Print this page
4896 Performance improvements for KCF AES modes
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/common/crypto/aes/aes_impl.c
+++ new/usr/src/common/crypto/aes/aes_impl.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 + * Copyright 2015 by Saso Kiselkov. All rights reserved.
23 24 */
24 25
25 26 #include <sys/types.h>
26 27 #include <sys/systm.h>
27 28 #include <sys/sysmacros.h>
28 29 #include <netinet/in.h>
29 30 #include "aes_impl.h"
30 31 #ifndef _KERNEL
31 32 #include <strings.h>
32 33 #include <stdlib.h>
34 +#include <sys/note.h>
33 35 #endif /* !_KERNEL */
34 36
35 37 #ifdef __amd64
36 38
37 39 #ifdef _KERNEL
38 40 #include <sys/cpuvar.h> /* cpu_t, CPU */
39 41 #include <sys/x86_archext.h> /* x86_featureset, X86FSET_AES */
40 42 #include <sys/disp.h> /* kpreempt_disable(), kpreempt_enable */
41 43
42 44 /* Workaround for no XMM kernel thread save/restore */
43 45 #define KPREEMPT_DISABLE kpreempt_disable()
44 46 #define KPREEMPT_ENABLE kpreempt_enable()
45 47
46 48 #else
47 49 #include <sys/auxv.h> /* getisax() */
48 50 #include <sys/auxv_386.h> /* AV_386_AES bit */
49 51 #define KPREEMPT_DISABLE
50 52 #define KPREEMPT_ENABLE
51 53 #endif /* _KERNEL */
52 54 #endif /* __amd64 */
53 55
54 56
55 57 /*
56 58 * This file is derived from the file rijndael-alg-fst.c taken from the
57 59 * "optimized C code v3.0" on the "rijndael home page"
58 60 * http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/~rijmen/rijndael/
59 61 * pointed by the NIST web-site http://csrc.nist.gov/archive/aes/
60 62 *
61 63 * The following note is from the original file:
62 64 */
63 65
64 66 /*
65 67 * rijndael-alg-fst.c
66 68 *
67 69 * @version 3.0 (December 2000)
68 70 *
69 71 * Optimised ANSI C code for the Rijndael cipher (now AES)
70 72 *
71 73 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
72 74 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
73 75 * @author Paulo Barreto <paulo.barreto@terra.com.br>
74 76 *
75 77 * This code is hereby placed in the public domain.
76 78 *
77 79 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
78 80 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
79 81 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
80 82 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
81 83 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
82 84 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
83 85 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
84 86 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
85 87 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
86 88 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
|
↓ open down ↓ |
44 lines elided |
↑ open up ↑ |
87 89 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
88 90 */
89 91
90 92 #if defined(sun4u)
91 93 /* External assembly functions: */
92 94 extern void aes_encrypt_impl(const uint32_t rk[], int Nr, const uint32_t pt[4],
93 95 uint32_t ct[4]);
94 96 extern void aes_decrypt_impl(const uint32_t rk[], int Nr, const uint32_t ct[4],
95 97 uint32_t pt[4]);
96 98
97 -#define AES_ENCRYPT_IMPL(a, b, c, d, e) aes_encrypt_impl(a, b, c, d)
98 -#define AES_DECRYPT_IMPL(a, b, c, d, e) aes_decrypt_impl(a, b, c, d)
99 +#define AES_ENCRYPT_IMPL(a, b, c, d) aes_encrypt_impl(a, b, c, d)
100 +#define AES_DECRYPT_IMPL(a, b, c, d) aes_decrypt_impl(a, b, c, d)
99 101
100 102 #elif defined(__amd64)
101 103
102 104 /* These functions are used to execute amd64 instructions for AMD or Intel: */
103 105 extern int rijndael_key_setup_enc_amd64(uint32_t rk[],
104 106 const uint32_t cipherKey[], int keyBits);
105 107 extern int rijndael_key_setup_dec_amd64(uint32_t rk[],
106 108 const uint32_t cipherKey[], int keyBits);
107 109 extern void aes_encrypt_amd64(const uint32_t rk[], int Nr,
108 110 const uint32_t pt[4], uint32_t ct[4]);
109 111 extern void aes_decrypt_amd64(const uint32_t rk[], int Nr,
110 112 const uint32_t ct[4], uint32_t pt[4]);
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
111 113
112 114 /* These functions are used to execute Intel-specific AES-NI instructions: */
113 115 extern int rijndael_key_setup_enc_intel(uint32_t rk[],
114 116 const uint32_t cipherKey[], uint64_t keyBits);
115 117 extern int rijndael_key_setup_dec_intel(uint32_t rk[],
116 118 const uint32_t cipherKey[], uint64_t keyBits);
117 119 extern void aes_encrypt_intel(const uint32_t rk[], int Nr,
118 120 const uint32_t pt[4], uint32_t ct[4]);
119 121 extern void aes_decrypt_intel(const uint32_t rk[], int Nr,
120 122 const uint32_t ct[4], uint32_t pt[4]);
123 +extern void aes_encrypt_intel8(const uint32_t rk[], int Nr,
124 + const void *pt, void *ct);
125 +extern void aes_decrypt_intel8(const uint32_t rk[], int Nr,
126 + const void *ct, void *pt);
127 +extern void aes_encrypt_cbc_intel8(const uint32_t rk[], int Nr,
128 + const void *pt, void *ct, const void *iv);
129 +extern void aes_ctr_intel8(const uint32_t rk[], int Nr,
130 + const void *input, void *output, uint64_t counter_upper_BE,
131 + uint64_t counter_lower_LE);
132 +extern void aes_xor_intel(const uint8_t *, uint8_t *);
121 133
122 -static int intel_aes_instructions_present(void);
134 +static inline int intel_aes_instructions_present(void);
123 135
124 -#define AES_ENCRYPT_IMPL(a, b, c, d, e) rijndael_encrypt(a, b, c, d, e)
125 -#define AES_DECRYPT_IMPL(a, b, c, d, e) rijndael_decrypt(a, b, c, d, e)
136 +#ifdef _KERNEL
137 +/*
138 + * Some form of floating-point acceleration is available, so declare these.
139 + * The implementations will be in a platform-specific assembly file (e.g.
140 + * amd64/aes_intel.s for SSE2/AES-NI).
141 + */
142 +extern void aes_accel_save(void *savestate);
143 +extern void aes_accel_restore(void *savestate);
144 +#endif /* _KERNEL */
126 145
127 146 #else /* Generic C implementation */
128 -
129 -#define AES_ENCRYPT_IMPL(a, b, c, d, e) rijndael_encrypt(a, b, c, d)
130 -#define AES_DECRYPT_IMPL(a, b, c, d, e) rijndael_decrypt(a, b, c, d)
147 +static void rijndael_encrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
148 + uint32_t ct[4]);
149 +static void rijndael_decrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
150 + uint32_t ct[4]);
131 151 #define rijndael_key_setup_enc_raw rijndael_key_setup_enc
152 +#define AES_ENCRYPT_IMPL(a, b, c, d) rijndael_encrypt(a, b, c, d)
153 +#define AES_DECRYPT_IMPL(a, b, c, d) rijndael_decrypt(a, b, c, d)
132 154 #endif /* sun4u || __amd64 */
133 155
134 156 #if defined(_LITTLE_ENDIAN) && !defined(__amd64)
135 157 #define AES_BYTE_SWAP
136 158 #endif
137 159
138 160
139 161 #if !defined(__amd64)
140 162 /*
141 163 * Constant tables
142 164 */
143 165
144 166 /*
145 167 * Te0[x] = S [x].[02, 01, 01, 03];
146 168 * Te1[x] = S [x].[03, 02, 01, 01];
147 169 * Te2[x] = S [x].[01, 03, 02, 01];
148 170 * Te3[x] = S [x].[01, 01, 03, 02];
149 171 * Te4[x] = S [x].[01, 01, 01, 01];
150 172 *
151 173 * Td0[x] = Si[x].[0e, 09, 0d, 0b];
152 174 * Td1[x] = Si[x].[0b, 0e, 09, 0d];
153 175 * Td2[x] = Si[x].[0d, 0b, 0e, 09];
154 176 * Td3[x] = Si[x].[09, 0d, 0b, 0e];
155 177 * Td4[x] = Si[x].[01, 01, 01, 01];
156 178 */
157 179
158 180 /* Encrypt Sbox constants (for the substitute bytes operation) */
159 181
160 182 #ifndef sun4u
161 183
162 184 static const uint32_t Te0[256] =
163 185 {
164 186 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
165 187 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
166 188 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
167 189 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
168 190 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
169 191 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
170 192 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
171 193 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
172 194 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
173 195 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
174 196 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
175 197 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
176 198 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
177 199 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
178 200 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
179 201 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
180 202 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
181 203 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
182 204 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
183 205 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
184 206 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
185 207 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
186 208 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
187 209 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
188 210 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
189 211 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
190 212 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
191 213 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
192 214 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
193 215 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
194 216 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
195 217 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
196 218 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
197 219 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
198 220 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
199 221 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
200 222 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
201 223 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
202 224 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
203 225 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
204 226 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
205 227 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
206 228 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
207 229 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
208 230 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
209 231 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
210 232 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
211 233 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
212 234 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
213 235 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
214 236 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
215 237 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
216 238 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
217 239 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
218 240 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
219 241 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
220 242 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
221 243 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
222 244 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
223 245 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
224 246 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
225 247 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
226 248 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
227 249 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU
228 250 };
229 251
230 252
231 253 static const uint32_t Te1[256] =
232 254 {
233 255 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
234 256 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
235 257 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
236 258 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
237 259 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
238 260 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
239 261 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
240 262 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
241 263 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
242 264 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
243 265 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
244 266 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
245 267 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
246 268 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
247 269 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
248 270 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
249 271 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
250 272 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
251 273 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
252 274 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
253 275 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
254 276 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
255 277 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
256 278 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
257 279 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
258 280 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
259 281 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
260 282 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
261 283 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
262 284 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
263 285 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
264 286 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
265 287 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
266 288 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
267 289 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
268 290 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
269 291 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
270 292 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
271 293 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
272 294 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
273 295 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
274 296 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
275 297 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
276 298 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
277 299 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
278 300 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
279 301 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
280 302 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
281 303 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
282 304 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
283 305 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
284 306 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
285 307 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
286 308 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
287 309 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
288 310 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
289 311 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
290 312 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
291 313 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
292 314 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
293 315 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
294 316 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
295 317 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
296 318 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U
297 319 };
298 320
299 321
300 322 static const uint32_t Te2[256] =
301 323 {
302 324 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
303 325 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
304 326 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
305 327 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
306 328 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
307 329 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
308 330 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
309 331 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
310 332 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
311 333 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
312 334 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
313 335 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
314 336 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
315 337 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
316 338 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
317 339 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
318 340 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
319 341 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
320 342 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
321 343 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
322 344 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
323 345 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
324 346 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
325 347 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
326 348 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
327 349 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
328 350 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
329 351 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
330 352 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
331 353 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
332 354 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
333 355 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
334 356 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
335 357 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
336 358 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
337 359 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
338 360 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
339 361 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
340 362 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
341 363 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
342 364 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
343 365 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
344 366 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
345 367 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
346 368 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
347 369 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
348 370 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
349 371 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
350 372 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
351 373 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
352 374 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
353 375 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
354 376 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
355 377 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
356 378 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
357 379 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
358 380 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
359 381 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
360 382 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
361 383 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
362 384 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
363 385 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
364 386 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
365 387 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U
366 388 };
367 389
368 390
369 391 static const uint32_t Te3[256] =
370 392 {
371 393 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
372 394 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
373 395 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
374 396 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
375 397 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
376 398 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
377 399 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
378 400 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
379 401 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
380 402 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
381 403 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
382 404 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
383 405 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
384 406 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
385 407 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
386 408 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
387 409 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
388 410 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
389 411 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
390 412 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
391 413 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
392 414 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
393 415 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
394 416 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
395 417 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
396 418 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
397 419 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
398 420 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
399 421 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
400 422 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
401 423 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
402 424 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
403 425 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
404 426 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
405 427 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
406 428 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
407 429 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
408 430 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
409 431 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
410 432 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
411 433 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
412 434 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
413 435 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
414 436 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
415 437 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
416 438 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
417 439 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
418 440 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
419 441 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
420 442 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
421 443 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
422 444 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
423 445 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
424 446 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
425 447 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
426 448 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
427 449 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
428 450 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
429 451 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
430 452 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
431 453 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
432 454 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
433 455 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
434 456 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU
435 457 };
436 458
437 459 #endif /* !sun4u */
438 460
439 461 static const uint32_t Te4[256] =
440 462 {
441 463 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
442 464 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
443 465 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
444 466 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
445 467 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
446 468 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
447 469 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
448 470 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
449 471 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
450 472 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
451 473 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
