Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/crypto/gf128mul.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* gf128mul.c - GF(2^128) multiplication functions 2 * 3 * Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. 4 * Copyright (c) 2006, Rik Snel <rsnel@cube.dyndns.org> 5 * 6 * Based on Dr Brian Gladman's (GPL'd) work published at 7 * http://gladman.plushost.co.uk/oldsite/cryptography_technology/index.php 8 * See the original copyright notice below. 9 * 10 * This program is free software; you can redistribute it and/or modify it 11 * under the terms of the GNU General Public License as published by the Free 12 * Software Foundation; either version 2 of the License, or (at your option) 13 * any later version. 14 */ 15 16 /* 17 --------------------------------------------------------------------------- 18 Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved. 19 20 LICENSE TERMS 21 22 The free distribution and use of this software in both source and binary 23 form is allowed (with or without changes) provided that: 24 25 1. distributions of this source code include the above copyright 26 notice, this list of conditions and the following disclaimer; 27 28 2. distributions in binary form include the above copyright 29 notice, this list of conditions and the following disclaimer 30 in the documentation and/or other associated materials; 31 32 3. the copyright holder's name is not used to endorse products 33 built using this software without specific written permission. 34 35 ALTERNATIVELY, provided that this notice is retained in full, this product 36 may be distributed under the terms of the GNU General Public License (GPL), 37 in which case the provisions of the GPL apply INSTEAD OF those given above. 38 39 DISCLAIMER 40 41 This software is provided 'as is' with no explicit or implied warranties 42 in respect of its properties, including, but not limited to, correctness 43 and/or fitness for purpose. 44 --------------------------------------------------------------------------- 45 Issue 31/01/2006 46 47 This file provides fast multiplication in GF(128) as required by several 48 cryptographic authentication modes 49 */ 50 51 #include <crypto/gf128mul.h> 52 #include <linux/kernel.h> 53 #include <linux/module.h> 54 #include <linux/slab.h> 55 56 #define gf128mul_dat(q) { \ 57 q(0x00), q(0x01), q(0x02), q(0x03), q(0x04), q(0x05), q(0x06), q(0x07),\ 58 q(0x08), q(0x09), q(0x0a), q(0x0b), q(0x0c), q(0x0d), q(0x0e), q(0x0f),\ 59 q(0x10), q(0x11), q(0x12), q(0x13), q(0x14), q(0x15), q(0x16), q(0x17),\ 60 q(0x18), q(0x19), q(0x1a), q(0x1b), q(0x1c), q(0x1d), q(0x1e), q(0x1f),\ 61 q(0x20), q(0x21), q(0x22), q(0x23), q(0x24), q(0x25), q(0x26), q(0x27),\ 62 q(0x28), q(0x29), q(0x2a), q(0x2b), q(0x2c), q(0x2d), q(0x2e), q(0x2f),\ 63 q(0x30), q(0x31), q(0x32), q(0x33), q(0x34), q(0x35), q(0x36), q(0x37),\ 64 q(0x38), q(0x39), q(0x3a), q(0x3b), q(0x3c), q(0x3d), q(0x3e), q(0x3f),\ 65 