--- /dev/null
+/*\r
+ ---------------------------------------------------------------------------\r
+ Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.\r
+\r
+ LICENSE TERMS\r
+\r
+ The redistribution and use of this software (with or without changes)\r
+ is allowed without the payment of fees or royalties provided that:\r
+\r
+ 1. source code distributions include the above copyright notice, this\r
+ list of conditions and the following disclaimer;\r
+\r
+ 2. binary distributions include the above copyright notice, this list\r
+ of conditions and the following disclaimer in their documentation;\r
+\r
+ 3. the name of the copyright holder is not used to endorse products\r
+ built using this software without specific written permission.\r
+\r
+ DISCLAIMER\r
+\r
+ This software is provided 'as is' with no explicit or implied warranties\r
+ in respect of its properties, including, but not limited to, correctness\r
+ and/or fitness for purpose.\r
+ ---------------------------------------------------------------------------\r
+ Issue Date: 20/12/2007\r
+\r
+ This file contains the compilation options for AES (Rijndael) and code\r
+ that is common across encryption, key scheduling and table generation.\r
+\r
+ OPERATION\r
+\r
+ These source code files implement the AES algorithm Rijndael designed by\r
+ Joan Daemen and Vincent Rijmen. This version is designed for the standard\r
+ block size of 16 bytes and for key sizes of 128, 192 and 256 bits (16, 24\r
+ and 32 bytes).\r
+\r
+ This version is designed for flexibility and speed using operations on\r
+ 32-bit words rather than operations on bytes. It can be compiled with\r
+ either big or little endian internal byte order but is faster when the\r
+ native byte order for the processor is used.\r
+\r
+ THE CIPHER INTERFACE\r
+\r
+ The cipher interface is implemented as an array of bytes in which lower\r
+ AES bit sequence indexes map to higher numeric significance within bytes.\r
+\r
+ uint_8t (an unsigned 8-bit type)\r
+ uint_32t (an unsigned 32-bit type)\r
+ struct aes_encrypt_ctx (structure for the cipher encryption context)\r
+ struct aes_decrypt_ctx (structure for the cipher decryption context)\r
+ AES_RETURN the function return type\r
+\r
+ C subroutine calls:\r
+\r
+ AES_RETURN aes_encrypt_key128(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
+ AES_RETURN aes_encrypt_key192(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
+ AES_RETURN aes_encrypt_key256(const unsigned char *key, aes_encrypt_ctx cx[1]);\r
+ AES_RETURN aes_encrypt(const unsigned char *in, unsigned char *out,\r
+ const aes_encrypt_ctx cx[1]);\r
+\r
+ AES_RETURN aes_decrypt_key128(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
+ AES_RETURN aes_decrypt_key192(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
+ AES_RETURN aes_decrypt_key256(const unsigned char *key, aes_decrypt_ctx cx[1]);\r
+ AES_RETURN aes_decrypt(const unsigned char *in, unsigned char *out,\r
+ const aes_decrypt_ctx cx[1]);\r
+\r
+ IMPORTANT NOTE: If you are using this C interface with dynamic tables make sure that\r
+ you call aes_init() before AES is used so that the tables are initialised.\r
+\r
+ C++ aes class subroutines:\r
+\r
+ Class AESencrypt for encryption\r
+\r
+ Construtors:\r
+ AESencrypt(void)\r
+ AESencrypt(const unsigned char *key) - 128 bit key\r
+ Members:\r
+ AES_RETURN key128(const unsigned char *key)\r
