search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drivers/staging: delete double assignment
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / drivers / staging / rt2860 / common / cmm_aes.c
bloba99879bada4279a5843ff3d3409b908f6c8f8a0b
1 /*
2 *************************************************************************
3 * Ralink Tech Inc.
4 * 5F., No.36, Taiyuan St., Jhubei City,
5 * Hsinchu County 302,
6 * Taiwan, R.O.C.
7 *
8 * (c) Copyright 2002-2007, Ralink Technology, Inc.
9 *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 * This program is distributed in the hope that it will be useful, *
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
18 * GNU General Public License for more details. *
19 * *
20 * You should have received a copy of the GNU General Public License *
21 * along with this program; if not, write to the *
22 * Free Software Foundation, Inc., *
23 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
24 * *
25 *************************************************************************
26
27 Module Name:
28 cmm_aes.c
29
30 Abstract:
31
32 Revision History:
33 Who When What
34 -------- ---------- ----------------------------------------------
35 Paul Wu 02-25-02 Initial
36 */
37
38 #include "../rt_config.h"
39
40 struct aes_context {
41 u32 erk[64]; /* encryption round keys */
42 u32 drk[64]; /* decryption round keys */
43 int nr; /* number of rounds */
44 };
45
46 /*****************************/
47 /******** SBOX Table *********/
48 /*****************************/
49
50 u8 SboxTable[256] = {
51 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
52 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
53 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
54 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
55 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
56 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
57 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
58 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
59 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
60 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
61 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
62 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
63 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
64 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
65 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
66 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
67 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
68 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
69 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
70 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
71 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
72 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
73 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
74 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
75 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
76 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
77 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
78 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
79 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
80 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
81 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
82 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
83 };
84
85 void xor_32(u8 *a, u8 *b, u8 *out)
86 {
87 int i;
88
89 for (i = 0; i < 4; i++) {
90 out[i] = a[i] ^ b[i];
91 }
92 }
93
94 void xor_128(u8 *a, u8 *b, u8 *out)
95 {
96 int i;
97
98 for (i = 0; i < 16; i++) {
99 out[i] = a[i] ^ b[i];
100 }
101 }
102
103 u8 RTMPCkipSbox(u8 a)
104 {
105 return SboxTable[(int)a];
106 }
107
108 void next_key(u8 *key, int round)
109 {
110 u8 rcon;
111 u8 sbox_key[4];
112 u8 rcon_table[12] = {
113 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
114 0x1b, 0x36, 0x36, 0x36
115 };
116
117 sbox_key[0] = RTMPCkipSbox(key[13]);
118 sbox_key[1] = RTMPCkipSbox(key[14]);
119 sbox_key[2] = RTMPCkipSbox(key[15]);
120 sbox_key[3] = RTMPCkipSbox(key[12]);
121
122 rcon = rcon_table[round];
123
124 xor_32(&key[0], sbox_key, &key[0]);
125 key[0] = key[0] ^ rcon;
126
127 xor_32(&key[4], &key[0], &key[4]);
128 xor_32(&key[8], &key[4], &key[8]);
129 xor_32(&key[12], &key[8], &key[12]);
130 }
131
132 void byte_sub(u8 *in, u8 *out)
133 {
134 int i;
135
136 for (i = 0; i < 16; i++) {
137 out[i] = RTMPCkipSbox(in[i]);
138 }
139 }
140
141 /************************************/
142 /* bitwise_xor() */
143 /* A 128 bit, bitwise exclusive or */
144 /************************************/
145
146 void bitwise_xor(unsigned char *ina, unsigned char *inb, unsigned char *out)
147 {
148 int i;
149 for (i = 0; i < 16; i++) {
150 out[i] = ina[i] ^ inb[i];
151 }
152 }
153
154 void shift_row(u8 *in, u8 *out)
155 {
156 out[0] = in[0];
157 out[1] = in[5];
158 out[2] = in[10];
159 out[3] = in[15];
160 out[4] = in[4];
161 out[5] = in[9];
162 out[6] = in[14];
163 out[7] = in[3];
164 out[8] = in[8];
165 out[9] = in[13];
166 out[10] = in[2];
167 out[11] = in[7];
168 out[12] = in[12];
169 out[13] = in[1];
170 out[14] = in[6];
171 out[15] = in[11];
172 }
173
174 void mix_column(u8 *in, u8 *out)
175 {
176 int i;
177 u8 add1b[4];
178 u8 add1bf7[4];
179 u8 rotl[4];
180 u8 swap_halfs[4];
181 u8 andf7[4];
182 u8 rotr[4];
183 u8 temp[4];
184 u8 tempb[4];
185
186 for (i = 0; i < 4; i++) {
187 if ((in[i] & 0x80) == 0x80)
188 add1b[i] = 0x1b;