452 474 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
453 475 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
454 476 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
455 477 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
456 478 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
457 479 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
458 480 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
459 481 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
460 482 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
461 483 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
462 484 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
463 485 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
464 486 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
465 487 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
466 488 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
467 489 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
468 490 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
469 491 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
470 492 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
471 493 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
472 494 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
473 495 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
474 496 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
475 497 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
476 498 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
477 499 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
478 500 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
479 501 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
480 502 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
481 503 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
482 504 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
483 505 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
484 506 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
485 507 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
486 508 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
487 509 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
488 510 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
489 511 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
490 512 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
491 513 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
492 514 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
493 515 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
494 516 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
495 517 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
496 518 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
497 519 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
498 520 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
499 521 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
500 522 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
501 523 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
502 524 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
503 525 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
504 526 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U
505 527 };
506 528
507 529 /* Decrypt Sbox constants (for the substitute bytes operation) */
508 530
509 531 static const uint32_t Td0[256] =
510 532 {
511 533 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
512 534 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
513 535 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
514 536 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
515 537 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
516 538 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
517 539 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
518 540 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
519 541 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
520 542 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
521 543 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
522 544 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
523 545 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
524 546 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
525 547 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
526 548 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
527 549 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
528 550 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
529 551 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
530 552 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
531 553 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
532 554 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
533 555 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
534 556 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
535 557 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
536 558 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
537 559 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
538 560 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
539 561 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
540 562 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
541 563 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
542 564 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
543 565 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
544 566 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
545 567 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
546 568 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
547 569 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
548 570 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
549 571 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
550 572 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
551 573 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
552 574 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
553 575 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
554 576 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
555 577 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
556 578 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
557 579 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
558 580 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
559 581 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
560 582 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
561 583 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
562 584 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
563 585 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
564 586 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
565 587 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
566 588 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
567 589 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
568 590 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
569 591 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
570 592 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
571 593 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
572 594 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
573 595 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
574 596 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U
575 597 };
576 598
577 599 static const uint32_t Td1[256] =
578 600 {
579 601 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
580 602 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
581 603 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
582 604 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
583 605 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
584 606 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
585 607 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
586 608 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
587 609 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
588 610 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
589 611 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
590 612 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
591 613 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
592 614 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
593 615 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
594 616 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
595 617 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
596 618 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
597 619 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
598 620 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
599 621 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
600 622 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
601 623 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
602 624 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
603 625 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
604 626 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
605 627 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
606 628 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
607 629 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
608 630 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
609 631 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
610 632 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
611 633 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
612 634 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
613 635 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
614 636 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
615 637 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
616 638 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
617 639 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
618 640 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
619 641 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
620 642 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
621 643 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
622 644 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
623 645 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
624 646 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
625 647 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
626 648 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
627 649 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
628 650 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
629 651 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
630 652 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
631 653 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
632 654 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
633 655 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
634 656 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
635 657 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
636 658 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
637 659 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
638 660 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
639 661 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
640 662 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
641 663 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
642 664 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U
643 665 };
644 666
645 667 static const uint32_t Td2[256] =
646 668 {
647 669 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
648 670 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
649 671 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
650 672 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
651 673 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
652 674 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
653 675 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
654 676 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
655 677 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
656 678 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
657 679 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
658 680 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
659 681 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
660 682 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
661 683 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
662 684 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
663 685 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
664 686 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
665 687 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
666 688 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
667 689 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
668 690 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
669 691 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
670 692 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
671 693 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
672 694 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
673 695 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
674 696 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
675 697 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
676 698 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
677 699 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
678 700 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
679 701 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
680 702 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
681 703 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
682 704 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
683 705 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
684 706 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
685 707 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
686 708 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
687 709 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
688 710 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
689 711 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
690 712 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
691 713 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
692 714 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
693 715 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
694 716 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
695 717 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
696 718 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
697 719 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
698 720 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
699 721 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
700 722 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
701 723 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
702 724 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
703 725 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
704 726 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
705 727 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
706 728 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
707 729 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
708 730 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
709 731 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
710 732 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U
711 733 };
712 734
713 735 static const uint32_t Td3[256] =
714 736 {
715 737 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
716 738 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
717 739 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
718 740 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
719 741 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
720 742 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
721 743 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
722 744 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
723 745 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
724 746 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
725 747 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
726 748 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
727 749 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
728 750 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
729 751 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
730 752 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
731 753 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
732 754 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
733 755 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
734 756 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
735 757 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
736 758 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
737 759 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
738 760 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
739 761 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
740 762 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
741 763 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
742 764 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
743 765 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
744 766 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
745 767 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
746 768 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
747 769 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
748 770 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
749 771 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
750 772 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
751 773 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
752 774 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
753 775 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
754 776 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
755 777 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
756 778 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
757 779 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
758 780 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
759 781 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
760 782 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
761 783 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
762 784 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
763 785 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
764 786 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
765 787 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
766 788 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
767 789 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
768 790 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
769 791 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
770 792 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
771 793 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
772 794 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
773 795 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
774 796 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
775 797 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
776 798 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
777 799 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
778 800 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U
779 801 };
780 802
781 803 #ifndef sun4u
782 804
783 805 static const uint32_t Td4[256] =
784 806 {
785 807 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
786 808 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
787 809 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
788 810 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
789 811 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
790 812 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
791 813 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
792 814 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
793 815 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
794 816 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
795 817 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
796 818 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
797 819 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
798 820 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
799 821 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
800 822 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
801 823 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
802 824 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
803 825 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
804 826 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
805 827 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
806 828 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
807 829 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
808 830 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
809 831 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
810 832 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
811 833 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
812 834 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
813 835 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
814 836 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
815 837 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
816 838 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
817 839 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
818 840 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
819 841 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
820 842 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
821 843 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
822 844 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
823 845 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
824 846 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
825 847 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
826 848 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
827 849 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
828 850 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
829 851 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
830 852 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
831 853 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
832 854 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
833 855 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
834 856 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
835 857 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
836 858 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
837 859 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
838 860 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
839 861 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
840 862 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
841 863 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
842 864 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
843 865 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
844 866 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
845 867 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
846 868 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
847 869 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
848 870 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU
849 871 };
850 872
851 873 #endif /* !sun4u */
852 874
853 875 /* Rcon is Round Constant; used for encryption key expansion */
854 876 static const uint32_t rcon[RC_LENGTH] =
855 877 {
856 878 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
857 879 0x01000000, 0x02000000, 0x04000000, 0x08000000,
858 880 0x10000000, 0x20000000, 0x40000000, 0x80000000,
859 881 0x1B000000, 0x36000000
860 882 };
861 883
862 884
863 885 /*
864 886 * Expand the cipher key into the encryption key schedule.
865 887 *
866 888 * Return the number of rounds for the given cipher key size.
867 889 * The size of the key schedule depends on the number of rounds
868 890 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
869 891 *
870 892 * Parameters:
871 893 * rk AES key schedule 32-bit array to be initialized
872 894 * cipherKey User key
873 895 * keyBits AES key size (128, 192, or 256 bits)
874 896 */
875 897 static int
876 898 rijndael_key_setup_enc_raw(uint32_t rk[], const uint32_t cipherKey[],
877 899 int keyBits)
878 900 {
879 901 int i = 0;
880 902 uint32_t temp;
881 903
882 904 rk[0] = cipherKey[0];
883 905 rk[1] = cipherKey[1];
884 906 rk[2] = cipherKey[2];
885 907 rk[3] = cipherKey[3];
886 908
887 909 if (keyBits == 128) {
888 910 for (;;) {
889 911 temp = rk[3];
890 912 rk[4] = rk[0] ^
891 913 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
892 914 (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
893 915 (Te4[temp & 0xff] & 0x0000ff00) ^
894 916 (Te4[temp >> 24] & 0x000000ff) ^
895 917 rcon[i];
896 918 rk[5] = rk[1] ^ rk[4];
897 919 rk[6] = rk[2] ^ rk[5];
898 920 rk[7] = rk[3] ^ rk[6];
899 921
900 922 if (++i == 10) {
901 923 return (10);
902 924 }
903 925 rk += 4;
904 926 }
905 927 }
906 928
907 929 rk[4] = cipherKey[4];
908 930 rk[5] = cipherKey[5];
909 931
910 932 if (keyBits == 192) {
911 933 for (;;) {
912 934 temp = rk[5];
913 935 rk[6] = rk[0] ^
914 936 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
915 937 (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
916 938 (Te4[temp & 0xff] & 0x0000ff00) ^
917 939 (Te4[temp >> 24] & 0x000000ff) ^
918 940 rcon[i];
919 941 rk[7] = rk[1] ^ rk[6];
920 942 rk[8] = rk[2] ^ rk[7];
921 943 rk[9] = rk[3] ^ rk[8];
922 944
923 945 if (++i == 8) {
924 946 return (12);
925 947 }
926 948
927 949 rk[10] = rk[4] ^ rk[9];
928 950 rk[11] = rk[5] ^ rk[10];
929 951 rk += 6;
930 952 }
931 953 }
932 954
933 955 rk[6] = cipherKey[6];
934 956 rk[7] = cipherKey[7];
935 957
936 958 if (keyBits == 256) {
937 959 for (;;) {
938 960 temp = rk[7];
939 961 rk[8] = rk[0] ^
940 962 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
941 963 (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
942 964 (Te4[temp & 0xff] & 0x0000ff00) ^
943 965 (Te4[temp >> 24] & 0x000000ff) ^
944 966 rcon[i];
945 967 rk[9] = rk[1] ^ rk[8];
946 968 rk[10] = rk[2] ^ rk[9];
947 969 rk[11] = rk[3] ^ rk[10];
948 970
949 971 if (++i == 7) {
950 972 return (14);
951 973 }
952 974 temp = rk[11];
953 975 rk[12] = rk[4] ^
954 976 (Te4[temp >> 24] & 0xff000000) ^
955 977 (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
956 978 (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
957 979 (Te4[temp & 0xff] & 0x000000ff);
958 980 rk[13] = rk[5] ^ rk[12];
959 981 rk[14] = rk[6] ^ rk[13];
960 982 rk[15] = rk[7] ^ rk[14];
961 983
962 984 rk += 8;
963 985 }
964 986 }
965 987
966 988 return (0);
967 989 }
968 990 #endif /* !__amd64 */
969 991
970 992
971 993 #ifdef sun4u
972 994
973 995 /*
974 996 * Expand the cipher key into the encryption key schedule.
975 997 * by the sun4u optimized assembly implementation.
976 998 *
977 999 * Return the number of rounds for the given cipher key size.
978 1000 * The size of the key schedule depends on the number of rounds
979 1001 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
980 1002 *
981 1003 * Parameters:
982 1004 * rk AES key schedule 64-bit array to be initialized
983 1005 * cipherKey User key
984 1006 * keyBits AES key size (128, 192, or 256 bits)
985 1007 */
986 1008 static int
987 1009 rijndael_key_setup_enc(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
988 1010 {
989 1011 uint32_t rk1[4 * (MAX_AES_NR + 1)];
990 1012 uint64_t *rk64 = (uint64_t *)rk;
991 1013 uint32_t *rkt;
992 1014 uint64_t t;
993 1015 int i, Nr;
994 1016
995 1017 Nr = rijndael_key_setup_enc_raw(rk1, cipherKey, keyBits);
996 1018
997 1019 for (i = 0; i < 4 * Nr; i++) {
998 1020 t = (uint64_t)(rk1[i]);
999 1021 rk64[i] = ((t & 0xff000000) << 11) |
1000 1022 ((t & 0xff0000) << 8) |
1001 1023 ((t & 0xffff) << 3);
1002 1024 }
1003 1025
1004 1026 rkt = (uint32_t *)(&(rk64[4 * Nr]));
1005 1027
1006 1028 for (i = 0; i < 4; i++) {
1007 1029 rkt[i] = rk1[4 * Nr+i];
1008 1030 }
1009 1031
1010 1032 return (Nr);
1011 1033 }
1012 1034
1013 1035
1014 1036 /*
1015 1037 * Expand the cipher key into the decryption key schedule as used
1016 1038 * by the sun4u optimized assembly implementation.
1017 1039 *
1018 1040 * Return the number of rounds for the given cipher key size.
