CoCalc -- aeskey.c

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/contrib/openzfs/module/icp/asm-x86_64/aes/aeskey.c
⁴⁸⁷⁷⁵ views
1
// SPDX-License-Identifier: Brian-Gladman-3-Clause
2
/*
3
 * ---------------------------------------------------------------------------
4
 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
5
 *
6
 * LICENSE TERMS
7
 *
8
 * The free distribution and use of this software is allowed (with or without
9
 * changes) provided that:
10
 *
11
 *  1. source code distributions include the above copyright notice, this
12
 *	 list of conditions and the following disclaimer;
13
 *
14
 *  2. binary distributions include the above copyright notice, this list
15
 *	 of conditions and the following disclaimer in their documentation;
16
 *
17
 *  3. the name of the copyright holder is not used to endorse products
18
 *	 built using this software without specific written permission.
19
 *
20
 * DISCLAIMER
21
 *
22
 * This software is provided 'as is' with no explicit or implied warranties
23
 * in respect of its properties, including, but not limited to, correctness
24
 * and/or fitness for purpose.
25
 * ---------------------------------------------------------------------------
26
 * Issue Date: 20/12/2007
27
 */
28

29
#include <aes/aes_impl.h>
30
#include "aesopt.h"
31
#include "aestab.h"
32
#include "aestab2.h"
33

34
/*
35
 *	Initialise the key schedule from the user supplied key. The key
36
 *	length can be specified in bytes, with legal values of 16, 24
37
 *	and 32, or in bits, with legal values of 128, 192 and 256. These
38
 *	values correspond with Nk values of 4, 6 and 8 respectively.
39
 *
40
 *	The following macros implement a single cycle in the key
41
 *	schedule generation process. The number of cycles needed
42
 *	for each cx->n_col and nk value is:
43
 *
44
 *	nk =		4  5  6  7  8
45
 *	------------------------------
46
 *	cx->n_col = 4	10  9  8  7  7
47
 *	cx->n_col = 5	14 11 10  9  9
48
 *	cx->n_col = 6	19 15 12 11 11
49
 *	cx->n_col = 7	21 19 16 13 14
50
 *	cx->n_col = 8	29 23 19 17 14
51
 */
52

53
/*
54
 * OpenSolaris changes
55
 * 1. Added header files aes_impl.h and aestab2.h
56
 * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
57
 * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
58
 * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
59
 *	AES_128, AES_192, AES_256, AES_VAR defines
60
 * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
61
 * 6. Changed N_COLS to MAX_AES_NB
62
 * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
63
 *	OpenSolaris-compatible functions rijndael_key_setup_enc_amd64 and
64
 *	rijndael_key_setup_dec_amd64
65
 * 8. cstyled code and removed lint warnings
66
 */
67

68
#if defined(REDUCE_CODE_SIZE)
69
#define	ls_box ls_sub
70
	uint32_t	ls_sub(const uint32_t t, const uint32_t n);
71
#define	inv_mcol im_sub
72
	uint32_t	im_sub(const uint32_t x);
73
#ifdef ENC_KS_UNROLL
74
#undef ENC_KS_UNROLL
75
#endif
76
#ifdef DEC_KS_UNROLL
77
#undef DEC_KS_UNROLL
78
#endif
79
#endif	/* REDUCE_CODE_SIZE */
80

81

82
#define	ke4(k, i) \
83
{	k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
84
	k[4 * (i) + 5] = ss[1] ^= ss[0]; \
85
	k[4 * (i) + 6] = ss[2] ^= ss[1]; \
86
	k[4 * (i) + 7] = ss[3] ^= ss[2]; \
87
}
88

89
static void
90
aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
91
{
92
	uint32_t	ss[4];
93

94
	rk[0] = ss[0] = word_in(key, 0);
95
	rk[1] = ss[1] = word_in(key, 1);
96
	rk[2] = ss[2] = word_in(key, 2);
97
	rk[3] = ss[3] = word_in(key, 3);
98

99
#ifdef ENC_KS_UNROLL
100
	ke4(rk, 0);  ke4(rk, 1);
101
	ke4(rk, 2);  ke4(rk, 3);
102
	ke4(rk, 4);  ke4(rk, 5);
103
	ke4(rk, 6);  ke4(rk, 7);
104
	ke4(rk, 8);
105
#else
106
	{
107
		uint32_t	i;
108
		for (i = 0; i < 9; ++i)
109
			ke4(rk, i);
110
	}
111
#endif	/* ENC_KS_UNROLL */
112
	ke4(rk, 9);
113
}
114

115

116
#define	kef6(k, i) \
117
{	k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
118
	k[6 * (i) + 7] = ss[1] ^= ss[0]; \
119
	k[6 * (i) + 8] = ss[2] ^= ss[1]; \
120
	k[6 * (i) + 9] = ss[3] ^= ss[2]; \
121
}
122

123
#define	ke6(k, i) \
124
{	kef6(k, i); \
125
	k[6 * (i) + 10] = ss[4] ^= ss[3]; \
126
	k[6 * (i) + 11] = ss[5] ^= ss[4]; \
127
}
128

129
static void
130
aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
131
{
132
	uint32_t	ss[6];
133

134
	rk[0] = ss[0] = word_in(key, 0);
135
	rk[1] = ss[1] = word_in(key, 1);
136
	rk[2] = ss[2] = word_in(key, 2);
137
	rk[3] = ss[3] = word_in(key, 3);
138
	rk[4] = ss[4] = word_in(key, 4);
139
	rk[5] = ss[5] = word_in(key, 5);
140

141
#ifdef ENC_KS_UNROLL
142
	ke6(rk, 0);  ke6(rk, 1);
143
	ke6(rk, 2);  ke6(rk, 3);
144
	ke6(rk, 4);  ke6(rk, 5);
145
	ke6(rk, 6);
146
#else
147
	{
148
		uint32_t	i;
149
		for (i = 0; i < 7; ++i)
150
			ke6(rk, i);
151
	}
152
#endif	/* ENC_KS_UNROLL */
153
	kef6(rk, 7);
154
}
155

156

157

158
#define	kef8(k, i) \
159
{	k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
160
	k[8 * (i) + 9] = ss[1] ^= ss[0]; \
161
	k[8 * (i) + 10] = ss[2] ^= ss[1]; \
162
	k[8 * (i) + 11] = ss[3] ^= ss[2]; \
163
}
164

165
#define	ke8(k, i) \
166
{   kef8(k, i); \
167
	k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
168
	k[8 * (i) + 13] = ss[5] ^= ss[4]; \
169
	k[8 * (i) + 14] = ss[6] ^= ss[5]; \
170
	k[8 * (i) + 15] = ss[7] ^= ss[6]; \
171
}
172

173
static void
174
aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
175
{
176
	uint32_t	ss[8];
177

178
	rk[0] = ss[0] = word_in(key, 0);
179
	rk[1] = ss[1] = word_in(key, 1);
180
	rk[2] = ss[2] = word_in(key, 2);
181
	rk[3] = ss[3] = word_in(key, 3);
182
	rk[4] = ss[4] = word_in(key, 4);
183
	rk[5] = ss[5] = word_in(key, 5);
184
	rk[6] = ss[6] = word_in(key, 6);
185
	rk[7] = ss[7] = word_in(key, 7);
186

187
#ifdef ENC_KS_UNROLL
188
	ke8(rk, 0); ke8(rk, 1);
189
	ke8(rk, 2); ke8(rk, 3);
190
	ke8(rk, 4); ke8(rk, 5);
191
#else
192
	{
193
		uint32_t	i;
194
		for (i = 0; i < 6; ++i)
195
			ke8(rk,  i);
196
	}
197
#endif	/* ENC_KS_UNROLL */
198
	kef8(rk, 6);
199
}
200

201

202
/*
203
 * Expand the cipher key into the encryption key schedule.
204
 *
205
 * Return the number of rounds for the given cipher key size.
206
 * The size of the key schedule depends on the number of rounds
207
 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
208
 *
209
 * Parameters:
210
 * rk		AES key schedule 32-bit array to be initialized
211
 * cipherKey	User key
212
 * keyBits	AES key size (128, 192, or 256 bits)
213
 */
214
int
215
rijndael_key_setup_enc_amd64(uint32_t rk[], const uint32_t cipherKey[],
216
    int keyBits)
217
{
218
	switch (keyBits) {
219
	case 128:
220
		aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
221
		return (10);
222
	case 192:
223
		aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
224
		return (12);
225
	case 256:
226
		aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
227
		return (14);
228
	default: /* should never get here */
229
		break;
230
	}
231

232
	return (0);
233
}
234

235

236
/* this is used to store the decryption round keys  */
237
/* in forward or reverse order */
238

239
#ifdef AES_REV_DKS
240
#define	v(n, i)  ((n) - (i) + 2 * ((i) & 3))
241
#else
242
#define	v(n, i)  (i)
243
#endif
244

245
#if DEC_ROUND == NO_TABLES
246
#define	ff(x)   (x)
247
#else
248
#define	ff(x)   inv_mcol(x)
249
#if defined(dec_imvars)
250
#define	d_vars  dec_imvars
251
#endif
252
#endif	/* FUNCS_IN_C & DEC_KEYING_IN_C */
253

254

255
#define	k4e(k, i) \
256
{	k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
257
	k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
258
	k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
259
	k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
260
}
261

262
#if 1
263

264
#define	kdf4(k, i) \
265
{	ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
266
	ss[1] = ss[1] ^ ss[3]; \
267
	ss[2] = ss[2] ^ ss[3]; \
268
	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
269
	ss[i % 4] ^= ss[4]; \
270
	ss[4] ^= k[v(40, (4 * (i)))];   k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
271
	ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
272
	ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
273
	ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
274
}
275

276
#define	kd4(k, i) \
277
{	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
278
	ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
279
	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
280
	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
281
	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
282
	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
283
}
284

285
#define	kdl4(k, i) \
286
{	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
287
	ss[i % 4] ^= ss[4]; \
288
	k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
289
	k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
290
	k[v(40, (4 * (i)) + 6)] = ss[0]; \
291
	k[v(40, (4 * (i)) + 7)] = ss[1]; \
292
}
293

294
#else
295

296
#define	kdf4(k, i) \
297
{	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
298
	k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
299
	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
300
	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
301
	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
302
}
303

304
#define	kd4(k, i) \
305
{	ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
306
	ss[0] ^= ss[4]; \
307
	ss[4] = ff(ss[4]); \
308
	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
309
	ss[1] ^= ss[0]; \
310
	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
311
	ss[2] ^= ss[1]; \
312
	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
313
	ss[3] ^= ss[2]; \
314
	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
315
}
316

317
#define	kdl4(k, i) \
318
{	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
319
	k[v(40, (4 * (i)) + 4)] = ss[0]; \
320
	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
321
	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
322
	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
323
}
324

325
#endif
326

327
static void
328
aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
329
{
330
	uint32_t	ss[5];
331
#if defined(d_vars)
332
	d_vars;
333
#endif
334
	rk[v(40, (0))] = ss[0] = word_in(key, 0);
335
	rk[v(40, (1))] = ss[1] = word_in(key, 1);
336
	rk[v(40, (2))] = ss[2] = word_in(key, 2);
337
	rk[v(40, (3))] = ss[3] = word_in(key, 3);
338

339
#ifdef DEC_KS_UNROLL
340
	kdf4(rk, 0); kd4(rk, 1);
341
	kd4(rk, 2);  kd4(rk, 3);
342
	kd4(rk, 4);  kd4(rk, 5);
343
	kd4(rk, 6);  kd4(rk, 7);
344
	kd4(rk, 8);  kdl4(rk, 9);
345
#else
346
	{
347
		uint32_t	i;
348
		for (i = 0; i < 10; ++i)
349
			k4e(rk, i);
350
#if !(DEC_ROUND == NO_TABLES)
351
		for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
352
			rk[i] = inv_mcol(rk[i]);
353
#endif
354
	}
355
#endif	/* DEC_KS_UNROLL */
356
}
357

358

359

360
#define	k6ef(k, i) \
361
{	k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
362
	k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
363
	k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
364
	k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
365
}
366

367
#define	k6e(k, i) \
368
{	k6ef(k, i); \
369
	k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
370
	k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
371
}
372

373
#define	kdf6(k, i) \
374
{	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
375
	k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
376
	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
377
	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
378
	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
379
	ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
380
	ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
381
}
382

383
#define	kd6(k, i) \
384
{	ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
385
	ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
386
	k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
387
	ss[1] ^= ss[0]; \
388
	k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
389
	ss[2] ^= ss[1]; \
390
	k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
391
	ss[3] ^= ss[2]; \
392
	k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
393
	ss[4] ^= ss[3]; \
394
	k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
395
	ss[5] ^= ss[4]; \
396
	k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
397
}
398

399
#define	kdl6(k, i) \
400
{	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
401
	k[v(48, (6 * (i)) + 6)] = ss[0]; \
402
	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
403
	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
404
	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
405
}
406

407
static void
408
aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
409
{
410
	uint32_t	ss[7];
411
#if defined(d_vars)
412
	d_vars;
413
#endif
414
	rk[v(48, (0))] = ss[0] = word_in(key, 0);
415
	rk[v(48, (1))] = ss[1] = word_in(key, 1);
416
	rk[v(48, (2))] = ss[2] = word_in(key, 2);
417
	rk[v(48, (3))] = ss[3] = word_in(key, 3);
418

419
#ifdef DEC_KS_UNROLL
420
	ss[4] = word_in(key, 4);
421
	rk[v(48, (4))] = ff(ss[4]);
422
	ss[5] = word_in(key, 5);
423
	rk[v(48, (5))] = ff(ss[5]);
424
	kdf6(rk, 0); kd6(rk, 1);
425
	kd6(rk, 2);  kd6(rk, 3);
426
	kd6(rk, 4);  kd6(rk, 5);
427
	kd6(rk, 6);  kdl6(rk, 7);
428
#else
429
	rk[v(48, (4))] = ss[4] = word_in(key, 4);
430
	rk[v(48, (5))] = ss[5] = word_in(key, 5);
431
	{
432
		uint32_t	i;
433

434
		for (i = 0; i < 7; ++i)
435
			k6e(rk, i);
436
		k6ef(rk, 7);
437
#if !(DEC_ROUND == NO_TABLES)
438
		for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
439
			rk[i] = inv_mcol(rk[i]);
440
#endif
441
	}
442
#endif
443
}
444

445

446

447
#define	k8ef(k, i) \
448
{	k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
449
	k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
450
	k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
451
	k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
452
}
453

454
#define	k8e(k, i) \
455
{	k8ef(k, i); \
456
	k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
457
	k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
458
	k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
459
	k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
460
}
461

462
#define	kdf8(k, i) \
463
{	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
464
	k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
465
	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
466
	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
467
	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
468
	ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
469
	ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
470
	ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
471
	ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
472
}
473

474
#define	kd8(k, i) \
475
{	ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
476
	ss[0] ^= ss[8]; \
477
	ss[8] = ff(ss[8]); \
478
	k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
479
	ss[1] ^= ss[0]; \
480
	k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
481
	ss[2] ^= ss[1]; \
482
	k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
483
	ss[3] ^= ss[2]; \
484
	k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
485
	ss[8] = ls_box(ss[3], 0); \
486
	ss[4] ^= ss[8]; \
487
	ss[8] = ff(ss[8]); \
488
	k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
489
	ss[5] ^= ss[4]; \
490
	k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
491
	ss[6] ^= ss[5]; \
492
	k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
493
	ss[7] ^= ss[6]; \
494
	k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
495
}
496

497
#define	kdl8(k, i) \
498
{	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
499
	k[v(56, (8 * (i)) + 8)] = ss[0]; \
500
	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
501
	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
502
	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
503
}
504

505
static void
506
aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
507
{
508
	uint32_t	ss[9];
509
#if defined(d_vars)
510
	d_vars;
511
#endif
512
	rk[v(56, (0))] = ss[0] = word_in(key, 0);
513
	rk[v(56, (1))] = ss[1] = word_in(key, 1);
514
	rk[v(56, (2))] = ss[2] = word_in(key, 2);
515
	rk[v(56, (3))] = ss[3] = word_in(key, 3);
516

517
#ifdef DEC_KS_UNROLL
518
	ss[4] = word_in(key, 4);
519
	rk[v(56, (4))] = ff(ss[4]);
520
	ss[5] = word_in(key, 5);
521
	rk[v(56, (5))] = ff(ss[5]);
522
	ss[6] = word_in(key, 6);
523
	rk[v(56, (6))] = ff(ss[6]);
524
	ss[7] = word_in(key, 7);
525
	rk[v(56, (7))] = ff(ss[7]);
526
	kdf8(rk, 0); kd8(rk, 1);
527
	kd8(rk, 2);  kd8(rk, 3);
528
	kd8(rk, 4);  kd8(rk, 5);
529
	kdl8(rk, 6);
530
#else
531
	rk[v(56, (4))] = ss[4] = word_in(key, 4);
532
	rk[v(56, (5))] = ss[5] = word_in(key, 5);
533
	rk[v(56, (6))] = ss[6] = word_in(key, 6);
534
	rk[v(56, (7))] = ss[7] = word_in(key, 7);
535
	{
536
		uint32_t	i;
537

538
		for (i = 0; i < 6; ++i)
539
			k8e(rk,  i);
540
		k8ef(rk,  6);
541
#if !(DEC_ROUND == NO_TABLES)
542
		for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
543
			rk[i] = inv_mcol(rk[i]);
544
#endif
545
	}
546
#endif	/* DEC_KS_UNROLL */
547
}
548

549

550
/*
551
 * Expand the cipher key into the decryption key schedule.
552
 *
553
 * Return the number of rounds for the given cipher key size.
554
 * The size of the key schedule depends on the number of rounds
555
 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
556
 *
557
 * Parameters:
558
 * rk		AES key schedule 32-bit array to be initialized
559
 * cipherKey	User key
560
 * keyBits	AES key size (128, 192, or 256 bits)
561
 */
562
int
563
rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[],
564
    int keyBits)
565
{
566
	switch (keyBits) {
567
	case 128:
568
		aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
569
		return (10);
570
	case 192:
571
		aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
572
		return (12);
573
	case 256:
574
		aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
575
		return (14);
576
	default: /* should never get here */
577
		break;
578
	}
579

580
	return (0);
581
}
582

583
Product

Resources

Company
