1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/ddi.h>
30 #include <sys/sysmacros.h>
31 #include <sys/strsun.h>
32 #include <netinet/in.h>
33 #include "aes_impl.h"
34 #ifndef _KERNEL
35 #include <strings.h>
36 #include <stdlib.h>
37 #endif /* !_KERNEL */
38
39 #pragma ident "@(#)aes_impl.c 1.2 05/06/08 SMI"
40
41 /*
42 * This file is derived from the file rijndael-alg-fst.c taken from the
43 * "optimized C code v3.0" on the "rijndael home page"
44 * (http://www.esat.kuleuven.ac.be/~rijmen/rijndael/)
45 * pointed by the NIST web-site (http://nist.gov)
46 *
47 * The following note is from the original file:
48 */
49
50 /*
51 * rijndael-alg-fst.c
52 *
53 * @version 3.0 (December 2000)
54 *
55 * Optimised ANSI C code for the Rijndael cipher (now AES)
56 *
57 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
58 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
59 * @author Paulo Barreto <paulo.barreto@terra.com.br>
60 *
61 * This code is hereby placed in the public domain.
62 *
63 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
64 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
65 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
66 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
67 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
68 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
69 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
70 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
71 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
72 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
73 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
74 */
75
76 /* EXPORT DELETE START */
77
78 #ifndef _RIJNDAEL_TBL_H
79 #define _RIJNDAEL_TBL_H
80
81 /*
82 * Constant tables
83 */
84
85 /*
86 * Te0[x] = S [x].[02, 01, 01, 03];
87 * Te1[x] = S [x].[03, 02, 01, 01];
88 * Te2[x] = S [x].[01, 03, 02, 01];
89 * Te3[x] = S [x].[01, 01, 03, 02];
90 * Te4[x] = S [x].[01, 01, 01, 01];
91 *
92 * Td0[x] = Si[x].[0e, 09, 0d, 0b];
93 * Td1[x] = Si[x].[0b, 0e, 09, 0d];
94 * Td2[x] = Si[x].[0d, 0b, 0e, 09];
95 * Td3[x] = Si[x].[09, 0d, 0b, 0e];
96 * Td4[x] = Si[x].[01, 01, 01, 01];
97 */
98
99
100 static const uint32_t Te0[256] =
101 {
102 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
103 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
104 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
105 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
106 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
107 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
108 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
109 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
110 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
111 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
112 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
113 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
114 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
115 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
116 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
117 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
118 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
423 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
424 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
425 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
426 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
427 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
428 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
429 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
430 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
431 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
432 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
433 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
434 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
435 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
436 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
437 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
438 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
439 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
440 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U
441 };
442
443 static const uint32_t Td0[256] =
444 {
445 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
446 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
447 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
448 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
449 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
450 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
451 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
452 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
453 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
454 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
455 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
456 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
457 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
458 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
459 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
460 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
461 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
462 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
764 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
765 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
766 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
767 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
768 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
769 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
770 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
771 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
772 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
773 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
774 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
775 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
776 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
777 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
778 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
779 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
780 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
781 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU
782 };
783
784 static const uint32_t rcon[] =
785 {
786 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
787 0x01000000, 0x02000000, 0x04000000, 0x08000000,
788 0x10000000, 0x20000000, 0x40000000, 0x80000000,
789 0x1B000000, 0x36000000
790 };
791 #endif
792
793 /*
794 * Expand the cipher key into the encryption key schedule.
795 * return the number of rounds for the given cipher key size.
796 * The size of the key schedule depends on the number of rounds
797 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
798 */
799 static int
800 rijndael_key_setup_enc_raw(uint32_t rk[], const uint32_t cipherKey[],
801 int keyBits)
802 {
803 int i = 0;
804 uint32_t temp;
805
806 rk[0] = cipherKey[0];
807 rk[1] = cipherKey[1];
808 rk[2] = cipherKey[2];
809 rk[3] = cipherKey[3];
810
811 if (keyBits == 128) {
812 for (;;) {
813 temp = rk[3];
814 rk[4] = rk[0] ^
815 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
816 (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
817 (Te4[temp & 0xff] & 0x0000ff00) ^
872
873 if (++i == 7) {
874 return (14);
875 }
876 temp = rk[11];
877 rk[12] = rk[4] ^
878 (Te4[temp >> 24] & 0xff000000) ^
879 (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
880 (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
881 (Te4[temp & 0xff] & 0x000000ff);
882 rk[13] = rk[5] ^ rk[12];
883 rk[14] = rk[6] ^ rk[13];
884 rk[15] = rk[7] ^ rk[14];
885
886 rk += 8;
887 }
888 }
889
890 return (0);
891 }
892
893
894 #ifdef sun4u
895
896 /*
897 * Expand the cipher key into the enryption key schedule as used
898 * by the sun4u optimized assembly implementation.
899 * return the number of rounds for the given cipher key size.
900 * The size of the key schedule depends on the number of rounds
901 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
902 */
903 static int
904 rijndael_key_setup_enc(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
905 {
906 uint32_t rk1[4 * (MAX_AES_NR + 1)];
907 uint64_t *rk64 = (uint64_t *)rk;
908 uint32_t *rkt;
909 uint64_t t;
910 int i, Nr;
911
912 Nr = rijndael_key_setup_enc_raw(rk1, cipherKey, keyBits);
913
914 for (i = 0; i < 4 * Nr; i++) {
915 t = (uint64_t)(rk1[i]);
916 rk64[i] = ((t & 0xff000000) << 11) |
917 ((t & 0xff0000) << 8) |
918 ((t & 0xffff) << 3);
919 }
920
921 rkt = (uint32_t *)(&(rk64[4 * Nr]));
922
923 for (i = 0; i < 4; i++) {
924 rkt[i] = rk1[4 * Nr+i];
925 }
926
927 return (Nr);
928 }
929
930
931 /*
932 * Expand the cipher key into the decryption key schedule as used
933 * by the sun4u optimized assembly implementation.
934 * return the number of rounds for the given cipher key size.