189 else
190 add1b[i] = 0x00;
191 }
192
193 swap_halfs[0] = in[2]; /* Swap halfs */
194 swap_halfs[1] = in[3];
195 swap_halfs[2] = in[0];
196 swap_halfs[3] = in[1];
197
198 rotl[0] = in[3]; /* Rotate left 8 bits */
199 rotl[1] = in[0];
200 rotl[2] = in[1];
201 rotl[3] = in[2];
202
203 andf7[0] = in[0] & 0x7f;
204 andf7[1] = in[1] & 0x7f;
205 andf7[2] = in[2] & 0x7f;
206 andf7[3] = in[3] & 0x7f;
207
208 for (i = 3; i > 0; i--) { /* logical shift left 1 bit */
209 andf7[i] = andf7[i] << 1;
210 if ((andf7[i - 1] & 0x80) == 0x80) {
211 andf7[i] = (andf7[i] | 0x01);
212 }
213 }
214 andf7[0] = andf7[0] << 1;
215 andf7[0] = andf7[0] & 0xfe;
216
217 xor_32(add1b, andf7, add1bf7);
218
219 xor_32(in, add1bf7, rotr);
220
221 temp[0] = rotr[0]; /* Rotate right 8 bits */
222 rotr[0] = rotr[1];
223 rotr[1] = rotr[2];
224 rotr[2] = rotr[3];
225 rotr[3] = temp[0];
226
227 xor_32(add1bf7, rotr, temp);
228 xor_32(swap_halfs, rotl, tempb);
229 xor_32(temp, tempb, out);
230 }
231
232 /************************************************/
233 /* construct_mic_header1() */
234 /* Builds the first MIC header block from */
235 /* header fields. */
236 /************************************************/
237
238 void construct_mic_header1(unsigned char *mic_header1,
239 int header_length, unsigned char *mpdu)
240 {
241 mic_header1[0] = (unsigned char)((header_length - 2) / 256);
242 mic_header1[1] = (unsigned char)((header_length - 2) % 256);
243 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
244 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
245 mic_header1[4] = mpdu[4]; /* A1 */
246 mic_header1[5] = mpdu[5];
247 mic_header1[6] = mpdu[6];
248 mic_header1[7] = mpdu[7];
249 mic_header1[8] = mpdu[8];
250 mic_header1[9] = mpdu[9];
251 mic_header1[10] = mpdu[10]; /* A2 */
252 mic_header1[11] = mpdu[11];
253 mic_header1[12] = mpdu[12];
254 mic_header1[13] = mpdu[13];
255 mic_header1[14] = mpdu[14];
256 mic_header1[15] = mpdu[15];
257 }
258
259 /************************************************/
260 /* construct_mic_header2() */
261 /* Builds the last MIC header block from */
262 /* header fields. */
263 /************************************************/
264
265 void construct_mic_header2(unsigned char *mic_header2,
266 unsigned char *mpdu, int a4_exists, int qc_exists)
267 {
268 int i;
269
270 for (i = 0; i < 16; i++)
271 mic_header2[i] = 0x00;
272
273 mic_header2[0] = mpdu[16]; /* A3 */
274 mic_header2[1] = mpdu[17];
275 mic_header2[2] = mpdu[18];
276 mic_header2[3] = mpdu[19];
277 mic_header2[4] = mpdu[20];
278 mic_header2[5] = mpdu[21];
279
280 /* In Sequence Control field, mute sequence numer bits (12-bit) */
281 mic_header2[6] = mpdu[22] & 0x0f; /* SC */
282 mic_header2[7] = 0x00; /* mpdu[23]; */
283
284 if ((!qc_exists) && a4_exists) {
285 for (i = 0; i < 6; i++)
286 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
287
288 }
289
290 if (qc_exists && (!a4_exists)) {
291 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
292 mic_header2[9] = mpdu[25] & 0x00;
293 }
294
295 if (qc_exists && a4_exists) {
296 for (i = 0; i < 6; i++)
297 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
298
299 mic_header2[14] = mpdu[30] & 0x0f;
300 mic_header2[15] = mpdu[31] & 0x00;
301 }
302 }
303
304 /************************************************/
305 /* construct_mic_iv() */
306 /* Builds the MIC IV from header fields and PN */
307 /************************************************/
308
309 void construct_mic_iv(unsigned char *mic_iv,
310 int qc_exists,
311 int a4_exists,
312 unsigned char *mpdu,
313 unsigned int payload_length, unsigned char *pn_vector)
314 {
315 int i;
316
317 mic_iv[0] = 0x59;
318 if (qc_exists && a4_exists)
319 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
320 if (qc_exists && !a4_exists)
321 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
322 if (!qc_exists)
323 mic_iv[1] = 0x00;
324 for (i = 2; i < 8; i++)
325 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
326 #ifdef CONSISTENT_PN_ORDER
327 for (i = 8; i < 14; i++)
328 mic_iv[i] = pn_vector[i - 8]; /* mic_iv[8:13] = PN[0:5] */
329 #else
330 for (i = 8; i < 14; i++)
331 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
332 #endif
333 mic_iv[14] = (unsigned char)(payload_length / 256);
334 mic_iv[15] = (unsigned char)(payload_length % 256);
335
336 }
337
338 /****************************************/
339 /* aes128k128d() */
340 /* Performs a 128 bit AES encrypt with */
341 /* 128 bit data. */
342 /****************************************/
343 void aes128k128d(unsigned char *key, unsigned char *data,
344 unsigned char *ciphertext)
345 {
346 int round;
347 int i;
348 unsigned char intermediatea[16];
349 unsigned char intermediateb[16];
350 unsigned char round_key[16];
351
352 for (i = 0; i < 16; i++)
353 round_key[i] = key[i];
354
355 for (round = 0; round < 11; round++) {
356 if (round == 0) {
357 xor_128(round_key, data, ciphertext);
358 next_key(round_key, round);
359 } else if (round == 10) {
360 byte_sub(ciphertext, intermediatea);
361 shift_row(intermediatea, intermediateb);
362 xor_128(intermediateb, round_key, ciphertext);
363 } else { /* 1 - 9 */
364
365 byte_sub(ciphertext, intermediatea);
366 shift_row(intermediatea, intermediateb);
367 mix_column(&intermediateb[0], &intermediatea[0]);
368 mix_column(&intermediateb[4], &intermediatea[4]);
369 mix_column(&intermediateb[8], &intermediatea[8]);
370 mix_column(&intermediateb[12], &intermediatea[12]);
371 xor_128(intermediatea, round_key, ciphertext);
372 next_key(round_key, round);
373 }
374 }
375
376 }
377
378 void construct_ctr_preload(unsigned char *ctr_preload,
379 int a4_exists,
380 int qc_exists,
381 unsigned char *mpdu, unsigned char *pn_vector, int c)
382 {
383
384 int i = 0;
385 for (i = 0; i < 16; i++)
386 ctr_preload[i] = 0x00;
387 i = 0;
388
389 ctr_preload[0] = 0x01; /* flag */
390 if (qc_exists && a4_exists)
391 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
392 if (qc_exists && !a4_exists)
393 ctr_preload[1] = mpdu[24] & 0x0f;
394
395 for (i = 2; i < 8; i++)
396 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
397 #ifdef CONSISTENT_PN_ORDER
398 for (i = 8; i < 14; i++)
399 ctr_preload[i] = pn_vector[i - 8]; /* ctr_preload[8:13] = PN[0:5] */
400 #else
401 for (i = 8; i < 14; i++)
402 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
403 #endif
404 ctr_preload[14] = (unsigned char)(c / 256); /* Ctr */
405 ctr_preload[15] = (unsigned char)(c % 256);
406
407 }
408
409 BOOLEAN RTMPSoftDecryptAES(struct rt_rtmp_adapter *pAd,
410 u8 *pData,
411 unsigned long DataByteCnt, struct rt_cipher_key *pWpaKey)
412 {
413 u8 KeyID;
414 u32 HeaderLen;
415 u8 PN[6];
416 u32 payload_len;
417 u32 num_blocks;
418 u32 payload_remainder;
419 u16 fc;
420 u8 fc0;
421 u8 fc1;
422 u32 frame_type;
423 u32 frame_subtype;
424 u32 from_ds;
425 u32 to_ds;
426 int a4_exists;
427 int qc_exists;
428 u8 aes_out[16];
429 int payload_index;
430 u32 i;
431 u8 ctr_preload[16];
432 u8 chain_buffer[16];
433 u8 padded_buffer[16];
434 u8 mic_iv[16];
435 u8 mic_header1[16];
436 u8 mic_header2[16];
437 u8 MIC[8];
438 u8 TrailMIC[8];
439
440 fc0 = *pData;
441 fc1 = *(pData + 1);
442
443 fc = *((u16 *)pData);
444
445 frame_type = ((fc0 >> 2) & 0x03);
446 frame_subtype = ((fc0 >> 4) & 0x0f);
447
448 from_ds = (fc1 & 0x2) >> 1;
449 to_ds = (fc1 & 0x1);
450
451 a4_exists = (from_ds & to_ds);
452 qc_exists = ((frame_subtype == 0x08) || /* Assumed QoS subtypes */
453 (frame_subtype == 0x09) || /* Likely to change. */
454 (frame_subtype == 0x0a) || (frame_subtype == 0x0b)
455 );
456
457 HeaderLen = 24;
458 if (a4_exists)
459 HeaderLen += 6;
460
461 KeyID = *((u8 *)(pData + HeaderLen + 3));
462 KeyID = KeyID >> 6;
463
464 if (pWpaKey[KeyID].KeyLen == 0) {
465 DBGPRINT(RT_DEBUG_TRACE,
466 ("RTMPSoftDecryptAES failed!(KeyID[%d] Length can not be 0)\n",
467 KeyID));
468 return FALSE;
469 }
470
471 PN[0] = *(pData + HeaderLen);
472 PN[1] = *(pData + HeaderLen + 1);
473 PN[2] = *(pData + HeaderLen + 4);
474 PN[3] = *(pData + HeaderLen + 5);
475 PN[4] = *(pData + HeaderLen + 6);
476 PN[5] = *(pData + HeaderLen + 7);
477
478 payload_len = DataByteCnt - HeaderLen - 8 - 8; /* 8 bytes for CCMP header , 8 bytes for MIC */
479 payload_remainder = (payload_len) % 16;
480 num_blocks = (payload_len) / 16;
481
482 /* Find start of payload */
483 payload_index = HeaderLen + 8; /*IV+EIV */
484
485 for (i = 0; i < num_blocks; i++) {
486 construct_ctr_preload(ctr_preload,
487 a4_exists, qc_exists, pData, PN, i + 1);
488
489 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
490
491 bitwise_xor(aes_out, pData + payload_index, chain_buffer);
492 NdisMoveMemory(pData + payload_index - 8, chain_buffer, 16);
493 payload_index += 16;
494 }
495
496 /* */
497 /* If there is a short final block, then pad it */
498 /* encrypt it and copy the unpadded part back */
499 /* */
500 if (payload_remainder > 0) {
501 construct_ctr_preload(ctr_preload,
502 a4_exists,
503 qc_exists, pData, PN, num_blocks + 1);
504
505 NdisZeroMemory(padded_buffer, 16);
506 NdisMoveMemory(padded_buffer, pData + payload_index,
507 payload_remainder);
508
509 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
510
511 bitwise_xor(aes_out, padded_buffer, chain_buffer);
512 NdisMoveMemory(pData + payload_index - 8, chain_buffer,
513 payload_remainder);
514 payload_index += payload_remainder;
515 }
516 /* */
517 /* Descrypt the MIC */
518 /* */
519 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pData, PN, 0);
520 NdisZeroMemory(padded_buffer, 16);
521 NdisMoveMemory(padded_buffer, pData + payload_index, 8);
522
523 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
524
525 bitwise_xor(aes_out, padded_buffer, chain_buffer);
526
527 NdisMoveMemory(TrailMIC, chain_buffer, 8);
528
529 /* */
530 /* Calculate MIC */
531 /* */
532
533 /*Force the protected frame bit on */
534 *(pData + 1) = *(pData + 1) | 0x40;
535
536 /* Find start of payload */
537 /* Because the CCMP header has been removed */
538 payload_index = HeaderLen;
539
540 construct_mic_iv(mic_iv, qc_exists, a4_exists, pData, payload_len, PN);
541
542 construct_mic_header1(mic_header1, HeaderLen, pData);
543
544 construct_mic_header2(mic_header2, pData, a4_exists, qc_exists);
545
546 aes128k128d(pWpaKey[KeyID].Key, mic_iv, aes_out);
547 bitwise_xor(aes_out, mic_header1, chain_buffer);
548 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
549 bitwise_xor(aes_out, mic_header2, chain_buffer);
550 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
551
552 /* iterate through each 16 byte payload block */
553 for (i = 0; i < num_blocks; i++) {
554 bitwise_xor(aes_out, pData + payload_index, chain_buffer);
555 payload_index += 16;
556 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
557 }
558
559 /* Add on the final payload block if it needs padding */
560 if (payload_remainder > 0) {
561 NdisZeroMemory(padded_buffer, 16);
562 NdisMoveMemory(padded_buffer, pData + payload_index,