+ AES_RETURN key192(const unsigned char *key)\r
+ AES_RETURN key256(const unsigned char *key)\r
+ AES_RETURN encrypt(const unsigned char *in, unsigned char *out) const\r
+\r
+ Class AESdecrypt for encryption\r
+ Construtors:\r
+ AESdecrypt(void)\r
+ AESdecrypt(const unsigned char *key) - 128 bit key\r
+ Members:\r
+ AES_RETURN key128(const unsigned char *key)\r
+ AES_RETURN key192(const unsigned char *key)\r
+ AES_RETURN key256(const unsigned char *key)\r
+ AES_RETURN decrypt(const unsigned char *in, unsigned char *out) const\r
+*/\r
+\r
+#if !defined( _AESOPT_H )\r
+#define _AESOPT_H\r
+\r
+#if defined( __cplusplus )\r
+#include "aescpp.h"\r
+#else\r
+#include "aes.h"\r
+#endif\r
+\r
+/* PLATFORM SPECIFIC INCLUDES */\r
+\r
+#include "brg_endian.h"\r
+\r
+/* CONFIGURATION - THE USE OF DEFINES\r
+\r
+ Later in this section there are a number of defines that control the\r
+ operation of the code. In each section, the purpose of each define is\r
+ explained so that the relevant form can be included or excluded by\r
+ setting either 1's or 0's respectively on the branches of the related\r
+ #if clauses. The following local defines should not be changed.\r
+*/\r
+\r
+#define ENCRYPTION_IN_C 1\r
+#define DECRYPTION_IN_C 2\r
+#define ENC_KEYING_IN_C 4\r
+#define DEC_KEYING_IN_C 8\r
+\r
+#define NO_TABLES 0\r
+#define ONE_TABLE 1\r
+#define FOUR_TABLES 4\r
+#define NONE 0\r
+#define PARTIAL 1\r
+#define FULL 2\r
+\r
+/* --- START OF USER CONFIGURED OPTIONS --- */\r
+\r
+/* 1. BYTE ORDER WITHIN 32 BIT WORDS\r
+\r
+ The fundamental data processing units in Rijndael are 8-bit bytes. The\r
+ input, output and key input are all enumerated arrays of bytes in which\r
+ bytes are numbered starting at zero and increasing to one less than the\r
+ number of bytes in the array in question. This enumeration is only used\r
+ for naming bytes and does not imply any adjacency or order relationship\r
+ from one byte to another. When these inputs and outputs are considered\r
+ as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to\r
+ byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte.\r
+ In this implementation bits are numbered from 0 to 7 starting at the\r
+ numerically least significant end of each byte (bit n represents 2^n).\r
+\r
+ However, Rijndael can be implemented more efficiently using 32-bit\r
+ words by packing bytes into words so that bytes 4*n to 4*n+3 are placed\r
+ into word[n]. While in principle these bytes can be assembled into words\r
+ in any positions, this implementation only supports the two formats in\r
+ which bytes in adjacent positions within words also have adjacent byte\r
+ numbers. This order is called big-endian if the lowest numbered bytes\r
+ in words have the highest numeric significance and little-endian if the\r
+ opposite applies.\r
+\r
+ This code can work in either order irrespective of the order used by the\r
+ machine on which it runs. Normally the internal byte order will be set\r
+ to the order of the processor on which the code is to be run but this\r
+ define can be used to reverse this in special situations\r
+\r
+ WARNING: Assembler code versions rely on PLATFORM_BYTE_ORDER being set.\r
+ This define will hence be redefined later (in section 4) if necessary\r
+*/\r
+\r
+#if 1\r
+# define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER\r
+#elif 0\r
