Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/contrib/openzfs/module/icp/asm-x86_64/aes/aesopt.h
48775 views
1
// SPDX-License-Identifier: Brian-Gladman-3-Clause

2
/*

3
 * ---------------------------------------------------------------------------

4
 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.

5
 *

6
 * LICENSE TERMS

7
 *

8
 * The free distribution and use of this software is allowed (with or without

9
 * changes) provided that:

10
 *

11
 *  1. source code distributions include the above copyright notice, this

12
 *	list of conditions and the following disclaimer;

13
 *

14
 *  2. binary distributions include the above copyright notice, this list

15
 *	of conditions and the following disclaimer in their documentation;

16
 *

17
 *  3. the name of the copyright holder is not used to endorse products

18
 *	built using this software without specific written permission.

19
 *

20
 * DISCLAIMER

21
 *

22
 * This software is provided 'as is' with no explicit or implied warranties

23
 * in respect of its properties, including, but not limited to, correctness

24
 * and/or fitness for purpose.

25
 * ---------------------------------------------------------------------------

26
 * Issue Date: 20/12/2007

27
 *

28
 * This file contains the compilation options for AES (Rijndael) and code

29
 * that is common across encryption, key scheduling and table generation.

30
 *

31
 * OPERATION

32
 *

33
 * These source code files implement the AES algorithm Rijndael designed by

34
 * Joan Daemen and Vincent Rijmen. This version is designed for the standard

35
 * block size of 16 bytes and for key sizes of 128, 192 and 256 bits (16, 24

36
 * and 32 bytes).

37
 *

38
 * This version is designed for flexibility and speed using operations on

39
 * 32-bit words rather than operations on bytes.  It can be compiled with

40
 * either big or little endian internal byte order but is faster when the

41
 * native byte order for the processor is used.

42
 *

43
 * THE CIPHER INTERFACE

44
 *

45
 * The cipher interface is implemented as an array of bytes in which lower

46
 * AES bit sequence indexes map to higher numeric significance within bytes.

47
 */

48


49
/*

50
 * OpenSolaris changes

51
 * 1. Added __cplusplus and _AESTAB_H header guards

52
 * 2. Added header files sys/types.h and aes_impl.h

53
 * 3. Added defines for AES_ENCRYPT, AES_DECRYPT, AES_REV_DKS, and ASM_AMD64_C

54
 * 4. Moved defines for IS_BIG_ENDIAN, IS_LITTLE_ENDIAN, PLATFORM_BYTE_ORDER

55
 *    from brg_endian.h

56
 * 5. Undefined VIA_ACE_POSSIBLE and ASSUME_VIA_ACE_PRESENT

57
 * 6. Changed uint_8t and uint_32t to uint8_t and uint32_t

58
 * 7. Defined aes_sw32 as htonl() for byte swapping

59
 * 8. Cstyled and hdrchk code

60
 *

61
 */

62


63
#ifndef _AESOPT_H

64
#define	_AESOPT_H

65


66
#ifdef	__cplusplus

67
extern "C" {

68
#endif

69


70
#include <sys/zfs_context.h>

71
#include <aes/aes_impl.h>

72


73
/*  SUPPORT FEATURES */

74
#define	AES_ENCRYPT /* if support for encryption is needed */

75
#define	AES_DECRYPT /* if support for decryption is needed */

76


77
/*  PLATFORM-SPECIFIC FEATURES */

78
#define	IS_BIG_ENDIAN		4321 /* byte 0 is most significant (mc68k) */

79
#define	IS_LITTLE_ENDIAN	1234 /* byte 0 is least significant (i386) */

80
#define	PLATFORM_BYTE_ORDER	IS_LITTLE_ENDIAN

81
#define	AES_REV_DKS /* define to reverse decryption key schedule */

82


83


84
/*

85
 *  CONFIGURATION - THE USE OF DEFINES

86
 *	Later in this section there are a number of defines that control the

87
 *	operation of the code.  In each section, the purpose of each define is

88
 *	explained so that the relevant form can be included or excluded by

89
 *	setting either 1's or 0's respectively on the branches of the related

90
 *	#if clauses.  The following local defines should not be changed.

