^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* gf128mul.h - GF(2^128) multiplication functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright (c) 2003, Dr Brian Gladman, Worcester, UK.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Based on Dr Brian Gladman's (GPL'd) work published at
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * http://fp.gladman.plus.com/cryptography_technology/index.htm
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * See the original copyright notice below.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * This program is free software; you can redistribute it and/or modify it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * under the terms of the GNU General Public License as published by the Free
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * Software Foundation; either version 2 of the License, or (at your option)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * any later version.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) ---------------------------------------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) LICENSE TERMS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) The free distribution and use of this software in both source and binary
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) form is allowed (with or without changes) provided that:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) 1. distributions of this source code include the above copyright
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) notice, this list of conditions and the following disclaimer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) 2. distributions in binary form include the above copyright
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) notice, this list of conditions and the following disclaimer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) in the documentation and/or other associated materials;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) 3. the copyright holder's name is not used to endorse products
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) built using this software without specific written permission.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) ALTERNATIVELY, provided that this notice is retained in full, this product
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) may be distributed under the terms of the GNU General Public License (GPL),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) in which case the provisions of the GPL apply INSTEAD OF those given above.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) DISCLAIMER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) This software is provided 'as is' with no explicit or implied warranties
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) in respect of its properties, including, but not limited to, correctness
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) and/or fitness for purpose.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) ---------------------------------------------------------------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) Issue Date: 31/01/2006
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) An implementation of field multiplication in Galois Field GF(2^128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #ifndef _CRYPTO_GF128MUL_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) #define _CRYPTO_GF128MUL_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) #include <asm/byteorder.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #include <crypto/b128ops.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) /* Comment by Rik:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) * For some background on GF(2^128) see for example:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) * The elements of GF(2^128) := GF(2)[X]/(X^128-X^7-X^2-X^1-1) can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) * be mapped to computer memory in a variety of ways. Let's examine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) * three common cases.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) * Take a look at the 16 binary octets below in memory order. The msb's
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) * are left and the lsb's are right. char b[16] is an array and b[0] is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) * the first octet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) * 10000000 00000000 00000000 00000000 .... 00000000 00000000 00000000
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) * b[0] b[1] b[2] b[3] b[13] b[14] b[15]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) * Every bit is a coefficient of some power of X. We can store the bits
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) * in every byte in little-endian order and the bytes themselves also in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) * little endian order. I will call this lle (little-little-endian).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) * The above buffer represents the polynomial 1, and X^7+X^2+X^1+1 looks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) * like 11100001 00000000 .... 00000000 = { 0xE1, 0x00, }.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) * This format was originally implemented in gf128mul and is used
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) * in GCM (Galois/Counter mode) and in ABL (Arbitrary Block Length).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) * Another convention says: store the bits in bigendian order and the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) * bytes also. This is bbe (big-big-endian). Now the buffer above
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) * represents X^127. X^7+X^2+X^1+1 looks like 00000000 .... 10000111,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) * b[15] = 0x87 and the rest is 0. LRW uses this convention and bbe
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) * is partly implemented.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) * Both of the above formats are easy to implement on big-endian
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) * machines.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) * XTS and EME (the latter of which is patent encumbered) use the ble
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) * format (bits are stored in big endian order and the bytes in little
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) * endian). The above buffer represents X^7 in this case and the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) * primitive polynomial is b[0] = 0x87.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) * The common machine word-size is smaller than 128 bits, so to make
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) * an efficient implementation we must split into machine word sizes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) * This implementation uses 64-bit words for the moment. Machine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) * endianness comes into play. The lle format in relation to machine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) * endianness is discussed below by the original author of gf128mul Dr
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) * Brian Gladman.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) * Let's look at the bbe and ble format on a little endian machine.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) * bbe on a little endian machine u32 x[4]:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) * MS x[0] LS MS x[1] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) * 103..96 111.104 119.112 127.120 71...64 79...72 87...80 95...88
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) * MS x[2] LS MS x[3] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) * 39...32 47...40 55...48 63...56 07...00 15...08 23...16 31...24
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) * ble on a little endian machine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) * MS x[0] LS MS x[1] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) * 31...24 23...16 15...08 07...00 63...56 55...48 47...40 39...32
