1 /* gf128mul.c - GF(2^128) multiplication functions
17  ---------------------------------------------------------------------------
32    3. the copyright holder's name is not used to endorse products
42  in respect of its properties, including, but not limited to, correctness
44  ---------------------------------------------------------------------------
95  * 16-bit value that must be XOR-ed into the low-degree end of the
96  * product to reduce it modulo the polynomial x^128 + x^7 + x^2 + x + 1.
99  * the "be" convention where the highest-order bit is the coefficient of
100  * the highest-degree polynomial term, and one for the "le" convention
101  * where the highest-order bit is the coefficient of the lowest-degree
105  * correspond to the coefficients of x^15..x^0, and in the "le" table
106  * bits 15..0 correspond to the coefficients of x^0..x^15.
110  * anyway to support both little endian and big endian CPUs), the "be"
135  * the polynomial field representation.  They use 64-bit word operations
136  * to gain speed but compensate for machine endianness and hence work
142 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle()
143 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle()
146 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle()
147 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle()
153 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_lle_ti()
154 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_lle_ti()
157 	x->b = cpu_to_be64((b >> 8) | (a << 56));  in gf128mul_x8_lle_ti()
158 	x->a = cpu_to_be64((a >> 8) ^ (_tt << 48));  in gf128mul_x8_lle_ti()
163 	u64 a = be64_to_cpu(x->a);  in gf128mul_x8_bbe()
164 	u64 b = be64_to_cpu(x->b);  in gf128mul_x8_bbe()
167 	x->a = cpu_to_be64((a << 8) | (b >> 56));  in gf128mul_x8_bbe()
168 	x->b = cpu_to_be64((b << 8) ^ _tt);  in gf128mul_x8_bbe()
173 	u64 a = le64_to_cpu(x->a);  in gf128mul_x8_ble()
174 	u64 b = le64_to_cpu(x->b);  in gf128mul_x8_ble()
177 	r->a = cpu_to_le64((a << 8) | (b >> 56));  in gf128mul_x8_ble()
178 	r->b = cpu_to_le64((b << 8) ^ _tt);  in gf128mul_x8_ble()
185 	 * The p array should be aligned to twice the size of its element type,  in gf128mul_lle()
186 	 * so that every even/odd pair is guaranteed to share a cacheline  in gf128mul_lle()
191 	 * key, e.g., for GHASH. The odd array elements are all set to zero,  in gf128mul_lle()
193 	 * set, and this is equivalent to calling be128_xor() conditionally.  in gf128mul_lle()
194 	 * This approach aims to avoid leaking information about such keys  in gf128mul_lle()
198 	 * variables on the stack so we need to perform the alignment by hand.  in gf128mul_lle()
210 		u8 ch = ((u8 *)b)[15 - i];  in gf128mul_lle()
229 /*      This version uses 64k bytes of table space.
230     A 16 byte buffer has to be multiplied by a 16 byte key
246 	int i, j, k;  in gf128mul_init_64k_bbe()  local
253 		t->t[i] = kzalloc(sizeof(*t->t[i]), GFP_KERNEL);  in gf128mul_init_64k_bbe()
254 		if (!t->t[i]) {  in gf128mul_init_64k_bbe()
261 	t->t[0]->t[1] = *g;  in gf128mul_init_64k_bbe()
262 	for (j = 1; j <= 64; j <<= 1)  in gf128mul_init_64k_bbe()
263 		gf128mul_x_bbe(&t->t[0]->t[j + j], &t->t[0]->t[j]);  in gf128mul_init_64k_bbe()
266 		for (j = 2; j < 256; j += j)  in gf128mul_init_64k_bbe()
267 			for (k = 1; k < j; ++k)  in gf128mul_init_64k_bbe()
268 				be128_xor(&t->t[i]->t[j + k],  in gf128mul_init_64k_bbe()
269 					  &t->t[i]->t[j], &t->t[i]->t[k]);  in gf128mul_init_64k_bbe()
274 		for (j = 128; j > 0; j >>= 1) {  in gf128mul_init_64k_bbe()
275 			t->t[i]->t[j] = t->t[i - 1]->t[j];  in gf128mul_init_64k_bbe()
276 			gf128mul_x8_bbe(&t->t[i]->t[j]);  in gf128mul_init_64k_bbe()
290 		kfree_sensitive(t->t[i]);  in gf128mul_free_64k()
301 	*r = t->t[0]->t[ap[15]];  in gf128mul_64k_bbe()
303 		be128_xor(r, r, &t->t[i]->t[ap[15 - i]]);  in gf128mul_64k_bbe()
308 /*      This version uses 4k bytes of table space.
309     A 16 byte buffer has to be multiplied by a 16 byte key
314     the buffer and use this table to get the result, we then
315     have to multiply by x^120 to get the final value. For the
316     next highest byte the result has to be multiplied by x^112
327 	int j, k;  in gf128mul_init_4k_lle()  local
333 	t->t[128] = *g;  in gf128mul_init_4k_lle()
334 	for (j = 64; j > 0; j >>= 1)  in gf128mul_init_4k_lle()
335 		gf128mul_x_lle(&t->t[j], &t->t[j+j]);  in gf128mul_init_4k_lle()
337 	for (j = 2; j < 256; j += j)  in gf128mul_init_4k_lle()
338 		for (k = 1; k < j; ++k)  in gf128mul_init_4k_lle()
339 			be128_xor(&t->t[j + k], &t->t[j], &t->t[k]);  in gf128mul_init_4k_lle()
352 	*r = t->t[ap[15]];  in gf128mul_4k_lle()
353 	while (i--) {  in gf128mul_4k_lle()
355 		be128_xor(r, r, &t->t[ap[i]]);  in gf128mul_4k_lle()