1 /*
2 * ---------------------------------------------------------------------------
3 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
4 *
5 * LICENSE TERMS
6 *
7 * The free distribution and use of this software is allowed (with or without
8 * changes) provided that:
9 *
10 * 1. source code distributions include the above copyright notice, this
11 * list of conditions and the following disclaimer;
12 *
13 * 2. binary distributions include the above copyright notice, this list
14 * of conditions and the following disclaimer in their documentation;
15 *
16 * 3. the name of the copyright holder is not used to endorse products
17 * built using this software without specific written permission.
18 *
19 * DISCLAIMER
20 *
21 * This software is provided 'as is' with no explicit or implied warranties
22 * in respect of its properties, including, but not limited to, correctness
23 * and/or fitness for purpose.
24 * ---------------------------------------------------------------------------
25 * Issue Date: 20/12/2007
26 */
27
28 #pragma ident "@(#)aeskey.c 1.1 08/05/21 SMI"
29
30 #include "aes_impl.h"
31 #include "aesopt.h"
32 #include "aestab.h"
33 #include "aestab2.h"
34
35 /*
36 * Initialise the key schedule from the user supplied key. The key
37 * length can be specified in bytes, with legal values of 16, 24
38 * and 32, or in bits, with legal values of 128, 192 and 256. These
39 * values correspond with Nk values of 4, 6 and 8 respectively.
40 *
41 * The following macros implement a single cycle in the key
42 * schedule generation process. The number of cycles needed
43 * for each cx->n_col and nk value is:
44 *
45 * nk = 4 5 6 7 8
46 * ------------------------------
47 * cx->n_col = 4 10 9 8 7 7
48 * cx->n_col = 5 14 11 10 9 9
49 * cx->n_col = 6 19 15 12 11 11
50 * cx->n_col = 7 21 19 16 13 14
51 * cx->n_col = 8 29 23 19 17 14
52 */
53
54 /*
55 * OpenSolaris changes
56 * 1. Added header files aes_impl.h and aestab2.h
57 * 2. Changed uint_8t and uint_32t to uint8_t and uint32_t
58 * 3. Remove code under ifdef USE_VIA_ACE_IF_PRESENT (always undefined)
59 * 4. Removed always-defined ifdefs FUNCS_IN_C, ENC_KEYING_IN_C,
60 * AES_128, AES_192, AES_256, AES_VAR defines
61 * 5. Changed aes_encrypt_key* aes_decrypt_key* functions to "static void"
62 * 6. Changed N_COLS to MAX_AES_NB
63 * 7. Replaced functions aes_encrypt_key and aes_decrypt_key with
64 * OpenSolaris-compatible functions rijndael_key_setup_enc and
65 * rijndael_key_setup_dec
66 * 8. cstyled code and removed lint warnings
67 *
68 */
69
70 #if defined(REDUCE_CODE_SIZE)
71 #define ls_box ls_sub
72 uint32_t ls_sub(const uint32_t t, const uint32_t n);
73 #define inv_mcol im_sub
74 uint32_t im_sub(const uint32_t x);
75 #ifdef ENC_KS_UNROLL
76 #undef ENC_KS_UNROLL
77 #endif
78 #ifdef DEC_KS_UNROLL
79 #undef DEC_KS_UNROLL
80 #endif
81 #endif /* REDUCE_CODE_SIZE */
82
83
84 #define ke4(k, i) \