563 payload_remainder);
564
565 bitwise_xor(aes_out, padded_buffer, chain_buffer);
566 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
567 }
568 /* aes_out contains padded mic, discard most significant */
569 /* 8 bytes to generate 64 bit MIC */
570 for (i = 0; i < 8; i++)
571 MIC[i] = aes_out[i];
572
573 if (!NdisEqualMemory(MIC, TrailMIC, 8)) {
574 DBGPRINT(RT_DEBUG_ERROR, ("RTMPSoftDecryptAES, MIC Error !\n")); /*MIC error. */
575 return FALSE;
576 }
577
578 return TRUE;
579 }
580
581 /* ========================= AES En/Decryption ========================== */
582 #ifndef uint8
583 #define uint8 unsigned char
584 #endif
585
586 #ifndef uint32
587 #define uint32 unsigned int
588 #endif
589
590 /* forward S-box */
591 static uint32 FSb[256] = {
592 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
593 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
594 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
595 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
596 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
597 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
598 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
599 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
600 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
601 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
602 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
603 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
604 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
605 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
606 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
607 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
608 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
609 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
610 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
611 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
612 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
613 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
614 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
615 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
616 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
617 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
618 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
619 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
620 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
621 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
622 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
623 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
624 };
625
626 /* forward table */
627 #define FT \
628 \
629 V(C6,63,63,A5), V(F8,7C,7C,84), V(EE,77,77,99), V(F6,7B,7B,8D), \
630 V(FF,F2,F2,0D), V(D6,6B,6B,BD), V(DE,6F,6F,B1), V(91,C5,C5,54), \
631 V(60,30,30,50), V(02,01,01,03), V(CE,67,67,A9), V(56,2B,2B,7D), \
632 V(E7,FE,FE,19), V(B5,D7,D7,62), V(4D,AB,AB,E6), V(EC,76,76,9A), \
633 V(8F,CA,CA,45), V(1F,82,82,9D), V(89,C9,C9,40), V(FA,7D,7D,87), \
634 V(EF,FA,FA,15), V(B2,59,59,EB), V(8E,47,47,C9), V(FB,F0,F0,0B), \
635 V(41,AD,AD,EC), V(B3,D4,D4,67), V(5F,A2,A2,FD), V(45,AF,AF,EA), \
636 V(23,9C,9C,BF), V(53,A4,A4,F7), V(E4,72,72,96), V(9B,C0,C0,5B), \
637 V(75,B7,B7,C2), V(E1,FD,FD,1C), V(3D,93,93,AE), V(4C,26,26,6A), \
638 V(6C,36,36,5A), V(7E,3F,3F,41), V(F5,F7,F7,02), V(83,CC,CC,4F), \
639 V(68,34,34,5C), V(51,A5,A5,F4), V(D1,E5,E5,34), V(F9,F1,F1,08), \
640 V(E2,71,71,93), V(AB,D8,D8,73), V(62,31,31,53), V(2A,15,15,3F), \
641 V(08,04,04,0C), V(95,C7,C7,52), V(46,23,23,65), V(9D,C3,C3,5E), \
642 V(30,18,18,28), V(37,96,96,A1), V(0A,05,05,0F), V(2F,9A,9A,B5), \
643 V(0E,07,07,09), V(24,12,12,36), V(1B,80,80,9B), V(DF,E2,E2,3D), \
644 V(CD,EB,EB,26), V(4E,27,27,69), V(7F,B2,B2,CD), V(EA,75,75,9F), \
645 V(12,09,09,1B), V(1D,83,83,9E), V(58,2C,2C,74), V(34,1A,1A,2E), \
646 V(36,1B,1B,2D), V(DC,6E,6E,B2), V(B4,5A,5A,EE), V(5B,A0,A0,FB), \
647 V(A4,52,52,F6), V(76,3B,3B,4D), V(B7,D6,D6,61), V(7D,B3,B3,CE), \
648 V(52,29,29,7B), V(DD,E3,E3,3E), V(5E,2F,2F,71), V(13,84,84,97), \
649 V(A6,53,53,F5), V(B9,D1,D1,68), V(00,00,00,00), V(C1,ED,ED,2C), \
650 V(40,20,20,60), V(E3,FC,FC,1F), V(79,B1,B1,C8), V(B6,5B,5B,ED), \
651 V(D4,6A,6A,BE), V(8D,CB,CB,46), V(67,BE,BE,D9), V(72,39,39,4B), \
652 V(94,4A,4A,DE), V(98,4C,4C,D4), V(B0,58,58,E8), V(85,CF,CF,4A), \
653 V(BB,D0,D0,6B), V(C5,EF,EF,2A), V(4F,AA,AA,E5), V(ED,FB,FB,16), \
654 V(86,43,43,C5), V(9A,4D,4D,D7), V(66,33,33,55), V(11,85,85,94), \
655 V(8A,45,45,CF), V(E9,F9,F9,10), V(04,02,02,06), V(FE,7F,7F,81), \
656 V(A0,50,50,F0), V(78,3C,3C,44), V(25,9F,9F,BA), V(4B,A8,A8,E3), \
657 V(A2,51,51,F3), V(5D,A3,A3,FE), V(80,40,40,C0), V(05,8F,8F,8A), \
658 V(3F,92,92,AD), V(21,9D,9D,BC), V(70,38,38,48), V(F1,F5,F5,04), \
659 V(63,BC,BC,DF), V(77,B6,B6,C1), V(AF,DA,DA,75), V(42,21,21,63), \
660 V(20,10,10,30), V(E5,FF,FF,1A), V(FD,F3,F3,0E), V(BF,D2,D2,6D), \
661 V(81,CD,CD,4C), V(18,0C,0C,14), V(26,13,13,35), V(C3,EC,EC,2F), \
662 V(BE,5F,5F,E1), V(35,97,97,A2), V(88,44,44,CC), V(2E,17,17,39), \
663 V(93,C4,C4,57), V(55,A7,A7,F2), V(FC,7E,7E,82), V(7A,3D,3D,47), \
664 V(C8,64,64,AC), V(BA,5D,5D,E7), V(32,19,19,2B), V(E6,73,73,95), \
665 V(C0,60,60,A0), V(19,81,81,98), V(9E,4F,4F,D1), V(A3,DC,DC,7F), \
666 V(44,22,22,66), V(54,2A,2A,7E), V(3B,90,90,AB), V(0B,88,88,83), \
667 V(8C,46,46,CA), V(C7,EE,EE,29), V(6B,B8,B8,D3), V(28,14,14,3C), \