935 * The size of the key schedule depends on the number of rounds
936 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
937 */
938 static int
939 rijndael_key_setup_dec_raw(uint32_t rk[], const uint32_t cipherKey[],
940 int keyBits)
941 {
942 int Nr, i;
943 uint32_t temp;
944
945 /* expand the cipher key: */
946 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
947
948 /* invert the order of the round keys: */
949
950 for (i = 0; i < 2 * Nr + 2; i++) {
951 temp = rk[i];
952 rk[i] = rk[4 * Nr - i + 3];
953 rk[4 * Nr - i + 3] = temp;
954 }
955
956 /*
967 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
968 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
969 Td3[Te4[rk[1] & 0xff] & 0xff];
970 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
971 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
972 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
973 Td3[Te4[rk[2] & 0xff] & 0xff];
974 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
975 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
976 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
977 Td3[Te4[rk[3] & 0xff] & 0xff];
978 }
979
980 return (Nr);
981 }
982
983
984 /*
985 * The size of the key schedule depends on the number of rounds
986 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
987 */
988 int
989 rijndael_key_setup_dec(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
990 {
991 uint32_t rk1[4 * (MAX_AES_NR + 1)];
992 uint64_t *rk64 = (uint64_t *)rk;
993 uint32_t *rkt;
994 uint64_t t;
995 int i, Nr;
996
997 Nr = rijndael_key_setup_dec_raw(rk1, cipherKey, keyBits);
998 for (i = 0; i < 4 * Nr; i++) {
999 t = (uint64_t)(rk1[i]);
1000 rk64[i] = ((t & 0xff000000) << 11) |
1001 ((t & 0xff0000) << 8) |
1002 ((t & 0xffff) << 3);
1003 }
1004
1005 rkt = (uint32_t *)(&(rk64[4 * Nr]));
1006
1007 for (i = 0; i < 4; i++) {
1008 rkt[i] = rk1[4 * Nr + i];
1009 }
1010
1011 return (Nr);
1012 }
1013
1014
1015 static void
1016 aes_setupkeys(aes_key_t *key, uint32_t *keyarr32, int keybits)
1017 {
1018 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks64[0]), keyarr32,
1019 keybits);
1020 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks64[0]), keyarr32,
1021 keybits);
1022 key->type = AES_64BIT_KS;
1023 }
1024
1025 #else /* !sun4u */
1026
1027 /*
1028 * Expand the cipher key into the encryption key schedule.
1029 * return the number of rounds for the given cipher key size.
1030 * The size of the key schedule depends on the number of rounds
1031 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1032 */
1033 static int
1034 rijndael_key_setup_enc(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
1035 {
1036 return (rijndael_key_setup_enc_raw(rk, cipherKey, keyBits));
1037 }
1038
1039
1040 /*
1041 * Expand the cipher key into the decryption key schedule.
1042 * @return the number of rounds for the given cipher key size.
1043 * The size of the key schedule depends on the number of rounds
1044 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1045 */
1046 static int
1047 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
1048 {
1049 int Nr, i, j;
1050 uint32_t temp;
1051
1052 /* expand the cipher key: */
1053 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
1054
1055 /* invert the order of the round keys: */
1056 for (i = 0, j = 4 * Nr; i < j; i += 4, j -= 4) {
1057 temp = rk[i];
1058 rk[i] = rk[j];
1059 rk[j] = temp;
1060 temp = rk[i + 1];
1061 rk[i + 1] = rk[j + 1];
1062 rk[j + 1] = temp;
1063 temp = rk[i + 2];
1064 rk[i + 2] = rk[j + 2];
1079 Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
1080 Td3[Te4[rk[0] & 0xff] & 0xff];
1081 rk[1] = Td0[Te4[rk[1] >> 24] & 0xff] ^
1082 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1083 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
1084 Td3[Te4[rk[1] & 0xff] & 0xff];
1085 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
1086 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1087 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
1088 Td3[Te4[rk[2] & 0xff] & 0xff];
1089 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
1090 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1091 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
1092 Td3[Te4[rk[3] & 0xff] & 0xff];
1093 }
1094
1095 return (Nr);
1096 }
1097
1098
1099 static void
1100 aes_setupkeys(aes_key_t *key, uint32_t *keyarr32, int keybits)
1101 {
1102 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks32[0]), keyarr32,
1103 keybits);
1104 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks32[0]), keyarr32,
1105 keybits);
1106 key->type = AES_32BIT_KS;
1107 }
1108
1109 /*
1110 * Encrypt one block of data. The block is assumed to be an array
1111 * of four uint32_t values, so copy for alignment (and byte-order
1112 * reversal for little endian systems might be necessary on the
1113 * input and output byte streams.
1114 * The size of the key schedule depends on the number of rounds
1115 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1116 */
1117 void
1118 rijndael_encrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
1119 uint32_t ct[4])
1120 {
1121 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1122 int r;
1123
1124 /*
1125 * map byte array block to cipher state
1126 * and add initial round key:
1127 */
1128
1129 s0 = pt[0] ^ rk[0];
1130 s1 = pt[1] ^ rk[1];
1131 s2 = pt[2] ^ rk[2];
1132 s3 = pt[3] ^ rk[3];
1133
1134 /*
1135 * Nr - 1 full rounds:
1136 */
1137
1218 (Te4[t1 & 0xff] & 0x000000ff) ^
1219 rk[2];
1220 ct[2] = s2;
1221
1222 s3 = (Te4[(t3 >> 24)] & 0xff000000) ^
1223 (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1224 (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1225 (Te4[t2 & 0xff] & 0x000000ff) ^
1226 rk[3];
1227 ct[3] = s3;
1228 }
1229
1230
1231 /*
1232 * Decrypt one block of data. The block is assumed to be an array
1233 * of four uint32_t values, so copy for alignment (and byte-order
1234 * reversal for little endian systems might be necessary on the
1235 * input and output byte streams.
1236 * The size of the key schedule depends on the number of rounds
1237 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1238 */
1239 void
1240 rijndael_decrypt(const uint32_t rk[], int Nr, const uint32_t ct[4],
1241 uint32_t pt[4])
1242 {
1243 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1244 int r;
1245
1246 /*
1247 * map byte array block to cipher state
1248 * and add initial round key:
1249 */
1250 s0 = ct[0] ^ rk[0];
1251 s1 = ct[1] ^ rk[1];
1252 s2 = ct[2] ^ rk[2];
1253 s3 = ct[3] ^ rk[3];
1254
1255 /*
1256 * Nr - 1 full rounds:
1257 */
1258
1259 r = Nr >> 1;
1330 (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1331 (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
1332 (Td4[t2 & 0xff] & 0x000000ff) ^
1333 rk[1];
1334 pt[1] = s1;
1335
1336 s2 = (Td4[t2 >> 24] & 0xff000000) ^
1337 (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1338 (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
1339 (Td4[t3 & 0xff] & 0x000000ff) ^
1340 rk[2];
1341 pt[2] = s2;
1342
1343 s3 = (Td4[t3 >> 24] & 0xff000000) ^
1344 (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1345 (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1346 (Td4[t0 & 0xff] & 0x000000ff) ^
1347 rk[3];
1348 pt[3] = s3;
1349 }
1350
1351 void
1352 aes_encrypt_impl(const aes_ks_t *ks, int Nr, const uint32_t pt[4],
1353 uint32_t ct[4])
1354 {
1355 rijndael_encrypt(&(ks->ks32[0]), Nr, pt, ct);
1356 }
1357
1358 void
1359 aes_decrypt_impl(const aes_ks_t *ks, int Nr, const uint32_t ct[4],
1360 uint32_t pt[4])
1361 {
1362 rijndael_decrypt(&(ks->ks32[0]), Nr, ct, pt);
1363 }
1364
1365 #endif /* sun4u */
1366 /* EXPORT DELETE END */
1367
1368
1369 /*
1370 * Initialize key schedules for AES
1371 */
1372 void
1373 aes_init_keysched(uint8_t *cipherKey, uint_t keyBits, void *keysched)
1374 {
1375 /* EXPORT DELETE START */
1376 aes_key_t *newbie = keysched;
1377 uint64_t keyarr64[4];
1378 uint32_t *keyarr32 = (uint32_t *)keyarr64;
1379 uint_t keysize, i, j;
1380
1381 switch (keyBits) {
1382 case 128:
1383 newbie->nr = 10;
1384 break;
1385
1386 case 192:
1387 newbie->nr = 12;
1388 break;
1389
1390 case 256:
1391 newbie->nr = 14;
1392 break;
1393
1394 default:
1395 /* should never get here */
1396 return;
1397 }
1398 keysize = keyBits >> 3;
1399
1400 /*
1401 * The code below, that is always executed on LITTLE_ENDIAN machines,
1402 * reverses every 4 bytes in the key. On BIG_ENDIAN, the same code
1403 * copies the key without reversing bytes.
1404 */
1405 #ifdef _BIG_ENDIAN
1406 if (IS_P2ALIGNED(cipherKey, sizeof (uint64_t))) {
1407 for (i = 0, j = 0; j < keysize; i++, j += 8) {
1408 /* LINTED: pointer alignment */
1409 keyarr64[i] = *((uint64_t *)&cipherKey[j]);
1410 }
1411 } else {
1412 #endif
1413 for (i = 0, j = 0; j < keysize; i++, j += 4) {
1414 keyarr32[i] = (((uint32_t)cipherKey[j] << 24) |
1415 ((uint32_t)cipherKey[j + 1] << 16) |
1416 ((uint32_t)cipherKey[j + 2] << 8) |
1417 (uint32_t)cipherKey[j + 3]);
1418 }
1419 #ifdef _BIG_ENDIAN
1420 }
1421 #endif
1422 aes_setupkeys(newbie, keyarr32, keyBits);
1423
1424 /* EXPORT DELETE END */
1425 }
1426
1427 void
1428 aes_encrypt_block(void *ks, uint8_t *pt, uint8_t *ct)
1429 {
1430 /* EXPORT DELETE START */
1431
1432 aes_key_t *ksch = (aes_key_t *)ks;
1433
1434 #ifdef _BIG_ENDIAN
1435 if (IS_P2ALIGNED(pt, sizeof (uint32_t)) &&
1436 IS_P2ALIGNED(ct, sizeof (uint32_t))) {
1437 /* LINTED: pointer alignment */
1438 aes_encrypt_impl(&ksch->encr_ks, ksch->nr, (uint32_t *)pt,
1439 /* LINTED: pointer alignment */
1440 (uint32_t *)ct);
1441 } else {
1442 #endif
1443 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1444
1445 buffer[0] = (((uint32_t)pt[0] << 24) | ((uint32_t)pt[1] << 16) |
1446 ((uint32_t)pt[2] << 8) | (uint32_t)pt[3]);
1447
1448 buffer[1] = (((uint32_t)pt[4] << 24) | ((uint32_t)pt[5] << 16) |
1449 ((uint32_t)pt[6] << 8) | (uint32_t)pt[7]);
1450
1451 buffer[2] = (((uint32_t)pt[8] << 24) | ((uint32_t)pt[9] << 16) |
1452 ((uint32_t)pt[10] << 8) | (uint32_t)pt[11]);
1453
1454 buffer[3] = (((uint32_t)pt[12] << 24) |
1455 ((uint32_t)pt[13] << 16) | ((uint32_t)pt[14] << 8) |
1456 (uint32_t)pt[15]);
1457
1458 aes_encrypt_impl(&ksch->encr_ks, ksch->nr, buffer, buffer);
1459
1460 ct[0] = buffer[0] >> 24;
1461 ct[1] = buffer[0] >> 16;
1462 ct[2] = buffer[0] >> 8;
1463 ct[3] = (uint8_t)buffer[0];
1464 ct[4] = buffer[1] >> 24;
1465 ct[5] = buffer[1] >> 16;
1466 ct[6] = buffer[1] >> 8;
1467 ct[7] = (uint8_t)buffer[1];
1468 ct[8] = buffer[2] >> 24;
1469 ct[9] = buffer[2] >> 16;
1470 ct[10] = buffer[2] >> 8;
1471 ct[11] = (uint8_t)buffer[2];
1472 ct[12] = buffer[3] >> 24;
1473 ct[13] = buffer[3] >> 16;
1474 ct[14] = buffer[3] >> 8;
1475 ct[15] = (uint8_t)buffer[3];
1476 #ifdef _BIG_ENDIAN
1477 }
1478 #endif
1479
1480 /* EXPORT DELETE END */
1481 }
1482
1483 void
1484 aes_decrypt_block(void *ks, uint8_t *ct, uint8_t *pt)
1485 {
1486 /* EXPORT DELETE START */
1487
1488 aes_key_t *ksch = (aes_key_t *)ks;
1489
1490 #ifdef _BIG_ENDIAN
1491 if (IS_P2ALIGNED(ct, sizeof (uint32_t)) &&
1492 IS_P2ALIGNED(pt, sizeof (uint32_t))) {
1493 /* LINTED: pointer alignment */
1494 aes_decrypt_impl(&ksch->decr_ks, ksch->nr, (uint32_t *)ct,
1495 /* LINTED: pointer alignment */
1496 (uint32_t *)pt);
1497 } else {
1498 #endif
1499 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1500
1501 buffer[0] = (((uint32_t)ct[0] << 24) | ((uint32_t)ct[1] << 16) |
1502 ((uint32_t)ct[2] << 8) | (uint32_t)ct[3]);
1503
1504 buffer[1] = (((uint32_t)ct[4] << 24) | ((uint32_t)ct[5] << 16) |
1505 ((uint32_t)ct[6] << 8) | (uint32_t)ct[7]);
1506
1507 buffer[2] = (((uint32_t)ct[8] << 24) | ((uint32_t)ct[9] << 16) |
1508 ((uint32_t)ct[10] << 8) | (uint32_t)ct[11]);
1509
1510 buffer[3] = (((uint32_t)ct[12] << 24) |
1511 ((uint32_t)ct[13] << 16) | ((uint32_t)ct[14] << 8) |
1512 (uint32_t)ct[15]);
1513
1514 aes_decrypt_impl(&ksch->decr_ks, ksch->nr, buffer, buffer);
1515
1516 pt[0] = buffer[0] >> 24;
1517 pt[1] = buffer[0] >> 16;
1518 pt[2] = buffer[0] >> 8;
1519 pt[3] = (uint8_t)buffer[0];
1520 pt[4] = buffer[1] >> 24;
1521 pt[5] = buffer[1] >> 16;
1522 pt[6] = buffer[1] >> 8;
1523 pt[7] = (uint8_t)buffer[1];
1524 pt[8] = buffer[2] >> 24;
1525 pt[9] = buffer[2] >> 16;
1526 pt[10] = buffer[2] >> 8;
1527 pt[11] = (uint8_t)buffer[2];
1528 pt[12] = buffer[3] >> 24;
1529 pt[13] = buffer[3] >> 16;
1530 pt[14] = buffer[3] >> 8;
1531 pt[15] = (uint8_t)buffer[3];
1532 #ifdef _BIG_ENDIAN
1533 }
1534 #endif
1535
1536 /* EXPORT DELETE END */
1537 }
1538
1539 /*
1540 * Allocate key schedule for AES
1541 */
1542 /* ARGSUSED */
1543 void *
1544 aes_alloc_keysched(size_t *size, int kmflag)
1545 {
1546
1547 /* EXPORT DELETE START */
1548
1549 aes_key_t *keysched;
1550
1551 #ifdef _KERNEL
1552 keysched = (aes_key_t *)kmem_alloc(sizeof (aes_key_t), kmflag);
1553 #else /* !_KERNEL */
1554 keysched = (aes_key_t *)malloc(sizeof (aes_key_t));
1555 #endif /* _KERNEL */
1556
1557 if (keysched != NULL) {
1558 *size = sizeof (aes_key_t);
1559 return (keysched);
1560 }
1561
1562 /* EXPORT DELETE END */
1563
1564 return (NULL);
1565 }
|
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #pragma ident "@(#)aes_impl.c 1.3 08/06/12 SMI"
27
28 #include <sys/types.h>
29 #include <sys/systm.h>
30 #include <sys/ddi.h>
31 #include <sys/sysmacros.h>
32 #include <sys/strsun.h>
33 #include <netinet/in.h>
34 #include "aes_impl.h"
35 #ifndef _KERNEL
36 #include <strings.h>
37 #include <stdlib.h>
38 #endif /* !_KERNEL */
39
40
41 /*
42 * This file is derived from the file rijndael-alg-fst.c taken from the
43 * "optimized C code v3.0" on the "rijndael home page"
44 * http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/~rijmen/rijndael/
45 * pointed by the NIST web-site http://csrc.nist.gov/archive/aes/
46 *
47 * The following note is from the original file:
48 */
49
50 /*
51 * rijndael-alg-fst.c
52 *
53 * @version 3.0 (December 2000)
54 *
55 * Optimised ANSI C code for the Rijndael cipher (now AES)
56 *
57 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
58 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
59 * @author Paulo Barreto <paulo.barreto@terra.com.br>
60 *
61 * This code is hereby placed in the public domain.
62 *
63 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
64 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
65 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
66 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
67 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
68 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
69 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
70 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
71 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
72 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
73 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
74 */
75
76 /* EXPORT DELETE START */
77
78 #if defined(sun4u) || defined(__amd64)
79 /* External assembly functions: */
80 extern void aes_encrypt_impl(const uint32_t rk[], int Nr, const uint32_t pt[4],
81 uint32_t ct[4]);
82 extern void aes_decrypt_impl(const uint32_t rk[], int Nr, const uint32_t ct[4],
83 uint32_t pt[4]);
84 #define AES_ENCRYPT_IMPL aes_encrypt_impl
85 #define AES_DECRYPT_IMPL aes_decrypt_impl
86
87 #ifdef __amd64
88 extern int rijndael_key_setup_enc(uint32_t rk[], const uint32_t cipherKey[],
89 int keyBits);
90 extern int rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[],
91 int keyBits);
92 #endif
93
94 #else
95 #define AES_ENCRYPT_IMPL rijndael_encrypt
96 #define AES_DECRYPT_IMPL rijndael_decrypt
97 #define rijndael_key_setup_enc_raw rijndael_key_setup_enc
98 #endif /* sun4u || __amd64 */
99
100 #if defined(_LITTLE_ENDIAN) && !defined(__amd64)
101 #define AES_BYTE_SWAP
102 #endif
103
104 #ifndef __amd64
105 /*
106 * Constant tables
107 */
108
109 /*
110 * Te0[x] = S [x].[02, 01, 01, 03];
111 * Te1[x] = S [x].[03, 02, 01, 01];
112 * Te2[x] = S [x].[01, 03, 02, 01];
113 * Te3[x] = S [x].[01, 01, 03, 02];
114 * Te4[x] = S [x].[01, 01, 01, 01];
115 *
116 * Td0[x] = Si[x].[0e, 09, 0d, 0b];
117 * Td1[x] = Si[x].[0b, 0e, 09, 0d];
118 * Td2[x] = Si[x].[0d, 0b, 0e, 09];
119 * Td3[x] = Si[x].[09, 0d, 0b, 0e];
120 * Td4[x] = Si[x].[01, 01, 01, 01];
121 */
122
123 /* Encrypt Sbox constants (for the substitute bytes operation) */
124
125 static const uint32_t Te0[256] =
126 {
127 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
128 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
129 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
130 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
131 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
132 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
133 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
134 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
135 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
136 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
137 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
138 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
139 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
140 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
141 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
142 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
143 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
448 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
449 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
450 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
451 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
452 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
453 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
454 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
455 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
456 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
457 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
458 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
459 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
460 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
461 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
462 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
463 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
464 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
465 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U
466 };
467
468 /* Decrypt Sbox constants (for the substitute bytes operation) */
469
470 static const uint32_t Td0[256] =
471 {
472 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
473 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
474 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
475 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
476 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
477 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
478 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
479 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
480 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
481 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
482 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
483 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
484 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
485 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
486 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
487 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
488 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
489 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
791 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
792 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
793 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
794 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
795 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
796 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
797 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
798 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
799 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
800 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
801 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
802 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
803 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
804 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
805 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
806 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
807 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
808 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU
809 };
810
811 /* Rcon is Round Constant; used for encryption key expansion */
812 static const uint32_t rcon[RC_LENGTH] =
813 {
814 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
815 0x01000000, 0x02000000, 0x04000000, 0x08000000,
816 0x10000000, 0x20000000, 0x40000000, 0x80000000,
817 0x1B000000, 0x36000000
818 };
819
820
821 /*
822 * Expand the cipher key into the encryption key schedule.
823 *
824 * Return the number of rounds for the given cipher key size.
825 * The size of the key schedule depends on the number of rounds
826 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
827 *
828 * Parameters:
829 * rk AES key schedule 32-bit array to be initialized
830 * cipherKey User key
831 * keyBits AES key size (128, 192, or 256 bits)
832 */
833 static int
834 rijndael_key_setup_enc_raw(uint32_t rk[], const uint32_t cipherKey[],
835 int keyBits)
836 {
837 int i = 0;
838 uint32_t temp;
839
840 rk[0] = cipherKey[0];
841 rk[1] = cipherKey[1];
842 rk[2] = cipherKey[2];
843 rk[3] = cipherKey[3];
844
845 if (keyBits == 128) {
846 for (;;) {
847 temp = rk[3];
848 rk[4] = rk[0] ^
849 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
850 (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
851 (Te4[temp & 0xff] & 0x0000ff00) ^
906
907 if (++i == 7) {
908 return (14);
909 }
910 temp = rk[11];
911 rk[12] = rk[4] ^
912 (Te4[temp >> 24] & 0xff000000) ^
913 (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
914 (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
915 (Te4[temp & 0xff] & 0x000000ff);
916 rk[13] = rk[5] ^ rk[12];
917 rk[14] = rk[6] ^ rk[13];
918 rk[15] = rk[7] ^ rk[14];
919
920 rk += 8;
921 }
922 }
923
924 return (0);
925 }
926 #endif /* !__amd64 */
927
928
929 #ifdef sun4u
930
931 /*
932 * Expand the cipher key into the encryption key schedule.
933 * by the sun4u optimized assembly implementation.
934 *
935 * Return the number of rounds for the given cipher key size.
936 * The size of the key schedule depends on the number of rounds
937 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
938 *
939 * Parameters:
940 * rk AES key schedule 64-bit array to be initialized
941 * cipherKey User key
942 * keyBits AES key size (128, 192, or 256 bits)
943 */
944 static int
945 rijndael_key_setup_enc(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
946 {
947 uint32_t rk1[4 * (MAX_AES_NR + 1)];
948 uint64_t *rk64 = (uint64_t *)rk;
949 uint32_t *rkt;
950 uint64_t t;
951 int i, Nr;
952
953 Nr = rijndael_key_setup_enc_raw(rk1, cipherKey, keyBits);
954
955 for (i = 0; i < 4 * Nr; i++) {
956 t = (uint64_t)(rk1[i]);
957 rk64[i] = ((t & 0xff000000) << 11) |
958 ((t & 0xff0000) << 8) |
959 ((t & 0xffff) << 3);
960 }
961
962 rkt = (uint32_t *)(&(rk64[4 * Nr]));
963
964 for (i = 0; i < 4; i++) {
965 rkt[i] = rk1[4 * Nr+i];
966 }
967
968 return (Nr);
969 }
970
971
972 /*
973 * Expand the cipher key into the decryption key schedule as used
974 * by the sun4u optimized assembly implementation.
975 *
976 * Return the number of rounds for the given cipher key size.
