1 // SPDX-License-Identifier: Brian-Gladman-3-Clause
2 /*
3 * ---------------------------------------------------------------------------
4 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
5 *
6 * LICENSE TERMS
7 *
8 * The free distribution and use of this software is allowed (with or without
9 * changes) provided that:
10 *
11 * 1. source code distributions include the above copyright notice, this
12 * list of conditions and the following disclaimer;
13 *
14 * 2. binary distributions include the above copyright notice, this list
15 * of conditions and the following disclaimer in their documentation;
16 *
17 * 3. the name of the copyright holder is not used to endorse products
18 * built using this software without specific written permission.
19 *
20 * DISCLAIMER
21 *
22 * This software is provided 'as is' with no explicit or implied warranties
23 * in respect of its properties, including, but not limited to, correctness
24 * and/or fitness for purpose.
25 * ---------------------------------------------------------------------------
26 * Issue Date: 20/12/2007
27 */
28
29 #include <aes/aes_impl.h>
30 #include "aesopt.h"
31 #include "aestab.h"
32 #include "aestab2.h"
33
34 /*
35 * Initialise the key schedule from the user supplied key. The key
36 * length can be specified in bytes, with legal values of 16, 24
37 * and 32, or in bits, with legal values of 128, 192 and 256. These
38 * values correspond with Nk values of 4, 6 and 8 respectively.
39 *
40 * The following macros implement a single cycle in the key
41 * schedule generation process. The number of cycles needed
42 * for each cx->n_col and nk value is:
43 *
44 * nk = 4 5 6 7 8
45 * ------------------------------
46 * cx->n_col = 4 10 9 8 7 7
47 * cx->n_col = 5 14 11 10 9 9
48 * cx->n_col = 6 19 15 12 11 11
49 * cx->n_col = 7 21 19 16 13 14
50 * cx->n_col = 8 29 23 19 17 14
51 */
52
53 /*
54 * OpenSolaris changes
55 * 1. Added header files aes_impl.h and aestab2.h
56 * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
57 * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
58 * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
59 * AES_128, AES_192, AES_256, AES_VAR defines
60 * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
61 * 6. Changed N_COLS to MAX_AES_NB
62 * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
63 * OpenSolaris-compatible functions rijndael_key_setup_enc_amd64 and
64 * rijndael_key_setup_dec_amd64
65 * 8. cstyled code and removed lint warnings
66 */
67
68 #if defined(REDUCE_CODE_SIZE)
69 #define ls_box ls_sub
70 uint32_t ls_sub(const uint32_t t, const uint32_t n);
71 #define inv_mcol im_sub
72 uint32_t im_sub(const uint32_t x);
73 #ifdef ENC_KS_UNROLL
74 #undef ENC_KS_UNROLL
75 #endif
76 #ifdef DEC_KS_UNROLL
77 #undef DEC_KS_UNROLL
78 #endif
79 #endif /* REDUCE_CODE_SIZE */
80
81
82 #define ke4(k, i) \
83 { k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
84 k[4 * (i) + 5] = ss[1] ^= ss[0]; \
85 k[4 * (i) + 6] = ss[2] ^= ss[1]; \
86 k[4 * (i) + 7] = ss[3] ^= ss[2]; \
87 }
88
89 static void
aes_encrypt_key128(const unsigned char * key,uint32_t rk[])90 aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
91 {
92 uint32_t ss[4];
93
94 rk[0] = ss[0] = word_in(key, 0);
95 rk[1] = ss[1] = word_in(key, 1);
96 rk[2] = ss[2] = word_in(key, 2);
97 rk[3] = ss[3] = word_in(key, 3);
98
99 #ifdef ENC_KS_UNROLL
100 ke4(rk, 0); ke4(rk, 1);
101 ke4(rk, 2); ke4(rk, 3);
102 ke4(rk, 4); ke4(rk, 5);
103 ke4(rk, 6); ke4(rk, 7);
104 ke4(rk, 8);
105 #else
106 {
107 uint32_t i;
108 for (i = 0; i < 9; ++i)
109 ke4(rk, i);
110 }
111 #endif /* ENC_KS_UNROLL */
112 ke4(rk, 9);
113 }
114
115
116 #define kef6(k, i) \
117 { k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
118 k[6 * (i) + 7] = ss[1] ^= ss[0]; \
119 k[6 * (i) + 8] = ss[2] ^= ss[1]; \
120 k[6 * (i) + 9] = ss[3] ^= ss[2]; \
121 }
122
123 #define ke6(k, i) \
124 { kef6(k, i); \
125 k[6 * (i) + 10] = ss[4] ^= ss[3]; \
126 k[6 * (i) + 11] = ss[5] ^= ss[4]; \
127 }
128
129 static void
aes_encrypt_key192(const unsigned char * key,uint32_t rk[])130 aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
131 {
132 uint32_t ss[6];
133
134 rk[0] = ss[0] = word_in(key, 0);
135 rk[1] = ss[1] = word_in(key, 1);
136 rk[2] = ss[2] = word_in(key, 2);
137 rk[3] = ss[3] = word_in(key, 3);
138 rk[4] = ss[4] = word_in(key, 4);
139 rk[5] = ss[5] = word_in(key, 5);
140
141 #ifdef ENC_KS_UNROLL
142 ke6(rk, 0); ke6(rk, 1);
143 ke6(rk, 2); ke6(rk, 3);
144 ke6(rk, 4); ke6(rk, 5);
