1 /* gf128mul.c - GF(2^128) multiplication functions
17  ---------------------------------------------------------------------------
32    3. the copyright holder's name is not used to endorse products
42  in respect of its properties, including, but not limited to, correctness
44  ---------------------------------------------------------------------------
94  * 16-bit value that must be XOR-ed into the low-degree end of the
95  * product to reduce it modulo the polynomial x^128 + x^7 + x^2 + x + 1.
98  * the "be" convention where the highest-order bit is the coefficient of
99  * the highest-degree polynomial term, and one for the "le" convention
100  * where the highest-order bit is the coefficient of the lowest-degree
104  * correspond to the coefficients of x^15..x^0, and in the "le" table
105  * bits 15..0 correspond to the coefficients of x^0..x^15.
109  * anyway to support both little endian and big endian CPUs), the "be"
134  * the polynomial field representation.  They use 64-bit word operations
135  * to gain speed but compensate for machine endianness and hence work
141 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle()
142 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle()
145 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle()
146 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle()
152 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle_ti()
153 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle_ti()
156 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle_ti()
157 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle_ti()
162 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_bbe()
163 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_bbe()
166 	x->a = cpu_to_be64((a << 8) | (b >> 56));  in gf128mul_x8_bbe()
167 	x->b = cpu_to_be64((b << 8) ^ _tt);  in gf128mul_x8_bbe()
172 	u64 a = le64_to_cpu(x->a);  in gf128mul_x8_ble()
173 	u64 b = le64_to_cpu(x->b);  in gf128mul_x8_ble()
176 	r->a = cpu_to_le64((a << 8) | (b >> 56));  in gf128mul_x8_ble()
177 	r->b = cpu_to_le64((b << 8) ^ _tt);  in gf128mul_x8_ble()
184 	 * The p array should be aligned to twice the size of its element type,  in gf128mul_lle()
185 	 * so that every even/odd pair is guaranteed to share a cacheline  in gf128mul_lle()
190 	 * key, e.g., for GHASH. The odd array elements are all set to zero,  in gf128mul_lle()
192 	 * set, and this is equivalent to calling be128_xor() conditionally.  in gf128mul_lle()
193 	 * This approach aims to avoid leaking information about such keys  in gf128mul_lle()
197 	 * variables on the stack so we need to perform the alignment by hand.  in gf128mul_lle()
209 		u8 ch = ((u8 *)b)[15 - i];  in gf128mul_lle()
266 /*      This version uses 64k bytes of table space.
267     A 16 byte buffer has to be multiplied by a 16 byte key
283 	int i, j, k;  in gf128mul_init_64k_bbe()  local
290 		t->t[i] = kzalloc(sizeof(*t->t[i]), GFP_KERNEL);  in gf128mul_init_64k_bbe()
291 		if (!t->t[i]) {  in gf128mul_init_64k_bbe()
298 	t->t[0]->t[1] = *g;  in gf128mul_init_64k_bbe()
299 	for (j = 1; j <= 64; j <<= 1)  in gf128mul_init_64k_bbe()
300 		gf128mul_x_bbe(&t->t[0]->t[j + j], &t->t[0]->t[j]);  in gf128mul_init_64k_bbe()
303 		for (j = 2; j < 256; j += j)  in gf128mul_init_64k_bbe()
304 			for (k = 1; k < j; ++k)  in gf128mul_init_64k_bbe()
305 				be128_xor(&t->t[i]->t[j + k],  in gf128mul_init_64k_bbe()
306 					  &t->t[i]->t[j], &t->t[i]->t[k]);  in gf128mul_init_64k_bbe()
311 		for (j = 128; j > 0; j >>= 1) {  in gf128mul_init_64k_bbe()
312 			t->t[i]->t[j] = t->t[i - 1]->t[j];  in gf128mul_init_64k_bbe()
313 			gf128mul_x8_bbe(&t->t[i]->t[j]);  in gf128mul_init_64k_bbe()
327 		kfree_sensitive(t->t[i]);  in gf128mul_free_64k()
338 	*r = t->t[0]->t[ap[15]];  in gf128mul_64k_bbe()
340 		be128_xor(r, r, &t->t[i]->t[ap[15 - i]]);  in gf128mul_64k_bbe()
345 /*      This version uses 4k bytes of table space.
346     A 16 byte buffer has to be multiplied by a 16 byte key
351     the buffer and use this table to get the result, we then
352     have to multiply by x^120 to get the final value. For the
353     next highest byte the result has to be multiplied by x^112
364 	int j, k;  in gf128mul_init_4k_lle()  local
370 	t->t[128] = *g;  in gf128mul_init_4k_lle()
371 	for (j = 64; j > 0; j >>= 1)  in gf128mul_init_4k_lle()
372 		gf128mul_x_lle(&t->t[j], &t->t[j+j]);  in gf128mul_init_4k_lle()
374 	for (j = 2; j < 256; j += j)  in gf128mul_init_4k_lle()
375 		for (k = 1; k < j; ++k)  in gf128mul_init_4k_lle()
376 			be128_xor(&t->t[j + k], &t->t[j], &t->t[k]);  in gf128mul_init_4k_lle()
386 	int j, k;  in gf128mul_init_4k_bbe()  local
392 	t->t[1] = *g;  in gf128mul_init_4k_bbe()
393 	for (j = 1; j <= 64; j <<= 1)  in gf128mul_init_4k_bbe()
394 		gf128mul_x_bbe(&t->t[j + j], &t->t[j]);  in gf128mul_init_4k_bbe()
396 	for (j = 2; j < 256; j += j)  in gf128mul_init_4k_bbe()
397 		for (k = 1; k < j; ++k)  in gf128mul_init_4k_bbe()
398 			be128_xor(&t->t[j + k], &t->t[j], &t->t[k]);  in gf128mul_init_4k_bbe()
411 	*r = t->t[ap[15]];  in gf128mul_4k_lle()
412 	while (i--) {  in gf128mul_4k_lle()
414 		be128_xor(r, r, &t->t[ap[i]]);  in gf128mul_4k_lle()
426 	*r = t->t[ap[0]];  in gf128mul_4k_bbe()
429 		be128_xor(r, r, &t->t[ap[i]]);  in gf128mul_4k_bbe()