91
 */

92


93
#define	ENCRYPTION_IN_C	1

94
#define	DECRYPTION_IN_C	2

95
#define	ENC_KEYING_IN_C	4

96
#define	DEC_KEYING_IN_C	8

97


98
#define	NO_TABLES	0

99
#define	ONE_TABLE	1

100
#define	FOUR_TABLES	4

101
#define	NONE		0

102
#define	PARTIAL		1

103
#define	FULL		2

104


105
/*  --- START OF USER CONFIGURED OPTIONS --- */

106


107
/*

108
 *  1. BYTE ORDER WITHIN 32 BIT WORDS

109
 *

110
 *	The fundamental data processing units in Rijndael are 8-bit bytes. The

111
 *	input, output and key input are all enumerated arrays of bytes in which

112
 *	bytes are numbered starting at zero and increasing to one less than the

113
 *	number of bytes in the array in question. This enumeration is only used

114
 *	for naming bytes and does not imply any adjacency or order relationship

115
 *	from one byte to another. When these inputs and outputs are considered

116
 *	as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to

117
 *	byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte.

118
 *	In this implementation bits are numbered from 0 to 7 starting at the

119
 *	numerically least significant end of each byte.  Bit n represents 2^n.

120
 *

121
 *	However, Rijndael can be implemented more efficiently using 32-bit

122
 *	words by packing bytes into words so that bytes 4*n to 4*n+3 are placed

123
 *	into word[n]. While in principle these bytes can be assembled into words

124
 *	in any positions, this implementation only supports the two formats in

125
 *	which bytes in adjacent positions within words also have adjacent byte

126
 *	numbers. This order is called big-endian if the lowest numbered bytes

127
 *	in words have the highest numeric significance and little-endian if the

128
 *	opposite applies.

129
 *

130
 *	This code can work in either order irrespective of the order used by the

131
 *	machine on which it runs. Normally the internal byte order will be set

132
 *	to the order of the processor on which the code is to be run but this

133
 *	define	can be used to reverse this in special situations

134
 *

135
 *	WARNING: Assembler code versions rely on PLATFORM_BYTE_ORDER being set.

136
 *	This define will hence be redefined later (in section 4) if necessary

137
 */

138


139
#if 1

140
#define	ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER

141
#elif 0

142
#define	ALGORITHM_BYTE_ORDER IS_LITTLE_ENDIAN

143
#elif 0

144
#define	ALGORITHM_BYTE_ORDER IS_BIG_ENDIAN

145
#else

146
#error The algorithm byte order is not defined

147
#endif

148


149
/*  2. VIA ACE SUPPORT */

150


151
#if defined(__GNUC__) && defined(__i386__) || \

152
	defined(_WIN32) && defined(_M_IX86) && \

153
	!(defined(_WIN64) || defined(_WIN32_WCE) || \

154
	defined(_MSC_VER) && (_MSC_VER <= 800))

155
#define	VIA_ACE_POSSIBLE

156
#endif

157


158
/*

159
 *  Define this option if support for the VIA ACE is required. This uses

160
 *  inline assembler instructions and is only implemented for the Microsoft,

161
 *  Intel and GCC compilers.  If VIA ACE is known to be present, then defining

162
 *  ASSUME_VIA_ACE_PRESENT will remove the ordinary encryption/decryption

163
 *  code.  If USE_VIA_ACE_IF_PRESENT is defined then VIA ACE will be used if

164
 *  it is detected (both present and enabled) but the normal AES code will

165
 *  also be present.

166
 *

167
 *  When VIA ACE is to be used, all AES encryption contexts MUST be 16 byte

168
 *  aligned; other input/output buffers do not need to be 16 byte aligned

169
 *  but there are very large performance gains if this can be arranged.

170
 *  VIA ACE also requires the decryption key schedule to be in reverse

171
 *  order (which later checks below ensure).

172
 */

173


174
/*  VIA ACE is not used here for OpenSolaris: */

175
#undef	VIA_ACE_POSSIBLE

176
#undef	ASSUME_VIA_ACE_PRESENT

177


178
#if 0 && defined(VIA_ACE_POSSIBLE) && !defined(USE_VIA_ACE_IF_PRESENT)

179
#define	USE_VIA_ACE_IF_PRESENT

180
#endif

181


182
#if 0 && defined(VIA_ACE_POSSIBLE) && !defined(ASSUME_VIA_ACE_PRESENT)

183
#define	ASSUME_VIA_ACE_PRESENT

184
#endif

185


186


187
/*

188
 *  3. ASSEMBLER SUPPORT

189
 *

190
 *	This define (which can be on the command line) enables the use of the

191
 *	assembler code routines for encryption, decryption and key scheduling

192
 *	as follows:

193
 *

194
 *	ASM_X86_V1C uses the assembler (aes_x86_v1.asm) with large tables for

195
 *		encryption and decryption and but with key scheduling in C

196
 *	ASM_X86_V2  uses assembler (aes_x86_v2.asm) with compressed tables for

197
 *		encryption, decryption and key scheduling

198
 *	ASM_X86_V2C uses assembler (aes_x86_v2.asm) with compressed tables for

199
 *		encryption and decryption and but with key scheduling in C

200
 *	ASM_AMD64_C uses assembler (aes_amd64.asm) with compressed tables for

201
 *		encryption and decryption and but with key scheduling in C

202
 *

203
 *	Change one 'if 0' below to 'if 1' to select the version or define

204
 *	as a compilation option.

205
 */

206


207
#if 0 && !defined(ASM_X86_V1C)

208
#define	ASM_X86_V1C

209
#elif 0 && !defined(ASM_X86_V2)

210
#define	ASM_X86_V2

211
#elif 0 && !defined(ASM_X86_V2C)

212
#define	ASM_X86_V2C

213
#elif 1 && !defined(ASM_AMD64_C)

214
#define	ASM_AMD64_C

215
#endif

216


217
#if (defined(ASM_X86_V1C) || defined(ASM_X86_V2) || defined(ASM_X86_V2C)) && \

218
	!defined(_M_IX86) || defined(ASM_AMD64_C) && !defined(_M_X64) && \

219
	!defined(__amd64)

220
#error Assembler code is only available for x86 and AMD64 systems

221
#endif

222


223
/*

224
 *  4. FAST INPUT/OUTPUT OPERATIONS.

225
 *

226
 *	On some machines it is possible to improve speed by transferring the

227
 *	bytes in the input and output arrays to and from the internal 32-bit

228
 *	variables by addressing these arrays as if they are arrays of 32-bit

229
 *	words.  On some machines this will always be possible but there may

230
 *	be a large performance penalty if the byte arrays are not aligned on

231
 *	the normal word boundaries. On other machines this technique will

232
 *	lead to memory access errors when such 32-bit word accesses are not

233
 *	properly aligned. The option SAFE_IO avoids such problems but will

234
 *	often be slower on those machines that support misaligned access

235
 *	(especially so if care is taken to align the input  and output byte

236
 *	arrays on 32-bit word boundaries). If SAFE_IO is not defined it is

237
 *	assumed that access to byte arrays as if they are arrays of 32-bit

238
 *	words will not cause problems when such accesses are misaligned.

239
 */

240
#if 1 && !defined(_MSC_VER)

241
#define	SAFE_IO

242
#endif

243


244
/*

245
 *  5. LOOP UNROLLING

246
 *

247
 *	The code for encryption and decryption cycles through a number of rounds

248
 *	that can be implemented either in a loop or by expanding the code into a

249
 *	long sequence of instructions, the latter producing a larger program but

250
 *	one that will often be much faster. The latter is called loop unrolling.

251
 *	There are also potential speed advantages in expanding two iterations in

252
 *	a loop with half the number of iterations, which is called partial loop

253
 *	unrolling.  The following options allow partial or full loop unrolling

254
 *	to be set independently for encryption and decryption

255
 */

256
#if 1

257
#define	ENC_UNROLL  FULL

258
#elif 0

259
#define	ENC_UNROLL  PARTIAL

260
#else

261
#define	ENC_UNROLL  NONE

262
#endif

263


264
#if 1

265
#define	DEC_UNROLL  FULL

266
#elif 0

267
#define	DEC_UNROLL  PARTIAL

268
#else

269
#define	DEC_UNROLL  NONE

270
#endif

271


272
#if 1

273
#define	ENC_KS_UNROLL

274
#endif

275


276
#if 1

277
#define	DEC_KS_UNROLL

278
#endif

279


280
/*

281
 *  6. FAST FINITE FIELD OPERATIONS

282
 *

283
 *	If this section is included, tables are used to provide faster finite

284
 *	field arithmetic.  This has no effect if FIXED_TABLES is defined.

285
 */

286
#if 1

287
#define	FF_TABLES

288
#endif

289


290
/*

291
 *  7. INTERNAL STATE VARIABLE FORMAT

292
 *

293
 *	The internal state of Rijndael is stored in a number of local 32-bit

294
 *	word variables which can be defined either as an array or as individual

295
 *	names variables. Include this section if you want to store these local

296
 *	variables in arrays. Otherwise individual local variables will be used.

297
 */

298
#if 1

299
#define	ARRAYS

300
#endif

301


302
/*

303
 *  8. FIXED OR DYNAMIC TABLES

304
 *

305
 *	When this section is included the tables used by the code are compiled

306
 *	statically into the binary file.  Otherwise the subroutine aes_init()

307
 *	must be called to compute them before the code is first used.

308
 */

309
#if 1 && !(defined(_MSC_VER) && (_MSC_VER <= 800))

310
#define	FIXED_TABLES

311
#endif

312


313
/*

314
 *  9. MASKING OR CASTING FROM LONGER VALUES TO BYTES

315
 *

316
 *	In some systems it is better to mask longer values to extract bytes

317
 *	rather than using a cast. This option allows this choice.

318
 */

319
#if 0

320
#define	to_byte(x)  ((uint8_t)(x))

321
#else

322
#define	to_byte(x)  ((x) & 0xff)

323
#endif

324


325
/*

326
 *  10. TABLE ALIGNMENT

327
 *

328
 *	On some systems speed will be improved by aligning the AES large lookup

329
 *	tables on particular boundaries. This define should be set to a power of

330
 *	two giving the desired alignment. It can be left undefined if alignment

331
 *	is not needed.  This option is specific to the Microsoft VC++ compiler -

332
 *	it seems to sometimes cause trouble for the VC++ version 6 compiler.

333
 */

334


335
#if 1 && defined(_MSC_VER) && (_MSC_VER >= 1300)

336
#define	TABLE_ALIGN 32

337
#endif

338


339
/*

340
 *  11.  REDUCE CODE AND TABLE SIZE

341
 *

342
 *	This replaces some expanded macros with function calls if AES_ASM_V2 or

343
 *	AES_ASM_V2C are defined

344
 */

345


346
#if 1 && (defined(ASM_X86_V2) || defined(ASM_X86_V2C))

347
#define	REDUCE_CODE_SIZE

348
#endif

349


350
/*

351
 *  12. TABLE OPTIONS

352
 *

353
 *	This cipher proceeds by repeating in a number of cycles known as rounds

354
 *	which are implemented by a round function which is optionally be speeded

355
 *	up using tables.  The basic tables are 256 32-bit words, with either

356
 *	one or four tables being required for each round function depending on

357
 *	how much speed is required. Encryption and decryption round functions

358
 *	are different and the last encryption and decryption round functions are

359
 *	different again making four different round functions in all.

360
 *

361
 *	This means that:

362
 *	1. Normal encryption and decryption rounds can each use either 0, 1

363
 *		or 4 tables and table spaces of 0, 1024 or 4096 bytes each.

364
 *	2. The last encryption and decryption rounds can also use either 0, 1

365
 *		or 4 tables and table spaces of 0, 1024 or 4096 bytes each.

366
 *

367
 *	Include or exclude the appropriate definitions below to set the number

368
 *	of tables used by this implementation.

369
 */

370


371
#if 1   /* set tables for the normal encryption round */

372
#define	ENC_ROUND   FOUR_TABLES

373
#elif 0

374
#define	ENC_ROUND   ONE_TABLE

375
#else

376
#define	ENC_ROUND   NO_TABLES

377
#endif

378


379
#if 1   /* set tables for the last encryption round */

380
#define	LAST_ENC_ROUND  FOUR_TABLES

381
#elif 0

382
#define	LAST_ENC_ROUND  ONE_TABLE

383
#else

384
#define	LAST_ENC_ROUND  NO_TABLES

385
#endif

386


387
#if 1   /* set tables for the normal decryption round */

388
#define	DEC_ROUND   FOUR_TABLES

389
#elif 0

390
#define	DEC_ROUND   ONE_TABLE

391
#else

392
#define	DEC_ROUND   NO_TABLES

393
#endif

394


395
#if 1   /* set tables for the last decryption round */

396
#define	LAST_DEC_ROUND  FOUR_TABLES

397
#elif 0

398
#define	LAST_DEC_ROUND  ONE_TABLE

399
#else

400
#define	LAST_DEC_ROUND  NO_TABLES

401
#endif

402


403
/*

404
 *  The decryption key schedule can be speeded up with tables in the same

405
 *	way that the round functions can.  Include or exclude the following

406
 *	defines to set this requirement.

407
 */

408
#if 1

409
#define	KEY_SCHED   FOUR_TABLES

410
#elif 0

411
#define	KEY_SCHED   ONE_TABLE

412
#else

413
#define	KEY_SCHED   NO_TABLES

414
#endif

415


416
/*  ---- END OF USER CONFIGURED OPTIONS ---- */

417


418
/* VIA ACE support is only available for VC++ and GCC */

419


420
#if !defined(_MSC_VER) && !defined(__GNUC__)

421
#if defined(ASSUME_VIA_ACE_PRESENT)

422
#undef ASSUME_VIA_ACE_PRESENT

423
#endif

424
#if defined(USE_VIA_ACE_IF_PRESENT)

425
#undef USE_VIA_ACE_IF_PRESENT

426
#endif

427
#endif

428


429
#if defined(ASSUME_VIA_ACE_PRESENT) && !defined(USE_VIA_ACE_IF_PRESENT)

430
#define	USE_VIA_ACE_IF_PRESENT

431
#endif

432


433
#if defined(USE_VIA_ACE_IF_PRESENT) && !defined(AES_REV_DKS)

434
#define	AES_REV_DKS

435
#endif

436


437
/* Assembler support requires the use of platform byte order */

438


439
#if (defined(ASM_X86_V1C) || defined(ASM_X86_V2C) || defined(ASM_AMD64_C)) && \

440
	(ALGORITHM_BYTE_ORDER != PLATFORM_BYTE_ORDER)

441
#undef  ALGORITHM_BYTE_ORDER

442
#define	ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER

443
#endif

444


445
/*

446
 * In this implementation the columns of the state array are each held in

447
 *	32-bit words. The state array can be held in various ways: in an array

448
 *	of words, in a number of individual word variables or in a number of

449
 *	processor registers. The following define maps a variable name x and

450
 *	a column number c to the way the state array variable is to be held.

451
 *	The first define below maps the state into an array x[c] whereas the

452
 *	second form maps the state into a number of individual variables x0,

453
 *	x1, etc.  Another form could map individual state columns to machine

454
 *	register names.

455
 */

456


457
#if defined(ARRAYS)

458
#define	s(x, c) x[c]

459
#else

460
#define	s(x, c) x##c

461
#endif

462


463
/*

464
 *  This implementation provides subroutines for encryption, decryption

465
 *	and for setting the three key lengths (separately) for encryption

466
 *	and decryption. Since not all functions are needed, masks are set

467
 *	up here to determine which will be implemented in C

468
 */

469


470
#if !defined(AES_ENCRYPT)

471
#define	EFUNCS_IN_C   0

472
#elif defined(ASSUME_VIA_ACE_PRESENT) || defined(ASM_X86_V1C) || \

473
	defined(ASM_X86_V2C) || defined(ASM_AMD64_C)

474
#define	EFUNCS_IN_C   ENC_KEYING_IN_C

475
#elif !defined(ASM_X86_V2)

476
#define	EFUNCS_IN_C   (ENCRYPTION_IN_C | ENC_KEYING_IN_C)

477
#else

478
#define	EFUNCS_IN_C   0

479
#endif

480


481
#if !defined(AES_DECRYPT)

482
#define	DFUNCS_IN_C   0

483
#elif defined(ASSUME_VIA_ACE_PRESENT) || defined(ASM_X86_V1C) || \

484
	defined(ASM_X86_V2C) || defined(ASM_AMD64_C)

485
#define	DFUNCS_IN_C   DEC_KEYING_IN_C

486
#elif !defined(ASM_X86_V2)

487
#define	DFUNCS_IN_C   (DECRYPTION_IN_C | DEC_KEYING_IN_C)

488
#else

489
#define	DFUNCS_IN_C   0

490
#endif

491


492
#define	FUNCS_IN_C  (EFUNCS_IN_C | DFUNCS_IN_C)

493


494
/* END OF CONFIGURATION OPTIONS */

495


496
/* Disable or report errors on some combinations of options */

497


498
#if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES

499
#undef  LAST_ENC_ROUND

500
#define	LAST_ENC_ROUND  NO_TABLES

501
#elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES

502
#undef  LAST_ENC_ROUND

503
#define	LAST_ENC_ROUND  ONE_TABLE

504
#endif

505


506
#if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE

507
#undef  ENC_UNROLL

508
#define	ENC_UNROLL  NONE

509
#endif

510


511
#if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES

512
#undef  LAST_DEC_ROUND

513
#define	LAST_DEC_ROUND  NO_TABLES

514
#elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES

515
#undef  LAST_DEC_ROUND

516
#define	LAST_DEC_ROUND  ONE_TABLE

517
#endif

518


519
#if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE

520
#undef  DEC_UNROLL

521
#define	DEC_UNROLL  NONE

522
#endif

523


524
#if (ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN)

525
#define	aes_sw32	htonl

526
#elif defined(bswap32)

527
#define	aes_sw32	bswap32

528
#elif defined(bswap_32)

529
#define	aes_sw32	bswap_32

530
#else

531
#define	brot(x, n)  (((uint32_t)(x) << (n)) | ((uint32_t)(x) >> (32 - (n))))

532
#define	aes_sw32(x) ((brot((x), 8) & 0x00ff00ff) | (brot((x), 24) & 0xff00ff00))

533
#endif

534


535


536
/*

537
 *	upr(x, n):  rotates bytes within words by n positions, moving bytes to

538
 *		higher index positions with wrap around into low positions

539
 *	ups(x, n):  moves bytes by n positions to higher index positions in

540
 *		words but without wrap around

541
 *	bval(x, n): extracts a byte from a word

542
 *

543
 *	WARNING:   The definitions given here are intended only for use with

544
 *		unsigned variables and with shift counts that are compile

545
 *		time constants

546
 */

547


548
#if (ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN)

549
#define	upr(x, n)	(((uint32_t)(x) << (8 * (n))) | \

550
			((uint32_t)(x) >> (32 - 8 * (n))))

551
#define	ups(x, n)	((uint32_t)(x) << (8 * (n)))

552
#define	bval(x, n)	to_byte((x) >> (8 * (n)))

553
#define	bytes2word(b0, b1, b2, b3)  \

554
		(((uint32_t)(b3) << 24) | ((uint32_t)(b2) << 16) | \

555
		((uint32_t)(b1) << 8) | (b0))

556
#endif

557


558
#if (ALGORITHM_BYTE_ORDER == IS_BIG_ENDIAN)

559
#define	upr(x, n)	(((uint32_t)(x) >> (8 * (n))) | \

560
			((uint32_t)(x) << (32 - 8 * (n))))

561
#define	ups(x, n)	((uint32_t)(x) >> (8 * (n)))

562
#define	bval(x, n)	to_byte((x) >> (24 - 8 * (n)))

563
#define	bytes2word(b0, b1, b2, b3)  \

564
		(((uint32_t)(b0) << 24) | ((uint32_t)(b1) << 16) | \

565
		((uint32_t)(b2) << 8) | (b3))

566
#endif

567


568
#if defined(SAFE_IO)

569
#define	word_in(x, c)	bytes2word(((const uint8_t *)(x) + 4 * c)[0], \

570
				((const uint8_t *)(x) + 4 * c)[1], \

571
				((const uint8_t *)(x) + 4 * c)[2], \

572
				((const uint8_t *)(x) + 4 * c)[3])

573
#define	word_out(x, c, v) { ((uint8_t *)(x) + 4 * c)[0] = bval(v, 0); \

574
			((uint8_t *)(x) + 4 * c)[1] = bval(v, 1); \

575
			((uint8_t *)(x) + 4 * c)[2] = bval(v, 2); \

576
			((uint8_t *)(x) + 4 * c)[3] = bval(v, 3); }

577
#elif (ALGORITHM_BYTE_ORDER == PLATFORM_BYTE_ORDER)

578
#define	word_in(x, c)	(*((uint32_t *)(x) + (c)))

579
#define	word_out(x, c, v) (*((uint32_t *)(x) + (c)) = (v))

580
#else

581
#define	word_in(x, c)	aes_sw32(*((uint32_t *)(x) + (c)))

582
#define	word_out(x, c, v) (*((uint32_t *)(x) + (c)) = aes_sw32(v))

583
#endif

584


585
/* the finite field modular polynomial and elements */

586


587
#define	WPOLY   0x011b

588
#define	BPOLY	0x1b

589


590
/* multiply four bytes in GF(2^8) by 'x' {02} in parallel */

591


592
#define	m1  0x80808080

593
#define	m2  0x7f7f7f7f

594
#define	gf_mulx(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY))

595


596
/*

597
 * The following defines provide alternative definitions of gf_mulx that might

598
 * give improved performance if a fast 32-bit multiply is not available. Note

599
 * that a temporary variable u needs to be defined where gf_mulx is used.

600
 *

601
 * #define	gf_mulx(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ \

602
 *			((u >> 3) | (u >> 6))

603
 * #define	m4  (0x01010101 * BPOLY)

604
 * #define	gf_mulx(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) \

605
 *			& m4)

606
 */

607


608
/* Work out which tables are needed for the different options   */

609


610
#if defined(ASM_X86_V1C)

611
#if defined(ENC_ROUND)

612
#undef  ENC_ROUND

613
#endif

614
#define	ENC_ROUND   FOUR_TABLES

615
#if defined(LAST_ENC_ROUND)

616
#undef  LAST_ENC_ROUND

617
#endif

618
#define	LAST_ENC_ROUND  FOUR_TABLES

619
#if defined(DEC_ROUND)

620
#undef  DEC_ROUND

621
#endif

622
#define	DEC_ROUND   FOUR_TABLES

623
#if defined(LAST_DEC_ROUND)

624
#undef  LAST_DEC_ROUND

625
#endif

626
#define	LAST_DEC_ROUND  FOUR_TABLES

627
#if defined(KEY_SCHED)

628
#undef  KEY_SCHED

629
#define	KEY_SCHED   FOUR_TABLES

630
#endif

631
#endif

632


633
#if (FUNCS_IN_C & ENCRYPTION_IN_C) || defined(ASM_X86_V1C)

634
#if ENC_ROUND == ONE_TABLE

635
#define	FT1_SET

636
#elif ENC_ROUND == FOUR_TABLES

637
#define	FT4_SET

638
#else

639
#define	SBX_SET

640
#endif

641
#if LAST_ENC_ROUND == ONE_TABLE

642
#define	FL1_SET

643
#elif LAST_ENC_ROUND == FOUR_TABLES

644
#define	FL4_SET

645
#elif !defined(SBX_SET)

646
#define	SBX_SET

647
#endif

648
#endif

649


650
#if (FUNCS_IN_C & DECRYPTION_IN_C) || defined(ASM_X86_V1C)

651
#if DEC_ROUND == ONE_TABLE

652
#define	IT1_SET

653
#elif DEC_ROUND == FOUR_TABLES

654
#define	IT4_SET

655
#else

656
#define	ISB_SET

657
#endif

658
#if LAST_DEC_ROUND == ONE_TABLE

659
#define	IL1_SET

660
#elif LAST_DEC_ROUND == FOUR_TABLES

661
#define	IL4_SET

662
#elif !defined(ISB_SET)

663
#define	ISB_SET

664
#endif

665
#endif

666


667


668
#if !(defined(REDUCE_CODE_SIZE) && (defined(ASM_X86_V2) || \

669
	defined(ASM_X86_V2C)))

670
#if ((FUNCS_IN_C & ENC_KEYING_IN_C) || (FUNCS_IN_C & DEC_KEYING_IN_C))

671
#if KEY_SCHED == ONE_TABLE

672
#if !defined(FL1_SET) && !defined(FL4_SET)

673
#define	LS1_SET

674
#endif

675
#elif KEY_SCHED == FOUR_TABLES

676
#if !defined(FL4_SET)

677
#define	LS4_SET

678
#endif

679
#elif !defined(SBX_SET)

680
#define	SBX_SET

681
#endif

682
#endif

683
#if (FUNCS_IN_C & DEC_KEYING_IN_C)

684
#if KEY_SCHED == ONE_TABLE

685
#define	IM1_SET

686
#elif KEY_SCHED == FOUR_TABLES

687
#define	IM4_SET

688
#elif !defined(SBX_SET)

689
#define	SBX_SET

690
#endif

691
#endif

692
#endif

693


694
/* generic definitions of Rijndael macros that use tables */

695


696
#define	no_table(x, box, vf, rf, c) bytes2word(\

697
	box[bval(vf(x, 0, c), rf(0, c))], \

698
	box[bval(vf(x, 1, c), rf(1, c))], \

699
	box[bval(vf(x, 2, c), rf(2, c))], \

700
	box[bval(vf(x, 3, c), rf(3, c))])

701


702
#define	one_table(x, op, tab, vf, rf, c) \

703
	(tab[bval(vf(x, 0, c), rf(0, c))] \

704
	^ op(tab[bval(vf(x, 1, c), rf(1, c))], 1) \

705
	^ op(tab[bval(vf(x, 2, c), rf(2, c))], 2) \

706
	^ op(tab[bval(vf(x, 3, c), rf(3, c))], 3))

707


708
#define	four_tables(x, tab, vf, rf, c) \

709
	(tab[0][bval(vf(x, 0, c), rf(0, c))] \

710
	^ tab[1][bval(vf(x, 1, c), rf(1, c))] \

711
	^ tab[2][bval(vf(x, 2, c), rf(2, c))] \

712
	^ tab[3][bval(vf(x, 3, c), rf(3, c))])

713


714
#define	vf1(x, r, c)	(x)

715
#define	rf1(r, c)	(r)

716
#define	rf2(r, c)	((8+r-c)&3)

717


718
/*

719
 * Perform forward and inverse column mix operation on four bytes in long word

720
 * x in parallel. NOTE: x must be a simple variable, NOT an expression in

721
 * these macros.

722
 */

723


724
#if !(defined(REDUCE_CODE_SIZE) && (defined(ASM_X86_V2) || \

725
	defined(ASM_X86_V2C)))

726


727
#if defined(FM4_SET)	/* not currently used */

728
#define	fwd_mcol(x)	four_tables(x, t_use(f, m), vf1, rf1, 0)

729
#elif defined(FM1_SET)	/* not currently used */

730
#define	fwd_mcol(x)	one_table(x, upr, t_use(f, m), vf1, rf1, 0)

731
#else

732
#define	dec_fmvars	uint32_t g2

733
#define	fwd_mcol(x)	(g2 = gf_mulx(x), g2 ^ upr((x) ^ g2, 3) ^ \

734
				upr((x), 2) ^ upr((x), 1))

735
#endif

736


737
#if defined(IM4_SET)

738
#define	inv_mcol(x)	four_tables(x, t_use(i, m), vf1, rf1, 0)

739
#elif defined(IM1_SET)

740
#define	inv_mcol(x)	one_table(x, upr, t_use(i, m), vf1, rf1, 0)

741
#else

742
#define	dec_imvars	uint32_t g2, g4, g9

743
#define	inv_mcol(x)	(g2 = gf_mulx(x), g4 = gf_mulx(g2), g9 = \

744
				(x) ^ gf_mulx(g4), g4 ^= g9, \

745
				(x) ^ g2 ^ g4 ^ upr(g2 ^ g9, 3) ^ \

746
				upr(g4, 2) ^ upr(g9, 1))

747
#endif

748


749
#if defined(FL4_SET)

750
#define	ls_box(x, c)	four_tables(x, t_use(f, l), vf1, rf2, c)

751
#elif defined(LS4_SET)

752
#define	ls_box(x, c)	four_tables(x, t_use(l, s), vf1, rf2, c)

753
#elif defined(FL1_SET)

754
#define	ls_box(x, c)	one_table(x, upr, t_use(f, l), vf1, rf2, c)

755
#elif defined(LS1_SET)

756
#define	ls_box(x, c)	one_table(x, upr, t_use(l, s), vf1, rf2, c)

757
#else

758
#define	ls_box(x, c)	no_table(x, t_use(s, box), vf1, rf2, c)

759
#endif

760


761
#endif

762


763
#if defined(ASM_X86_V1C) && defined(AES_DECRYPT) && !defined(ISB_SET)

764
#define	ISB_SET

765
#endif

766


767
#ifdef	__cplusplus

768
}

769
#endif

770


771
#endif	/* _AESOPT_H */

772


773