977 * The size of the key schedule depends on the number of rounds
978 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
979 *
980 * Parameters:
981 * rk AES key schedule 32-bit array to be initialized
982 * cipherKey User key
983 * keyBits AES key size (128, 192, or 256 bits)
984 */
985 static int
986 rijndael_key_setup_dec_raw(uint32_t rk[], const uint32_t cipherKey[],
987 int keyBits)
988 {
989 int Nr, i;
990 uint32_t temp;
991
992 /* expand the cipher key: */
993 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
994
995 /* invert the order of the round keys: */
996
997 for (i = 0; i < 2 * Nr + 2; i++) {
998 temp = rk[i];
999 rk[i] = rk[4 * Nr - i + 3];
1000 rk[4 * Nr - i + 3] = temp;
1001 }
1002
1003 /*
1014 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1015 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
1016 Td3[Te4[rk[1] & 0xff] & 0xff];
1017 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
1018 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1019 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
1020 Td3[Te4[rk[2] & 0xff] & 0xff];
1021 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
1022 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1023 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
1024 Td3[Te4[rk[3] & 0xff] & 0xff];
1025 }
1026
1027 return (Nr);
1028 }
1029
1030
1031 /*
1032 * The size of the key schedule depends on the number of rounds
1033 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1034 *
1035 * Parameters:
1036 * rk AES key schedule 64-bit array to be initialized
1037 * cipherKey User key
1038 * keyBits AES key size (128, 192, or 256 bits)
1039 */
1040 static int
1041 rijndael_key_setup_dec(uint64_t rk[], const uint32_t cipherKey[], int keyBits)
1042 {
1043 uint32_t rk1[4 * (MAX_AES_NR + 1)];
1044 uint64_t *rk64 = (uint64_t *)rk;
1045 uint32_t *rkt;
1046 uint64_t t;
1047 int i, Nr;
1048
1049 Nr = rijndael_key_setup_dec_raw(rk1, cipherKey, keyBits);
1050 for (i = 0; i < 4 * Nr; i++) {
1051 t = (uint64_t)(rk1[i]);
1052 rk64[i] = ((t & 0xff000000) << 11) |
1053 ((t & 0xff0000) << 8) |
1054 ((t & 0xffff) << 3);
1055 }
1056
1057 rkt = (uint32_t *)(&(rk64[4 * Nr]));
1058
1059 for (i = 0; i < 4; i++) {
1060 rkt[i] = rk1[4 * Nr + i];
1061 }
1062
1063 return (Nr);
1064 }
1065
1066
1067 /*
1068 * Expand the 64-bit AES cipher key array into the encryption and decryption
1069 * key schedules.
1070 *
1071 * Parameters:
1072 * key AES key schedule to be initialized
1073 * keyarr32 User key
1074 * keyBits AES key size (128, 192, or 256 bits)
1075 */
1076 static void
1077 aes_setupkeys(aes_key_t *key, const uint32_t *keyarr32, int keybits)
1078 {
1079 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks64[0]), keyarr32,
1080 keybits);
1081 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks64[0]), keyarr32,
1082 keybits);
1083 key->type = AES_64BIT_KS;
1084 }
1085
1086
1087 #elif !defined(__amd64)
1088
1089 /*
1090 * Expand the cipher key into the decryption key schedule.
1091 * Return the number of rounds for the given cipher key size.
1092 * The size of the key schedule depends on the number of rounds
1093 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1094 *
1095 * Parameters:
1096 * rk AES key schedule 32-bit array to be initialized
1097 * cipherKey User key
1098 * keyBits AES key size (128, 192, or 256 bits)
1099 */
1100 static int
1101 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
1102 {
1103 int Nr, i, j;
1104 uint32_t temp;
1105
1106 /* expand the cipher key: */
1107 Nr = rijndael_key_setup_enc_raw(rk, cipherKey, keyBits);
1108
1109 /* invert the order of the round keys: */
1110 for (i = 0, j = 4 * Nr; i < j; i += 4, j -= 4) {
1111 temp = rk[i];
1112 rk[i] = rk[j];
1113 rk[j] = temp;
1114 temp = rk[i + 1];
1115 rk[i + 1] = rk[j + 1];
1116 rk[j + 1] = temp;
1117 temp = rk[i + 2];
1118 rk[i + 2] = rk[j + 2];
1133 Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
1134 Td3[Te4[rk[0] & 0xff] & 0xff];
1135 rk[1] = Td0[Te4[rk[1] >> 24] & 0xff] ^
1136 Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
1137 Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
1138 Td3[Te4[rk[1] & 0xff] & 0xff];
1139 rk[2] = Td0[Te4[rk[2] >> 24] & 0xff] ^
1140 Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
1141 Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
1142 Td3[Te4[rk[2] & 0xff] & 0xff];
1143 rk[3] = Td0[Te4[rk[3] >> 24] & 0xff] ^
1144 Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
1145 Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
1146 Td3[Te4[rk[3] & 0xff] & 0xff];
1147 }
1148
1149 return (Nr);
1150 }
1151
1152
1153 /*
1154 * Encrypt one block of data. The block is assumed to be an array
1155 * of four uint32_t values, so copy for alignment (and byte-order
1156 * reversal for little endian systems might be necessary on the
1157 * input and output byte streams.
1158 * The size of the key schedule depends on the number of rounds
1159 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1160 *
1161 * Parameters:
1162 * rk Key schedule, of aes_ks_t (60 32-bit integers)
1163 * Nr Number of rounds
1164 * pt Input block (plain text)
1165 * ct Output block (crypto text). Can overlap with pt
1166 */
1167 static void
1168 rijndael_encrypt(const uint32_t rk[], int Nr, const uint32_t pt[4],
1169 uint32_t ct[4])
1170 {
1171 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1172 int r;
1173
1174 /*
1175 * map byte array block to cipher state
1176 * and add initial round key:
1177 */
1178
1179 s0 = pt[0] ^ rk[0];
1180 s1 = pt[1] ^ rk[1];
1181 s2 = pt[2] ^ rk[2];
1182 s3 = pt[3] ^ rk[3];
1183
1184 /*
1185 * Nr - 1 full rounds:
1186 */
1187
1268 (Te4[t1 & 0xff] & 0x000000ff) ^
1269 rk[2];
1270 ct[2] = s2;
1271
1272 s3 = (Te4[(t3 >> 24)] & 0xff000000) ^
1273 (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1274 (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1275 (Te4[t2 & 0xff] & 0x000000ff) ^
1276 rk[3];
1277 ct[3] = s3;
1278 }
1279
1280
1281 /*
1282 * Decrypt one block of data. The block is assumed to be an array
1283 * of four uint32_t values, so copy for alignment (and byte-order
1284 * reversal for little endian systems might be necessary on the
1285 * input and output byte streams.
1286 * The size of the key schedule depends on the number of rounds
1287 * (which can be computed from the size of the key), i.e. 4*(Nr + 1).