+# define ALGORITHM_BYTE_ORDER IS_LITTLE_ENDIAN\r
+#elif 0\r
+# define ALGORITHM_BYTE_ORDER IS_BIG_ENDIAN\r
+#else\r
+# error The algorithm byte order is not defined\r
+#endif\r
+\r
+/* 2. VIA ACE SUPPORT */\r
+\r
+#if defined( __GNUC__ ) && defined( __i386__ ) \\r
+ || defined( _WIN32 ) && defined( _M_IX86 ) \\r
+ && !(defined( _WIN64 ) || defined( _WIN32_WCE ) || defined( _MSC_VER ) && ( _MSC_VER <= 800 ))\r
+# define VIA_ACE_POSSIBLE\r
+#endif\r
+\r
+/* Define this option if support for the VIA ACE is required. This uses\r
+ inline assembler instructions and is only implemented for the Microsoft,\r
+ Intel and GCC compilers. If VIA ACE is known to be present, then defining\r
+ ASSUME_VIA_ACE_PRESENT will remove the ordinary encryption/decryption\r
+ code. If USE_VIA_ACE_IF_PRESENT is defined then VIA ACE will be used if\r
+ it is detected (both present and enabled) but the normal AES code will\r
+ also be present.\r
+\r
+ When VIA ACE is to be used, all AES encryption contexts MUST be 16 byte\r
+ aligned; other input/output buffers do not need to be 16 byte aligned\r
+ but there are very large performance gains if this can be arranged.\r
+ VIA ACE also requires the decryption key schedule to be in reverse\r
+ order (which later checks below ensure).\r
+*/\r
+\r
+#if 1 && defined( VIA_ACE_POSSIBLE ) && !defined( USE_VIA_ACE_IF_PRESENT )\r
+# define USE_VIA_ACE_IF_PRESENT\r
+#endif\r
+\r
+#if 0 && defined( VIA_ACE_POSSIBLE ) && !defined( ASSUME_VIA_ACE_PRESENT )\r
+# define ASSUME_VIA_ACE_PRESENT\r
+# endif\r
+\r
+/* 3. ASSEMBLER SUPPORT\r
+\r
+ This define (which can be on the command line) enables the use of the\r
+ assembler code routines for encryption, decryption and key scheduling\r
+ as follows:\r
+\r
+ ASM_X86_V1C uses the assembler (aes_x86_v1.asm) with large tables for\r
+ encryption and decryption and but with key scheduling in C\r
+ ASM_X86_V2 uses assembler (aes_x86_v2.asm) with compressed tables for\r
+ encryption, decryption and key scheduling\r
+ ASM_X86_V2C uses assembler (aes_x86_v2.asm) with compressed tables for\r
+ encryption and decryption and but with key scheduling in C\r
+ ASM_AMD64_C uses assembler (aes_amd64.asm) with compressed tables for\r
+ encryption and decryption and but with key scheduling in C\r
+\r
+ Change one 'if 0' below to 'if 1' to select the version or define\r
+ as a compilation option.\r
+*/\r
+\r
+#if 0 && !defined( ASM_X86_V1C )\r
+# define ASM_X86_V1C\r
+#elif 0 && !defined( ASM_X86_V2 )\r
+# define ASM_X86_V2\r
+#elif 0 && !defined( ASM_X86_V2C )\r
+# define ASM_X86_V2C\r
+#elif 0 && !defined( ASM_AMD64_C )\r
+# define ASM_AMD64_C\r
+#endif\r
+\r
+#if (defined ( ASM_X86_V1C ) || defined( ASM_X86_V2 ) || defined( ASM_X86_V2C )) \\r
+ && !defined( _M_IX86 ) || defined( ASM_AMD64_C ) && !defined( _M_X64 )\r
+# error Assembler code is only available for x86 and AMD64 systems\r
+#endif\r
+\r
+/* 4. FAST INPUT/OUTPUT OPERATIONS.\r
+\r
+ On some machines it is possible to improve speed by transferring the\r
+ bytes in the input and output arrays to and from the internal 32-bit\r
+ variables by addressing these arrays as if they are arrays of 32-bit\r
+ words. On some machines this will always be possible but there may\r
+ be a large performance penalty if the byte arrays are not aligned on\r
+ the normal word boundaries. On other machines this technique will\r
+ lead to memory access errors when such 32-bit word accesses are not\r
+ properly aligned. The option SAFE_IO avoids such problems but will\r
+ often be slower on those machines that support misaligned access\r
+ (especially so if care is taken to align the input and output byte\r
+ arrays on 32-bit word boundaries). If SAFE_IO is not defined it is\r
+ assumed that access to byte arrays as if they are arrays of 32-bit\r
+ words will not cause problems when such accesses are misaligned.\r
+*/\r
+#if 1 && !defined( _MSC_VER )\r
+# define SAFE_IO\r
+#endif\r
+\r
+/* 5. LOOP UNROLLING\r
+\r
+ The code for encryption and decrytpion cycles through a number of rounds\r
+ that can be implemented either in a loop or by expanding the code into a\r
+ long sequence of instructions, the latter producing a larger program but\r
+ one that will often be much faster. The latter is called loop unrolling.\r
+ There are also potential speed advantages in expanding two iterations in\r
+ a loop with half the number of iterations, which is called partial loop\r
+ unrolling. The following options allow partial or full loop unrolling\r
+ to be set independently for encryption and decryption\r
+*/\r
+#if 1\r
+# define ENC_UNROLL FULL\r
+#elif 0\r
+# define ENC_UNROLL PARTIAL\r
+#else\r
+# define ENC_UNROLL NONE\r
+#endif\r
+\r
+#if 1\r
+# define DEC_UNROLL FULL\r
+#elif 0\r
+# define DEC_UNROLL PARTIAL\r
+#else\r
+# define DEC_UNROLL NONE\r
+#endif\r
+\r
+#if 1\r
+# define ENC_KS_UNROLL\r
+#endif\r
+\r
+#if 1\r
+# define DEC_KS_UNROLL\r
+#endif\r
+\r
+/* 6. FAST FINITE FIELD OPERATIONS\r
+\r
+ If this section is included, tables are used to provide faster finite\r
+ field arithmetic (this has no effect if FIXED_TABLES is defined).\r
+*/\r
+#if 1\r
+# define FF_TABLES\r
+#endif\r
+\r
+/* 7. INTERNAL STATE VARIABLE FORMAT\r
+\r
+ The internal state of Rijndael is stored in a number of local 32-bit\r
+ word varaibles which can be defined either as an array or as individual\r
+ names variables. Include this section if you want to store these local\r
+ varaibles in arrays. Otherwise individual local variables will be used.\r
+*/\r
+#if 1\r
+# define ARRAYS\r
+#endif\r
+\r
+/* 8. FIXED OR DYNAMIC TABLES\r
+\r
+ When this section is included the tables used by the code are compiled\r
+ statically into the binary file. Otherwise the subroutine aes_init()\r
+ must be called to compute them before the code is first used.\r
+*/\r
+#if 1 && !(defined( _MSC_VER ) && ( _MSC_VER <= 800 ))\r
+# define FIXED_TABLES\r
+#endif\r
+\r
+/* 9. MASKING OR CASTING FROM LONGER VALUES TO BYTES\r
+\r
+ In some systems it is better to mask longer values to extract bytes \r
+ rather than using a cast. This option allows this choice.\r
+*/\r
+#if 0\r
+# define to_byte(x) ((uint_8t)(x))\r
+#else\r
+# define to_byte(x) ((x) & 0xff)\r
+#endif\r
+\r
+/* 10. TABLE ALIGNMENT\r
+\r
+ On some sytsems speed will be improved by aligning the AES large lookup\r
+ tables on particular boundaries. This define should be set to a power of\r
+ two giving the desired alignment. It can be left undefined if alignment\r
+ is not needed. This option is specific to the Microsft VC++ compiler -\r
+ it seems to sometimes cause trouble for the VC++ version 6 compiler.\r
+*/\r
+\r
+#if 1 && defined( _MSC_VER ) && ( _MSC_VER >= 1300 )\r
+# define TABLE_ALIGN 32\r
+#endif\r
+\r
+/* 11. REDUCE CODE AND TABLE SIZE\r