q(0x40), q(0x41), q(0x42), q(0x43), q(0x44), q(0x45), q(0x46), q(0x47),\ 66 q(0x48), q(0x49), q(0x4a), q(0x4b), q(0x4c), q(0x4d), q(0x4e), q(0x4f),\ 67 q(0x50), q(0x51), q(0x52), q(0x53), q(0x54), q(0x55), q(0x56), q(0x57),\ 68 q(0x58), q(0x59), q(0x5a), q(0x5b), q(0x5c), q(0x5d), q(0x5e), q(0x5f),\ 69 q(0x60), q(0x61), q(0x62), q(0x63), q(0x64), q(0x65), q(0x66), q(0x67),\ 70 q(0x68), q(0x69), q(0x6a), q(0x6b), q(0x6c), q(0x6d), q(0x6e), q(0x6f),\ 71 q(0x70), q(0x71), q(0x72), q(0x73), q(0x74), q(0x75), q(0x76), q(0x77),\ 72 q(0x78), q(0x79), q(0x7a), q(0x7b), q(0x7c), q(0x7d), q(0x7e), q(0x7f),\ 73 q(0x80), q(0x81), q(0x82), q(0x83), q(0x84), q(0x85), q(0x86), q(0x87),\ 74 q(0x88), q(0x89), q(0x8a), q(0x8b), q(0x8c), q(0x8d), q(0x8e), q(0x8f),\ 75 q(0x90), q(0x91), q(0x92), q(0x93), q(0x94), q(0x95), q(0x96), q(0x97),\ 76 q(0x98), q(0x99), q(0x9a), q(0x9b), q(0x9c), q(0x9d), q(0x9e), q(0x9f),\ 77 q(0xa0), q(0xa1), q(0xa2), q(0xa3), q(0xa4), q(0xa5), q(0xa6), q(0xa7),\ 78 q(0xa8), q(0xa9), q(0xaa), q(0xab), q(0xac), q(0xad), q(0xae), q(0xaf),\ 79 q(0xb0), q(0xb1), q(0xb2), q(0xb3), q(0xb4), q(0xb5), q(0xb6), q(0xb7),\ 80 q(0xb8), q(0xb9), q(0xba), q(0xbb), q(0xbc), q(0xbd), q(0xbe), q(0xbf),\ 81 q(0xc0), q(0xc1), q(0xc2), q(0xc3), q(0xc4), q(0xc5), q(0xc6), q(0xc7),\ 82 q(0xc8), q(0xc9), q(0xca), q(0xcb), q(0xcc), q(0xcd), q(0xce), q(0xcf),\ 83 q(0xd0), q(0xd1), q(0xd2), q(0xd3), q(0xd4), q(0xd5), q(0xd6), q(0xd7),\ 84 q(0xd8), q(0xd9), q(0xda), q(0xdb), q(0xdc), q(0xdd), q(0xde), q(0xdf),\ 85 q(0xe0), q(0xe1), q(0xe2), q(0xe3), q(0xe4), q(0xe5), q(0xe6), q(0xe7),\ 86 q(0xe8), q(0xe9), q(0xea), q(0xeb), q(0xec), q(0xed), q(0xee), q(0xef),\ 87 q(0xf0), q(0xf1), q(0xf2), q(0xf3), q(0xf4), q(0xf5), q(0xf6), q(0xf7),\ 88 q(0xf8), q(0xf9), q(0xfa), q(0xfb), q(0xfc), q(0xfd), q(0xfe), q(0xff) \ 89 } 90 91 /* Given the value i in 0..255 as the byte overflow when a field element 92 in GHASH is multiplied by x^8, this function will return the values that 93 are generated in the lo 16-bit word of the field value by applying the 94 modular polynomial. The values lo_byte and hi_byte are returned via the 95 macro xp_fun(lo_byte, hi_byte) so that the values can be assembled into 96 memory as required by a suitable definition of this macro operating on 97 the table above 98 */ 99 100 #define xx(p, q) 0x##p##q 101 102 #define xda_bbe(i) ( \ 103 (i & 0x80 ? xx(43, 80) : 0) ^ (i & 0x40 ? xx(21, c0) : 0) ^ \ 104 (i & 0x20 ? xx(10, e0) : 0) ^ (i & 0x10 ? xx(08, 70) : 0) ^ \ 105 (i & 0x08 ? xx(04, 38) : 0) ^ (i & 0x04 ? xx(02, 1c) : 0) ^ \ 106 (i & 0x02 ? xx(01, 0e) : 0) ^ (i & 0x01 ? xx(00, 87) : 0) \ 107 ) 108 109 #define xda_lle(i) ( \ 110 (i & 0x80 ? xx(e1, 00) : 0) ^ (i & 0x40 ? xx(70, 80) : 0) ^ \ 111 (i & 0x20 ? xx(38, 40) : 0) ^ (i & 0x10 ? xx(1c, 20) : 0) ^ \ 112 (i & 0x08 ? xx(0e, 10) : 0) ^ (i & 0x04 ? xx(07, 08) : 0) ^ \ 113 (i & 0x02 ? xx(03, 84) : 0) ^ (i & 0x01 ? xx(01, c2) : 0) \ 114 ) 115 116 static const u16 gf128mul_table_lle[256] = gf128mul_dat(xda_lle); 117 static const u16 gf128mul_table_bbe[256] = gf128mul_dat(xda_bbe); 118 119 /* These functions multiply a field element by x, by x^4 and by x^8 120 * in the polynomial field representation. It uses 32-bit word operations 121 * to gain speed but compensates for machine endianess and hence works 122 * correctly on both styles of machine. 