xref: /illumos-gate/usr/src/common/crypto/aes/amd64/aeskey.c (revision d09832051bb4b41ce2b3202c09fceedc089678af)
1 /*
2  * ---------------------------------------------------------------------------
3  * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
4  *
5  * LICENSE TERMS
6  *
7  * The free distribution and use of this software is allowed (with or without
8  * changes) provided that:
9  *
10  *  1. source code distributions include the above copyright notice, this
11  *	 list of conditions and the following disclaimer;
12  *
13  *  2. binary distributions include the above copyright notice, this list
14  *	 of conditions and the following disclaimer in their documentation;
15  *
16  *  3. the name of the copyright holder is not used to endorse products
17  *	 built using this software without specific written permission.
18  *
19  * DISCLAIMER
20  *
21  * This software is provided 'as is' with no explicit or implied warranties
22  * in respect of its properties, including, but not limited to, correctness
23  * and/or fitness for purpose.
24  * ---------------------------------------------------------------------------
25  * Issue Date: 20/12/2007
26  */
27 
28 #pragma ident	"%Z%%M%	%I%	%E% SMI"
29 
30 #include "aes_impl.h"
31 #include "aesopt.h"
32 #include "aestab.h"
33 #include "aestab2.h"
34 
35 /*
36  *	Initialise the key schedule from the user supplied key. The key
37  *	length can be specified in bytes, with legal values of 16, 24
38  *	and 32, or in bits, with legal values of 128, 192 and 256. These
39  *	values correspond with Nk values of 4, 6 and 8 respectively.
40  *
41  *	The following macros implement a single cycle in the key
42  *	schedule generation process. The number of cycles needed
43  *	for each cx->n_col and nk value is:
44  *
45  *	nk =		4  5  6  7  8
46  *	------------------------------
47  *	cx->n_col = 4	10  9  8  7  7
48  *	cx->n_col = 5	14 11 10  9  9
49  *	cx->n_col = 6	19 15 12 11 11
50  *	cx->n_col = 7	21 19 16 13 14
51  *	cx->n_col = 8	29 23 19 17 14
52  */
53 
54 /*
55  * OpenSolaris changes
56  * 1. Added header files aes_impl.h and aestab2.h
57  * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
58  * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
59  * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
60  *	AES_128, AES_192, AES_256, AES_VAR defines
61  * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
62  * 6. Changed N_COLS to MAX_AES_NB
63  * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
64  *	OpenSolaris-compatible functions rijndael_key_setup_enc and
65  *	rijndael_key_setup_dec
66  * 8. cstyled code and removed lint warnings
67  *
68  */
69 
70 #if defined(REDUCE_CODE_SIZE)
71 #define	ls_box ls_sub
72 	uint32_t	ls_sub(const uint32_t t, const uint32_t n);
73 #define	inv_mcol im_sub
74 	uint32_t	im_sub(const uint32_t x);
75 #ifdef ENC_KS_UNROLL
76 #undef ENC_KS_UNROLL
77 #endif
78 #ifdef DEC_KS_UNROLL
79 #undef DEC_KS_UNROLL
80 #endif
81 #endif	/* REDUCE_CODE_SIZE */
82 
83 
84 #define	ke4(k, i) \
85 {	k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
86 	k[4 * (i) + 5] = ss[1] ^= ss[0]; \
87 	k[4 * (i) + 6] = ss[2] ^= ss[1]; \
88 	k[4 * (i) + 7] = ss[3] ^= ss[2]; \
89 }
90 
91 static void
92 aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
93 {
94 	uint32_t	ss[4];
95 
96 	rk[0] = ss[0] = word_in(key, 0);
97 	rk[1] = ss[1] = word_in(key, 1);
98 	rk[2] = ss[2] = word_in(key, 2);
99 	rk[3] = ss[3] = word_in(key, 3);
100 
101 #ifdef ENC_KS_UNROLL
102 	ke4(rk, 0);  ke4(rk, 1);
103 	ke4(rk, 2);  ke4(rk, 3);
104 	ke4(rk, 4);  ke4(rk, 5);
105 	ke4(rk, 6);  ke4(rk, 7);
106 	ke4(rk, 8);
107 #else
108 	{
109 		uint32_t	i;
110 		for (i = 0; i < 9; ++i)
111 			ke4(rk, i);
112 	}
113 #endif	/* ENC_KS_UNROLL */
114 	ke4(rk, 9);
115 }
116 
117 
118 #define	kef6(k, i) \
119 {	k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
120 	k[6 * (i) + 7] = ss[1] ^= ss[0]; \
121 	k[6 * (i) + 8] = ss[2] ^= ss[1]; \
122 	k[6 * (i) + 9] = ss[3] ^= ss[2]; \
123 }
124 
125 #define	ke6(k, i) \
126 {	kef6(k, i); \
127 	k[6 * (i) + 10] = ss[4] ^= ss[3]; \
128 	k[6 * (i) + 11] = ss[5] ^= ss[4]; \
129 }
130 
131 static void
132 aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
133 {
134 	uint32_t	ss[6];
135 
136 	rk[0] = ss[0] = word_in(key, 0);
137 	rk[1] = ss[1] = word_in(key, 1);
138 	rk[2] = ss[2] = word_in(key, 2);
139 	rk[3] = ss[3] = word_in(key, 3);
140 	rk[4] = ss[4] = word_in(key, 4);
141 	rk[5] = ss[5] = word_in(key, 5);
142 
143 #ifdef ENC_KS_UNROLL
