Subversion Repositories planix.SVN

#include <u.h>

#include <libc.h>

#define FULL_UNROLL

#define const

static const u32 Td0[256];

static const u32 Td1[256];

static const u32 Td2[256];

static const u32 Td3[256];

static const u8  Te4[256];

static uchar basekey[3][16] = {

	{

	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,

	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,

	},

	{

	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,

	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,

	},

	{

	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,

	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,

	},

};

static int aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],

		int keyBits);

static int aes_setupDec(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],

		int keyBits);

void	aes_encrypt(const ulong rk[], int Nr, const uchar pt[16], uchar ct[16]);

void

setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec)

{

	memset(s, 0, sizeof(*s));

	if(keybytes > AESmaxkey)

		keybytes = AESmaxkey;

	memmove(s->key, key, keybytes);

	s->keybytes = keybytes;

	s->rounds = aes_setup(s->ekey, s->dkey, s->key, keybytes * 8);

	if(ivec != nil)

		memmove(s->ivec, ivec, AESbsize);

	if(keybytes==16 || keybytes==24 || keybytes==32)

		s->setup = 0xcafebabe;

	/* else aes_setup was invalid */

}

/*

 * AES-XCBC-MAC-96 message authentication, per rfc3566.

 */

void

setupAESXCBCstate(AESstate *s)		/* was setupmac96 */

{

	int i, j;

	uint q[16 / sizeof(uint)];

	uchar *p;

	assert(s->keybytes == 16);

	for(i = 0; i < 3; i++)

		aes_encrypt(s->ekey, s->rounds, basekey[i],

			s->mackey + AESbsize*i);

	p = s->mackey;

	memset(q, 0, AESbsize);

	/*

	 * put the in the right endian.  once figured, probably better

	 * to use some fcall macros.

	 * keys for encryption in local endianness for the algorithm...

	 * only key1 is used for encryption;

	 * BUG!!: I think this is what I got wrong.

	 */

	for(i = 0; i < 16 / sizeof(uint); i ++){

		for(j = 0; j < sizeof(uint); j++)

			q[i] |= p[sizeof(uint)-j-1] << 8*j;

		p += sizeof(uint);

	}

	memmove(s->mackey, q, 16);

}

/*

 * Not dealing with > 128-bit keys, not dealing with strange corner cases like

 * empty message.  Should be fine for AES-XCBC-MAC-96.

 */

uchar*

aesXCBCmac(uchar *p, int len, AESstate *s)

{

	uchar *p2, *ip, *eip, *mackey;

	uchar q[AESbsize];

	assert(s->keybytes == 16);	/* more complicated for bigger */

	memset(s->ivec, 0, AESbsize);	/* E[0] is 0+ */

	for(; len > AESbsize; len -= AESbsize){

		memmove(q, p, AESbsize);

		p2 = q;

		ip = s->ivec;

		for(eip = ip + AESbsize; ip < eip; )

			*p2++ ^= *ip++;

		aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);

		p += AESbsize;

	}

	/* the last one */

	memmove(q, p, len);

	p2 = q+len;

	if(len == AESbsize)

		mackey = s->mackey + AESbsize;	/* k2 */

	else{

		mackey = s->mackey+2*AESbsize;	/* k3 */

		*p2++ = 1 << 7;			/* padding */

		len = AESbsize - len - 1;

		memset(p2, 0, len);

	}

	ip = s->ivec;

	p2 = q;

	for(eip = ip + AESbsize; ip < eip; )

		*p2++ ^= *ip++ ^ *mackey++;

	aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);

	return s->ivec;			/* only the 12 bytes leftmost */

}

/*

 * Define by analogy with desCBCencrypt;  AES modes are not standardized yet.

 * Because of the way that non-multiple-of-16 buffers are handled,

 * the decryptor must be fed buffers of the same size as the encryptor.

 */

void

aesCBCencrypt(uchar *p, int len, AESstate *s)

{

	uchar *p2, *ip, *eip;

	uchar q[AESbsize];

	for(; len >= AESbsize; len -= AESbsize){

		p2 = p;

		ip = s->ivec;

		for(eip = ip+AESbsize; ip < eip; )

			*p2++ ^= *ip++;

		aes_encrypt(s->ekey, s->rounds, p, q);

		memmove(s->ivec, q, AESbsize);

		memmove(p, q, AESbsize);

		p += AESbsize;

	}

	if(len > 0){

		ip = s->ivec;

		aes_encrypt(s->ekey, s->rounds, ip, q);

		memmove(s->ivec, q, AESbsize);

		for(eip = ip+len; ip < eip; )

			*p++ ^= *ip++;

	}

}

void

aesCBCdecrypt(uchar *p, int len, AESstate *s)

{

	uchar *ip, *eip, *tp;

	uchar tmp[AESbsize], q[AESbsize];

	for(; len >= AESbsize; len -= AESbsize){

		memmove(tmp, p, AESbsize);

		aes_decrypt(s->dkey, s->rounds, p, q);

		memmove(p, q, AESbsize);

		tp = tmp;

		ip = s->ivec;

		for(eip = ip+AESbsize; ip < eip; ){

			*p++ ^= *ip;

			*ip++ = *tp++;

		}

	}

	if(len > 0){

		ip = s->ivec;

		aes_encrypt(s->ekey, s->rounds, ip, q);

		memmove(s->ivec, q, AESbsize);

		for(eip = ip+len; ip < eip; )

			*p++ ^= *ip++;

	}

}

/*

 * AES-CTR mode, per rfc3686.

 * CTRs could be precalculated for efficiency

 * and there would also be less back and forth mp

 */

static void

incrementCTR(uchar *p, uint ctrsz)

{

	int len;

	uchar *ctr;

	mpint *mpctr, *mpctrsz;

	ctr = p + AESbsize - ctrsz;

	mpctr = betomp(ctr, ctrsz, nil);

	mpadd(mpctr, mpone, mpctr);

	mpmod(mpctr, mpctrsz, mpctr);

	len = mptobe(mpctr, ctr, ctrsz, nil);

	assert(len == ctrsz);

	mpfree(mpctrsz);

	mpfree(mpctr);

}

void

aesCTRencrypt(uchar *p, int len, AESstate *s)

{

	uchar q[AESbsize];

	uchar *ip, *eip, *ctr;

	ctr = s->ivec;

	for(; len >= AESbsize; len -= AESbsize){

		ip = q;

		aes_encrypt(s->ekey, s->rounds, ctr, q);

		for(eip = p + AESbsize; p < eip; )

			*p++ ^= *ip++;

		incrementCTR(ctr, s->ctrsz);

	}

	if(len > 0){

		ip = q;

		aes_encrypt(s->ekey, s->rounds, ctr, q);

		for(eip = p + len; p < eip; )

			*p++ ^= *ip++;

		incrementCTR(ctr, s->ctrsz);

	}

}

void

aesCTRdecrypt(uchar *p, int len, AESstate *s)

{

	aesCTRencrypt(p, len, s);

}

/* taken from sha1; TODO: verify suitability (esp. byte order) for aes */

/*

 *	encodes input (ulong) into output (uchar). Assumes len is

 *	a multiple of 4.

 */

static void

encode(uchar *output, ulong *input, ulong len)

{

	ulong x;

	uchar *e;

	for(e = output + len; output < e;) {

		x = *input++;

		*output++ = x >> 24;

		*output++ = x >> 16;

		*output++ = x >> 8;

		*output++ = x;

	}

}

/* TODO: verify use of aes_encrypt here */

AEShstate*

aes(uchar *p, ulong len, uchar *digest, AEShstate *s)

{

	uchar buf[128];

	ulong x[16];

	int i;

	uchar *e;

	if(s == nil){

		s = malloc(sizeof(*s));

		if(s == nil)

			return nil;

		memset(s, 0, sizeof(*s));

		s->malloced = 1;

	}

	if(s->seeded == 0){

		/* seed the state, these constants would look nicer big-endian */

		s->state[0] = 0x67452301;

		s->state[1] = 0xefcdab89;

		s->state[2] = 0x98badcfe;

		s->state[3] = 0x10325476;

		/* in sha1 (20-byte digest), but not md5 (16 bytes)*/

		s->state[4] = 0xc3d2e1f0;

		s->seeded = 1;

	}

	/* fill out the partial 64 byte block from previous calls */

	if(s->blen){

		i = 64 - s->blen;

		if(len < i)

			i = len;

		memmove(s->buf + s->blen, p, i);

		len -= i;

		s->blen += i;

		p += i;

		if(s->blen == 64){

			/* encrypt s->buf into s->state */

			// _sha1block(s->buf, s->blen, s->state);

			aes_encrypt((ulong *)s->buf, 1, s->buf, (uchar *)s->state);

			s->len += s->blen;

			s->blen = 0;

		}

	}

	/* do 64 byte blocks */

	i = len & ~0x3f;

	if(i){

		/* encrypt p into s->state */

		// _sha1block(p, i, s->state);

		aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state);

		s->len += i;

		len -= i;

		p += i;

	}

	/* save the left overs if not last call */

	if(digest == 0){

		if(len){

			memmove(s->buf, p, len);

			s->blen += len;

		}

		return s;

	}

	/*

	 *  this is the last time through, pad what's left with 0x80,

	 *  0's, and the input count to create a multiple of 64 bytes

	 */

	if(s->blen){

		p = s->buf;

		len = s->blen;

	} else {

		memmove(buf, p, len);

		p = buf;

	}

	s->len += len;

	e = p + len;

	if(len < 56)

		i = 56 - len;

	else

		i = 120 - len;

	*e = 0x80;

	len += i;

	/* append the count */

	x[0] = s->len>>29;		/* byte-order dependent */

	x[1] = s->len<<3;

	encode(p+len, x, 8);

	/* digest the last part */

	/* encrypt p into s->state */

	// _sha1block(p, len+8, s->state);

	aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state);

	s->len += len+8;		/* sha1: +8 */

	/* return result and free state */

	encode((uchar *)digest, (ulong *)s->state, AESdlen);

	if(s->malloced == 1)

		free(s);

	return nil;

}

DigestState*

hmac_aes(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,

	DigestState *s)

{

	return hmac_x(p, len, key, klen, digest, s, aes, AESdlen);

}

/*

 * this function has been changed for plan 9.

 * Expand the cipher key into the encryption and decryption key schedules.

 *

 * @return	the number of rounds for the given cipher key size.

 */

static int

aes_setup(ulong erk[/* 4*(Nr + 1) */], ulong drk[/* 4*(Nr + 1) */],

	const uchar cipherKey[], int keyBits)

{

	int Nr, i;

	/* expand the cipher key: */

	Nr = aes_setupEnc(erk, cipherKey, keyBits);

	/*

	 * invert the order of the round keys and apply the inverse MixColumn

	 * transform to all round keys but the first and the last

	 */

	drk[0       ] = erk[4*Nr    ];

	drk[1       ] = erk[4*Nr + 1];

	drk[2       ] = erk[4*Nr + 2];

	drk[3       ] = erk[4*Nr + 3];

	drk[4*Nr    ] = erk[0       ];

	drk[4*Nr + 1] = erk[1       ];

	drk[4*Nr + 2] = erk[2       ];

	drk[4*Nr + 3] = erk[3       ];

	erk += 4 * Nr;

	for (i = 1; i < Nr; i++) {

		drk += 4;

		erk -= 4;

		drk[0] =

		    Td0[Te4[(erk[0] >> 24)       ]] ^

		    Td1[Te4[(erk[0] >> 16) & 0xff]] ^

		    Td2[Te4[(erk[0] >>  8) & 0xff]] ^

		    Td3[Te4[(erk[0]      ) & 0xff]];

		drk[1] =

		    Td0[Te4[(erk[1] >> 24)       ]] ^

		    Td1[Te4[(erk[1] >> 16) & 0xff]] ^

		    Td2[Te4[(erk[1] >>  8) & 0xff]] ^

		    Td3[Te4[(erk[1]      ) & 0xff]];

		drk[2] =

		    Td0[Te4[(erk[2] >> 24)       ]] ^

		    Td1[Te4[(erk[2] >> 16) & 0xff]] ^

		    Td2[Te4[(erk[2] >>  8) & 0xff]] ^

		    Td3[Te4[(erk[2]      ) & 0xff]];

		drk[3] =

		    Td0[Te4[(erk[3] >> 24)       ]] ^

		    Td1[Te4[(erk[3] >> 16) & 0xff]] ^

		    Td2[Te4[(erk[3] >>  8) & 0xff]] ^

		    Td3[Te4[(erk[3]      ) & 0xff]];

	}

	return Nr;

}

static const u32 Te3[256] = {

    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,

    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,

    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,

    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,

    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,

    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,

    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,

    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,

    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,

    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,

    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,

    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,

    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,

    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,

    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,

    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,

    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,

    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,

    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,

    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,

    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,

    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,

    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,

    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,

    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,

    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,

    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,

    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,

    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,

    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,

    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,

    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,

    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,

    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,

    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,

    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,

    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,

    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,

    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,

    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,

    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,

    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,

    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,

    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,

    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,

    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,

    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,

    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,

    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,

    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,

    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,

    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,

    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,

    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,

    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,

    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,

    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,

    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,

    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,

    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,

    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,

    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,

    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,

    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,

};

static const u8 Te4[256] = {

    0x63U, 0x7cU, 0x77U, 0x7bU,

    0xf2U, 0x6bU, 0x6fU, 0xc5U,

    0x30U, 0x01U, 0x67U, 0x2bU,

    0xfeU, 0xd7U, 0xabU, 0x76U,

    0xcaU, 0x82U, 0xc9U, 0x7dU,

    0xfaU, 0x59U, 0x47U, 0xf0U,

    0xadU, 0xd4U, 0xa2U, 0xafU,

    0x9cU, 0xa4U, 0x72U, 0xc0U,

    0xb7U, 0xfdU, 0x93U, 0x26U,

    0x36U, 0x3fU, 0xf7U, 0xccU,

    0x34U, 0xa5U, 0xe5U, 0xf1U,

    0x71U, 0xd8U, 0x31U, 0x15U,

    0x04U, 0xc7U, 0x23U, 0xc3U,

    0x18U, 0x96U, 0x05U, 0x9aU,

    0x07U, 0x12U, 0x80U, 0xe2U,

    0xebU, 0x27U, 0xb2U, 0x75U,

    0x09U, 0x83U, 0x2cU, 0x1aU,

    0x1bU, 0x6eU, 0x5aU, 0xa0U,

    0x52U, 0x3bU, 0xd6U, 0xb3U,

    0x29U, 0xe3U, 0x2fU, 0x84U,

    0x53U, 0xd1U, 0x00U, 0xedU,

    0x20U, 0xfcU, 0xb1U, 0x5bU,

    0x6aU, 0xcbU, 0xbeU, 0x39U,

    0x4aU, 0x4cU, 0x58U, 0xcfU,

    0xd0U, 0xefU, 0xaaU, 0xfbU,

    0x43U, 0x4dU, 0x33U, 0x85U,

    0x45U, 0xf9U, 0x02U, 0x7fU,

    0x50U, 0x3cU, 0x9fU, 0xa8U,

    0x51U, 0xa3U, 0x40U, 0x8fU,

    0x92U, 0x9dU, 0x38U, 0xf5U,

    0xbcU, 0xb6U, 0xdaU, 0x21U,

    0x10U, 0xffU, 0xf3U, 0xd2U,

    0xcdU, 0x0cU, 0x13U, 0xecU,

    0x5fU, 0x97U, 0x44U, 0x17U,

    0xc4U, 0xa7U, 0x7eU, 0x3dU,

    0x64U, 0x5dU, 0x19U, 0x73U,

    0x60U, 0x81U, 0x4fU, 0xdcU,

    0x22U, 0x2aU, 0x90U, 0x88U,

    0x46U, 0xeeU, 0xb8U, 0x14U,

    0xdeU, 0x5eU, 0x0bU, 0xdbU,

    0xe0U, 0x32U, 0x3aU, 0x0aU,

    0x49U, 0x06U, 0x24U, 0x5cU,

    0xc2U, 0xd3U, 0xacU, 0x62U,

    0x91U, 0x95U, 0xe4U, 0x79U,

    0xe7U, 0xc8U, 0x37U, 0x6dU,

    0x8dU, 0xd5U, 0x4eU, 0xa9U,

    0x6cU, 0x56U, 0xf4U, 0xeaU,

    0x65U, 0x7aU, 0xaeU, 0x08U,

    0xbaU, 0x78U, 0x25U, 0x2eU,

    0x1cU, 0xa6U, 0xb4U, 0xc6U,

    0xe8U, 0xddU, 0x74U, 0x1fU,

    0x4bU, 0xbdU, 0x8bU, 0x8aU,

    0x70U, 0x3eU, 0xb5U, 0x66U,

    0x48U, 0x03U, 0xf6U, 0x0eU,

    0x61U, 0x35U, 0x57U, 0xb9U,

    0x86U, 0xc1U, 0x1dU, 0x9eU,

    0xe1U, 0xf8U, 0x98U, 0x11U,

    0x69U, 0xd9U, 0x8eU, 0x94U,

    0x9bU, 0x1eU, 0x87U, 0xe9U,

    0xceU, 0x55U, 0x28U, 0xdfU,

    0x8cU, 0xa1U, 0x89U, 0x0dU,

    0xbfU, 0xe6U, 0x42U, 0x68U,

    0x41U, 0x99U, 0x2dU, 0x0fU,

    0xb0U, 0x54U, 0xbbU, 0x16U,

};

static const u32 Td0[256] = {

    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,

    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,

    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,

    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,

    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,

    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,

    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,

    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,

    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,

    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,

    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,

    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,

    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,

    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,

    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,

    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,

    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,

    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,

    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,

    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,

    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,

    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,

    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,

    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,

    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,

    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,

    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,

    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,

    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,

    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,

    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,

    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,

    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,

    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,

    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,

    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,

    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,

    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,

    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,

    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,

    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,

    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,

    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,

    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,

    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,

    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,

    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,

    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,

    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,

    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,

    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,

    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,

    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,

    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,

    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,

    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,

    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,

    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,

    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,

    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,

    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,

    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,

    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,

    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,

};

static const u32 Td1[256] = {

    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,

    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,

    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,

    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,

    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,