1 /* Modified for SILC -Pekka */
2 /* Includes key scheduling in C always, and encryption and decryption in C
3 when assembler optimized version cannot be used. */
5 ---------------------------------------------------------------------------
6 Copyright (c) 1998-2006, Brian Gladman, Worcester, UK. All rights reserved.
10 The free distribution and use of this software in both source and binary
11 form is allowed (with or without changes) provided that:
13 1. distributions of this source code include the above copyright
14 notice, this list of conditions and the following disclaimer;
16 2. distributions in binary form include the above copyright
17 notice, this list of conditions and the following disclaimer
18 in the documentation and/or other associated materials;
20 3. the copyright holder's name is not used to endorse products
21 built using this software without specific written permission.
23 ALTERNATIVELY, provided that this notice is retained in full, this product
24 may be distributed under the terms of the GNU General Public License (GPL),
25 in which case the provisions of the GPL apply INSTEAD OF those given above.
29 This software is provided 'as is' with no explicit or implied warranties
30 in respect of its properties, including, but not limited to, correctness
31 and/or fitness for purpose.
32 ---------------------------------------------------------------------------
37 #include "rijndael_internal.h"
41 * SILC Crypto API for AES
44 /* Sets the key for the cipher. */
46 SILC_CIPHER_API_SET_KEY(aes)
48 switch (cipher->mode) {
49 case SILC_CIPHER_MODE_CBC:
51 aes_encrypt_key(key, keylen, &((AesContext *)context)->u.enc);
53 aes_decrypt_key(key, keylen, &((AesContext *)context)->u.dec);
56 case SILC_CIPHER_MODE_CTR:
57 aes_encrypt_key(key, keylen, &((AesContext *)context)->u.enc);
66 /* Sets IV for the cipher. */
68 SILC_CIPHER_API_SET_IV(aes)
70 if (cipher->mode == SILC_CIPHER_MODE_CTR) {
71 AesContext *aes = context;
73 /* Starts new block. */
74 aes->u.enc.inf.b[2] = 0;
78 /* Returns the size of the cipher context. */
80 SILC_CIPHER_API_CONTEXT_LEN(aes)
82 return sizeof(AesContext);
85 /* Encrypts with the cipher. Source and destination buffers maybe one and
88 SILC_CIPHER_API_ENCRYPT(aes)
90 AesContext *aes = context;
93 switch (cipher->mode) {
94 case SILC_CIPHER_MODE_CBC:
98 SILC_ASSERT((len & (16 - 1)) == 0);
103 lp32(iv)[0] ^= lp32(src)[0];
104 lp32(iv)[1] ^= lp32(src)[1];
105 lp32(iv)[2] ^= lp32(src)[2];
106 lp32(iv)[3] ^= lp32(src)[3];
107 aes_encrypt(iv, iv, &aes->u.enc);
115 case SILC_CIPHER_MODE_CTR:
119 SILC_GET32_MSB(ctr[0], iv);
120 SILC_GET32_MSB(ctr[1], iv + 4);
121 SILC_GET32_MSB(ctr[2], iv + 8);
122 SILC_GET32_MSB(ctr[3], iv + 12);
124 i = aes->u.enc.inf.b[2];
135 SILC_PUT32_MSB(ctr[0], iv);
136 SILC_PUT32_MSB(ctr[1], iv + 4);
137 SILC_PUT32_MSB(ctr[2], iv + 8);
