crypto/aesni/aesni_wrap.c

210409Skib/*-
247061Spjd * Copyright (C) 2008 Damien Miller <djm@mindrot.org>
210409Skib * Copyright (c) 2010 Konstantin Belousov <kib@FreeBSD.org>
226839Spjd * Copyright (c) 2010-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
255187Sjmg * Copyright 2012-2013 John-Mark Gurney <jmg@FreeBSD.org>
275732Sjmg * Copyright (c) 2014 The FreeBSD Foundation
210409Skib * All rights reserved.
210409Skib *
275732Sjmg * Portions of this software were developed by John-Mark Gurney
275732Sjmg * under sponsorship of the FreeBSD Foundation and
275732Sjmg * Rubicon Communications, LLC (Netgate).
275732Sjmg *
210409Skib * Redistribution and use in source and binary forms, with or without
210409Skib * modification, are permitted provided that the following conditions
210409Skib * are met:
210409Skib * 1. Redistributions of source code must retain the above copyright
210409Skib *    notice, this list of conditions and the following disclaimer.
210409Skib * 2. Redistributions in binary form must reproduce the above copyright
210409Skib *    notice, this list of conditions and the following disclaimer in the
210409Skib *    documentation and/or other materials provided with the distribution.
210409Skib *
210409Skib * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
210409Skib * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
210409Skib * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
210409Skib * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
210409Skib * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
210409Skib * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
210409Skib * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
210409Skib * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
210409Skib * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
210409Skib * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
210409Skib * SUCH DAMAGE.
210409Skib */
210409Skib
210409Skib#include <sys/cdefs.h>
210409Skib__FBSDID("$FreeBSD$");
275732Sjmg
210409Skib#include <sys/param.h>
210409Skib#include <sys/libkern.h>
210409Skib#include <sys/malloc.h>
210409Skib#include <sys/proc.h>
210409Skib#include <sys/systm.h>
210409Skib#include <crypto/aesni/aesni.h>
275732Sjmg
275732Sjmg#include <opencrypto/gmac.h>
275732Sjmg
255187Sjmg#include "aesencdec.h"
275732Sjmg#include <smmintrin.h>
210409Skib
210409SkibMALLOC_DECLARE(M_AESNI);
210409Skib
257757Sjmgstruct blocks8 {
257757Sjmg	__m128i	blk[8];
257757Sjmg} __packed;
257757Sjmg
210409Skibvoid
210409Skibaesni_encrypt_cbc(int rounds, const void *key_schedule, size_t len,
300773Scem    const uint8_t *from, uint8_t *to, const uint8_t iv[static AES_BLOCK_LEN])
210409Skib{
255187Sjmg	__m128i tot, ivreg;
210409Skib	size_t i;
210409Skib
210409Skib	len /= AES_BLOCK_LEN;
255187Sjmg	ivreg = _mm_loadu_si128((const __m128i *)iv);
210409Skib	for (i = 0; i < len; i++) {
255187Sjmg		tot = aesni_enc(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from) ^ ivreg);
255187Sjmg		ivreg = tot;
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
210409Skibvoid
255187Sjmgaesni_decrypt_cbc(int rounds, const void *key_schedule, size_t len,
300773Scem    uint8_t *buf, const uint8_t iv[static AES_BLOCK_LEN])
255187Sjmg{
255187Sjmg	__m128i blocks[8];
257757Sjmg	struct blocks8 *blks;
255187Sjmg	__m128i ivreg, nextiv;
255187Sjmg	size_t i, j, cnt;
255187Sjmg
255187Sjmg	ivreg = _mm_loadu_si128((const __m128i *)iv);
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (struct blocks8 *)buf;
257757Sjmg		aesni_dec8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], &blocks[0]);
255187Sjmg		for (j = 0; j < 8; j++) {
257757Sjmg			nextiv = blks->blk[j];
257757Sjmg			blks->blk[j] = blocks[j] ^ ivreg;
255187Sjmg			ivreg = nextiv;
255187Sjmg		}
255187Sjmg		buf += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
257757Sjmg		nextiv = _mm_loadu_si128((void *)buf);
257757Sjmg		_mm_storeu_si128((void *)buf,
257757Sjmg		    aesni_dec(rounds - 1, key_schedule, nextiv) ^ ivreg);
255187Sjmg		ivreg = nextiv;
255187Sjmg		buf += AES_BLOCK_LEN;
255187Sjmg	}
255187Sjmg}
255187Sjmg
255187Sjmgvoid
210409Skibaesni_encrypt_ecb(int rounds, const void *key_schedule, size_t len,
255187Sjmg    const uint8_t *from, uint8_t *to)
210409Skib{
255187Sjmg	__m128i tot;
257757Sjmg	__m128i tout[8];
257757Sjmg	struct blocks8 *top;
257757Sjmg	const struct blocks8 *blks;
255187Sjmg	size_t i, cnt;
210409Skib
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (const struct blocks8 *)from;
257757Sjmg		top = (struct blocks8 *)to;
257757Sjmg		aesni_enc8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], tout);
257757Sjmg		top->blk[0] = tout[0];
257757Sjmg		top->blk[1] = tout[1];
257757Sjmg		top->blk[2] = tout[2];
257757Sjmg		top->blk[3] = tout[3];
257757Sjmg		top->blk[4] = tout[4];
257757Sjmg		top->blk[5] = tout[5];
257757Sjmg		top->blk[6] = tout[6];
257757Sjmg		top->blk[7] = tout[7];
255187Sjmg		from += AES_BLOCK_LEN * 8;
255187Sjmg		to += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		tot = aesni_enc(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from));
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
210409Skibvoid
210409Skibaesni_decrypt_ecb(int rounds, const void *key_schedule, size_t len,
210409Skib    const uint8_t from[AES_BLOCK_LEN], uint8_t to[AES_BLOCK_LEN])
210409Skib{
255187Sjmg	__m128i tot;
257757Sjmg	__m128i tout[8];
257757Sjmg	const struct blocks8 *blks;
257757Sjmg	struct blocks8 *top;
255187Sjmg	size_t i, cnt;
210409Skib
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (const struct blocks8 *)from;
257757Sjmg		top = (struct blocks8 *)to;
257757Sjmg		aesni_dec8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], tout);
257757Sjmg		top->blk[0] = tout[0];
257757Sjmg		top->blk[1] = tout[1];
257757Sjmg		top->blk[2] = tout[2];
257757Sjmg		top->blk[3] = tout[3];
257757Sjmg		top->blk[4] = tout[4];
257757Sjmg		top->blk[5] = tout[5];
257757Sjmg		top->blk[6] = tout[6];
257757Sjmg		top->blk[7] = tout[7];
255187Sjmg		from += AES_BLOCK_LEN * 8;
255187Sjmg		to += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		tot = aesni_dec(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from));
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
275732Sjmg/*
275732Sjmg * mixed endian increment, low 64bits stored in hi word to be compatible
275732Sjmg * with _icm's BSWAP.