123 */ 124 125 static void gf128mul_x_lle(be128 *r, const be128 *x) 126 { 127 u64 a = be64_to_cpu(x->a); 128 u64 b = be64_to_cpu(x->b); 129 u64 _tt = gf128mul_table_lle[(b << 7) & 0xff]; 130 131 r->b = cpu_to_be64((b >> 1) | (a << 63)); 132 r->a = cpu_to_be64((a >> 1) ^ (_tt << 48)); 133 } 134 135 static void gf128mul_x_bbe(be128 *r, const be128 *x) 136 { 137 u64 a = be64_to_cpu(x->a); 138 u64 b = be64_to_cpu(x->b); 139 u64 _tt = gf128mul_table_bbe[a >> 63]; 140 141 r->a = cpu_to_be64((a << 1) | (b >> 63)); 142 r->b = cpu_to_be64((b << 1) ^ _tt); 143 } 144 145 void gf128mul_x_ble(be128 *r, const be128 *x) 146 { 147 u64 a = le64_to_cpu(x->a); 148 u64 b = le64_to_cpu(x->b); 149 u64 _tt = gf128mul_table_bbe[b >> 63]; 150 151 r->a = cpu_to_le64((a << 1) ^ _tt); 152 r->b = cpu_to_le64((b << 1) | (a >> 63)); 153 } 154 EXPORT_SYMBOL(gf128mul_x_ble); 155 156 static void gf128mul_x8_lle(be128 *x) 157 { 158 u64 a = be64_to_cpu(x->a); 159 u64 b = be64_to_cpu(x->b); 160 u64 _tt = gf128mul_table_lle[b & 0xff]; 161 162 x->b = cpu_to_be64((b >> 8) | (a << 56)); 163 x->a = cpu_to_be64((a >> 8) ^ (_tt << 48)); 164 } 165 166 static void gf128mul_x8_bbe(be128 *x) 167 { 168 u64 a = be64_to_cpu(x->a); 169 u64 b = be64_to_cpu(x->b); 170 u64 _tt = gf128mul_table_bbe[a >> 56]; 171 172 x->a = cpu_to_be64((a << 8) | (b >> 56)); 173 x->b = cpu_to_be64((b << 8) ^ _tt); 174 } 175 176 void gf128mul_lle(be128 *r, const be128 *b) 177 { 178 be128 p[8]; 179 int i; 180 181 p[0] = *r; 182 for (i = 0; i < 7; ++i) 183 gf128mul_x_lle(&p[i + 1], &p[i]); 184 185 memset(r, 0, sizeof(*r)); 186 for (i = 0;;) { 187 u8 ch = ((u8 *)b)[15 - i]; 188 189 if (ch & 0x80) 190 be128_xor(r, r, &p[0]); 191 if (ch & 0x40) 192 be128_xor(r, r, &p[1]); 193 if (ch & 0x20) 194 be128_xor(r, r, &p[2]); 195 if (ch & 0x10) 196 be128_xor(r, r, &p[3]); 197 if (ch & 0x08) 198 be128_xor(r, r, &p[4]); 199 if (ch & 0x04) 200 be128_xor(r, r, &p[5]); 201 if (ch & 0x02) 202 be128_xor(r, r, &p[6]); 203 if (ch & 0x01) 204 be128_xor(r, r, &p[7]); 205 206 if (++i >= 16) 207 break; 208 209 gf128mul_x8_lle(r); 210 } 211 } 212 EXPORT_SYMBOL(gf128mul_lle); 213 214 void gf128mul_bbe(be128 *r, const be128 *b) 215 { 216 be128 p[8]; 217 int i; 218 219 p[0] = *r; 220 for (i = 0; i < 7; ++i) 221 gf128mul_x_bbe(&p[i + 1], &p[i]); 222 223 memset(r, 0, sizeof(*r)); 224 for (i = 0;;) { 225 u8 ch = ((u8 *)b)[i]; 226 227 if (ch & 0x80) 228 be128_xor(r, r, &p[7]); 229 if (ch & 0x40) 230 be128_xor(r, r, &p[6]); 231 if (ch & 0x20) 232 be128_xor(r, r, &p[5]); 233 if (ch & 0x10) 234 be128_xor(r, r, &p[4]); 235 if (ch & 0x08) 236 be128_xor(r, r, &p[3]); 237 if (ch & 0x04) 238 be128_xor(r, r, &p[2]); 239 if (ch & 0x02) 240 be128_xor(r, r, &p[1]); 241 if (ch & 0x01) 242 be128_xor(r, r, &p[0]); 243 244 if (++i >= 16) 245 break; 246 247 gf128mul_x8_bbe(r); 248 } 249 } 250 EXPORT_SYMBOL(gf128mul_bbe); 251 252 /* This version uses 64k bytes of table space. 253 A 16 byte buffer has to be multiplied by a 16 byte key 254 value in GF(128). If we consider a GF(128) value in 255 the buffer's lowest byte, we can construct a table of 256 the 256 16 byte values that result from the 256 values 257 of this byte. This requires 4096 bytes. But we also 258 need tables for each of the 16 higher bytes in the 259 buffer as well, which makes 64 kbytes in total. 260 */ 261 /* additional explanation 262 * t[0][BYTE] contains g*BYTE 263 * t[1][BYTE] contains g*x^8*BYTE 264 * .. 265 * t[15][BYTE] contains g*x^120*BYTE */ 266 struct gf128mul_64k *gf128mul_init_64k_lle(const be128 *g) 267 { 268 struct gf128mul_64k *t; 269 int i, j, k; 270 271 t = kzalloc(sizeof(*t), GFP_KERNEL); 272 if (!t) 273 goto out; 274 275 for (i = 0; i < 16; i++) { 276 t->t[i] = kzalloc(sizeof(*t->t[i]), GFP_KERNEL); 277 if (!t->t[i]) { 278 gf128mul_free_64k(t); 279 t = NULL; 280 goto out; 281 } 282 } 283 284 t->t[0]->t[128] = *g; 285 for (j = 64; j > 0; j >>= 1) 286 gf128mul_x_lle(&t->t[0]->t[j], &t->t[0]->t[j + j]); 287 288 for (i = 0;;) { 289 for (j = 2; j < 256; j += j) 290 for (k = 1; k < j; ++k) 291 be128_xor(&t->t[i]->t[j + k], 292 &t->t[i]->t[j], &t->t[i]->t[k]); 293 294 if (++i >= 16) 295 break; 296 297 for (j = 128; j > 0; j >>= 1) { 298 t->t[i]->t[j] = t->t[i - 1]->t[j]; 299 gf128mul_x8_lle(&t->t[i]->t[j]); 300 } 301 } 302 303 out: 304 return t; 305 } 306 EXPORT_SYMBOL(gf128mul_init_64k_lle); 307 308 struct gf128mul_64k *gf128mul_init_64k_bbe(const be128 *g) 309 { 310 struct gf128mul_64k *t; 311 int i, j, k; 312 313 t = kzalloc(sizeof(*t), GFP_KERNEL); 314 if (!t) 315 goto out; 316 317 for (i = 0; i < 16; i++) { 318 t->t[i] = kzalloc(sizeof(*t->t[i]), GFP_KERNEL); 319 if (!t->t[i]) { 320 gf128mul_free_64k(t); 321 t = NULL; 322 goto out; 323 } 324 } 325 326 t->t[0]->t[1] = *g; 327 for (j = 1; j <= 64; j <<= 1) 328 gf128mul_x_bbe(&t->t[0]->t[j + j], &t->t[0]->t[j]); 329 330 for (i = 0;;) { 331 for (j = 2; j < 256; j += j) 332 for (k = 1; k < j; ++k) 333 be128_xor(&t->t[i]->t[j + k], 334 &t->t[i]->t[j], &t->t[i]->t[k]); 335 336 if (++i >= 16) 337 break; 338 339 for (j = 128; j > 0; j >>= 1) { 340 t->t[i]->t[j] = t->t[i - 1]->t[j]; 341 gf128mul_x8_bbe(&t->t[i]->t[j]); 342 } 343 } 344 345 out: 346 return t; 347 } 348 EXPORT_SYMBOL(gf128mul_init_64k_bbe); 349 350 void gf128mul_free_64k(struct gf128mul_64k *t) 351 { 352 int i; 353 354 for (i = 0; i < 16; i++) 355 kfree(t->t[i]); 356 kfree(t); 357 } 358 EXPORT_SYMBOL(gf128mul_free_64k); 359 360 void gf128mul_64k_lle(be128 *a, struct gf128mul_64k *t) 361 { 362 u8 *ap = (u8 *)a; 363 be128 r[1]; 364 int i; 365 366 *r = t->t[0]->t[ap[0]]; 367 for (i = 1; i < 16; ++i) 368 be128_xor(r, r, &t->t[i]->t[ap[i]]); 369 *a = *r; 370 } 371 EXPORT_SYMBOL(gf128mul_64k_lle); 372 373 void gf128mul_64k_bbe(be128 *a, struct gf128mul_64k *t) 374 { 375 u8 *ap = (u8 *)a; 376 be128 r[1]; 377 int i; 378 379 *r = t->t[0]->t[ap[15]]; 380 for (i = 1; i < 16; ++i) 381 be128_xor(r, r, &t->t[i]->t[ap[15 - i]]); 382 *a = *r; 383 } 384 EXPORT_SYMBOL(gf128mul_64k_bbe); 385 386 /* This version uses 4k bytes of table space. 387 A 16 byte buffer has to be multiplied by a 16 byte key 388 value in GF(128). If we consider a GF(128) value in a 389 single byte, we can construct a table of the 256 16 byte 390 values that result from the 256 values of this byte. 391 This requires 4096 bytes. If we take the highest byte in 392 the buffer and use this table to get the result, we then 393 have to multiply by x^120 to get the final value. For the 394 next highest byte the result has to be multiplied by x^112 395 and so on. But we can do this by accumulating the result 396 in an accumulator starting with the result for the top 397 byte. We repeatedly multiply the accumulator value by 398 x^8 and then add in (i.e. xor) the 16 bytes of the next 399 lower byte in the buffer, stopping when we reach the 400 lowest byte. This requires a 4096 byte table. 401 */ 402 struct gf128mul_4k *gf128mul_init_4k_lle(const be128 *g) 403 { 404 struct gf128mul_4k *t; 405 int j, k; 406 407 t = kzalloc(sizeof(*t), GFP_KERNEL); 408 if (!t) 409 goto out; 410 411 t->t[128] = *g; 412 for (j = 64; j > 0; j >>= 1) 413 gf128mul_x_lle(&t->t[j], &t->t[j+j]); 414 415 for (j = 2; j < 256; j += j) 416 for (k = 1; k < j; ++k) 417 be128_xor(&t->t[j + k], &t->t[j], &t->t[k]); 418 419 out: 420 return t; 421 } 422 EXPORT_SYMBOL(gf128mul_init_4k_lle); 423 424 struct gf128mul_4k *gf128mul_init_4k_bbe(const be128 *g) 425 { 426 struct gf128mul_4k *t; 427 int j, k; 428 429 t = kzalloc(sizeof(*t), GFP_KERNEL); 430 if (!t) 431 goto out; 432 433 t->t[1] = *g; 434 for (j = 1; j <= 64; j <<= 1) 435 gf128mul_x_bbe(&t->t[j + j], &t->t[j]); 436 437 for (j = 2; j < 256; j += j) 438 for (k = 1; k < j; ++k) 439 be128_xor(&t->t[j + k], &t->t[j], &t->t[k]); 440 441 out: 442 return t; 443 } 444 EXPORT_SYMBOL(gf128mul_init_4k_bbe); 445 446 void gf128mul_4k_lle(be128 *a, struct gf128mul_4k *t) 447 { 448 u8 *ap = (u8 *)a; 449 be128 r[1]; 450 int i = 15; 451 452 *r = t->t[ap[15]]; 453 while (i--) { 454 gf128mul_x8_lle(r); 455 be128_xor(r, r, &t->t[ap[i]]); 456 } 457 *a = *r; 458 } 459 EXPORT_SYMBOL(gf128mul_4k_lle); 460 461 void gf128mul_4k_bbe(be128 *a, struct gf128mul_4k *t) 462 { 463 u8 *ap = (u8 *)a; 464 be128 r[1]; 465 int i = 0; 466 467 *r = t->t[ap[0]]; 468 while (++i < 16) { 469 gf128mul_x8_bbe(r); 470 be128_xor(r, r, &t->t[ap[i]]); 471 } 472 *a = *r; 473 } 474 EXPORT_SYMBOL(gf128mul_4k_bbe); 475 476 MODULE_LICENSE("GPL"); 477 MODULE_DESCRIPTION("Functions for multiplying elements of GF(2^128)");
Cache object: e36db06d4d1ea65b327480eb7bff0b09
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]