xref: /freebsd/sys/contrib/openzfs/module/icp/asm-x86_64/aes/aeskey.c (revision 4757b351ea9d59d71d4a38b82506d2d16fcd560d) 
1 // SPDX-License-Identifier: Brian-Gladman-3-Clause
2 /*
3  * ---------------------------------------------------------------------------
4  * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
5  *
6  * LICENSE TERMS
7  *
8  * The free distribution and use of this software is allowed (with or without
9  * changes) provided that:
10  *
11  *  1. source code distributions include the above copyright notice, this
12  *	 list of conditions and the following disclaimer;
13  *
14  *  2. binary distributions include the above copyright notice, this list
15  *	 of conditions and the following disclaimer in their documentation;
16  *
17  *  3. the name of the copyright holder is not used to endorse products
18  *	 built using this software without specific written permission.
19  *
20  * DISCLAIMER
21  *
22  * This software is provided 'as is' with no explicit or implied warranties
23  * in respect of its properties, including, but not limited to, correctness
24  * and/or fitness for purpose.
25  * ---------------------------------------------------------------------------
26  * Issue Date: 20/12/2007
27  */
28 
29 #include <aes/aes_impl.h>
30 #include "aesopt.h"
31 #include "aestab.h"
32 #include "aestab2.h"
33 
34 /*
35  *	Initialise the key schedule from the user supplied key. The key
36  *	length can be specified in bytes, with legal values of 16, 24
37  *	and 32, or in bits, with legal values of 128, 192 and 256. These
38  *	values correspond with Nk values of 4, 6 and 8 respectively.
39  *
40  *	The following macros implement a single cycle in the key
41  *	schedule generation process. The number of cycles needed
42  *	for each cx->n_col and nk value is:
43  *
44  *	nk =		4  5  6  7  8
45  *	------------------------------
46  *	cx->n_col = 4	10  9  8  7  7
47  *	cx->n_col = 5	14 11 10  9  9
48  *	cx->n_col = 6	19 15 12 11 11
49  *	cx->n_col = 7	21 19 16 13 14
50  *	cx->n_col = 8	29 23 19 17 14
51  */
52 
53 /*
54  * OpenSolaris changes
55  * 1. Added header files aes_impl.h and aestab2.h
56  * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
57  * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
58  * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
59  *	AES_128, AES_192, AES_256, AES_VAR defines
60  * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
61  * 6. Changed N_COLS to MAX_AES_NB
62  * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
63  *	OpenSolaris-compatible functions rijndael_key_setup_enc_amd64 and
64  *	rijndael_key_setup_dec_amd64
65  * 8. cstyled code and removed lint warnings
66  */
67 
68 #if defined(REDUCE_CODE_SIZE)
69 #define	ls_box ls_sub
70 	uint32_t	ls_sub(const uint32_t t, const uint32_t n);
71 #define	inv_mcol im_sub
72 	uint32_t	im_sub(const uint32_t x);
73 #ifdef ENC_KS_UNROLL
74 #undef ENC_KS_UNROLL
75 #endif
76 #ifdef DEC_KS_UNROLL
77 #undef DEC_KS_UNROLL
78 #endif
79 #endif	/* REDUCE_CODE_SIZE */
80 
81 
82 #define	ke4(k, i) \
83 {	k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
84 	k[4 * (i) + 5] = ss[1] ^= ss[0]; \
85 	k[4 * (i) + 6] = ss[2] ^= ss[1]; \
86 	k[4 * (i) + 7] = ss[3] ^= ss[2]; \
87 }
88 
89 static void
90 aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
91 {
92 	uint32_t	ss[4];
93 
94 	rk[0] = ss[0] = word_in(key, 0);
95 	rk[1] = ss[1] = word_in(key, 1);
96 	rk[2] = ss[2] = word_in(key, 2);
97 	rk[3] = ss[3] = word_in(key, 3);
98 
99 #ifdef ENC_KS_UNROLL
100 	ke4(rk, 0);  ke4(rk, 1);
101 	ke4(rk, 2);  ke4(rk, 3);
102 	ke4(rk, 4);  ke4(rk, 5);
103 	ke4(rk, 6);  ke4(rk, 7);
104 	ke4(rk, 8);
105 #else
106 	{
107 		uint32_t	i;
108 		for (i = 0; i < 9; ++i)
109 			ke4(rk, i);
110 	}
111 #endif	/* ENC_KS_UNROLL */
112 	ke4(rk, 9);
113 }
114 
115 
116 #define	kef6(k, i) \
117 {	k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
118 	k[6 * (i) + 7] = ss[1] ^= ss[0]; \
119 	k[6 * (i) + 8] = ss[2] ^= ss[1]; \
120 	k[6 * (i) + 9] = ss[3] ^= ss[2]; \
121 }
122 
123 #define	ke6(k, i) \
124 {	kef6(k, i); \
125 	k[6 * (i) + 10] = ss[4] ^= ss[3]; \
126 	k[6 * (i) + 11] = ss[5] ^= ss[4]; \
127 }
128 
129 static void
130 aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
131 {
132 	uint32_t	ss[6];
133 
134 	rk[0] = ss[0] = word_in(key, 0);
135 	rk[1] = ss[1] = word_in(key, 1);
136 	rk[2] = ss[2] = word_in(key, 2);
137 	rk[3] = ss[3] = word_in(key, 3);
138 	rk[4] = ss[4] = word_in(key, 4);
139 	rk[5] = ss[5] = word_in(key, 5);
140 
141 #ifdef ENC_KS_UNROLL
142 	ke6(rk, 0);  ke6(rk, 1);
143 	ke6(rk, 2);  ke6(rk, 3);
144 	ke6(rk, 4);  ke6(rk, 5);
145 	ke6(rk, 6);
146 #else
147 	{
148 		uint32_t	i;
149 		for (i = 0; i < 7; ++i)
150 			ke6(rk, i);
151 	}
152 #endif	/* ENC_KS_UNROLL */
153 	kef6(rk, 7);
154 }
155 
156 
157 
158 #define	kef8(k, i) \
159 {	k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
160 	k[8 * (i) + 9] = ss[1] ^= ss[0]; \
161 	k[8 * (i) + 10] = ss[2] ^= ss[1]; \
162 	k[8 * (i) + 11] = ss[3] ^= ss[2]; \
163 }
164 
165 #define	ke8(k, i) \
166 {   kef8(k, i); \
167 	k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
168 	k[8 * (i) + 13] = ss[5] ^= ss[4]; \
169 	k[8 * (i) + 14] = ss[6] ^= ss[5]; \
170 	k[8 * (i) + 15] = ss[7] ^= ss[6]; \
171 }
172 
173 static void
174 aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
175 {
176 	uint32_t	ss[8];
177 
178 	rk[0] = ss[0] = word_in(key, 0);
179 	rk[1] = ss[1] = word_in(key, 1);
180 	rk[2] = ss[2] = word_in(key, 2);
181 	rk[3] = ss[3] = word_in(key, 3);
182 	rk[4] = ss[4] = word_in(key, 4);
183 	rk[5] = ss[5] = word_in(key, 5);
184 	rk[6] = ss[6] = word_in(key, 6);
185 	rk[7] = ss[7] = word_in(key, 7);
186 
187 #ifdef ENC_KS_UNROLL
188 	ke8(rk, 0); ke8(rk, 1);
189 	ke8(rk, 2); ke8(rk, 3);
190 	ke8(rk, 4); ke8(rk, 5);
191 #else
192 	{
193 		uint32_t	i;
194 		for (i = 0; i < 6; ++i)
195 			ke8(rk,  i);
196 	}
197 #endif	/* ENC_KS_UNROLL */
198 	kef8(rk, 6);
199 }
200 
201 
202 /*
203  * Expand the cipher key into the encryption key schedule.
204  *
205  * Return the number of rounds for the given cipher key size.
206  * The size of the key schedule depends on the number of rounds
207  * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
208  *
209  * Parameters:
210  * rk		AES key schedule 32-bit array to be initialized
211  * cipherKey	User key
212  * keyBits	AES key size (128, 192, or 256 bits)
213  */
214 int
215 rijndael_key_setup_enc_amd64(uint32_t rk[], const uint32_t cipherKey[],
216     int keyBits)
217 {
218 	switch (keyBits) {
219 	case 128:
220 		aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
221 		return (10);
222 	case 192:
223 		aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
224 		return (12);
225 	case 256:
226 		aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
227 		return (14);
228 	default: /* should never get here */
229 		break;
230 	}
231 
232 	return (0);
233 }
234 
235 
236 /* this is used to store the decryption round keys  */
237 /* in forward or reverse order */
238 
239 #ifdef AES_REV_DKS
240 #define	v(n, i)  ((n) - (i) + 2 * ((i) & 3))
241 #else
242 #define	v(n, i)  (i)
243 #endif
244 
245 #if DEC_ROUND == NO_TABLES
246 #define	ff(x)   (x)
247 #else
248 #define	ff(x)   inv_mcol(x)
249 #if defined(dec_imvars)
250 #define	d_vars  dec_imvars
251 #endif
252 #endif	/* FUNCS_IN_C & DEC_KEYING_IN_C */
253 
254 
255 #define	k4e(k, i) \
256 {	k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
257 	k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
258 	k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
259 	k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
260 }
261 
262 #if 1
263 
264 #define	kdf4(k, i) \
265 {	ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
266 	ss[1] = ss[1] ^ ss[3]; \
267 	ss[2] = ss[2] ^ ss[3]; \
268 	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
269 	ss[i % 4] ^= ss[4]; \
270 	ss[4] ^= k[v(40, (4 * (i)))];   k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
271 	ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
272 	ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
273 	ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
274 }
275 
276 #define	kd4(k, i) \
277 {	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
278 	ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
279 	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
280 	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
281 	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
282 	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
283 }
284 
285 #define	kdl4(k, i) \
286 {	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
287 	ss[i % 4] ^= ss[4]; \
288 	k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
289 	k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
290 	k[v(40, (4 * (i)) + 6)] = ss[0]; \
291 	k[v(40, (4 * (i)) + 7)] = ss[1]; \
292 }
293 
294 #else
295 
296 #define	kdf4(k, i) \
297 {	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
298 	k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
299 	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
300 	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
301 	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
302 }
303 
304 #define	kd4(k, i) \
305 {	ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
306 	ss[0] ^= ss[4]; \
307 	ss[4] = ff(ss[4]); \
308 	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
309 	ss[1] ^= ss[0]; \
310 	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
311 	ss[2] ^= ss[1]; \
312 	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
313 	ss[3] ^= ss[2]; \
314 	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
315 }
316 
317 #define	kdl4(k, i) \
318 {	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
319 	k[v(40, (4 * (i)) + 4)] = ss[0]; \
320 	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
321 	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
322 	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
323 }
324 
325 #endif
326 
327 static void
328 aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
329 {
330 	uint32_t	ss[5];
331 #if defined(d_vars)
332 	d_vars;
333 #endif
334 	rk[v(40, (0))] = ss[0] = word_in(key, 0);
335 	rk[v(40, (1))] = ss[1] = word_in(key, 1);
336 	rk[v(40, (2))] = ss[2] = word_in(key, 2);
337 	rk[v(40, (3))] = ss[3] = word_in(key, 3);
338 
339 #ifdef DEC_KS_UNROLL
340 	kdf4(rk, 0); kd4(rk, 1);
341 	kd4(rk, 2);  kd4(rk, 3);
342 	kd4(rk, 4);  kd4(rk, 5);
343 	kd4(rk, 6);  kd4(rk, 7);
344 	kd4(rk, 8);  kdl4(rk, 9);
345 #else
346 	{
347 		uint32_t	i;
348 		for (i = 0; i < 10; ++i)
349 			k4e(rk, i);
350 #if !(DEC_ROUND == NO_TABLES)
351 		for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
352 			rk[i] = inv_mcol(rk[i]);
353 #endif
354 	}
355 #endif	/* DEC_KS_UNROLL */
356 }
357 
358 
359 
360 #define	k6ef(k, i) \
361 {	k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
362 	k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
363 	k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
364 	k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
365 }
366 
367 #define	k6e(k, i) \
368 {	k6ef(k, i); \
369 	k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
370 	k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
371 }
372 
373 #define	kdf6(k, i) \
374 {	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
375 	k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
376 	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
377 	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
378 	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
379 	ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
380 	ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
381 }
382 
383 #define	kd6(k, i) \
384 {	ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
385 	ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
386 	k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
387 	ss[1] ^= ss[0]; \
388 	k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
389 	ss[2] ^= ss[1]; \
390 	k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
391 	ss[3] ^= ss[2]; \
392 	k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
393 	ss[4] ^= ss[3]; \
394 	k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
395 	ss[5] ^= ss[4]; \
396 	k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
397 }
398 
399 #define	kdl6(k, i) \
400 {	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
401 	k[v(48, (6 * (i)) + 6)] = ss[0]; \
402 	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
403 	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
404 	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
405 }
406 
407 static void
408 aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
409 {
410 	uint32_t	ss[7];
411 #if defined(d_vars)
412 	d_vars;
413 #endif
414 	rk[v(48, (0))] = ss[0] = word_in(key, 0);
415 	rk[v(48, (1))] = ss[1] = word_in(key, 1);
416 	rk[v(48, (2))] = ss[2] = word_in(key, 2);
417 	rk[v(48, (3))] = ss[3] = word_in(key, 3);
418 
419 #ifdef DEC_KS_UNROLL
420 	ss[4] = word_in(key, 4);
421 	rk[v(48, (4))] = ff(ss[4]);
422 	ss[5] = word_in(key, 5);
423 	rk[v(48, (5))] = ff(ss[5]);
424 	kdf6(rk, 0); kd6(rk, 1);
425 	kd6(rk, 2);  kd6(rk, 3);
426 	kd6(rk, 4);  kd6(rk, 5);
427 	kd6(rk, 6);  kdl6(rk, 7);
428 #else
429 	rk[v(48, (4))] = ss[4] = word_in(key, 4);
430 	rk[v(48, (5))] = ss[5] = word_in(key, 5);
431 	{
432 		uint32_t	i;
433 
434 		for (i = 0; i < 7; ++i)
435 			k6e(rk, i);
436 		k6ef(rk, 7);
437 #if !(DEC_ROUND == NO_TABLES)
438 		for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
439 			rk[i] = inv_mcol(rk[i]);
440 #endif
441 	}
442 #endif
443 }
444 
445 
446 
447 #define	k8ef(k, i) \
448 {	k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
449 	k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
450 	k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
451 	k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
452 }
453 
454 #define	k8e(k, i) \
455 {	k8ef(k, i); \
456 	k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
457 	k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
458 	k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
459 	k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
460 }
461 
462 #define	kdf8(k, i) \
463 {	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
464 	k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
465 	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
466 	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
467 	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
468 	ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
469 	ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
470 	ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
471 	ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
472 }
473 
474 #define	kd8(k, i) \
475 {	ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
476 	ss[0] ^= ss[8]; \
477 	ss[8] = ff(ss[8]); \
478 	k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
479 	ss[1] ^= ss[0]; \
480 	k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
481 	ss[2] ^= ss[1]; \
482 	k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
483 	ss[3] ^= ss[2]; \
484 	k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
485 	ss[8] = ls_box(ss[3], 0); \
486 	ss[4] ^= ss[8]; \
487 	ss[8] = ff(ss[8]); \
488 	k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
489 	ss[5] ^= ss[4]; \
490 	k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
491 	ss[6] ^= ss[5]; \
492 	k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
493 	ss[7] ^= ss[6]; \
494 	k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
495 }
496 
497 #define	kdl8(k, i) \
498 {	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
499 	k[v(56, (8 * (i)) + 8)] = ss[0]; \
500 	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
501 	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
502 	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
503 }
504 
505 static void
506 aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
507 {
508 	uint32_t	ss[9];
509 #if defined(d_vars)
510 	d_vars;
511 #endif
512 	rk[v(56, (0))] = ss[0] = word_in(key, 0);
513 	rk[v(56, (1))] = ss[1] = word_in(key, 1);
514 	rk[v(56, (2))] = ss[2] = word_in(key, 2);
515 	rk[v(56, (3))] = ss[3] = word_in(key, 3);
516 
517 #ifdef DEC_KS_UNROLL
518 	ss[4] = word_in(key, 4);
519 	rk[v(56, (4))] = ff(ss[4]);
520 	ss[5] = word_in(key, 5);
521 	rk[v(56, (5))] = ff(ss[5]);
522 	ss[6] = word_in(key, 6);
523 	rk[v(56, (6))] = ff(ss[6]);
524 	ss[7] = word_in(key, 7);
525 	rk[v(56, (7))] = ff(ss[7]);
526 	kdf8(rk, 0); kd8(rk, 1);
527 	kd8(rk, 2);  kd8(rk, 3);
528 	kd8(rk, 4);  kd8(rk, 5);
529 	kdl8(rk, 6);
530 #else
531 	rk[v(56, (4))] = ss[4] = word_in(key, 4);
532 	rk[v(56, (5))] = ss[5] = word_in(key, 5);
533 	rk[v(56, (6))] = ss[6] = word_in(key, 6);
534 	rk[v(56, (7))] = ss[7] = word_in(key, 7);
535 	{
536 		uint32_t	i;
537 
538 		for (i = 0; i < 6; ++i)
539 			k8e(rk,  i);
540 		k8ef(rk,  6);
541 #if !(DEC_ROUND == NO_TABLES)
542 		for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
543 			rk[i] = inv_mcol(rk[i]);
544 #endif
545 	}
546 #endif	/* DEC_KS_UNROLL */
547 }
548 
549 
550 /*
551  * Expand the cipher key into the decryption key schedule.
552  *
553  * Return the number of rounds for the given cipher key size.
554  * The size of the key schedule depends on the number of rounds
555  * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
556  *
557  * Parameters:
558  * rk		AES key schedule 32-bit array to be initialized
559  * cipherKey	User key
560  * keyBits	AES key size (128, 192, or 256 bits)
561  */
562 int
563 rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[],
564     int keyBits)
565 {
566 	switch (keyBits) {
567 	case 128:
568 		aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
569 		return (10);
570 	case 192:
571 		aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
572 		return (12);
573 	case 256:
574 		aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
575 		return (14);
576 	default: /* should never get here */
577 		break;
578 	}
579 
580 	return (0);
581 }
582