2C uses assembler (aes_x86_v2.asm) with compressed tables for\r
212 encryption and decryption and but with key scheduling in C\r
213 ASM_AMD64_C uses assembler (aes_amd64.asm) with compressed tables for\r
214 encryption and decryption and but with key scheduling in C\r
215\r
216 Change one 'if 0' below to 'if 1' to select the version or define \r
217 as a compilation option.\r
218*/\r
219\r
220#if defined ( ASM_X86_V1C ) || defined( ASM_X86_V2 ) || defined( ASM_X86_V2C )\r
221# if defined( _M_IX86 )\r
222# if 0 && !defined( ASM_X86_V1C )\r
223# define ASM_X86_V1C\r
224# elif 0 && !defined( ASM_X86_V2 )\r
225# define ASM_X86_V2\r
226# elif 0 && !defined( ASM_X86_V2C )\r
227# define ASM_X86_V2C\r
228# endif\r
229# else\r
230# error Assembler code is only available for x86 and AMD64 systems\r
231# endif\r
232#elif defined( ASM_AMD64_C )\r
233# if defined( _M_X64 )\r
234# if 0 && !defined( ASM_AMD64_C )\r
235# define ASM_AMD64_C\r
236# endif\r
237# else\r
238# error Assembler code is only available for x86 and AMD64 systems\r
239# endif\r
240#endif\r
241\r
242/* 4. FAST INPUT/OUTPUT OPERATIONS.\r
243\r
244 On some machines it is possible to improve speed by transferring the\r
245 bytes in the input and output arrays to and from the internal 32-bit\r
246 variables by addressing these arrays as if they are arrays of 32-bit\r
247 words. On some machines this will always be possible but there may\r
248 be a large performance penalty if the byte arrays are not aligned on\r
249 the normal word boundaries. On other machines this technique will\r
250 lead to memory access errors when such 32-bit word accesses are not\r
251 properly aligned. The option SAFE_IO avoids such problems but will\r
252 often be slower on those machines that support misaligned access\r
253 (especially so if care is taken to align the input and output byte\r
254 arrays on 32-bit word boundaries). If SAFE_IO is not defined it is\r
255 assumed that access to byte arrays as if they are arrays of 32-bit\r
256 words will not cause problems when such accesses are misaligned.\r
257*/\r
258#if 1 && !defined( _MSC_VER )\r
259#define SAFE_IO\r
260#endif\r
261\r
262/* 5. LOOP UNROLLING\r
263\r
264 The code for encryption and decrytpion cycles through a number of rounds\r
265 that can be implemented either in a loop or by expanding the code into a\r
266 long sequence of instructions, the latter producing a larger program but\r
267 one that will often be much faster. The latter is called loop unrolling.\r
268 There are also potential speed advantages in expanding two iterations in\r
269 a loop with half the number of iterations, which is called partial loop\r
270 unrolling. The following options allow partial or full loop unrolling\r
271 to be set independently for encryption and decryption\r
272*/\r
273#if 1\r
274#define ENC_UNROLL FULL\r
275#elif 0\r
276#define ENC_UNROLL PARTIAL\r
277#else\r
278#define ENC_UNROLL NONE\r
279#endif\r
280\r
281#if 1\r
282#define DEC_UNROLL FULL\r
283#elif 0\r
284#define DEC_UNROLL PARTIAL\r
285#else\r
286#define DEC_UNROLL NONE\r
287#endif\r
288\r
289/* 6. FAST FINITE FIELD OPERATIONS\r
290\r
291 If this section is included, tables are used to provide faster finite\r
292 field arithmetic (this has no effect if FIXED_TABLES is defined).\r
293*/\r
294#if 1\r
295#define FF_TABLES\r
296#endif\r
297\r
298/* 7. INTERNAL STATE VARIABLE FORMAT\r
299\r
300 The internal state of Rijndael is stored in a number of local 32-bit\r
301 word varaibles which can be defined either as an array or as individual\r
302 names variables. Include this section if you want to store these local\r
303 varaibles in arrays. Otherwise individual local variables will be used.\r
