[mirror_ubuntu-bionic-kernel.git] / zfs / module / icp / asm-x86_64 / aes / aeskey.c

/*
 * ---------------------------------------------------------------------------
 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
 *
 * LICENSE TERMS
 *
 * The free distribution and use of this software is allowed (with or without
 * changes) provided that:
 *
 *  1. source code distributions include the above copyright notice, this
 *	 list of conditions and the following disclaimer;
 *
 *  2. binary distributions include the above copyright notice, this list
 *	 of conditions and the following disclaimer in their documentation;
 *
 *  3. the name of the copyright holder is not used to endorse products
 *	 built using this software without specific written permission.
 *
 * DISCLAIMER
 *
 * This software is provided 'as is' with no explicit or implied warranties
 * in respect of its properties, including, but not limited to, correctness
 * and/or fitness for purpose.
 * ---------------------------------------------------------------------------
 * Issue Date: 20/12/2007
 */

#include <aes/aes_impl.h>
#include "aesopt.h"
#include "aestab.h"
#include "aestab2.h"

/*
 *	Initialise the key schedule from the user supplied key. The key
 *	length can be specified in bytes, with legal values of 16, 24
 *	and 32, or in bits, with legal values of 128, 192 and 256. These
 *	values correspond with Nk values of 4, 6 and 8 respectively.
 *
 *	The following macros implement a single cycle in the key
 *	schedule generation process. The number of cycles needed
 *	for each cx->n_col and nk value is:
 *
 *	nk =		4  5  6  7  8
 *	------------------------------
 *	cx->n_col = 4	10  9  8  7  7
 *	cx->n_col = 5	14 11 10  9  9
 *	cx->n_col = 6	19 15 12 11 11
 *	cx->n_col = 7	21 19 16 13 14
 *	cx->n_col = 8	29 23 19 17 14
 */

/*
 * OpenSolaris changes
 * 1. Added header files aes_impl.h and aestab2.h
 * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
 * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
 * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
 *	AES_128, AES_192, AES_256, AES_VAR defines
 * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
 * 6. Changed N_COLS to MAX_AES_NB
 * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
 *	OpenSolaris-compatible functions rijndael_key_setup_enc_amd64 and
 *	rijndael_key_setup_dec_amd64
 * 8. cstyled code and removed lint warnings
 */

#if defined(REDUCE_CODE_SIZE)
#define	ls_box ls_sub
	uint32_t	ls_sub(const uint32_t t, const uint32_t n);
#define	inv_mcol im_sub
	uint32_t	im_sub(const uint32_t x);
#ifdef ENC_KS_UNROLL
#undef ENC_KS_UNROLL
#endif
#ifdef DEC_KS_UNROLL
#undef DEC_KS_UNROLL
#endif
#endif	/* REDUCE_CODE_SIZE */


#define	ke4(k, i) \
{	k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
	k[4 * (i) + 5] = ss[1] ^= ss[0]; \
	k[4 * (i) + 6] = ss[2] ^= ss[1]; \
	k[4 * (i) + 7] = ss[3] ^= ss[2]; \
}

static void
aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[4];

	rk[0] = ss[0] = word_in(key, 0);
	rk[1] = ss[1] = word_in(key, 1);
	rk[2] = ss[2] = word_in(key, 2);
	rk[3] = ss[3] = word_in(key, 3);

#ifdef ENC_KS_UNROLL
	ke4(rk, 0);  ke4(rk, 1);
	ke4(rk, 2);  ke4(rk, 3);
	ke4(rk, 4);  ke4(rk, 5);
	ke4(rk, 6);  ke4(rk, 7);
	ke4(rk, 8);
#else
	{
		uint32_t	i;
		for (i = 0; i < 9; ++i)
			ke4(rk, i);
	}
#endif	/* ENC_KS_UNROLL */
	ke4(rk, 9);
}


#define	kef6(k, i) \
{	k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
	k[6 * (i) + 7] = ss[1] ^= ss[0]; \
	k[6 * (i) + 8] = ss[2] ^= ss[1]; \
	k[6 * (i) + 9] = ss[3] ^= ss[2]; \
}

