fxr.watson.org: linux-2.4.22 sys/crypto/twofish.c

FreeBSD/Linux Kernel Cross Reference
sys/crypto/twofish.c

Version: - FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10

1 /* 2 * Twofish for CryptoAPI 3 * 4 * Originaly Twofish for GPG 5 * By Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998 6 * 256-bit key length added March 20, 1999 7 * Some modifications to reduce the text size by Werner Koch, April, 1998 8 * Ported to the kerneli patch by Marc Mutz <Marc@Mutz.com> 9 * Ported to CryptoAPI by Colin Slater <hoho@tacomeat.net> 10 * 11 * The original author has disclaimed all copyright interest in this 12 * code and thus put it in the public domain. The subsequent authors 13 * have put this under the GNU General Public License. 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License as published by 17 * the Free Software Foundation; either version 2 of the License, or 18 * (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 23 * GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with this program; if not, write to the Free Software 27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 28 * USA 29 * 30 * This code is a "clean room" implementation, written from the paper 31 * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey, 32 * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available 33 * through http://www.counterpane.com/twofish.html 34 * 35 * For background information on multiplication in finite fields, used for 36 * the matrix operations in the key schedule, see the book _Contemporary 37 * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the 38 * Third Edition. 39 */ 40 #include <linux/module.h> 41 #include <linux/init.h> 42 #include <linux/types.h> 43 #include <linux/errno.h> 44 #include <linux/crypto.h> 45 46 47 /* The large precomputed tables for the Twofish cipher (twofish.c) 48 * Taken from the same source as twofish.c 49 * Marc Mutz <Marc@Mutz.com> 50 */ 51 52 /* These two tables are the q0 and q1 permutations, exactly as described in 53 * the Twofish paper. */ 54 55 static const u8 q0[256] = { 56 0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78, 57 0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C, 58 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30, 59 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82, 60 0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE, 61 0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B, 62 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45, 63 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7, 64 0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF, 65 0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8, 66 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED, 67 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90, 68 0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B, 69 0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B, 70 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F, 71 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A, 72 0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17, 73 0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72, 74 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68, 75 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4, 76 0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42, 77 0x4A, 0x5E, 0xC1, 0xE0 78 }; 79 80 static const u8 q1[256] = { 81 0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B, 82 0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1, 83 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B, 84 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5, 85 0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54, 86 0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96, 87 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7, 88 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8, 89 0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF, 90 0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9, 91 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D, 92 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E, 93 0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21, 94 0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01, 95 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E, 96 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64, 97 0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44, 98 0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E, 99 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B, 100 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9, 101 0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56, 102 0x55, 0x09, 0xBE, 0x91 103 }; 104 105 /* These MDS tables are actually tables of MDS composed with q0 and q1, 106 * because it is only ever used that way and we can save some time by 107 * precomputing. Of course the main saving comes from precomputing the 108 * GF(2^8) multiplication involved in the MDS matrix multiply; by looking 109 * things up in these tables we reduce the matrix multiply to four lookups 110 * and three XORs. Semi-formally, the definition of these tables is: 111 * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T 112 * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T 113 * where ^T means "transpose", the matrix multiply is performed in GF(2^8) 114 * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described 115 * by Schneier et al, and I'm casually glossing over the byte/word 116 * conversion issues. */ 117 118 static const u32 mds[4][256] = { 119 {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B, 120 0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B, 121 0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32, 122 0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1, 123 0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA, 124 0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B, 125 0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1, 126 0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5, 127 0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490, 128 0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154, 129 0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0, 130 0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796, 131 0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228, 132 0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7, 133 0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3, 134 0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8, 135 0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477, 136 0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF, 137 0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C, 138 0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9, 139 0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA, 140 0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D, 141 0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72, 142 0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E, 143 0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76, 144 0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321, 145 0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39, 146 0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01, 147 0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D, 148 0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E, 149 0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5, 150 0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64, 151 0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7, 152 0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544, 153 0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E, 154 0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E, 155 0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A, 156 0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B, 157 0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2, 158 0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9, 159 0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504, 160 0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756, 161 0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91}, 162 163 {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252, 164 0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A, 165 0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020, 166 0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141, 167 0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444, 168 0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424, 169 0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A, 170 0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757, 171 0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383, 172 0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A, 173 0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9, 174 0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656, 175 0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1, 176 0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898, 177 0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414, 178 0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3, 179 0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1, 180 0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989, 181 0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5, 182 0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282, 183 0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E, 184 0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E, 185 0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202, 186 0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC, 187 0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565, 188 0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A, 189 0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808, 190 0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272, 191 0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A, 192 0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969, 193 0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505, 194 0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5, 195 0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D, 196 0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343, 197 0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF, 198 0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3, 199 0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F, 200 0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646, 201 0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6, 202 0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF, 203 0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A, 204 0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7, 205 0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8}, 206 207 {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B, 208 0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F, 209 0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A, 210 0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783, 211 0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70, 212 0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3, 213 0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB, 214 0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA, 215 0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4, 216 0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41, 217 0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C, 218 0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07, 219 0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622, 220 0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18, 221 0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035, 222 0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96, 223 0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84, 224 0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E, 225 0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F, 226 0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD, 227 0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558, 228 0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40, 229 0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA, 230 0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85, 231 0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF, 232 0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773, 233 0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D, 234 0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B, 235 0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C, 236 0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19, 237 0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086, 238 0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D, 239 0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74, 240 0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755, 241 0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691, 242 0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D, 243 0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4, 244 0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53, 245 0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E, 246 0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9, 247 0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705, 248 0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7, 249 0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF}, 250 251 {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98, 252 0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866, 253 0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643, 254 0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77, 255 0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9, 256 0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C, 257 0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3, 258 0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216, 259 0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F, 260 0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25, 261 0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF, 262 0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7, 263 0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4, 264 0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E, 265 0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA, 266 0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C, 267 0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12, 268 0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A, 269 0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D, 270 0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE, 271 0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A, 272 0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C, 273 0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B, 274 0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4, 275 0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B, 276 0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3, 277 0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE, 278 0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB, 279 0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85, 280 0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA, 281 0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E, 282 0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8, 283 0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33, 284 0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC, 285 0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718, 286 0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA, 287 0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8, 288 0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872, 289 0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882, 290 0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D, 291 0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10, 292 0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6, 293 0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8} 294 }; 295 296 /* The exp_to_poly and poly_to_exp tables are used to perform efficient 297 * operations in GF(2^8) represented as GF(2)[x]/w(x) where 298 * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the 299 * definition of the RS matrix in the key schedule. Elements of that field 300 * are polynomials of degree not greater than 7 and all coefficients 0 or 1, 301 * which can be represented naturally by bytes (just substitute x=2). In that 302 * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8) 303 * multiplication is inefficient without hardware support. To multiply 304 * faster, I make use of the fact x is a generator for the nonzero elements, 305 * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for 306 * some n in 0..254. Note that that caret is exponentiation in GF(2^8), 307 * *not* polynomial notation. So if I want to compute pq where p and q are 308 * in GF(2^8), I can just say: 309 * 1. if p=0 or q=0 then pq=0 310 * 2. otherwise, find m and n such that p=x^m and q=x^n 311 * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq 312 * The translations in steps 2 and 3 are looked up in the tables 313 * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this 314 * in action, look at the CALC_S macro. As additional wrinkles, note that 315 * one of my operands is always a constant, so the poly_to_exp lookup on it 316 * is done in advance; I included the original values in the comments so 317 * readers can have some chance of recognizing that this *is* the RS matrix 318 * from the Twofish paper. I've only included the table entries I actually 319 * need; I never do a lookup on a variable input of zero and the biggest 320 * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll 321 * never sum to more than 491. I'm repeating part of the exp_to_poly table 322 * so that I don't have to do mod-255 reduction in the exponent arithmetic. 323 * Since I know my constant operands are never zero, I only have to worry 324 * about zero values in the variable operand, and I do it with a simple 325 * conditional branch. I know conditionals are expensive, but I couldn't 326 * see a non-horrible way of avoiding them, and I did manage to group the 327 * statements so that each if covers four group multiplications. */ 328 329 static const u8 poly_to_exp[255] = { 330 0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19, 331 0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A, 332 0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C, 333 0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B, 334 0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47, 335 0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D, 336 0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8, 337 0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C, 338 0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83, 339 0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48, 340 0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26, 341 0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E, 342 0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3, 343 0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9, 344 0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A, 345 0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D, 346 0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75, 347 0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84, 348 0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64, 349 0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49, 350 0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF, 351 0x85, 0xC8, 0xA1 352 }; 353 354 static const u8 exp_to_poly[492] = { 355 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2, 356 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03, 357 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6, 358 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A, 359 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63, 360 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C, 361 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07, 362 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88, 363 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12, 364 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7, 365 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C, 366 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8, 367 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25, 368 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A, 369 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE, 370 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC, 371 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E, 372 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92, 373 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89, 374 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB, 375 0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1, 376 0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 377 0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 378 0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 379 0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 380 0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 381 0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 382 0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 383 0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 384 0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 385 0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 386 0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 387 0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 388 0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 389 0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 390 0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 391 0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 392 0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 393 0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 394 0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 395 0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB 396 }; 397 398 399 /* The table constants are indices of 400 * S-box entries, preprocessed through q0 and q1. */ 401 static const u8 calc_sb_tbl[512] = { 402 0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4, 403 0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8, 404 0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B, 405 0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B, 406 0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD, 407 0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1, 408 0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B, 409 0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F, 410 0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B, 411 0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D, 412 0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E, 413 0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5, 414 0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14, 415 0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3, 416 0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54, 417 0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51, 418 0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A, 419 0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96, 420 0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10, 421 0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C, 422 0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7, 423 0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70, 424 0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB, 425 0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8, 426 0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF, 427 0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC, 428 0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF, 429 0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2, 430 0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82, 431 0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9, 432 0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97, 433 0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17, 434 0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D, 435 0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3, 436 0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C, 437 0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E, 438 0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F, 439 0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49, 440 0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21, 441 0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9, 442 0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD, 443 0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01, 444 0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F, 445 0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48, 446 0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E, 447 0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19, 448 0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57, 449 0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64, 450 0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE, 451 0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5, 452 0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44, 453 0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69, 454 0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15, 455 0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E, 456 0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34, 457 0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC, 458 0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B, 459 0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB, 460 0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52, 461 0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9, 462 0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4, 463 0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2, 464 0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56, 465 0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91 466 }; 467 468 /* Macro to perform one column of the RS matrix multiplication. The 469 * parameters a, b, c, and d are the four bytes of output; i is the index 470 * of the key bytes, and w, x, y, and z, are the column of constants from 471 * the RS matrix, preprocessed through the poly_to_exp table. */ 472 473 #define CALC_S(a, b, c, d, i, w, x, y, z) \ 474 if (key[i]) { \ 475 tmp = poly_to_exp[key[i] - 1]; \ 476 (a) ^= exp_to_poly[tmp + (w)]; \ 477 (b) ^= exp_to_poly[tmp + (x)]; \ 478 (c) ^= exp_to_poly[tmp + (y)]; \ 479 (d) ^= exp_to_poly[tmp + (z)]; \ 480 } 481 482 /* Macros to calculate the key-dependent S-boxes for a 128-bit key using 483 * the S vector from CALC_S. CALC_SB_2 computes a single entry in all 484 * four S-boxes, where i is the index of the entry to compute, and a and b 485 * are the index numbers preprocessed through the q0 and q1 tables 486 * respectively. */ 487 488 #define CALC_SB_2(i, a, b) \ 489 ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \ 490 ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \ 491 ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \ 492 ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh] 493 494 /* Macro exactly like CALC_SB_2, but for 192-bit keys. */ 495 496 #define CALC_SB192_2(i, a, b) \ 497 ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \ 498 ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \ 499 ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \ 500 ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl]; 501 502 /* Macro exactly like CALC_SB_2, but for 256-bit keys. */ 503 504 #define CALC_SB256_2(i, a, b) \ 505 ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \ 506 ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \ 507 ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \ 508 ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp]; 509 510 /* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the 511 * last two stages of the h() function for a given index (either 2i or 2i+1). 512 * a, b, c, and d are the four bytes going into the last two stages. For 513 * 128-bit keys, this is the entire h() function and a and c are the index 514 * preprocessed through q0 and q1 respectively; for longer keys they are the 515 * output of previous stages. j is the index of the first key byte to use. 516 * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2 517 * twice, doing the Psuedo-Hadamard Transform, and doing the necessary 518 * rotations. Its parameters are: a, the array to write the results into, 519 * j, the index of the first output entry, k and l, the preprocessed indices 520 * for index 2i, and m and n, the preprocessed indices for index 2i+1. 521 * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an 522 * additional lookup-and-XOR stage. The parameters a, b, c and d are the 523 * four bytes going into the last three stages. For 192-bit keys, c = d 524 * are the index preprocessed through q0, and a = b are the index 525 * preprocessed through q1; j is the index of the first key byte to use. 526 * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro 527 * instead of CALC_K_2. 528 * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an 529 * additional lookup-and-XOR stage. The parameters a and b are the index 530 * preprocessed through q0 and q1 respectively; j is the index of the first 531 * key byte to use. CALC_K256 is identical to CALC_K but for using the 532 * CALC_K256_2 macro instead of CALC_K_2. */ 533 534 #define CALC_K_2(a, b, c, d, j) \ 535 mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \ 536 ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \ 537 ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \ 538 ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]] 539 540 #define CALC_K(a, j, k, l, m, n) \ 541 x = CALC_K_2 (k, l, k, l, 0); \ 542 y = CALC_K_2 (m, n, m, n, 4); \ 543 y = (y << 8) + (y >> 24); \ 544 x += y; y += x; ctx->a[j] = x; \ 545 ctx->a[(j) + 1] = (y << 9) + (y >> 23) 546 547 #define CALC_K192_2(a, b, c, d, j) \ 548 CALC_K_2 (q0[a ^ key[(j) + 16]], \ 549 q1[b ^ key[(j) + 17]], \ 550 q0[c ^ key[(j) + 18]], \ 551 q1[d ^ key[(j) + 19]], j) 552 553 #define CALC_K192(a, j, k, l, m, n) \ 554 x = CALC_K192_2 (l, l, k, k, 0); \ 555 y = CALC_K192_2 (n, n, m, m, 4); \ 556 y = (y << 8) + (y >> 24); \ 557 x += y; y += x; ctx->a[j] = x; \ 558 ctx->a[(j) + 1] = (y << 9) + (y >> 23) 559 560 #define CALC_K256_2(a, b, j) \ 561 CALC_K192_2 (q1[b ^ key[(j) + 24]], \ 562 q1[a ^ key[(j) + 25]], \ 563 q0[a ^ key[(j) + 26]], \ 564 q0[b ^ key[(j) + 27]], j) 565 566 #define CALC_K256(a, j, k, l, m, n) \ 567 x = CALC_K256_2 (k, l, 0); \ 568 y = CALC_K256_2 (m, n, 4); \ 569 y = (y << 8) + (y >> 24); \ 570 x += y; y += x; ctx->a[j] = x; \ 571 ctx->a[(j) + 1] = (y << 9) + (y >> 23) 572 573 574 /* Macros to compute the g() function in the encryption and decryption 575 * rounds. G1 is the straight g() function; G2 includes the 8-bit 576 * rotation for the high 32-bit word. */ 577 578 #define G1(a) \ 579 (ctx->s[0][(a) & 0xFF]) ^ (ctx->s[1][((a) >> 8) & 0xFF]) \ 580 ^ (ctx->s[2][((a) >> 16) & 0xFF]) ^ (ctx->s[3][(a) >> 24]) 581 582 #define G2(b) \ 583 (ctx->s[1][(b) & 0xFF]) ^ (ctx->s[2][((b) >> 8) & 0xFF]) \ 584 ^ (ctx->s[3][((b) >> 16) & 0xFF]) ^ (ctx->s[0][(b) >> 24]) 585 586 /* Encryption and decryption Feistel rounds. Each one calls the two g() 587 * macros, does the PHT, and performs the XOR and the appropriate bit 588 * rotations. The parameters are the round number (used to select subkeys), 589 * and the four 32-bit chunks of the text. */ 590 591 #define ENCROUND(n, a, b, c, d) \ 592 x = G1 (a); y = G2 (b); \ 593 x += y; y += x + ctx->k[2 * (n) + 1]; \ 594 (c) ^= x + ctx->k[2 * (n)]; \ 595 (c) = ((c) >> 1) + ((c) << 31); \ 596 (d) = (((d) << 1)+((d) >> 31)) ^ y 597 598 #define DECROUND(n, a, b, c, d) \ 599 x = G1 (a); y = G2 (b); \ 600 x += y; y += x; \ 601 (d) ^= y + ctx->k[2 * (n) + 1]; \ 602 (d) = ((d) >> 1) + ((d) << 31); \ 603 (c) = (((c) << 1)+((c) >> 31)); \ 604 (c) ^= (x + ctx->k[2 * (n)]) 605 606 /* Encryption and decryption cycles; each one is simply two Feistel rounds 607 * with the 32-bit chunks re-ordered to simulate the "swap" */ 608 609 #define ENCCYCLE(n) \ 610 ENCROUND (2 * (n), a, b, c, d); \ 611 ENCROUND (2 * (n) + 1, c, d, a, b) 612 613 #define DECCYCLE(n) \ 614 DECROUND (2 * (n) + 1, c, d, a, b); \ 615 DECROUND (2 * (n), a, b, c, d) 616 617 /* Macros to convert the input and output bytes into 32-bit words, 618 * and simultaneously perform the whitening step. INPACK packs word 619 * number n into the variable named by x, using whitening subkey number m. 620 * OUTUNPACK unpacks word number n from the variable named by x, using 621 * whitening subkey number m. */ 622 623 #define INPACK(n, x, m) \ 624 x = in[4 * (n)] ^ (in[4 * (n) + 1] << 8) \ 625 ^ (in[4 * (n) + 2] << 16) ^ (in[4 * (n) + 3] << 24) ^ ctx->w[m] 626 627 #define OUTUNPACK(n, x, m) \ 628 x ^= ctx->w[m]; \ 629 out[4 * (n)] = x; out[4 * (n) + 1] = x >> 8; \ 630 out[4 * (n) + 2] = x >> 16; out[4 * (n) + 3] = x >> 24 631 632 #define TF_MIN_KEY_SIZE 16 633 #define TF_MAX_KEY_SIZE 32 634 #define TF_BLOCK_SIZE 16 635 636 /* Structure for an expanded Twofish key. s contains the key-dependent 637 * S-boxes composed with the MDS matrix; w contains the eight "whitening" 638 * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note 639 * that k[i] corresponds to what the Twofish paper calls K[i+8]. */ 640 struct twofish_ctx { 641 u32 s[4][256], w[8], k[32]; 642 }; 643 644 /* Perform the key setup. */ 645 static int twofish_setkey(void *cx, const u8 *key, 646 unsigned int key_len, u32 *flags) 647 { 648 649 struct twofish_ctx *ctx = cx; 650 651 int i, j, k; 652 653 /* Temporaries for CALC_K. */ 654 u32 x, y; 655 656 /* The S vector used to key the S-boxes, split up into individual bytes. 657 * 128-bit keys use only sa through sh; 256-bit use all of them. */ 658 u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0; 659 u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0; 660 661 /* Temporary for CALC_S. */ 662 u8 tmp; 663 664 /* Check key length. */ 665 if (key_len != 16 && key_len != 24 && key_len != 32) 666 return -EINVAL; /* unsupported key length */ 667 668 /* Compute the first two words of the S vector. The magic numbers are 669 * the entries of the RS matrix, preprocessed through poly_to_exp. The 670 * numbers in the comments are the original (polynomial form) matrix 671 * entries. */ 672 CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ 673 CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ 674 CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ 675 CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ 676 CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ 677 CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ 678 CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ 679 CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ 680 CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ 681 CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ 682 CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ 683 CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ 684 CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ 685 CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ 686 CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ 687 CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ 688 689 if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */ 690 /* Calculate the third word of the S vector */ 691 CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ 692 CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ 693 CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ 694 CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ 695 CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ 696 CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ 697 CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ 698 CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ 699 } 700 701 if (key_len == 32) { /* 256-bit key */ 702 /* Calculate the fourth word of the S vector */ 703 CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ 704 CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ 705 CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ 706 CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ 707 CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ 708 CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ 709 CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ 710 CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ 711 712 /* Compute the S-boxes. */ 713 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { 714 CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); 715 } 716 717 /* Calculate whitening and round subkeys. The constants are 718 * indices of subkeys, preprocessed through q0 and q1. */ 719 CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3); 720 CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); 721 CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); 722 CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); 723 CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); 724 CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B); 725 CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); 726 CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); 727 CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); 728 CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD); 729 CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71); 730 CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); 731 CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F); 732 CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B); 733 CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA); 734 CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F); 735 CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); 736 CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); 737 CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00); 738 CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); 739 } else if (key_len == 24) { /* 192-bit key */ 740 /* Compute the S-boxes. */ 741 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { 742 CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); 743 } 744 745 /* Calculate whitening and round subkeys. The constants are 746 * indices of subkeys, preprocessed through q0 and q1. */ 747 CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3); 748 CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); 749 CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); 750 CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); 751 CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); 752 CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B); 753 CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); 754 CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); 755 CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); 756 CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD); 757 CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71); 758 CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); 759 CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F); 760 CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B); 761 CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA); 762 CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F); 763 CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); 764 CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); 765 CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00); 766 CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); 767 } else { /* 128-bit key */ 768 /* Compute the S-boxes. */ 769 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { 770 CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); 771 } 772 773 /* Calculate whitening and round subkeys. The constants are 774 * indices of subkeys, preprocessed through q0 and q1. */ 775 CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3); 776 CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); 777 CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B); 778 CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8); 779 CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3); 780 CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B); 781 CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D); 782 CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B); 783 CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32); 784 CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD); 785 CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71); 786 CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); 787 CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F); 788 CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B); 789 CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA); 790 CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F); 791 CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); 792 CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B); 793 CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00); 794 CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D); 795 } 796 797 return 0; 798 } 799 800 /* Encrypt one block. in and out may be the same. */ 801 static void twofish_encrypt(void *cx, u8 *out, const u8 *in) 802 { 803 struct twofish_ctx *ctx = cx; 804 805 /* The four 32-bit chunks of the text. */ 806 u32 a, b, c, d; 807 808 /* Temporaries used by the round function. */ 809 u32 x, y; 810 811 /* Input whitening and packing. */ 812 INPACK (0, a, 0); 813 INPACK (1, b, 1); 814 INPACK (2, c, 2); 815 INPACK (3, d, 3); 816 817 /* Encryption Feistel cycles. */ 818 ENCCYCLE (0); 819 ENCCYCLE (1); 820 ENCCYCLE (2); 821 ENCCYCLE (3); 822 ENCCYCLE (4); 823 ENCCYCLE (5); 824 ENCCYCLE (6); 825 ENCCYCLE (7); 826 827 /* Output whitening and unpacking. */ 828 OUTUNPACK (0, c, 4); 829 OUTUNPACK (1, d, 5); 830 OUTUNPACK (2, a, 6); 831 OUTUNPACK (3, b, 7); 832 833 } 834 835 /* Decrypt one block. in and out may be the same. */ 836 static void twofish_decrypt(void *cx, u8 *out, const u8 *in) 837 { 838 struct twofish_ctx *ctx = cx; 839 840 /* The four 32-bit chunks of the text. */ 841 u32 a, b, c, d; 842 843 /* Temporaries used by the round function. */ 844 u32 x, y; 845 846 /* Input whitening and packing. */ 847 INPACK (0, c, 4); 848 INPACK (1, d, 5); 849 INPACK (2, a, 6); 850 INPACK (3, b, 7); 851 852 /* Encryption Feistel cycles. */ 853 DECCYCLE (7); 854 DECCYCLE (6); 855 DECCYCLE (5); 856 DECCYCLE (4); 857 DECCYCLE (3); 858 DECCYCLE (2); 859 DECCYCLE (1); 860 DECCYCLE (0); 861 862 /* Output whitening and unpacking. */ 863 OUTUNPACK (0, a, 0); 864 OUTUNPACK (1, b, 1); 865 OUTUNPACK (2, c, 2); 866 OUTUNPACK (3, d, 3); 867 868 } 869 870 static struct crypto_alg alg = { 871 .cra_name = "twofish", 872 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 873 .cra_blocksize = TF_BLOCK_SIZE, 874 .cra_ctxsize = sizeof(struct twofish_ctx), 875 .cra_module = THIS_MODULE, 876 .cra_list = LIST_HEAD_INIT(alg.cra_list), 877 .cra_u = { .cipher = { 878 .cia_min_keysize = TF_MIN_KEY_SIZE, 879 .cia_max_keysize = TF_MAX_KEY_SIZE, 880 .cia_ivsize = TF_BLOCK_SIZE, 881 .cia_setkey = twofish_setkey, 882 .cia_encrypt = twofish_encrypt, 883 .cia_decrypt = twofish_decrypt } } 884 }; 885 886 static int __init init(void) 887 { 888 return crypto_register_alg(&alg); 889 } 890 891 static void __exit fini(void) 892 { 893 crypto_unregister_alg(&alg); 894 } 895 896 module_init(init); 897 module_exit(fini); 898 899 MODULE_LICENSE("GPL"); 900 MODULE_DESCRIPTION ("Twofish Cipher Algorithm");

Cache object: e659dc71c3846187a795cd00b4dbe004

FreeBSD/Linux Kernel Cross Reference sys/crypto/twofish.c

FreeBSD/Linux Kernel Cross Reference
sys/crypto/twofish.c