145 ke6(rk, 6);
146 #else
147 {
148 uint32_t i;
149 for (i = 0; i < 7; ++i)
150 ke6(rk, i);
151 }
152 #endif /* ENC_KS_UNROLL */
153 kef6(rk, 7);
154 }
155
156
157
158 #define kef8(k, i) \
159 { k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
160 k[8 * (i) + 9] = ss[1] ^= ss[0]; \
161 k[8 * (i) + 10] = ss[2] ^= ss[1]; \
162 k[8 * (i) + 11] = ss[3] ^= ss[2]; \
163 }
164
165 #define ke8(k, i) \
166 { kef8(k, i); \
167 k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
168 k[8 * (i) + 13] = ss[5] ^= ss[4]; \
169 k[8 * (i) + 14] = ss[6] ^= ss[5]; \
170 k[8 * (i) + 15] = ss[7] ^= ss[6]; \
171 }
172
173 static void
aes_encrypt_key256(const unsigned char * key,uint32_t rk[])174 aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
175 {
176 uint32_t ss[8];
177
178 rk[0] = ss[0] = word_in(key, 0);
179 rk[1] = ss[1] = word_in(key, 1);
180 rk[2] = ss[2] = word_in(key, 2);
181 rk[3] = ss[3] = word_in(key, 3);
182 rk[4] = ss[4] = word_in(key, 4);
183 rk[5] = ss[5] = word_in(key, 5);
184 rk[6] = ss[6] = word_in(key, 6);
185 rk[7] = ss[7] = word_in(key, 7);
186
187 #ifdef ENC_KS_UNROLL
188 ke8(rk, 0); ke8(rk, 1);
189 ke8(rk, 2); ke8(rk, 3);
190 ke8(rk, 4); ke8(rk, 5);
191 #else
192 {
193 uint32_t i;
194 for (i = 0; i < 6; ++i)
195 ke8(rk, i);
196 }
197 #endif /* ENC_KS_UNROLL */
198 kef8(rk, 6);
199 }
200
201
202 /*
203 * Expand the cipher key into the encryption key schedule.
204 *
205 * Return the number of rounds for the given cipher key size.
206 * The size of the key schedule depends on the number of rounds
207 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
208 *
209 * Parameters:
210 * rk AES key schedule 32-bit array to be initialized
211 * cipherKey User key
212 * keyBits AES key size (128, 192, or 256 bits)
213 */
214 int
rijndael_key_setup_enc_amd64(uint32_t rk[],const uint32_t cipherKey[],int keyBits)215 rijndael_key_setup_enc_amd64(uint32_t rk[], const uint32_t cipherKey[],
216 int keyBits)
217 {
218 switch (keyBits) {
219 case 128:
220 aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
221 return (10);
222 case 192:
223 aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
224 return (12);
225 case 256:
226 aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
227 return (14);
228 default: /* should never get here */
229 break;
230 }
231
232 return (0);
233 }
234
235
236 /* this is used to store the decryption round keys */
237 /* in forward or reverse order */
238
239 #ifdef AES_REV_DKS
240 #define v(n, i) ((n) - (i) + 2 * ((i) & 3))
241 #else
242 #define v(n, i) (i)
243 #endif
244
245 #if DEC_ROUND == NO_TABLES
246 #define ff(x) (x)
247 #else
248 #define ff(x) inv_mcol(x)
249 #if defined(dec_imvars)
250 #define d_vars dec_imvars
251 #endif
252 #endif /* FUNCS_IN_C & DEC_KEYING_IN_C */
253
254
255 #define k4e(k, i) \
256 { k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
257 k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
258 k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
259 k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
260 }
261
262 #if 1
263
264 #define kdf4(k, i) \
265 { ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
266 ss[1] = ss[1] ^ ss[3]; \
267 ss[2] = ss[2] ^ ss[3]; \
268 ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
269 ss[i % 4] ^= ss[4]; \
270 ss[4] ^= k[v(40, (4 * (i)))]; k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
271 ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
272 ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
273 ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
274 }
275
276 #define kd4(k, i) \
277 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
278 ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
279 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
280 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
281 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
282 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
283 }
284
285 #define kdl4(k, i) \
286 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
287 ss[i % 4] ^= ss[4]; \
288 k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
289 k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
290 k[v(40, (4 * (i)) + 6)] = ss[0]; \
291 k[v(40, (4 * (i)) + 7)] = ss[1]; \
292 }
293
294 #else
295
296 #define kdf4(k, i) \
297 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
298 k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
299 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
300 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
301 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
302 }
303
304 #define kd4(k, i) \
305 { ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
306 ss[0] ^= ss[4]; \
307 ss[4] = ff(ss[4]); \
308 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
309 ss[1] ^= ss[0]; \
310 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
311 ss[2] ^= ss[1]; \
312 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
313 ss[3] ^= ss[2]; \
314 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
315 }
316
317 #define kdl4(k, i) \
318 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
319 k[v(40, (4 * (i)) + 4)] = ss[0]; \
320 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
321 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
322 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
323 }
324
325 #endif
326
327 static void
aes_decrypt_key128(const unsigned char * key,uint32_t rk[])328 aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
329 {
330 uint32_t ss[5];
331 #if defined(d_vars)
332 d_vars;
333 #endif
334 rk[v(40, (0))] = ss[0] = word_in(key, 0);
335 rk[v(40, (1))] = ss[1] = word_in(key, 1);
336 rk[v(40, (2))] = ss[2] = word_in(key, 2);
337 rk[v(40, (3))] = ss[3] = word_in(key, 3);
338
339 #ifdef DEC_KS_UNROLL
340 kdf4(rk, 0); kd4(rk, 1);
341 kd4(rk, 2); kd4(rk, 3);
342 kd4(rk, 4); kd4(rk, 5);
343 kd4(rk, 6); kd4(rk, 7);
344 kd4(rk, 8); kdl4(rk, 9);
345 #else
346 {
347 uint32_t i;
348 for (i = 0; i < 10; ++i)
349 k4e(rk, i);
350 #if !(DEC_ROUND == NO_TABLES)
351 for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
352 rk[i] = inv_mcol(rk[i]);
353 #endif
354 }
355 #endif /* DEC_KS_UNROLL */
356 }
357
358
359
360 #define k6ef(k, i) \
361 { k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
362 k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
363 k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
364 k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
365 }
366
367 #define k6e(k, i) \
368 { k6ef(k, i); \
369 k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
370 k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
371 }
372
373 #define kdf6(k, i) \
374 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
375 k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
376 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
377 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
378 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
379 ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
380 ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
381 }
382
383 #define kd6(k, i) \
384 { ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
385 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
386 k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
387 ss[1] ^= ss[0]; \
388 k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
389 ss[2] ^= ss[1]; \
390 k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
391 ss[3] ^= ss[2]; \
392 k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
393 ss[4] ^= ss[3]; \
394 k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
395 ss[5] ^= ss[4]; \
396 k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
397 }
398
399 #define kdl6(k, i) \
400 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
401 k[v(48, (6 * (i)) + 6)] = ss[0]; \
402 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
403 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
404 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
405 }
406
407 static void
aes_decrypt_key192(const unsigned char * key,uint32_t rk[])408 aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
409 {
410 uint32_t ss[7];
411 #if defined(d_vars)
412 d_vars;
413 #endif
414 rk[v(48, (0))] = ss[0] = word_in(key, 0);
415 rk[v(48, (1))] = ss[1] = word_in(key, 1);
416 rk[v(48, (2))] = ss[2] = word_in(key, 2);
417 rk[v(48, (3))] = ss[3] = word_in(key, 3);
418
419 #ifdef DEC_KS_UNROLL
420 ss[4] = word_in(key, 4);
421 rk[v(48, (4))] = ff(ss[4]);
422 ss[5] = word_in(key, 5);
423 rk[v(48, (5))] = ff(ss[5]);
424 kdf6(rk, 0); kd6(rk, 1);
425 kd6(rk, 2); kd6(rk, 3);
426 kd6(rk, 4); kd6(rk, 5);
427 kd6(rk, 6); kdl6(rk, 7);
428 #else
429 rk[v(48, (4))] = ss[4] = word_in(key, 4);
430 rk[v(48, (5))] = ss[5] = word_in(key, 5);
431 {
432 uint32_t i;
433
434 for (i = 0; i < 7; ++i)
435 k6e(rk, i);
436 k6ef(rk, 7);
437 #if !(DEC_ROUND == NO_TABLES)
438 for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
439 rk[i] = inv_mcol(rk[i]);
440 #endif
441 }
442 #endif
443 }
444
445
446
447 #define k8ef(k, i) \
448 { k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
449 k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
450 k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
451 k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
452 }
453
454 #define k8e(k, i) \
455 { k8ef(k, i); \
456 k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
457 k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
458 k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
459 k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
460 }
461
462 #define kdf8(k, i) \
463 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
464 k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
465 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
466 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
467 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
468 ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
469 ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
470 ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
471 ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
472 }
473
474 #define kd8(k, i) \
475 { ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
476 ss[0] ^= ss[8]; \
477 ss[8] = ff(ss[8]); \
478 k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
479 ss[1] ^= ss[0]; \
480 k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
481 ss[2] ^= ss[1]; \
482 k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
483 ss[3] ^= ss[2]; \
484 k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
485 ss[8] = ls_box(ss[3], 0); \
486 ss[4] ^= ss[8]; \
487 ss[8] = ff(ss[8]); \
488 k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
489 ss[5] ^= ss[4]; \
490 k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
491 ss[6] ^= ss[5]; \
492 k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
493 ss[7] ^= ss[6]; \
494 k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
495 }
496
497 #define kdl8(k, i) \
498 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
499 k[v(56, (8 * (i)) + 8)] = ss[0]; \
500 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
501 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
502 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
503 }
504
505 static void
aes_decrypt_key256(const unsigned char * key,uint32_t rk[])506 aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
507 {
508 uint32_t ss[9];
509 #if defined(d_vars)
510 d_vars;
511 #endif
512 rk[v(56, (0))] = ss[0] = word_in(key, 0);
513 rk[v(56, (1))] = ss[1] = word_in(key, 1);
514 rk[v(56, (2))] = ss[2] = word_in(key, 2);
515 rk[v(56, (3))] = ss[3] = word_in(key, 3);
516
517 #ifdef DEC_KS_UNROLL
518 ss[4] = word_in(key, 4);
519 rk[v(56, (4))] = ff(ss[4]);
520 ss[5] = word_in(key, 5);
521 rk[v(56, (5))] = ff(ss[5]);
522 ss[6] = word_in(key, 6);
523 rk[v(56, (6))] = ff(ss[6]);
524 ss[7] = word_in(key, 7);
525 rk[v(56, (7))] = ff(ss[7]);
526 kdf8(rk, 0); kd8(rk, 1);
527 kd8(rk, 2); kd8(rk, 3);
528 kd8(rk, 4); kd8(rk, 5);
529 kdl8(rk, 6);
530 #else
531 rk[v(56, (4))] = ss[4] = word_in(key, 4);
532 rk[v(56, (5))] = ss[5] = word_in(key, 5);
533 rk[v(56, (6))] = ss[6] = word_in(key, 6);
534 rk[v(56, (7))] = ss[7] = word_in(key, 7);
535 {
536 uint32_t i;
537
538 for (i = 0; i < 6; ++i)
539 k8e(rk, i);
540 k8ef(rk, 6);
541 #if !(DEC_ROUND == NO_TABLES)
542 for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
543 rk[i] = inv_mcol(rk[i]);
544 #endif
545 }
546 #endif /* DEC_KS_UNROLL */
547 }
548
549
550 /*
551 * Expand the cipher key into the decryption key schedule.
552 *
553 * Return the number of rounds for the given cipher key size.
554 * The size of the key schedule depends on the number of rounds
555 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
556 *
557 * Parameters:
558 * rk AES key schedule 32-bit array to be initialized
559 * cipherKey User key
560 * keyBits AES key size (128, 192, or 256 bits)
561 */
562 int
rijndael_key_setup_dec_amd64(uint32_t rk[],const uint32_t cipherKey[],int keyBits)563 rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[],
564 int keyBits)
565 {
566 switch (keyBits) {
567 case 128:
568 aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
569 return (10);
570 case 192:
571 aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
572 return (12);
573 case 256:
574 aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
575 return (14);
576 default: /* should never get here */
577 break;
578 }
579
580 return (0);
581 }
582