#define	ke6(k, i) \
{	kef6(k, i); \
	k[6 * (i) + 10] = ss[4] ^= ss[3]; \
	k[6 * (i) + 11] = ss[5] ^= ss[4]; \
}

static void
aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[6];

	rk[0] = ss[0] = word_in(key, 0);
	rk[1] = ss[1] = word_in(key, 1);
	rk[2] = ss[2] = word_in(key, 2);
	rk[3] = ss[3] = word_in(key, 3);
	rk[4] = ss[4] = word_in(key, 4);
	rk[5] = ss[5] = word_in(key, 5);

#ifdef ENC_KS_UNROLL
	ke6(rk, 0);  ke6(rk, 1);
	ke6(rk, 2);  ke6(rk, 3);
	ke6(rk, 4);  ke6(rk, 5);
	ke6(rk, 6);
#else
	{
		uint32_t	i;
		for (i = 0; i < 7; ++i)
			ke6(rk, i);
	}
#endif	/* ENC_KS_UNROLL */
	kef6(rk, 7);
}


#define	kef8(k, i) \
{	k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
	k[8 * (i) + 9] = ss[1] ^= ss[0]; \
	k[8 * (i) + 10] = ss[2] ^= ss[1]; \
	k[8 * (i) + 11] = ss[3] ^= ss[2]; \
}

#define	ke8(k, i) \
{   kef8(k, i); \
	k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
	k[8 * (i) + 13] = ss[5] ^= ss[4]; \
	k[8 * (i) + 14] = ss[6] ^= ss[5]; \
	k[8 * (i) + 15] = ss[7] ^= ss[6]; \
}

static void
aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[8];

	rk[0] = ss[0] = word_in(key, 0);
	rk[1] = ss[1] = word_in(key, 1);
	rk[2] = ss[2] = word_in(key, 2);
	rk[3] = ss[3] = word_in(key, 3);
	rk[4] = ss[4] = word_in(key, 4);
	rk[5] = ss[5] = word_in(key, 5);
	rk[6] = ss[6] = word_in(key, 6);
	rk[7] = ss[7] = word_in(key, 7);

#ifdef ENC_KS_UNROLL
	ke8(rk, 0); ke8(rk, 1);
	ke8(rk, 2); ke8(rk, 3);
	ke8(rk, 4); ke8(rk, 5);
#else
	{
		uint32_t	i;
		for (i = 0; i < 6; ++i)
			ke8(rk,  i);
	}
#endif	/* ENC_KS_UNROLL */
	kef8(rk, 6);
}


/*
 * Expand the cipher key into the encryption key schedule.
 *
 * Return the number of rounds for the given cipher key size.
 * The size of the key schedule depends on the number of rounds
 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
 *
 * Parameters:
 * rk		AES key schedule 32-bit array to be initialized
 * cipherKey	User key
 * keyBits	AES key size (128, 192, or 256 bits)
 */
int
rijndael_key_setup_enc_amd64(uint32_t rk[], const uint32_t cipherKey[],
    int keyBits)
{
	switch (keyBits) {
	case 128:
		aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
		return (10);
	case 192:
		aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
		return (12);
	case 256:
		aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
		return (14);
	default: /* should never get here */
		break;
	}

	return (0);
}


/* this is used to store the decryption round keys  */
/* in forward or reverse order */

#ifdef AES_REV_DKS
#define	v(n, i)  ((n) - (i) + 2 * ((i) & 3))
#else
#define	v(n, i)  (i)
#endif

#if DEC_ROUND == NO_TABLES
#define	ff(x)   (x)
#else
#define	ff(x)   inv_mcol(x)
#if defined(dec_imvars)
#define	d_vars  dec_imvars
#endif
#endif	/* FUNCS_IN_C & DEC_KEYING_IN_C */


#define	k4e(k, i) \
{	k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
	k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
	k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
	k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
}

#if 1

#define	kdf4(k, i) \
{	ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
	ss[1] = ss[1] ^ ss[3]; \
	ss[2] = ss[2] ^ ss[3]; \
	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
	ss[i % 4] ^= ss[4]; \
	ss[4] ^= k[v(40, (4 * (i)))];   k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
	ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
	ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
	ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
}