1019 1041 * The size of the key schedule depends on the number of rounds
1020 1042 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1021 1043 *
1022 1044 * Parameters:
1023 1045 * rk AES key schedule 32-bit array to be initialized
1024 1046 * cipherKey User key
1025 1047 * keyBits AES key size (128, 192, or 256 bits)
1026 1048 */
1027 1049 static int
1028 1050 rijndael_key_setup_dec_raw(uint32_t rk[], const uint32_t cipherKey[],
1029 1051 int keyBits)
1030 1052 {
1031 1053 int Nr, i;
1032 1054 uint32_t temp;
1033 1055
1034 1056 /* expand the cipher key: */
1035 1057 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
1036 1058
1037 1059 /* invert the order of the round keys: */
1038 1060
1039 1061 for (i = 0; i < 2 * Nr + 2; i++) {
1040 1062 temp = rk[i];
1041 1063 rk[i] = rk[4 * Nr - i + 3];
1042 1064 rk[4 * Nr - i + 3] = temp;
1043 1065 }
1044 1066
1045 1067 /*
1046 1068 * apply the inverse MixColumn transform to all
1047 1069 * round keys but the first and the last:
1048 1070 */
1049 1071 for (i = 1; i < Nr; i++) {
1050 1072 rk += 4;
1051 1073 rk[0] = Td0[Te4[rk[0] >> 24] & 0xff] ^
1052 1074 Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
1053 1075 Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
1054 1076 Td3[Te4[rk[0] & 0xff] & 0xff];
1055 1077 rk[1] = Td0[Te4[rk[1] >> 24] & 0xff] ^
1056 1078 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1057 1079 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
1058 1080 Td3[Te4[rk[1] & 0xff] & 0xff];
1059 1081 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
1060 1082 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1061 1083 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
1062 1084 Td3[Te4[rk[2] & 0xff] & 0xff];
1063 1085 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
1064 1086 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1065 1087 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
1066 1088 Td3[Te4[rk[3] & 0xff] & 0xff];
1067 1089 }
1068 1090
1069 1091 return (Nr);
1070 1092 }
1071 1093
1072 1094
1073 1095 /*
1074 1096 * The size of the key schedule depends on the number of rounds
1075 1097 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1076 1098 *
1077 1099 * Parameters:
1078 1100 * rk AES key schedule 64-bit array to be initialized
1079 1101 * cipherKey User key
1080 1102 * keyBits AES key size (128, 192, or 256 bits)
1081 1103 */
1082 1104 static int
1083 1105 rijndael_key_setup_dec(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
1084 1106 {
1085 1107 uint32_t rk1[4 * (MAX_AES_NR + 1)];
1086 1108 uint64_t *rk64 = (uint64_t *)rk;
1087 1109 uint32_t *rkt;
1088 1110 uint64_t t;
1089 1111 int i, Nr;
1090 1112
1091 1113 Nr = rijndael_key_setup_dec_raw(rk1, cipherKey, keyBits);
1092 1114 for (i = 0; i < 4 * Nr; i++) {
1093 1115 t = (uint64_t)(rk1[i]);
1094 1116 rk64[i] = ((t & 0xff000000) << 11) |
1095 1117 ((t & 0xff0000) << 8) |
1096 1118 ((t & 0xffff) << 3);
1097 1119 }
1098 1120
1099 1121 rkt = (uint32_t *)(&(rk64[4 * Nr]));
1100 1122
1101 1123 for (i = 0; i < 4; i++) {
1102 1124 rkt[i] = rk1[4 * Nr + i];
1103 1125 }
1104 1126
1105 1127 return (Nr);
1106 1128 }
1107 1129
1108 1130
1109 1131 /*
1110 1132 * Expand the 64-bit AES cipher key array into the encryption and decryption
1111 1133 * key schedules.
1112 1134 *
1113 1135 * Parameters:
1114 1136 * key AES key schedule to be initialized
1115 1137 * keyarr32 User key
1116 1138 * keyBits AES key size (128, 192, or 256 bits)
1117 1139 */
1118 1140 static void
1119 1141 aes_setupkeys(aes_key_t *key, const uint32_t *keyarr32, int keybits)
1120 1142 {
1121 1143 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks64[0]), keyarr32,
1122 1144 keybits);
1123 1145 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks64[0]), keyarr32,
1124 1146 keybits);
1125 1147 key->type = AES_64BIT_KS;
1126 1148 }
1127 1149
1128 1150
1129 1151 #elif defined(__amd64)
1130 1152
1131 1153 /*
1132 1154 * Expand the 32-bit AES cipher key array into the encryption and decryption
|
↓ open down ↓ |
991 lines elided |
↑ open up ↑ |
1133 1155 * key schedules.
1134 1156 *
1135 1157 * Parameters:
1136 1158 * key AES key schedule to be initialized
1137 1159 * keyarr32 User key
1138 1160 * keyBits AES key size (128, 192, or 256 bits)
1139 1161 */
1140 1162 static void
1141 1163 aes_setupkeys(aes_key_t *key, const uint32_t *keyarr32, int keybits)
1142 1164 {
1165 + AES_ACCEL_SAVESTATE(savestate);
1166 + aes_accel_enter(savestate);
1167 +
1143 1168 if (intel_aes_instructions_present()) {
1144 - key->flags = INTEL_AES_NI_CAPABLE;
1145 - KPREEMPT_DISABLE;
1146 1169 key->nr = rijndael_key_setup_enc_intel(&(key->encr_ks.ks32[0]),
1147 1170 keyarr32, keybits);
1148 1171 key->nr = rijndael_key_setup_dec_intel(&(key->decr_ks.ks32[0]),
1149 1172 keyarr32, keybits);
1150 - KPREEMPT_ENABLE;
1151 1173 } else {
1152 - key->flags = 0;
1153 1174 key->nr = rijndael_key_setup_enc_amd64(&(key->encr_ks.ks32[0]),
1154 1175 keyarr32, keybits);
1155 1176 key->nr = rijndael_key_setup_dec_amd64(&(key->decr_ks.ks32[0]),
1156 1177 keyarr32, keybits);
1157 1178 }
1158 1179
1180 + aes_accel_exit(savestate);
1159 1181 key->type = AES_32BIT_KS;
1160 1182 }
1161 1183
1162 -/*
1163 - * Encrypt one block of data. The block is assumed to be an array
1164 - * of four uint32_t values, so copy for alignment (and byte-order
1165 - * reversal for little endian systems might be necessary on the
1166 - * input and output byte streams.
1167 - * The size of the key schedule depends on the number of rounds
1168 - * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1169 - *
1170 - * Parameters:
1171 - * rk Key schedule, of aes_ks_t (60 32-bit integers)
1172 - * Nr Number of rounds
1173 - * pt Input block (plain text)
1174 - * ct Output block (crypto text). Can overlap with pt
1175 - * flags Indicates whether we're on Intel AES-NI-capable hardware
1176 - */
1177 -static void
1178 -rijndael_encrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
1179 - uint32_t ct[4], int flags) {
1180 - if (flags & INTEL_AES_NI_CAPABLE) {
1181 - KPREEMPT_DISABLE;
1182 - aes_encrypt_intel(rk, Nr, pt, ct);
1183 - KPREEMPT_ENABLE;
1184 - } else {
1185 - aes_encrypt_amd64(rk, Nr, pt, ct);
1186 - }
1187 -}
1188 -
1189 -/*
1190 - * Decrypt one block of data. The block is assumed to be an array
1191 - * of four uint32_t values, so copy for alignment (and byte-order
1192 - * reversal for little endian systems might be necessary on the
1193 - * input and output byte streams.
1194 - * The size of the key schedule depends on the number of rounds
1195 - * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1196 - *
1197 - * Parameters:
1198 - * rk Key schedule, of aes_ks_t (60 32-bit integers)
1199 - * Nr Number of rounds
1200 - * ct Input block (crypto text)
1201 - * pt Output block (plain text). Can overlap with pt
1202 - * flags Indicates whether we're on Intel AES-NI-capable hardware
1203 - */
1204 -static void
1205 -rijndael_decrypt(const uint32_t rk[], int Nr, const uint32_t ct[4],
1206 - uint32_t pt[4], int flags) {
1207 - if (flags & INTEL_AES_NI_CAPABLE) {
1208 - KPREEMPT_DISABLE;
1209 - aes_decrypt_intel(rk, Nr, ct, pt);
1210 - KPREEMPT_ENABLE;
1211 - } else {
1212 - aes_decrypt_amd64(rk, Nr, ct, pt);
1213 - }
1214 -}
1215 -
1216 -
1217 1184 #else /* generic C implementation */
1218 1185
1219 1186 /*
1220 1187 * Expand the cipher key into the decryption key schedule.
1221 1188 * Return the number of rounds for the given cipher key size.
1222 1189 * The size of the key schedule depends on the number of rounds
1223 1190 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1224 1191 *
1225 1192 * Parameters:
1226 1193 * rk AES key schedule 32-bit array to be initialized
1227 1194 * cipherKey User key
1228 1195 * keyBits AES key size (128, 192, or 256 bits)
1229 1196 */
1230 1197 static int
1231 1198 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
1232 1199 {
1233 1200 int Nr, i, j;
1234 1201 uint32_t temp;
1235 1202
1236 1203 /* expand the cipher key: */
1237 1204 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
1238 1205
1239 1206 /* invert the order of the round keys: */
1240 1207 for (i = 0, j = 4 * Nr; i < j; i += 4, j -= 4) {
1241 1208 temp = rk[i];
1242 1209 rk[i] = rk[j];
1243 1210 rk[j] = temp;
1244 1211 temp = rk[i + 1];
1245 1212 rk[i + 1] = rk[j + 1];
1246 1213 rk[j + 1] = temp;
1247 1214 temp = rk[i + 2];
1248 1215 rk[i + 2] = rk[j + 2];
1249 1216 rk[j + 2] = temp;
1250 1217 temp = rk[i + 3];
1251 1218 rk[i + 3] = rk[j + 3];
1252 1219 rk[j + 3] = temp;
1253 1220 }
1254 1221
1255 1222 /*
1256 1223 * apply the inverse MixColumn transform to all
1257 1224 * round keys but the first and the last:
1258 1225 */
1259 1226 for (i = 1; i < Nr; i++) {
1260 1227 rk += 4;
1261 1228 rk[0] = Td0[Te4[rk[0] >> 24] & 0xff] ^
1262 1229 Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
1263 1230 Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
1264 1231 Td3[Te4[rk[0] & 0xff] & 0xff];
1265 1232 rk[1] = Td0[Te4[rk[1] >> 24] & 0xff] ^
1266 1233 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1267 1234 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
1268 1235 Td3[Te4[rk[1] & 0xff] & 0xff];
1269 1236 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
1270 1237 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1271 1238 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
1272 1239 Td3[Te4[rk[2] & 0xff] & 0xff];
1273 1240 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
1274 1241 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1275 1242 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
1276 1243 Td3[Te4[rk[3] & 0xff] & 0xff];
1277 1244 }
1278 1245
1279 1246 return (Nr);
1280 1247 }
1281 1248
1282 1249
1283 1250 /*
1284 1251 * Expand the 32-bit AES cipher key array into the encryption and decryption
1285 1252 * key schedules.