144 	ke6(rk, 0);  ke6(rk, 1);
145 	ke6(rk, 2);  ke6(rk, 3);
146 	ke6(rk, 4);  ke6(rk, 5);
147 	ke6(rk, 6);
148 #else
149 	{
150 		uint32_t	i;
151 		for (i = 0; i < 7; ++i)
152 			ke6(rk, i);
153 	}
154 #endif	/* ENC_KS_UNROLL */
155 	kef6(rk, 7);
156 }
157 
158 
159 
160 #define	kef8(k, i) \
161 {	k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
162 	k[8 * (i) + 9] = ss[1] ^= ss[0]; \
163 	k[8 * (i) + 10] = ss[2] ^= ss[1]; \
164 	k[8 * (i) + 11] = ss[3] ^= ss[2]; \
165 }
166 
167 #define	ke8(k, i) \
168 {   kef8(k, i); \
169 	k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
170 	k[8 * (i) + 13] = ss[5] ^= ss[4]; \
171 	k[8 * (i) + 14] = ss[6] ^= ss[5]; \
172 	k[8 * (i) + 15] = ss[7] ^= ss[6]; \
173 }
174 
175 static void
176 aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
177 {
178 	uint32_t	ss[8];
179 
180 	rk[0] = ss[0] = word_in(key, 0);
181 	rk[1] = ss[1] = word_in(key, 1);
182 	rk[2] = ss[2] = word_in(key, 2);
183 	rk[3] = ss[3] = word_in(key, 3);
184 	rk[4] = ss[4] = word_in(key, 4);
185 	rk[5] = ss[5] = word_in(key, 5);
186 	rk[6] = ss[6] = word_in(key, 6);
187 	rk[7] = ss[7] = word_in(key, 7);
188 
189 #ifdef ENC_KS_UNROLL
190 	ke8(rk, 0); ke8(rk, 1);
191 	ke8(rk, 2); ke8(rk, 3);
192 	ke8(rk, 4); ke8(rk, 5);
193 #else
194 	{
195 		uint32_t	i;
196 		for (i = 0; i < 6; ++i)
197 			ke8(rk,  i);
198 	}
199 #endif	/* ENC_KS_UNROLL */
200 	kef8(rk, 6);
201 }
202 
203 
204 /*
205  * Expand the cipher key into the encryption key schedule.
206  *
207  * Return the number of rounds for the given cipher key size.
208  * The size of the key schedule depends on the number of rounds
209  * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
210  *
211  * Parameters:
212  * rk		AES key schedule 32-bit array to be initialized
213  * cipherKey	User key
214  * keyBits	AES key size (128, 192, or 256 bits)
215  */
216 int
217 rijndael_key_setup_enc(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
218 {
219 	switch (keyBits) {
220 	case 128:
221 		aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
222 		return (10);
223 	case 192:
224 		aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
225 		return (12);
226 	case 256:
227 		aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
228 		return (14);
229 	default: /* should never get here */
230 		break;
231 	}
232 
233 	return (0);
234 }
235 
236 
237 /* this is used to store the decryption round keys  */
238 /* in forward or reverse order */
239 
240 #ifdef AES_REV_DKS
241 #define	v(n, i)  ((n) - (i) + 2 * ((i) & 3))
242 #else
243 #define	v(n, i)  (i)
244 #endif
245 
246 #if DEC_ROUND == NO_TABLES
247 #define	ff(x)   (x)
248 #else
249 #define	ff(x)   inv_mcol(x)
250 #if defined(dec_imvars)
251 #define	d_vars  dec_imvars
252 #endif
253 #endif	/* FUNCS_IN_C & DEC_KEYING_IN_C */
254 
255 
256 #define	k4e(k, i) \
257 {	k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
258 	k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
259 	k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
260 	k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
261 }
262 
263 #if 1
264 
265 #define	kdf4(k, i) \
266 {	ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
267 	ss[1] = ss[1] ^ ss[3]; \
268 	ss[2] = ss[2] ^ ss[3]; \
269 	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
270 	ss[i % 4] ^= ss[4]; \
271 	ss[4] ^= k[v(40, (4 * (i)))];   k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
272 	ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
273 	ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
274 	ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
275 }
276 
277 #define	kd4(k, i) \
278 {	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
279 	ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
280 	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
281 	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
282 	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
283 	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
284 }
285 
286 #define	kdl4(k, i) \
287 {	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
288 	ss[i % 4] ^= ss[4]; \
289 	k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
290 	k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
291 	k[v(40, (4 * (i)) + 6)] = ss[0]; \
292 	k[v(40, (4 * (i)) + 7)] = ss[1]; \
293 }
294 
295 #else
296 
297 #define	kdf4(k, i) \
298 {	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
299 	k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
300 	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