#define	kd4(k, i) \
{	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
	ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
}

#define	kdl4(k, i) \
{	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
	ss[i % 4] ^= ss[4]; \
	k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
	k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
	k[v(40, (4 * (i)) + 6)] = ss[0]; \
	k[v(40, (4 * (i)) + 7)] = ss[1]; \
}

#else

#define	kdf4(k, i) \
{	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
	k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
}

#define	kd4(k, i) \
{	ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
	ss[0] ^= ss[4]; \
	ss[4] = ff(ss[4]); \
	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
	ss[1] ^= ss[0]; \
	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
	ss[2] ^= ss[1]; \
	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
	ss[3] ^= ss[2]; \
	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
}

#define	kdl4(k, i) \
{	ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
	k[v(40, (4 * (i)) + 4)] = ss[0]; \
	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
}

#endif

static void
aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[5];
#if defined(d_vars)
	d_vars;
#endif
	rk[v(40, (0))] = ss[0] = word_in(key, 0);
	rk[v(40, (1))] = ss[1] = word_in(key, 1);
	rk[v(40, (2))] = ss[2] = word_in(key, 2);
	rk[v(40, (3))] = ss[3] = word_in(key, 3);

#ifdef DEC_KS_UNROLL
	kdf4(rk, 0); kd4(rk, 1);
	kd4(rk, 2);  kd4(rk, 3);
	kd4(rk, 4);  kd4(rk, 5);
	kd4(rk, 6);  kd4(rk, 7);
	kd4(rk, 8);  kdl4(rk, 9);
#else
	{
		uint32_t	i;
		for (i = 0; i < 10; ++i)
			k4e(rk, i);
#if !(DEC_ROUND == NO_TABLES)
		for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
			rk[i] = inv_mcol(rk[i]);
#endif
	}
#endif	/* DEC_KS_UNROLL */
}


#define	k6ef(k, i) \
{	k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
	k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
	k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
	k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
}

#define	k6e(k, i) \
{	k6ef(k, i); \
	k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
	k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
}

#define	kdf6(k, i) \
{	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
	k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
	ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
	ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
}

#define	kd6(k, i) \
{	ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
	ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
	k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
	ss[1] ^= ss[0]; \
	k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
	ss[2] ^= ss[1]; \
	k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
	ss[3] ^= ss[2]; \
	k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
	ss[4] ^= ss[3]; \
	k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
	ss[5] ^= ss[4]; \
	k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
}

#define	kdl6(k, i) \
{	ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
	k[v(48, (6 * (i)) + 6)] = ss[0]; \
	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
}

static void
aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[7];
#if defined(d_vars)
	d_vars;
#endif
	rk[v(48, (0))] = ss[0] = word_in(key, 0);
	rk[v(48, (1))] = ss[1] = word_in(key, 1);
	rk[v(48, (2))] = ss[2] = word_in(key, 2);
	rk[v(48, (3))] = ss[3] = word_in(key, 3);

#ifdef DEC_KS_UNROLL
	ss[4] = word_in(key, 4);
	rk[v(48, (4))] = ff(ss[4]);
	ss[5] = word_in(key, 5);
	rk[v(48, (5))] = ff(ss[5]);
	kdf6(rk, 0); kd6(rk, 1);
	kd6(rk, 2);  kd6(rk, 3);
	kd6(rk, 4);  kd6(rk, 5);
	kd6(rk, 6);  kdl6(rk, 7);
#else
	rk[v(48, (4))] = ss[4] = word_in(key, 4);
	rk[v(48, (5))] = ss[5] = word_in(key, 5);
	{
		uint32_t	i;

		for (i = 0; i < 7; ++i)
			k6e(rk, i);
		k6ef(rk, 7);
#if !(DEC_ROUND == NO_TABLES)
		for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
			rk[i] = inv_mcol(rk[i]);
#endif
	}
#endif
}


#define	k8ef(k, i) \
{	k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
	k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
	k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
	k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
}

#define	k8e(k, i) \
{	k8ef(k, i); \
	k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
	k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
	k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
	k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
}

#define	kdf8(k, i) \
{	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
	k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
	ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
	ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
	ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
	ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
}