138 SILC_PUT32_MSB(ctr[3], iv + 12);
140 aes_encrypt(iv, iv, &aes->u.enc);
143 *dst++ = *src++ ^ iv[i++];
145 aes->u.enc.inf.b[2] = i;
147 SILC_PUT32_MSB(ctr[0], iv);
148 SILC_PUT32_MSB(ctr[1], iv + 4);
149 SILC_PUT32_MSB(ctr[2], iv + 8);
150 SILC_PUT32_MSB(ctr[3], iv + 12);
161 /* Decrypts with the cipher. Source and destination buffers maybe one
164 SILC_CIPHER_API_DECRYPT(aes)
166 switch (cipher->mode) {
167 case SILC_CIPHER_MODE_CBC:
169 unsigned char tmp[16];
176 memcpy(tmp, src, 16);
177 aes_decrypt(src, dst, &((AesContext *)context)->u.dec);
178 lp32(dst)[0] ^= lp32(iv)[0];
179 lp32(dst)[1] ^= lp32(iv)[1];
180 lp32(dst)[2] ^= lp32(iv)[2];
181 lp32(dst)[3] ^= lp32(iv)[3];
189 case SILC_CIPHER_MODE_CTR:
190 return silc_aes_encrypt(cipher, context, src, dst, len, iv);
200 /****************************************************************************/
202 #if defined(__cplusplus)
207 #if defined( __WATCOMC__ ) && ( __WATCOMC__ >= 1100 )
208 # define XP_DIR __cdecl
213 #define d_1(t,n,b,e) ALIGN const XP_DIR t n[256] = b(e)
214 #define d_4(t,n,b,e,f,g,h) ALIGN const XP_DIR t n[4][256] = { b(e), b(f), b(g), b(h) }
215 ALIGN const uint_32t t_dec(r,c)[RC_LENGTH] = rc_data(w0);
218 d_1(uint_8t, t_dec(i,box), isb_data, h0);
219 #endif /* SILC_AES_ASM */
220 d_4(uint_32t, t_dec(f,n), sb_data, u0, u1, u2, u3);
221 d_4(uint_32t, t_dec(f,l), sb_data, w0, w1, w2, w3);
222 d_4(uint_32t, t_dec(i,n), isb_data, v0, v1, v2, v3);
223 d_4(uint_32t, t_dec(i,l), isb_data, w0, w1, w2, w3);
224 d_4(uint_32t, t_dec(i,m), mm_data, v0, v1, v2, v3);
227 { k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; \
228 k[4*(i)+5] = ss[1] ^= ss[0]; \
229 k[4*(i)+6] = ss[2] ^= ss[1]; \
230 k[4*(i)+7] = ss[3] ^= ss[2]; \
233 AES_RETURN aes_encrypt_key128(const unsigned char *key, aes_encrypt_ctx cx[1])
236 cx->ks[0] = ss[0] = word_in(key, 0);
237 cx->ks[1] = ss[1] = word_in(key, 1);
238 cx->ks[2] = ss[2] = word_in(key, 2);
239 cx->ks[3] = ss[3] = word_in(key, 3);
241 ke4(cx->ks, 0); ke4(cx->ks, 1);
242 ke4(cx->ks, 2); ke4(cx->ks, 3);
243 ke4(cx->ks, 4); ke4(cx->ks, 5);
244 ke4(cx->ks, 6); ke4(cx->ks, 7);
248 cx->inf.b[0] = 10 * 16;
252 { k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; \
253 k[6*(i)+ 7] = ss[1] ^= ss[0]; \
254 k[6*(i)+ 8] = ss[2] ^= ss[1]; \
255 k[6*(i)+ 9] = ss[3] ^= ss[2]; \
260 k[6*(i)+10] = ss[4] ^= ss[3]; \
261 k[6*(i)+11] = ss[5] ^= ss[4]; \
264 AES_RETURN aes_encrypt_key192(const unsigned char *key, aes_encrypt_ctx cx[1])
267 cx->ks[0] = ss[0] = word_in(key, 0);
268 cx->ks[1] = ss[1] = word_in(key, 1);
269 cx->ks[2] = ss[2] = word_in(key, 2);
270 cx->ks[3] = ss[3] = word_in(key, 3);
271 cx->ks[4] = ss[4] = word_in(key, 4);
272 cx->ks[5] = ss[5] = word_in(key, 5);
274 ke6(cx->ks, 0); ke6(cx->ks, 1);
275 ke6(cx->ks, 2); ke6(cx->ks, 3);
276 ke6(cx->ks, 4); ke6(cx->ks, 5);
280 cx->inf.b[0] = 12 * 16;
284 { k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; \
285 k[8*(i)+ 9] = ss[1] ^= ss[0]; \
286 k[8*(i)+10] = ss[2] ^= ss[1]; \
287 k[8*(i)+11] = ss[3] ^= ss[2]; \
292 k[8*(i)+12] = ss[4] ^= ls_box(ss[3],0); \
293 k[8*(i)+13] = ss[5] ^= ss[4]; \
294 k[8*(i)+14] = ss[6] ^= ss[5]; \
295 k[8*(i)+15] = ss[7] ^= ss[6]; \
298 AES_RETURN aes_encrypt_key256(const unsigned char *key, aes_encrypt_ctx cx[1])
301 cx->ks[0] = ss[0] = word_in(key, 0);
302 cx->ks[1] = ss[1] = word_in(key, 1);
303 cx->ks[2] = ss[2] = word_in(key, 2);
304 cx->ks[3] = ss[3] = word_in(key, 3);
305 cx->ks[4] = ss[4] = word_in(key, 4);
306 cx->ks[5] = ss[5] = word_in(key, 5);
307 cx->ks[6] = ss[6] = word_in(key, 6);
308 cx->ks[7] = ss[7] = word_in(key, 7);
310 ke8(cx->ks, 0); ke8(cx->ks, 1);
311 ke8(cx->ks, 2); ke8(cx->ks, 3);
312 ke8(cx->ks, 4); ke8(cx->ks, 5);
315 cx->inf.b[0] = 14 * 16;
318 AES_RETURN aes_encrypt_key(const unsigned char *key, int key_len, aes_encrypt_ctx cx[1])
322 case 16: case 128: aes_encrypt_key128(key, cx); return;
323 case 24: case 192: aes_encrypt_key192(key, cx); return;
324 case 32: case 256: aes_encrypt_key256(key, cx); return;
328 #define v(n,i) ((n) - (i) + 2 * ((i) & 3))
330 { k[v(40,(4*(i))+4)] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; \
331 k[v(40,(4*(i))+5)] = ss[1] ^= ss[0]; \
332 k[v(40,(4*(i))+6)] = ss[2] ^= ss[1]; \
333 k[v(40,(4*(i))+7)] = ss[3] ^= ss[2]; \
337 { ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
338 ss[1] = ss[1] ^ ss[3]; \
339 ss[2] = ss[2] ^ ss[3]; \
340 ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; \
341 ss[i % 4] ^= ss[4]; \
342 ss[4] ^= k[v(40,(4*(i)))]; k[v(40,(4*(i))+4)] = ff(ss[4]); \
343 ss[4] ^= k[v(40,(4*(i))+1)]; k[v(40,(4*(i))+5)] = ff(ss[4]); \
344 ss[4] ^= k[v(40,(4*(i))+2)]; k[v(40,(4*(i))+6)] = ff(ss[4]); \
345 ss[4] ^= k[v(40,(4*(i))+3)]; k[v(40,(4*(i))+7)] = ff(ss[4]); \
349 { ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; \
350 ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
351 k[v(40,(4*(i))+4)] = ss[4] ^= k[v(40,(4*(i)))]; \
352 k[v(40,(4*(i))+5)] = ss[4] ^= k[v(40,(4*(i))+1)]; \
353 k[v(40,(4*(i))+6)] = ss[4] ^= k[v(40,(4*(i))+2)]; \
354 k[v(40,(4*(i))+7)] = ss[4] ^= k[v(40,(4*(i))+3)]; \
358 { ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; \
359 k[v(40,(4*(i))+4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
360 k[v(40,(4*(i))+5)] = ss[1] ^ ss[3]; \
361 k[v(40,(4*(i))+6)] = ss[0]; \
362 k[v(40,(4*(i))+7)] = ss[1]; \
365 AES_RETURN aes_decrypt_key128(const unsigned char *key, aes_decrypt_ctx cx[1])
367 #if defined( d_vars )
370 cx->ks[v(40,(0))] = ss[0] = word_in(key, 0);
371 cx->ks[v(40,(1))] = ss[1] = word_in(key, 1);
372 cx->ks[v(40,(2))] = ss[2] = word_in(key, 2);
373 cx->ks[v(40,(3))] = ss[3] = word_in(key, 3);
375 kdf4(cx->ks, 0); kd4(cx->ks, 1);
376 kd4(cx->ks, 2); kd4(cx->ks, 3);
377 kd4(cx->ks, 4); kd4(cx->ks, 5);
378 kd4(cx->ks, 6); kd4(cx->ks, 7);
379 kd4(cx->ks, 8); kdl4(cx->ks, 9);
381 cx->inf.b[0] = 10 * 16;
385 { k[v(48,(6*(i))+ 6)] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; \
386 k[v(48,(6*(i))+ 7)] = ss[1] ^= ss[0]; \
387 k[v(48,(6*(i))+ 8)] = ss[2] ^= ss[1]; \
388 k[v(48,(6*(i))+ 9)] = ss[3] ^= ss[2]; \
393 k[v(48,(6*(i))+10)] = ss[4] ^= ss[3]; \
394 k[v(48,(6*(i))+11)] = ss[5] ^= ss[4]; \
398 { ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[v(48,(6*(i))+ 6)] = ff(ss[0]); \
399 ss[1] ^= ss[0]; k[v(48,(6*(i))+ 7)] = ff(ss[1]); \
400 ss[2] ^= ss[1]; k[v(48,(6*(i))+ 8)] = ff(ss[2]); \
401 ss[3] ^= ss[2]; k[v(48,(6*(i))+ 9)] = ff(ss[3]); \
402 ss[4] ^= ss[3]; k[v(48,(6*(i))+10)] = ff(ss[4]); \
403 ss[5] ^= ss[4]; k[v(48,(6*(i))+11)] = ff(ss[5]); \
407 { ss[6] = ls_box(ss[5],3) ^ t_use(r,c)[i]; \
408 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); k[v(48,(6*(i))+ 6)] = ss[6] ^= k[v(48,(6*(i)))]; \
409 ss[1] ^= ss[0]; k[v(48,(6*(i))+ 7)] = ss[6] ^= k[v(48,(6*(i))+ 1)]; \
410 ss[2] ^= ss[1]; k[v(48,(6*(i))+ 8)] = ss[6] ^= k[v(48,(6*(i))+ 2)]; \
411 ss[3] ^= ss[2]; k[v(48,(6*(i))+ 9)] = ss[6] ^= k[v(48,(6*(i))+ 3)]; \
412 ss[4] ^= ss[3]; k[v(48,(6*(i))+10)] = ss[6] ^= k[v(48,(6*(i))+ 4)]; \
413 ss[5] ^= ss[4]; k[v(48,(6*(i))+11)] = ss[6] ^= k[v(48,(6*(i))+ 5)]; \
417 { ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[v(48,(6*(i))+ 6)] = ss[0]; \
418 ss[1] ^= ss[0]; k[v(48,(6*(i))+ 7)] = ss[1]; \
419 ss[2] ^= ss[1]; k[v(48,(6*(i))+ 8)] = ss[2]; \
420 ss[3] ^= ss[2]; k[v(48,(6*(i))+ 9)] = ss[3]; \
423 AES_RETURN aes_decrypt_key192(const unsigned char *key, aes_decrypt_ctx cx[1])
425 #if defined( d_vars )
428 cx->ks[v(48,(0))] = ss[0] = word_in(key, 0);
429 cx->ks[v(48,(1))] = ss[1] = word_in(key, 1);
430 cx->ks[v(48,(2))] = ss[2] = word_in(key, 2);
431 cx->ks[v(48,(3))] = ss[3] = word_in(key, 3);
433 cx->ks[v(48,(4))] = ff(ss[4] = word_in(key, 4));
434 cx->ks[v(48,(5))] = ff(ss[5] = word_in(key, 5));
435 kdf6(cx->ks, 0); kd6(cx->ks, 1);
436 kd6(cx->ks, 2); kd6(cx->ks, 3);
437 kd6(cx->ks, 4); kd6(cx->ks, 5);
438 kd6(cx->ks, 6); kdl6(cx->ks, 7);
440 cx->inf.b[0] = 12 * 16;
444 { k[v(56,(8*(i))+ 8)] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; \
445 k[v(56,(8*(i))+ 9)] = ss[1] ^= ss[0]; \
446 k[v(56,(8*(i))+10)] = ss[2] ^= ss[1]; \
447 k[v(56,(8*(i))+11)] = ss[3] ^= ss[2]; \
452 k[v(56,(8*(i))+12)] = ss[4] ^= ls_box(ss[3],0); \
453 k[v(56,(8*(i))+13)] = ss[5] ^= ss[4]; \
454 k[v(56,(8*(i))+14)] = ss[6] ^= ss[5]; \
455 k[v(56,(8*(i))+15)] = ss[7] ^= ss[6]; \
459 { ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[v(56,(8*(i))+ 8)] = ff(ss[0]); \
460 ss[1] ^= ss[0]; k[v(56,(8*(i))+ 9)] = ff(ss[1]); \
461 ss[2] ^= ss[1]; k[v(56,(8*(i))+10)] = ff(ss[2]); \
462 ss[3] ^= ss[2]; k[v(56,(8*(i))+11)] = ff(ss[3]); \
463 ss[4] ^= ls_box(ss[3],0); k[v(56,(8*(i))+12)] = ff(ss[4]); \
464 ss[5] ^= ss[4]; k[v(56,(8*(i))+13)] = ff(ss[5]); \
465 ss[6] ^= ss[5]; k[v(56,(8*(i))+14)] = ff(ss[6]); \
466 ss[7] ^= ss[6]; k[v(56,(8*(i))+15)] = ff(ss[7]); \
470 { ss[8] = ls_box(ss[7],3) ^ t_use(r,c)[i]; \
471 ss[0] ^= ss[8]; ss[8] = ff(ss[8]); k[v(56,(8*(i))+ 8)] = ss[8] ^= k[v(56,(8*(i)))]; \
472 ss[1] ^= ss[0]; k[v(56,(8*(i))+ 9)] = ss[8] ^= k[v(56,(8*(i))+ 1)]; \
473 ss[2] ^= ss[1]; k[v(56,(8*(i))+10)] = ss[8] ^= k[v(56,(8*(i))+ 2)]; \
474 ss[3] ^= ss[2]; k[v(56,(8*(i))+11)] = ss[8] ^= k[v(56,(8*(i))+ 3)]; \
475 ss[8] = ls_box(ss[3],0); \
476 ss[4] ^= ss[8]; ss[8] = ff(ss[8]); k[v(56,(8*(i))+12)] = ss[8] ^= k[v(56,(8*(i))+ 4)]; \
477 ss[5] ^= ss[4]; k[v(56,(8*(i))+13)] = ss[8] ^= k[v(56,(8*(i))+ 5)]; \
478 ss[6] ^= ss[5]; k[v(56,(8*(i))+14)] = ss[8] ^= k[v(56,(8*(i))+ 6)]; \
479 ss[7] ^= ss[6]; k[v(56,(8*(i))+15)] = ss[8] ^= k[v(56,(8*(i))+ 7)]; \
483 { ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[v(56,(8*(i))+ 8)] = ss[0]; \
484 ss[1] ^= ss[0]; k[v(56,(8*(i))+ 9)] = ss[1]; \
485 ss[2] ^= ss[1]; k[v(56,(8*(i))+10)] = ss[2]; \
486 ss[3] ^= ss[2]; k[v(56,(8*(i))+11)] = ss[3]; \
489 AES_RETURN aes_decrypt_key256(const unsigned char *key, aes_decrypt_ctx cx[1])
491 #if defined( d_vars )
494 cx->ks[v(56,(0))] = ss[0] = word_in(key, 0);
495 cx->ks[v(56,(1))] = ss[1] = word_in(key, 1);
496 cx->ks[v(56,(2))] = ss[2] = word_in(key, 2);
497 cx->ks[v(56,(3))] = ss[3] = word_in(key, 3);
499 cx->ks[v(56,(4))] = ff(ss[4] = word_in(key, 4));
500 cx->ks[v(56,(5))] = ff(ss[5] = word_in(key, 5));
501 cx->ks[v(56,(6))] = ff(ss[6] = word_in(key, 6));
502 cx->ks[v(56,(7))] = ff(ss[7] = word_in(key, 7));
503 kdf8(cx->ks, 0); kd8(cx->ks, 1);
504 kd8(cx->ks, 2); kd8(cx->ks, 3);
505 kd8(cx->ks, 4); kd8(cx->ks, 5);
508 cx->inf.b[0] = 14 * 16;
511 AES_RETURN aes_decrypt_key(const unsigned char *key, int key_len, aes_decrypt_ctx cx[1])
515 case 16: case 128: aes_decrypt_key128(key, cx); return;
516 case 24: case 192: aes_decrypt_key192(key, cx); return;
517 case 32: case 256: aes_decrypt_key256(key, cx); return;
522 /* C version of AES */
524 #define si(y,x,k,c) (s(y,c) = word_in(x, c) ^ (k)[c])
525 #define so(y,x,c) word_out(y, c, s(x,c))
526 #define locals(y,x) x[4],y[4]
527 #define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
528 s(y,2) = s(x,2); s(y,3) = s(x,3);
529 #define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
530 #define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
531 #define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
533 /* Visual C++ .Net v7.1 provides the fastest encryption code when using
534 Pentium optimiation with small code but this is poor for decryption
535 so we need to control this with the following VC++ pragmas