275732Sjmg */
275732Sjmgstatic inline __m128i
275732Sjmgnextc(__m128i x)
275732Sjmg{
275732Sjmg	const __m128i ONE = _mm_setr_epi32(0, 0, 1, 0);
275732Sjmg	const __m128i ZERO = _mm_setzero_si128();
275732Sjmg
275732Sjmg	x = _mm_add_epi64(x, ONE);
275732Sjmg	__m128i t = _mm_cmpeq_epi64(x, ZERO);
275732Sjmg	t = _mm_unpackhi_epi64(t, ZERO);
275732Sjmg	x = _mm_sub_epi64(x, t);
275732Sjmg
275732Sjmg	return x;
275732Sjmg}
275732Sjmg
275732Sjmgvoid
275732Sjmgaesni_encrypt_icm(int rounds, const void *key_schedule, size_t len,
300773Scem    const uint8_t *from, uint8_t *to, const uint8_t iv[static AES_BLOCK_LEN])
275732Sjmg{
275732Sjmg	__m128i tot;
275732Sjmg	__m128i tmp1, tmp2, tmp3, tmp4;
275732Sjmg	__m128i tmp5, tmp6, tmp7, tmp8;
275732Sjmg	__m128i ctr1, ctr2, ctr3, ctr4;
275732Sjmg	__m128i ctr5, ctr6, ctr7, ctr8;
275732Sjmg	__m128i BSWAP_EPI64;
275732Sjmg	__m128i tout[8];
275732Sjmg	struct blocks8 *top;
275732Sjmg	const struct blocks8 *blks;
275732Sjmg	size_t i, cnt;
275732Sjmg
275732Sjmg	BSWAP_EPI64 = _mm_set_epi8(8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7);
275732Sjmg
275732Sjmg	ctr1 = _mm_loadu_si128((__m128i*)iv);
275732Sjmg	ctr1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
275732Sjmg
275732Sjmg	cnt = len / AES_BLOCK_LEN / 8;
275732Sjmg	for (i = 0; i < cnt; i++) {
275732Sjmg		tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
275732Sjmg		ctr2 = nextc(ctr1);
275732Sjmg		tmp2 = _mm_shuffle_epi8(ctr2, BSWAP_EPI64);
275732Sjmg		ctr3 = nextc(ctr2);
275732Sjmg		tmp3 = _mm_shuffle_epi8(ctr3, BSWAP_EPI64);
275732Sjmg		ctr4 = nextc(ctr3);
275732Sjmg		tmp4 = _mm_shuffle_epi8(ctr4, BSWAP_EPI64);
275732Sjmg		ctr5 = nextc(ctr4);
275732Sjmg		tmp5 = _mm_shuffle_epi8(ctr5, BSWAP_EPI64);
275732Sjmg		ctr6 = nextc(ctr5);
275732Sjmg		tmp6 = _mm_shuffle_epi8(ctr6, BSWAP_EPI64);
275732Sjmg		ctr7 = nextc(ctr6);
275732Sjmg		tmp7 = _mm_shuffle_epi8(ctr7, BSWAP_EPI64);
275732Sjmg		ctr8 = nextc(ctr7);
275732Sjmg		tmp8 = _mm_shuffle_epi8(ctr8, BSWAP_EPI64);
275732Sjmg		ctr1 = nextc(ctr8);
275732Sjmg
275732Sjmg		blks = (const struct blocks8 *)from;
275732Sjmg		top = (struct blocks8 *)to;
275732Sjmg		aesni_enc8(rounds - 1, key_schedule, tmp1, tmp2, tmp3, tmp4,
275732Sjmg		    tmp5, tmp6, tmp7, tmp8, tout);
275732Sjmg
275732Sjmg		top->blk[0] = blks->blk[0] ^ tout[0];
275732Sjmg		top->blk[1] = blks->blk[1] ^ tout[1];
275732Sjmg		top->blk[2] = blks->blk[2] ^ tout[2];
275732Sjmg		top->blk[3] = blks->blk[3] ^ tout[3];
275732Sjmg		top->blk[4] = blks->blk[4] ^ tout[4];
275732Sjmg		top->blk[5] = blks->blk[5] ^ tout[5];
275732Sjmg		top->blk[6] = blks->blk[6] ^ tout[6];
275732Sjmg		top->blk[7] = blks->blk[7] ^ tout[7];
275732Sjmg
275732Sjmg		from += AES_BLOCK_LEN * 8;
275732Sjmg		to += AES_BLOCK_LEN * 8;
