1 /* 2 * --------------------------------------------------------------------------- 3 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved. 4 * 5 * LICENSE TERMS 6 * 7 * The free distribution and use of this software is allowed (with or without 8 * changes) provided that: 9 * 10 * 1. source code distributions include the above copyright notice, this 11 * list of conditions and the following disclaimer; 12 * 13 * 2. binary distributions include the above copyright notice, this list 14 * of conditions and the following disclaimer in their documentation; 15 * 16 * 3. the name of the copyright holder is not used to endorse products 17 * built using this software without specific written permission. 18 * 19 * DISCLAIMER 20 * 21 * This software is provided 'as is' with no explicit or implied warranties 22 * in respect of its properties, including, but not limited to, correctness 23 * and/or fitness for purpose. 24 * --------------------------------------------------------------------------- 25 * Issue Date: 20/12/2007 26 */ 27 28 #pragma ident "%Z%%M% %I% %E% SMI" 29 30 #include "aes_impl.h" 31 #include "aesopt.h" 32 #include "aestab.h" 33 #include "aestab2.h" 34 35 /* 36 * Initialise the key schedule from the user supplied key. The key 37 * length can be specified in bytes, with legal values of 16, 24 38 * and 32, or in bits, with legal values of 128, 192 and 256. These 39 * values correspond with Nk values of 4, 6 and 8 respectively. 40 * 41 * The following macros implement a single cycle in the key 42 * schedule generation process. The number of cycles needed 43 * for each cx->n_col and nk value is: 44 * 45 * nk = 4 5 6 7 8 46 * ------------------------------ 47 * cx->n_col = 4 10 9 8 7 7 48 * cx->n_col = 5 14 11 10 9 9 49 * cx->n_col = 6 19 15 12 11 11 50 * cx->n_col = 7 21 19 16 13 14 51 * cx->n_col = 8 29 23 19 17 14 52 */ 53 54 /* 55 * OpenSolaris changes 56 * 1. Added header files aes_impl.h and aestab2.h 57 * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t 58 * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined) 59 * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C, 60 * AES_128, AES_192, AES_256, AES_VAR defines 61 * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void" 62 * 6. Changed N_COLS to MAX_AES_NB 63 * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with 64 * OpenSolaris-compatible functions rijndael_key_setup_enc and 65 * rijndael_key_setup_dec 66 * 8. cstyled code and removed lint warnings 67 * 68 */ 69 70 #if defined(REDUCE_CODE_SIZE) 71 #define ls_box ls_sub 72 uint32_t ls_sub(const uint32_t t, const uint32_t n); 73 #define inv_mcol im_sub 74 uint32_t im_sub(const uint32_t x); 75 #ifdef ENC_KS_UNROLL 76 #undef ENC_KS_UNROLL 77 #endif 78 #ifdef DEC_KS_UNROLL 79 #undef DEC_KS_UNROLL 80 #endif 81 #endif /* REDUCE_CODE_SIZE */ 82 83 84 #define ke4(k, i) \ 85 { k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \ 86 k[4 * (i) + 5] = ss[1] ^= ss[0]; \ 87 k[4 * (i) + 6] = ss[2] ^= ss[1]; \ 88 k[4 * (i) + 7] = ss[3] ^= ss[2]; \ 89 } 90 91 static void 92 aes_encrypt_key128(const unsigned char *key, uint32_t rk[]) 93 { 94 uint32_t ss[4]; 95 96 rk[0] = ss[0] = word_in(key, 0); 97 rk[1] = ss[1] = word_in(key, 1); 98 rk[2] = ss[2] = word_in(key, 2); 99 rk[3] = ss[3] = word_in(key, 3); 100 101 #ifdef ENC_KS_UNROLL 102 ke4(rk, 0); ke4(rk, 1); 103 ke4(rk, 2); ke4(rk, 3); 104 ke4(rk, 4); ke4(rk, 5); 105 ke4(rk, 6); ke4(rk, 7); 106 ke4(rk, 8); 107 #else 108 { 109 uint32_t i; 110 for (i = 0; i < 9; ++i) 111 ke4(rk, i); 112 } 113 #endif /* ENC_KS_UNROLL */ 114 ke4(rk, 9); 115 } 116 117 118 #define kef6(k, i) \ 119 { k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \ 120 k[6 * (i) + 7] = ss[1] ^= ss[0]; \ 121 k[6 * (i) + 8] = ss[2] ^= ss[1]; \ 122 k[6 * (i) + 9] = ss[3] ^= ss[2]; \ 123 } 124 125 #define ke6(k, i) \ 126 { kef6(k, i); \ 127 k[6 * (i) + 10] = ss[4] ^= ss[3]; \ 128 k[6 * (i) + 11] = ss[5] ^= ss[4]; \ 129 } 130 131 static void 132 aes_encrypt_key192(const unsigned char *key, uint32_t rk[]) 133 { 134 uint32_t ss[6]; 135 136 rk[0] = ss[0] = word_in(key, 0); 137 rk[1] = ss[1] = word_in(key, 1); 138 rk[2] = ss[2] = word_in(key, 2); 139 rk[3] = ss[3] = word_in(key, 3); 140 rk[4] = ss[4] = word_in(key, 4); 141 rk[5] = ss[5] = word_in(key, 5); 142 143 #ifdef ENC_KS_UNROLL 144 ke6(rk, 0); ke6(rk, 1); 145 ke6(rk, 2); ke6(rk, 3); 146 ke6(rk, 4); ke6(rk, 5); 147 ke6(rk, 6); 148 #else 149 { 150 uint32_t i; 151 for (i = 0; i < 7; ++i) 152 ke6(rk, i); 153 } 154 #endif /* ENC_KS_UNROLL */ 155 kef6(rk, 7); 156 } 157 158 159 160 #define kef8(k, i) \ 161 { k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \ 162 k[8 * (i) + 9] = ss[1] ^= ss[0]; \ 163 k[8 * (i) + 10] = ss[2] ^= ss[1]; \ 164 k[8 * (i) + 11] = ss[3] ^= ss[2]; \ 165 } 166 167 #define ke8(k, i) \ 168 { kef8(k, i); \ 169 k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \ 170 k[8 * (i) + 13] = ss[5] ^= ss[4]; \ 171 k[8 * (i) + 14] = ss[6] ^= ss[5]; \ 172 k[8 * (i) + 15] = ss[7] ^= ss[6]; \ 173 } 174 175 static void 176 aes_encrypt_key256(const unsigned char *key, uint32_t rk[]) 177 { 178 uint32_t ss[8]; 179 180 rk[0] = ss[0] = word_in(key, 0); 181 rk[1] = ss[1] = word_in(key, 1); 182 rk[2] = ss[2] = word_in(key, 2); 183 rk[3] = ss[3] = word_in(key, 3); 184 rk[4] = ss[4] = word_in(key, 4); 185 rk[5] = ss[5] = word_in(key, 5); 186 rk[6] = ss[6] = word_in(key, 6); 187 rk[7] = ss[7] = word_in(key, 7); 188 189 #ifdef ENC_KS_UNROLL 190 ke8(rk, 0); ke8(rk, 1); 191 ke8(rk, 2); ke8(rk, 3); 192 ke8(rk, 4); ke8(rk, 5); 193 #else 194 { 195 uint32_t i; 196 for (i = 0; i < 6; ++i) 197 ke8(rk, i); 198 } 199 #endif /* ENC_KS_UNROLL */ 200 kef8(rk, 6); 201 } 202 203 204 /* 205 * Expand the cipher key into the encryption key schedule. 206 * 207 * Return the number of rounds for the given cipher key size. 208 * The size of the key schedule depends on the number of rounds 209 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1). 210 * 211 * Parameters: 212 * rk AES key schedule 32-bit array to be initialized 213 * cipherKey User key 214 * keyBits AES key size (128, 192, or 256 bits) 215 */ 216 int 217 rijndael_key_setup_enc(uint32_t rk[], const uint32_t cipherKey[], int keyBits) 218 { 219 switch (keyBits) { 220 case 128: 221 aes_encrypt_key128((unsigned char *)&cipherKey[0], rk); 222 return (10); 223 case 192: 224 aes_encrypt_key192((unsigned char *)&cipherKey[0], rk); 225 return (12); 226 case 256: 227 aes_encrypt_key256((unsigned char *)&cipherKey[0], rk); 228 return (14); 229 default: /* should never get here */ 230 break; 231 } 232 233 return (0); 234 } 235 236 237 /* this is used to store the decryption round keys */ 238 /* in forward or reverse order */ 239 240 #ifdef AES_REV_DKS 241 #define v(n, i) ((n) - (i) + 2 * ((i) & 3)) 242 #else 243 #define v(n, i) (i) 244 #endif 245 246 #if DEC_ROUND == NO_TABLES 247 #define ff(x) (x) 248 #else 249 #define ff(x) inv_mcol(x) 250 #if defined(dec_imvars) 251 #define d_vars dec_imvars 252 #endif 253 #endif /* FUNCS_IN_C & DEC_KEYING_IN_C */ 254 255 256 #define k4e(k, i) \ 257 { k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \ 258 k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \ 259 k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \ 260 k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \ 261 } 262 263 #if 1 264 265 #define kdf4(k, i) \ 266 { ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \ 267 ss[1] = ss[1] ^ ss[3]; \ 268 ss[2] = ss[2] ^ ss[3]; \ 269 ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \ 270 ss[i % 4] ^= ss[4]; \ 271 ss[4] ^= k[v(40, (4 * (i)))]; k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \ 272 ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \ 273 ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \ 274 ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \ 275 } 276 277 #define kd4(k, i) \ 278 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \ 279 ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \ 280 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \ 281 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \ 282 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \ 283 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \ 284 } 285 286 #define kdl4(k, i) \ 287 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \ 288 ss[i % 4] ^= ss[4]; \ 289 k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \ 290 k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \ 291 k[v(40, (4 * (i)) + 6)] = ss[0]; \ 292 k[v(40, (4 * (i)) + 7)] = ss[1]; \ 293 } 294 295 #else 296 297 #define kdf4(k, i) \ 298 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \ 299 k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \ 300 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \ 301 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \ 302 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \ 303 } 304 305 #define kd4(k, i) \ 306 { ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \ 307 ss[0] ^= ss[4]; \ 308 ss[4] = ff(ss[4]); \ 309 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \ 310 ss[1] ^= ss[0]; \ 311 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \ 312 ss[2] ^= ss[1]; \ 313 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \ 314 ss[3] ^= ss[2]; \ 315 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \ 316 } 317 318 #define kdl4(k, i) \ 319 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \ 320 k[v(40, (4 * (i)) + 4)] = ss[0]; \ 321 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \ 322 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \ 323 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \ 324 } 325 326 #endif 327 328 static void 329 aes_decrypt_key128(const unsigned char *key, uint32_t rk[]) 330 { 331 uint32_t ss[5]; 332 #if defined(d_vars) 333 d_vars; 334 #endif 335 rk[v(40, (0))] = ss[0] = word_in(key, 0); 336 rk[v(40, (1))] = ss[1] = word_in(key, 1); 337 rk[v(40, (2))] = ss[2] = word_in(key, 2); 338 rk[v(40, (3))] = ss[3] = word_in(key, 3); 339 340 #ifdef DEC_KS_UNROLL 341 kdf4(rk, 0); kd4(rk, 1); 342 kd4(rk, 2); kd4(rk, 3); 343 kd4(rk, 4); kd4(rk, 5); 344 kd4(rk, 6); kd4(rk, 7); 345 kd4(rk, 8); kdl4(rk, 9); 346 #else 347 { 348 uint32_t i; 349 for (i = 0; i < 10; ++i) 350 k4e(rk, i); 351 #if !(DEC_ROUND == NO_TABLES) 352 for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i) 353 rk[i] = inv_mcol(rk[i]); 354 #endif 355 } 356 #endif /* DEC_KS_UNROLL */ 357 } 358 359 360 361 #define k6ef(k, i) \ 362 { k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \ 363 k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \ 364 k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \ 365 k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \ 366 } 367 368 #define k6e(k, i) \ 369 { k6ef(k, i); \ 370 k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \ 371 k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \ 372 } 373 374 #define kdf6(k, i) \ 375 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \ 376 k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \ 377 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \ 378 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \ 379 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \ 380 ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \ 381 ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \ 382 } 383 384 #define kd6(k, i) \ 385 { ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \ 386 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \ 387 k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \ 388 ss[1] ^= ss[0]; \ 389 k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \ 390 ss[2] ^= ss[1]; \ 391 k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \ 392 ss[3] ^= ss[2]; \ 393 k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \ 394 ss[4] ^= ss[3]; \ 395 k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \ 396 ss[5] ^= ss[4]; \ 397 k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \ 398 } 399 400 #define kdl6(k, i) \ 401 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \ 402 k[v(48, (6 * (i)) + 6)] = ss[0]; \ 403 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \ 404 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \ 405 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \ 406 } 407 408 static void 409 aes_decrypt_key192(const unsigned char *key, uint32_t rk[]) 410 { 411 uint32_t ss[7]; 412 #if defined(d_vars) 413 d_vars; 414 #endif 415 rk[v(48, (0))] = ss[0] = word_in(key, 0); 416 rk[v(48, (1))] = ss[1] = word_in(key, 1); 417 rk[v(48, (2))] = ss[2] = word_in(key, 2); 418 rk[v(48, (3))] = ss[3] = word_in(key, 3); 419 420 #ifdef DEC_KS_UNROLL 421 ss[4] = word_in(key, 4); 422 rk[v(48, (4))] = ff(ss[4]); 423 ss[5] = word_in(key, 5); 424 rk[v(48, (5))] = ff(ss[5]); 425 kdf6(rk, 0); kd6(rk, 1); 426 kd6(rk, 2); kd6(rk, 3); 427 kd6(rk, 4); kd6(rk, 5); 428 kd6(rk, 6); kdl6(rk, 7); 429 #else 430 rk[v(48, (4))] = ss[4] = word_in(key, 4); 431 rk[v(48, (5))] = ss[5] = word_in(key, 5); 432 { 433 uint32_t i; 434 435 for (i = 0; i < 7; ++i) 436 k6e(rk, i); 437 k6ef(rk, 7); 438 #if !(DEC_ROUND == NO_TABLES) 439 for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i) 440 rk[i] = inv_mcol(rk[i]); 441 #endif 442 } 443 #endif 444 } 445 446 447 448 #define k8ef(k, i) \ 449 { k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \ 450 k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \ 451 k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \ 452 k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \ 453 } 454 455 #define k8e(k, i) \ 456 { k8ef(k, i); \ 457 k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \ 458 k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \ 459 k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \ 460 k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \ 461 } 462 463 #define kdf8(k, i) \ 464 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \ 465 k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \ 466 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \ 467 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \ 468 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \ 469 ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \ 470 ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \ 471 ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \ 472 ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \ 473 } 474 475 #define kd8(k, i) \ 476 { ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \ 477 ss[0] ^= ss[8]; \ 478 ss[8] = ff(ss[8]); \ 479 k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \ 480 ss[1] ^= ss[0]; \ 481 k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \ 482 ss[2] ^= ss[1]; \ 483 k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \ 484 ss[3] ^= ss[2]; \ 485 k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \ 486 ss[8] = ls_box(ss[3], 0); \ 487 ss[4] ^= ss[8]; \ 488 ss[8] = ff(ss[8]); \ 489 k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \ 490 ss[5] ^= ss[4]; \ 491 k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \ 492 ss[6] ^= ss[5]; \ 493 k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \ 494 ss[7] ^= ss[6]; \ 495 k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \ 496 } 497 498 #define kdl8(k, i) \ 499 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \ 500 k[v(56, (8 * (i)) + 8)] = ss[0]; \ 501 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \ 502 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \ 503 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \ 504 } 505 506 static void 507 aes_decrypt_key256(const unsigned char *key, uint32_t rk[]) 508 { 509 uint32_t ss[9]; 510 #if defined(d_vars) 511 d_vars; 512 #endif 513 rk[v(56, (0))] = ss[0] = word_in(key, 0); 514 rk[v(56, (1))] = ss[1] = word_in(key, 1); 515 rk[v(56, (2))] = ss[2] = word_in(key, 2); 516 rk[v(56, (3))] = ss[3] = word_in(key, 3); 517 518 #ifdef DEC_KS_UNROLL 519 ss[4] = word_in(key, 4); 520 rk[v(56, (4))] = ff(ss[4]); 521 ss[5] = word_in(key, 5); 522 rk[v(56, (5))] = ff(ss[5]); 523 ss[6] = word_in(key, 6); 524 rk[v(56, (6))] = ff(ss[6]); 525 ss[7] = word_in(key, 7); 526 rk[v(56, (7))] = ff(ss[7]); 527 kdf8(rk, 0); kd8(rk, 1); 528 kd8(rk, 2); kd8(rk, 3); 529 kd8(rk, 4); kd8(rk, 5); 530 kdl8(rk, 6); 531 #else 532 rk[v(56, (4))] = ss[4] = word_in(key, 4); 533 rk[v(56, (5))] = ss[5] = word_in(key, 5); 534 rk[v(56, (6))] = ss[6] = word_in(key, 6); 535 rk[v(56, (7))] = ss[7] = word_in(key, 7); 536 { 537 uint32_t i; 538 539 for (i = 0; i < 6; ++i) 540 k8e(rk, i); 541 k8ef(rk, 6); 542 #if !(DEC_ROUND == NO_TABLES) 543 for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i) 544 rk[i] = inv_mcol(rk[i]); 545 #endif 546 } 547 #endif /* DEC_KS_UNROLL */ 548 } 549 550 551 /* 552 * Expand the cipher key into the decryption key schedule. 553 * 554 * Return the number of rounds for the given cipher key size. 555 * The size of the key schedule depends on the number of rounds 556 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1). 557 * 558 * Parameters: 559 * rk AES key schedule 32-bit array to be initialized 560 * cipherKey User key 561 * keyBits AES key size (128, 192, or 256 bits) 562 */ 563 int 564 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits) 565 { 566 switch (keyBits) { 567 case 128: 568 aes_decrypt_key128((unsigned char *)&cipherKey[0], rk); 569 return (10); 570 case 192: 571 aes_decrypt_key192((unsigned char *)&cipherKey[0], rk); 572 return (12); 573 case 256: 574 aes_decrypt_key256((unsigned char *)&cipherKey[0], rk); 575 return (14); 576 default: /* should never get here */ 577 break; 578 } 579 580 return (0); 581 } 582