304*/\r
305#if 1\r
306#define ARRAYS\r
307#endif\r
308\r
309/* 8. FIXED OR DYNAMIC TABLES\r
310\r
311 When this section is included the tables used by the code are compiled\r
312 statically into the binary file. Otherwise the subroutine gen_tabs()\r
313 must be called to compute them before the code is first used.\r
314*/\r
315#if 0 && !(defined( _MSC_VER ) && ( _MSC_VER <= 800 )) \r
316#define FIXED_TABLES\r
317#endif\r
318\r
319/* 9. TABLE ALIGNMENT\r
320\r
321 On some sytsems speed will be improved by aligning the AES large lookup\r
322 tables on particular boundaries. This define should be set to a power of\r
323 two giving the desired alignment. It can be left undefined if alignment\r
324 is not needed. This option is specific to the Microsft VC++ compiler -\r
325 it seems to sometimes cause trouble for the VC++ version 6 compiler.\r
326*/\r
327\r
328#if 1 && defined( _MSC_VER ) && ( _MSC_VER >= 1300 )\r
329#define TABLE_ALIGN 32\r
330#endif\r
331\r
332/* 10. TABLE OPTIONS\r
333 \r
334 This cipher proceeds by repeating in a number of cycles known as 'rounds'\r
335 which are implemented by a round function which can optionally be speeded\r
336 up using tables. The basic tables are each 256 32-bit words, with either\r
337 one or four tables being required for each round function depending on\r
338 how much speed is required. The encryption and decryption round functions\r
339 are different and the last encryption and decrytpion round functions are\r
340 different again making four different round functions in all.\r
341\r
342 This means that:\r
343 1. Normal encryption and decryption rounds can each use either 0, 1\r
344 or 4 tables and table spaces of 0, 1024 or 4096 bytes each.\r
345 2. The last encryption and decryption rounds can also use either 0, 1\r
346 or 4 tables and table spaces of 0, 1024 or 4096 bytes each.\r
347\r
348 Include or exclude the appropriate definitions below to set the number\r
349 of tables used by this implementation.\r
350*/\r
351\r
352#if 1 /* set tables for the normal encryption round */\r
353#define ENC_ROUND FOUR_TABLES\r
354#elif 0\r
355#define ENC_ROUND ONE_TABLE\r
356#else\r
357#define ENC_ROUND NO_TABLES\r
358#endif\r
359\r
360#if 1 /* set tables for the last encryption round */\r
361#define LAST_ENC_ROUND FOUR_TABLES\r
362#elif 0\r
363#define LAST_ENC_ROUND ONE_TABLE\r
364#else\r
365#define LAST_ENC_ROUND NO_TABLES\r
366#endif\r
367\r
368#if 1 /* set tables for the normal decryption round */\r
369#define DEC_ROUND FOUR_TABLES\r
370#elif 0\r
371#define DEC_ROUND ONE_TABLE\r
372#else\r
373#define DEC_ROUND NO_TABLES\r
374#endif\r
375\r
376#if 1 /* set tables for the last decryption round */\r
377#define LAST_DEC_ROUND FOUR_TABLES\r
378#elif 0\r
379#define LAST_DEC_ROUND ONE_TABLE\r
380#else\r
381#define LAST_DEC_ROUND NO_TABLES\r
382#endif\r
383\r
384/* The decryption key schedule can be speeded up with tables in the same\r
385 way that the round functions can. Include or exclude the following\r
386 defines to set this requirement.\r
387*/\r
388#if 1\r
389#define KEY_SCHED FOUR_TABLES\r
390#elif 0\r
391#define KEY_SCHED ONE_TABLE\r
392#else\r
393#define KEY_SCHED NO_TABLES\r
394#endif\r
395\r
396/* ---- END OF USER CONFIGURED OPTIONS ---- */\r
397\r
398/* VIA ACE support is only available for VC++ and GCC */\r
399\r
400#if !defined( _MSC_VER ) && !defined( __GNUC__ )\r
401# if defined( ASSUME_VIA_ACE_PRESENT )\r
402# undef ASSUME_VIA_ACE_PRESENT\r
403# endif\r
404# if defined( USE_VIA_ACE_IF_PRESENT )\r
405# undef USE_VIA_ACE_IF_PRESENT\r
406# endif\r
407#endif\r
408\r
409#if defined( ASSUME_VIA_ACE_PRESENT ) && !defined( USE_VIA_ACE_IF_PRESENT )\r
