arne
/
cryptopp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

AES timing attack countermeasures

pull/2/head
weidai 2006-07-17 14:48:59 +00:00
parent 0156adfd5e
commit c8e2f89594
5 changed files with 449 additions and 363 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Readme.txt
View File

@ -350,6 +350,8 @@ the mailing list.
5.2.3 - fixed issues with FIPS algorithm test vectors
- put RSASSA-ISO into DLL
5.3 - Ported to MSVC .NET 2005 beta 2 with support for x86-64
5.3 - Ported to MSVC .NET 2005 with support for x86-64
- Added defense against AES timing attacks, and more AES test vectors
- Changed StaticAlgorithmName() of Rijndael to "AES", CTR to "CTR"
Written by Wei Dai

17
config.h
View File

@ -48,6 +48,9 @@
#define PREFER_BERKELEY_STYLE_SOCKETS
// #define PREFER_WINDOWS_STYLE_SOCKETS
// set the name of Rijndael cipher, was "Rijndael" before version 5.3
#define CRYPTOPP_RIJNDAEL_NAME "AES"
// ***************** Important Settings Again ********************
// But the defaults should be ok.
@ -155,6 +158,20 @@ const unsigned int WORD_BITS = WORD_SIZE * 8;
#define FAST_ROTATE
#endif
#ifndef CRYPTOPP_L1_CACHE_LINE_SIZE
// This should be a lower bound on the L1 cache line size. It's used for defense against timing attacks.
// L1 cache line size is 32 on Pentium III and earlier
#define CRYPTOPP_L1_CACHE_LINE_SIZE 32
#endif
#ifndef CRYPTOPP_L1_CACHE_ALIGN
#ifdef _MSC_VER
#define CRYPTOPP_L1_CACHE_ALIGN(x) __declspec(align(CRYPTOPP_L1_CACHE_LINE_SIZE)) x
#elif defined(__GNUC__)
#define CRYPTOPP_L1_CACHE_ALIGN(x) x __attribute__((aligned(CRYPTOPP_L1_CACHE_LINE_SIZE)))
#endif
#endif
NAMESPACE_END
// VC60 workaround: it doesn't allow typename in some places

266
rdtables.cpp
View File

@ -20,15 +20,80 @@ Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
Te2[x] = S [x].[01, 03, 02, 01];
Te3[x] = S [x].[01, 01, 03, 02];
Te4[x] = S [x].[01, 01, 01, 01];
Td0[x] = Si[x].[0e, 09, 0d, 0b];
Td1[x] = Si[x].[0b, 0e, 09, 0d];
Td2[x] = Si[x].[0d, 0b, 0e, 09];
Td3[x] = Si[x].[09, 0d, 0b, 0e];
Td4[x] = Si[x].[01, 01, 01, 01];
*/
const byte Rijndael::Base::Se[256] = {
0x63, 0x7c, 0x77, 0x7b,
0xf2, 0x6b, 0x6f, 0xc5,
0x30, 0x01, 0x67, 0x2b,
0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d,
0xfa, 0x59, 0x47, 0xf0,
0xad, 0xd4, 0xa2, 0xaf,
0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26,
0x36, 0x3f, 0xf7, 0xcc,
0x34, 0xa5, 0xe5, 0xf1,
0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3,
0x18, 0x96, 0x05, 0x9a,
0x07, 0x12, 0x80, 0xe2,
0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a,
0x1b, 0x6e, 0x5a, 0xa0,
0x52, 0x3b, 0xd6, 0xb3,
0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed,
0x20, 0xfc, 0xb1, 0x5b,
0x6a, 0xcb, 0xbe, 0x39,
0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb,
0x43, 0x4d, 0x33, 0x85,
0x45, 0xf9, 0x02, 0x7f,
0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f,
0x92, 0x9d, 0x38, 0xf5,
0xbc, 0xb6, 0xda, 0x21,
0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec,
0x5f, 0x97, 0x44, 0x17,
0xc4, 0xa7, 0x7e, 0x3d,
0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc,
0x22, 0x2a, 0x90, 0x88,
0x46, 0xee, 0xb8, 0x14,
0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a,
0x49, 0x06, 0x24, 0x5c,
0xc2, 0xd3, 0xac, 0x62,
0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d,
0x8d, 0xd5, 0x4e, 0xa9,
0x6c, 0x56, 0xf4, 0xea,
0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e,
0x1c, 0xa6, 0xb4, 0xc6,
0xe8, 0xdd, 0x74, 0x1f,
0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66,
0x48, 0x03, 0xf6, 0x0e,
0x61, 0x35, 0x57, 0xb9,
0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11,
0x69, 0xd9, 0x8e, 0x94,
0x9b, 0x1e, 0x87, 0xe9,
0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d,
0xbf, 0xe6, 0x42, 0x68,
0x41, 0x99, 0x2d, 0x0f,
0xb0, 0x54, 0xbb, 0x16,
};
const word32 Rijndael::Base::Te0[256] = {
0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
@ -295,71 +360,71 @@ const word32 Rijndael::Base::Te3[256] = {
0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
};
const word32 Rijndael::Base::Te4[256] = {
0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
const byte Rijndael::Base::Sd[256] = {
0x52, 0x09, 0x6a, 0xd5,
0x30, 0x36, 0xa5, 0x38,
0xbf, 0x40, 0xa3, 0x9e,
0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82,
0x9b, 0x2f, 0xff, 0x87,
0x34, 0x8e, 0x43, 0x44,
0xc4, 0xde, 0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32,
0xa6, 0xc2, 0x23, 0x3d,
0xee, 0x4c, 0x95, 0x0b,
0x42, 0xfa, 0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66,
0x28, 0xd9, 0x24, 0xb2,
0x76, 0x5b, 0xa2, 0x49,
0x6d, 0x8b, 0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64,
0x86, 0x68, 0x98, 0x16,
0xd4, 0xa4, 0x5c, 0xcc,
0x5d, 0x65, 0xb6, 0x92,
0x6c, 0x70, 0x48, 0x50,
0xfd, 0xed, 0xb9, 0xda,
0x5e, 0x15, 0x46, 0x57,
0xa7, 0x8d, 0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00,
0x8c, 0xbc, 0xd3, 0x0a,
0xf7, 0xe4, 0x58, 0x05,
0xb8, 0xb3, 0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f,
0xca, 0x3f, 0x0f, 0x02,
0xc1, 0xaf, 0xbd, 0x03,
0x01, 0x13, 0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41,
0x4f, 0x67, 0xdc, 0xea,
0x97, 0xf2, 0xcf, 0xce,
0xf0, 0xb4, 0xe6, 0x73,
0x96, 0xac, 0x74, 0x22,
0xe7, 0xad, 0x35, 0x85,
0xe2, 0xf9, 0x37, 0xe8,
0x1c, 0x75, 0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71,
0x1d, 0x29, 0xc5, 0x89,
0x6f, 0xb7, 0x62, 0x0e,
0xaa, 0x18, 0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b,
0xc6, 0xd2, 0x79, 0x20,
0x9a, 0xdb, 0xc0, 0xfe,
0x78, 0xcd, 0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33,
0x88, 0x07, 0xc7, 0x31,
0xb1, 0x12, 0x10, 0x59,
0x27, 0x80, 0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9,
0x19, 0xb5, 0x4a, 0x0d,
0x2d, 0xe5, 0x7a, 0x9f,
0x93, 0xc9, 0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d,
0xae, 0x2a, 0xf5, 0xb0,
0xc8, 0xeb, 0xbb, 0x3c,
0x83, 0x53, 0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e,
0xba, 0x77, 0xd6, 0x26,
0xe1, 0x69, 0x14, 0x63,
0x55, 0x21, 0x0c, 0x7d,
};
const word32 Rijndael::Base::Td0[256] = {
@ -631,73 +696,6 @@ const word32 Rijndael::Base::Td3[256] = {
0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
};
const word32 Rijndael::Base::Td4[256] = {
0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
};
const word32 Rijndael::Base::rcon[] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000,
0x10000000, 0x20000000, 0x40000000, 0x80000000,

513
rijndael.cpp
View File

@ -2,6 +2,23 @@
// and Wei Dai from Paulo Baretto's Rijndael implementation
// The original code and all modifications are in the public domain.
/*
Defense against timing attacks was added in July 2006 by Wei Dai.
The code now uses smaller tables in the first and last rounds,
and preloads them into L1 cache before usage (by loading at least
one element in each cache line).
We try to delay subsequent accesses to each table (used in the first
and last rounds) until all of the table has been preloaded. Hopefully
the compiler isn't smart enough to optimize that code away.
After preloading the table, we also try not to access any memory location
other than the table and the stack, in order to prevent table entries from
being unloaded from L1 cache, until that round is finished.
(Some popular CPUs have 2-way associative caches.)
*/
// This is the original introductory comment:
/**
@ -45,80 +62,45 @@ void Rijndael::Base::UncheckedSetKey(CipherDir dir, const byte *userKey, unsigne
m_key.New(4*(m_rounds+1));
word32 temp, *rk = m_key;
const word32 *rc = rcon;
unsigned int i=0;
GetUserKey(BIG_ENDIAN_ORDER, rk, keylen/4, userKey, keylen);
switch(keylen)
while (true)
{
case 16:
while (true)
{
temp = rk[3];
rk[4] = rk[0] ^
(Te4[GETBYTE(temp, 2)] & 0xff000000) ^
(Te4[GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te4[GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te4[GETBYTE(temp, 3)] & 0x000000ff) ^
rcon[i];
rk[5] = rk[1] ^ rk[4];
rk[6] = rk[2] ^ rk[5];
rk[7] = rk[3] ^ rk[6];
if (++i == 10)
break;
rk += 4;
}
break;
temp = rk[keylen/4-1];
rk[keylen/4] = rk[0] ^
(word32(Se[GETBYTE(temp, 2)]) << 24) ^
(word32(Se[GETBYTE(temp, 1)]) << 16) ^
(word32(Se[GETBYTE(temp, 0)]) << 8) ^
Se[GETBYTE(temp, 3)] ^
*(rc++);
rk[keylen/4+1] = rk[1] ^ rk[keylen/4];
rk[keylen/4+2] = rk[2] ^ rk[keylen/4+1];
rk[keylen/4+3] = rk[3] ^ rk[keylen/4+2];
case 24:
while (true) // for (;;) here triggers a bug in VC60 SP4 w/ Processor Pack
if (rk + keylen/4 + 4 == m_key.end())
break;
if (keylen == 24)
{
temp = rk[ 5];
rk[ 6] = rk[ 0] ^
(Te4[GETBYTE(temp, 2)] & 0xff000000) ^
(Te4[GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te4[GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te4[GETBYTE(temp, 3)] & 0x000000ff) ^
rcon[i];
rk[ 7] = rk[ 1] ^ rk[ 6];
rk[ 8] = rk[ 2] ^ rk[ 7];
rk[ 9] = rk[ 3] ^ rk[ 8];
if (++i == 8)
break;
rk[10] = rk[ 4] ^ rk[ 9];
rk[11] = rk[ 5] ^ rk[10];
rk += 6;
}
break;
case 32:
while (true)
else if (keylen == 32)
{
temp = rk[ 7];
rk[ 8] = rk[ 0] ^
(Te4[GETBYTE(temp, 2)] & 0xff000000) ^
(Te4[GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te4[GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te4[GETBYTE(temp, 3)] & 0x000000ff) ^
rcon[i];
rk[ 9] = rk[ 1] ^ rk[ 8];
rk[10] = rk[ 2] ^ rk[ 9];
rk[11] = rk[ 3] ^ rk[10];
if (++i == 7)
break;
temp = rk[11];
rk[12] = rk[ 4] ^
(Te4[GETBYTE(temp, 3)] & 0xff000000) ^
(Te4[GETBYTE(temp, 2)] & 0x00ff0000) ^
(Te4[GETBYTE(temp, 1)] & 0x0000ff00) ^
(Te4[GETBYTE(temp, 0)] & 0x000000ff);
rk[13] = rk[ 5] ^ rk[12];
rk[14] = rk[ 6] ^ rk[13];
rk[15] = rk[ 7] ^ rk[14];
rk += 8;
}
break;
temp = rk[11];
rk[12] = rk[ 4] ^
(word32(Se[GETBYTE(temp, 3)]) << 24) ^
(word32(Se[GETBYTE(temp, 2)]) << 16) ^
(word32(Se[GETBYTE(temp, 1)]) << 8) ^
Se[GETBYTE(temp, 0)];
rk[13] = rk[ 5] ^ rk[12];
rk[14] = rk[ 6] ^ rk[13];
rk[15] = rk[ 7] ^ rk[14];
}
rk += keylen/4;
}
if (dir == DECRYPTION)
@ -137,50 +119,112 @@ void Rijndael::Base::UncheckedSetKey(CipherDir dir, const byte *userKey, unsigne
for (i = 1; i < m_rounds; i++) {
rk += 4;
rk[0] =
Td0[Te4[GETBYTE(rk[0], 3)] & 0xff] ^
Td1[Te4[GETBYTE(rk[0], 2)] & 0xff] ^
Td2[Te4[GETBYTE(rk[0], 1)] & 0xff] ^
Td3[Te4[GETBYTE(rk[0], 0)] & 0xff];
Td0[Se[GETBYTE(rk[0], 3)]] ^
Td1[Se[GETBYTE(rk[0], 2)]] ^
Td2[Se[GETBYTE(rk[0], 1)]] ^
Td3[Se[GETBYTE(rk[0], 0)]];
rk[1] =
Td0[Te4[GETBYTE(rk[1], 3)] & 0xff] ^
Td1[Te4[GETBYTE(rk[1], 2)] & 0xff] ^
Td2[Te4[GETBYTE(rk[1], 1)] & 0xff] ^
Td3[Te4[GETBYTE(rk[1], 0)] & 0xff];
Td0[Se[GETBYTE(rk[1], 3)]] ^
Td1[Se[GETBYTE(rk[1], 2)]] ^
Td2[Se[GETBYTE(rk[1], 1)]] ^
Td3[Se[GETBYTE(rk[1], 0)]];
rk[2] =
Td0[Te4[GETBYTE(rk[2], 3)] & 0xff] ^
Td1[Te4[GETBYTE(rk[2], 2)] & 0xff] ^
Td2[Te4[GETBYTE(rk[2], 1)] & 0xff] ^
Td3[Te4[GETBYTE(rk[2], 0)] & 0xff];
Td0[Se[GETBYTE(rk[2], 3)]] ^
Td1[Se[GETBYTE(rk[2], 2)]] ^
Td2[Se[GETBYTE(rk[2], 1)]] ^
Td3[Se[GETBYTE(rk[2], 0)]];
rk[3] =
Td0[Te4[GETBYTE(rk[3], 3)] & 0xff] ^
Td1[Te4[GETBYTE(rk[3], 2)] & 0xff] ^
Td2[Te4[GETBYTE(rk[3], 1)] & 0xff] ^
Td3[Te4[GETBYTE(rk[3], 0)] & 0xff];
Td0[Se[GETBYTE(rk[3], 3)]] ^
Td1[Se[GETBYTE(rk[3], 2)]] ^
Td2[Se[GETBYTE(rk[3], 1)]] ^
Td3[Se[GETBYTE(rk[3], 0)]];
}
}
ConditionalByteReverse(BIG_ENDIAN_ORDER, m_key.begin(), m_key.begin(), 16);
ConditionalByteReverse(BIG_ENDIAN_ORDER, m_key + m_rounds*4, m_key + m_rounds*4, 16);
}
typedef BlockGetAndPut<word32, BigEndian> Block;
const static unsigned int s_lineSizeDiv4 = CRYPTOPP_L1_CACHE_LINE_SIZE/4;
#ifdef IS_BIG_ENDIAN
const static unsigned int s_i3=3, s_i2=2, s_i1=1, s_i0=0;
#else
const static unsigned int s_i3=0, s_i2=1, s_i1=2, s_i0=3;
#endif
void Rijndael::Enc::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
word32 s0, s1, s2, s3, t0, t1, t2, t3;
const word32 *rk = m_key;
/*
* map byte array block to cipher state
* and add initial round key:
*/
Block::Get(inBlock)(s0)(s1)(s2)(s3);
s0 ^= rk[0];
s1 ^= rk[1];
s2 ^= rk[2];
s3 ^= rk[3];
/*
* Nr - 1 full rounds:
*/
unsigned int r = m_rounds >> 1;
for (;;) {
s0 = ((const word32 *)inBlock)[0] ^ rk[0];
s1 = ((const word32 *)inBlock)[1] ^ rk[1];
s2 = ((const word32 *)inBlock)[2] ^ rk[2];
s3 = ((const word32 *)inBlock)[3] ^ rk[3];
t0 = rk[4];
t1 = rk[5];
t2 = rk[6];
t3 = rk[7];
rk += 8;
// timing attack countermeasure. see comments at top for more details
unsigned int i;
word32 u = 0;
for (i=0; i<sizeof(Te0)/4; i+=CRYPTOPP_L1_CACHE_LINE_SIZE)
u &= (Te0[i+0*s_lineSizeDiv4] & Te0[i+2*s_lineSizeDiv4]) & (Te0[i+1*s_lineSizeDiv4] & Te0[i+3*s_lineSizeDiv4]);
s0 |= u; s1 |= u; s2 |= u; s3 |= u;
// first round
t0 ^=
Te0[GETBYTE(s0, s_i3)] ^
rotrFixed(Te0[GETBYTE(s1, s_i2)], 8) ^
rotrFixed(Te0[GETBYTE(s2, s_i1)], 16) ^
rotrFixed(Te0[GETBYTE(s3, s_i0)], 24);
t1 ^=
Te0[GETBYTE(s1, s_i3)] ^
rotrFixed(Te0[GETBYTE(s2, s_i2)], 8) ^
rotrFixed(Te0[GETBYTE(s3, s_i1)], 16) ^
rotrFixed(Te0[GETBYTE(s0, s_i0)], 24);
t2 ^=
Te0[GETBYTE(s2, s_i3)] ^
rotrFixed(Te0[GETBYTE(s3, s_i2)], 8) ^
rotrFixed(Te0[GETBYTE(s0, s_i1)], 16) ^
rotrFixed(Te0[GETBYTE(s1, s_i0)], 24);
t3 ^=
Te0[GETBYTE(s3, s_i3)] ^
rotrFixed(Te0[GETBYTE(s0, s_i2)], 8) ^
rotrFixed(Te0[GETBYTE(s1, s_i1)], 16) ^
rotrFixed(Te0[GETBYTE(s2, s_i0)], 24);
// Nr - 2 full rounds:
unsigned int r = m_rounds/2 - 1;
do
{
s0 =
Te0[GETBYTE(t0, 3)] ^
Te1[GETBYTE(t1, 2)] ^
Te2[GETBYTE(t2, 1)] ^
Te3[GETBYTE(t3, 0)] ^
rk[0];
s1 =
Te0[GETBYTE(t1, 3)] ^
Te1[GETBYTE(t2, 2)] ^
Te2[GETBYTE(t3, 1)] ^
Te3[GETBYTE(t0, 0)] ^
rk[1];
s2 =
Te0[GETBYTE(t2, 3)] ^
Te1[GETBYTE(t3, 2)] ^
Te2[GETBYTE(t0, 1)] ^
Te3[GETBYTE(t1, 0)] ^
rk[2];
s3 =
Te0[GETBYTE(t3, 3)] ^
Te1[GETBYTE(t0, 2)] ^
Te2[GETBYTE(t1, 1)] ^
Te3[GETBYTE(t2, 0)] ^
rk[3];
t0 =
Te0[GETBYTE(s0, 3)] ^
Te1[GETBYTE(s1, 2)] ^
@ -207,66 +251,51 @@ void Rijndael::Enc::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock
rk[7];
rk += 8;
if (--r == 0) {
break;
}
} while (--r);
s0 =
Te0[GETBYTE(t0, 3)] ^
Te1[GETBYTE(t1, 2)] ^
Te2[GETBYTE(t2, 1)] ^
Te3[GETBYTE(t3, 0)] ^
rk[0];
s1 =
Te0[GETBYTE(t1, 3)] ^
Te1[GETBYTE(t2, 2)] ^
Te2[GETBYTE(t3, 1)] ^
Te3[GETBYTE(t0, 0)] ^
rk[1];
s2 =
Te0[GETBYTE(t2, 3)] ^
Te1[GETBYTE(t3, 2)] ^
Te2[GETBYTE(t0, 1)] ^
Te3[GETBYTE(t1, 0)] ^
rk[2];
s3 =
Te0[GETBYTE(t3, 3)] ^
Te1[GETBYTE(t0, 2)] ^
Te2[GETBYTE(t1, 1)] ^
Te3[GETBYTE(t2, 0)] ^
rk[3];
}
/*
* apply last round and
* map cipher state to byte array block:
*/
// timing attack countermeasure. see comments at top for more details
u = 0;
for (i=0; i<sizeof(Se)/4; i+=CRYPTOPP_L1_CACHE_LINE_SIZE)
u &= (((word32*)Se)[i+0*s_lineSizeDiv4] & ((word32*)Se)[i+2*s_lineSizeDiv4]) & (((word32*)Se)[i+1*s_lineSizeDiv4] & ((word32*)Se)[i+3*s_lineSizeDiv4]);
t0 |= u; t1 |= u; t2 |= u; t3 |= u;
s0 =
(Te4[GETBYTE(t0, 3)] & 0xff000000) ^
(Te4[GETBYTE(t1, 2)] & 0x00ff0000) ^
(Te4[GETBYTE(t2, 1)] & 0x0000ff00) ^
(Te4[GETBYTE(t3, 0)] & 0x000000ff) ^
rk[0];
s1 =
(Te4[GETBYTE(t1, 3)] & 0xff000000) ^
(Te4[GETBYTE(t2, 2)] & 0x00ff0000) ^
(Te4[GETBYTE(t3, 1)] & 0x0000ff00) ^
(Te4[GETBYTE(t0, 0)] & 0x000000ff) ^
rk[1];
s2 =
(Te4[GETBYTE(t2, 3)] & 0xff000000) ^
(Te4[GETBYTE(t3, 2)] & 0x00ff0000) ^
(Te4[GETBYTE(t0, 1)] & 0x0000ff00) ^
(Te4[GETBYTE(t1, 0)] & 0x000000ff) ^
rk[2];
s3 =
(Te4[GETBYTE(t3, 3)] & 0xff000000) ^
(Te4[GETBYTE(t0, 2)] & 0x00ff0000) ^
(Te4[GETBYTE(t1, 1)] & 0x0000ff00) ^
(Te4[GETBYTE(t2, 0)] & 0x000000ff) ^
rk[3];
word32 tbw[4];
byte *const tempBlock = (byte *)tbw;
word32 *const obw = (word32 *)outBlock;
const word32 *const xbw = (const word32 *)xorBlock;
Block::Put(xorBlock, outBlock)(s0)(s1)(s2)(s3);
// last round
tempBlock[0] = Se[GETBYTE(t0, 3)];
tempBlock[1] = Se[GETBYTE(t1, 2)];
tempBlock[2] = Se[GETBYTE(t2, 1)];
tempBlock[3] = Se[GETBYTE(t3, 0)];
tempBlock[4] = Se[GETBYTE(t1, 3)];
tempBlock[5] = Se[GETBYTE(t2, 2)];
tempBlock[6] = Se[GETBYTE(t3, 1)];
tempBlock[7] = Se[GETBYTE(t0, 0)];
tempBlock[8] = Se[GETBYTE(t2, 3)];
tempBlock[9] = Se[GETBYTE(t3, 2)];
tempBlock[10] = Se[GETBYTE(t0, 1)];
tempBlock[11] = Se[GETBYTE(t1, 0)];
tempBlock[12] = Se[GETBYTE(t3, 3)];
tempBlock[13] = Se[GETBYTE(t0, 2)];
tempBlock[14] = Se[GETBYTE(t1, 1)];
tempBlock[15] = Se[GETBYTE(t2, 0)];
if (xbw)
{
obw[0] = tbw[0] ^ xbw[0] ^ rk[0];
obw[1] = tbw[1] ^ xbw[1] ^ rk[1];
obw[2] = tbw[2] ^ xbw[2] ^ rk[2];
obw[3] = tbw[3] ^ xbw[3] ^ rk[3];
}
else
{
obw[0] = tbw[0] ^ rk[0];
obw[1] = tbw[1] ^ rk[1];
obw[2] = tbw[2] ^ rk[2];
obw[3] = tbw[3] ^ rk[3];
}
}
void Rijndael::Dec::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
@ -274,20 +303,74 @@ void Rijndael::Dec::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock
word32 s0, s1, s2, s3, t0, t1, t2, t3;
const word32 *rk = m_key;
/*
* map byte array block to cipher state
* and add initial round key:
*/
Block::Get(inBlock)(s0)(s1)(s2)(s3);
s0 ^= rk[0];
s1 ^= rk[1];
s2 ^= rk[2];
s3 ^= rk[3];
/*
* Nr - 1 full rounds:
*/
unsigned int r = m_rounds >> 1;
for (;;) {
s0 = ((const word32 *)inBlock)[0] ^ rk[0];
s1 = ((const word32 *)inBlock)[1] ^ rk[1];
s2 = ((const word32 *)inBlock)[2] ^ rk[2];
s3 = ((const word32 *)inBlock)[3] ^ rk[3];
t0 = rk[4];
t1 = rk[5];
t2 = rk[6];
t3 = rk[7];
rk += 8;
// timing attack countermeasure. see comments at top for more details
unsigned int i;
word32 u = 0;
for (i=0; i<sizeof(Td0)/4; i+=CRYPTOPP_L1_CACHE_LINE_SIZE)
u &= (Td0[i+0*s_lineSizeDiv4] & Td0[i+2*s_lineSizeDiv4]) & (Td0[i+1*s_lineSizeDiv4] & Td0[i+3*s_lineSizeDiv4]);
s0 |= u; s1 |= u; s2 |= u; s3 |= u;
// first round
t0 ^=
Td0[GETBYTE(s0, s_i3)] ^
rotrFixed(Td0[GETBYTE(s3, s_i2)], 8) ^
rotrFixed(Td0[GETBYTE(s2, s_i1)], 16) ^
rotrFixed(Td0[GETBYTE(s1, s_i0)], 24);
t1 ^=
Td0[GETBYTE(s1, s_i3)] ^
rotrFixed(Td0[GETBYTE(s0, s_i2)], 8) ^
rotrFixed(Td0[GETBYTE(s3, s_i1)], 16) ^
rotrFixed(Td0[GETBYTE(s2, s_i0)], 24);
t2 ^=
Td0[GETBYTE(s2, s_i3)] ^
rotrFixed(Td0[GETBYTE(s1, s_i2)], 8) ^
rotrFixed(Td0[GETBYTE(s0, s_i1)], 16) ^
rotrFixed(Td0[GETBYTE(s3, s_i0)], 24);
t3 ^=
Td0[GETBYTE(s3, s_i3)] ^
rotrFixed(Td0[GETBYTE(s2, s_i2)], 8) ^
rotrFixed(Td0[GETBYTE(s1, s_i1)], 16) ^
rotrFixed(Td0[GETBYTE(s0, s_i0)], 24);
// Nr - 2 full rounds:
unsigned int r = m_rounds/2 - 1;
do
{
s0 =
Td0[GETBYTE(t0, 3)] ^
Td1[GETBYTE(t3, 2)] ^
Td2[GETBYTE(t2, 1)] ^
Td3[GETBYTE(t1, 0)] ^
rk[0];
s1 =
Td0[GETBYTE(t1, 3)] ^
Td1[GETBYTE(t0, 2)] ^
Td2[GETBYTE(t3, 1)] ^
Td3[GETBYTE(t2, 0)] ^
rk[1];
s2 =
Td0[GETBYTE(t2, 3)] ^
Td1[GETBYTE(t1, 2)] ^
Td2[GETBYTE(t0, 1)] ^
Td3[GETBYTE(t3, 0)] ^
rk[2];
s3 =
Td0[GETBYTE(t3, 3)] ^
Td1[GETBYTE(t2, 2)] ^
Td2[GETBYTE(t1, 1)] ^
Td3[GETBYTE(t0, 0)] ^
rk[3];
t0 =
Td0[GETBYTE(s0, 3)] ^
Td1[GETBYTE(s3, 2)] ^
@ -314,65 +397,51 @@ void Rijndael::Dec::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock
rk[7];
rk += 8;
if (--r == 0) {
break;
}
} while (--r);
s0 =
Td0[GETBYTE(t0, 3)] ^
Td1[GETBYTE(t3, 2)] ^
Td2[GETBYTE(t2, 1)] ^
Td3[GETBYTE(t1, 0)] ^
rk[0];
s1 =
Td0[GETBYTE(t1, 3)] ^
Td1[GETBYTE(t0, 2)] ^
Td2[GETBYTE(t3, 1)] ^
Td3[GETBYTE(t2, 0)] ^
rk[1];
s2 =
Td0[GETBYTE(t2, 3)] ^
Td1[GETBYTE(t1, 2)] ^
Td2[GETBYTE(t0, 1)] ^
Td3[GETBYTE(t3, 0)] ^
rk[2];
s3 =
Td0[GETBYTE(t3, 3)] ^
Td1[GETBYTE(t2, 2)] ^
Td2[GETBYTE(t1, 1)] ^
Td3[GETBYTE(t0, 0)] ^
rk[3];
}
/*
* apply last round and
* map cipher state to byte array block:
*/
s0 =
(Td4[GETBYTE(t0, 3)] & 0xff000000) ^
(Td4[GETBYTE(t3, 2)] & 0x00ff0000) ^
(Td4[GETBYTE(t2, 1)] & 0x0000ff00) ^
(Td4[GETBYTE(t1, 0)] & 0x000000ff) ^
rk[0];
s1 =
(Td4[GETBYTE(t1, 3)] & 0xff000000) ^
(Td4[GETBYTE(t0, 2)] & 0x00ff0000) ^
(Td4[GETBYTE(t3, 1)] & 0x0000ff00) ^
(Td4[GETBYTE(t2, 0)] & 0x000000ff) ^
rk[1];
s2 =
(Td4[GETBYTE(t2, 3)] & 0xff000000) ^
(Td4[GETBYTE(t1, 2)] & 0x00ff0000) ^
(Td4[GETBYTE(t0, 1)] & 0x0000ff00) ^
(Td4[GETBYTE(t3, 0)] & 0x000000ff) ^
rk[2];
s3 =
(Td4[GETBYTE(t3, 3)] & 0xff000000) ^
(Td4[GETBYTE(t2, 2)] & 0x00ff0000) ^
(Td4[GETBYTE(t1, 1)] & 0x0000ff00) ^
(Td4[GETBYTE(t0, 0)] & 0x000000ff) ^
rk[3];
// timing attack countermeasure. see comments at top for more details
u = 0;
for (i=0; i<sizeof(Sd)/4; i+=CRYPTOPP_L1_CACHE_LINE_SIZE)
u &= (((word32*)Sd)[i+0*s_lineSizeDiv4] & ((word32*)Sd)[i+2*s_lineSizeDiv4]) & (((word32*)Sd)[i+1*s_lineSizeDiv4] & ((word32*)Sd)[i+3*s_lineSizeDiv4]);
t0 |= u; t1 |= u; t2 |= u; t3 |= u;
Block::Put(xorBlock, outBlock)(s0)(s1)(s2)(s3);
word32 tbw[4];
byte *const tempBlock = (byte *)tbw;
word32 *const obw = (word32 *)outBlock;
const word32 *const xbw = (const word32 *)xorBlock;
// last round
tempBlock[0] = Sd[GETBYTE(t0, 3)];
tempBlock[1] = Sd[GETBYTE(t3, 2)];
tempBlock[2] = Sd[GETBYTE(t2, 1)];
tempBlock[3] = Sd[GETBYTE(t1, 0)];
tempBlock[4] = Sd[GETBYTE(t1, 3)];
tempBlock[5] = Sd[GETBYTE(t0, 2)];
tempBlock[6] = Sd[GETBYTE(t3, 1)];
tempBlock[7] = Sd[GETBYTE(t2, 0)];
tempBlock[8] = Sd[GETBYTE(t2, 3)];
tempBlock[9] = Sd[GETBYTE(t1, 2)];
tempBlock[10] = Sd[GETBYTE(t0, 1)];
tempBlock[11] = Sd[GETBYTE(t3, 0)];
tempBlock[12] = Sd[GETBYTE(t3, 3)];
tempBlock[13] = Sd[GETBYTE(t2, 2)];
tempBlock[14] = Sd[GETBYTE(t1, 1)];
tempBlock[15] = Sd[GETBYTE(t0, 0)];
if (xbw)
{
obw[0] = tbw[0] ^ xbw[0] ^ rk[0];
obw[1] = tbw[1] ^ xbw[1] ^ rk[1];
obw[2] = tbw[2] ^ xbw[2] ^ rk[2];
obw[3] = tbw[3] ^ xbw[3] ^ rk[3];
}
else
{
obw[0] = tbw[0] ^ rk[0];
obw[1] = tbw[1] ^ rk[1];
obw[2] = tbw[2] ^ rk[2];
obw[3] = tbw[3] ^ rk[3];
}
}
NAMESPACE_END

12
rijndael.h
View File

@ -12,7 +12,7 @@ NAMESPACE_BEGIN(CryptoPP)
//! _
struct Rijndael_Info : public FixedBlockSize<16>, public VariableKeyLength<16, 16, 32, 8>
{
CRYPTOPP_DLL static const char * CRYPTOPP_API StaticAlgorithmName() {return "Rijndael";}
CRYPTOPP_DLL static const char * CRYPTOPP_API StaticAlgorithmName() {return CRYPTOPP_RIJNDAEL_NAME;}
};
/// <a href="http://www.weidai.com/scan-mirror/cs.html#Rijndael">Rijndael</a>
@ -24,17 +24,17 @@ class CRYPTOPP_DLL Rijndael : public Rijndael_Info, public BlockCipherDocumentat
void UncheckedSetKey(CipherDir direction, const byte *userKey, unsigned int length);
protected:
static const word32 Te0[256];
// VS2005 workaround: have to put these on seperate lines, or error C2487 is triggered in DLL build
CRYPTOPP_L1_CACHE_ALIGN(static const byte Se[256]);
CRYPTOPP_L1_CACHE_ALIGN(static const byte Sd[256]);
CRYPTOPP_L1_CACHE_ALIGN(static const word32 Te0[256]);
static const word32 Te1[256];
static const word32 Te2[256];
static const word32 Te3[256];
static const word32 Te4[256];
static const word32 Td0[256];
CRYPTOPP_L1_CACHE_ALIGN(static const word32 Td0[256]);
static const word32 Td1[256];
static const word32 Td2[256];
static const word32 Td3[256];
static const word32 Td4[256];
static const word32 rcon[];