85 { k[4 * (i) + 4] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
86 k[4 * (i) + 5] = ss[1] ^= ss[0]; \
87 k[4 * (i) + 6] = ss[2] ^= ss[1]; \
88 k[4 * (i) + 7] = ss[3] ^= ss[2]; \
89 }
90
91 static void
92 aes_encrypt_key128(const unsigned char *key, uint32_t rk[])
93 {
94 uint32_t ss[4];
95
96 rk[0] = ss[0] = word_in(key, 0);
97 rk[1] = ss[1] = word_in(key, 1);
98 rk[2] = ss[2] = word_in(key, 2);
99 rk[3] = ss[3] = word_in(key, 3);
100
101 #ifdef ENC_KS_UNROLL
102 ke4(rk, 0); ke4(rk, 1);
103 ke4(rk, 2); ke4(rk, 3);
104 ke4(rk, 4); ke4(rk, 5);
105 ke4(rk, 6); ke4(rk, 7);
106 ke4(rk, 8);
107 #else
108 {
109 uint32_t i;
110 for (i = 0; i < 9; ++i)
111 ke4(rk, i);
112 }
113 #endif /* ENC_KS_UNROLL */
114 ke4(rk, 9);
115 }
116
117
118 #define kef6(k, i) \
119 { k[6 * (i) + 6] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
120 k[6 * (i) + 7] = ss[1] ^= ss[0]; \
121 k[6 * (i) + 8] = ss[2] ^= ss[1]; \
122 k[6 * (i) + 9] = ss[3] ^= ss[2]; \
123 }
124
125 #define ke6(k, i) \
126 { kef6(k, i); \
127 k[6 * (i) + 10] = ss[4] ^= ss[3]; \
128 k[6 * (i) + 11] = ss[5] ^= ss[4]; \
129 }
130
131 static void
132 aes_encrypt_key192(const unsigned char *key, uint32_t rk[])
133 {
134 uint32_t ss[6];
135
136 rk[0] = ss[0] = word_in(key, 0);
137 rk[1] = ss[1] = word_in(key, 1);
138 rk[2] = ss[2] = word_in(key, 2);
139 rk[3] = ss[3] = word_in(key, 3);
140 rk[4] = ss[4] = word_in(key, 4);
141 rk[5] = ss[5] = word_in(key, 5);
142
143 #ifdef ENC_KS_UNROLL
144 ke6(rk, 0); ke6(rk, 1);
145 ke6(rk, 2); ke6(rk, 3);
146 ke6(rk, 4); ke6(rk, 5);
147 ke6(rk, 6);
148 #else
149 {
150 uint32_t i;
151 for (i = 0; i < 7; ++i)
152 ke6(rk, i);
153 }
154 #endif /* ENC_KS_UNROLL */
155 kef6(rk, 7);
156 }
157
158
159
160 #define kef8(k, i) \
161 { k[8 * (i) + 8] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
162 k[8 * (i) + 9] = ss[1] ^= ss[0]; \
163 k[8 * (i) + 10] = ss[2] ^= ss[1]; \
164 k[8 * (i) + 11] = ss[3] ^= ss[2]; \
165 }
166
167 #define ke8(k, i) \
168 { kef8(k, i); \
169 k[8 * (i) + 12] = ss[4] ^= ls_box(ss[3], 0); \
170 k[8 * (i) + 13] = ss[5] ^= ss[4]; \
171 k[8 * (i) + 14] = ss[6] ^= ss[5]; \
172 k[8 * (i) + 15] = ss[7] ^= ss[6]; \
173 }
174
175 static void
176 aes_encrypt_key256(const unsigned char *key, uint32_t rk[])
177 {
178 uint32_t ss[8];
179
180 rk[0] = ss[0] = word_in(key, 0);
181 rk[1] = ss[1] = word_in(key, 1);
182 rk[2] = ss[2] = word_in(key, 2);
183 rk[3] = ss[3] = word_in(key, 3);
184 rk[4] = ss[4] = word_in(key, 4);
185 rk[5] = ss[5] = word_in(key, 5);
186 rk[6] = ss[6] = word_in(key, 6);
187 rk[7] = ss[7] = word_in(key, 7);
188
189 #ifdef ENC_KS_UNROLL
190 ke8(rk, 0); ke8(rk, 1);
191 ke8(rk, 2); ke8(rk, 3);
192 ke8(rk, 4); ke8(rk, 5);
193 #else
194 {
195 uint32_t i;
196 for (i = 0; i < 6; ++i)
197 ke8(rk, i);
198 }
199 #endif /* ENC_KS_UNROLL */
200 kef8(rk, 6);
201 }
202
203
204 /*
205 * Expand the cipher key into the encryption key schedule.
206 *
207 * Return the number of rounds for the given cipher key size.
208 * The size of the key schedule depends on the number of rounds
209 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
210 *
211 * Parameters:
212 * rk AES key schedule 32-bit array to be initialized
213 * cipherKey User key
214 * keyBits AES key size (128, 192, or 256 bits)
215 */
216 int
217 rijndael_key_setup_enc(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
218 {
219 switch (keyBits) {
220 case 128:
221 aes_encrypt_key128((unsigned char *)&cipherKey[0], rk);
222 return (10);
223 case 192:
224 aes_encrypt_key192((unsigned char *)&cipherKey[0], rk);
225 return (12);
226 case 256:
227 aes_encrypt_key256((unsigned char *)&cipherKey[0], rk);
228 return (14);
229 default: /* should never get here */
230 break;
231 }
232
233 return (0);
234 }
235
236
237 /* this is used to store the decryption round keys */
238 /* in forward or reverse order */
239
240 #ifdef AES_REV_DKS
241 #define v(n, i) ((n) - (i) + 2 * ((i) & 3))
242 #else
243 #define v(n, i) (i)
244 #endif
245
246 #if DEC_ROUND == NO_TABLES
247 #define ff(x) (x)
248 #else
249 #define ff(x) inv_mcol(x)
250 #if defined(dec_imvars)
251 #define d_vars dec_imvars
252 #endif
253 #endif /* FUNCS_IN_C & DEC_KEYING_IN_C */
254
255
256 #define k4e(k, i) \
257 { k[v(40, (4 * (i)) + 4)] = ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
258 k[v(40, (4 * (i)) + 5)] = ss[1] ^= ss[0]; \
259 k[v(40, (4 * (i)) + 6)] = ss[2] ^= ss[1]; \
260 k[v(40, (4 * (i)) + 7)] = ss[3] ^= ss[2]; \
261 }
262
263 #if 1
264
265 #define kdf4(k, i) \
266 { ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
267 ss[1] = ss[1] ^ ss[3]; \
268 ss[2] = ss[2] ^ ss[3]; \
269 ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
270 ss[i % 4] ^= ss[4]; \
271 ss[4] ^= k[v(40, (4 * (i)))]; k[v(40, (4 * (i)) + 4)] = ff(ss[4]); \
272 ss[4] ^= k[v(40, (4 * (i)) + 1)]; k[v(40, (4 * (i)) + 5)] = ff(ss[4]); \
273 ss[4] ^= k[v(40, (4 * (i)) + 2)]; k[v(40, (4 * (i)) + 6)] = ff(ss[4]); \
274 ss[4] ^= k[v(40, (4 * (i)) + 3)]; k[v(40, (4 * (i)) + 7)] = ff(ss[4]); \
275 }
276
277 #define kd4(k, i) \
278 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
279 ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
280 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
281 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
282 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
283 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
284 }
285
286 #define kdl4(k, i) \
287 { ss[4] = ls_box(ss[(i + 3) % 4], 3) ^ t_use(r, c)[i]; \
288 ss[i % 4] ^= ss[4]; \
289 k[v(40, (4 * (i)) + 4)] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
290 k[v(40, (4 * (i)) + 5)] = ss[1] ^ ss[3]; \
291 k[v(40, (4 * (i)) + 6)] = ss[0]; \
292 k[v(40, (4 * (i)) + 7)] = ss[1]; \
293 }
294
295 #else
296
297 #define kdf4(k, i) \
298 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
299 k[v(40, (4 * (i)) + 4)] = ff(ss[0]); \
300 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ff(ss[1]); \
301 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ff(ss[2]); \
302 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ff(ss[3]); \
303 }
304
305 #define kd4(k, i) \
306 { ss[4] = ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
307 ss[0] ^= ss[4]; \
308 ss[4] = ff(ss[4]); \
309 k[v(40, (4 * (i)) + 4)] = ss[4] ^= k[v(40, (4 * (i)))]; \
310 ss[1] ^= ss[0]; \
311 k[v(40, (4 * (i)) + 5)] = ss[4] ^= k[v(40, (4 * (i)) + 1)]; \
312 ss[2] ^= ss[1]; \
313 k[v(40, (4 * (i)) + 6)] = ss[4] ^= k[v(40, (4 * (i)) + 2)]; \
314 ss[3] ^= ss[2]; \
315 k[v(40, (4 * (i)) + 7)] = ss[4] ^= k[v(40, (4 * (i)) + 3)]; \
316 }
317
318 #define kdl4(k, i) \
319 { ss[0] ^= ls_box(ss[3], 3) ^ t_use(r, c)[i]; \
320 k[v(40, (4 * (i)) + 4)] = ss[0]; \
321 ss[1] ^= ss[0]; k[v(40, (4 * (i)) + 5)] = ss[1]; \
322 ss[2] ^= ss[1]; k[v(40, (4 * (i)) + 6)] = ss[2]; \
323 ss[3] ^= ss[2]; k[v(40, (4 * (i)) + 7)] = ss[3]; \
324 }
325
326 #endif
327
328 static void
329 aes_decrypt_key128(const unsigned char *key, uint32_t rk[])
330 {
331 uint32_t ss[5];
332 #if defined(d_vars)
333 d_vars;
334 #endif
335 rk[v(40, (0))] = ss[0] = word_in(key, 0);
336 rk[v(40, (1))] = ss[1] = word_in(key, 1);
337 rk[v(40, (2))] = ss[2] = word_in(key, 2);
338 rk[v(40, (3))] = ss[3] = word_in(key, 3);
339
340 #ifdef DEC_KS_UNROLL
341 kdf4(rk, 0); kd4(rk, 1);
342 kd4(rk, 2); kd4(rk, 3);
343 kd4(rk, 4); kd4(rk, 5);
344 kd4(rk, 6); kd4(rk, 7);
345 kd4(rk, 8); kdl4(rk, 9);
346 #else
347 {
348 uint32_t i;
349 for (i = 0; i < 10; ++i)
350 k4e(rk, i);
351 #if !(DEC_ROUND == NO_TABLES)
352 for (i = MAX_AES_NB; i < 10 * MAX_AES_NB; ++i)
353 rk[i] = inv_mcol(rk[i]);
354 #endif
355 }
356 #endif /* DEC_KS_UNROLL */
357 }
358
359
360
361 #define k6ef(k, i) \
362 { k[v(48, (6 * (i)) + 6)] = ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
363 k[v(48, (6 * (i)) + 7)] = ss[1] ^= ss[0]; \
364 k[v(48, (6 * (i)) + 8)] = ss[2] ^= ss[1]; \
365 k[v(48, (6 * (i)) + 9)] = ss[3] ^= ss[2]; \
366 }
367
368 #define k6e(k, i) \
369 { k6ef(k, i); \
370 k[v(48, (6 * (i)) + 10)] = ss[4] ^= ss[3]; \
371 k[v(48, (6 * (i)) + 11)] = ss[5] ^= ss[4]; \
372 }
373
374 #define kdf6(k, i) \
375 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
376 k[v(48, (6 * (i)) + 6)] = ff(ss[0]); \
377 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ff(ss[1]); \
378 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ff(ss[2]); \
379 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ff(ss[3]); \
380 ss[4] ^= ss[3]; k[v(48, (6 * (i)) + 10)] = ff(ss[4]); \
381 ss[5] ^= ss[4]; k[v(48, (6 * (i)) + 11)] = ff(ss[5]); \
382 }
383
384 #define kd6(k, i) \
385 { ss[6] = ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
386 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); \
387 k[v(48, (6 * (i)) + 6)] = ss[6] ^= k[v(48, (6 * (i)))]; \
388 ss[1] ^= ss[0]; \
389 k[v(48, (6 * (i)) + 7)] = ss[6] ^= k[v(48, (6 * (i)) + 1)]; \
390 ss[2] ^= ss[1]; \
391 k[v(48, (6 * (i)) + 8)] = ss[6] ^= k[v(48, (6 * (i)) + 2)]; \
392 ss[3] ^= ss[2]; \
393 k[v(48, (6 * (i)) + 9)] = ss[6] ^= k[v(48, (6 * (i)) + 3)]; \
394 ss[4] ^= ss[3]; \
395 k[v(48, (6 * (i)) + 10)] = ss[6] ^= k[v(48, (6 * (i)) + 4)]; \
396 ss[5] ^= ss[4]; \
397 k[v(48, (6 * (i)) + 11)] = ss[6] ^= k[v(48, (6 * (i)) + 5)]; \
398 }
399
400 #define kdl6(k, i) \
401 { ss[0] ^= ls_box(ss[5], 3) ^ t_use(r, c)[i]; \
402 k[v(48, (6 * (i)) + 6)] = ss[0]; \
403 ss[1] ^= ss[0]; k[v(48, (6 * (i)) + 7)] = ss[1]; \
404 ss[2] ^= ss[1]; k[v(48, (6 * (i)) + 8)] = ss[2]; \
405 ss[3] ^= ss[2]; k[v(48, (6 * (i)) + 9)] = ss[3]; \
406 }
407
408 static void
409 aes_decrypt_key192(const unsigned char *key, uint32_t rk[])
410 {
411 uint32_t ss[7];
412 #if defined(d_vars)
413 d_vars;
414 #endif
415 rk[v(48, (0))] = ss[0] = word_in(key, 0);
416 rk[v(48, (1))] = ss[1] = word_in(key, 1);
417 rk[v(48, (2))] = ss[2] = word_in(key, 2);
418 rk[v(48, (3))] = ss[3] = word_in(key, 3);
419
420 #ifdef DEC_KS_UNROLL
421 ss[4] = word_in(key, 4);
422 rk[v(48, (4))] = ff(ss[4]);
423 ss[5] = word_in(key, 5);
424 rk[v(48, (5))] = ff(ss[5]);
425 kdf6(rk, 0); kd6(rk, 1);
426 kd6(rk, 2); kd6(rk, 3);
427 kd6(rk, 4); kd6(rk, 5);
428 kd6(rk, 6); kdl6(rk, 7);
429 #else
430 rk[v(48, (4))] = ss[4] = word_in(key, 4);
431 rk[v(48, (5))] = ss[5] = word_in(key, 5);
432 {
433 uint32_t i;
434
435 for (i = 0; i < 7; ++i)
436 k6e(rk, i);
437 k6ef(rk, 7);
438 #if !(DEC_ROUND == NO_TABLES)
439 for (i = MAX_AES_NB; i < 12 * MAX_AES_NB; ++i)
440 rk[i] = inv_mcol(rk[i]);
441 #endif
442 }
443 #endif
444 }
445
446
447
448 #define k8ef(k, i) \
449 { k[v(56, (8 * (i)) + 8)] = ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
450 k[v(56, (8 * (i)) + 9)] = ss[1] ^= ss[0]; \
451 k[v(56, (8 * (i)) + 10)] = ss[2] ^= ss[1]; \
452 k[v(56, (8 * (i)) + 11)] = ss[3] ^= ss[2]; \
453 }
454
455 #define k8e(k, i) \
456 { k8ef(k, i); \
457 k[v(56, (8 * (i)) + 12)] = ss[4] ^= ls_box(ss[3], 0); \
458 k[v(56, (8 * (i)) + 13)] = ss[5] ^= ss[4]; \
459 k[v(56, (8 * (i)) + 14)] = ss[6] ^= ss[5]; \
460 k[v(56, (8 * (i)) + 15)] = ss[7] ^= ss[6]; \
461 }
462
463 #define kdf8(k, i) \
464 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
465 k[v(56, (8 * (i)) + 8)] = ff(ss[0]); \
466 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ff(ss[1]); \
467 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ff(ss[2]); \
468 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ff(ss[3]); \
469 ss[4] ^= ls_box(ss[3], 0); k[v(56, (8 * (i)) + 12)] = ff(ss[4]); \
470 ss[5] ^= ss[4]; k[v(56, (8 * (i)) + 13)] = ff(ss[5]); \
471 ss[6] ^= ss[5]; k[v(56, (8 * (i)) + 14)] = ff(ss[6]); \
472 ss[7] ^= ss[6]; k[v(56, (8 * (i)) + 15)] = ff(ss[7]); \
473 }
474
475 #define kd8(k, i) \
476 { ss[8] = ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
477 ss[0] ^= ss[8]; \
478 ss[8] = ff(ss[8]); \
479 k[v(56, (8 * (i)) + 8)] = ss[8] ^= k[v(56, (8 * (i)))]; \
480 ss[1] ^= ss[0]; \
481 k[v(56, (8 * (i)) + 9)] = ss[8] ^= k[v(56, (8 * (i)) + 1)]; \
482 ss[2] ^= ss[1]; \
483 k[v(56, (8 * (i)) + 10)] = ss[8] ^= k[v(56, (8 * (i)) + 2)]; \
484 ss[3] ^= ss[2]; \
485 k[v(56, (8 * (i)) + 11)] = ss[8] ^= k[v(56, (8 * (i)) + 3)]; \
486 ss[8] = ls_box(ss[3], 0); \
487 ss[4] ^= ss[8]; \
488 ss[8] = ff(ss[8]); \
489 k[v(56, (8 * (i)) + 12)] = ss[8] ^= k[v(56, (8 * (i)) + 4)]; \
490 ss[5] ^= ss[4]; \
491 k[v(56, (8 * (i)) + 13)] = ss[8] ^= k[v(56, (8 * (i)) + 5)]; \
492 ss[6] ^= ss[5]; \
493 k[v(56, (8 * (i)) + 14)] = ss[8] ^= k[v(56, (8 * (i)) + 6)]; \
494 ss[7] ^= ss[6]; \
495 k[v(56, (8 * (i)) + 15)] = ss[8] ^= k[v(56, (8 * (i)) + 7)]; \
496 }
497
498 #define kdl8(k, i) \
499 { ss[0] ^= ls_box(ss[7], 3) ^ t_use(r, c)[i]; \
500 k[v(56, (8 * (i)) + 8)] = ss[0]; \
501 ss[1] ^= ss[0]; k[v(56, (8 * (i)) + 9)] = ss[1]; \
502 ss[2] ^= ss[1]; k[v(56, (8 * (i)) + 10)] = ss[2]; \
503 ss[3] ^= ss[2]; k[v(56, (8 * (i)) + 11)] = ss[3]; \
504 }
505
506 static void
507 aes_decrypt_key256(const unsigned char *key, uint32_t rk[])
508 {
509 uint32_t ss[9];
510 #if defined(d_vars)
511 d_vars;
512 #endif
513 rk[v(56, (0))] = ss[0] = word_in(key, 0);
514 rk[v(56, (1))] = ss[1] = word_in(key, 1);
515 rk[v(56, (2))] = ss[2] = word_in(key, 2);
516 rk[v(56, (3))] = ss[3] = word_in(key, 3);
517
518 #ifdef DEC_KS_UNROLL
519 ss[4] = word_in(key, 4);
520 rk[v(56, (4))] = ff(ss[4]);
521 ss[5] = word_in(key, 5);
522 rk[v(56, (5))] = ff(ss[5]);
523 ss[6] = word_in(key, 6);
524 rk[v(56, (6))] = ff(ss[6]);
525 ss[7] = word_in(key, 7);
526 rk[v(56, (7))] = ff(ss[7]);
527 kdf8(rk, 0); kd8(rk, 1);
528 kd8(rk, 2); kd8(rk, 3);
529 kd8(rk, 4); kd8(rk, 5);
530 kdl8(rk, 6);
531 #else
532 rk[v(56, (4))] = ss[4] = word_in(key, 4);
533 rk[v(56, (5))] = ss[5] = word_in(key, 5);
534 rk[v(56, (6))] = ss[6] = word_in(key, 6);
535 rk[v(56, (7))] = ss[7] = word_in(key, 7);
536 {
537 uint32_t i;
538
539 for (i = 0; i < 6; ++i)
540 k8e(rk, i);
541 k8ef(rk, 6);
542 #if !(DEC_ROUND == NO_TABLES)
543 for (i = MAX_AES_NB; i < 14 * MAX_AES_NB; ++i)
544 rk[i] = inv_mcol(rk[i]);
545 #endif
546 }
547 #endif /* DEC_KS_UNROLL */
548 }
549
550
551 /*
552 * Expand the cipher key into the decryption key schedule.
553 *
554 * Return the number of rounds for the given cipher key size.
555 * The size of the key schedule depends on the number of rounds
556 * (which can be computed from the size of the key), i.e. 4 * (Nr + 1).
557 *
558 * Parameters:
559 * rk AES key schedule 32-bit array to be initialized
560 * cipherKey User key
561 * keyBits AES key size (128, 192, or 256 bits)
562 */
563 int
564 rijndael_key_setup_dec(uint32_t rk[], const uint32_t cipherKey[], int keyBits)
565 {
566 switch (keyBits) {
567 case 128:
568 aes_decrypt_key128((unsigned char *)&cipherKey[0], rk);
569 return (10);
570 case 192:
571 aes_decrypt_key192((unsigned char *)&cipherKey[0], rk);
572 return (12);
573 case 256:
574 aes_decrypt_key256((unsigned char *)&cipherKey[0], rk);
575 return (14);
576 default: /* should never get here */
577 break;
578 }
579
580 return (0);
581 }