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) * MS x[2] LS MS x[3] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) * 95...88 87...80 79...72 71...64 127.120 199.112 111.104 103..96
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) * Multiplications in GF(2^128) are mostly bit-shifts, so you see why
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) * ble (and lbe also) are easier to implement on a little-endian
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) * machine than on a big-endian machine. The converse holds for bbe
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) * and lle.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) * Note: to have good alignment, it seems to me that it is sufficient
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) * to keep elements of GF(2^128) in type u64[2]. On 32-bit wordsize
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) * machines this will automatically aligned to wordsize and on a 64-bit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) * machine also.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) /* Multiply a GF(2^128) field element by x. Field elements are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) held in arrays of bytes in which field bits 8n..8n + 7 are held in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) byte[n], with lower indexed bits placed in the more numerically
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) significant bit positions within bytes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) On little endian machines the bit indexes translate into the bit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) positions within four 32-bit words in the following way
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) MS x[0] LS MS x[1] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) 24...31 16...23 08...15 00...07 56...63 48...55 40...47 32...39
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) MS x[2] LS MS x[3] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) 88...95 80...87 72...79 64...71 120.127 112.119 104.111 96..103
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) On big endian machines the bit indexes translate into the bit
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) positions within four 32-bit words in the following way
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) MS x[0] LS MS x[1] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) 00...07 08...15 16...23 24...31 32...39 40...47 48...55 56...63
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) MS x[2] LS MS x[3] LS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) 64...71 72...79 80...87 88...95 96..103 104.111 112.119 120.127
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) /* A slow generic version of gf_mul, implemented for lle and bbe
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) * It multiplies a and b and puts the result in a */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) void gf128mul_lle(be128 *a, const be128 *b);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) void gf128mul_bbe(be128 *a, const be128 *b);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) * The following functions multiply a field element by x in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) * the polynomial field representation. They use 64-bit word operations
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) * to gain speed but compensate for machine endianness and hence work
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) * correctly on both styles of machine.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) * They are defined here for performance.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) static inline u64 gf128mul_mask_from_bit(u64 x, int which)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) /* a constant-time version of 'x & ((u64)1 << which) ? (u64)-1 : 0' */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) return ((s64)(x << (63 - which)) >> 63);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) static inline void gf128mul_x_lle(be128 *r, const be128 *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) u64 a = be64_to_cpu(x->a);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) u64 b = be64_to_cpu(x->b);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) /* equivalent to gf128mul_table_le[(b << 7) & 0xff] << 48
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) * (see crypto/gf128mul.c): */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) u64 _tt = gf128mul_mask_from_bit(b, 0) & ((u64)0xe1 << 56);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) r->b = cpu_to_be64((b >> 1) | (a << 63));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) r->a = cpu_to_be64((a >> 1) ^ _tt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) static inline void gf128mul_x_bbe(be128 *r, const be128 *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) u64 a = be64_to_cpu(x->a);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) u64 b = be64_to_cpu(x->b);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) /* equivalent to gf128mul_table_be[a >> 63] (see crypto/gf128mul.c): */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) r->a = cpu_to_be64((a << 1) | (b >> 63));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) r->b = cpu_to_be64((b << 1) ^ _tt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) /* needed by XTS */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) static inline void gf128mul_x_ble(le128 *r, const le128 *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) u64 a = le64_to_cpu(x->a);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) u64 b = le64_to_cpu(x->b);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) /* equivalent to gf128mul_table_be[b >> 63] (see crypto/gf128mul.c): */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) r->a = cpu_to_le64((a << 1) | (b >> 63));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) r->b = cpu_to_le64((b << 1) ^ _tt);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) /* 4k table optimization */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) struct gf128mul_4k {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) be128 t[256];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) struct gf128mul_4k *gf128mul_init_4k_lle(const be128 *g);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) struct gf128mul_4k *gf128mul_init_4k_bbe(const be128 *g);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) void gf128mul_4k_lle(be128 *a, const struct gf128mul_4k *t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) void gf128mul_4k_bbe(be128 *a, const struct gf128mul_4k *t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) void gf128mul_x8_ble(le128 *r, const le128 *x);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) static inline void gf128mul_free_4k(struct gf128mul_4k *t)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) kfree_sensitive(t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) /* 64k table optimization, implemented for bbe */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) struct gf128mul_64k {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) struct gf128mul_4k *t[16];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) /* First initialize with the constant factor with which you
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) * want to multiply and then call gf128mul_64k_bbe with the other
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) * factor in the first argument, and the table in the second.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) * Afterwards, the result is stored in *a.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) struct gf128mul_64k *gf128mul_init_64k_bbe(const be128 *g);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) void gf128mul_free_64k(struct gf128mul_64k *t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) void gf128mul_64k_bbe(be128 *a, const struct gf128mul_64k *t);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) #endif /* _CRYPTO_GF128MUL_H */
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags