Remote Access Control

aes.c

Go to the documentation of this file.

// This file has been prepared for Doxygen automatic documentation generation.
#include "aes.h"
#include "common.h"
#include "config.h"



#define BPOLY 0x1b



const byte __flash sBox[256] = {
        0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
        0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
        0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
        0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
        0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
        0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
        0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
        0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
        0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
        0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
        0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
        0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
        0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
        0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
        0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
        0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
        0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
        0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
        0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
        0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
        0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
        0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
        0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
        0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
        0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
        0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
        0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
        0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
        0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
        0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
        0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
        0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
};

const byte __flash sBoxInv[256] = {
        0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
        0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
        0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
        0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
        0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
        0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
        0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
        0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
        0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
        0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
        0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
        0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
        0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
        0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
        0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
        0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
        0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
        0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
        0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
        0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
        0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
        0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
        0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
        0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
        0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
        0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
        0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
        0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
        0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
        0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
        0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
        0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
};



static void cycleLeft( byte * row )
{
        // Cycle 4 bytes in an array left once.
        byte temp = row[0];
        row[0] = row[1];
        row[1] = row[2];
        row[2] = row[3];
        row[3] = temp;
}



static void mixColumn( byte * column )
{
        byte result0, result1, result2, result3;
        byte column0, column1, column2, column3;

        // This generates more effective code, at least
        // with the IAR C compiler.
        column0 = column[0];
        column1 = column[1];
        column2 = column[2];
        column3 = column[3];

        // Partial sums (modular addition using XOR).
        result0 = column1 ^ column2 ^ column3;
        result1 = column0 ^ column2 ^ column3;
        result2 = column0 ^ column1 ^ column3;
        result3 = column0 ^ column1 ^ column2;

        // Multiply column bytes by 2 modulo BPOLY.
        // This operation is done the following way to ensure cycle count
        // independent from data contents. Take care when changing this code.
        xor = 0;
        if (column0 & 0x80) {
                xor = BPOLY;
        }
        column0 <<= 1;
        column0  ^= xor;
        
        xor = 0;
        if (column1 & 0x80) {
                xor = BPOLY;
        }
        column1 <<= 1;
        column1  ^= xor;
        
        xor = 0;
        if (column2 & 0x80) {
                xor = BPOLY;
        }
        column2 <<= 1;
        column2  ^= xor;
        
        xor = 0;
        if (column3 & 0x80) {
                xor = BPOLY;
        }
        column3 <<= 1;
        column3  ^= xor;

        // Final sums stored into original column bytes.
        column[0] = result0 ^ column0 ^ column1;
        column[1] = result1 ^ column1 ^ column2;
        column[2] = result2 ^ column2 ^ column3;
        column[3] = result3 ^ column0 ^ column3;
}



static void mixColumns( byte * state )
{
        mixColumn( state + 0*4 );
        mixColumn( state + 1*4 );
        mixColumn( state + 2*4 );
        mixColumn( state + 3*4 );
}



static void subBytes( byte * bytes, byte count )
{
        // Copy to temporary variables for optimization.
        byte * tempPtr = bytes;
        byte tempCount = count;

        do {
                *tempPtr = sBox[ *tempPtr ]; // Substitute every byte in state.
                ++tempPtr;
        } while( --tempCount );
}



static void shiftRows( byte * state )
{
        byte temp;

        // Note: State is arranged column by column.

        // Cycle second row left one time.
        temp = state[ 1 + 0*4 ];
        state[ 1 + 0*4 ] = state[ 1 + 1*4 ];
        state[ 1 + 1*4 ] = state[ 1 + 2*4 ];
        state[ 1 + 2*4 ] = state[ 1 + 3*4 ];
        state[ 1 + 3*4 ] = temp;

        // Cycle third row left two times.
        temp = state[ 2 + 0*4 ];
        state[ 2 + 0*4 ] = state[ 2 + 2*4 ];
        state[ 2 + 2*4 ] = temp;
        temp = state[ 2 + 1*4 ];
        state[ 2 + 1*4 ] = state[ 2 + 3*4 ];
        state[ 2 + 3*4 ] = temp;

        // Cycle fourth row left three times, ie. right once.
        temp = state[ 3 + 3*4 ];
        state[ 3 + 3*4 ] = state[ 3 + 2*4 ];
        state[ 3 + 2*4 ] = state[ 3 + 1*4 ];
        state[ 3 + 1*4 ] = state[ 3 + 0*4 ];
        state[ 3 + 0*4 ] = temp;
}



static void invMixColumn( byte * column )
{
        byte result0, result1, result2, result3;
        byte column0, column1, column2, column3;
        byte xor;

        // This generates more effective code, at least
        // with the IAR C compiler.
        column0 = column[0];
        column1 = column[1];
        column2 = column[2];
        column3 = column[3];

        // Partial sums (modular addition using XOR).
        result0 = column1 ^ column2 ^ column3;
        result1 = column0 ^ column2 ^ column3;
        result2 = column0 ^ column1 ^ column3;
        result3 = column0 ^ column1 ^ column2;

        // Multiply column bytes by 2 modulo BPOLY.
        // This operation is done the following way to ensure cycle count
        // independent from data contents. Take care when changing this code.
        xor = 0;
        if (column0 & 0x80) {
                xor = BPOLY;
        }
        column0 <<= 1;
        column0  ^= xor;
        
        xor = 0;
        if (column1 & 0x80) {
                xor = BPOLY;
        }
        column1 <<= 1;
        column1  ^= xor;
        
        xor = 0;
        if (column2 & 0x80) {
                xor = BPOLY;
        }
        column2 <<= 1;
        column2  ^= xor;
        
        xor = 0;
        if (column3 & 0x80) {
                xor = BPOLY;
        }
        column3 <<= 1;
        column3  ^= xor;

        // More partial sums.
        result0 ^= column0 ^ column1;
        result1 ^= column1 ^ column2;
        result2 ^= column2 ^ column3;
        result3 ^= column0 ^ column3;

        // Multiply column bytes by 2 modulo BPOLY.
        // This operation is done the following way to ensure cycle count
        // independent from data contents. Take care when changing this code.
        xor = 0;
        if (column0 & 0x80) {
                xor = BPOLY;
        }
        column0 <<= 1;
        column0  ^= xor;
        
        xor = 0;
        if (column1 & 0x80) {
                xor = BPOLY;
        }
        column1 <<= 1;
        column1  ^= xor;
        
        xor = 0;
        if (column2 & 0x80) {
                xor = BPOLY;
        }
        column2 <<= 1;
        column2  ^= xor;
        
        xor = 0;
        if (column3 & 0x80) {
                xor = BPOLY;
        }
        column3 <<= 1;
        column3  ^= xor;

        // More partial sums.
        result0 ^= column0 ^ column2;
        result1 ^= column1 ^ column3;
        result2 ^= column0 ^ column2;
        result3 ^= column1 ^ column3;

        // Multiply column bytes by 2 modulo BPOLY.
        // This operation is done the following way to ensure cycle count
        // independent from data contents. Take care when changing this code.
        xor = 0;
        if (column0 & 0x80) {
                xor = BPOLY;
        }
        column0 <<= 1;
        column0  ^= xor;
        
        xor = 0;
        if (column1 & 0x80) {
                xor = BPOLY;
        }
        column1 <<= 1;
        column1  ^= xor;
        
        xor = 0;
        if (column2 & 0x80) {
                xor = BPOLY;
        }
        column2 <<= 1;
        column2  ^= xor;
        
        xor = 0;
        if (column3 & 0x80) {
                xor = BPOLY;
        }
        column3 <<= 1;
        column3  ^= xor;

        // Final partial sum.
        column0 ^= column1 ^ column2 ^ column3;

        // Final sums stored indto original column bytes.
        column[0] = result0 ^ column0;
        column[1] = result1 ^ column0;
        column[2] = result2 ^ column0;
        column[3] = result3 ^ column0;
}



static void invMixColumns( byte * state )
{
        invMixColumn( state + 0*4 );
        invMixColumn( state + 1*4 );
        invMixColumn( state + 2*4 );
        invMixColumn( state + 3*4 );
}



static void invShiftRows( byte * state )
{
        byte temp;

        // Note: State is arranged column by column.

        // Cycle second row right one time.
        temp = state[ 1 + 3*4 ];
        state[ 1 + 3*4 ] = state[ 1 + 2*4 ];
        state[ 1 + 2*4 ] = state[ 1 + 1*4 ];
        state[ 1 + 1*4 ] = state[ 1 + 0*4 ];
        state[ 1 + 0*4 ] = temp;

        // Cycle third row right two times.
        temp = state[ 2 + 0*4 ];
        state[ 2 + 0*4 ] = state[ 2 + 2*4 ];
        state[ 2 + 2*4 ] = temp;
        temp = state[ 2 + 1*4 ];
        state[ 2 + 1*4 ] = state[ 2 + 3*4 ];
        state[ 2 + 3*4 ] = temp;

        // Cycle fourth row right three times, ie. left once.
        temp = state[ 3 + 0*4 ];
        state[ 3 + 0*4 ] = state[ 3 + 1*4 ];
        state[ 3 + 1*4 ] = state[ 3 + 2*4 ];
        state[ 3 + 2*4 ] = state[ 3 + 3*4 ];
        state[ 3 + 3*4 ] = temp;
}



#if KEY_SIZE == 24 // Only needed for 192 bit keys.
static void addConstantAndCopy( byte * bytes, const byte * constant, byte * destination, byte count )
{
        // Copy to temporary variables for optimization.
        byte * tempBlock = bytes;
        const byte * tempSource = constant;
        byte * tempDestination = destination;
        byte tempCount = count;
        byte tempValue;

        do {
                 // Add in GF(2), ie. XOR.
                tempValue = *tempBlock ^ *tempSource++;
                *tempBlock++ = tempValue;
                *tempDestination++ = tempValue;
        } while( --tempCount );
}
#endif



#if KEY_SIZE == 16 || KEY_SIZE == 32
static void addAndCopy( byte * buf1, byte * buf2, byte count )
{
        // Copy to temporary variables for optimization.
        byte * tempBuf1 = buf1;
        byte * tempBuf2 = buf2;
        byte tempCount = count;
        byte tempValue;

        do {
                 // Add in GF(2), ie. XOR.
                tempValue = *tempBuf1 ^ *tempBuf2;
                *tempBuf1++ = tempValue;
                *tempBuf2++ = tempValue;
        } while( --tempCount );
}
#endif



#if KEY_SIZE == 24 // Only used for 192 bit keys.
static void addAndStore( const byte * buf1, const byte * buf2, byte * destination, byte count )
{
        // Copy to temporary variables for optimization.
        const byte * tempBuf1 = buf1;
        const byte * tempBuf2 = buf2;
        byte * tempDestination = destination;
        byte tempCount = count;
        byte tempValue;

        do {
                 // Add in GF(2), ie. XOR.
                tempValue = *tempBuf1++ ^ *tempBuf2++;
                *tempDestination++ = tempValue;
        } while( --tempCount );
}
#endif



static void addConstantAndSubstitute( byte * bytes, const byte * constant, byte count )
{
        // Copy to temporary variables for optimization.
        byte * tempDestination = bytes;
        const byte * tempSource = constant;
        byte tempCount = count;
        byte tempValue;

        do {
                // Add in GF(2), ie. XOR.
                tempValue = *tempDestination ^ *tempSource++;
                *tempDestination++ = sBox[ tempValue ];
        } while( --tempCount );
}



static void invSubstituteAndAddConstant( byte * bytes, const byte * constant, byte count )
{
        // Copy to temporary variables for optimization.
        byte * tempDestination = bytes;
        const byte * tempSource = constant;
        byte tempCount = count;
        byte tempValue;

        do {
                // Add in GF(2), ie. XOR.
                tempValue = *tempDestination;
                *tempDestination++ = sBoxInv[ tempValue ] ^ *tempSource++;
        } while( --tempCount );
}



static void keyExpansion( byte * scheduleBuffer, byte * roundConstant )
{
        byte tempWord[4];
        byte schedulePos = 0;

        // Get last word from previous schedule buffer.
        copyBytes( tempWord, scheduleBuffer + SCHEDULE_BUFFER_SIZE - 4, 4 );

        // Transform it, since we are at a KEY_SIZE boundary in the schedule.
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Update round constant.
        if( roundConstant[0] & 0x80 ) {
                roundConstant[0] <<= 1;
                roundConstant[0] ^= BPOLY;
        } else {
                roundConstant[0] <<= 1;
        }

#if KEY_SIZE == 16 || KEY_SIZE == 32

  #if KEY_SIZE == 32
        do {
                // Add value from one KEY_SIZE backwards, ie. in last schedule buffer.
                // Store in buffer, replacing old value, which was one KEY_SIZE backwards.
                addAndCopy( tempWord, scheduleBuffer, 4 );

                // Move to next word in schedule buffer.
                scheduleBuffer += 4;
                schedulePos += 4;

        } while( schedulePos < BLOCK_SIZE );

        // Substitute previous word when at BLOCK_SIZE boundary with 256 bit keys.
        subBytes( tempWord, 4 );
  #endif

        do {
                // Add value from one KEY_SIZE backwards, ie. in last schedule buffer.
                // Store in buffer, replacing old value, which was one KEY_SIZE backwards.
                addAndCopy( tempWord, scheduleBuffer, 4 );

                // Move to next word in schedule buffer.
                scheduleBuffer += 4;
                schedulePos += 4;

        } while( schedulePos < SCHEDULE_BUFFER_SIZE );

#elif KEY_SIZE == 24
        do {
                // Add value from one KEY_SIZE backwards (wraps to end of buffer).
                // Store in buffer, replacing old value.
                addConstantAndCopy( tempWord, scheduleBuffer + KEY_SIZE, scheduleBuffer, 4 );

                // Move to next word in schedule buffer.
                scheduleBuffer += 4;
                schedulePos += 4;

        } while( schedulePos < KEY_SIZE );

        // Transform previous word, since we are at a KEY_SIZE boundary in the schedule.
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Update round constant.
        if( roundConstant[0] & 0x80 ) {
                roundConstant[0] <<= 1;
                roundConstant[0] ^= BPOLY;
        } else {
                roundConstant[0] <<= 1;
        }

        do {
                // Add value from one KEY_SIZE backwards.
                // Store in buffer, replacing old value.
                addConstantAndCopy( tempWord, scheduleBuffer - KEY_SIZE, scheduleBuffer, 4 );

                // Move to next word in schedule buffer.
                scheduleBuffer += 4;
                schedulePos += 4;

        } while( schedulePos < SCHEDULE_BUFFER_SIZE );

#else
  #error Unsupported key size.
#endif
}



#if SCHEDULE_KEY_REPETITIONS > 1 // Only applies when more than one round key is calculated at a time.
static void initialKeyExpansion( byte * scheduleBuffer, byte * roundConstant )
{
  #if KEY_SIZE == 24 // Currently only required for 192-bit keys.
        byte tempWord[4];
        byte schedulePos = SCHEDULE_BUFFER_SIZE / 2;
        scheduleBuffer += SCHEDULE_BUFFER_SIZE / 2;

        // Get last word from previous key in schedule buffer.
        copyBytes( tempWord, scheduleBuffer - 4, 4 );

        // Transform it, since we are at a KEY_SIZE boundary in the schedule.
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Update round constant.
        if( roundConstant[0] & 0x80 ) {
                roundConstant[0] <<= 1;
                roundConstant[0] ^= BPOLY;
        } else {
                roundConstant[0] <<= 1;
        }

        do {
                // Add value from one KEY_SIZE backwards.
                // Store in buffer.
                addConstantAndCopy( tempWord, scheduleBuffer - KEY_SIZE, scheduleBuffer, 4 );

                // Move to next word in schedule buffer.
                scheduleBuffer += 4;
                schedulePos += 4;

        } while( schedulePos < SCHEDULE_BUFFER_SIZE );

  #else
    #error Unsupported key size.
  #endif
}
#endif



static void invKeyExpansion( byte * scheduleBuffer, byte * roundConstant )
{
        byte tempWord[4];

#if KEY_SIZE == 16 || KEY_SIZE == 32
        byte schedulePos = SCHEDULE_BUFFER_SIZE - 4;
        scheduleBuffer += SCHEDULE_BUFFER_SIZE - 4;

  #if KEY_SIZE == 32
        do {
                // Add with previous word.
                addConstant( scheduleBuffer, scheduleBuffer - 4, 4 );

                // Move to previous word in schedule.
                scheduleBuffer -= 4;
                schedulePos -= 4;

        } while( schedulePos > BLOCK_SIZE );

        // Prepare substitution of previous word.
        copyBytes( tempWord, scheduleBuffer - 4, 4 );
        subBytes( tempWord, 4 );

        // Add substituted word to current word.
        addConstant( scheduleBuffer, tempWord, 4 );

        // Move to previous word in schedule.
        scheduleBuffer -= 4;
        schedulePos -= 4;
  #endif

        do {
                // Add with previous word.
                addConstant( scheduleBuffer, scheduleBuffer - 4, 4 );

                // Move to previous word in schedule.
                scheduleBuffer -= 4;
                schedulePos -= 4;

        } while( schedulePos > 0 );

        // Prepare round constant for transformation that follows.
        if( (roundConstant[0] ^ BPOLY) == 0 ) {
                roundConstant[0] = 0x80;
        } else {
                roundConstant[0] >>= 1;
        }

        // Prepare transformation of previous word (which is now at end of buffer).
        copyBytes( tempWord, scheduleBuffer + SCHEDULE_BUFFER_SIZE - 4, 4 );
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Apply transformation result to current word.
        addConstant( scheduleBuffer, tempWord, 4 );

#elif KEY_SIZE == 24
        // Move to end of first KEY_SIZE in schedule.
        byte schedulePos = (SCHEDULE_BUFFER_SIZE/2) - 4;
        scheduleBuffer += (SCHEDULE_BUFFER_SIZE/2) - 4;

        do {
                // Get current word.
                // Add with previous word.
                // Store at position one KEY_SIZE backwards (wraps to end of buffer).
                addAndStore( scheduleBuffer, scheduleBuffer - 4, scheduleBuffer + KEY_SIZE, 4 );

                // Move to previous word in schedule.
                scheduleBuffer -= 4;
                schedulePos -= 4;

        } while( schedulePos > 0 );

        // Prepare round constant for transformation that follows.
        if( (roundConstant[0] ^ BPOLY) == 0 ) {
                roundConstant[0] = 0x80;
        } else {
                roundConstant[0] >>= 1;
        }

        // Prepare transformation of previous word (which is now at end of buffer).
        copyBytes( tempWord, scheduleBuffer + SCHEDULE_BUFFER_SIZE - 4, 4 );
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Add current word to transformation result.
        addConstant( tempWord, scheduleBuffer, 4 );
        // Store at position one KEY_SIZE backwards (wraps to end of buffer).
        copyBytes( scheduleBuffer + KEY_SIZE, tempWord, 4 );

        // Move to last word in schedule.
        schedulePos = SCHEDULE_BUFFER_SIZE - 4;
        scheduleBuffer += SCHEDULE_BUFFER_SIZE - 4;

        do {
                // Get current word.
                // Add with previous word.
                // Store at position one KEY_SIZE backwards.
                addAndStore( scheduleBuffer, scheduleBuffer - 4, scheduleBuffer - KEY_SIZE, 4 );

                // Move to previous word in schedule.
                scheduleBuffer -= 4;
                schedulePos -= 4;

        } while( schedulePos > KEY_SIZE );

        // Prepare round constant for transformation that follows.
        if( (roundConstant[0] ^ BPOLY) == 0 ) {
                roundConstant[0] = 0x80;
        } else {
                roundConstant[0] >>= 1;
        }

        // Prepare transformation of previous word.
        copyBytes( tempWord, scheduleBuffer - 4, 4 );
        cycleLeft( tempWord );
        subBytes( tempWord, 4 );
        addConstant( tempWord, roundConstant, 4 );

        // Add current word to transformation result.
        addConstant( tempWord, scheduleBuffer, 4 );
        // Store at position one KEY_SIZE backwards.
        copyBytes( scheduleBuffer - KEY_SIZE, tempWord, 4 );

#else
  #error Unsupported key size.
#endif
}



static void calcLastRoundKey( byte * scheduleBuffer )
{
        byte roundConstant[ 4 ] = { 0x01, 0x00, 0x00, 0x00 };

#if SCHEDULE_KEY_REPETITIONS > 1
        initialKeyExpansion( scheduleBuffer, roundConstant );
#endif

        byte round;
        for( round = 1; round < ROUNDS+1; round += SCHEDULE_BLOCK_REPETITIONS ) {
                keyExpansion( scheduleBuffer, roundConstant );
        }
}



void cipher( byte * block, byte * scheduleBuffer, const byte * key )
{
        byte roundConstant[4] = { 0x01, 0x00, 0x00, 0x00 };

        copyBytes( scheduleBuffer, key, KEY_SIZE );
#if SCHEDULE_KEY_REPETITIONS > 1
        initialKeyExpansion( scheduleBuffer, roundConstant );
#endif

#if KEY_SIZE == 16
        byte round;
        for( round = 0; round < ROUNDS-1; ++round ) {
                addConstantAndSubstitute( block, scheduleBuffer, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                keyExpansion( scheduleBuffer, roundConstant );
        }

        addConstantAndSubstitute( block, scheduleBuffer, BLOCK_SIZE );
        shiftRows( block );

        keyExpansion( scheduleBuffer, roundConstant );
        addConstant( block, scheduleBuffer, BLOCK_SIZE );

#elif KEY_SIZE == 24
        byte round;
        for( round = 0; round < ROUNDS-3; round += 3 ) {
                addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*2, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                keyExpansion( scheduleBuffer, roundConstant );
        }

        addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );
        shiftRows( block );
        mixColumns( block );

        addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
        shiftRows( block );
        mixColumns( block );

        addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*2, BLOCK_SIZE );
        shiftRows( block );

        keyExpansion( scheduleBuffer, roundConstant );
        addConstant( block, scheduleBuffer, BLOCK_SIZE );

#elif KEY_SIZE == 32
        byte round;
        for( round = 0; round < ROUNDS-2; round += 2 ) {
                addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
                shiftRows( block );
                mixColumns( block );

                keyExpansion( scheduleBuffer, roundConstant );
        }

        addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );
        shiftRows( block );
        mixColumns( block );

        addConstantAndSubstitute( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
        shiftRows( block );

        keyExpansion( scheduleBuffer, roundConstant );
        addConstant( block, scheduleBuffer, BLOCK_SIZE );

#else
  #error Unsupported key size.
#endif
}



void prepareInvCipher( byte * scheduleBuffer, const byte * key )
{
        copyBytes( scheduleBuffer, key, KEY_SIZE );
        calcLastRoundKey( scheduleBuffer );
}



void invCipher( byte * block, byte * scheduleBuffer )
{
        byte roundConstant[4] = { LAST_ROUND_CONSTANT, 0x00, 0x00, 0x00 };

#if KEY_SIZE == 16
        addConstant( block, scheduleBuffer, BLOCK_SIZE );

        byte round;
        for( round = 0; round < ROUNDS-1; ++round ) {
                invKeyExpansion( scheduleBuffer, roundConstant );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer, BLOCK_SIZE );
                invMixColumns( block );
        }

        invKeyExpansion( scheduleBuffer, roundConstant );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer, BLOCK_SIZE );

#elif KEY_SIZE == 24
        // Backtrace last update of round constant, since it is never
        // used, due to the use of two KEY_SIZEs in schedule buffer.
        if( (roundConstant[0] ^ BPOLY) == 0 ) {
                roundConstant[0] = 0x80;
        } else {
                roundConstant[0] >>= 1;
        }

        addConstant( block, scheduleBuffer, BLOCK_SIZE );

        byte round;
        for( round = 0; round < ROUNDS-3; round += 3 ) {
                invKeyExpansion( scheduleBuffer, roundConstant );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*2, BLOCK_SIZE );
                invMixColumns( block );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
                invMixColumns( block );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );
                invMixColumns( block );
        }

        invKeyExpansion( scheduleBuffer, roundConstant );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*2, BLOCK_SIZE );
        invMixColumns( block );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*1, BLOCK_SIZE );
        invMixColumns( block );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE*0, BLOCK_SIZE );

#elif KEY_SIZE == 32
        addConstant( block, scheduleBuffer, BLOCK_SIZE );

        byte round;
        for( round = 0; round < ROUNDS-2; round += 2 ) {
                invKeyExpansion( scheduleBuffer, roundConstant );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE, BLOCK_SIZE );
                invMixColumns( block );

                invShiftRows( block );
                invSubstituteAndAddConstant( block, scheduleBuffer, BLOCK_SIZE );
                invMixColumns( block );
        }

        invKeyExpansion( scheduleBuffer, roundConstant );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer + BLOCK_SIZE, BLOCK_SIZE );
        invMixColumns( block );

        invShiftRows( block );
        invSubstituteAndAddConstant( block, scheduleBuffer, BLOCK_SIZE );

#else
  #error Unsupported key size.
#endif
}