1 /* gf128mul.c - GF(2^128) multiplication functions
17  ---------------------------------------------------------------------------
44  ---------------------------------------------------------------------------
93  * Given a value i in 0..255 as the byte overflow when a field element
95  * 16-bit value that must be XOR-ed into the low-degree end of the
99  * the "be" convention where the highest-order bit is the coefficient of
100  * the highest-degree polynomial term, and one for the "le" convention
101  * where the highest-order bit is the coefficient of the lowest-degree
102  * polynomial term.  In both cases the values are stored in CPU byte
108  * Therefore, provided that the appropriate byte endianness conversions
135  * the polynomial field representation.  They use 64-bit word operations
142 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle()
143 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle()
146 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle()
147 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle()
153 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle_ti()
154 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle_ti()
157 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle_ti()
158 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle_ti()
163 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_bbe()
164 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_bbe()
167 	x->a = cpu_to_be64((a << 8) | (b >> 56));  in gf128mul_x8_bbe()
168 	x->b = cpu_to_be64((b << 8) ^ _tt);  in gf128mul_x8_bbe()
173 	u64 a = le64_to_cpu(x->a);  in gf128mul_x8_ble()
174 	u64 b = le64_to_cpu(x->b);  in gf128mul_x8_ble()
177 	r->a = cpu_to_le64((a << 8) | (b >> 56));  in gf128mul_x8_ble()
178 	r->b = cpu_to_le64((b << 8) ^ _tt);  in gf128mul_x8_ble()
197 	 * Unfortunately, __aligned(16) or higher does not work on x86 for  in gf128mul_lle()
200 	be128 array[16 + 3] = {};  in gf128mul_lle()
210 		u8 ch = ((u8 *)b)[15 - i];  in gf128mul_lle()
221 		if (++i >= 16)  in gf128mul_lle()
230     A 16 byte buffer has to be multiplied by a 16 byte key
232     the buffer's lowest byte, we can construct a table of
233     the 256 16 byte values that result from the 256 values
234     of this byte.  This requires 4096 bytes. But we also
235     need tables for each of the 16 higher bytes in the
239  * t[0][BYTE] contains g*BYTE
240  * t[1][BYTE] contains g*x^8*BYTE
242  * t[15][BYTE] contains g*x^120*BYTE */
252 	for (i = 0; i < 16; i++) {  in gf128mul_init_64k_bbe()
253 		t->t[i] = kzalloc(sizeof(*t->t[i]), GFP_KERNEL);  in gf128mul_init_64k_bbe()
254 		if (!t->t[i]) {  in gf128mul_init_64k_bbe()
261 	t->t[0]->t[1] = *g;  in gf128mul_init_64k_bbe()
263 		gf128mul_x_bbe(&t->t[0]->t[j + j], &t->t[0]->t[j]);  in gf128mul_init_64k_bbe()
268 				be128_xor(&t->t[i]->t[j + k],  in gf128mul_init_64k_bbe()
269 					  &t->t[i]->t[j], &t->t[i]->t[k]);  in gf128mul_init_64k_bbe()
271 		if (++i >= 16)  in gf128mul_init_64k_bbe()
275 			t->t[i]->t[j] = t->t[i - 1]->t[j];  in gf128mul_init_64k_bbe()
276 			gf128mul_x8_bbe(&t->t[i]->t[j]);  in gf128mul_init_64k_bbe()
289 	for (i = 0; i < 16; i++)  in gf128mul_free_64k()
290 		kfree_sensitive(t->t[i]);  in gf128mul_free_64k()
301 	*r = t->t[0]->t[ap[15]];  in gf128mul_64k_bbe()
302 	for (i = 1; i < 16; ++i)  in gf128mul_64k_bbe()
303 		be128_xor(r, r, &t->t[i]->t[ap[15 - i]]);  in gf128mul_64k_bbe()
309     A 16 byte buffer has to be multiplied by a 16 byte key
311     single byte, we can construct a table of the 256 16 byte
312     values that result from the 256 values of this byte.
313     This requires 4096 bytes. If we take the highest byte in
316     next highest byte the result has to be multiplied by x^112
319     byte.  We repeatedly multiply the accumulator value by
320     x^8 and then add in (i.e. xor) the 16 bytes of the next
321     lower byte in the buffer, stopping when we reach the
322     lowest byte. This requires a 4096 byte table.
333 	t->t[128] = *g;  in gf128mul_init_4k_lle()
335 		gf128mul_x_lle(&t->t[j], &t->t[j+j]);  in gf128mul_init_4k_lle()
339 			be128_xor(&t->t[j + k], &t->t[j], &t->t[k]);  in gf128mul_init_4k_lle()
352 	*r = t->t[ap[15]];  in gf128mul_4k_lle()
353 	while (i--) {  in gf128mul_4k_lle()
355 		be128_xor(r, r, &t->t[ap[i]]);  in gf128mul_4k_lle()