410#define USE_VIA_ACE_IF_PRESENT\r
411#endif\r
412\r
413#if defined( USE_VIA_ACE_IF_PRESENT ) && !defined ( AES_REV_DKS )\r
414#define AES_REV_DKS\r
415#endif\r
416\r
417/* Assembler support requires the use of platform byte order */\r
418\r
419#if ( defined( ASM_X86_V1C ) || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C ) ) && (ALGORITHM_BYTE_ORDER != PLATFORM_BYTE_ORDER)\r
420#undef ALGORITHM_BYTE_ORDER\r
421#define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER\r
422#endif\r
423\r
424/* In this implementation the columns of the state array are each held in\r
425 32-bit words. The state array can be held in various ways: in an array\r
426 of words, in a number of individual word variables or in a number of\r
427 processor registers. The following define maps a variable name x and\r
428 a column number c to the way the state array variable is to be held.\r
429 The first define below maps the state into an array x[c] whereas the\r
430 second form maps the state into a number of individual variables x0,\r
431 x1, etc. Another form could map individual state colums to machine\r
432 register names.\r
433*/\r
434\r
435#if defined( ARRAYS )\r
436#define s(x,c) x[c]\r
437#else\r
438#define s(x,c) x##c\r
439#endif\r
440\r
441/* This implementation provides subroutines for encryption, decryption\r
442 and for setting the three key lengths (separately) for encryption\r
443 and decryption. Since not all functions are needed, masks are set \r
444 up here to determine which will be implemented in C\r
445*/\r
446\r
447#if !defined( AES_ENCRYPT )\r
448# define EFUNCS_IN_C 0\r
449#elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C )\r
450 || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C )\r
451# define EFUNCS_IN_C ENC_KEYING_IN_C\r
452#elif !defined( ASM_X86_V2 )\r
453# define EFUNCS_IN_C ( ENCRYPTION_IN_C | ENC_KEYING_IN_C )\r
454#else\r
455# define EFUNCS_IN_C 0\r
456#endif\r
457\r
458#if !defined( AES_DECRYPT )\r
459# define DFUNCS_IN_C 0\r
460#elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C )\r
461 || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C ) \r
462# define DFUNCS_IN_C DEC_KEYING_IN_C\r
463#elif !defined( ASM_X86_V2 )\r
464# define DFUNCS_IN_C ( DECRYPTION_IN_C | DEC_KEYING_IN_C )\r
465#else\r
466# define DFUNCS_IN_C 0\r
467#endif\r
468\r
469#define FUNCS_IN_C ( EFUNCS_IN_C | DFUNCS_IN_C )\r
470\r
471/* END OF CONFIGURATION OPTIONS */\r
472\r
473#define RC_LENGTH (5 * (AES_BLOCK_SIZE / 4 - 2))\r
474\r
475/* Disable or report errors on some combinations of options */\r
476\r
477#if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES\r
478#undef LAST_ENC_ROUND\r
479#define LAST_ENC_ROUND NO_TABLES\r
480#elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES\r
481#undef LAST_ENC_ROUND\r
482#define LAST_ENC_ROUND ONE_TABLE\r
483#endif\r
484\r
485#if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE\r
486#undef ENC_UNROLL\r
487#define ENC_UNROLL NONE\r
488#endif\r
489\r
490#if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES\r
491#undef LAST_DEC_ROUND\r
492#define LAST_DEC_ROUND NO_TABLES\r
493#elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES\r
494#undef LAST_DEC_ROUND\r
495#define LAST_DEC_ROUND ONE_TABLE\r
496#endif\r
497\r
498#if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE\r
499#undef DEC_UNROLL\r
500#define DEC_UNROLL NONE\r
501#endif\r
502\r
503#if defined( bswap32 )\r
504#define aes_sw32 bswap32\r
505#elif defined( bswap_32 )\r
506#define aes_sw32 bswap_32\r
507#else\r
508#define brot(x,n) (((uint_32t)(x) << n) | ((uint_32t)(x) >> (32 - n)))\r
509#define aes_sw32(x) ((brot((x),8) & 0x00ff00ff) | (brot((x),24) & 0xff00ff00))\r
510#endif\r
511\r
512/* upr(x,n): rotates bytes within words by n positions, moving bytes to\r
513 higher index positions with wrap around into low positions\r
514 ups(x,n): moves bytes by n positions to higher index positions in\r
515 words but without wrap around\r
516 bval(x,n): extracts a byte from a word\r
517\r
518 WARNING: The definitions given here are intended only for use with\r
519 unsigned variables and with shift counts that are compile\r
520 time constants\r
521*/\r
522\r
523#if ( ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN )\r
524#define upr(x,n) (((uint_32t)(x) << (8 * (n))) | ((uint_32t)(x) >> (32 - 8 * (n))))\r
525#define ups(x,n) ((uint_32t) (x) << (8 * (n)))\r
526#define bval(x,n) ((uint_8t)((x) >> (8 * (n))))\r
527#define bytes2word(b0, b1, b2, b3) \\r
528 (((uint_32t)(b3) << 24) | ((uint_32t)(b2) << 16) | ((uint_32t)(b1) << 8) | (b0))\r
529#endif\r
530\r
531#if ( ALGORITHM_BYTE_ORDER == IS_BIG_ENDIAN )\r
532#define upr(x,n) (((uint_32t)(x) >> (8 * (n))) | ((uint_32t)(x) << (32 - 8 * (n))))\r
533#define ups(x,n) ((uint_32t) (x) >> (8 * (n)))\r
534#define bval(x,n) ((uint_8t)((x) >> (24 - 8 * (n))))\r
535#define bytes2word(b0, b1, b2, b3) \\r
536 (((uint_32t)(b0) << 24) | ((uint_32t)(b1) << 16) | ((uint_32t)(b2) << 8) | (b3))\r
537#endif\r
538\r
539#if defined( SAFE_IO )\r
540\r
541#define word_in(x,c) bytes2word(((const uint_8t*)(x)+4*c)[0], ((const uint_8t*)(x)+4*c)[1], \\r
542 ((const uint_8t*)(x)+4*c)[2], ((const uint_8t*)(x)+4*c)[3])\r
543#define word_out(x,c,v) { ((uint_8t*)(x)+4*c)[0] = bval(v,0); ((uint_8t*)(x)+4*c)[1] = bval(v,1); \\r
544 ((uint_8t*)(x)+4*c)[2] = bval(v,2); ((uint_8t*)(x)+4*c)[3] = bval(v,3); }\r
545\r
546#elif ( ALGORITHM_BYTE_ORDER == PLATFORM_BYTE_ORDER )\r
547\r
548#define word_in(x,c) (*((uint_32t*)(x)+(c)))\r
549#define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = (v))\r
550\r
551#else\r
552\r
553#define word_in(x,c) aes_sw32(*((uint_32t*)(x)+(c)))\r
554#define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = aes_sw32(v))\r
555\r
556#endif\r
557\r
558/* the finite field modular polynomial and elements */\r
559\r
560#define WPOLY 0x011b\r
561#define BPOLY 0x1b\r
562\r
563/* multiply four bytes in GF(2^8) by 'x' {02} in parallel */\r
564\r
565#define m1 0x80808080\r
566#define m2 0x7f7f7f7f\r
567#define gf_mulx(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY))\r
568\r
569/* The following defines provide alternative definitions of gf_mulx that might\r
570 give improved performance if a fast 32-bit multiply is not available. Note\r
571 that a temporary variable u needs to be defined where gf_mulx is used.\r
572\r
573#define gf_mulx(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))\r
574#define m4 (0x01010101 * BPOLY)\r
575#define gf_mulx(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)\r
576*/\r
577\r
578/* Work out which tables are needed for the different options */\r
579\r
580#if defined( ASM_X86_V1C )\r
581#if defined( ENC_ROUND )\r
582#undef ENC_ROUND\r
583#endif\r
584#define ENC_ROUND FOUR_TABLES\r
585#if defined( LAST_ENC_ROUND )\r
586#undef LAST_ENC_ROUND\r
587#endif\r
588#define LAST_ENC_ROUND FOUR_TABLES\r
589#if defined( DEC_ROUND )\r
590#undef DEC_ROUND\r
591#endif\r
592#define DEC_ROUND FOUR_TABLES\r
593#if defined( LAST_DEC_ROUND )\r
594#undef LAST_DEC_ROUND\r
595#endif\r
596#define LAST_DEC_ROUND FOUR_TABLES\r
597#if defined( KEY_SCHED )\r
598#undef KEY_SCHED\r
599#define KEY_SCHED FOUR_TABLES\r
600#endif\r
601#endif\r
602\r
603#if ( FUNCS_IN_C & ENCRYPTION_IN_C ) || defined( ASM_X86_V1C )\r
604#if ENC_ROUND == ONE_TABLE\r
605#define FT1_SET\r
606#elif ENC_ROUND == FOUR_TABLES\r
607#define FT4_SET\r
608#else\r
609#define SBX_SET\r
610#endif\r
611#if LAST_ENC_ROUND == ONE_TABLE\r
612#define FL1_SET\r
613#elif LAST_ENC_ROUND == FOUR_TABLES\r
614#define FL4_SET\r
615#elif !defined( SBX_SET )\r
616#define SBX_SET\r
617#endif\r
618#endif\r
619\r
620#if ( FUNCS_IN_C & DECRYPTION_IN_C ) || defined( ASM_X86_V1C )\r
621#if DEC_ROUND == ONE_TABLE\r
622#define IT1_SET\r
623#elif DEC_ROUND == FOUR_TABLES\r
624#define IT4_SET\r
625#else\r
626#define ISB_SET\r
627#endif\r
628#if LAST_DEC_ROUND == ONE_TABLE\r
629#define IL1_SET\r
630#elif LAST_DEC_ROUND == FOUR_TABLES\r
631#define IL4_SET\r
632#elif !defined(ISB_SET)\r
633#define ISB_SET\r
634#endif\r
635#endif\r
636\r
637#if (FUNCS_IN_C & ENC_KEYING_IN_C) || (FUNCS_IN_C & DEC_KEYING_IN_C)\r
638#if KEY_SCHED == ONE_TABLE\r
639#define LS1_SET\r
640#elif KEY_SCHED == FOUR_TABLES\r
641#define LS4_SET\r
642#elif !defined( SBX_SET )\r
643#define SBX_SET\r
644#endif\r
645#endif\r
646\r
647#if (FUNCS_IN_C & DEC_KEYING_IN_C)\r
648#if KEY_SCHED == ONE_TABLE\r
649#define IM1_SET\r
650#elif KEY_SCHED == FOUR_TABLES\r
651#define IM4_SET\r
652#elif !defined( SBX_SET )\r
653#define SBX_SET\r
654#endif\r
655#endif\r
656\r
657/* generic definitions of Rijndael macros that use tables */\r
658\r
659#define no_table(x,box,vf,rf,c) bytes2word( \\r
660 box[bval(vf(x,0,c),rf(0,c))], \\r
661 box[bval(vf(x,1,c),rf(1,c))], \\r
662 box[bval(vf(x,2,c),rf(2,c))], \\r
663 box[bval(vf(x,3,c),rf(3,c))])\r
664\r
665#define one_table(x,op,tab,vf,rf,c) \\r
666 ( tab[bval(vf(x,0,c),rf(0,c))] \\r
667 ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \\r
668 ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \\r
669 ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))\r
670\r
671#define four_tables(x,tab,vf,rf,c) \\r
672 ( tab[0][bval(vf(x,0,c),rf(0,c))] \\r
673 ^ tab[1][bval(vf(x,1,c),rf(1,c))] \\r
674 ^ tab[2][bval(vf(x,2,c),rf(2,c))] \\r
675 ^ tab[3][bval(vf(x,3,c),rf(3,c))])\r
676\r
677#define vf1(x,r,c) (x)\r
678#define rf1(r,c) (r)\r
679#define rf2(r,c) ((8+r-c)&3)\r
680\r
681/* perform forward and inverse column mix operation on four bytes in long word x in */\r
682/* parallel. NOTE: x must be a simple variable, NOT an expression in these macros. */\r
683\r
684#if defined( FM4_SET ) /* not currently used */\r
685#define fwd_mcol(x) four_tables(x,t_use(f,m),vf1,rf1,0)\r
686#elif defined( FM1_SET ) /* not currently used */\r
687#define fwd_mcol(x) one_table(x,upr,t_use(f,m),vf1,rf1,0)\r
688#else\r
689#define dec_fmvars uint_32t g2\r
690#define fwd_mcol(x) (g2 = gf_mulx(x), g2 ^ upr((x) ^ g2, 3) ^ upr((x), 2) ^ upr((x), 1))\r
691#endif\r
692\r
693#if defined( IM4_SET )\r
694#define inv_mcol(x) four_tables(x,t_use(i,m),vf1,rf1,0)\r
695#elif defined( IM1_SET )\r
696#define inv_mcol(x) one_table(x,upr,t_use(i,m),vf1,rf1,0)\r
697#else\r
698#define dec_imvars uint_32t g2, g4, g9\r
699#define inv_mcol(x) (g2 = gf_mulx(x), g4 = gf_mulx(g2), g9 = (x) ^ gf_mulx(g4), g4 ^= g9, \\r
700 (x) ^ g2 ^ g4 ^ upr(g2 ^ g9, 3) ^ upr(g4, 2) ^ upr(g9, 1))\r
701#endif\r
702\r
703#if defined( FL4_SET )\r
704#define ls_box(x,c) four_tables(x,t_use(f,l),vf1,rf2,c)\r
705#elif defined( LS4_SET )\r
706#define ls_box(x,c) four_tables(x,t_use(l,s),vf1,rf2,c)\r
707#elif defined( FL1_SET )\r
708#define ls_box(x,c) one_table(x,upr,t_use(f,l),vf1,rf2,c)\r
709#elif defined( LS1_SET )\r
710#define ls_box(x,c) one_table(x,upr,t_use(l,s),vf1,rf2,c)\r
711#else\r
712#define ls_box(x,c) no_table(x,t_use(s,box),vf1,rf2,c)\r
713#endif\r
714\r
715#if defined( ASM_X86_V1C ) && defined( AES_DECRYPT ) && !defined( ISB_SET )\r
716#define ISB_SET\r
717#endif\r
718\r
719#endif\r
mirror of XNU