301 	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
302 	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
303 }
304 
305 #define	kd4(k, i) \
306 {	ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
307 	ss[0] ^= ss[4]; \
308 	ss[4] = ff(ss[4]); \
309 	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
310 	ss[1] ^= ss[0]; \
311 	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
312 	ss[2] ^= ss[1]; \
313 	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
314 	ss[3] ^= ss[2]; \
315 	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
316 }
317 
318 #define	kdl4(k, i) \
319 {	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
320 	k[v(40, (4 * (i)) + 4)] = ss[0]; \
321 	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
322 	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
323 	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
324 }
325 
326 #endif
327 
328 static void
329 aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
330 {
331 	uint32_t	ss[5];
332 #if defined(d_vars)
333 	d_vars;
334 #endif
335 	rk[v(40, (0))] = ss[0] = word_in(key, 0);
336 	rk[v(40, (1))] = ss[1] = word_in(key, 1);
337 	rk[v(40, (2))] = ss[2] = word_in(key, 2);
338 	rk[v(40, (3))] = ss[3] = word_in(key, 3);
339 
340 #ifdef DEC_KS_UNROLL
341 	kdf4(rk, 0); kd4(rk, 1);
342 	kd4(rk, 2);  kd4(rk, 3);
343 	kd4(rk, 4);  kd4(rk, 5);
344 	kd4(rk, 6);  kd4(rk, 7);
345 	kd4(rk, 8);  kdl4(rk, 9);
346 #else
347 	{
348 		uint32_t	i;
349 		for (i = 0; i < 10; ++i)
350 			k4e(rk, i);
351 #if !(DEC_ROUND == NO_TABLES)
352 		for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
353 			rk[i] = inv_mcol(rk[i]);
354 #endif
355 	}
356 #endif	/* DEC_KS_UNROLL */
357 }
358 
359 
360 
361 #define	k6ef(k, i) \
362 {	k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
363 	k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
364 	k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
365 	k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
366 }
367 
368 #define	k6e(k, i) \
369 {	k6ef(k, i); \
370 	k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
371 	k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
372 }
373 
374 #define	kdf6(k, i) \
375 {	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
376 	k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
377 	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
378 	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
379 	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
380 	ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
381 	ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
382 }
383 
384 #define	kd6(k, i) \
385 {	ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
386 	ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
387 	k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
388 	ss[1] ^= ss[0]; \
389 	k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
390 	ss[2] ^= ss[1]; \
391 	k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
392 	ss[3] ^= ss[2]; \
393 	k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
394 	ss[4] ^= ss[3]; \
395 	k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
396 	ss[5] ^= ss[4]; \
397 	k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
398 }
399 
400 #define	kdl6(k, i) \
401 {	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
402 	k[v(48, (6 * (i)) + 6)] = ss[0]; \
403 	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
404 	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
405 	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
406 }
407 
408 static void
409 aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
410 {
411 	uint32_t	ss[7];
412 #if defined(d_vars)
413 	d_vars;
414 #endif
415 	rk[v(48, (0))] = ss[0] = word_in(key, 0);
416 	rk[v(48, (1))] = ss[1] = word_in(key, 1);
417 	rk[v(48, (2))] = ss[2] = word_in(key, 2);
418 	rk[v(48, (3))] = ss[3] = word_in(key, 3);
419 
420 #ifdef DEC_KS_UNROLL
421 	ss[4] = word_in(key, 4);
422 	rk[v(48, (4))] = ff(ss[4]);
423 	ss[5] = word_in(key, 5);
424 	rk[v(48, (5))] = ff(ss[5]);
425 	kdf6(rk, 0); kd6(rk, 1);
426 	kd6(rk, 2);  kd6(rk, 3);
427 	kd6(rk, 4);  kd6(rk, 5);
428 	kd6(rk, 6);  kdl6(rk, 7);
429 #else
430 	rk[v(48, (4))] = ss[4] = word_in(key, 4);
431 	rk[v(48, (5))] = ss[5] = word_in(key, 5);
432 	{
433 		uint32_t	i;
434 
435 		for (i = 0; i < 7; ++i)
436 			k6e(rk, i);
437 		k6ef(rk, 7);
438 #if !(DEC_ROUND == NO_TABLES)
439 		for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
440 			rk[i] = inv_mcol(rk[i]);
441 #endif
442 	}
443 #endif
444 }
445 
446 
447 
448 #define	k8ef(k, i) \
449 {	k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
450 	k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
451 	k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
452 	k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
453 }
454 
455 #define	k8e(k, i) \
456 {	k8ef(k, i); \
457 	k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
458 	k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
459 	k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
460 	k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
461 }
462 
463 #define	kdf8(k, i) \
464 {	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
465 	k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
466 	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
467 	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
468 	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
469 	ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
470 	ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
471 	ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
472 	ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
473 }
474 
475 #define	kd8(k, i) \
476 {	ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
477 	ss[0] ^= ss[8]; \
478 	ss[8] = ff(ss[8]); \
479 	k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
480 	ss[1] ^= ss[0]; \
481 	k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
482 	ss[2] ^= ss[1]; \
483 	k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
484 	ss[3] ^= ss[2]; \
485 	k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
486 	ss[8] = ls_box(ss[3], 0); \
487 	ss[4] ^= ss[8]; \
488 	ss[8] = ff(ss[8]); \
489 	k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
490 	ss[5] ^= ss[4]; \
491 	k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
492 	ss[6] ^= ss[5]; \
493 	k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
494 	ss[7] ^= ss[6]; \
495 	k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
496 }
497 
498 #define	kdl8(k, i) \
499 {	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
500 	k[v(56, (8 * (i)) + 8)] = ss[0]; \
501 	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
502 	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
503 	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
504 }
505 
506 static void
507 aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
508 {
509 	uint32_t	ss[9];
510 #if defined(d_vars)
511 	d_vars;
512 #endif
513 	rk[v(56, (0))] = ss[0] = word_in(key, 0);
514 	rk[v(56, (1))] = ss[1] = word_in(key, 1);
515 	rk[v(56, (2))] = ss[2] = word_in(key, 2);
516 	rk[v(56, (3))] = ss[3] = word_in(key, 3);
517 
518 #ifdef DEC_KS_UNROLL
519 	ss[4] = word_in(key, 4);
520 	rk[v(56, (4))] = ff(ss[4]);
521 	ss[5] = word_in(key, 5);
522 	rk[v(56, (5))] = ff(ss[5]);
523 	ss[6] = word_in(key, 6);
524 	rk[v(56, (6))] = ff(ss[6]);
525 	ss[7] = word_in(key, 7);
526 	rk[v(56, (7))] = ff(ss[7]);
527 	kdf8(rk, 0); kd8(rk, 1);
528 	kd8(rk, 2);  kd8(rk, 3);
529 	kd8(rk, 4);  kd8(rk, 5);
530 	kdl8(rk, 6);
531 #else
532 	rk[v(56, (4))] = ss[4] = word_in(key, 4);
533 	rk[v(56, (5))] = ss[5] = word_in(key, 5);
534 	rk[v(56, (6))] = ss[6] = word_in(key, 6);
535 	rk[v(56, (7))] = ss[7] = word_in(key, 7);
536 	{
537 		uint32_t	i;
538 
539 		for (i = 0; i < 6; ++i)
540 			k8e(rk,  i);
541 		k8ef(rk,  6);
542 #if !(DEC_ROUND == NO_TABLES)
543 		for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
544 			rk[i] = inv_mcol(rk[i]);
545 #endif
546 	}
547 #endif	/* DEC_KS_UNROLL */
548 }
549 
550 
551 /*
552  * Expand the cipher key into the decryption key schedule.
553  *
554  * Return the number of rounds for the given cipher key size.
555  * The size of the key schedule depends on the number of rounds
556  * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
557  *
558  * Parameters:
559  * rk		AES key schedule 32-bit array to be initialized
560  * cipherKey	User key
561  * keyBits	AES key size (128, 192, or 256 bits)
562  */
563 int
564 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
565 {
566 	switch (keyBits) {
567 	case 128:
568 		aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
569 		return (10);
570 	case 192:
571 		aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
572 		return (12);
573 	case 256:
574 		aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
575 		return (14);
576 	default: /* should never get here */
577 		break;
578 	}
579 
580 	return (0);
581 }
582