275732Sjmg	}
275732Sjmg	i *= 8;
275732Sjmg	cnt = len / AES_BLOCK_LEN;
275732Sjmg	for (; i < cnt; i++) {
275732Sjmg		tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
275732Sjmg		ctr1 = nextc(ctr1);
275732Sjmg
275732Sjmg		tot = aesni_enc(rounds - 1, key_schedule, tmp1);
275732Sjmg
275732Sjmg		tot = tot ^ _mm_loadu_si128((const __m128i *)from);
275732Sjmg		_mm_storeu_si128((__m128i *)to, tot);
275732Sjmg
275732Sjmg		from += AES_BLOCK_LEN;
275732Sjmg		to += AES_BLOCK_LEN;
275732Sjmg	}
275732Sjmg
275732Sjmg	/* handle remaining partial round */
275732Sjmg	if (len % AES_BLOCK_LEN != 0) {
275732Sjmg		tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
275732Sjmg		tot = aesni_enc(rounds - 1, key_schedule, tmp1);
275732Sjmg		tot = tot ^ _mm_loadu_si128((const __m128i *)from);
275732Sjmg		memcpy(to, &tot, len % AES_BLOCK_LEN);
275732Sjmg	}
275732Sjmg}
275732Sjmg
213069Spjd#define	AES_XTS_BLOCKSIZE	16
213069Spjd#define	AES_XTS_IVSIZE		8
213069Spjd#define	AES_XTS_ALPHA		0x87	/* GF(2^128) generator polynomial */
213069Spjd
255187Sjmgstatic inline __m128i
255187Sjmgxts_crank_lfsr(__m128i inp)
255187Sjmg{
255187Sjmg	const __m128i alphamask = _mm_set_epi32(1, 1, 1, AES_XTS_ALPHA);
255187Sjmg	__m128i xtweak, ret;
255187Sjmg
255187Sjmg	/* set up xor mask */
255187Sjmg	xtweak = _mm_shuffle_epi32(inp, 0x93);
255187Sjmg	xtweak = _mm_srai_epi32(xtweak, 31);
255187Sjmg	xtweak &= alphamask;
255187Sjmg
255187Sjmg	/* next term */
255187Sjmg	ret = _mm_slli_epi32(inp, 1);
255187Sjmg	ret ^= xtweak;
255187Sjmg
255187Sjmg	return ret;
255187Sjmg}
255187Sjmg
213069Spjdstatic void
257757Sjmgaesni_crypt_xts_block(int rounds, const __m128i *key_schedule, __m128i *tweak,
257757Sjmg    const uint8_t *from, uint8_t *to, int do_encrypt)
213069Spjd{
255187Sjmg	__m128i block;
213069Spjd
257757Sjmg	block = _mm_loadu_si128((const __m128i *)from) ^ *tweak;
213069Spjd
213069Spjd	if (do_encrypt)
255187Sjmg		block = aesni_enc(rounds - 1, key_schedule, block);
213069Spjd	else
255187Sjmg		block = aesni_dec(rounds - 1, key_schedule, block);
213069Spjd
257757Sjmg	_mm_storeu_si128((__m128i *)to, block ^ *tweak);
213069Spjd
255187Sjmg	*tweak = xts_crank_lfsr(*tweak);
255187Sjmg}
226837Spjd
255187Sjmgstatic void
257757Sjmgaesni_crypt_xts_block8(int rounds, const __m128i *key_schedule, __m128i *tweak,
257757Sjmg    const uint8_t *from, uint8_t *to, int do_encrypt)
255187Sjmg{
255187Sjmg	__m128i tmptweak;
255187Sjmg	__m128i a, b, c, d, e, f, g, h;
255187Sjmg	__m128i tweaks[8];
255187Sjmg	__m128i tmp[8];
257757Sjmg	__m128i *top;
257757Sjmg	const __m128i *fromp;
255187Sjmg
255187Sjmg	tmptweak = *tweak;
255187Sjmg
255187Sjmg	/*
255187Sjmg	 * unroll the loop.  This lets gcc put values directly in the
255187Sjmg	 * register and saves memory accesses.
255187Sjmg	 */
257757Sjmg	fromp = (const __m128i *)from;
255187Sjmg#define PREPINP(v, pos) 					\
255187Sjmg		do {						\
255187Sjmg			tweaks[(pos)] = tmptweak;		\
257757Sjmg			(v) = _mm_loadu_si128(&fromp[pos]) ^	\
257757Sjmg			    tmptweak;				\
255187Sjmg			tmptweak = xts_crank_lfsr(tmptweak);	\
255187Sjmg		} while (0)
255187Sjmg	PREPINP(a, 0);
255187Sjmg	PREPINP(b, 1);
255187Sjmg	PREPINP(c, 2);
255187Sjmg	PREPINP(d, 3);
255187Sjmg	PREPINP(e, 4);
255187Sjmg	PREPINP(f, 5);
255187Sjmg	PREPINP(g, 6);
255187Sjmg	PREPINP(h, 7);
255187Sjmg	*tweak = tmptweak;
255187Sjmg
255187Sjmg	if (do_encrypt)
255187Sjmg		aesni_enc8(rounds - 1, key_schedule, a, b, c, d, e, f, g, h,
255187Sjmg		    tmp);
255187Sjmg	else
255187Sjmg		aesni_dec8(rounds - 1, key_schedule, a, b, c, d, e, f, g, h,
255187Sjmg		    tmp);
255187Sjmg
257757Sjmg	top = (__m128i *)to;
257757Sjmg	_mm_storeu_si128(&top[0], tmp[0] ^ tweaks[0]);
257757Sjmg	_mm_storeu_si128(&top[1], tmp[1] ^ tweaks[1]);
257757Sjmg	_mm_storeu_si128(&top[2], tmp[2] ^ tweaks[2]);
257757Sjmg	_mm_storeu_si128(&top[3], tmp[3] ^ tweaks[3]);
257757Sjmg	_mm_storeu_si128(&top[4], tmp[4] ^ tweaks[4]);
257757Sjmg	_mm_storeu_si128(&top[5], tmp[5] ^ tweaks[5]);
257757Sjmg	_mm_storeu_si128(&top[6], tmp[6] ^ tweaks[6]);
257757Sjmg	_mm_storeu_si128(&top[7], tmp[7] ^ tweaks[7]);
213069Spjd}
213069Spjd
213069Spjdstatic void
257757Sjmgaesni_crypt_xts(int rounds, const __m128i *data_schedule,
257757Sjmg    const __m128i *tweak_schedule, size_t len, const uint8_t *from,
300773Scem    uint8_t *to, const uint8_t iv[static AES_BLOCK_LEN], int do_encrypt)
213069Spjd{
255187Sjmg	__m128i tweakreg;
255187Sjmg	uint8_t tweak[AES_XTS_BLOCKSIZE] __aligned(16);
255187Sjmg	size_t i, cnt;
213069Spjd
213069Spjd	/*
213069Spjd	 * Prepare tweak as E_k2(IV). IV is specified as LE representation
213069Spjd	 * of a 64-bit block number which we allow to be passed in directly.
213069Spjd	 */
226837Spjd#if BYTE_ORDER == LITTLE_ENDIAN
226837Spjd	bcopy(iv, tweak, AES_XTS_IVSIZE);
213069Spjd	/* Last 64 bits of IV are always zero. */
213069Spjd	bzero(tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
226837Spjd#else
226837Spjd#error Only LITTLE_ENDIAN architectures are supported.
226837Spjd#endif
255187Sjmg	tweakreg = _mm_loadu_si128((__m128i *)&tweak[0]);
255187Sjmg	tweakreg = aesni_enc(rounds - 1, tweak_schedule, tweakreg);
213069Spjd
255187Sjmg	cnt = len / AES_XTS_BLOCKSIZE / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
255187Sjmg		aesni_crypt_xts_block8(rounds, data_schedule, &tweakreg,
257757Sjmg		    from, to, do_encrypt);
255187Sjmg		from += AES_XTS_BLOCKSIZE * 8;
255187Sjmg		to += AES_XTS_BLOCKSIZE * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_XTS_BLOCKSIZE;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		aesni_crypt_xts_block(rounds, data_schedule, &tweakreg,
257757Sjmg		    from, to, do_encrypt);
213069Spjd		from += AES_XTS_BLOCKSIZE;
213069Spjd		to += AES_XTS_BLOCKSIZE;
213069Spjd	}
213069Spjd}
213069Spjd
255187Sjmgvoid
213069Spjdaesni_encrypt_xts(int rounds, const void *data_schedule,
213069Spjd    const void *tweak_schedule, size_t len, const uint8_t *from, uint8_t *to,
300773Scem    const uint8_t iv[static AES_BLOCK_LEN])
213069Spjd{
213069Spjd
213069Spjd	aesni_crypt_xts(rounds, data_schedule, tweak_schedule, len, from, to,
213069Spjd	    iv, 1);
213069Spjd}
213069Spjd
255187Sjmgvoid
213069Spjdaesni_decrypt_xts(int rounds, const void *data_schedule,
213069Spjd    const void *tweak_schedule, size_t len, const uint8_t *from, uint8_t *to,
300773Scem    const uint8_t iv[static AES_BLOCK_LEN])
213069Spjd{
213069Spjd
213069Spjd	aesni_crypt_xts(rounds, data_schedule, tweak_schedule, len, from, to,
213069Spjd	    iv, 0);
213069Spjd}
213069Spjd
267815Skibint
213066Spjdaesni_cipher_setup_common(struct aesni_session *ses, const uint8_t *key,
213066Spjd    int keylen)
210409Skib{
275732Sjmg	int decsched;
210409Skib
275732Sjmg	decsched = 1;
275732Sjmg
213069Spjd	switch (ses->algo) {
275732Sjmg	case CRYPTO_AES_ICM:
275732Sjmg	case CRYPTO_AES_NIST_GCM_16:
275732Sjmg		decsched = 0;
275732Sjmg		/* FALLTHROUGH */
213069Spjd	case CRYPTO_AES_CBC:
213069Spjd		switch (keylen) {
213069Spjd		case 128:
213069Spjd			ses->rounds = AES128_ROUNDS;
213069Spjd			break;
213069Spjd		case 192:
213069Spjd			ses->rounds = AES192_ROUNDS;
213069Spjd			break;
213069Spjd		case 256:
213069Spjd			ses->rounds = AES256_ROUNDS;
213069Spjd			break;
213069Spjd		default:
275732Sjmg			CRYPTDEB("invalid CBC/ICM/GCM key length");
213069Spjd			return (EINVAL);
213069Spjd		}
210409Skib		break;
213069Spjd	case CRYPTO_AES_XTS:
213069Spjd		switch (keylen) {
213069Spjd		case 256:
213069Spjd			ses->rounds = AES128_ROUNDS;
213069Spjd			break;
213069Spjd		case 512:
213069Spjd			ses->rounds = AES256_ROUNDS;
213069Spjd			break;
213069Spjd		default:
275732Sjmg			CRYPTDEB("invalid XTS key length");
213069Spjd			return (EINVAL);
213069Spjd		}
210409Skib		break;
210409Skib	default:
210409Skib		return (EINVAL);
210409Skib	}
213069Spjd
213066Spjd	aesni_set_enckey(key, ses->enc_schedule, ses->rounds);
275732Sjmg	if (decsched)
275732Sjmg		aesni_set_deckey(ses->enc_schedule, ses->dec_schedule,
275732Sjmg		    ses->rounds);
275732Sjmg
275732Sjmg	if (ses->algo == CRYPTO_AES_XTS)
213069Spjd		aesni_set_enckey(key + keylen / 16, ses->xts_schedule,
213069Spjd		    ses->rounds);
210409Skib
213066Spjd	return (0);
210409Skib}