1288 *
1289 * Parameters:
1290 * rk Key schedule, of aes_ks_t (60 32-bit integers)
1291 * Nr Number of rounds
1292 * ct Input block (crypto text)
1293 * pt Output block (plain text). Can overlap with pt
1294 */
1295 static void
1296 rijndael_decrypt(const uint32_t rk[], int Nr, const uint32_t ct[4],
1297 uint32_t pt[4])
1298 {
1299 uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
1300 int r;
1301
1302 /*
1303 * map byte array block to cipher state
1304 * and add initial round key:
1305 */
1306 s0 = ct[0] ^ rk[0];
1307 s1 = ct[1] ^ rk[1];
1308 s2 = ct[2] ^ rk[2];
1309 s3 = ct[3] ^ rk[3];
1310
1311 /*
1312 * Nr - 1 full rounds:
1313 */
1314
1315 r = Nr >> 1;
1386 (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
1387 (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
1388 (Td4[t2 & 0xff] & 0x000000ff) ^
1389 rk[1];
1390 pt[1] = s1;
1391
1392 s2 = (Td4[t2 >> 24] & 0xff000000) ^
1393 (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
1394 (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
1395 (Td4[t3 & 0xff] & 0x000000ff) ^
1396 rk[2];
1397 pt[2] = s2;
1398
1399 s3 = (Td4[t3 >> 24] & 0xff000000) ^
1400 (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
1401 (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
1402 (Td4[t0 & 0xff] & 0x000000ff) ^
1403 rk[3];
1404 pt[3] = s3;
1405 }
1406 #endif /* sun4u, !__amd64 */
1407
1408 #ifndef sun4u
1409 /*
1410 * Expand the 32-bit AES cipher key array into the encryption and decryption
1411 * key schedules.
1412 *
1413 * Parameters:
1414 * key AES key schedule to be initialized
1415 * keyarr32 User key
1416 * keyBits AES key size (128, 192, or 256 bits)
1417 */
1418 static void
1419 aes_setupkeys(aes_key_t *key, const uint32_t *keyarr32, int keybits)
1420 {
1421 key->nr = rijndael_key_setup_enc(&(key->encr_ks.ks32[0]), keyarr32,
1422 keybits);
1423 key->nr = rijndael_key_setup_dec(&(key->decr_ks.ks32[0]), keyarr32,
1424 keybits);
1425 key->type = AES_32BIT_KS;
1426 }
1427 #endif /* sun4u */
1428 /* EXPORT DELETE END */
1429
1430
1431 /*
1432 * Initialize key schedules for AES
1433 *
1434 * Parameters:
1435 * cipherKey User key
1436 * keyBits AES key size (128, 192, or 256 bits)
1437 * keysched AES key schedule to be initialized, of type aes_key_t.
1438 * Allocated by aes_alloc_keysched().
1439 */
1440 void
1441 aes_init_keysched(const uint8_t *cipherKey, uint_t keyBits, void *keysched)
1442 {
1443 /* EXPORT DELETE START */
1444 aes_key_t *newbie = keysched;
1445 uint_t keysize, i, j;
1446 union {
1447 uint64_t ka64[4];
1448 uint32_t ka32[8];
1449 } keyarr;
1450
1451 switch (keyBits) {
1452 case 128:
1453 newbie->nr = 10;
1454 break;
1455
1456 case 192:
1457 newbie->nr = 12;
1458 break;
1459
1460 case 256:
1461 newbie->nr = 14;
1462 break;
1463
1464 default:
1465 /* should never get here */
1466 return;
1467 }
1468 keysize = keyBits >> 3;
1469
1470 /*
1471 * For _LITTLE_ENDIAN machines (except AMD64), reverse every
1472 * 4 bytes in the key. On _BIG_ENDIAN and AMD64, copy the key
1473 * without reversing bytes.
1474 * For AMD64, do not byte swap for aes_setupkeys().
1475 *
1476 * SPARCv8/v9 uses a key schedule array with 64-bit elements.
1477 * X86/AMD64 uses a key schedule array with 32-bit elements.
1478 */
1479 #ifndef AES_BYTE_SWAP
1480 if (IS_P2ALIGNED(cipherKey, sizeof (uint64_t))) {
1481 for (i = 0, j = 0; j < keysize; i++, j += 8) {
1482 /* LINTED: pointer alignment */
1483 keyarr.ka64[i] = *((uint64_t *)&cipherKey[j]);
1484 }
1485 } else {
1486 bcopy(cipherKey, keyarr.ka32, keysize);
1487 }
1488
1489 #else /* byte swap */
1490 for (i = 0, j = 0; j < keysize; i++, j += 4) {
1491 keyarr.ka32[i] = (((uint32_t)cipherKey[j] << 24) |
1492 ((uint32_t)cipherKey[j + 1] << 16) |
1493 ((uint32_t)cipherKey[j + 2] << 8) |
1494 (uint32_t)cipherKey[j + 3]);
1495 }
1496 #endif
1497
1498 aes_setupkeys(newbie, keyarr.ka32, keyBits);
1499 /* EXPORT DELETE END */
1500 }
1501
1502
1503 /*
1504 * Encrypt one block using AES.
1505 * Align if needed and (for x86 32-bit only) byte-swap.
1506 *
1507 * Parameters:
1508 * ks Key schedule, of type aes_key_t
1509 * pt Input block (plain text)
1510 * ct Output block (crypto text). Can overlap with pt
1511 */
1512 void
1513 aes_encrypt_block(const void *ks, const uint8_t *pt, uint8_t *ct)
1514 {
1515 /* EXPORT DELETE START */
1516 aes_key_t *ksch = (aes_key_t *)ks;
1517
1518 #ifndef AES_BYTE_SWAP
1519 if (IS_P2ALIGNED2(pt, ct, sizeof (uint32_t))) {
1520 AES_ENCRYPT_IMPL(&ksch->encr_ks.ks32[0], ksch->nr,
1521 /* LINTED: pointer alignment */
1522 (uint32_t *)pt, (uint32_t *)ct);
1523 } else {
1524 #endif
1525 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1526
1527 /* Copy input block into buffer */
1528 #ifndef AES_BYTE_SWAP
1529 bcopy(pt, &buffer, AES_BLOCK_LEN);
1530
1531 #else /* byte swap */
1532 buffer[0] = (((uint32_t)pt[0] << 24) | ((uint32_t)pt[1] << 16) |
1533 ((uint32_t)pt[2] << 8) | (uint32_t)pt[3]);
1534 buffer[1] = (((uint32_t)pt[4] << 24) | ((uint32_t)pt[5] << 16) |
1535 ((uint32_t)pt[6] << 8) | (uint32_t)pt[7]);
1536 buffer[2] = (((uint32_t)pt[8] << 24) | ((uint32_t)pt[9] << 16) |
1537 ((uint32_t)pt[10] << 8) | (uint32_t)pt[11]);
1538 buffer[3] = (((uint32_t)pt[12] << 24) |
1539 ((uint32_t)pt[13] << 16) | ((uint32_t)pt[14] << 8) |
1540 (uint32_t)pt[15]);
1541 #endif
1542
1543 AES_ENCRYPT_IMPL(&ksch->encr_ks.ks32[0], ksch->nr,
1544 buffer, buffer);
1545
1546 /* Copy result from buffer to output block */
1547 #ifndef AES_BYTE_SWAP
1548 bcopy(&buffer, ct, AES_BLOCK_LEN);
1549 }
1550
1551 #else /* byte swap */
1552 ct[0] = buffer[0] >> 24;
1553 ct[1] = buffer[0] >> 16;
1554 ct[2] = buffer[0] >> 8;
1555 ct[3] = (uint8_t)buffer[0];
1556 ct[4] = buffer[1] >> 24;
1557 ct[5] = buffer[1] >> 16;
1558 ct[6] = buffer[1] >> 8;
1559 ct[7] = (uint8_t)buffer[1];
1560 ct[8] = buffer[2] >> 24;
1561 ct[9] = buffer[2] >> 16;
1562 ct[10] = buffer[2] >> 8;
1563 ct[11] = (uint8_t)buffer[2];
1564 ct[12] = buffer[3] >> 24;
1565 ct[13] = buffer[3] >> 16;
1566 ct[14] = buffer[3] >> 8;
1567 ct[15] = (uint8_t)buffer[3];
1568 #endif
1569 /* EXPORT DELETE END */
1570 }
1571
1572
1573 /*
1574 * Decrypt one block using AES.
1575 * Align and byte-swap if needed.
1576 *
1577 * Parameters:
1578 * ks Key schedule, of type aes_key_t
1579 * ct Input block (crypto text)
1580 * pt Output block (plain text). Can overlap with pt
1581 */
1582 void
1583 aes_decrypt_block(const void *ks, const uint8_t *ct, uint8_t *pt)
1584 {
1585 /* EXPORT DELETE START */
1586 aes_key_t *ksch = (aes_key_t *)ks;
1587
1588 #ifndef AES_BYTE_SWAP
1589 if (IS_P2ALIGNED2(ct, pt, sizeof (uint32_t))) {
1590 AES_DECRYPT_IMPL(&ksch->decr_ks.ks32[0], ksch->nr,
1591 /* LINTED: pointer alignment */
1592 (uint32_t *)ct, (uint32_t *)pt);
1593 } else {
1594 #endif
1595 uint32_t buffer[AES_BLOCK_LEN / sizeof (uint32_t)];
1596
1597 /* Copy input block into buffer */
1598 #ifndef AES_BYTE_SWAP
1599 bcopy(ct, &buffer, AES_BLOCK_LEN);
1600
1601 #else /* byte swap */
1602 buffer[0] = (((uint32_t)ct[0] << 24) | ((uint32_t)ct[1] << 16) |
1603 ((uint32_t)ct[2] << 8) | (uint32_t)ct[3]);
1604
1605 buffer[1] = (((uint32_t)ct[4] << 24) | ((uint32_t)ct[5] << 16) |
1606 ((uint32_t)ct[6] << 8) | (uint32_t)ct[7]);
1607
1608 buffer[2] = (((uint32_t)ct[8] << 24) | ((uint32_t)ct[9] << 16) |
1609 ((uint32_t)ct[10] << 8) | (uint32_t)ct[11]);
1610
1611 buffer[3] = (((uint32_t)ct[12] << 24) |
1612 ((uint32_t)ct[13] << 16) | ((uint32_t)ct[14] << 8) |
1613 (uint32_t)ct[15]);
1614 #endif
1615
1616 AES_DECRYPT_IMPL(&ksch->decr_ks.ks32[0], ksch->nr,
1617 buffer, buffer);
1618
1619 /* Copy result from buffer to output block */
1620 #ifndef AES_BYTE_SWAP
1621 bcopy(&buffer, pt, AES_BLOCK_LEN);
1622 }
1623
1624 #else /* byte swap */
1625 pt[0] = buffer[0] >> 24;
1626 pt[1] = buffer[0] >> 16;
1627 pt[2] = buffer[0] >> 8;
1628 pt[3] = (uint8_t)buffer[0];
1629 pt[4] = buffer[1] >> 24;
1630 pt[5] = buffer[1] >> 16;
1631 pt[6] = buffer[1] >> 8;
1632 pt[7] = (uint8_t)buffer[1];
1633 pt[8] = buffer[2] >> 24;
1634 pt[9] = buffer[2] >> 16;
1635 pt[10] = buffer[2] >> 8;
1636 pt[11] = (uint8_t)buffer[2];
1637 pt[12] = buffer[3] >> 24;
1638 pt[13] = buffer[3] >> 16;
1639 pt[14] = buffer[3] >> 8;
1640 pt[15] = (uint8_t)buffer[3];
1641 #endif
1642
1643 /* EXPORT DELETE END */
1644 }
1645
1646
1647 /*
1648 * Allocate key schedule for AES.
1649 *
1650 * Return the pointer and set size to the number of bytes allocated.
1651 * Memory allocated must be freed by the caller when done.
1652 *
1653 * Parameters:
1654 * size Size of key schedule allocated, in bytes
1655 * kmflag Flag passed to kmem_alloc(9F); ignored in userland.
1656 */
1657 /* ARGSUSED */
1658 void *
1659 aes_alloc_keysched(size_t *size, int kmflag)
1660 {
1661 /* EXPORT DELETE START */
1662 aes_key_t *keysched;
1663
1664 #ifdef _KERNEL
1665 keysched = (aes_key_t *)kmem_alloc(sizeof (aes_key_t), kmflag);
1666 #else /* !_KERNEL */
1667 keysched = (aes_key_t *)malloc(sizeof (aes_key_t));
1668 #endif /* _KERNEL */
1669
1670 if (keysched != NULL) {
1671 *size = sizeof (aes_key_t);
1672 return (keysched);
1673 }
1674 /* EXPORT DELETE END */
1675 return (NULL);
1676 }
|