/*	$NetBSD: aes_ct64_dec.c,v 1.1 2025/11/23 22:44:14 riastradh Exp $	*/

/*
 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

/*
 * AES decryption rounds for BearSSL's 64-bit bitsliced ("ct64")
 * implementation, as imported into NetBSD's crypto/aes.
 *
 * State representation: q[0..7] are eight 64-bit bit-planes; plane i
 * holds bit i of every state byte being processed.  The mapping from
 * state bytes to bit positions within a plane is fixed by the
 * interleave/ortho routines declared alongside this code (see
 * <crypto/aes/aes_bear64.h> and BearSSL), not by anything in this
 * file; the mask and shift constants in inv_shift_rows() assume that
 * layout (16-bit row groups, 4-bit column units within a row).
 *
 * Constant-time property: every routine below consists of fixed-count
 * loops and bitwise operations on whole planes.  There are no branches
 * on, and no memory indexing by, state or key material, which is the
 * point of the bitsliced design: no cache- or branch-timing side channel
 * on the key or data.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: aes_ct64_dec.c,v 1.1 2025/11/23 22:44:14 riastradh Exp $");

#include <sys/types.h>

#include <crypto/aes/aes_bear64.h>

/*
 * see inner.h (BearSSL's internal header; the NetBSD prototype is
 * presumably the one in <crypto/aes/aes_bear64.h>, included above)
 *
 * br_aes_ct64_bitslice_invSbox: apply the AES inverse S-box to every byte
 * encoded in the bit-planes q[0..7], in place.
 *
 * BearSSL's 32-bit br_aes_ct_bitslice_invSbox() explains the trick: with
 * S(x) = A(I(x)) ^ 0x63, where I() is inversion in GF(2^8) (an involution)
 * and A() is GF(2)-linear, the inverse S-box is
 *	iS(x) = B(S(B(x ^ 0x63)) ^ 0x63)
 * with B() the inverse of A(), expressible as XORs of input bits.  That is
 * exactly the shape of this routine: complement planes 0, 1, 5 and 6 (the
 * set bits of 0x63), apply B() as the three-way XORs, call the forward
 * bitsliced S-box, then repeat the same complement-and-mix step.
 *
 * q: eight 64-bit bit-planes (at least 8 elements), updated in place.
 */
void
br_aes_ct64_bitslice_invSbox(uint64_t q[static 8])
{
	/*
	 * See br_aes_ct_bitslice_invSbox(). This is the natural extension
	 * to 64-bit registers.
	 */
	uint64_t q0, q1, q2, q3, q4, q5, q6, q7;

	/* x ^ 0x63 (bits 0, 1, 5, 6), then B(): each output bit is an XOR of three input bits. */
	q0 = ~q[0];
	q1 = ~q[1];
	q2 = q[2];
	q3 = q[3];
	q4 = q[4];
	q5 = ~q[5];
	q6 = ~q[6];
	q7 = q[7];
	q[7] = q1 ^ q4 ^ q6;
	q[6] = q0 ^ q3 ^ q5;
	q[5] = q7 ^ q2 ^ q4;
	q[4] = q6 ^ q1 ^ q3;
	q[3] = q5 ^ q0 ^ q2;
	q[2] = q4 ^ q7 ^ q1;
	q[1] = q3 ^ q6 ^ q0;
	q[0] = q2 ^ q5 ^ q7;

	/* Forward bitsliced S-box (defined elsewhere in the ct64 sources). */
	br_aes_ct64_bitslice_Sbox(q);

	/* Second ^ 0x63 and B() application, completing iS(). */
	q0 = ~q[0];
	q1 = ~q[1];
	q2 = q[2];
	q3 = q[3];
	q4 = q[4];
	q5 = ~q[5];
	q6 = ~q[6];
	q7 = q[7];
	q[7] = q1 ^ q4 ^ q6;
	q[6] = q0 ^ q3 ^ q5;
	q[5] = q7 ^ q2 ^ q4;
	q[4] = q6 ^ q1 ^ q3;
	q[3] = q5 ^ q0 ^ q2;
	q[2] = q4 ^ q7 ^ q1;
	q[1] = q3 ^ q6 ^ q0;
	q[0] = q2 ^ q5 ^ q7;
}

/*
 * add_round_key: AES AddRoundKey, XORing state plane i with subkey
 * plane sk[i].  The subkey group must already be in the same bitsliced
 * layout as q; nothing here reorders bits.
 *
 * q: eight state planes, updated in place.
 * sk: eight subkey planes for one round.
 */
static void
add_round_key(uint64_t q[static 8], const uint64_t sk[static 8])
{
	int i;

	for (i = 0; i < 8; i ++) {
		q[i] ^= sk[i];
	}
}

/*
 * inv_shift_rows: AES InvShiftRows applied to every bit-plane.
 *
 * Each plane is treated as four 16-bit row groups (row r in bits
 * 16r..16r+15).  Row 0 (the low 16 bits) is left untouched; rows 1, 2
 * and 3 are rotated left within their group by 4, 8 and 12 bits
 * respectively, i.e. by one, two and three column positions when a
 * column occupies a 4-bit unit.  This undoes the rotation performed by
 * the forward shift_rows() on the encryption side (not in this file).
 * Pure mask/shift work: no data-dependent behaviour.
 *
 * q: eight state planes, updated in place.
 */
static void
inv_shift_rows(uint64_t q[static 8])
{
	int i;

	for (i = 0; i < 8; i ++) {
		uint64_t x;

		x = q[i];
		q[i] = (x & (uint64_t)0x000000000000FFFF)
			| ((x & (uint64_t)0x000000000FFF0000) << 4)
			| ((x & (uint64_t)0x00000000F0000000) >> 12)
			| ((x & (uint64_t)0x000000FF00000000) << 8)
			| ((x & (uint64_t)0x0000FF0000000000) >> 8)
			| ((x & (uint64_t)0x000F000000000000) << 12)
			| ((x & (uint64_t)0xFFF0000000000000) >> 4);
	}
}

/*
 * rotr32: rotate a 64-bit plane by 32 bits.  A half-width rotation is
 * its own inverse, so "left" and "right" coincide here.  In the row-group
 * layout described above this exchanges rows 0<->2 and 1<->3, i.e. moves
 * every byte two rows along its column; inv_mix_columns() uses it for the
 * two-row and (combined with a 16-bit rotation) three-row terms.
 */
static inline uint64_t
rotr32(uint64_t x)
{
	return (x << 32) | (x >> 32);
}

/*
 * inv_mix_columns: AES InvMixColumns on the bit-planes.
 *
 * r_i is plane i rotated by 16 bits, i.e. by one row group, so a column's
 * four bytes are available at row offsets 0 (q_i), 1 (r_i), 2 (rotr32(q_i))
 * and 3 (rotr32(r_i)).  Multiplication by the InvMixColumns coefficients
 * 0x0e, 0x0b, 0x0d and 0x09 in GF(2^8) is GF(2)-linear in the input bits,
 * so each output plane is simply the XOR of the (plane, row-offset) pairs
 * that contribute to that bit of the product.  The particular formulas
 * come from BearSSL's 32-bit inv_mix_columns(); they are taken as given
 * here, not re-derived.  Only XOR and rotations are used, so timing is
 * independent of the state.
 *
 * q: eight state planes, updated in place.
 */
static void
inv_mix_columns(uint64_t q[static 8])
{
	uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
	uint64_t r0, r1, r2, r3, r4, r5, r6, r7;

	q0 = q[0];
	q1 = q[1];
	q2 = q[2];
	q3 = q[3];
	q4 = q[4];
	q5 = q[5];
	q6 = q[6];
	q7 = q[7];
	/* One-row rotation of each plane. */
	r0 = (q0 >> 16) | (q0 << 48);
	r1 = (q1 >> 16) | (q1 << 48);
	r2 = (q2 >> 16) | (q2 << 48);
	r3 = (q3 >> 16) | (q3 << 48);
	r4 = (q4 >> 16) | (q4 << 48);
	r5 = (q5 >> 16) | (q5 << 48);
	r6 = (q6 >> 16) | (q6 << 48);
	r7 = (q7 >> 16) | (q7 << 48);

	q[0] = q5 ^ q6 ^ q7 ^ r0 ^ r5 ^ r7 ^ rotr32(q0 ^ q5 ^ q6 ^ r0 ^ r5);
	q[1] = q0 ^ q5 ^ r0 ^ r1 ^ r5 ^ r6 ^ r7 ^ rotr32(q1 ^ q5 ^ q7 ^ r1 ^ r5 ^ r6);
	q[2] = q0 ^ q1 ^ q6 ^ r1 ^ r2 ^ r6 ^ r7 ^
		rotr32(q0 ^ q2 ^ q6 ^ r2 ^ r6 ^ r7);
	q[3] = q0 ^ q1 ^ q2 ^ q5 ^ q6 ^ r0 ^ r2 ^ r3 ^ r5 ^ rotr32(q0 ^ q1 ^ q3 ^ q5 ^ q6 ^ q7 ^ r0 ^ r3 ^ r5 ^ r7);
	q[4] = q1 ^ q2 ^ q3 ^ q5 ^ r1 ^ r3 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr32(q1 ^ q2 ^ q4 ^ q5 ^ q7 ^ r1 ^ r4 ^ r5 ^ r6);
	q[5] = q2 ^ q3 ^ q4 ^ q6 ^ r2 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr32(q2 ^ q3 ^ q5 ^ q6 ^ r2 ^ r5 ^ r6 ^ r7);
	q[6] = q3 ^ q4 ^ q5 ^ q7 ^ r3 ^ r5 ^ r6 ^ r7 ^ rotr32(q3 ^ q4 ^ q6 ^ q7 ^ r3 ^ r6 ^ r7);
	q[7] = q4 ^ q5 ^ q6 ^ r4 ^ r6 ^ r7 ^ rotr32(q4 ^ q5 ^ q7 ^ r4 ^ r7);
}

/*
 * see inner.h
 *
 * br_aes_ct64_bitslice_decrypt: run the full AES inverse cipher on the
 * bitsliced state q, in place.
 *
 * num_rounds: number of AES rounds (10, 12 or 14 for 128-, 192- and
 *	256-bit keys in standard AES).  Must be >= 1: u is unsigned, so
 *	num_rounds == 0 would wrap the loop bound and read far beyond skey.
 *	No check is made here; callers presumably pass the value recorded
 *	by the key schedule -- verify at the call sites.
 * skey: expanded key as (num_rounds + 1) groups of 8 bitsliced planes,
 *	group u at skey[8*u] (hence the "<< 3").  The [static 120] bound is
 *	15 * 8 words, which covers the 14-round (AES-256) schedule.  The
 *	same schedule as for encryption is used; the inverse cipher below
 *	applies InvMixColumns to the state rather than to the subkeys.
 * q: the eight state planes, ciphertext on entry and plaintext on return.
 *
 * Round structure (the standard inverse cipher): AddRoundKey with the
 * last subkey; then num_rounds - 1 rounds of InvShiftRows, InvSubBytes,
 * AddRoundKey, InvMixColumns; then a final round of InvShiftRows,
 * InvSubBytes and AddRoundKey with subkey 0, without InvMixColumns.
 * Loop trip count depends only on num_rounds, never on key or data.
 */
void
br_aes_ct64_bitslice_decrypt(unsigned num_rounds,
	const uint64_t skey[static 120], uint64_t q[static 8])
{
	unsigned u;

	add_round_key(q, skey + (num_rounds << 3));
	for (u = num_rounds - 1; u > 0; u --) {
		inv_shift_rows(q);
		br_aes_ct64_bitslice_invSbox(q);
		add_round_key(q, skey + (u << 3));
		inv_mix_columns(q);
	}
	inv_shift_rows(q);
	br_aes_ct64_bitslice_invSbox(q);
	add_round_key(q, skey);
}

/*
 * NetBSD addition, for generating compatible decryption keys.
 *
 * br_aes_ct64_inv_mix_columns: exported wrapper around the static
 * inv_mix_columns() above, so that code outside this file can apply
 * InvMixColumns to a bitsliced 8-plane group.  The decrypt routine above
 * does not need this (it reuses the encryption schedule); presumably the
 * NetBSD key-schedule code applies it to subkeys to produce "equivalent
 * inverse cipher" decryption round keys interoperable with other AES
 * implementations -- confirm against the caller.
 *
 * q: eight planes, updated in place.
 */
void
br_aes_ct64_inv_mix_columns(uint64_t q[static 8])
{

	inv_mix_columns(q);
}