1286 1253 *
1287 1254 * Parameters:
1288 1255 * key AES key schedule to be initialized
1289 1256 * keyarr32 User key
1290 1257 * keyBits AES key size (128, 192, or 256 bits)
1291 1258 */
1292 1259 static void
1293 1260 aes_setupkeys(aes_key_t *key, const uint32_t *keyarr32, int keybits)
1294 1261 {
1295 1262 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks32[0]), keyarr32,
1296 1263 keybits);
1297 1264 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks32[0]), keyarr32,
1298 1265 keybits);
1299 1266 key->type = AES_32BIT_KS;
1300 1267 }
1301 1268
1302 1269
1303 1270 /*
1304 1271 * Encrypt one block of data. The block is assumed to be an array
1305 1272 * of four uint32_t values, so copy for alignment (and byte-order
1306 1273 * reversal for little endian systems might be necessary on the
1307 1274 * input and output byte streams.
1308 1275 * The size of the key schedule depends on the number of rounds
1309 1276 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1310 1277 *
1311 1278 * Parameters:
1312 1279 * rk Key schedule, of aes_ks_t (60 32-bit integers)
1313 1280 * Nr Number of rounds
1314 1281 * pt Input block (plain text)
1315 1282 * ct Output block (crypto text). Can overlap with pt
1316 1283 */
1317 1284 static void
1318 1285 rijndael_encrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
1319 1286 uint32_t ct[4])
1320 1287 {
1321 1288 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1322 1289 int r;
1323 1290
1324 1291 /*
1325 1292 * map byte array block to cipher state
1326 1293 * and add initial round key:
1327 1294 */
1328 1295
1329 1296 s0 = pt[0] ^ rk[0];
1330 1297 s1 = pt[1] ^ rk[1];
1331 1298 s2 = pt[2] ^ rk[2];
1332 1299 s3 = pt[3] ^ rk[3];
1333 1300
1334 1301 /*
1335 1302 * Nr - 1 full rounds:
1336 1303 */
1337 1304
1338 1305 r = Nr >> 1;
1339 1306
1340 1307 for (;;) {
1341 1308 t0 = Te0[s0 >> 24] ^
1342 1309 Te1[(s1 >> 16) & 0xff] ^
1343 1310 Te2[(s2 >> 8) & 0xff] ^
1344 1311 Te3[s3 & 0xff] ^
1345 1312 rk[4];
1346 1313
1347 1314 t1 = Te0[s1 >> 24] ^
1348 1315 Te1[(s2 >> 16) & 0xff] ^
1349 1316 Te2[(s3 >> 8) & 0xff] ^
1350 1317 Te3[s0 & 0xff] ^
1351 1318 rk[5];
1352 1319
1353 1320 t2 = Te0[s2 >> 24] ^
1354 1321 Te1[(s3 >> 16) & 0xff] ^
1355 1322 Te2[(s0 >> 8) & 0xff] ^
1356 1323 Te3[s1 & 0xff] ^
1357 1324 rk[6];
1358 1325
1359 1326 t3 = Te0[s3 >> 24] ^
1360 1327 Te1[(s0 >> 16) & 0xff] ^
1361 1328 Te2[(s1 >> 8) & 0xff] ^
1362 1329 Te3[s2 & 0xff] ^
1363 1330 rk[7];
1364 1331
1365 1332 rk += 8;
1366 1333
1367 1334 if (--r == 0) {
1368 1335 break;
1369 1336 }
1370 1337
1371 1338 s0 = Te0[t0 >> 24] ^
1372 1339 Te1[(t1 >> 16) & 0xff] ^
1373 1340 Te2[(t2 >> 8) & 0xff] ^
1374 1341 Te3[t3 & 0xff] ^
1375 1342 rk[0];
1376 1343
1377 1344 s1 = Te0[t1 >> 24] ^
1378 1345 Te1[(t2 >> 16) & 0xff] ^
1379 1346 Te2[(t3 >> 8) & 0xff] ^
1380 1347 Te3[t0 & 0xff] ^
1381 1348 rk[1];
1382 1349
1383 1350 s2 = Te0[t2 >> 24] ^
1384 1351 Te1[(t3 >> 16) & 0xff] ^
1385 1352 Te2[(t0 >> 8) & 0xff] ^
1386 1353 Te3[t1 & 0xff] ^
1387 1354 rk[2];
1388 1355
1389 1356 s3 = Te0[t3 >> 24] ^
1390 1357 Te1[(t0 >> 16) & 0xff] ^
1391 1358 Te2[(t1 >> 8) & 0xff] ^
1392 1359 Te3[t2 & 0xff] ^
1393 1360 rk[3];
1394 1361 }
1395 1362
1396 1363 /*
1397 1364 * apply last round and
1398 1365 * map cipher state to byte array block:
1399 1366 */
1400 1367
1401 1368 s0 = (Te4[(t0 >> 24)] & 0xff000000) ^
1402 1369 (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1403 1370 (Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
1404 1371 (Te4[t3 & 0xff] & 0x000000ff) ^
1405 1372 rk[0];
1406 1373 ct[0] = s0;
1407 1374
1408 1375 s1 = (Te4[(t1 >> 24)] & 0xff000000) ^
1409 1376 (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1410 1377 (Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
1411 1378 (Te4[t0 & 0xff] & 0x000000ff) ^
1412 1379 rk[1];
1413 1380 ct[1] = s1;
1414 1381
1415 1382 s2 = (Te4[(t2 >> 24)] & 0xff000000) ^
1416 1383 (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
1417 1384 (Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
1418 1385 (Te4[t1 & 0xff] & 0x000000ff) ^
1419 1386 rk[2];
1420 1387 ct[2] = s2;
1421 1388
1422 1389 s3 = (Te4[(t3 >> 24)] & 0xff000000) ^
1423 1390 (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1424 1391 (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1425 1392 (Te4[t2 & 0xff] & 0x000000ff) ^
1426 1393 rk[3];
1427 1394 ct[3] = s3;
1428 1395 }
1429 1396
1430 1397
1431 1398 /*
1432 1399 * Decrypt one block of data. The block is assumed to be an array
1433 1400 * of four uint32_t values, so copy for alignment (and byte-order
1434 1401 * reversal for little endian systems might be necessary on the
1435 1402 * input and output byte streams.
1436 1403 * The size of the key schedule depends on the number of rounds
1437 1404 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1438 1405 *
1439 1406 * Parameters:
1440 1407 * rk Key schedule, of aes_ks_t (60 32-bit integers)
1441 1408 * Nr Number of rounds
1442 1409 * ct Input block (crypto text)
1443 1410 * pt Output block (plain text). Can overlap with pt
1444 1411 */
1445 1412 static void
1446 1413 rijndael_decrypt(const uint32_t rk[], int Nr, const uint32_t ct[4],
1447 1414 uint32_t pt[4])
1448 1415 {
1449 1416 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1450 1417 int r;
1451 1418
1452 1419 /*
1453 1420 * map byte array block to cipher state
1454 1421 * and add initial round key:
1455 1422 */
1456 1423 s0 = ct[0] ^ rk[0];
1457 1424 s1 = ct[1] ^ rk[1];
1458 1425 s2 = ct[2] ^ rk[2];
1459 1426 s3 = ct[3] ^ rk[3];
1460 1427
1461 1428 /*
1462 1429 * Nr - 1 full rounds:
1463 1430 */
1464 1431
1465 1432 r = Nr >> 1;
1466 1433
1467 1434 for (;;) {
1468 1435 t0 = Td0[s0 >> 24] ^
1469 1436 Td1[(s3 >> 16) & 0xff] ^
1470 1437 Td2[(s2 >> 8) & 0xff] ^
1471 1438 Td3[s1 & 0xff] ^
1472 1439 rk[4];
1473 1440
1474 1441 t1 = Td0[s1 >> 24] ^
1475 1442 Td1[(s0 >> 16) & 0xff] ^
1476 1443 Td2[(s3 >> 8) & 0xff] ^
1477 1444 Td3[s2 & 0xff] ^
1478 1445 rk[5];
1479 1446
1480 1447 t2 = Td0[s2 >> 24] ^
1481 1448 Td1[(s1 >> 16) & 0xff] ^
1482 1449 Td2[(s0 >> 8) & 0xff] ^
1483 1450 Td3[s3 & 0xff] ^
1484 1451 rk[6];
1485 1452
1486 1453 t3 = Td0[s3 >> 24] ^
1487 1454 Td1[(s2 >> 16) & 0xff] ^
1488 1455 Td2[(s1 >> 8) & 0xff] ^
1489 1456 Td3[s0 & 0xff] ^
1490 1457 rk[7];
1491 1458
1492 1459 rk += 8;
1493 1460
1494 1461 if (--r == 0) {
1495 1462 break;
1496 1463 }
1497 1464
1498 1465 s0 = Td0[t0 >> 24] ^
1499 1466 Td1[(t3 >> 16) & 0xff] ^
1500 1467 Td2[(t2 >> 8) & 0xff] ^
1501 1468 Td3[t1 & 0xff] ^
1502 1469 rk[0];
1503 1470
1504 1471 s1 = Td0[t1 >> 24] ^
1505 1472 Td1[(t0 >> 16) & 0xff] ^
1506 1473 Td2[(t3 >> 8) & 0xff] ^
1507 1474 Td3[t2 & 0xff] ^
1508 1475 rk[1];
1509 1476
1510 1477 s2 = Td0[t2 >> 24] ^
1511 1478 Td1[(t1 >> 16) & 0xff] ^
1512 1479 Td2[(t0 >> 8) & 0xff] ^
1513 1480 Td3[t3 & 0xff] ^
1514 1481 rk[2];
1515 1482
1516 1483 s3 = Td0[t3 >> 24] ^
1517 1484 Td1[(t2 >> 16) & 0xff] ^
1518 1485 Td2[(t1 >> 8) & 0xff] ^
1519 1486 Td3[t0 & 0xff] ^
1520 1487 rk[3];
1521 1488 }
1522 1489
1523 1490 /*
1524 1491 * apply last round and
1525 1492 * map cipher state to byte array block:
1526 1493 */
1527 1494
1528 1495 s0 = (Td4[t0 >> 24] & 0xff000000) ^
1529 1496 (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
1530 1497 (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
1531 1498 (Td4[t1 & 0xff] & 0x000000ff) ^
1532 1499 rk[0];
1533 1500 pt[0] = s0;
1534 1501
1535 1502 s1 = (Td4[t1 >> 24] & 0xff000000) ^
1536 1503 (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1537 1504 (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
1538 1505 (Td4[t2 & 0xff] & 0x000000ff) ^
1539 1506 rk[1];
1540 1507 pt[1] = s1;
1541 1508
1542 1509 s2 = (Td4[t2 >> 24] & 0xff000000) ^
1543 1510 (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1544 1511 (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
1545 1512 (Td4[t3 & 0xff] & 0x000000ff) ^
1546 1513 rk[2];
1547 1514 pt[2] = s2;
1548 1515
1549 1516 s3 = (Td4[t3 >> 24] & 0xff000000) ^
1550 1517 (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1551 1518 (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1552 1519 (Td4[t0 & 0xff] & 0x000000ff) ^
1553 1520 rk[3];
1554 1521 pt[3] = s3;
1555 1522 }
1556 1523 #endif /* sun4u, __amd64 */
1557 1524
1558 1525
1559 1526 /*
1560 1527 * Initialize AES encryption and decryption key schedules.
1561 1528 *
1562 1529 * Parameters:
1563 1530 * cipherKey User key
1564 1531 * keyBits AES key size (128, 192, or 256 bits)
1565 1532 * keysched AES key schedule to be initialized, of type aes_key_t.
1566 1533 * Allocated by aes_alloc_keysched().
1567 1534 */
1568 1535 void
1569 1536 aes_init_keysched(const uint8_t *cipherKey, uint_t keyBits, void *keysched)
1570 1537 {
1571 1538 aes_key_t *newbie = keysched;
1572 1539 uint_t keysize, i, j;
1573 1540 union {
1574 1541 uint64_t ka64[4];
1575 1542 uint32_t ka32[8];
1576 1543 } keyarr;
1577 1544
1578 1545 switch (keyBits) {
1579 1546 case 128:
1580 1547 newbie->nr = 10;
1581 1548 break;
1582 1549
1583 1550 case 192:
1584 1551 newbie->nr = 12;
1585 1552 break;
1586 1553
1587 1554 case 256:
1588 1555 newbie->nr = 14;
1589 1556 break;
1590 1557
1591 1558 default:
1592 1559 /* should never get here */
1593 1560 return;
1594 1561 }
1595 1562 keysize = CRYPTO_BITS2BYTES(keyBits);
1596 1563
1597 1564 /*
1598 1565 * For _LITTLE_ENDIAN machines (except AMD64), reverse every
1599 1566 * 4 bytes in the key. On _BIG_ENDIAN and AMD64, copy the key
1600 1567 * without reversing bytes.
1601 1568 * For AMD64, do not byte swap for aes_setupkeys().
1602 1569 *
1603 1570 * SPARCv8/v9 uses a key schedule array with 64-bit elements.
1604 1571 * X86/AMD64 uses a key schedule array with 32-bit elements.
1605 1572 */
1606 1573 #ifndef AES_BYTE_SWAP
1607 1574 if (IS_P2ALIGNED(cipherKey, sizeof (uint64_t))) {
1608 1575 for (i = 0, j = 0; j < keysize; i++, j += 8) {
1609 1576 /* LINTED: pointer alignment */
1610 1577 keyarr.ka64[i] = *((uint64_t *)&cipherKey[j]);
1611 1578 }
1612 1579 } else {
1613 1580 bcopy(cipherKey, keyarr.ka32, keysize);
1614 1581 }
|
↓ open down ↓ |
388 lines elided |
↑ open up ↑ |
1615 1582
1616 1583 #else /* byte swap */
1617 1584 for (i = 0, j = 0; j < keysize; i++, j += 4) {
1618 1585 keyarr.ka32[i] = htonl(*(uint32_t *)(void *)&cipherKey[j]);
1619 1586 }
1620 1587 #endif
1621 1588
1622 1589 aes_setupkeys(newbie, keyarr.ka32, keyBits);
1623 1590 }
1624 1591
1592 +#if defined(__amd64) && defined(_KERNEL)
1593 +void
1594 +aes_accel_enter(void *savestate)
1595 +{
1596 + KPREEMPT_DISABLE;
1597 + aes_accel_save(savestate);
1598 +}
1625 1599
1600 +void
1601 +aes_accel_exit(void *savestate)
1602 +{
1603 + aes_accel_restore(savestate);
1604 + KPREEMPT_ENABLE;
1605 +}
1606 +#endif /* defined(__amd64) && defined(_KERNEL) */
1607 +
1626 1608 /*
1627 1609 * Encrypt one block using AES.
1628 1610 * Align if needed and (for x86 32-bit only) byte-swap.
1629 1611 *
1630 1612 * Parameters:
1631 1613 * ks Key schedule, of type aes_key_t
1632 1614 * pt Input block (plain text)
1633 1615 * ct Output block (crypto text). Can overlap with pt
1634 1616 */
1635 1617 int
1636 1618 aes_encrypt_block(const void *ks, const uint8_t *pt, uint8_t *ct)
1637 1619 {
1638 1620 aes_key_t *ksch = (aes_key_t *)ks;
1639 1621
1622 +#ifdef __amd64
1623 + if (intel_aes_instructions_present())
1624 + aes_encrypt_intel(&ksch->encr_ks.ks32[0], ksch->nr,
1625 + /* LINTED: pointer alignment */
1626 + (uint32_t *)pt, (uint32_t *)ct);
1627 + else
1628 + aes_encrypt_amd64(&ksch->encr_ks.ks32[0], ksch->nr,
1629 + /* LINTED: pointer alignment */
1630 + (uint32_t *)pt, (uint32_t *)ct);
1631 +#else /* !__amd64 */
1640 1632 #ifndef AES_BYTE_SWAP
1641 1633 if (IS_P2ALIGNED2(pt, ct, sizeof (uint32_t))) {
1642 - /* LINTED: pointer alignment */
1643 1634 AES_ENCRYPT_IMPL(&ksch->encr_ks.ks32[0], ksch->nr,
1644 1635 /* LINTED: pointer alignment */
1645 - (uint32_t *)pt, (uint32_t *)ct, ksch->flags);
1636 + (uint32_t *)pt, (uint32_t *)ct);
1646 1637 } else {
1647 1638 #endif
1648 1639 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1649 1640
1650 1641 /* Copy input block into buffer */
1651 1642 #ifndef AES_BYTE_SWAP
1652 1643 bcopy(pt, &buffer, AES_BLOCK_LEN);
1653 1644
1654 1645 #else /* byte swap */
1655 1646 buffer[0] = htonl(*(uint32_t *)(void *)&pt[0]);
1656 1647 buffer[1] = htonl(*(uint32_t *)(void *)&pt[4]);
1657 1648 buffer[2] = htonl(*(uint32_t *)(void *)&pt[8]);
1658 1649 buffer[3] = htonl(*(uint32_t *)(void *)&pt[12]);
1659 -#endif
1650 +#endif /* byte swap */
1660 1651
1661 1652 AES_ENCRYPT_IMPL(&ksch->encr_ks.ks32[0], ksch->nr,
1662 - buffer, buffer, ksch->flags);
1653 + buffer, buffer);
1663 1654
1664 1655 /* Copy result from buffer to output block */
1665 1656 #ifndef AES_BYTE_SWAP
1666 1657 bcopy(&buffer, ct, AES_BLOCK_LEN);
1667 1658 }
1668 1659
1669 1660 #else /* byte swap */
1670 1661 *(uint32_t *)(void *)&ct[0] = htonl(buffer[0]);
1671 1662 *(uint32_t *)(void *)&ct[4] = htonl(buffer[1]);
1672 1663 *(uint32_t *)(void *)&ct[8] = htonl(buffer[2]);
1673 1664 *(uint32_t *)(void *)&ct[12] = htonl(buffer[3]);
1674 -#endif
1665 +#endif /* byte swap */
1666 +#endif /* !__amd64 */
1667 +
1675 1668 return (CRYPTO_SUCCESS);
1676 1669 }
1677 1670
1678 1671
1679 1672 /*
1680 1673 * Decrypt one block using AES.