668 V(A7,DE,DE,79), V(BC,5E,5E,E2), V(16,0B,0B,1D), V(AD,DB,DB,76), \
669 V(DB,E0,E0,3B), V(64,32,32,56), V(74,3A,3A,4E), V(14,0A,0A,1E), \
670 V(92,49,49,DB), V(0C,06,06,0A), V(48,24,24,6C), V(B8,5C,5C,E4), \
671 V(9F,C2,C2,5D), V(BD,D3,D3,6E), V(43,AC,AC,EF), V(C4,62,62,A6), \
672 V(39,91,91,A8), V(31,95,95,A4), V(D3,E4,E4,37), V(F2,79,79,8B), \
673 V(D5,E7,E7,32), V(8B,C8,C8,43), V(6E,37,37,59), V(DA,6D,6D,B7), \
674 V(01,8D,8D,8C), V(B1,D5,D5,64), V(9C,4E,4E,D2), V(49,A9,A9,E0), \
675 V(D8,6C,6C,B4), V(AC,56,56,FA), V(F3,F4,F4,07), V(CF,EA,EA,25), \
676 V(CA,65,65,AF), V(F4,7A,7A,8E), V(47,AE,AE,E9), V(10,08,08,18), \
677 V(6F,BA,BA,D5), V(F0,78,78,88), V(4A,25,25,6F), V(5C,2E,2E,72), \
678 V(38,1C,1C,24), V(57,A6,A6,F1), V(73,B4,B4,C7), V(97,C6,C6,51), \
679 V(CB,E8,E8,23), V(A1,DD,DD,7C), V(E8,74,74,9C), V(3E,1F,1F,21), \
680 V(96,4B,4B,DD), V(61,BD,BD,DC), V(0D,8B,8B,86), V(0F,8A,8A,85), \
681 V(E0,70,70,90), V(7C,3E,3E,42), V(71,B5,B5,C4), V(CC,66,66,AA), \
682 V(90,48,48,D8), V(06,03,03,05), V(F7,F6,F6,01), V(1C,0E,0E,12), \
683 V(C2,61,61,A3), V(6A,35,35,5F), V(AE,57,57,F9), V(69,B9,B9,D0), \
684 V(17,86,86,91), V(99,C1,C1,58), V(3A,1D,1D,27), V(27,9E,9E,B9), \
685 V(D9,E1,E1,38), V(EB,F8,F8,13), V(2B,98,98,B3), V(22,11,11,33), \
686 V(D2,69,69,BB), V(A9,D9,D9,70), V(07,8E,8E,89), V(33,94,94,A7), \
687 V(2D,9B,9B,B6), V(3C,1E,1E,22), V(15,87,87,92), V(C9,E9,E9,20), \
688 V(87,CE,CE,49), V(AA,55,55,FF), V(50,28,28,78), V(A5,DF,DF,7A), \
689 V(03,8C,8C,8F), V(59,A1,A1,F8), V(09,89,89,80), V(1A,0D,0D,17), \
690 V(65,BF,BF,DA), V(D7,E6,E6,31), V(84,42,42,C6), V(D0,68,68,B8), \
691 V(82,41,41,C3), V(29,99,99,B0), V(5A,2D,2D,77), V(1E,0F,0F,11), \
692 V(7B,B0,B0,CB), V(A8,54,54,FC), V(6D,BB,BB,D6), V(2C,16,16,3A)
693
694 #define V(a,b,c,d) 0x##a##b##c##d
695 static uint32 FT0[256] = { FT };
696
697 #undef V
698
699 #define V(a,b,c,d) 0x##d##a##b##c
700 static uint32 FT1[256] = { FT };
701
702 #undef V
703
704 #define V(a,b,c,d) 0x##c##d##a##b
705 static uint32 FT2[256] = { FT };
706
707 #undef V
708
709 #define V(a,b,c,d) 0x##b##c##d##a
710 static uint32 FT3[256] = { FT };
711
712 #undef V
713
714 #undef FT
715
716 /* reverse S-box */
717
718 static uint32 RSb[256] = {
719 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
720 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
721 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
722 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
723 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
724 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
725 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
726 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
727 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
728 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
729 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
730 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
731 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
732 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
733 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
734 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
735 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
736 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
737 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
738 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
739 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
740 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
741 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
742 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
743 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
744 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
745 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
746 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
747 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
748 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
749 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
750 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
751 };
752
753 /* reverse table */
754
755 #define RT \
756 \
757 V(51,F4,A7,50), V(7E,41,65,53), V(1A,17,A4,C3), V(3A,27,5E,96), \
758 V(3B,AB,6B,CB), V(1F,9D,45,F1), V(AC,FA,58,AB), V(4B,E3,03,93), \
759 V(20,30,FA,55), V(AD,76,6D,F6), V(88,CC,76,91), V(F5,02,4C,25), \
760 V(4F,E5,D7,FC), V(C5,2A,CB,D7), V(26,35,44,80), V(B5,62,A3,8F), \
761 V(DE,B1,5A,49), V(25,BA,1B,67), V(45,EA,0E,98), V(5D,FE,C0,E1), \
762 V(C3,2F,75,02), V(81,4C,F0,12), V(8D,46,97,A3), V(6B,D3,F9,C6), \
763 V(03,8F,5F,E7), V(15,92,9C,95), V(BF,6D,7A,EB), V(95,52,59,DA), \
764 V(D4,BE,83,2D), V(58,74,21,D3), V(49,E0,69,29), V(8E,C9,C8,44), \
765 V(75,C2,89,6A), V(F4,8E,79,78), V(99,58,3E,6B), V(27,B9,71,DD), \
766 V(BE,E1,4F,B6), V(F0,88,AD,17), V(C9,20,AC,66), V(7D,CE,3A,B4), \
767 V(63,DF,4A,18), V(E5,1A,31,82), V(97,51,33,60), V(62,53,7F,45), \
768 V(B1,64,77,E0), V(BB,6B,AE,84), V(FE,81,A0,1C), V(F9,08,2B,94), \
769 V(70,48,68,58), V(8F,45,FD,19), V(94,DE,6C,87), V(52,7B,F8,B7), \
770 V(AB,73,D3,23), V(72,4B,02,E2), V(E3,1F,8F,57), V(66,55,AB,2A), \
771 V(B2,EB,28,07), V(2F,B5,C2,03), V(86,C5,7B,9A), V(D3,37,08,A5), \
772 V(30,28,87,F2), V(23,BF,A5,B2), V(02,03,6A,BA), V(ED,16,82,5C), \
773 V(8A,CF,1C,2B), V(A7,79,B4,92), V(F3,07,F2,F0), V(4E,69,E2,A1), \
774 V(65,DA,F4,CD), V(06,05,BE,D5), V(D1,34,62,1F), V(C4,A6,FE,8A), \
775 V(34,2E,53,9D), V(A2,F3,55,A0), V(05,8A,E1,32), V(A4,F6,EB,75), \