+\r
+ This replaces some expanded macros with function calls if AES_ASM_V2 or\r
+ AES_ASM_V2C are defined\r
+*/\r
+\r
+#if 1 && (defined( ASM_X86_V2 ) || defined( ASM_X86_V2C ))\r
+# define REDUCE_CODE_SIZE\r
+#endif\r
+\r
+/* 12. TABLE OPTIONS\r
+\r
+ This cipher proceeds by repeating in a number of cycles known as 'rounds'\r
+ which are implemented by a round function which can optionally be speeded\r
+ up using tables. The basic tables are each 256 32-bit words, with either\r
+ one or four tables being required for each round function depending on\r
+ how much speed is required. The encryption and decryption round functions\r
+ are different and the last encryption and decrytpion round functions are\r
+ different again making four different round functions in all.\r
+\r
+ This means that:\r
+ 1. Normal encryption and decryption rounds can each use either 0, 1\r
+ or 4 tables and table spaces of 0, 1024 or 4096 bytes each.\r
+ 2. The last encryption and decryption rounds can also use either 0, 1\r
+ or 4 tables and table spaces of 0, 1024 or 4096 bytes each.\r
+\r
+ Include or exclude the appropriate definitions below to set the number\r
+ of tables used by this implementation.\r
+*/\r
+\r
+#if 1 /* set tables for the normal encryption round */\r
+# define ENC_ROUND FOUR_TABLES\r
+#elif 0\r
+# define ENC_ROUND ONE_TABLE\r
+#else\r
+# define ENC_ROUND NO_TABLES\r
+#endif\r
+\r
+#if 1 /* set tables for the last encryption round */\r
+# define LAST_ENC_ROUND FOUR_TABLES\r
+#elif 0\r
+# define LAST_ENC_ROUND ONE_TABLE\r
+#else\r
+# define LAST_ENC_ROUND NO_TABLES\r
+#endif\r
+\r
+#if 1 /* set tables for the normal decryption round */\r
+# define DEC_ROUND FOUR_TABLES\r
+#elif 0\r
+# define DEC_ROUND ONE_TABLE\r
+#else\r
+# define DEC_ROUND NO_TABLES\r
+#endif\r
+\r
+#if 1 /* set tables for the last decryption round */\r
+# define LAST_DEC_ROUND FOUR_TABLES\r
+#elif 0\r
+# define LAST_DEC_ROUND ONE_TABLE\r
+#else\r
+# define LAST_DEC_ROUND NO_TABLES\r
+#endif\r
+\r
+/* The decryption key schedule can be speeded up with tables in the same\r
+ way that the round functions can. Include or exclude the following\r
+ defines to set this requirement.\r
+*/\r
+#if 1\r
+# define KEY_SCHED FOUR_TABLES\r
+#elif 0\r
+# define KEY_SCHED ONE_TABLE\r
+#else\r
+# define KEY_SCHED NO_TABLES\r
+#endif\r
+\r
+/* ---- END OF USER CONFIGURED OPTIONS ---- */\r
+\r
+/* VIA ACE support is only available for VC++ and GCC */\r
+\r
+#if !defined( _MSC_VER ) && !defined( __GNUC__ )\r
+# if defined( ASSUME_VIA_ACE_PRESENT )\r
+# undef ASSUME_VIA_ACE_PRESENT\r
+# endif\r
+# if defined( USE_VIA_ACE_IF_PRESENT )\r
+# undef USE_VIA_ACE_IF_PRESENT\r
+# endif\r
+#endif\r
+\r
+#if defined( ASSUME_VIA_ACE_PRESENT ) && !defined( USE_VIA_ACE_IF_PRESENT )\r
+# define USE_VIA_ACE_IF_PRESENT\r
+#endif\r
+\r
+#if defined( USE_VIA_ACE_IF_PRESENT ) && !defined ( AES_REV_DKS )\r
+# define AES_REV_DKS\r
+#endif\r
+\r
+/* Assembler support requires the use of platform byte order */\r
+\r
+#if ( defined( ASM_X86_V1C ) || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C ) ) \\r
+ && (ALGORITHM_BYTE_ORDER != PLATFORM_BYTE_ORDER)\r
+# undef ALGORITHM_BYTE_ORDER\r
+# define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER\r
+#endif\r
+\r
+/* In this implementation the columns of the state array are each held in\r
+ 32-bit words. The state array can be held in various ways: in an array\r
+ of words, in a number of individual word variables or in a number of\r
+ processor registers. The following define maps a variable name x and\r
+ a column number c to the way the state array variable is to be held.\r
+ The first define below maps the state into an array x[c] whereas the\r
+ second form maps the state into a number of individual variables x0,\r
+ x1, etc. Another form could map individual state colums to machine\r
+ register names.\r
+*/\r
+\r
+#if defined( ARRAYS )\r
+# define s(x,c) x[c]\r
+#else\r
+# define s(x,c) x##c\r
+#endif\r
+\r
+/* This implementation provides subroutines for encryption, decryption\r
+ and for setting the three key lengths (separately) for encryption\r
+ and decryption. Since not all functions are needed, masks are set\r
+ up here to determine which will be implemented in C\r
+*/\r
+\r
+#if !defined( AES_ENCRYPT )\r
+# define EFUNCS_IN_C 0\r
+#elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C ) \\r
+ || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C )\r
+# define EFUNCS_IN_C ENC_KEYING_IN_C\r
+#elif !defined( ASM_X86_V2 )\r
+# define EFUNCS_IN_C ( ENCRYPTION_IN_C | ENC_KEYING_IN_C )\r
+#else\r
+# define EFUNCS_IN_C 0\r
+#endif\r
+\r
+#if !defined( AES_DECRYPT )\r
+# define DFUNCS_IN_C 0\r
+#elif defined( ASSUME_VIA_ACE_PRESENT ) || defined( ASM_X86_V1C ) \\r
+ || defined( ASM_X86_V2C ) || defined( ASM_AMD64_C )\r
+# define DFUNCS_IN_C DEC_KEYING_IN_C\r
+#elif !defined( ASM_X86_V2 )\r
+# define DFUNCS_IN_C ( DECRYPTION_IN_C | DEC_KEYING_IN_C )\r
+#else\r
+# define DFUNCS_IN_C 0\r
+#endif\r
+\r
+#define FUNCS_IN_C ( EFUNCS_IN_C | DFUNCS_IN_C )\r
+\r
+/* END OF CONFIGURATION OPTIONS */\r
+\r
+#define RC_LENGTH (5 * (AES_BLOCK_SIZE / 4 - 2))\r
+\r
+/* Disable or report errors on some combinations of options */\r
+\r
+#if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES\r
+# undef LAST_ENC_ROUND\r
+# define LAST_ENC_ROUND NO_TABLES\r
+#elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES\r
+# undef LAST_ENC_ROUND\r
+# define LAST_ENC_ROUND ONE_TABLE\r
+#endif\r
+\r
+#if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE\r
+# undef ENC_UNROLL\r
+# define ENC_UNROLL NONE\r
+#endif\r
+\r
+#if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES\r
+# undef LAST_DEC_ROUND\r
+# define LAST_DEC_ROUND NO_TABLES\r
+#elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES\r
+# undef LAST_DEC_ROUND\r
+# define LAST_DEC_ROUND ONE_TABLE\r
+#endif\r
+\r
+#if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE\r
+# undef DEC_UNROLL\r
+# define DEC_UNROLL NONE\r
+#endif\r
+\r
+#if defined( bswap32 )\r
+# define aes_sw32 bswap32\r
+#elif defined( bswap_32 )\r
+# define aes_sw32 bswap_32\r
+#else\r
+# define brot(x,n) (((uint_32t)(x) << n) | ((uint_32t)(x) >> (32 - n)))\r
+# define aes_sw32(x) ((brot((x),8) & 0x00ff00ff) | (brot((x),24) & 0xff00ff00))\r
+#endif\r
+\r
+/* upr(x,n): rotates bytes within words by n positions, moving bytes to\r
+ higher index positions with wrap around into low positions\r
+ ups(x,n): moves bytes by n positions to higher index positions in\r
+ words but without wrap around\r
+ bval(x,n): extracts a byte from a word\r
+\r
+ WARNING: The definitions given here are intended only for use with\r
+ unsigned variables and with shift counts that are compile\r
+ time constants\r
+*/\r
+\r
+#if ( ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN )\r
+# define upr(x,n) (((uint_32t)(x) << (8 * (n))) | ((uint_32t)(x) >> (32 - 8 * (n))))\r
+# define ups(x,n) ((uint_32t) (x) << (8 * (n)))\r
+# define bval(x,n) to_byte((x) >> (8 * (n)))\r
+# define bytes2word(b0, b1, b2, b3) \\r
+ (((uint_32t)(b3) << 24) | ((uint_32t)(b2) << 16) | ((uint_32t)(b1) << 8) | (b0))\r
+#endif\r
+\r
+#if ( ALGORITHM_BYTE_ORDER == IS_BIG_ENDIAN )\r
+# define upr(x,n) (((uint_32t)(x) >> (8 * (n))) | ((uint_32t)(x) << (32 - 8 * (n))))\r
+# define ups(x,n) ((uint_32t) (x) >> (8 * (n)))\r
+# define bval(x,n) to_byte((x) >> (24 - 8 * (n)))\r
+# define bytes2word(b0, b1, b2, b3) \\r
+ (((uint_32t)(b0) << 24) | ((uint_32t)(b1) << 16) | ((uint_32t)(b2) << 8) | (b3))\r
+#endif\r
+\r
+#if defined( SAFE_IO )\r
+# define word_in(x,c) bytes2word(((const uint_8t*)(x)+4*c)[0], ((const uint_8t*)(x)+4*c)[1], \\r
+ ((const uint_8t*)(x)+4*c)[2], ((const uint_8t*)(x)+4*c)[3])\r
+# define word_out(x,c,v) { ((uint_8t*)(x)+4*c)[0] = bval(v,0); ((uint_8t*)(x)+4*c)[1] = bval(v,1); \\r
+ ((uint_8t*)(x)+4*c)[2] = bval(v,2); ((uint_8t*)(x)+4*c)[3] = bval(v,3); }\r
+#elif ( ALGORITHM_BYTE_ORDER == PLATFORM_BYTE_ORDER )\r
+# define word_in(x,c) (*((uint_32t*)(x)+(c)))\r
+# define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = (v))\r
+#else\r
+# define word_in(x,c) aes_sw32(*((uint_32t*)(x)+(c)))\r
+# define word_out(x,c,v) (*((uint_32t*)(x)+(c)) = aes_sw32(v))\r
+#endif\r
+\r
+/* the finite field modular polynomial and elements */\r
+\r
+#define WPOLY 0x011b\r
+#define BPOLY 0x1b\r
+\r
+/* multiply four bytes in GF(2^8) by 'x' {02} in parallel */\r
+\r
+#define m1 0x80808080\r
+#define m2 0x7f7f7f7f\r
+#define gf_mulx(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY))\r
+\r
+/* The following defines provide alternative definitions of gf_mulx that might\r
+ give improved performance if a fast 32-bit multiply is not available. Note\r
+ that a temporary variable u needs to be defined where gf_mulx is used.\r
+\r
+#define gf_mulx(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))\r
+#define m4 (0x01010101 * BPOLY)\r
+#define gf_mulx(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)\r
+*/\r
+\r
+/* Work out which tables are needed for the different options */\r
+\r
+#if defined( ASM_X86_V1C )\r
+# if defined( ENC_ROUND )\r
+# undef ENC_ROUND\r
+# endif\r
+# define ENC_ROUND FOUR_TABLES\r
+# if defined( LAST_ENC_ROUND )\r
+# undef LAST_ENC_ROUND\r
+# endif\r
+# define LAST_ENC_ROUND FOUR_TABLES\r
+# if defined( DEC_ROUND )\r
+# undef DEC_ROUND\r
+# endif\r
+# define DEC_ROUND FOUR_TABLES\r
+# if defined( LAST_DEC_ROUND )\r
+# undef LAST_DEC_ROUND\r
+# endif\r
+# define LAST_DEC_ROUND FOUR_TABLES\r
+# if defined( KEY_SCHED )\r
+# undef KEY_SCHED\r
+# define KEY_SCHED FOUR_TABLES\r
+# endif\r
+#endif\r
+\r
+#if ( FUNCS_IN_C & ENCRYPTION_IN_C ) || defined( ASM_X86_V1C )\r
+# if ENC_ROUND == ONE_TABLE\r
+# define FT1_SET\r
+# elif ENC_ROUND == FOUR_TABLES\r
+# define FT4_SET\r
+# else\r
+# define SBX_SET\r
+# endif\r
+# if LAST_ENC_ROUND == ONE_TABLE\r
+# define FL1_SET\r
+# elif LAST_ENC_ROUND == FOUR_TABLES\r
+# define FL4_SET\r
+# elif !defined( SBX_SET )\r
+# define SBX_SET\r
+# endif\r
+#endif\r
+\r
+#if ( FUNCS_IN_C & DECRYPTION_IN_C ) || defined( ASM_X86_V1C )\r
+# if DEC_ROUND == ONE_TABLE\r
+# define IT1_SET\r
+# elif DEC_ROUND == FOUR_TABLES\r
+# define IT4_SET\r
+# else\r
+# define ISB_SET\r
+# endif\r
+# if LAST_DEC_ROUND == ONE_TABLE\r
+# define IL1_SET\r
+# elif LAST_DEC_ROUND == FOUR_TABLES\r
+# define IL4_SET\r
+# elif !defined(ISB_SET)\r
+# define ISB_SET\r
+# endif\r
+#endif\r
+\r
+#if !(defined( REDUCE_CODE_SIZE ) && (defined( ASM_X86_V2 ) || defined( ASM_X86_V2C )))\r
+# if ((FUNCS_IN_C & ENC_KEYING_IN_C) || (FUNCS_IN_C & DEC_KEYING_IN_C))\r
+# if KEY_SCHED == ONE_TABLE\r
+# if !defined( FL1_SET ) && !defined( FL4_SET ) \r
+# define LS1_SET\r
+# endif\r
+# elif KEY_SCHED == FOUR_TABLES\r
+# if !defined( FL4_SET )\r
+# define LS4_SET\r
+# endif\r
+# elif !defined( SBX_SET )\r
+# define SBX_SET\r
+# endif\r
+# endif\r
+# if (FUNCS_IN_C & DEC_KEYING_IN_C)\r
+# if KEY_SCHED == ONE_TABLE\r
+# define IM1_SET\r
+# elif KEY_SCHED == FOUR_TABLES\r
+# define IM4_SET\r
+# elif !defined( SBX_SET )\r
+# define SBX_SET\r
+# endif\r
+# endif\r
+#endif\r
+\r
+/* generic definitions of Rijndael macros that use tables */\r
+\r
+#define no_table(x,box,vf,rf,c) bytes2word( \\r
+ box[bval(vf(x,0,c),rf(0,c))], \\r
+ box[bval(vf(x,1,c),rf(1,c))], \\r
+ box[bval(vf(x,2,c),rf(2,c))], \\r
+ box[bval(vf(x,3,c),rf(3,c))])\r
+\r
+#define one_table(x,op,tab,vf,rf,c) \\r
+ ( tab[bval(vf(x,0,c),rf(0,c))] \\r
+ ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \\r
+ ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \\r
+ ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))\r
+\r
+#define four_tables(x,tab,vf,rf,c) \\r
+ ( tab[0][bval(vf(x,0,c),rf(0,c))] \\r
+ ^ tab[1][bval(vf(x,1,c),rf(1,c))] \\r
+ ^ tab[2][bval(vf(x,2,c),rf(2,c))] \\r
+ ^ tab[3][bval(vf(x,3,c),rf(3,c))])\r
+\r
+#define vf1(x,r,c) (x)\r
+#define rf1(r,c) (r)\r
+#define rf2(r,c) ((8+r-c)&3)\r
+\r
+/* perform forward and inverse column mix operation on four bytes in long word x in */\r
+/* parallel. NOTE: x must be a simple variable, NOT an expression in these macros. */\r
+\r
+#if !(defined( REDUCE_CODE_SIZE ) && (defined( ASM_X86_V2 ) || defined( ASM_X86_V2C ))) \r
+\r
+#if defined( FM4_SET ) /* not currently used */\r
+# define fwd_mcol(x) four_tables(x,t_use(f,m),vf1,rf1,0)\r
+#elif defined( FM1_SET ) /* not currently used */\r
+# define fwd_mcol(x) one_table(x,upr,t_use(f,m),vf1,rf1,0)\r
+#else\r
+# define dec_fmvars uint_32t g2\r
+# define fwd_mcol(x) (g2 = gf_mulx(x), g2 ^ upr((x) ^ g2, 3) ^ upr((x), 2) ^ upr((x), 1))\r
+#endif\r
+\r
+#if defined( IM4_SET )\r
+# define inv_mcol(x) four_tables(x,t_use(i,m),vf1,rf1,0)\r
+#elif defined( IM1_SET )\r
+# define inv_mcol(x) one_table(x,upr,t_use(i,m),vf1,rf1,0)\r
+#else\r
+# define dec_imvars uint_32t g2, g4, g9\r
+# define inv_mcol(x) (g2 = gf_mulx(x), g4 = gf_mulx(g2), g9 = (x) ^ gf_mulx(g4), g4 ^= g9, \\r
+ (x) ^ g2 ^ g4 ^ upr(g2 ^ g9, 3) ^ upr(g4, 2) ^ upr(g9, 1))\r
+#endif\r
+\r
+#if defined( FL4_SET )\r
+# define ls_box(x,c) four_tables(x,t_use(f,l),vf1,rf2,c)\r
+#elif defined( LS4_SET )\r
+# define ls_box(x,c) four_tables(x,t_use(l,s),vf1,rf2,c)\r
+#elif defined( FL1_SET )\r
+# define ls_box(x,c) one_table(x,upr,t_use(f,l),vf1,rf2,c)\r
+#elif defined( LS1_SET )\r
+# define ls_box(x,c) one_table(x,upr,t_use(l,s),vf1,rf2,c)\r
+#else\r
+# define ls_box(x,c) no_table(x,t_use(s,box),vf1,rf2,c)\r
+#endif\r
+\r
+#endif\r
+\r
+#if defined( ASM_X86_V1C ) && defined( AES_DECRYPT ) && !defined( ISB_SET )\r
+# define ISB_SET\r
+#endif\r
+\r
+#endif\r