538 #if defined( _MSC_VER ) && !defined( _WIN64 )
539 #pragma optimize( "s", on )
542 #define fwd_var(x,r,c)\
543 ( r == 0 ? ( c == 0 ? s(x,0) : c == 1 ? s(x,1) : c == 2 ? s(x,2) : s(x,3))\
544 : r == 1 ? ( c == 0 ? s(x,1) : c == 1 ? s(x,2) : c == 2 ? s(x,3) : s(x,0))\
545 : r == 2 ? ( c == 0 ? s(x,2) : c == 1 ? s(x,3) : c == 2 ? s(x,0) : s(x,1))\
546 : ( c == 0 ? s(x,3) : c == 1 ? s(x,0) : c == 2 ? s(x,1) : s(x,2)))
547 #define fwd_rnd(y,x,k,c) (s(y,c) = (k)[c] ^ four_tables(x,t_use(f,n),fwd_var,rf1,c))
548 #define fwd_lrnd(y,x,k,c) (s(y,c) = (k)[c] ^ four_tables(x,t_use(f,l),fwd_var,rf1,c))
550 AES_RETURN aes_encrypt(const unsigned char *in, unsigned char *out, const aes_encrypt_ctx cx[1])
551 { uint_32t locals(b0, b1);
555 state_in(b0, in, kp);
560 round(fwd_rnd, b1, b0, kp + 1 * N_COLS);
561 round(fwd_rnd, b0, b1, kp + 2 * N_COLS);
564 round(fwd_rnd, b1, b0, kp + 1 * N_COLS);
565 round(fwd_rnd, b0, b1, kp + 2 * N_COLS);
568 round(fwd_rnd, b1, b0, kp + 1 * N_COLS);
569 round(fwd_rnd, b0, b1, kp + 2 * N_COLS);
570 round(fwd_rnd, b1, b0, kp + 3 * N_COLS);
571 round(fwd_rnd, b0, b1, kp + 4 * N_COLS);
572 round(fwd_rnd, b1, b0, kp + 5 * N_COLS);
573 round(fwd_rnd, b0, b1, kp + 6 * N_COLS);
574 round(fwd_rnd, b1, b0, kp + 7 * N_COLS);
575 round(fwd_rnd, b0, b1, kp + 8 * N_COLS);
576 round(fwd_rnd, b1, b0, kp + 9 * N_COLS);
577 round(fwd_lrnd, b0, b1, kp +10 * N_COLS);
583 #define inv_var(x,r,c)\
584 ( r == 0 ? ( c == 0 ? s(x,0) : c == 1 ? s(x,1) : c == 2 ? s(x,2) : s(x,3))\
585 : r == 1 ? ( c == 0 ? s(x,3) : c == 1 ? s(x,0) : c == 2 ? s(x,1) : s(x,2))\
586 : r == 2 ? ( c == 0 ? s(x,2) : c == 1 ? s(x,3) : c == 2 ? s(x,0) : s(x,1))\
587 : ( c == 0 ? s(x,1) : c == 1 ? s(x,2) : c == 2 ? s(x,3) : s(x,0)))
589 #define inv_rnd(y,x,k,c) (s(y,c) = (k)[c] ^ four_tables(x,t_use(i,n),inv_var,rf1,c))
590 #define inv_lrnd(y,x,k,c) (s(y,c) = (k)[c] ^ four_tables(x,t_use(i,l),inv_var,rf1,c))
592 #define rnd_key(n) (kp + n * N_COLS)
594 AES_RETURN aes_decrypt(const unsigned char *in, unsigned char *out, const aes_decrypt_ctx cx[1])
595 { uint_32t locals(b0, b1);
598 kp = cx->ks + (key_ofs ? (cx->inf.b[0] >> 2) : 0);
599 state_in(b0, in, kp);
601 kp = cx->ks + (key_ofs ? 0 : (cx->inf.b[0] >> 2));
605 round(inv_rnd, b1, b0, rnd_key(-13));
606 round(inv_rnd, b0, b1, rnd_key(-12));
608 round(inv_rnd, b1, b0, rnd_key(-11));
609 round(inv_rnd, b0, b1, rnd_key(-10));
611 round(inv_rnd, b1, b0, rnd_key(-9));
612 round(inv_rnd, b0, b1, rnd_key(-8));
613 round(inv_rnd, b1, b0, rnd_key(-7));
614 round(inv_rnd, b0, b1, rnd_key(-6));
615 round(inv_rnd, b1, b0, rnd_key(-5));
616 round(inv_rnd, b0, b1, rnd_key(-4));
617 round(inv_rnd, b1, b0, rnd_key(-3));
618 round(inv_rnd, b0, b1, rnd_key(-2));
619 round(inv_rnd, b1, b0, rnd_key(-1));
620 round(inv_lrnd, b0, b1, rnd_key( 0));
626 #if defined(__cplusplus)
630 #endif /* SILC_AES_ASM */