776 V(0B,83,EC,39), V(40,60,EF,AA), V(5E,71,9F,06), V(BD,6E,10,51), \
777 V(3E,21,8A,F9), V(96,DD,06,3D), V(DD,3E,05,AE), V(4D,E6,BD,46), \
778 V(91,54,8D,B5), V(71,C4,5D,05), V(04,06,D4,6F), V(60,50,15,FF), \
779 V(19,98,FB,24), V(D6,BD,E9,97), V(89,40,43,CC), V(67,D9,9E,77), \
780 V(B0,E8,42,BD), V(07,89,8B,88), V(E7,19,5B,38), V(79,C8,EE,DB), \
781 V(A1,7C,0A,47), V(7C,42,0F,E9), V(F8,84,1E,C9), V(00,00,00,00), \
782 V(09,80,86,83), V(32,2B,ED,48), V(1E,11,70,AC), V(6C,5A,72,4E), \
783 V(FD,0E,FF,FB), V(0F,85,38,56), V(3D,AE,D5,1E), V(36,2D,39,27), \
784 V(0A,0F,D9,64), V(68,5C,A6,21), V(9B,5B,54,D1), V(24,36,2E,3A), \
785 V(0C,0A,67,B1), V(93,57,E7,0F), V(B4,EE,96,D2), V(1B,9B,91,9E), \
786 V(80,C0,C5,4F), V(61,DC,20,A2), V(5A,77,4B,69), V(1C,12,1A,16), \
787 V(E2,93,BA,0A), V(C0,A0,2A,E5), V(3C,22,E0,43), V(12,1B,17,1D), \
788 V(0E,09,0D,0B), V(F2,8B,C7,AD), V(2D,B6,A8,B9), V(14,1E,A9,C8), \
789 V(57,F1,19,85), V(AF,75,07,4C), V(EE,99,DD,BB), V(A3,7F,60,FD), \
790 V(F7,01,26,9F), V(5C,72,F5,BC), V(44,66,3B,C5), V(5B,FB,7E,34), \
791 V(8B,43,29,76), V(CB,23,C6,DC), V(B6,ED,FC,68), V(B8,E4,F1,63), \
792 V(D7,31,DC,CA), V(42,63,85,10), V(13,97,22,40), V(84,C6,11,20), \
793 V(85,4A,24,7D), V(D2,BB,3D,F8), V(AE,F9,32,11), V(C7,29,A1,6D), \
794 V(1D,9E,2F,4B), V(DC,B2,30,F3), V(0D,86,52,EC), V(77,C1,E3,D0), \
795 V(2B,B3,16,6C), V(A9,70,B9,99), V(11,94,48,FA), V(47,E9,64,22), \
796 V(A8,FC,8C,C4), V(A0,F0,3F,1A), V(56,7D,2C,D8), V(22,33,90,EF), \
797 V(87,49,4E,C7), V(D9,38,D1,C1), V(8C,CA,A2,FE), V(98,D4,0B,36), \
798 V(A6,F5,81,CF), V(A5,7A,DE,28), V(DA,B7,8E,26), V(3F,AD,BF,A4), \
799 V(2C,3A,9D,E4), V(50,78,92,0D), V(6A,5F,CC,9B), V(54,7E,46,62), \
800 V(F6,8D,13,C2), V(90,D8,B8,E8), V(2E,39,F7,5E), V(82,C3,AF,F5), \
801 V(9F,5D,80,BE), V(69,D0,93,7C), V(6F,D5,2D,A9), V(CF,25,12,B3), \
802 V(C8,AC,99,3B), V(10,18,7D,A7), V(E8,9C,63,6E), V(DB,3B,BB,7B), \
803 V(CD,26,78,09), V(6E,59,18,F4), V(EC,9A,B7,01), V(83,4F,9A,A8), \
804 V(E6,95,6E,65), V(AA,FF,E6,7E), V(21,BC,CF,08), V(EF,15,E8,E6), \
805 V(BA,E7,9B,D9), V(4A,6F,36,CE), V(EA,9F,09,D4), V(29,B0,7C,D6), \
806 V(31,A4,B2,AF), V(2A,3F,23,31), V(C6,A5,94,30), V(35,A2,66,C0), \
807 V(74,4E,BC,37), V(FC,82,CA,A6), V(E0,90,D0,B0), V(33,A7,D8,15), \
808 V(F1,04,98,4A), V(41,EC,DA,F7), V(7F,CD,50,0E), V(17,91,F6,2F), \
809 V(76,4D,D6,8D), V(43,EF,B0,4D), V(CC,AA,4D,54), V(E4,96,04,DF), \
810 V(9E,D1,B5,E3), V(4C,6A,88,1B), V(C1,2C,1F,B8), V(46,65,51,7F), \
811 V(9D,5E,EA,04), V(01,8C,35,5D), V(FA,87,74,73), V(FB,0B,41,2E), \
812 V(B3,67,1D,5A), V(92,DB,D2,52), V(E9,10,56,33), V(6D,D6,47,13), \
813 V(9A,D7,61,8C), V(37,A1,0C,7A), V(59,F8,14,8E), V(EB,13,3C,89), \
814 V(CE,A9,27,EE), V(B7,61,C9,35), V(E1,1C,E5,ED), V(7A,47,B1,3C), \
815 V(9C,D2,DF,59), V(55,F2,73,3F), V(18,14,CE,79), V(73,C7,37,BF), \
816 V(53,F7,CD,EA), V(5F,FD,AA,5B), V(DF,3D,6F,14), V(78,44,DB,86), \
817 V(CA,AF,F3,81), V(B9,68,C4,3E), V(38,24,34,2C), V(C2,A3,40,5F), \
818 V(16,1D,C3,72), V(BC,E2,25,0C), V(28,3C,49,8B), V(FF,0D,95,41), \
819 V(39,A8,01,71), V(08,0C,B3,DE), V(D8,B4,E4,9C), V(64,56,C1,90), \
820 V(7B,CB,84,61), V(D5,32,B6,70), V(48,6C,5C,74), V(D0,B8,57,42)
821
822 #define V(a,b,c,d) 0x##a##b##c##d
823 static uint32 RT0[256] = { RT };
824
825 #undef V
826
827 #define V(a,b,c,d) 0x##d##a##b##c
828 static uint32 RT1[256] = { RT };
829
830 #undef V
831
832 #define V(a,b,c,d) 0x##c##d##a##b
833 static uint32 RT2[256] = { RT };
834
835 #undef V
836
837 #define V(a,b,c,d) 0x##b##c##d##a
838 static uint32 RT3[256] = { RT };
839
840 #undef V
841
842 #undef RT
843
844 /* round constants */
845
846 static uint32 RCON[10] = {
847 0x01000000, 0x02000000, 0x04000000, 0x08000000,
848 0x10000000, 0x20000000, 0x40000000, 0x80000000,
849 0x1B000000, 0x36000000
850 };
851
852 /* key schedule tables */
853
854 static int KT_init = 1;
855
856 static uint32 KT0[256];
857 static uint32 KT1[256];
858 static uint32 KT2[256];
859 static uint32 KT3[256];
860
861 /* platform-independant 32-bit integer manipulation macros */
862
863 #define GET_UINT32(n,b,i) \
864 { \
865 (n) = ( (uint32) (b)[(i) ] << 24 ) \
866 | ( (uint32) (b)[(i) + 1] << 16 ) \
867 | ( (uint32) (b)[(i) + 2] << 8 ) \
868 | ( (uint32) (b)[(i) + 3] ); \
869 }
870
871 #define PUT_UINT32(n,b,i) \
872 { \
873 (b)[(i) ] = (uint8) ( (n) >> 24 ); \
874 (b)[(i) + 1] = (uint8) ( (n) >> 16 ); \
875 (b)[(i) + 2] = (uint8) ( (n) >> 8 ); \
876 (b)[(i) + 3] = (uint8) ( (n) ); \
877 }
878
879 int rt_aes_set_key(struct aes_context * ctx, uint8 * key, int nbits)
880 {
881 int i;
882 uint32 *RK, *SK;
883
884 switch (nbits) {
885 case 128:
886 ctx->nr = 10;
887 break;
888 case 192:
889 ctx->nr = 12;
890 break;
891 case 256:
892 ctx->nr = 14;
893 break;
894 default:
895 return (1);
896 }
897
898 RK = (uint32 *) ctx->erk;
899
900 for (i = 0; i < (nbits >> 5); i++) {
901 GET_UINT32(RK[i], key, i * 4);
902 }
903
904 /* setup encryption round keys */
905
906 switch (nbits) {
907 case 128:
908
909 for (i = 0; i < 10; i++, RK += 4) {
910 RK[4] = RK[0] ^ RCON[i] ^
911 (FSb[(uint8) (RK[3] >> 16)] << 24) ^
912 (FSb[(uint8) (RK[3] >> 8)] << 16) ^
913 (FSb[(uint8) (RK[3])] << 8) ^
914 (FSb[(uint8) (RK[3] >> 24)]);
915
916 RK[5] = RK[1] ^ RK[4];
917 RK[6] = RK[2] ^ RK[5];
918 RK[7] = RK[3] ^ RK[6];
919 }
920 break;
921
922 case 192:
923
924 for (i = 0; i < 8; i++, RK += 6) {
925 RK[6] = RK[0] ^ RCON[i] ^
926 (FSb[(uint8) (RK[5] >> 16)] << 24) ^
927 (FSb[(uint8) (RK[5] >> 8)] << 16) ^
928 (FSb[(uint8) (RK[5])] << 8) ^
929 (FSb[(uint8) (RK[5] >> 24)]);
930
931 RK[7] = RK[1] ^ RK[6];
932 RK[8] = RK[2] ^ RK[7];
933 RK[9] = RK[3] ^ RK[8];
934 RK[10] = RK[4] ^ RK[9];
935 RK[11] = RK[5] ^ RK[10];
936 }
937 break;
938
939 case 256:
940
941 for (i = 0; i < 7; i++, RK += 8) {
942 RK[8] = RK[0] ^ RCON[i] ^
943 (FSb[(uint8) (RK[7] >> 16)] << 24) ^
944 (FSb[(uint8) (RK[7] >> 8)] << 16) ^
945 (FSb[(uint8) (RK[7])] << 8) ^
946 (FSb[(uint8) (RK[7] >> 24)]);
947
948 RK[9] = RK[1] ^ RK[8];
949 RK[10] = RK[2] ^ RK[9];
950 RK[11] = RK[3] ^ RK[10];
951
952 RK[12] = RK[4] ^
953 (FSb[(uint8) (RK[11] >> 24)] << 24) ^
954 (FSb[(uint8) (RK[11] >> 16)] << 16) ^
955 (FSb[(uint8) (RK[11] >> 8)] << 8) ^
956 (FSb[(uint8) (RK[11])]);
957
958 RK[13] = RK[5] ^ RK[12];
959 RK[14] = RK[6] ^ RK[13];
960 RK[15] = RK[7] ^ RK[14];
961 }
962 break;
963 }
964
965 /* setup decryption round keys */
966
967 if (KT_init) {
968 for (i = 0; i < 256; i++) {
969 KT0[i] = RT0[FSb[i]];
970 KT1[i] = RT1[FSb[i]];
971 KT2[i] = RT2[FSb[i]];
972 KT3[i] = RT3[FSb[i]];
973 }
974
975 KT_init = 0;
976 }
977
978 SK = (uint32 *) ctx->drk;
979
980 *SK++ = *RK++;
981 *SK++ = *RK++;
982 *SK++ = *RK++;
983 *SK++ = *RK++;
984
985 for (i = 1; i < ctx->nr; i++) {
986 RK -= 8;
987
988 *SK++ = KT0[(uint8) (*RK >> 24)] ^
989 KT1[(uint8) (*RK >> 16)] ^
990 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
991 RK++;
992
993 *SK++ = KT0[(uint8) (*RK >> 24)] ^
994 KT1[(uint8) (*RK >> 16)] ^
995 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
996 RK++;
997
998 *SK++ = KT0[(uint8) (*RK >> 24)] ^
999 KT1[(uint8) (*RK >> 16)] ^
1000 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
1001 RK++;
1002
1003 *SK++ = KT0[(uint8) (*RK >> 24)] ^
1004 KT1[(uint8) (*RK >> 16)] ^
1005 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
1006 RK++;
1007 }
1008
1009 RK -= 8;
1010
1011 *SK++ = *RK++;
1012 *SK++ = *RK++;
1013 *SK++ = *RK++;
1014 *SK++ = *RK++;
1015
1016 return (0);
1017 }
1018
1019 /* AES 128-bit block encryption routine */
1020
1021 void rt_aes_encrypt(struct aes_context * ctx, uint8 input[16], uint8 output[16])
1022 {
1023 uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
1024
1025 RK = (uint32 *) ctx->erk;
1026 GET_UINT32(X0, input, 0);
1027 X0 ^= RK[0];
1028 GET_UINT32(X1, input, 4);
1029 X1 ^= RK[1];
1030 GET_UINT32(X2, input, 8);
1031 X2 ^= RK[2];
1032 GET_UINT32(X3, input, 12);
1033 X3 ^= RK[3];
1034
1035 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
1036 { \
1037 RK += 4; \
1038 \
1039 X0 = RK[0] ^ FT0[ (uint8) ( Y0 >> 24 ) ] ^ \
1040 FT1[ (uint8) ( Y1 >> 16 ) ] ^ \
1041 FT2[ (uint8) ( Y2 >> 8 ) ] ^ \
1042 FT3[ (uint8) ( Y3 ) ]; \
1043 \
1044 X1 = RK[1] ^ FT0[ (uint8) ( Y1 >> 24 ) ] ^ \
1045 FT1[ (uint8) ( Y2 >> 16 ) ] ^ \
1046 FT2[ (uint8) ( Y3 >> 8 ) ] ^ \
1047 FT3[ (uint8) ( Y0 ) ]; \
1048 \
1049 X2 = RK[2] ^ FT0[ (uint8) ( Y2 >> 24 ) ] ^ \
1050 FT1[ (uint8) ( Y3 >> 16 ) ] ^ \
1051 FT2[ (uint8) ( Y0 >> 8 ) ] ^ \
1052 FT3[ (uint8) ( Y1 ) ]; \
1053 \
1054 X3 = RK[3] ^ FT0[ (uint8) ( Y3 >> 24 ) ] ^ \
1055 FT1[ (uint8) ( Y0 >> 16 ) ] ^ \
1056 FT2[ (uint8) ( Y1 >> 8 ) ] ^ \
1057 FT3[ (uint8) ( Y2 ) ]; \
1058 }
1059
1060 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 1 */
1061 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 2 */
1062 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 3 */
1063 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 4 */
1064 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 5 */
1065 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 6 */
1066 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 7 */
1067 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 8 */
1068 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 9 */
1069
1070 if (ctx->nr > 10) {
1071 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 10 */
1072 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 11 */
1073 }
1074
1075 if (ctx->nr > 12) {
1076 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 12 */
1077 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 13 */
1078 }
1079
1080 /* last round */
1081
1082 RK += 4;
1083
1084 X0 = RK[0] ^ (FSb[(uint8) (Y0 >> 24)] << 24) ^
1085 (FSb[(uint8) (Y1 >> 16)] << 16) ^
1086 (FSb[(uint8) (Y2 >> 8)] << 8) ^ (FSb[(uint8) (Y3)]);
1087
1088 X1 = RK[1] ^ (FSb[(uint8) (Y1 >> 24)] << 24) ^
1089 (FSb[(uint8) (Y2 >> 16)] << 16) ^
1090 (FSb[(uint8) (Y3 >> 8)] << 8) ^ (FSb[(uint8) (Y0)]);
1091
1092 X2 = RK[2] ^ (FSb[(uint8) (Y2 >> 24)] << 24) ^
1093 (FSb[(uint8) (Y3 >> 16)] << 16) ^
1094 (FSb[(uint8) (Y0 >> 8)] << 8) ^ (FSb[(uint8) (Y1)]);
1095
1096 X3 = RK[3] ^ (FSb[(uint8) (Y3 >> 24)] << 24) ^
1097 (FSb[(uint8) (Y0 >> 16)] << 16) ^
1098 (FSb[(uint8) (Y1 >> 8)] << 8) ^ (FSb[(uint8) (Y2)]);
1099
1100 PUT_UINT32(X0, output, 0);
1101 PUT_UINT32(X1, output, 4);
1102 PUT_UINT32(X2, output, 8);
1103 PUT_UINT32(X3, output, 12);
1104 }
1105
1106 /* AES 128-bit block decryption routine */
1107
1108 void rt_aes_decrypt(struct aes_context * ctx, uint8 input[16], uint8 output[16])
1109 {
1110 uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
1111
1112 RK = (uint32 *) ctx->drk;
1113
1114 GET_UINT32(X0, input, 0);
1115 X0 ^= RK[0];
1116 GET_UINT32(X1, input, 4);
1117 X1 ^= RK[1];
1118 GET_UINT32(X2, input, 8);
1119 X2 ^= RK[2];
1120 GET_UINT32(X3, input, 12);
1121 X3 ^= RK[3];
1122
1123 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
1124 { \
1125 RK += 4; \
1126 \
1127 X0 = RK[0] ^ RT0[ (uint8) ( Y0 >> 24 ) ] ^ \
1128 RT1[ (uint8) ( Y3 >> 16 ) ] ^ \
1129 RT2[ (uint8) ( Y2 >> 8 ) ] ^ \
1130 RT3[ (uint8) ( Y1 ) ]; \
1131 \
1132 X1 = RK[1] ^ RT0[ (uint8) ( Y1 >> 24 ) ] ^ \
1133 RT1[ (uint8) ( Y0 >> 16 ) ] ^ \
1134 RT2[ (uint8) ( Y3 >> 8 ) ] ^ \
1135 RT3[ (uint8) ( Y2 ) ]; \
1136 \
1137 X2 = RK[2] ^ RT0[ (uint8) ( Y2 >> 24 ) ] ^ \
1138 RT1[ (uint8) ( Y1 >> 16 ) ] ^ \
1139 RT2[ (uint8) ( Y0 >> 8 ) ] ^ \
1140 RT3[ (uint8) ( Y3 ) ]; \
1141 \
1142 X3 = RK[3] ^ RT0[ (uint8) ( Y3 >> 24 ) ] ^ \
1143 RT1[ (uint8) ( Y2 >> 16 ) ] ^ \
1144 RT2[ (uint8) ( Y1 >> 8 ) ] ^ \
1145 RT3[ (uint8) ( Y0 ) ]; \
1146 }
1147
1148 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 1 */
1149 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 2 */
1150 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 3 */
1151 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 4 */
1152 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 5 */
1153 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 6 */
1154 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 7 */
1155 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 8 */
1156 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 9 */
1157
1158 if (ctx->nr > 10) {
1159 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 10 */
1160 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 11 */
1161 }
1162
1163 if (ctx->nr > 12) {
1164 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 12 */
1165 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 13 */
1166 }
1167
1168 /* last round */
1169
1170 RK += 4;
1171
1172 X0 = RK[0] ^ (RSb[(uint8) (Y0 >> 24)] << 24) ^
1173 (RSb[(uint8) (Y3 >> 16)] << 16) ^
1174 (RSb[(uint8) (Y2 >> 8)] << 8) ^ (RSb[(uint8) (Y1)]);
1175
1176 X1 = RK[1] ^ (RSb[(uint8) (Y1 >> 24)] << 24) ^
1177 (RSb[(uint8) (Y0 >> 16)] << 16) ^
1178 (RSb[(uint8) (Y3 >> 8)] << 8) ^ (RSb[(uint8) (Y2)]);
1179
1180 X2 = RK[2] ^ (RSb[(uint8) (Y2 >> 24)] << 24) ^
1181 (RSb[(uint8) (Y1 >> 16)] << 16) ^
1182 (RSb[(uint8) (Y0 >> 8)] << 8) ^ (RSb[(uint8) (Y3)]);
1183
1184 X3 = RK[3] ^ (RSb[(uint8) (Y3 >> 24)] << 24) ^
1185 (RSb[(uint8) (Y2 >> 16)] << 16) ^
1186 (RSb[(uint8) (Y1 >> 8)] << 8) ^ (RSb[(uint8) (Y0)]);
1187
1188 PUT_UINT32(X0, output, 0);
1189 PUT_UINT32(X1, output, 4);
1190 PUT_UINT32(X2, output, 8);
1191 PUT_UINT32(X3, output, 12);
1192 }
1193
1194 /*
1195 ==========================================================================
1196 Description:
1197 ENCRYPT AES GTK before sending in EAPOL frame.
1198 AES GTK length = 128 bit, so fix blocks for aes-key-wrap as 2 in this function.
1199 This function references to RFC 3394 for aes key wrap algorithm.
1200 Return:
1201 ==========================================================================
1202 */
1203 void AES_GTK_KEY_WRAP(u8 * key,
1204 u8 * plaintext,
1205 u32 p_len, u8 * ciphertext)
1206 {
1207 u8 A[8], BIN[16], BOUT[16];
1208 u8 R[512];
1209 int num_blocks = p_len / 8; /* unit:64bits */
1210 int i, j;
1211 struct aes_context aesctx;
1212 u8 xor;
1213
1214 rt_aes_set_key(&aesctx, key, 128);
1215
1216 /* Init IA */
1217 for (i = 0; i < 8; i++)
1218 A[i] = 0xa6;
1219
1220 /*Input plaintext */
1221 for (i = 0; i < num_blocks; i++) {
1222 for (j = 0; j < 8; j++)
1223 R[8 * (i + 1) + j] = plaintext[8 * i + j];
1224 }
1225
1226 /* Key Mix */
1227 for (j = 0; j < 6; j++) {
1228 for (i = 1; i <= num_blocks; i++) {
1229 /*phase 1 */
1230 NdisMoveMemory(BIN, A, 8);
1231 NdisMoveMemory(&BIN[8], &R[8 * i], 8);
1232 rt_aes_encrypt(&aesctx, BIN, BOUT);
1233
1234 NdisMoveMemory(A, &BOUT[0], 8);
1235 xor = num_blocks * j + i;
1236 A[7] = BOUT[7] ^ xor;
1237 NdisMoveMemory(&R[8 * i], &BOUT[8], 8);
1238 }
1239 }
1240
1241 /* Output ciphertext */
1242 NdisMoveMemory(ciphertext, A, 8);
1243
1244 for (i = 1; i <= num_blocks; i++) {
1245 for (j = 0; j < 8; j++)
1246 ciphertext[8 * i + j] = R[8 * i + j];
1247 }
1248 }
1249
1250 /*
1251 ========================================================================
1252
1253 Routine Description:
1254 Misc function to decrypt AES body
1255
1256 Arguments:
1257
1258 Return Value:
1259
1260 Note:
1261 This function references to RFC 3394 for aes key unwrap algorithm.
1262
1263 ========================================================================
1264 */
1265 void AES_GTK_KEY_UNWRAP(u8 * key,
1266 u8 * plaintext,
1267 u32 c_len, u8 * ciphertext)
1268 {
1269 u8 A[8], BIN[16], BOUT[16];
1270 u8 xor;
1271 int i, j;
1272 struct aes_context aesctx;
1273 u8 *R;
1274 int num_blocks = c_len / 8; /* unit:64bits */
1275
1276 os_alloc_mem(NULL, (u8 **) & R, 512);
1277
1278 if (R == NULL) {
1279 DBGPRINT(RT_DEBUG_ERROR,
1280 ("AES_GTK_KEY_UNWRAP: no memory!\n"));
1281 return;
1282 }
1283 /* End of if */
1284 /* Initialize */
1285 NdisMoveMemory(A, ciphertext, 8);
1286 /*Input plaintext */
1287 for (i = 0; i < (c_len - 8); i++) {
1288 R[i] = ciphertext[i + 8];
1289 }
1290
1291 rt_aes_set_key(&aesctx, key, 128);
1292
1293 for (j = 5; j >= 0; j--) {
1294 for (i = (num_blocks - 1); i > 0; i--) {
1295 xor = (num_blocks - 1) * j + i;
1296 NdisMoveMemory(BIN, A, 8);
1297 BIN[7] = A[7] ^ xor;
1298 NdisMoveMemory(&BIN[8], &R[(i - 1) * 8], 8);
1299 rt_aes_decrypt(&aesctx, BIN, BOUT);
1300 NdisMoveMemory(A, &BOUT[0], 8);
1301 NdisMoveMemory(&R[(i - 1) * 8], &BOUT[8], 8);
1302 }
1303 }
1304
1305 /* OUTPUT */
1306 for (i = 0; i < c_len; i++) {
1307 plaintext[i] = R[i];
1308 }
1309
1310 os_free_mem(NULL, R);
1311 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree