• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  ---------------------------------------------------------------------------
3  Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.
4 
5  LICENSE TERMS
6 
7  The redistribution and use of this software (with or without changes)
8  is allowed without the payment of fees or royalties provided that:
9 
10   1. source code distributions include the above copyright notice, this
11      list of conditions and the following disclaimer;
12 
13   2. binary distributions include the above copyright notice, this list
14      of conditions and the following disclaimer in their documentation;
15 
16   3. the name of the copyright holder is not used to endorse products
17      built using this software without specific written permission.
18 
19  DISCLAIMER
20 
21  This software is provided 'as is' with no explicit or implied warranties
22  in respect of its properties, including, but not limited to, correctness
23  and/or fitness for purpose.
24  ---------------------------------------------------------------------------
25  Issue 09/09/2006
26 
27  This is an AES implementation that uses only 8-bit byte operations on the
28  cipher state (there are options to use 32-bit types if available).
29 
30  The combination of mix columns and byte substitution used here is based on
31  that developed by Karl Malbrain. His contribution is acknowledged.
32  */
33 
34 /* define if you have a fast memcpy function on your system */
35 #if 1
36 #  define HAVE_MEMCPY
37 #  include <string.h>
38 #if 0
39 #  if defined( _MSC_VER )
40 #    include <intrin.h>
41 #    pragma intrinsic( memcpy )
42 #  endif
43 #endif
44 #endif
45 
46 #include <stdlib.h>
47 
48 /* add the target configuration to allow using internal data types and compilation options */
49 #include "common/bt_target.h"
50 
51 /* define if you have fast 32-bit types on your system */
52 #if 1
53 #  define HAVE_UINT_32T
54 #endif
55 
56 /* define if you don't want any tables */
57 #if 1
58 #  define USE_TABLES
59 #endif
60 
61 /*  On Intel Core 2 duo VERSION_1 is faster */
62 
63 /* alternative versions (test for performance on your system) */
64 #if 1
65 #  define VERSION_1
66 #endif
67 
68 #include "aes.h"
69 
70 #if defined( HAVE_UINT_32T )
71 typedef UINT32 uint_32t;
72 #endif
73 
74 /* functions for finite field multiplication in the AES Galois field    */
75 
76 #define WPOLY   0x011b
77 #define BPOLY     0x1b
78 #define DPOLY   0x008d
79 
80 #define f1(x)   (x)
81 #define f2(x)   ((x << 1) ^ (((x >> 7) & 1) * WPOLY))
82 #define f4(x)   ((x << 2) ^ (((x >> 6) & 1) * WPOLY) ^ (((x >> 6) & 2) * WPOLY))
83 #define f8(x)   ((x << 3) ^ (((x >> 5) & 1) * WPOLY) ^ (((x >> 5) & 2) * WPOLY) \
84                           ^ (((x >> 5) & 4) * WPOLY))
85 #define d2(x)   (((x) >> 1) ^ ((x) & 1 ? DPOLY : 0))
86 
87 #define f3(x)   (f2(x) ^ x)
88 #define f9(x)   (f8(x) ^ x)
89 #define fb(x)   (f8(x) ^ f2(x) ^ x)
90 #define fd(x)   (f8(x) ^ f4(x) ^ x)
91 #define fe(x)   (f8(x) ^ f4(x) ^ f2(x))
92 
93 #if defined( USE_TABLES )
94 
95 #define sb_data(w) {    /* S Box data values */                            \
96     w(0x63), w(0x7c), w(0x77), w(0x7b), w(0xf2), w(0x6b), w(0x6f), w(0xc5),\
97     w(0x30), w(0x01), w(0x67), w(0x2b), w(0xfe), w(0xd7), w(0xab), w(0x76),\
98     w(0xca), w(0x82), w(0xc9), w(0x7d), w(0xfa), w(0x59), w(0x47), w(0xf0),\
99     w(0xad), w(0xd4), w(0xa2), w(0xaf), w(0x9c), w(0xa4), w(0x72), w(0xc0),\
100     w(0xb7), w(0xfd), w(0x93), w(0x26), w(0x36), w(0x3f), w(0xf7), w(0xcc),\
101     w(0x34), w(0xa5), w(0xe5), w(0xf1), w(0x71), w(0xd8), w(0x31), w(0x15),\
102     w(0x04), w(0xc7), w(0x23), w(0xc3), w(0x18), w(0x96), w(0x05), w(0x9a),\
103     w(0x07), w(0x12), w(0x80), w(0xe2), w(0xeb), w(0x27), w(0xb2), w(0x75),\
104     w(0x09), w(0x83), w(0x2c), w(0x1a), w(0x1b), w(0x6e), w(0x5a), w(0xa0),\
105     w(0x52), w(0x3b), w(0xd6), w(0xb3), w(0x29), w(0xe3), w(0x2f), w(0x84),\
106     w(0x53), w(0xd1), w(0x00), w(0xed), w(0x20), w(0xfc), w(0xb1), w(0x5b),\
107     w(0x6a), w(0xcb), w(0xbe), w(0x39), w(0x4a), w(0x4c), w(0x58), w(0xcf),\
108     w(0xd0), w(0xef), w(0xaa), w(0xfb), w(0x43), w(0x4d), w(0x33), w(0x85),\
109     w(0x45), w(0xf9), w(0x02), w(0x7f), w(0x50), w(0x3c), w(0x9f), w(0xa8),\
110     w(0x51), w(0xa3), w(0x40), w(0x8f), w(0x92), w(0x9d), w(0x38), w(0xf5),\
111     w(0xbc), w(0xb6), w(0xda), w(0x21), w(0x10), w(0xff), w(0xf3), w(0xd2),\
112     w(0xcd), w(0x0c), w(0x13), w(0xec), w(0x5f), w(0x97), w(0x44), w(0x17),\
113     w(0xc4), w(0xa7), w(0x7e), w(0x3d), w(0x64), w(0x5d), w(0x19), w(0x73),\
114     w(0x60), w(0x81), w(0x4f), w(0xdc), w(0x22), w(0x2a), w(0x90), w(0x88),\
115     w(0x46), w(0xee), w(0xb8), w(0x14), w(0xde), w(0x5e), w(0x0b), w(0xdb),\
116     w(0xe0), w(0x32), w(0x3a), w(0x0a), w(0x49), w(0x06), w(0x24), w(0x5c),\
117     w(0xc2), w(0xd3), w(0xac), w(0x62), w(0x91), w(0x95), w(0xe4), w(0x79),\
118     w(0xe7), w(0xc8), w(0x37), w(0x6d), w(0x8d), w(0xd5), w(0x4e), w(0xa9),\
119     w(0x6c), w(0x56), w(0xf4), w(0xea), w(0x65), w(0x7a), w(0xae), w(0x08),\
120     w(0xba), w(0x78), w(0x25), w(0x2e), w(0x1c), w(0xa6), w(0xb4), w(0xc6),\
121     w(0xe8), w(0xdd), w(0x74), w(0x1f), w(0x4b), w(0xbd), w(0x8b), w(0x8a),\
122     w(0x70), w(0x3e), w(0xb5), w(0x66), w(0x48), w(0x03), w(0xf6), w(0x0e),\
123     w(0x61), w(0x35), w(0x57), w(0xb9), w(0x86), w(0xc1), w(0x1d), w(0x9e),\
124     w(0xe1), w(0xf8), w(0x98), w(0x11), w(0x69), w(0xd9), w(0x8e), w(0x94),\
125     w(0x9b), w(0x1e), w(0x87), w(0xe9), w(0xce), w(0x55), w(0x28), w(0xdf),\
126     w(0x8c), w(0xa1), w(0x89), w(0x0d), w(0xbf), w(0xe6), w(0x42), w(0x68),\
127     w(0x41), w(0x99), w(0x2d), w(0x0f), w(0xb0), w(0x54), w(0xbb), w(0x16) }
128 
129 #define isb_data(w) {   /* inverse S Box data values */                    \
130     w(0x52), w(0x09), w(0x6a), w(0xd5), w(0x30), w(0x36), w(0xa5), w(0x38),\
131     w(0xbf), w(0x40), w(0xa3), w(0x9e), w(0x81), w(0xf3), w(0xd7), w(0xfb),\
132     w(0x7c), w(0xe3), w(0x39), w(0x82), w(0x9b), w(0x2f), w(0xff), w(0x87),\
133     w(0x34), w(0x8e), w(0x43), w(0x44), w(0xc4), w(0xde), w(0xe9), w(0xcb),\
134     w(0x54), w(0x7b), w(0x94), w(0x32), w(0xa6), w(0xc2), w(0x23), w(0x3d),\
135     w(0xee), w(0x4c), w(0x95), w(0x0b), w(0x42), w(0xfa), w(0xc3), w(0x4e),\
136     w(0x08), w(0x2e), w(0xa1), w(0x66), w(0x28), w(0xd9), w(0x24), w(0xb2),\
137     w(0x76), w(0x5b), w(0xa2), w(0x49), w(0x6d), w(0x8b), w(0xd1), w(0x25),\
138     w(0x72), w(0xf8), w(0xf6), w(0x64), w(0x86), w(0x68), w(0x98), w(0x16),\
139     w(0xd4), w(0xa4), w(0x5c), w(0xcc), w(0x5d), w(0x65), w(0xb6), w(0x92),\
140     w(0x6c), w(0x70), w(0x48), w(0x50), w(0xfd), w(0xed), w(0xb9), w(0xda),\
141     w(0x5e), w(0x15), w(0x46), w(0x57), w(0xa7), w(0x8d), w(0x9d), w(0x84),\
142     w(0x90), w(0xd8), w(0xab), w(0x00), w(0x8c), w(0xbc), w(0xd3), w(0x0a),\
143     w(0xf7), w(0xe4), w(0x58), w(0x05), w(0xb8), w(0xb3), w(0x45), w(0x06),\
144     w(0xd0), w(0x2c), w(0x1e), w(0x8f), w(0xca), w(0x3f), w(0x0f), w(0x02),\
145     w(0xc1), w(0xaf), w(0xbd), w(0x03), w(0x01), w(0x13), w(0x8a), w(0x6b),\
146     w(0x3a), w(0x91), w(0x11), w(0x41), w(0x4f), w(0x67), w(0xdc), w(0xea),\
147     w(0x97), w(0xf2), w(0xcf), w(0xce), w(0xf0), w(0xb4), w(0xe6), w(0x73),\
148     w(0x96), w(0xac), w(0x74), w(0x22), w(0xe7), w(0xad), w(0x35), w(0x85),\
149     w(0xe2), w(0xf9), w(0x37), w(0xe8), w(0x1c), w(0x75), w(0xdf), w(0x6e),\
150     w(0x47), w(0xf1), w(0x1a), w(0x71), w(0x1d), w(0x29), w(0xc5), w(0x89),\
151     w(0x6f), w(0xb7), w(0x62), w(0x0e), w(0xaa), w(0x18), w(0xbe), w(0x1b),\
152     w(0xfc), w(0x56), w(0x3e), w(0x4b), w(0xc6), w(0xd2), w(0x79), w(0x20),\
153     w(0x9a), w(0xdb), w(0xc0), w(0xfe), w(0x78), w(0xcd), w(0x5a), w(0xf4),\
154     w(0x1f), w(0xdd), w(0xa8), w(0x33), w(0x88), w(0x07), w(0xc7), w(0x31),\
155     w(0xb1), w(0x12), w(0x10), w(0x59), w(0x27), w(0x80), w(0xec), w(0x5f),\
156     w(0x60), w(0x51), w(0x7f), w(0xa9), w(0x19), w(0xb5), w(0x4a), w(0x0d),\
157     w(0x2d), w(0xe5), w(0x7a), w(0x9f), w(0x93), w(0xc9), w(0x9c), w(0xef),\
158     w(0xa0), w(0xe0), w(0x3b), w(0x4d), w(0xae), w(0x2a), w(0xf5), w(0xb0),\
159     w(0xc8), w(0xeb), w(0xbb), w(0x3c), w(0x83), w(0x53), w(0x99), w(0x61),\
160     w(0x17), w(0x2b), w(0x04), w(0x7e), w(0xba), w(0x77), w(0xd6), w(0x26),\
161     w(0xe1), w(0x69), w(0x14), w(0x63), w(0x55), w(0x21), w(0x0c), w(0x7d) }
162 
163 #define mm_data(w) {    /* basic data for forming finite field tables */   \
164     w(0x00), w(0x01), w(0x02), w(0x03), w(0x04), w(0x05), w(0x06), w(0x07),\
165     w(0x08), w(0x09), w(0x0a), w(0x0b), w(0x0c), w(0x0d), w(0x0e), w(0x0f),\
166     w(0x10), w(0x11), w(0x12), w(0x13), w(0x14), w(0x15), w(0x16), w(0x17),\
167     w(0x18), w(0x19), w(0x1a), w(0x1b), w(0x1c), w(0x1d), w(0x1e), w(0x1f),\
168     w(0x20), w(0x21), w(0x22), w(0x23), w(0x24), w(0x25), w(0x26), w(0x27),\
169     w(0x28), w(0x29), w(0x2a), w(0x2b), w(0x2c), w(0x2d), w(0x2e), w(0x2f),\
170     w(0x30), w(0x31), w(0x32), w(0x33), w(0x34), w(0x35), w(0x36), w(0x37),\
171     w(0x38), w(0x39), w(0x3a), w(0x3b), w(0x3c), w(0x3d), w(0x3e), w(0x3f),\
172     w(0x40), w(0x41), w(0x42), w(0x43), w(0x44), w(0x45), w(0x46), w(0x47),\
173     w(0x48), w(0x49), w(0x4a), w(0x4b), w(0x4c), w(0x4d), w(0x4e), w(0x4f),\
174     w(0x50), w(0x51), w(0x52), w(0x53), w(0x54), w(0x55), w(0x56), w(0x57),\
175     w(0x58), w(0x59), w(0x5a), w(0x5b), w(0x5c), w(0x5d), w(0x5e), w(0x5f),\
176     w(0x60), w(0x61), w(0x62), w(0x63), w(0x64), w(0x65), w(0x66), w(0x67),\
177     w(0x68), w(0x69), w(0x6a), w(0x6b), w(0x6c), w(0x6d), w(0x6e), w(0x6f),\
178     w(0x70), w(0x71), w(0x72), w(0x73), w(0x74), w(0x75), w(0x76), w(0x77),\
179     w(0x78), w(0x79), w(0x7a), w(0x7b), w(0x7c), w(0x7d), w(0x7e), w(0x7f),\
180     w(0x80), w(0x81), w(0x82), w(0x83), w(0x84), w(0x85), w(0x86), w(0x87),\
181     w(0x88), w(0x89), w(0x8a), w(0x8b), w(0x8c), w(0x8d), w(0x8e), w(0x8f),\
182     w(0x90), w(0x91), w(0x92), w(0x93), w(0x94), w(0x95), w(0x96), w(0x97),\
183     w(0x98), w(0x99), w(0x9a), w(0x9b), w(0x9c), w(0x9d), w(0x9e), w(0x9f),\
184     w(0xa0), w(0xa1), w(0xa2), w(0xa3), w(0xa4), w(0xa5), w(0xa6), w(0xa7),\
185     w(0xa8), w(0xa9), w(0xaa), w(0xab), w(0xac), w(0xad), w(0xae), w(0xaf),\
186     w(0xb0), w(0xb1), w(0xb2), w(0xb3), w(0xb4), w(0xb5), w(0xb6), w(0xb7),\
187     w(0xb8), w(0xb9), w(0xba), w(0xbb), w(0xbc), w(0xbd), w(0xbe), w(0xbf),\
188     w(0xc0), w(0xc1), w(0xc2), w(0xc3), w(0xc4), w(0xc5), w(0xc6), w(0xc7),\
189     w(0xc8), w(0xc9), w(0xca), w(0xcb), w(0xcc), w(0xcd), w(0xce), w(0xcf),\
190     w(0xd0), w(0xd1), w(0xd2), w(0xd3), w(0xd4), w(0xd5), w(0xd6), w(0xd7),\
191     w(0xd8), w(0xd9), w(0xda), w(0xdb), w(0xdc), w(0xdd), w(0xde), w(0xdf),\
192     w(0xe0), w(0xe1), w(0xe2), w(0xe3), w(0xe4), w(0xe5), w(0xe6), w(0xe7),\
193     w(0xe8), w(0xe9), w(0xea), w(0xeb), w(0xec), w(0xed), w(0xee), w(0xef),\
194     w(0xf0), w(0xf1), w(0xf2), w(0xf3), w(0xf4), w(0xf5), w(0xf6), w(0xf7),\
195     w(0xf8), w(0xf9), w(0xfa), w(0xfb), w(0xfc), w(0xfd), w(0xfe), w(0xff) }
196 
197 static const uint_8t sbox[256]  =  sb_data(f1);
198 static const uint_8t isbox[256] = isb_data(f1);
199 
200 static const uint_8t gfm2_sbox[256] = sb_data(f2);
201 static const uint_8t gfm3_sbox[256] = sb_data(f3);
202 
203 static const uint_8t gfmul_9[256] = mm_data(f9);
204 static const uint_8t gfmul_b[256] = mm_data(fb);
205 static const uint_8t gfmul_d[256] = mm_data(fd);
206 static const uint_8t gfmul_e[256] = mm_data(fe);
207 
208 #define s_box(x)     sbox[(x)]
209 #define is_box(x)    isbox[(x)]
210 #define gfm2_sb(x)   gfm2_sbox[(x)]
211 #define gfm3_sb(x)   gfm3_sbox[(x)]
212 #define gfm_9(x)     gfmul_9[(x)]
213 #define gfm_b(x)     gfmul_b[(x)]
214 #define gfm_d(x)     gfmul_d[(x)]
215 #define gfm_e(x)     gfmul_e[(x)]
216 
217 #else
218 
219 /* this is the high bit of x right shifted by 1 */
220 /* position. Since the starting polynomial has  */
221 /* 9 bits (0x11b), this right shift keeps the   */
222 /* values of all top bits within a byte         */
223 
hibit(const uint_8t x)224 static uint_8t hibit(const uint_8t x)
225 {
226     uint_8t r = (uint_8t)((x >> 1) | (x >> 2));
227 
228     r |= (r >> 2);
229     r |= (r >> 4);
230     return (r + 1) >> 1;
231 }
232 
233 /* return the inverse of the finite field element x */
234 
gf_inv(const uint_8t x)235 static uint_8t gf_inv(const uint_8t x)
236 {
237     uint_8t p1 = x, p2 = BPOLY, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
238 
239     if (x < 2) {
240         return x;
241     }
242 
243     for ( ; ; ) {
244         if (n1) {
245             while (n2 >= n1) {          /* divide polynomial p2 by p1    */
246                 n2 /= n1;               /* shift smaller polynomial left */
247                 p2 ^= (p1 * n2) & 0xff; /* and remove from larger one    */
248                 v2 ^= (v1 * n2);        /* shift accumulated value and   */
249                 n2 = hibit(p2);         /* add into result               */
250             }
251         } else {
252             return v1;
253         }
254 
255         if (n2) {                         /* repeat with values swapped    */
256             while (n1 >= n2) {
257                 n1 /= n2;
258                 p1 ^= p2 * n1;
259                 v1 ^= v2 * n1;
260                 n1 = hibit(p1);
261             }
262         } else {
263             return v2;
264         }
265     }
266 }
267 
268 /* The forward and inverse affine transformations used in the S-box */
fwd_affine(const uint_8t x)269 uint_8t fwd_affine(const uint_8t x)
270 {
271 #if defined( HAVE_UINT_32T )
272     uint_32t w = x;
273     w ^= (w << 1) ^ (w << 2) ^ (w << 3) ^ (w << 4);
274     return 0x63 ^ ((w ^ (w >> 8)) & 0xff);
275 #else
276     return 0x63 ^ x ^ (x << 1) ^ (x << 2) ^ (x << 3) ^ (x << 4)
277            ^ (x >> 7) ^ (x >> 6) ^ (x >> 5) ^ (x >> 4);
278 #endif
279 }
280 
inv_affine(const uint_8t x)281 uint_8t inv_affine(const uint_8t x)
282 {
283 #if defined( HAVE_UINT_32T )
284     uint_32t w = x;
285     w = (w << 1) ^ (w << 3) ^ (w << 6);
286     return 0x05 ^ ((w ^ (w >> 8)) & 0xff);
287 #else
288     return 0x05 ^ (x << 1) ^ (x << 3) ^ (x << 6)
289            ^ (x >> 7) ^ (x >> 5) ^ (x >> 2);
290 #endif
291 }
292 
293 #define s_box(x)   fwd_affine(gf_inv(x))
294 #define is_box(x)  gf_inv(inv_affine(x))
295 #define gfm2_sb(x) f2(s_box(x))
296 #define gfm3_sb(x) f3(s_box(x))
297 #define gfm_9(x)   f9(x)
298 #define gfm_b(x)   fb(x)
299 #define gfm_d(x)   fd(x)
300 #define gfm_e(x)   fe(x)
301 
302 #endif
303 
304 #if defined( HAVE_MEMCPY )
305 #  define block_copy_nn(d, s, l)    memcpy(d, s, l)
306 #  define block_copy(d, s)          memcpy(d, s, N_BLOCK)
307 #else
308 #  define block_copy_nn(d, s, l)    copy_block_nn(d, s, l)
309 #  define block_copy(d, s)          copy_block(d, s)
310 #endif
311 
312 #if !defined( HAVE_MEMCPY )
copy_block(void * d,const void * s)313 static void copy_block( void *d, const void *s )
314 {
315 #if defined( HAVE_UINT_32T )
316     ((uint_32t *)d)[ 0] = ((uint_32t *)s)[ 0];
317     ((uint_32t *)d)[ 1] = ((uint_32t *)s)[ 1];
318     ((uint_32t *)d)[ 2] = ((uint_32t *)s)[ 2];
319     ((uint_32t *)d)[ 3] = ((uint_32t *)s)[ 3];
320 #else
321     ((uint_8t *)d)[ 0] = ((uint_8t *)s)[ 0];
322     ((uint_8t *)d)[ 1] = ((uint_8t *)s)[ 1];
323     ((uint_8t *)d)[ 2] = ((uint_8t *)s)[ 2];
324     ((uint_8t *)d)[ 3] = ((uint_8t *)s)[ 3];
325     ((uint_8t *)d)[ 4] = ((uint_8t *)s)[ 4];
326     ((uint_8t *)d)[ 5] = ((uint_8t *)s)[ 5];
327     ((uint_8t *)d)[ 6] = ((uint_8t *)s)[ 6];
328     ((uint_8t *)d)[ 7] = ((uint_8t *)s)[ 7];
329     ((uint_8t *)d)[ 8] = ((uint_8t *)s)[ 8];
330     ((uint_8t *)d)[ 9] = ((uint_8t *)s)[ 9];
331     ((uint_8t *)d)[10] = ((uint_8t *)s)[10];
332     ((uint_8t *)d)[11] = ((uint_8t *)s)[11];
333     ((uint_8t *)d)[12] = ((uint_8t *)s)[12];
334     ((uint_8t *)d)[13] = ((uint_8t *)s)[13];
335     ((uint_8t *)d)[14] = ((uint_8t *)s)[14];
336     ((uint_8t *)d)[15] = ((uint_8t *)s)[15];
337 #endif
338 }
339 
copy_block_nn(void * d,const void * s,uint_8t nn)340 static void copy_block_nn( void *d, const void *s, uint_8t nn )
341 {
342     while ( nn-- ) {
343         *((uint_8t *)d)++ = *((uint_8t *)s)++;
344     }
345 }
346 #endif
347 
xor_block(void * d,const void * s)348 static void xor_block( void *d, const void *s )
349 {
350 #if defined( HAVE_UINT_32T )
351     ((uint_32t *)d)[ 0] ^= ((uint_32t *)s)[ 0];
352     ((uint_32t *)d)[ 1] ^= ((uint_32t *)s)[ 1];
353     ((uint_32t *)d)[ 2] ^= ((uint_32t *)s)[ 2];
354     ((uint_32t *)d)[ 3] ^= ((uint_32t *)s)[ 3];
355 #else
356     ((uint_8t *)d)[ 0] ^= ((uint_8t *)s)[ 0];
357     ((uint_8t *)d)[ 1] ^= ((uint_8t *)s)[ 1];
358     ((uint_8t *)d)[ 2] ^= ((uint_8t *)s)[ 2];
359     ((uint_8t *)d)[ 3] ^= ((uint_8t *)s)[ 3];
360     ((uint_8t *)d)[ 4] ^= ((uint_8t *)s)[ 4];
361     ((uint_8t *)d)[ 5] ^= ((uint_8t *)s)[ 5];
362     ((uint_8t *)d)[ 6] ^= ((uint_8t *)s)[ 6];
363     ((uint_8t *)d)[ 7] ^= ((uint_8t *)s)[ 7];
364     ((uint_8t *)d)[ 8] ^= ((uint_8t *)s)[ 8];
365     ((uint_8t *)d)[ 9] ^= ((uint_8t *)s)[ 9];
366     ((uint_8t *)d)[10] ^= ((uint_8t *)s)[10];
367     ((uint_8t *)d)[11] ^= ((uint_8t *)s)[11];
368     ((uint_8t *)d)[12] ^= ((uint_8t *)s)[12];
369     ((uint_8t *)d)[13] ^= ((uint_8t *)s)[13];
370     ((uint_8t *)d)[14] ^= ((uint_8t *)s)[14];
371     ((uint_8t *)d)[15] ^= ((uint_8t *)s)[15];
372 #endif
373 }
374 
copy_and_key(void * d,const void * s,const void * k)375 static void copy_and_key( void *d, const void *s, const void *k )
376 {
377 #if defined( HAVE_UINT_32T )
378     ((uint_32t *)d)[ 0] = ((uint_32t *)s)[ 0] ^ ((uint_32t *)k)[ 0];
379     ((uint_32t *)d)[ 1] = ((uint_32t *)s)[ 1] ^ ((uint_32t *)k)[ 1];
380     ((uint_32t *)d)[ 2] = ((uint_32t *)s)[ 2] ^ ((uint_32t *)k)[ 2];
381     ((uint_32t *)d)[ 3] = ((uint_32t *)s)[ 3] ^ ((uint_32t *)k)[ 3];
382 #elif 1
383     ((uint_8t *)d)[ 0] = ((uint_8t *)s)[ 0] ^ ((uint_8t *)k)[ 0];
384     ((uint_8t *)d)[ 1] = ((uint_8t *)s)[ 1] ^ ((uint_8t *)k)[ 1];
385     ((uint_8t *)d)[ 2] = ((uint_8t *)s)[ 2] ^ ((uint_8t *)k)[ 2];
386     ((uint_8t *)d)[ 3] = ((uint_8t *)s)[ 3] ^ ((uint_8t *)k)[ 3];
387     ((uint_8t *)d)[ 4] = ((uint_8t *)s)[ 4] ^ ((uint_8t *)k)[ 4];
388     ((uint_8t *)d)[ 5] = ((uint_8t *)s)[ 5] ^ ((uint_8t *)k)[ 5];
389     ((uint_8t *)d)[ 6] = ((uint_8t *)s)[ 6] ^ ((uint_8t *)k)[ 6];
390     ((uint_8t *)d)[ 7] = ((uint_8t *)s)[ 7] ^ ((uint_8t *)k)[ 7];
391     ((uint_8t *)d)[ 8] = ((uint_8t *)s)[ 8] ^ ((uint_8t *)k)[ 8];
392     ((uint_8t *)d)[ 9] = ((uint_8t *)s)[ 9] ^ ((uint_8t *)k)[ 9];
393     ((uint_8t *)d)[10] = ((uint_8t *)s)[10] ^ ((uint_8t *)k)[10];
394     ((uint_8t *)d)[11] = ((uint_8t *)s)[11] ^ ((uint_8t *)k)[11];
395     ((uint_8t *)d)[12] = ((uint_8t *)s)[12] ^ ((uint_8t *)k)[12];
396     ((uint_8t *)d)[13] = ((uint_8t *)s)[13] ^ ((uint_8t *)k)[13];
397     ((uint_8t *)d)[14] = ((uint_8t *)s)[14] ^ ((uint_8t *)k)[14];
398     ((uint_8t *)d)[15] = ((uint_8t *)s)[15] ^ ((uint_8t *)k)[15];
399 #else
400     block_copy(d, s);
401     xor_block(d, k);
402 #endif
403 }
404 
add_round_key(uint_8t d[N_BLOCK],const uint_8t k[N_BLOCK])405 static void add_round_key( uint_8t d[N_BLOCK], const uint_8t k[N_BLOCK] )
406 {
407     xor_block(d, k);
408 }
409 
shift_sub_rows(uint_8t st[N_BLOCK])410 static void shift_sub_rows( uint_8t st[N_BLOCK] )
411 {
412     uint_8t tt;
413 
414     st[ 0] = s_box(st[ 0]); st[ 4] = s_box(st[ 4]);
415     st[ 8] = s_box(st[ 8]); st[12] = s_box(st[12]);
416 
417     tt = st[1]; st[ 1] = s_box(st[ 5]); st[ 5] = s_box(st[ 9]);
418     st[ 9] = s_box(st[13]); st[13] = s_box( tt );
419 
420     tt = st[2]; st[ 2] = s_box(st[10]); st[10] = s_box( tt );
421     tt = st[6]; st[ 6] = s_box(st[14]); st[14] = s_box( tt );
422 
423     tt = st[15]; st[15] = s_box(st[11]); st[11] = s_box(st[ 7]);
424     st[ 7] = s_box(st[ 3]); st[ 3] = s_box( tt );
425 }
426 
inv_shift_sub_rows(uint_8t st[N_BLOCK])427 static void inv_shift_sub_rows( uint_8t st[N_BLOCK] )
428 {
429     uint_8t tt;
430 
431     st[ 0] = is_box(st[ 0]); st[ 4] = is_box(st[ 4]);
432     st[ 8] = is_box(st[ 8]); st[12] = is_box(st[12]);
433 
434     tt = st[13]; st[13] = is_box(st[9]); st[ 9] = is_box(st[5]);
435     st[ 5] = is_box(st[1]); st[ 1] = is_box( tt );
436 
437     tt = st[2]; st[ 2] = is_box(st[10]); st[10] = is_box( tt );
438     tt = st[6]; st[ 6] = is_box(st[14]); st[14] = is_box( tt );
439 
440     tt = st[3]; st[ 3] = is_box(st[ 7]); st[ 7] = is_box(st[11]);
441     st[11] = is_box(st[15]); st[15] = is_box( tt );
442 }
443 
444 #if defined( VERSION_1 )
mix_sub_columns(uint_8t dt[N_BLOCK])445 static void mix_sub_columns( uint_8t dt[N_BLOCK] )
446 {
447     uint_8t st[N_BLOCK];
448     block_copy(st, dt);
449 #else
450 static void mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
451 {
452 #endif
453     dt[ 0] = gfm2_sb(st[0]) ^ gfm3_sb(st[5]) ^ s_box(st[10]) ^ s_box(st[15]);
454     dt[ 1] = s_box(st[0]) ^ gfm2_sb(st[5]) ^ gfm3_sb(st[10]) ^ s_box(st[15]);
455     dt[ 2] = s_box(st[0]) ^ s_box(st[5]) ^ gfm2_sb(st[10]) ^ gfm3_sb(st[15]);
456     dt[ 3] = gfm3_sb(st[0]) ^ s_box(st[5]) ^ s_box(st[10]) ^ gfm2_sb(st[15]);
457 
458     dt[ 4] = gfm2_sb(st[4]) ^ gfm3_sb(st[9]) ^ s_box(st[14]) ^ s_box(st[3]);
459     dt[ 5] = s_box(st[4]) ^ gfm2_sb(st[9]) ^ gfm3_sb(st[14]) ^ s_box(st[3]);
460     dt[ 6] = s_box(st[4]) ^ s_box(st[9]) ^ gfm2_sb(st[14]) ^ gfm3_sb(st[3]);
461     dt[ 7] = gfm3_sb(st[4]) ^ s_box(st[9]) ^ s_box(st[14]) ^ gfm2_sb(st[3]);
462 
463     dt[ 8] = gfm2_sb(st[8]) ^ gfm3_sb(st[13]) ^ s_box(st[2]) ^ s_box(st[7]);
464     dt[ 9] = s_box(st[8]) ^ gfm2_sb(st[13]) ^ gfm3_sb(st[2]) ^ s_box(st[7]);
465     dt[10] = s_box(st[8]) ^ s_box(st[13]) ^ gfm2_sb(st[2]) ^ gfm3_sb(st[7]);
466     dt[11] = gfm3_sb(st[8]) ^ s_box(st[13]) ^ s_box(st[2]) ^ gfm2_sb(st[7]);
467 
468     dt[12] = gfm2_sb(st[12]) ^ gfm3_sb(st[1]) ^ s_box(st[6]) ^ s_box(st[11]);
469     dt[13] = s_box(st[12]) ^ gfm2_sb(st[1]) ^ gfm3_sb(st[6]) ^ s_box(st[11]);
470     dt[14] = s_box(st[12]) ^ s_box(st[1]) ^ gfm2_sb(st[6]) ^ gfm3_sb(st[11]);
471     dt[15] = gfm3_sb(st[12]) ^ s_box(st[1]) ^ s_box(st[6]) ^ gfm2_sb(st[11]);
472 }
473 
474 #if defined( VERSION_1 )
475 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK] )
476 {
477     uint_8t st[N_BLOCK];
478     block_copy(st, dt);
479 #else
480 static void inv_mix_sub_columns( uint_8t dt[N_BLOCK], uint_8t st[N_BLOCK] )
481 {
482 #endif
483     dt[ 0] = is_box(gfm_e(st[ 0]) ^ gfm_b(st[ 1]) ^ gfm_d(st[ 2]) ^ gfm_9(st[ 3]));
484     dt[ 5] = is_box(gfm_9(st[ 0]) ^ gfm_e(st[ 1]) ^ gfm_b(st[ 2]) ^ gfm_d(st[ 3]));
485     dt[10] = is_box(gfm_d(st[ 0]) ^ gfm_9(st[ 1]) ^ gfm_e(st[ 2]) ^ gfm_b(st[ 3]));
486     dt[15] = is_box(gfm_b(st[ 0]) ^ gfm_d(st[ 1]) ^ gfm_9(st[ 2]) ^ gfm_e(st[ 3]));
487 
488     dt[ 4] = is_box(gfm_e(st[ 4]) ^ gfm_b(st[ 5]) ^ gfm_d(st[ 6]) ^ gfm_9(st[ 7]));
489     dt[ 9] = is_box(gfm_9(st[ 4]) ^ gfm_e(st[ 5]) ^ gfm_b(st[ 6]) ^ gfm_d(st[ 7]));
490     dt[14] = is_box(gfm_d(st[ 4]) ^ gfm_9(st[ 5]) ^ gfm_e(st[ 6]) ^ gfm_b(st[ 7]));
491     dt[ 3] = is_box(gfm_b(st[ 4]) ^ gfm_d(st[ 5]) ^ gfm_9(st[ 6]) ^ gfm_e(st[ 7]));
492 
493     dt[ 8] = is_box(gfm_e(st[ 8]) ^ gfm_b(st[ 9]) ^ gfm_d(st[10]) ^ gfm_9(st[11]));
494     dt[13] = is_box(gfm_9(st[ 8]) ^ gfm_e(st[ 9]) ^ gfm_b(st[10]) ^ gfm_d(st[11]));
495     dt[ 2] = is_box(gfm_d(st[ 8]) ^ gfm_9(st[ 9]) ^ gfm_e(st[10]) ^ gfm_b(st[11]));
496     dt[ 7] = is_box(gfm_b(st[ 8]) ^ gfm_d(st[ 9]) ^ gfm_9(st[10]) ^ gfm_e(st[11]));
497 
498     dt[12] = is_box(gfm_e(st[12]) ^ gfm_b(st[13]) ^ gfm_d(st[14]) ^ gfm_9(st[15]));
499     dt[ 1] = is_box(gfm_9(st[12]) ^ gfm_e(st[13]) ^ gfm_b(st[14]) ^ gfm_d(st[15]));
500     dt[ 6] = is_box(gfm_d(st[12]) ^ gfm_9(st[13]) ^ gfm_e(st[14]) ^ gfm_b(st[15]));
501     dt[11] = is_box(gfm_b(st[12]) ^ gfm_d(st[13]) ^ gfm_9(st[14]) ^ gfm_e(st[15]));
502 }
503 
504 #if defined( AES_ENC_PREKEYED ) || defined( AES_DEC_PREKEYED )
505 
506 /*  Set the cipher key for the pre-keyed version */
507 /*  NOTE: If the length_type used for the key length is an
508     unsigned 8-bit character, a key length of 256 bits must
509     be entered as a length in bytes (valid inputs are hence
510     128, 192, 16, 24 and 32).
511 */
512 
513 return_type aes_set_key( const unsigned char key[], length_type keylen, aes_context ctx[1] )
514 {
515     uint_8t cc, rc, hi;
516 
517     switch ( keylen ) {
518     case 16:
519     case 128:           /* length in bits (128 = 8*16) */
520         keylen = 16;
521         break;
522     case 24:
523     case 192:           /* length in bits (192 = 8*24) */
524         keylen = 24;
525         break;
526     case 32:
527         /*    case 256:           length in bits (256 = 8*32) */
528         keylen = 32;
529         break;
530     default:
531         ctx->rnd = 0;
532         return (return_type) - 1;
533     }
534     block_copy_nn(ctx->ksch, key, keylen);
535     hi = (keylen + 28) << 2;
536     ctx->rnd = (hi >> 4) - 1;
537     for ( cc = keylen, rc = 1; cc < hi; cc += 4 ) {
538         uint_8t tt, t0, t1, t2, t3;
539 
540         t0 = ctx->ksch[cc - 4];
541         t1 = ctx->ksch[cc - 3];
542         t2 = ctx->ksch[cc - 2];
543         t3 = ctx->ksch[cc - 1];
544         if ( cc % keylen == 0 ) {
545             tt = t0;
546             t0 = s_box(t1) ^ rc;
547             t1 = s_box(t2);
548             t2 = s_box(t3);
549             t3 = s_box(tt);
550             rc = f2(rc);
551         } else if ( keylen > 24 && cc % keylen == 16 ) {
552             t0 = s_box(t0);
553             t1 = s_box(t1);
554             t2 = s_box(t2);
555             t3 = s_box(t3);
556         }
557         tt = cc - keylen;
558         ctx->ksch[cc + 0] = ctx->ksch[tt + 0] ^ t0;
559         ctx->ksch[cc + 1] = ctx->ksch[tt + 1] ^ t1;
560         ctx->ksch[cc + 2] = ctx->ksch[tt + 2] ^ t2;
561         ctx->ksch[cc + 3] = ctx->ksch[tt + 3] ^ t3;
562     }
563     return 0;
564 }
565 
566 #endif
567 
568 #if defined( AES_ENC_PREKEYED )
569 
570 /*  Encrypt a single block of 16 bytes */
571 
572 /* @breif change the name by snake for avoid the conflict with libcrypto */
573 return_type bluedroid_aes_encrypt( const unsigned char in[N_BLOCK], unsigned char  out[N_BLOCK], const aes_context ctx[1] )
574 {
575     if ( ctx->rnd ) {
576         uint_8t s1[N_BLOCK], r;
577         copy_and_key( s1, in, ctx->ksch );
578 
579         for ( r = 1 ; r < ctx->rnd ; ++r )
580 #if defined( VERSION_1 )
581         {
582             mix_sub_columns( s1 );
583             add_round_key( s1, ctx->ksch + r * N_BLOCK);
584         }
585 #else
586         {
587             uint_8t s2[N_BLOCK];
588             mix_sub_columns( s2, s1 );
589             copy_and_key( s1, s2, ctx->ksch + r * N_BLOCK);
590         }
591 #endif
592         shift_sub_rows( s1 );
593         copy_and_key( out, s1, ctx->ksch + r * N_BLOCK );
594     } else {
595         return (return_type) - 1;
596     }
597     return 0;
598 }
599 
600 /* CBC encrypt a number of blocks (input and return an IV) */
601 
602 return_type aes_cbc_encrypt( const unsigned char *in, unsigned char *out,
603                              int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
604 {
605 
606     while (n_block--) {
607         xor_block(iv, in);
608         if (bluedroid_aes_encrypt(iv, iv, ctx) != EXIT_SUCCESS) {
609             return EXIT_FAILURE;
610         }
611         memcpy(out, iv, N_BLOCK);
612         in += N_BLOCK;
613         out += N_BLOCK;
614     }
615     return EXIT_SUCCESS;
616 }
617 
618 #endif
619 
620 #if defined( AES_DEC_PREKEYED )
621 
622 /*  Decrypt a single block of 16 bytes */
623 
624 return_type bluedroid_aes_decrypt( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK], const aes_context ctx[1] )
625 {
626     if ( ctx->rnd ) {
627         uint_8t s1[N_BLOCK], r;
628         copy_and_key( s1, in, ctx->ksch + ctx->rnd * N_BLOCK );
629         inv_shift_sub_rows( s1 );
630 
631         for ( r = ctx->rnd ; --r ; )
632 #if defined( VERSION_1 )
633         {
634             add_round_key( s1, ctx->ksch + r * N_BLOCK );
635             inv_mix_sub_columns( s1 );
636         }
637 #else
638         {
639             uint_8t s2[N_BLOCK];
640             copy_and_key( s2, s1, ctx->ksch + r * N_BLOCK );
641             inv_mix_sub_columns( s1, s2 );
642         }
643 #endif
644         copy_and_key( out, s1, ctx->ksch );
645     } else {
646         return (return_type) - 1;
647     }
648     return 0;
649 }
650 
651 /* CBC decrypt a number of blocks (input and return an IV) */
652 
653 return_type aes_cbc_decrypt( const unsigned char *in, unsigned char *out,
654                              int n_block, unsigned char iv[N_BLOCK], const aes_context ctx[1] )
655 {
656     while (n_block--) {
657         uint_8t tmp[N_BLOCK];
658 
659         memcpy(tmp, in, N_BLOCK);
660         if (bluedroid_aes_decrypt(in, out, ctx) != EXIT_SUCCESS) {
661             return EXIT_FAILURE;
662         }
663         xor_block(out, iv);
664         memcpy(iv, tmp, N_BLOCK);
665         in += N_BLOCK;
666         out += N_BLOCK;
667     }
668     return EXIT_SUCCESS;
669 }
670 
671 #endif
672 
673 #if defined( AES_ENC_128_OTFK )
674 
675 /*  The 'on the fly' encryption key update for for 128 bit keys */
676 
677 static void update_encrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
678 {
679     uint_8t cc;
680 
681     k[0] ^= s_box(k[13]) ^ *rc;
682     k[1] ^= s_box(k[14]);
683     k[2] ^= s_box(k[15]);
684     k[3] ^= s_box(k[12]);
685     *rc = f2( *rc );
686 
687     for (cc = 4; cc < 16; cc += 4 ) {
688         k[cc + 0] ^= k[cc - 4];
689         k[cc + 1] ^= k[cc - 3];
690         k[cc + 2] ^= k[cc - 2];
691         k[cc + 3] ^= k[cc - 1];
692     }
693 }
694 
695 /*  Encrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
696 
697 void bluedroid_aes_encrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
698                                 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
699 {
700     uint_8t s1[N_BLOCK], r, rc = 1;
701 
702     if (o_key != key) {
703         block_copy( o_key, key );
704     }
705     copy_and_key( s1, in, o_key );
706 
707     for ( r = 1 ; r < 10 ; ++r )
708 #if defined( VERSION_1 )
709     {
710         mix_sub_columns( s1 );
711         update_encrypt_key_128( o_key, &rc );
712         add_round_key( s1, o_key );
713     }
714 #else
715     {
716         uint_8t s2[N_BLOCK];
717         mix_sub_columns( s2, s1 );
718         update_encrypt_key_128( o_key, &rc );
719         copy_and_key( s1, s2, o_key );
720     }
721 #endif
722 
723     shift_sub_rows( s1 );
724     update_encrypt_key_128( o_key, &rc );
725     copy_and_key( out, s1, o_key );
726 }
727 
728 #endif
729 
730 #if defined( AES_DEC_128_OTFK )
731 
732 /*  The 'on the fly' decryption key update for for 128 bit keys */
733 
734 static void update_decrypt_key_128( uint_8t k[N_BLOCK], uint_8t *rc )
735 {
736     uint_8t cc;
737 
738     for ( cc = 12; cc > 0; cc -= 4 ) {
739         k[cc + 0] ^= k[cc - 4];
740         k[cc + 1] ^= k[cc - 3];
741         k[cc + 2] ^= k[cc - 2];
742         k[cc + 3] ^= k[cc - 1];
743     }
744     *rc = d2(*rc);
745     k[0] ^= s_box(k[13]) ^ *rc;
746     k[1] ^= s_box(k[14]);
747     k[2] ^= s_box(k[15]);
748     k[3] ^= s_box(k[12]);
749 }
750 
751 /*  Decrypt a single block of 16 bytes with 'on the fly' 128 bit keying */
752 
753 void bluedroid_aes_decrypt_128( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
754                                 const unsigned char key[N_BLOCK], unsigned char o_key[N_BLOCK] )
755 {
756     uint_8t s1[N_BLOCK], r, rc = 0x6c;
757     if (o_key != key) {
758         block_copy( o_key, key );
759     }
760 
761     copy_and_key( s1, in, o_key );
762     inv_shift_sub_rows( s1 );
763 
764     for ( r = 10 ; --r ; )
765 #if defined( VERSION_1 )
766     {
767         update_decrypt_key_128( o_key, &rc );
768         add_round_key( s1, o_key );
769         inv_mix_sub_columns( s1 );
770     }
771 #else
772     {
773         uint_8t s2[N_BLOCK];
774         update_decrypt_key_128( o_key, &rc );
775         copy_and_key( s2, s1, o_key );
776         inv_mix_sub_columns( s1, s2 );
777     }
778 #endif
779     update_decrypt_key_128( o_key, &rc );
780     copy_and_key( out, s1, o_key );
781 }
782 
783 #endif
784 
785 #if defined( AES_ENC_256_OTFK )
786 
787 /*  The 'on the fly' encryption key update for for 256 bit keys */
788 
789 static void update_encrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
790 {
791     uint_8t cc;
792 
793     k[0] ^= s_box(k[29]) ^ *rc;
794     k[1] ^= s_box(k[30]);
795     k[2] ^= s_box(k[31]);
796     k[3] ^= s_box(k[28]);
797     *rc = f2( *rc );
798 
799     for (cc = 4; cc < 16; cc += 4) {
800         k[cc + 0] ^= k[cc - 4];
801         k[cc + 1] ^= k[cc - 3];
802         k[cc + 2] ^= k[cc - 2];
803         k[cc + 3] ^= k[cc - 1];
804     }
805 
806     k[16] ^= s_box(k[12]);
807     k[17] ^= s_box(k[13]);
808     k[18] ^= s_box(k[14]);
809     k[19] ^= s_box(k[15]);
810 
811     for ( cc = 20; cc < 32; cc += 4 ) {
812         k[cc + 0] ^= k[cc - 4];
813         k[cc + 1] ^= k[cc - 3];
814         k[cc + 2] ^= k[cc - 2];
815         k[cc + 3] ^= k[cc - 1];
816     }
817 }
818 
819 /*  Encrypt a single block of 16 bytes with 'on the fly' 256 bit keying */
820 
821 void bluedroid_aes_encrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
822                                 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
823 {
824     uint_8t s1[N_BLOCK], r, rc = 1;
825     if (o_key != key) {
826         block_copy( o_key, key );
827         block_copy( o_key + 16, key + 16 );
828     }
829     copy_and_key( s1, in, o_key );
830 
831     for ( r = 1 ; r < 14 ; ++r )
832 #if defined( VERSION_1 )
833     {
834         mix_sub_columns(s1);
835         if ( r & 1 ) {
836             add_round_key( s1, o_key + 16 );
837         } else {
838             update_encrypt_key_256( o_key, &rc );
839             add_round_key( s1, o_key );
840         }
841     }
842 #else
843     {
844         uint_8t s2[N_BLOCK];
845         mix_sub_columns( s2, s1 );
846         if ( r & 1 ) {
847             copy_and_key( s1, s2, o_key + 16 );
848         } else {
849             update_encrypt_key_256( o_key, &rc );
850             copy_and_key( s1, s2, o_key );
851         }
852     }
853 #endif
854 
855     shift_sub_rows( s1 );
856     update_encrypt_key_256( o_key, &rc );
857     copy_and_key( out, s1, o_key );
858 }
859 
860 #endif
861 
862 #if defined( AES_DEC_256_OTFK )
863 
864 /*  The 'on the fly' encryption key update for for 256 bit keys */
865 
866 static void update_decrypt_key_256( uint_8t k[2 * N_BLOCK], uint_8t *rc )
867 {
868     uint_8t cc;
869 
870     for (cc = 28; cc > 16; cc -= 4) {
871         k[cc + 0] ^= k[cc - 4];
872         k[cc + 1] ^= k[cc - 3];
873         k[cc + 2] ^= k[cc - 2];
874         k[cc + 3] ^= k[cc - 1];
875     }
876 
877     k[16] ^= s_box(k[12]);
878     k[17] ^= s_box(k[13]);
879     k[18] ^= s_box(k[14]);
880     k[19] ^= s_box(k[15]);
881 
882     for (cc = 12; cc > 0; cc -= 4) {
883         k[cc + 0] ^= k[cc - 4];
884         k[cc + 1] ^= k[cc - 3];
885         k[cc + 2] ^= k[cc - 2];
886         k[cc + 3] ^= k[cc - 1];
887     }
888 
889     *rc = d2(*rc);
890     k[0] ^= s_box(k[29]) ^ *rc;
891     k[1] ^= s_box(k[30]);
892     k[2] ^= s_box(k[31]);
893     k[3] ^= s_box(k[28]);
894 }
895 
896 /*  Decrypt a single block of 16 bytes with 'on the fly'
897     256 bit keying
898 */
899 void bluedroid_aes_decrypt_256( const unsigned char in[N_BLOCK], unsigned char out[N_BLOCK],
900                                 const unsigned char key[2 * N_BLOCK], unsigned char o_key[2 * N_BLOCK] )
901 {
902     uint_8t s1[N_BLOCK], r, rc = 0x80;
903 
904     if (o_key != key) {
905         block_copy( o_key, key );
906         block_copy( o_key + 16, key + 16 );
907     }
908 
909     copy_and_key( s1, in, o_key );
910     inv_shift_sub_rows( s1 );
911 
912     for ( r = 14 ; --r ; )
913 #if defined( VERSION_1 )
914     {
915         if ( ( r & 1 ) ) {
916             update_decrypt_key_256( o_key, &rc );
917             add_round_key( s1, o_key + 16 );
918         } else {
919             add_round_key( s1, o_key );
920         }
921         inv_mix_sub_columns( s1 );
922     }
923 #else
924     {
925         uint_8t s2[N_BLOCK];
926         if ( ( r & 1 ) ) {
927             update_decrypt_key_256( o_key, &rc );
928             copy_and_key( s2, s1, o_key + 16 );
929         } else {
930             copy_and_key( s2, s1, o_key );
931         }
932         inv_mix_sub_columns( s1, s2 );
933     }
934 #endif
935     copy_and_key( out, s1, o_key );
936 }
937 
938 #endif
939