1681 1674 * Align and byte-swap if needed.
1682 1675 *
1683 1676 * Parameters:
1684 1677 * ks Key schedule, of type aes_key_t
1685 1678 * ct Input block (crypto text)
1686 1679 * pt Output block (plain text). Can overlap with pt
1687 1680 */
1688 1681 int
1689 1682 aes_decrypt_block(const void *ks, const uint8_t *ct, uint8_t *pt)
1690 1683 {
1691 1684 aes_key_t *ksch = (aes_key_t *)ks;
1692 1685
1686 +#ifdef __amd64
1687 + if (intel_aes_instructions_present())
1688 + aes_decrypt_intel(&ksch->decr_ks.ks32[0], ksch->nr,
1689 + /* LINTED: pointer alignment */
1690 + (uint32_t *)ct, (uint32_t *)pt);
1691 + else
1692 + aes_decrypt_amd64(&ksch->decr_ks.ks32[0], ksch->nr,
1693 + /* LINTED: pointer alignment */
1694 + (uint32_t *)ct, (uint32_t *)pt);
1695 +#else /* !__amd64 */
1693 1696 #ifndef AES_BYTE_SWAP
1694 1697 if (IS_P2ALIGNED2(ct, pt, sizeof (uint32_t))) {
1695 - /* LINTED: pointer alignment */
1696 1698 AES_DECRYPT_IMPL(&ksch->decr_ks.ks32[0], ksch->nr,
1697 1699 /* LINTED: pointer alignment */
1698 - (uint32_t *)ct, (uint32_t *)pt, ksch->flags);
1700 + (uint32_t *)ct, (uint32_t *)pt);
1699 1701 } else {
1700 1702 #endif
1701 1703 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1702 1704
1703 1705 /* Copy input block into buffer */
1704 1706 #ifndef AES_BYTE_SWAP
1705 1707 bcopy(ct, &buffer, AES_BLOCK_LEN);
1706 1708
1707 1709 #else /* byte swap */
1708 1710 buffer[0] = htonl(*(uint32_t *)(void *)&ct[0]);
1709 1711 buffer[1] = htonl(*(uint32_t *)(void *)&ct[4]);
1710 1712 buffer[2] = htonl(*(uint32_t *)(void *)&ct[8]);
1711 1713 buffer[3] = htonl(*(uint32_t *)(void *)&ct[12]);
1712 -#endif
1714 +#endif /* byte swap */
1713 1715
1714 1716 AES_DECRYPT_IMPL(&ksch->decr_ks.ks32[0], ksch->nr,
1715 - buffer, buffer, ksch->flags);
1717 + buffer, buffer);
1716 1718
1717 1719 /* Copy result from buffer to output block */
1718 1720 #ifndef AES_BYTE_SWAP
1719 1721 bcopy(&buffer, pt, AES_BLOCK_LEN);
1720 1722 }
1721 1723
1722 1724 #else /* byte swap */
1723 1725 *(uint32_t *)(void *)&pt[0] = htonl(buffer[0]);
1724 1726 *(uint32_t *)(void *)&pt[4] = htonl(buffer[1]);
1725 1727 *(uint32_t *)(void *)&pt[8] = htonl(buffer[2]);
1726 1728 *(uint32_t *)(void *)&pt[12] = htonl(buffer[3]);
1727 -#endif
1729 +#endif /* byte swap */
1730 +#endif /* !__amd64 */
1728 1731
1729 1732 return (CRYPTO_SUCCESS);
1730 1733 }
1731 1734
1735 +#define ECB_LOOP(ciph_func) \
1736 + do { \
1737 + for (; i < length; i += AES_BLOCK_LEN) \
1738 + ciph_func; \
1739 + _NOTE(CONSTCOND) \
1740 + } while (0)
1741 +#define ECB_LOOP_4P(ciph_func, enc_or_dec, in, out) \
1742 + ECB_LOOP(ciph_func(&ksch->enc_or_dec ## r_ks.ks32[0], \
1743 + ksch->nr, (void *)&in[i], (void *)&out[i]))
1744 +#define ECB_LOOP_3P(ciph_func, in, out) \
1745 + ECB_LOOP(ciph_func(ksch, (void *)&in[i], (void *)&out[i]))
1732 1746
1747 +#ifdef __amd64
1748 +#define ECB_INTEL_IMPL(enc_or_dec, in, out) \
1749 + do { \
1750 + if (intel_aes_instructions_present()) { \
1751 + /* first use the accelerated function */ \
1752 + for (; i + 8 * AES_BLOCK_LEN <= length; \
1753 + i += 8 * AES_BLOCK_LEN) \
1754 + aes_ ## enc_or_dec ## rypt_intel8( \
1755 + &ksch->enc_or_dec ## r_ks.ks32[0], \
1756 + ksch->nr, &in[i], &out[i]); \
1757 + /* finish off the remainder per-block */ \
1758 + ECB_LOOP_4P(aes_ ## enc_or_dec ## rypt_intel, \
1759 + enc_or_dec, in, out); \
1760 + } else { \
1761 + ECB_LOOP_4P(aes_ ## enc_or_dec ## rypt_amd64, \
1762 + enc_or_dec, in, out); \
1763 + } \
1764 + _NOTE(CONSTCOND) \
1765 + } while (0)
1766 +#endif /* __amd64 */
1767 +
1733 1768 /*
1769 + * Perform AES ECB encryption on a sequence of blocks. On x86-64 CPUs with
1770 + * the AES-NI extension, this performs the encryption in increments of 8
1771 + * blocks at a time, exploiting instruction parallelism more efficiently.
1772 + * On other platforms, this simply encrypts the blocks in sequence.
1773 + */
1774 +int
1775 +aes_encrypt_ecb(const void *ks, const uint8_t *pt, uint8_t *ct, uint64_t length)
1776 +{
1777 + aes_key_t *ksch = (aes_key_t *)ks;
1778 + uint64_t i = 0;
1779 +
1780 +#ifdef __amd64
1781 + ECB_INTEL_IMPL(enc, pt, ct);
1782 +#elif defined(sun4u)
1783 + ECB_LOOP_4P(aes_encrypt_impl, enc, pt, ct);
1784 +#else /* Generic C implementation */
1785 + ECB_LOOP_3P((void) aes_encrypt_block, pt, ct);
1786 +#endif /* Generic C implementation */
1787 +
1788 + return (CRYPTO_SUCCESS);
1789 +}
1790 +
1791 +/*
1792 + * Same as aes_encrypt_ecb, but performs decryption.
1793 + */
1794 +int
1795 +aes_decrypt_ecb(const void *ks, const uint8_t *ct, uint8_t *pt, uint64_t length)
1796 +{
1797 + aes_key_t *ksch = (aes_key_t *)ks;
1798 + uint64_t i = 0;
1799 +
1800 +#ifdef __amd64
1801 + ECB_INTEL_IMPL(dec, ct, pt);
1802 +#elif defined(sun4u)
1803 + ECB_LOOP_4P(aes_decrypt_impl, dec, ct, pt);
1804 +#else /* Generic C implementation */
1805 + ECB_LOOP_3P((void) aes_decrypt_block, ct, pt);
1806 +#endif /* Generic C implementation */
1807 +
1808 + return (CRYPTO_SUCCESS);
1809 +}
1810 +#ifdef __amd64
1811 +#undef ECB_INTEL_IMPL
1812 +#endif /* __amd64 */
1813 +
1814 +#undef ECB_LOOP
1815 +#undef ECB_LOOP_4P
1816 +#undef ECB_LOOP_3P
1817 +
1818 +#define CBC_LOOP(enc_func, xor_func) \
1819 + do { \
1820 + for (; i < length; i += AES_BLOCK_LEN) { \
1821 + /* copy IV to ciphertext */ \
1822 + bcopy(iv, &ct[i], AES_BLOCK_LEN); \
1823 + /* XOR IV with plaintext with input */ \
1824 + xor_func(&pt[i], &ct[i]); \
1825 + /* encrypt counter in output region */ \
1826 + enc_func; \
1827 + iv = &ct[i]; \
1828 + } \
1829 + _NOTE(CONSTCOND) \
1830 + } while (0)
1831 +#define CBC_LOOP_4P(enc_func, xor_func) \
1832 + CBC_LOOP(enc_func(&ksch->encr_ks.ks32[0], \
1833 + ksch->nr, (void *)&ct[i], (void *)&ct[i]), xor_func)
1834 +#define CBC_LOOP_3P(enc_func, xor_func) \
1835 + CBC_LOOP(enc_func(ksch, (void *)&ct[i], (void *)&ct[i]), xor_func)
1836 +
1837 +/*
1838 + * Encrypts a sequence of consecutive AES blocks in CBC mode. On x86-64
1839 + * with the AES-NI extension, the encryption is performed on 8 blocks at
1840 + * a time using an optimized assembly implementation, giving a speed boost
1841 + * of around 75%. On other platforms, this simply performs CBC encryption
1842 + * in sequence on the blocks.