#define	kd8(k, i) \
{	ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
	ss[0] ^= ss[8]; \
	ss[8] = ff(ss[8]); \
	k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
	ss[1] ^= ss[0]; \
	k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
	ss[2] ^= ss[1]; \
	k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
	ss[3] ^= ss[2]; \
	k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
	ss[8] = ls_box(ss[3], 0); \
	ss[4] ^= ss[8]; \
	ss[8] = ff(ss[8]); \
	k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
	ss[5] ^= ss[4]; \
	k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
	ss[6] ^= ss[5]; \
	k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
	ss[7] ^= ss[6]; \
	k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
}

#define	kdl8(k, i) \
{	ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
	k[v(56, (8 * (i)) + 8)] = ss[0]; \
	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
}

static void
aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
{
	uint32_t	ss[9];
#if defined(d_vars)
	d_vars;
#endif
	rk[v(56, (0))] = ss[0] = word_in(key, 0);
	rk[v(56, (1))] = ss[1] = word_in(key, 1);
	rk[v(56, (2))] = ss[2] = word_in(key, 2);
	rk[v(56, (3))] = ss[3] = word_in(key, 3);

#ifdef DEC_KS_UNROLL
	ss[4] = word_in(key, 4);
	rk[v(56, (4))] = ff(ss[4]);
	ss[5] = word_in(key, 5);
	rk[v(56, (5))] = ff(ss[5]);
	ss[6] = word_in(key, 6);
	rk[v(56, (6))] = ff(ss[6]);
	ss[7] = word_in(key, 7);
	rk[v(56, (7))] = ff(ss[7]);
	kdf8(rk, 0); kd8(rk, 1);
	kd8(rk, 2);  kd8(rk, 3);
	kd8(rk, 4);  kd8(rk, 5);
	kdl8(rk, 6);
#else
	rk[v(56, (4))] = ss[4] = word_in(key, 4);
	rk[v(56, (5))] = ss[5] = word_in(key, 5);
	rk[v(56, (6))] = ss[6] = word_in(key, 6);
	rk[v(56, (7))] = ss[7] = word_in(key, 7);
	{
		uint32_t	i;

		for (i = 0; i < 6; ++i)
			k8e(rk,  i);
		k8ef(rk,  6);
#if !(DEC_ROUND == NO_TABLES)
		for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
			rk[i] = inv_mcol(rk[i]);
#endif
	}
#endif	/* DEC_KS_UNROLL */
}


/*
 * Expand the cipher key into the decryption key schedule.
 *
 * Return the number of rounds for the given cipher key size.
 * The size of the key schedule depends on the number of rounds
 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
 *
 * Parameters:
 * rk		AES key schedule 32-bit array to be initialized
 * cipherKey	User key
 * keyBits	AES key size (128, 192, or 256 bits)
 */
int
rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[],
    int keyBits)
{
	switch (keyBits) {
	case 128:
		aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
		return (10);
	case 192:
		aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
		return (12);
	case 256:
		aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
		return (14);
	default: /* should never get here */
		break;
	}

	return (0);
}
Commit	Line	Data
86e3c28a CIK	1	/*
	2	* ---------------------------------------------------------------------------
	3	* Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
	4	*
	5	* LICENSE TERMS
	6	*
	7	* The free distribution and use of this software is allowed (with or without
	8	* changes) provided that:
	9	*
	10	* 1. source code distributions include the above copyright notice, this
	11	* list of conditions and the following disclaimer;
	12	*
	13	* 2. binary distributions include the above copyright notice, this list
	14	* of conditions and the following disclaimer in their documentation;
	15	*
	16	* 3. the name of the copyright holder is not used to endorse products
	17	* built using this software without specific written permission.
	18	*
	19	* DISCLAIMER
	20	*
	21	* This software is provided 'as is' with no explicit or implied warranties
	22	* in respect of its properties, including, but not limited to, correctness
	23	* and/or fitness for purpose.
	24	* ---------------------------------------------------------------------------
	25	* Issue Date: 20/12/2007
	26	*/
	27
	28	#include <aes/aes_impl.h>
	29	#include "aesopt.h"
	30	#include "aestab.h"
	31	#include "aestab2.h"
	32
	33	/*
	34	* Initialise the key schedule from the user supplied key. The key
	35	* length can be specified in bytes, with legal values of 16, 24
	36	* and 32, or in bits, with legal values of 128, 192 and 256. These
	37	* values correspond with Nk values of 4, 6 and 8 respectively.
	38	*
	39	* The following macros implement a single cycle in the key
	40	* schedule generation process. The number of cycles needed
	41	* for each cx->n_col and nk value is:
	42	*
	43	* nk = 4 5 6 7 8
	44	* ------------------------------
	45	* cx->n_col = 4 10 9 8 7 7
	46	* cx->n_col = 5 14 11 10 9 9
	47	* cx->n_col = 6 19 15 12 11 11
	48	* cx->n_col = 7 21 19 16 13 14
	49	* cx->n_col = 8 29 23 19 17 14
	50	*/
	51
	52	/*
	53	* OpenSolaris changes
	54	* 1. Added header files aes_impl.h and aestab2.h
	55	* 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
	56	* 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
	57	* 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
	58	* AES_128, AES_192, AES_256, AES_VAR defines
	59	* 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
	60	* 6. Changed N_COLS to MAX_AES_NB
	61	* 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
	62	* OpenSolaris-compatible functions rijndael_key_setup_enc_amd64 and
	63	* rijndael_key_setup_dec_amd64
	64	* 8. cstyled code and removed lint warnings
65	*/
66
67	#if defined(REDUCE_CODE_SIZE)
68	#define ls_box ls_sub
69	uint32_t ls_sub(const uint32_t t, const uint32_t n);
70	#define inv_mcol im_sub
71	uint32_t im_sub(const uint32_t x);
72	#ifdef ENC_KS_UNROLL
73	#undef ENC_KS_UNROLL
74	#endif
75	#ifdef DEC_KS_UNROLL
76	#undef DEC_KS_UNROLL
77	#endif
78	#endif /* REDUCE_CODE_SIZE */
79
80
81	#define ke4(k, i) \
82	{ k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
83	k[4 * (i) + 5] = ss[1] ^= ss[0]; \
84	k[4 * (i) + 6] = ss[2] ^= ss[1]; \
85	k[4 * (i) + 7] = ss[3] ^= ss[2]; \
86	}
87
88	static void
89	aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
90	{
91	uint32_t ss[4];
92
93	rk[0] = ss[0] = word_in(key, 0);
94	rk[1] = ss[1] = word_in(key, 1);
95	rk[2] = ss[2] = word_in(key, 2);
96	rk[3] = ss[3] = word_in(key, 3);
97
98	#ifdef ENC_KS_UNROLL
99	ke4(rk, 0); ke4(rk, 1);
100	ke4(rk, 2); ke4(rk, 3);
101	ke4(rk, 4); ke4(rk, 5);
102	ke4(rk, 6); ke4(rk, 7);
103	ke4(rk, 8);
104	#else
105	{
106	uint32_t i;
107	for (i = 0; i < 9; ++i)
108	ke4(rk, i);
109	}
110	#endif /* ENC_KS_UNROLL */
111	ke4(rk, 9);
112	}
113
114
115	#define kef6(k, i) \
116	{ k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
117	k[6 * (i) + 7] = ss[1] ^= ss[0]; \
118	k[6 * (i) + 8] = ss[2] ^= ss[1]; \
119	k[6 * (i) + 9] = ss[3] ^= ss[2]; \
120	}
121
122	#define ke6(k, i) \
123	{ kef6(k, i); \
124	k[6 * (i) + 10] = ss[4] ^= ss[3]; \
125	k[6 * (i) + 11] = ss[5] ^= ss[4]; \
126	}
127
128	static void
129	aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
130	{
131	uint32_t ss[6];
132
133	rk[0] = ss[0] = word_in(key, 0);
134	rk[1] = ss[1] = word_in(key, 1);
135	rk[2] = ss[2] = word_in(key, 2);
136	rk[3] = ss[3] = word_in(key, 3);
137	rk[4] = ss[4] = word_in(key, 4);
138	rk[5] = ss[5] = word_in(key, 5);
139
140	#ifdef ENC_KS_UNROLL
141	ke6(rk, 0); ke6(rk, 1);
142	ke6(rk, 2); ke6(rk, 3);
143	ke6(rk, 4); ke6(rk, 5);
144	ke6(rk, 6);
145	#else
146	{
147	uint32_t i;
148	for (i = 0; i < 7; ++i)
149	ke6(rk, i);
150	}
151	#endif /* ENC_KS_UNROLL */
152	kef6(rk, 7);
153	}
154
155
156
157	#define kef8(k, i) \
158	{ k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
159	k[8 * (i) + 9] = ss[1] ^= ss[0]; \
160	k[8 * (i) + 10] = ss[2] ^= ss[1]; \
161	k[8 * (i) + 11] = ss[3] ^= ss[2]; \
162	}
163
164	#define ke8(k, i) \
165	{ kef8(k, i); \
166	k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
167	k[8 * (i) + 13] = ss[5] ^= ss[4]; \
168	k[8 * (i) + 14] = ss[6] ^= ss[5]; \
169	k[8 * (i) + 15] = ss[7] ^= ss[6]; \
170	}
171
172	static void
173	aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
174	{
175	uint32_t ss[8];
176
177	rk[0] = ss[0] = word_in(key, 0);
178	rk[1] = ss[1] = word_in(key, 1);
179	rk[2] = ss[2] = word_in(key, 2);
180	rk[3] = ss[3] = word_in(key, 3);
181	rk[4] = ss[4] = word_in(key, 4);
182	rk[5] = ss[5] = word_in(key, 5);
183	rk[6] = ss[6] = word_in(key, 6);
184	rk[7] = ss[7] = word_in(key, 7);
185
186	#ifdef ENC_KS_UNROLL
187	ke8(rk, 0); ke8(rk, 1);
188	ke8(rk, 2); ke8(rk, 3);
189	ke8(rk, 4); ke8(rk, 5);
190	#else
191	{
192	uint32_t i;
193	for (i = 0; i < 6; ++i)
194	ke8(rk, i);
195	}
196	#endif /* ENC_KS_UNROLL */
197	kef8(rk, 6);
198	}
199
200
201	/*
202	* Expand the cipher key into the encryption key schedule.
203	*
204	* Return the number of rounds for the given cipher key size.
205	* The size of the key schedule depends on the number of rounds
206	* (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
207	*
208	* Parameters:
209	* rk AES key schedule 32-bit array to be initialized
210	* cipherKey User key
211	* keyBits AES key size (128, 192, or 256 bits)
212	*/
213	int
214	rijndael_key_setup_enc_amd64(uint32_t rk[], const uint32_t cipherKey[],
215	int keyBits)
216	{
217	switch (keyBits) {
218	case 128:
219	aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
220	return (10);
221	case 192:
222	aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
223	return (12);
224	case 256:
225	aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
226	return (14);
227	default: /* should never get here */
228	break;
229	}
230
231	return (0);
232	}
233
234
235	/* this is used to store the decryption round keys */
236	/* in forward or reverse order */
237
238	#ifdef AES_REV_DKS
239	#define v(n, i) ((n) - (i) + 2 * ((i) & 3))
240	#else
241	#define v(n, i) (i)
242	#endif
243
244	#if DEC_ROUND == NO_TABLES
245	#define ff(x) (x)
246	#else
247	#define ff(x) inv_mcol(x)
248	#if defined(dec_imvars)
249	#define d_vars dec_imvars
250	#endif
251	#endif /* FUNCS_IN_C & DEC_KEYING_IN_C */
252
253
254	#define k4e(k, i) \
255	{ k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
256	k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
257	k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
258	k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
259	}
260
261	#if 1
262
263	#define kdf4(k, i) \
264	{ ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
265	ss[1] = ss[1] ^ ss[3]; \
266	ss[2] = ss[2] ^ ss[3]; \
267	ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
268	ss[i % 4] ^= ss[4]; \
269	ss[4] ^= k[v(40, (4 * (i)))]; k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
270	ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
271	ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
272	ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
273	}
274
275	#define kd4(k, i) \
276	{ ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
277	ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
278	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
279	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
280	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
281	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
282	}
283
284	#define kdl4(k, i) \
285	{ ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
286	ss[i % 4] ^= ss[4]; \
287	k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
288	k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
289	k[v(40, (4 * (i)) + 6)] = ss[0]; \
290	k[v(40, (4 * (i)) + 7)] = ss[1]; \
291	}
292
293	#else
294
295	#define kdf4(k, i) \
296	{ ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
297	k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
298	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
299	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
300	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
301	}
302
303	#define kd4(k, i) \
304	{ ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
305	ss[0] ^= ss[4]; \
306	ss[4] = ff(ss[4]); \
307	k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
308	ss[1] ^= ss[0]; \
309	k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
310	ss[2] ^= ss[1]; \
311	k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
312	ss[3] ^= ss[2]; \
313	k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
314	}
315
316	#define kdl4(k, i) \
317	{ ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
318	k[v(40, (4 * (i)) + 4)] = ss[0]; \
319	ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
320	ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
321	ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
322	}
323
324	#endif
325
326	static void
327	aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
328	{
329	uint32_t ss[5];
330	#if defined(d_vars)
331	d_vars;
332	#endif
333	rk[v(40, (0))] = ss[0] = word_in(key, 0);
334	rk[v(40, (1))] = ss[1] = word_in(key, 1);
335	rk[v(40, (2))] = ss[2] = word_in(key, 2);
336	rk[v(40, (3))] = ss[3] = word_in(key, 3);
337
338	#ifdef DEC_KS_UNROLL
339	kdf4(rk, 0); kd4(rk, 1);
340	kd4(rk, 2); kd4(rk, 3);
341	kd4(rk, 4); kd4(rk, 5);
342	kd4(rk, 6); kd4(rk, 7);
343	kd4(rk, 8); kdl4(rk, 9);
344	#else
345	{
346	uint32_t i;
347	for (i = 0; i < 10; ++i)
348	k4e(rk, i);
349	#if !(DEC_ROUND == NO_TABLES)
350	for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
351	rk[i] = inv_mcol(rk[i]);
352	#endif
353	}
354	#endif /* DEC_KS_UNROLL */
355	}
356
357
358
359	#define k6ef(k, i) \
360	{ k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
361	k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
362	k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
363	k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
364	}
365
366	#define k6e(k, i) \
367	{ k6ef(k, i); \
368	k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
369	k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
370	}
371
372	#define kdf6(k, i) \
373	{ ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
374	k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
375	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
376	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
377	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
378	ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
379	ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
380	}
381
382	#define kd6(k, i) \
383	{ ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
384	ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
385	k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
386	ss[1] ^= ss[0]; \
387	k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
388	ss[2] ^= ss[1]; \
389	k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
390	ss[3] ^= ss[2]; \
391	k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
392	ss[4] ^= ss[3]; \
393	k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
394	ss[5] ^= ss[4]; \
395	k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
396	}
397
398	#define kdl6(k, i) \
399	{ ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
400	k[v(48, (6 * (i)) + 6)] = ss[0]; \
401	ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
402	ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
403	ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
404	}
405
406	static void
407	aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
408	{
409	uint32_t ss[7];
410	#if defined(d_vars)
411	d_vars;
412	#endif
413	rk[v(48, (0))] = ss[0] = word_in(key, 0);
414	rk[v(48, (1))] = ss[1] = word_in(key, 1);
415	rk[v(48, (2))] = ss[2] = word_in(key, 2);
416	rk[v(48, (3))] = ss[3] = word_in(key, 3);
417
418	#ifdef DEC_KS_UNROLL
419	ss[4] = word_in(key, 4);
420	rk[v(48, (4))] = ff(ss[4]);
421	ss[5] = word_in(key, 5);
422	rk[v(48, (5))] = ff(ss[5]);
423	kdf6(rk, 0); kd6(rk, 1);
424	kd6(rk, 2); kd6(rk, 3);
425	kd6(rk, 4); kd6(rk, 5);
426	kd6(rk, 6); kdl6(rk, 7);
427	#else
428	rk[v(48, (4))] = ss[4] = word_in(key, 4);
429	rk[v(48, (5))] = ss[5] = word_in(key, 5);
430	{
431	uint32_t i;
432
433	for (i = 0; i < 7; ++i)
434	k6e(rk, i);
435	k6ef(rk, 7);
436	#if !(DEC_ROUND == NO_TABLES)
437	for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
438	rk[i] = inv_mcol(rk[i]);
439	#endif
440	}
441	#endif
442	}
443
444
445
446	#define k8ef(k, i) \
447	{ k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
448	k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
449	k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
450	k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
451	}
452
453	#define k8e(k, i) \
454	{ k8ef(k, i); \
455	k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
456	k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
457	k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
458	k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
459	}
460
461	#define kdf8(k, i) \
462	{ ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
463	k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
464	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
465	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
466	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
467	ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
468	ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
469	ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
470	ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
471	}
472
473	#define kd8(k, i) \
474	{ ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
475	ss[0] ^= ss[8]; \
476	ss[8] = ff(ss[8]); \
477	k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
478	ss[1] ^= ss[0]; \
479	k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
480	ss[2] ^= ss[1]; \
481	k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
482	ss[3] ^= ss[2]; \
483	k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
484	ss[8] = ls_box(ss[3], 0); \
485	ss[4] ^= ss[8]; \
486	ss[8] = ff(ss[8]); \
487	k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
488	ss[5] ^= ss[4]; \
489	k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
490	ss[6] ^= ss[5]; \
491	k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
492	ss[7] ^= ss[6]; \
493	k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
494	}
495
496	#define kdl8(k, i) \
497	{ ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
498	k[v(56, (8 * (i)) + 8)] = ss[0]; \
499	ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
500	ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
501	ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
502	}
503
504	static void
505	aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
506	{
507	uint32_t ss[9];
508	#if defined(d_vars)
509	d_vars;
510	#endif
511	rk[v(56, (0))] = ss[0] = word_in(key, 0);
512	rk[v(56, (1))] = ss[1] = word_in(key, 1);
513	rk[v(56, (2))] = ss[2] = word_in(key, 2);
514	rk[v(56, (3))] = ss[3] = word_in(key, 3);
515
516	#ifdef DEC_KS_UNROLL
517	ss[4] = word_in(key, 4);
518	rk[v(56, (4))] = ff(ss[4]);
519	ss[5] = word_in(key, 5);
520	rk[v(56, (5))] = ff(ss[5]);
521	ss[6] = word_in(key, 6);
522	rk[v(56, (6))] = ff(ss[6]);
523	ss[7] = word_in(key, 7);
524	rk[v(56, (7))] = ff(ss[7]);
525	kdf8(rk, 0); kd8(rk, 1);
526	kd8(rk, 2); kd8(rk, 3);
527	kd8(rk, 4); kd8(rk, 5);
528	kdl8(rk, 6);
529	#else
530	rk[v(56, (4))] = ss[4] = word_in(key, 4);
531	rk[v(56, (5))] = ss[5] = word_in(key, 5);
532	rk[v(56, (6))] = ss[6] = word_in(key, 6);
533	rk[v(56, (7))] = ss[7] = word_in(key, 7);
534	{
535	uint32_t i;
536
537	for (i = 0; i < 6; ++i)
538	k8e(rk, i);
539	k8ef(rk, 6);
540	#if !(DEC_ROUND == NO_TABLES)
541	for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
542	rk[i] = inv_mcol(rk[i]);
543	#endif
544	}
545	#endif /* DEC_KS_UNROLL */
546	}
547
548
549	/*
550	* Expand the cipher key into the decryption key schedule.
551	*
552	* Return the number of rounds for the given cipher key size.
553	* The size of the key schedule depends on the number of rounds
554	* (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
555	*
556	* Parameters:
557	* rk AES key schedule 32-bit array to be initialized
558	* cipherKey User key
559	* keyBits AES key size (128, 192, or 256 bits)
560	*/
561	int
562	rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[],
563	int keyBits)
564	{
565	switch (keyBits) {
566	case 128:
567	aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
568	return (10);
569	case 192:
570	aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
571	return (12);
572	case 256:
573	aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
574	return (14);
575	default: /* should never get here */
576	break;
577	}
578
579	return (0);
580	}