1843 + *
1844 + * Decryption acceleration is implemented in the kernel kcf block cipher
1845 + * modes code (cbc.c), because that doesn't require a complete hand-tuned
1846 + * CBC implementation in assembly.
1847 + */
1848 +int
1849 +aes_encrypt_cbc(const void *ks, const uint8_t *pt, uint8_t *ct,
1850 + const uint8_t *iv, uint64_t length)
1851 +{
1852 + aes_key_t *ksch = (aes_key_t *)ks;
1853 + size_t i = 0;
1854 +
1855 +#ifdef __amd64
1856 + if (intel_aes_instructions_present()) {
1857 + for (; i + 8 * AES_BLOCK_LEN <= length;
1858 + i += 8 * AES_BLOCK_LEN) {
1859 + aes_encrypt_cbc_intel8(&ksch->encr_ks.ks32[0],
1860 + ksch->nr, &ct[i], &ct[i], iv);
1861 + iv = &ct[7 * AES_BLOCK_LEN];
1862 + }
1863 + CBC_LOOP_4P(aes_encrypt_intel, aes_xor_intel);
1864 + } else {
1865 + CBC_LOOP_4P(aes_encrypt_amd64, aes_xor_intel);
1866 + }
1867 +#elif defined(sun4u)
1868 + CBC_LOOP_4P(aes_encrypt_impl, aes_xor_block);
1869 +#else /* Generic C implementation */
1870 + CBC_LOOP_3P((void) aes_encrypt_block, aes_xor_block);
1871 +#endif /* Generic C implementation */
1872 +
1873 + return (CRYPTO_SUCCESS);
1874 +}
1875 +#undef CBC_LOOP
1876 +#undef CBC_LOOP_4P
1877 +#undef CBC_LOOP_3P
1878 +
1879 +#define CTR_LOOP(enc_func, xor_func) \
1880 + do { \
1881 + for (; i < length; i += AES_BLOCK_LEN) { \
1882 + /* set up counter in output region */ \
1883 + *(uint64_t *)(void *)&output[i] = counter[0]; \
1884 + *(uint64_t *)(void *)&output[i + 8] = \
1885 + htonll(counter[1]++); \
1886 + /* encrypt counter in output region */ \
1887 + enc_func; \
1888 + /* XOR encrypted counter with input */ \
1889 + xor_func(&input[i], &output[i]); \
1890 + } \
1891 + _NOTE(CONSTCOND) \
1892 + } while (0)
1893 +#define CTR_LOOP_4P(enc_func, xor_func) \
1894 + CTR_LOOP(enc_func(&ksch->encr_ks.ks32[0], ksch->nr, \
1895 + (void *)&output[i], (void *)&output[i]), xor_func)
1896 +#define CTR_LOOP_3P(enc_func, xor_func) \
1897 + CTR_LOOP(enc_func(ksch, (void *)&output[i], (void *)&output[i]),\
1898 + xor_func)
1899 +/*
1900 + * Performs high-performance counter mode encryption and decryption on
1901 + * a sequence of blocks. In CTR mode, encryption and decryption are the
1902 + * same operation, just with the plaintext and ciphertext reversed:
1903 + * plaintext = CTR(CTR(plaintext, K), K)
1904 + * Blocks also do not interdepend on each other, so it is an excellent
1905 + * mode when high performance is required and data authentication/integrity
1906 + * checking is provided via some other means, or isn't necessary.
1907 + *
1908 + * On x86-64 with the AES-NI extension, this code performs CTR mode
1909 + * encryption in parallel on 8 blocks at a time and can provide in
1910 + * excess of 3GB/s/core of encryption/decryption performance (<1 CPB).
1911 + */
1912 +int
1913 +aes_ctr_mode(const void *ks, const uint8_t *input, uint8_t *output,
1914 + uint64_t length, uint64_t counter[2])
1915 +{
1916 + aes_key_t *ksch = (aes_key_t *)ks;
1917 + uint64_t i = 0;
1918 +
1919 + // swap lower part to host order for computations
1920 + counter[1] = ntohll(counter[1]);
1921 +
1922 +#ifdef __amd64
1923 + if (intel_aes_instructions_present()) {
1924 + /* first use the wide-register accelerated function */
1925 + for (; i + 8 * AES_BLOCK_LEN <= length;
1926 + i += 8 * AES_BLOCK_LEN) {
1927 + aes_ctr_intel8(&ksch->encr_ks.ks32[0], ksch->nr,
1928 + &input[i], &output[i], counter[0], counter[1]);
1929 + counter[1] += 8;
1930 + }
1931 + /* finish off the remainder using the slow per-block method */
1932 + CTR_LOOP_4P(aes_encrypt_intel, aes_xor_intel);
1933 + } else {
1934 + CTR_LOOP_4P(aes_encrypt_amd64, aes_xor_intel);
1935 + }
1936 +#elif defined(sun4u)
1937 + CTR_LOOP_4P(aes_encrypt_impl, aes_xor_block);
1938 +#else /* Generic C implementation */
1939 + CTR_LOOP_3P((void) aes_encrypt_block, aes_xor_block);
1940 +#endif /* Generic C implementation */
1941 +
1942 + // swap lower part back to big endian
1943 + counter[1] = htonll(counter[1]);
1944 +
1945 + return (CRYPTO_SUCCESS);
1946 +}
1947 +#undef CTR_LOOP
1948 +
1949 +/*
1734 1950 * Allocate key schedule for AES.
1735 1951 *
1736 1952 * Return the pointer and set size to the number of bytes allocated.
1737 1953 * Memory allocated must be freed by the caller when done.
1738 1954 *
1739 1955 * Parameters:
1740 1956 * size Size of key schedule allocated, in bytes
1741 1957 * kmflag Flag passed to kmem_alloc(9F); ignored in userland.
1742 1958 */
1743 1959 /* ARGSUSED */
1744 1960 void *
1745 1961 aes_alloc_keysched(size_t *size, int kmflag)
1746 1962 {
1747 1963 aes_key_t *keysched;
1748 1964
1749 1965 #ifdef _KERNEL
1750 1966 keysched = (aes_key_t *)kmem_alloc(sizeof (aes_key_t), kmflag);
1751 1967 #else /* !_KERNEL */
1752 1968 keysched = (aes_key_t *)malloc(sizeof (aes_key_t));
1753 1969 #endif /* _KERNEL */
1754 1970
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
1755 1971 if (keysched != NULL) {
1756 1972 *size = sizeof (aes_key_t);
1757 1973 return (keysched);
1758 1974 }
1759 1975 return (NULL);
1760 1976 }
1761 1977
1762 1978
1763 1979 #ifdef __amd64
1764 1980 /*
1765 - * Return 1 if executing on Intel with AES-NI instructions,
1766 - * otherwise 0 (i.e., Intel without AES-NI or AMD64).
1981 + * Return 1 if executing on x86-64 with AES-NI instructions, otherwise 0.
1767 1982 * Cache the result, as the CPU can't change.
1768 1983 *
1769 1984 * Note: the userland version uses getisax(). The kernel version uses
1770 1985 * global variable x86_featureset.
1771 1986 */
1772 -static int
1987 +static inline int
1773 1988 intel_aes_instructions_present(void)
1774 1989 {
1775 1990 static int cached_result = -1;
1776 1991
1777 1992 if (cached_result == -1) { /* first time */
1778 1993 #ifdef _KERNEL
1779 1994 cached_result = is_x86_feature(x86_featureset, X86FSET_AES);
1780 1995 #else
1781 1996 uint_t ui = 0;
1782 1997
1783 1998 (void) getisax(&ui, 1);
1784 1999 cached_result = (ui & AV_386_AES) != 0;
1785 2000 #endif /* _KERNEL */
1786 2001 }
1787 2002
1788 2003 return (cached_result);
1789 2004 }
1790 2005 #endif /* __amd64 */
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX