diff options
author | Joachim Fritschi <jfritschi@freenet.de> | 2006-06-20 06:37:23 -0400 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2006-09-20 21:16:27 -0400 |
commit | 2729bb427f686e47970406d6bde6b11892885f29 (patch) | |
tree | 6c17bab6970fc4bcc92c0de76d174e35d8043844 | |
parent | 799111020c66c41aef621a3b53ad112543754124 (diff) |
[CRYPTO] twofish: Split out common c code
This patch splits up the twofish crypto routine into a common part ( key
setup ) which will be uses by all twofish crypto modules ( generic-c , i586
assembler and x86_64 assembler ) and generic-c part. It also creates a new
header file which will be used by all 3 modules.
This eliminates all code duplication.
Correctness was verified with the tcrypt module and automated test scripts.
Signed-off-by: Joachim Fritschi <jfritschi@freenet.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | crypto/Kconfig | 8 | ||||
-rw-r--r-- | crypto/Makefile | 1 | ||||
-rw-r--r-- | crypto/twofish.c | 698 | ||||
-rw-r--r-- | crypto/twofish_common.c | 744 | ||||
-rw-r--r-- | include/crypto/twofish.h | 23 |
5 files changed, 777 insertions, 697 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index ba133d557045..5472f693e6ec 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig | |||
@@ -131,6 +131,7 @@ config CRYPTO_BLOWFISH | |||
131 | config CRYPTO_TWOFISH | 131 | config CRYPTO_TWOFISH |
132 | tristate "Twofish cipher algorithm" | 132 | tristate "Twofish cipher algorithm" |
133 | depends on CRYPTO | 133 | depends on CRYPTO |
134 | select CRYPTO_TWOFISH_COMMON | ||
134 | help | 135 | help |
135 | Twofish cipher algorithm. | 136 | Twofish cipher algorithm. |
136 | 137 | ||
@@ -142,6 +143,13 @@ config CRYPTO_TWOFISH | |||
142 | See also: | 143 | See also: |
143 | <http://www.schneier.com/twofish.html> | 144 | <http://www.schneier.com/twofish.html> |
144 | 145 | ||
146 | config CRYPTO_TWOFISH_COMMON | ||
147 | tristate | ||
148 | depends on CRYPTO | ||
149 | help | ||
150 | Common parts of the Twofish cipher algorithm shared by the | ||
151 | generic c and the assembler implementations. | ||
152 | |||
145 | config CRYPTO_SERPENT | 153 | config CRYPTO_SERPENT |
146 | tristate "Serpent cipher algorithm" | 154 | tristate "Serpent cipher algorithm" |
147 | depends on CRYPTO | 155 | depends on CRYPTO |
diff --git a/crypto/Makefile b/crypto/Makefile index d287b9e60c47..fe934f1001c6 100644 --- a/crypto/Makefile +++ b/crypto/Makefile | |||
@@ -19,6 +19,7 @@ obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o | |||
19 | obj-$(CONFIG_CRYPTO_DES) += des.o | 19 | obj-$(CONFIG_CRYPTO_DES) += des.o |
20 | obj-$(CONFIG_CRYPTO_BLOWFISH) += blowfish.o | 20 | obj-$(CONFIG_CRYPTO_BLOWFISH) += blowfish.o |
21 | obj-$(CONFIG_CRYPTO_TWOFISH) += twofish.o | 21 | obj-$(CONFIG_CRYPTO_TWOFISH) += twofish.o |
22 | obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o | ||
22 | obj-$(CONFIG_CRYPTO_SERPENT) += serpent.o | 23 | obj-$(CONFIG_CRYPTO_SERPENT) += serpent.o |
23 | obj-$(CONFIG_CRYPTO_AES) += aes.o | 24 | obj-$(CONFIG_CRYPTO_AES) += aes.o |
24 | obj-$(CONFIG_CRYPTO_CAST5) += cast5.o | 25 | obj-$(CONFIG_CRYPTO_CAST5) += cast5.o |
diff --git a/crypto/twofish.c b/crypto/twofish.c index ec2488242e2d..e3b3a0a6cb4d 100644 --- a/crypto/twofish.c +++ b/crypto/twofish.c | |||
@@ -39,6 +39,7 @@ | |||
39 | */ | 39 | */ |
40 | 40 | ||
41 | #include <asm/byteorder.h> | 41 | #include <asm/byteorder.h> |
42 | #include <crypto/twofish.h> | ||
42 | #include <linux/module.h> | 43 | #include <linux/module.h> |
43 | #include <linux/init.h> | 44 | #include <linux/init.h> |
44 | #include <linux/types.h> | 45 | #include <linux/types.h> |
@@ -46,534 +47,6 @@ | |||
46 | #include <linux/crypto.h> | 47 | #include <linux/crypto.h> |
47 | #include <linux/bitops.h> | 48 | #include <linux/bitops.h> |
48 | 49 | ||
49 | |||
50 | /* The large precomputed tables for the Twofish cipher (twofish.c) | ||
51 | * Taken from the same source as twofish.c | ||
52 | * Marc Mutz <Marc@Mutz.com> | ||
53 | */ | ||
54 | |||
55 | /* These two tables are the q0 and q1 permutations, exactly as described in | ||
56 | * the Twofish paper. */ | ||
57 | |||
58 | static const u8 q0[256] = { | ||
59 | 0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78, | ||
60 | 0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C, | ||
61 | 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30, | ||
62 | 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82, | ||
63 | 0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE, | ||
64 | 0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B, | ||
65 | 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45, | ||
66 | 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7, | ||
67 | 0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF, | ||
68 | 0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8, | ||
69 | 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED, | ||
70 | 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90, | ||
71 | 0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B, | ||
72 | 0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B, | ||
73 | 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F, | ||
74 | 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A, | ||
75 | 0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17, | ||
76 | 0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72, | ||
77 | 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68, | ||
78 | 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4, | ||
79 | 0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42, | ||
80 | 0x4A, 0x5E, 0xC1, 0xE0 | ||
81 | }; | ||
82 | |||
83 | static const u8 q1[256] = { | ||
84 | 0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B, | ||
85 | 0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1, | ||
86 | 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B, | ||
87 | 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5, | ||
88 | 0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54, | ||
89 | 0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96, | ||
90 | 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7, | ||
91 | 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8, | ||
92 | 0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF, | ||
93 | 0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9, | ||
94 | 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D, | ||
95 | 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E, | ||
96 | 0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21, | ||
97 | 0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01, | ||
98 | 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E, | ||
99 | 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64, | ||
100 | 0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44, | ||
101 | 0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E, | ||
102 | 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B, | ||
103 | 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9, | ||
104 | 0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56, | ||
105 | 0x55, 0x09, 0xBE, 0x91 | ||
106 | }; | ||
107 | |||
108 | /* These MDS tables are actually tables of MDS composed with q0 and q1, | ||
109 | * because it is only ever used that way and we can save some time by | ||
110 | * precomputing. Of course the main saving comes from precomputing the | ||
111 | * GF(2^8) multiplication involved in the MDS matrix multiply; by looking | ||
112 | * things up in these tables we reduce the matrix multiply to four lookups | ||
113 | * and three XORs. Semi-formally, the definition of these tables is: | ||
114 | * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T | ||
115 | * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T | ||
116 | * where ^T means "transpose", the matrix multiply is performed in GF(2^8) | ||
117 | * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described | ||
118 | * by Schneier et al, and I'm casually glossing over the byte/word | ||
119 | * conversion issues. */ | ||
120 | |||
121 | static const u32 mds[4][256] = { | ||
122 | {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B, | ||
123 | 0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B, | ||
124 | 0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32, | ||
125 | 0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1, | ||
126 | 0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA, | ||
127 | 0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B, | ||
128 | 0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1, | ||
129 | 0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5, | ||
130 | 0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490, | ||
131 | 0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154, | ||
132 | 0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0, | ||
133 | 0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796, | ||
134 | 0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228, | ||
135 | 0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7, | ||
136 | 0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3, | ||
137 | 0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8, | ||
138 | 0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477, | ||
139 | 0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF, | ||
140 | 0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C, | ||
141 | 0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9, | ||
142 | 0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA, | ||
143 | 0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D, | ||
144 | 0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72, | ||
145 | 0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E, | ||
146 | 0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76, | ||
147 | 0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321, | ||
148 | 0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39, | ||
149 | 0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01, | ||
150 | 0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D, | ||
151 | 0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E, | ||
152 | 0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5, | ||
153 | 0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64, | ||
154 | 0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7, | ||
155 | 0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544, | ||
156 | 0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E, | ||
157 | 0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E, | ||
158 | 0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A, | ||
159 | 0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B, | ||
160 | 0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2, | ||
161 | 0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9, | ||
162 | 0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504, | ||
163 | 0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756, | ||
164 | 0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91}, | ||
165 | |||
166 | {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252, | ||
167 | 0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A, | ||
168 | 0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020, | ||
169 | 0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141, | ||
170 | 0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444, | ||
171 | 0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424, | ||
172 | 0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A, | ||
173 | 0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757, | ||
174 | 0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383, | ||
175 | 0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A, | ||
176 | 0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9, | ||
177 | 0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656, | ||
178 | 0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1, | ||
179 | 0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898, | ||
180 | 0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414, | ||
181 | 0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3, | ||
182 | 0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1, | ||
183 | 0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989, | ||
184 | 0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5, | ||
185 | 0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282, | ||
186 | 0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E, | ||
187 | 0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E, | ||
188 | 0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202, | ||
189 | 0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC, | ||
190 | 0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565, | ||
191 | 0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A, | ||
192 | 0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808, | ||
193 | 0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272, | ||
194 | 0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A, | ||
195 | 0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969, | ||
196 | 0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505, | ||
197 | 0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5, | ||
198 | 0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D, | ||
199 | 0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343, | ||
200 | 0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF, | ||
201 | 0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3, | ||
202 | 0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F, | ||
203 | 0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646, | ||
204 | 0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6, | ||
205 | 0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF, | ||
206 | 0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A, | ||
207 | 0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7, | ||
208 | 0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8}, | ||
209 | |||
210 | {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B, | ||
211 | 0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F, | ||
212 | 0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A, | ||
213 | 0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783, | ||
214 | 0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70, | ||
215 | 0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3, | ||
216 | 0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB, | ||
217 | 0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA, | ||
218 | 0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4, | ||
219 | 0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41, | ||
220 | 0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C, | ||
221 | 0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07, | ||
222 | 0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622, | ||
223 | 0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18, | ||
224 | 0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035, | ||
225 | 0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96, | ||
226 | 0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84, | ||
227 | 0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E, | ||
228 | 0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F, | ||
229 | 0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD, | ||
230 | 0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558, | ||
231 | 0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40, | ||
232 | 0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA, | ||
233 | 0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85, | ||
234 | 0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF, | ||
235 | 0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773, | ||
236 | 0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D, | ||
237 | 0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B, | ||
238 | 0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C, | ||
239 | 0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19, | ||
240 | 0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086, | ||
241 | 0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D, | ||
242 | 0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74, | ||
243 | 0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755, | ||
244 | 0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691, | ||
245 | 0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D, | ||
246 | 0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4, | ||
247 | 0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53, | ||
248 | 0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E, | ||
249 | 0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9, | ||
250 | 0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705, | ||
251 | 0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7, | ||
252 | 0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF}, | ||
253 | |||
254 | {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98, | ||
255 | 0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866, | ||
256 | 0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643, | ||
257 | 0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77, | ||
258 | 0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9, | ||
259 | 0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C, | ||
260 | 0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3, | ||
261 | 0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216, | ||
262 | 0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F, | ||
263 | 0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25, | ||
264 | 0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF, | ||
265 | 0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7, | ||
266 | 0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4, | ||
267 | 0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E, | ||
268 | 0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA, | ||
269 | 0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C, | ||
270 | 0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12, | ||
271 | 0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A, | ||
272 | 0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D, | ||
273 | 0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE, | ||
274 | 0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A, | ||
275 | 0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C, | ||
276 | 0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B, | ||
277 | 0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4, | ||
278 | 0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B, | ||
279 | 0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3, | ||
280 | 0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE, | ||
281 | 0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB, | ||
282 | 0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85, | ||
283 | 0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA, | ||
284 | 0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E, | ||
285 | 0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8, | ||
286 | 0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33, | ||
287 | 0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC, | ||
288 | 0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718, | ||
289 | 0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA, | ||
290 | 0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8, | ||
291 | 0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872, | ||
292 | 0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882, | ||
293 | 0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D, | ||
294 | 0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10, | ||
295 | 0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6, | ||
296 | 0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8} | ||
297 | }; | ||
298 | |||
299 | /* The exp_to_poly and poly_to_exp tables are used to perform efficient | ||
300 | * operations in GF(2^8) represented as GF(2)[x]/w(x) where | ||
301 | * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the | ||
302 | * definition of the RS matrix in the key schedule. Elements of that field | ||
303 | * are polynomials of degree not greater than 7 and all coefficients 0 or 1, | ||
304 | * which can be represented naturally by bytes (just substitute x=2). In that | ||
305 | * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8) | ||
306 | * multiplication is inefficient without hardware support. To multiply | ||
307 | * faster, I make use of the fact x is a generator for the nonzero elements, | ||
308 | * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for | ||
309 | * some n in 0..254. Note that that caret is exponentiation in GF(2^8), | ||
310 | * *not* polynomial notation. So if I want to compute pq where p and q are | ||
311 | * in GF(2^8), I can just say: | ||
312 | * 1. if p=0 or q=0 then pq=0 | ||
313 | * 2. otherwise, find m and n such that p=x^m and q=x^n | ||
314 | * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq | ||
315 | * The translations in steps 2 and 3 are looked up in the tables | ||
316 | * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this | ||
317 | * in action, look at the CALC_S macro. As additional wrinkles, note that | ||
318 | * one of my operands is always a constant, so the poly_to_exp lookup on it | ||
319 | * is done in advance; I included the original values in the comments so | ||
320 | * readers can have some chance of recognizing that this *is* the RS matrix | ||
321 | * from the Twofish paper. I've only included the table entries I actually | ||
322 | * need; I never do a lookup on a variable input of zero and the biggest | ||
323 | * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll | ||
324 | * never sum to more than 491. I'm repeating part of the exp_to_poly table | ||
325 | * so that I don't have to do mod-255 reduction in the exponent arithmetic. | ||
326 | * Since I know my constant operands are never zero, I only have to worry | ||
327 | * about zero values in the variable operand, and I do it with a simple | ||
328 | * conditional branch. I know conditionals are expensive, but I couldn't | ||
329 | * see a non-horrible way of avoiding them, and I did manage to group the | ||
330 | * statements so that each if covers four group multiplications. */ | ||
331 | |||
332 | static const u8 poly_to_exp[255] = { | ||
333 | 0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19, | ||
334 | 0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A, | ||
335 | 0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C, | ||
336 | 0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B, | ||
337 | 0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47, | ||
338 | 0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D, | ||
339 | 0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8, | ||
340 | 0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C, | ||
341 | 0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83, | ||
342 | 0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48, | ||
343 | 0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26, | ||
344 | 0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E, | ||
345 | 0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3, | ||
346 | 0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9, | ||
347 | 0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A, | ||
348 | 0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D, | ||
349 | 0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75, | ||
350 | 0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84, | ||
351 | 0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64, | ||
352 | 0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49, | ||
353 | 0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF, | ||
354 | 0x85, 0xC8, 0xA1 | ||
355 | }; | ||
356 | |||
357 | static const u8 exp_to_poly[492] = { | ||
358 | 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2, | ||
359 | 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03, | ||
360 | 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6, | ||
361 | 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A, | ||
362 | 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63, | ||
363 | 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C, | ||
364 | 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07, | ||
365 | 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88, | ||
366 | 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12, | ||
367 | 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7, | ||
368 | 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C, | ||
369 | 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8, | ||
370 | 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25, | ||
371 | 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A, | ||
372 | 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE, | ||
373 | 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC, | ||
374 | 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E, | ||
375 | 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92, | ||
376 | 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89, | ||
377 | 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB, | ||
378 | 0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1, | ||
379 | 0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, | ||
380 | 0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, | ||
381 | 0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, | ||
382 | 0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, | ||
383 | 0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, | ||
384 | 0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, | ||
385 | 0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, | ||
386 | 0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, | ||
387 | 0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, | ||
388 | 0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, | ||
389 | 0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, | ||
390 | 0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, | ||
391 | 0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, | ||
392 | 0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, | ||
393 | 0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, | ||
394 | 0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, | ||
395 | 0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, | ||
396 | 0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, | ||
397 | 0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, | ||
398 | 0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB | ||
399 | }; | ||
400 | |||
401 | |||
402 | /* The table constants are indices of | ||
403 | * S-box entries, preprocessed through q0 and q1. */ | ||
404 | static const u8 calc_sb_tbl[512] = { | ||
405 | 0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4, | ||
406 | 0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8, | ||
407 | 0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B, | ||
408 | 0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B, | ||
409 | 0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD, | ||
410 | 0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1, | ||
411 | 0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B, | ||
412 | 0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F, | ||
413 | 0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B, | ||
414 | 0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D, | ||
415 | 0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E, | ||
416 | 0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5, | ||
417 | 0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14, | ||
418 | 0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3, | ||
419 | 0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54, | ||
420 | 0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51, | ||
421 | 0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A, | ||
422 | 0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96, | ||
423 | 0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10, | ||
424 | 0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C, | ||
425 | 0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7, | ||
426 | 0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70, | ||
427 | 0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB, | ||
428 | 0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8, | ||
429 | 0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF, | ||
430 | 0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC, | ||
431 | 0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF, | ||
432 | 0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2, | ||
433 | 0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82, | ||
434 | 0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9, | ||
435 | 0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97, | ||
436 | 0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17, | ||
437 | 0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D, | ||
438 | 0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3, | ||
439 | 0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C, | ||
440 | 0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E, | ||
441 | 0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F, | ||
442 | 0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49, | ||
443 | 0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21, | ||
444 | 0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9, | ||
445 | 0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD, | ||
446 | 0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01, | ||
447 | 0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F, | ||
448 | 0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48, | ||
449 | 0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E, | ||
450 | 0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19, | ||
451 | 0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57, | ||
452 | 0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64, | ||
453 | 0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE, | ||
454 | 0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5, | ||
455 | 0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44, | ||
456 | 0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69, | ||
457 | 0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15, | ||
458 | 0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E, | ||
459 | 0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34, | ||
460 | 0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC, | ||
461 | 0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B, | ||
462 | 0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB, | ||
463 | 0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52, | ||
464 | 0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9, | ||
465 | 0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4, | ||
466 | 0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2, | ||
467 | 0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56, | ||
468 | 0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91 | ||
469 | }; | ||
470 | |||
471 | /* Macro to perform one column of the RS matrix multiplication. The | ||
472 | * parameters a, b, c, and d are the four bytes of output; i is the index | ||
473 | * of the key bytes, and w, x, y, and z, are the column of constants from | ||
474 | * the RS matrix, preprocessed through the poly_to_exp table. */ | ||
475 | |||
476 | #define CALC_S(a, b, c, d, i, w, x, y, z) \ | ||
477 | if (key[i]) { \ | ||
478 | tmp = poly_to_exp[key[i] - 1]; \ | ||
479 | (a) ^= exp_to_poly[tmp + (w)]; \ | ||
480 | (b) ^= exp_to_poly[tmp + (x)]; \ | ||
481 | (c) ^= exp_to_poly[tmp + (y)]; \ | ||
482 | (d) ^= exp_to_poly[tmp + (z)]; \ | ||
483 | } | ||
484 | |||
485 | /* Macros to calculate the key-dependent S-boxes for a 128-bit key using | ||
486 | * the S vector from CALC_S. CALC_SB_2 computes a single entry in all | ||
487 | * four S-boxes, where i is the index of the entry to compute, and a and b | ||
488 | * are the index numbers preprocessed through the q0 and q1 tables | ||
489 | * respectively. */ | ||
490 | |||
491 | #define CALC_SB_2(i, a, b) \ | ||
492 | ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \ | ||
493 | ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \ | ||
494 | ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \ | ||
495 | ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh] | ||
496 | |||
497 | /* Macro exactly like CALC_SB_2, but for 192-bit keys. */ | ||
498 | |||
499 | #define CALC_SB192_2(i, a, b) \ | ||
500 | ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \ | ||
501 | ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \ | ||
502 | ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \ | ||
503 | ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl]; | ||
504 | |||
505 | /* Macro exactly like CALC_SB_2, but for 256-bit keys. */ | ||
506 | |||
507 | #define CALC_SB256_2(i, a, b) \ | ||
508 | ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \ | ||
509 | ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \ | ||
510 | ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \ | ||
511 | ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp]; | ||
512 | |||
513 | /* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the | ||
514 | * last two stages of the h() function for a given index (either 2i or 2i+1). | ||
515 | * a, b, c, and d are the four bytes going into the last two stages. For | ||
516 | * 128-bit keys, this is the entire h() function and a and c are the index | ||
517 | * preprocessed through q0 and q1 respectively; for longer keys they are the | ||
518 | * output of previous stages. j is the index of the first key byte to use. | ||
519 | * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2 | ||
520 | * twice, doing the Pseudo-Hadamard Transform, and doing the necessary | ||
521 | * rotations. Its parameters are: a, the array to write the results into, | ||
522 | * j, the index of the first output entry, k and l, the preprocessed indices | ||
523 | * for index 2i, and m and n, the preprocessed indices for index 2i+1. | ||
524 | * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an | ||
525 | * additional lookup-and-XOR stage. The parameters a, b, c and d are the | ||
526 | * four bytes going into the last three stages. For 192-bit keys, c = d | ||
527 | * are the index preprocessed through q0, and a = b are the index | ||
528 | * preprocessed through q1; j is the index of the first key byte to use. | ||
529 | * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro | ||
530 | * instead of CALC_K_2. | ||
531 | * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an | ||
532 | * additional lookup-and-XOR stage. The parameters a and b are the index | ||
533 | * preprocessed through q0 and q1 respectively; j is the index of the first | ||
534 | * key byte to use. CALC_K256 is identical to CALC_K but for using the | ||
535 | * CALC_K256_2 macro instead of CALC_K_2. */ | ||
536 | |||
537 | #define CALC_K_2(a, b, c, d, j) \ | ||
538 | mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \ | ||
539 | ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \ | ||
540 | ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \ | ||
541 | ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]] | ||
542 | |||
543 | #define CALC_K(a, j, k, l, m, n) \ | ||
544 | x = CALC_K_2 (k, l, k, l, 0); \ | ||
545 | y = CALC_K_2 (m, n, m, n, 4); \ | ||
546 | y = rol32(y, 8); \ | ||
547 | x += y; y += x; ctx->a[j] = x; \ | ||
548 | ctx->a[(j) + 1] = rol32(y, 9) | ||
549 | |||
550 | #define CALC_K192_2(a, b, c, d, j) \ | ||
551 | CALC_K_2 (q0[a ^ key[(j) + 16]], \ | ||
552 | q1[b ^ key[(j) + 17]], \ | ||
553 | q0[c ^ key[(j) + 18]], \ | ||
554 | q1[d ^ key[(j) + 19]], j) | ||
555 | |||
556 | #define CALC_K192(a, j, k, l, m, n) \ | ||
557 | x = CALC_K192_2 (l, l, k, k, 0); \ | ||
558 | y = CALC_K192_2 (n, n, m, m, 4); \ | ||
559 | y = rol32(y, 8); \ | ||
560 | x += y; y += x; ctx->a[j] = x; \ | ||
561 | ctx->a[(j) + 1] = rol32(y, 9) | ||
562 | |||
563 | #define CALC_K256_2(a, b, j) \ | ||
564 | CALC_K192_2 (q1[b ^ key[(j) + 24]], \ | ||
565 | q1[a ^ key[(j) + 25]], \ | ||
566 | q0[a ^ key[(j) + 26]], \ | ||
567 | q0[b ^ key[(j) + 27]], j) | ||
568 | |||
569 | #define CALC_K256(a, j, k, l, m, n) \ | ||
570 | x = CALC_K256_2 (k, l, 0); \ | ||
571 | y = CALC_K256_2 (m, n, 4); \ | ||
572 | y = rol32(y, 8); \ | ||
573 | x += y; y += x; ctx->a[j] = x; \ | ||
574 | ctx->a[(j) + 1] = rol32(y, 9) | ||
575 | |||
576 | |||
577 | /* Macros to compute the g() function in the encryption and decryption | 50 | /* Macros to compute the g() function in the encryption and decryption |
578 | * rounds. G1 is the straight g() function; G2 includes the 8-bit | 51 | * rounds. G1 is the straight g() function; G2 includes the 8-bit |
579 | * rotation for the high 32-bit word. */ | 52 | * rotation for the high 32-bit word. */ |
@@ -630,176 +103,7 @@ static const u8 calc_sb_tbl[512] = { | |||
630 | x ^= ctx->w[m]; \ | 103 | x ^= ctx->w[m]; \ |
631 | dst[n] = cpu_to_le32(x) | 104 | dst[n] = cpu_to_le32(x) |
632 | 105 | ||
633 | #define TF_MIN_KEY_SIZE 16 | ||
634 | #define TF_MAX_KEY_SIZE 32 | ||
635 | #define TF_BLOCK_SIZE 16 | ||
636 | |||
637 | /* Structure for an expanded Twofish key. s contains the key-dependent | ||
638 | * S-boxes composed with the MDS matrix; w contains the eight "whitening" | ||
639 | * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note | ||
640 | * that k[i] corresponds to what the Twofish paper calls K[i+8]. */ | ||
641 | struct twofish_ctx { | ||
642 | u32 s[4][256], w[8], k[32]; | ||
643 | }; | ||
644 | |||
645 | /* Perform the key setup. */ | ||
646 | static int twofish_setkey(struct crypto_tfm *tfm, const u8 *key, | ||
647 | unsigned int key_len, u32 *flags) | ||
648 | { | ||
649 | |||
650 | struct twofish_ctx *ctx = crypto_tfm_ctx(tfm); | ||
651 | 106 | ||
652 | int i, j, k; | ||
653 | |||
654 | /* Temporaries for CALC_K. */ | ||
655 | u32 x, y; | ||
656 | |||
657 | /* The S vector used to key the S-boxes, split up into individual bytes. | ||
658 | * 128-bit keys use only sa through sh; 256-bit use all of them. */ | ||
659 | u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0; | ||
660 | u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0; | ||
661 | |||
662 | /* Temporary for CALC_S. */ | ||
663 | u8 tmp; | ||
664 | |||
665 | /* Check key length. */ | ||
666 | if (key_len != 16 && key_len != 24 && key_len != 32) | ||
667 | { | ||
668 | *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; | ||
669 | return -EINVAL; /* unsupported key length */ | ||
670 | } | ||
671 | |||
672 | /* Compute the first two words of the S vector. The magic numbers are | ||
673 | * the entries of the RS matrix, preprocessed through poly_to_exp. The | ||
674 | * numbers in the comments are the original (polynomial form) matrix | ||
675 | * entries. */ | ||
676 | CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
677 | CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
678 | CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
679 | CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
680 | CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
681 | CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
682 | CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
683 | CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
684 | CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
685 | CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
686 | CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
687 | CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
688 | CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
689 | CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
690 | CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
691 | CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
692 | |||
693 | if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */ | ||
694 | /* Calculate the third word of the S vector */ | ||
695 | CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
696 | CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
697 | CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
698 | CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
699 | CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
700 | CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
701 | CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
702 | CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
703 | } | ||
704 | |||
705 | if (key_len == 32) { /* 256-bit key */ | ||
706 | /* Calculate the fourth word of the S vector */ | ||
707 | CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
708 | CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
709 | CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
710 | CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
711 | CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
712 | CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
713 | CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
714 | CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
715 | |||
716 | /* Compute the S-boxes. */ | ||
717 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
718 | CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
719 | } | ||
720 | |||
721 | /* Calculate whitening and round subkeys. The constants are | ||
722 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
723 | CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
724 | CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
725 | CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
726 | CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
727 | CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
728 | CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
729 | CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
730 | CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
731 | CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
732 | CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
733 | CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
734 | CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
735 | CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
736 | CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
737 | CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
738 | CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
739 | CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
740 | CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
741 | CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
742 | CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
743 | } else if (key_len == 24) { /* 192-bit key */ | ||
744 | /* Compute the S-boxes. */ | ||
745 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
746 | CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
747 | } | ||
748 | |||
749 | /* Calculate whitening and round subkeys. The constants are | ||
750 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
751 | CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
752 | CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
753 | CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
754 | CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
755 | CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
756 | CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
757 | CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
758 | CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
759 | CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
760 | CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
761 | CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
762 | CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
763 | CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
764 | CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
765 | CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
766 | CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
767 | CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
768 | CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
769 | CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
770 | CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
771 | } else { /* 128-bit key */ | ||
772 | /* Compute the S-boxes. */ | ||
773 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
774 | CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
775 | } | ||
776 | |||
777 | /* Calculate whitening and round subkeys. The constants are | ||
778 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
779 | CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
780 | CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
781 | CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
782 | CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
783 | CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
784 | CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
785 | CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
786 | CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
787 | CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
788 | CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
789 | CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
790 | CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
791 | CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
792 | CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
793 | CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
794 | CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
795 | CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
796 | CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
797 | CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
798 | CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
799 | } | ||
800 | |||
801 | return 0; | ||
802 | } | ||
803 | 107 | ||
804 | /* Encrypt one block. in and out may be the same. */ | 108 | /* Encrypt one block. in and out may be the same. */ |
805 | static void twofish_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) | 109 | static void twofish_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) |
diff --git a/crypto/twofish_common.c b/crypto/twofish_common.c new file mode 100644 index 000000000000..1ae0280c2513 --- /dev/null +++ b/crypto/twofish_common.c | |||
@@ -0,0 +1,744 @@ | |||
1 | /* | ||
2 | * Common Twofish algorithm parts shared between the c and assembler | ||
3 | * implementations | ||
4 | * | ||
5 | * Originally Twofish for GPG | ||
6 | * By Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998 | ||
7 | * 256-bit key length added March 20, 1999 | ||
8 | * Some modifications to reduce the text size by Werner Koch, April, 1998 | ||
9 | * Ported to the kerneli patch by Marc Mutz <Marc@Mutz.com> | ||
10 | * Ported to CryptoAPI by Colin Slater <hoho@tacomeat.net> | ||
11 | * | ||
12 | * The original author has disclaimed all copyright interest in this | ||
13 | * code and thus put it in the public domain. The subsequent authors | ||
14 | * have put this under the GNU General Public License. | ||
15 | * | ||
16 | * This program is free software; you can redistribute it and/or modify | ||
17 | * it under the terms of the GNU General Public License as published by | ||
18 | * the Free Software Foundation; either version 2 of the License, or | ||
19 | * (at your option) any later version. | ||
20 | * | ||
21 | * This program is distributed in the hope that it will be useful, | ||
22 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
23 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
24 | * GNU General Public License for more details. | ||
25 | * | ||
26 | * You should have received a copy of the GNU General Public License | ||
27 | * along with this program; if not, write to the Free Software | ||
28 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 | ||
29 | * USA | ||
30 | * | ||
31 | * This code is a "clean room" implementation, written from the paper | ||
32 | * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey, | ||
33 | * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available | ||
34 | * through http://www.counterpane.com/twofish.html | ||
35 | * | ||
36 | * For background information on multiplication in finite fields, used for | ||
37 | * the matrix operations in the key schedule, see the book _Contemporary | ||
38 | * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the | ||
39 | * Third Edition. | ||
40 | */ | ||
41 | |||
42 | #include <crypto/twofish.h> | ||
43 | #include <linux/bitops.h> | ||
44 | #include <linux/crypto.h> | ||
45 | #include <linux/errno.h> | ||
46 | #include <linux/init.h> | ||
47 | #include <linux/kernel.h> | ||
48 | #include <linux/module.h> | ||
49 | #include <linux/types.h> | ||
50 | |||
51 | |||
52 | /* The large precomputed tables for the Twofish cipher (twofish.c) | ||
53 | * Taken from the same source as twofish.c | ||
54 | * Marc Mutz <Marc@Mutz.com> | ||
55 | */ | ||
56 | |||
57 | /* These two tables are the q0 and q1 permutations, exactly as described in | ||
58 | * the Twofish paper. */ | ||
59 | |||
60 | static const u8 q0[256] = { | ||
61 | 0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78, | ||
62 | 0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C, | ||
63 | 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30, | ||
64 | 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82, | ||
65 | 0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE, | ||
66 | 0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B, | ||
67 | 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45, | ||
68 | 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7, | ||
69 | 0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF, | ||
70 | 0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8, | ||
71 | 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED, | ||
72 | 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90, | ||
73 | 0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B, | ||
74 | 0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B, | ||
75 | 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F, | ||
76 | 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A, | ||
77 | 0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17, | ||
78 | 0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72, | ||
79 | 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68, | ||
80 | 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4, | ||
81 | 0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42, | ||
82 | 0x4A, 0x5E, 0xC1, 0xE0 | ||
83 | }; | ||
84 | |||
85 | static const u8 q1[256] = { | ||
86 | 0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B, | ||
87 | 0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1, | ||
88 | 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B, | ||
89 | 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5, | ||
90 | 0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54, | ||
91 | 0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96, | ||
92 | 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7, | ||
93 | 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8, | ||
94 | 0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF, | ||
95 | 0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9, | ||
96 | 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D, | ||
97 | 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E, | ||
98 | 0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21, | ||
99 | 0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01, | ||
100 | 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E, | ||
101 | 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64, | ||
102 | 0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44, | ||
103 | 0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E, | ||
104 | 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B, | ||
105 | 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9, | ||
106 | 0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56, | ||
107 | 0x55, 0x09, 0xBE, 0x91 | ||
108 | }; | ||
109 | |||
110 | /* These MDS tables are actually tables of MDS composed with q0 and q1, | ||
111 | * because it is only ever used that way and we can save some time by | ||
112 | * precomputing. Of course the main saving comes from precomputing the | ||
113 | * GF(2^8) multiplication involved in the MDS matrix multiply; by looking | ||
114 | * things up in these tables we reduce the matrix multiply to four lookups | ||
115 | * and three XORs. Semi-formally, the definition of these tables is: | ||
116 | * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T | ||
117 | * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T | ||
118 | * where ^T means "transpose", the matrix multiply is performed in GF(2^8) | ||
119 | * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described | ||
120 | * by Schneier et al, and I'm casually glossing over the byte/word | ||
121 | * conversion issues. */ | ||
122 | |||
123 | static const u32 mds[4][256] = { | ||
124 | { | ||
125 | 0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B, | ||
126 | 0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B, | ||
127 | 0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32, | ||
128 | 0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1, | ||
129 | 0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA, | ||
130 | 0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B, | ||
131 | 0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1, | ||
132 | 0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5, | ||
133 | 0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490, | ||
134 | 0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154, | ||
135 | 0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0, | ||
136 | 0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796, | ||
137 | 0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228, | ||
138 | 0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7, | ||
139 | 0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3, | ||
140 | 0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8, | ||
141 | 0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477, | ||
142 | 0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF, | ||
143 | 0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C, | ||
144 | 0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9, | ||
145 | 0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA, | ||
146 | 0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D, | ||
147 | 0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72, | ||
148 | 0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E, | ||
149 | 0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76, | ||
150 | 0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321, | ||
151 | 0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39, | ||
152 | 0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01, | ||
153 | 0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D, | ||
154 | 0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E, | ||
155 | 0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5, | ||
156 | 0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64, | ||
157 | 0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7, | ||
158 | 0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544, | ||
159 | 0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E, | ||
160 | 0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E, | ||
161 | 0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A, | ||
162 | 0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B, | ||
163 | 0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2, | ||
164 | 0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9, | ||
165 | 0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504, | ||
166 | 0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756, | ||
167 | 0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91}, | ||
168 | |||
169 | { | ||
170 | 0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252, | ||
171 | 0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A, | ||
172 | 0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020, | ||
173 | 0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141, | ||
174 | 0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444, | ||
175 | 0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424, | ||
176 | 0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A, | ||
177 | 0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757, | ||
178 | 0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383, | ||
179 | 0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A, | ||
180 | 0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9, | ||
181 | 0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656, | ||
182 | 0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1, | ||
183 | 0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898, | ||
184 | 0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414, | ||
185 | 0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3, | ||
186 | 0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1, | ||
187 | 0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989, | ||
188 | 0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5, | ||
189 | 0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282, | ||
190 | 0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E, | ||
191 | 0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E, | ||
192 | 0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202, | ||
193 | 0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC, | ||
194 | 0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565, | ||
195 | 0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A, | ||
196 | 0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808, | ||
197 | 0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272, | ||
198 | 0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A, | ||
199 | 0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969, | ||
200 | 0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505, | ||
201 | 0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5, | ||
202 | 0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D, | ||
203 | 0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343, | ||
204 | 0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF, | ||
205 | 0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3, | ||
206 | 0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F, | ||
207 | 0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646, | ||
208 | 0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6, | ||
209 | 0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF, | ||
210 | 0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A, | ||
211 | 0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7, | ||
212 | 0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8}, | ||
213 | |||
214 | { | ||
215 | 0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B, | ||
216 | 0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F, | ||
217 | 0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A, | ||
218 | 0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783, | ||
219 | 0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70, | ||
220 | 0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3, | ||
221 | 0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB, | ||
222 | 0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA, | ||
223 | 0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4, | ||
224 | 0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41, | ||
225 | 0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C, | ||
226 | 0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07, | ||
227 | 0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622, | ||
228 | 0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18, | ||
229 | 0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035, | ||
230 | 0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96, | ||
231 | 0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84, | ||
232 | 0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E, | ||
233 | 0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F, | ||
234 | 0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD, | ||
235 | 0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558, | ||
236 | 0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40, | ||
237 | 0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA, | ||
238 | 0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85, | ||
239 | 0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF, | ||
240 | 0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773, | ||
241 | 0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D, | ||
242 | 0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B, | ||
243 | 0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C, | ||
244 | 0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19, | ||
245 | 0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086, | ||
246 | 0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D, | ||
247 | 0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74, | ||
248 | 0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755, | ||
249 | 0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691, | ||
250 | 0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D, | ||
251 | 0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4, | ||
252 | 0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53, | ||
253 | 0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E, | ||
254 | 0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9, | ||
255 | 0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705, | ||
256 | 0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7, | ||
257 | 0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF}, | ||
258 | |||
259 | { | ||
260 | 0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98, | ||
261 | 0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866, | ||
262 | 0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643, | ||
263 | 0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77, | ||
264 | 0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9, | ||
265 | 0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C, | ||
266 | 0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3, | ||
267 | 0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216, | ||
268 | 0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F, | ||
269 | 0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25, | ||
270 | 0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF, | ||
271 | 0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7, | ||
272 | 0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4, | ||
273 | 0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E, | ||
274 | 0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA, | ||
275 | 0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C, | ||
276 | 0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12, | ||
277 | 0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A, | ||
278 | 0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D, | ||
279 | 0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE, | ||
280 | 0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A, | ||
281 | 0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C, | ||
282 | 0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B, | ||
283 | 0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4, | ||
284 | 0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B, | ||
285 | 0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3, | ||
286 | 0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE, | ||
287 | 0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB, | ||
288 | 0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85, | ||
289 | 0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA, | ||
290 | 0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E, | ||
291 | 0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8, | ||
292 | 0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33, | ||
293 | 0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC, | ||
294 | 0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718, | ||
295 | 0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA, | ||
296 | 0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8, | ||
297 | 0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872, | ||
298 | 0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882, | ||
299 | 0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D, | ||
300 | 0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10, | ||
301 | 0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6, | ||
302 | 0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8} | ||
303 | }; | ||
304 | |||
305 | /* The exp_to_poly and poly_to_exp tables are used to perform efficient | ||
306 | * operations in GF(2^8) represented as GF(2)[x]/w(x) where | ||
307 | * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the | ||
308 | * definition of the RS matrix in the key schedule. Elements of that field | ||
309 | * are polynomials of degree not greater than 7 and all coefficients 0 or 1, | ||
310 | * which can be represented naturally by bytes (just substitute x=2). In that | ||
311 | * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8) | ||
312 | * multiplication is inefficient without hardware support. To multiply | ||
313 | * faster, I make use of the fact x is a generator for the nonzero elements, | ||
314 | * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for | ||
315 | * some n in 0..254. Note that that caret is exponentiation in GF(2^8), | ||
316 | * *not* polynomial notation. So if I want to compute pq where p and q are | ||
317 | * in GF(2^8), I can just say: | ||
318 | * 1. if p=0 or q=0 then pq=0 | ||
319 | * 2. otherwise, find m and n such that p=x^m and q=x^n | ||
320 | * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq | ||
321 | * The translations in steps 2 and 3 are looked up in the tables | ||
322 | * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this | ||
323 | * in action, look at the CALC_S macro. As additional wrinkles, note that | ||
324 | * one of my operands is always a constant, so the poly_to_exp lookup on it | ||
325 | * is done in advance; I included the original values in the comments so | ||
326 | * readers can have some chance of recognizing that this *is* the RS matrix | ||
327 | * from the Twofish paper. I've only included the table entries I actually | ||
328 | * need; I never do a lookup on a variable input of zero and the biggest | ||
329 | * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll | ||
330 | * never sum to more than 491. I'm repeating part of the exp_to_poly table | ||
331 | * so that I don't have to do mod-255 reduction in the exponent arithmetic. | ||
332 | * Since I know my constant operands are never zero, I only have to worry | ||
333 | * about zero values in the variable operand, and I do it with a simple | ||
334 | * conditional branch. I know conditionals are expensive, but I couldn't | ||
335 | * see a non-horrible way of avoiding them, and I did manage to group the | ||
336 | * statements so that each if covers four group multiplications. */ | ||
337 | |||
338 | static const u8 poly_to_exp[255] = { | ||
339 | 0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19, | ||
340 | 0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A, | ||
341 | 0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C, | ||
342 | 0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B, | ||
343 | 0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47, | ||
344 | 0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D, | ||
345 | 0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8, | ||
346 | 0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C, | ||
347 | 0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83, | ||
348 | 0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48, | ||
349 | 0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26, | ||
350 | 0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E, | ||
351 | 0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3, | ||
352 | 0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9, | ||
353 | 0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A, | ||
354 | 0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D, | ||
355 | 0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75, | ||
356 | 0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84, | ||
357 | 0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64, | ||
358 | 0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49, | ||
359 | 0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF, | ||
360 | 0x85, 0xC8, 0xA1 | ||
361 | }; | ||
362 | |||
363 | static const u8 exp_to_poly[492] = { | ||
364 | 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2, | ||
365 | 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03, | ||
366 | 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6, | ||
367 | 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A, | ||
368 | 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63, | ||
369 | 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C, | ||
370 | 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07, | ||
371 | 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88, | ||
372 | 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12, | ||
373 | 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7, | ||
374 | 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C, | ||
375 | 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8, | ||
376 | 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25, | ||
377 | 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A, | ||
378 | 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE, | ||
379 | 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC, | ||
380 | 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E, | ||
381 | 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92, | ||
382 | 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89, | ||
383 | 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB, | ||
384 | 0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1, | ||
385 | 0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, | ||
386 | 0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, | ||
387 | 0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, | ||
388 | 0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, | ||
389 | 0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, | ||
390 | 0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, | ||
391 | 0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, | ||
392 | 0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, | ||
393 | 0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, | ||
394 | 0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, | ||
395 | 0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, | ||
396 | 0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, | ||
397 | 0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, | ||
398 | 0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, | ||
399 | 0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, | ||
400 | 0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, | ||
401 | 0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, | ||
402 | 0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, | ||
403 | 0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, | ||
404 | 0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB | ||
405 | }; | ||
406 | |||
407 | |||
408 | /* The table constants are indices of | ||
409 | * S-box entries, preprocessed through q0 and q1. */ | ||
410 | static const u8 calc_sb_tbl[512] = { | ||
411 | 0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4, | ||
412 | 0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8, | ||
413 | 0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B, | ||
414 | 0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B, | ||
415 | 0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD, | ||
416 | 0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1, | ||
417 | 0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B, | ||
418 | 0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F, | ||
419 | 0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B, | ||
420 | 0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D, | ||
421 | 0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E, | ||
422 | 0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5, | ||
423 | 0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14, | ||
424 | 0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3, | ||
425 | 0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54, | ||
426 | 0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51, | ||
427 | 0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A, | ||
428 | 0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96, | ||
429 | 0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10, | ||
430 | 0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C, | ||
431 | 0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7, | ||
432 | 0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70, | ||
433 | 0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB, | ||
434 | 0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8, | ||
435 | 0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF, | ||
436 | 0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC, | ||
437 | 0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF, | ||
438 | 0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2, | ||
439 | 0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82, | ||
440 | 0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9, | ||
441 | 0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97, | ||
442 | 0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17, | ||
443 | 0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D, | ||
444 | 0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3, | ||
445 | 0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C, | ||
446 | 0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E, | ||
447 | 0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F, | ||
448 | 0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49, | ||
449 | 0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21, | ||
450 | 0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9, | ||
451 | 0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD, | ||
452 | 0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01, | ||
453 | 0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F, | ||
454 | 0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48, | ||
455 | 0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E, | ||
456 | 0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19, | ||
457 | 0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57, | ||
458 | 0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64, | ||
459 | 0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE, | ||
460 | 0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5, | ||
461 | 0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44, | ||
462 | 0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69, | ||
463 | 0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15, | ||
464 | 0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E, | ||
465 | 0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34, | ||
466 | 0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC, | ||
467 | 0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B, | ||
468 | 0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB, | ||
469 | 0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52, | ||
470 | 0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9, | ||
471 | 0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4, | ||
472 | 0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2, | ||
473 | 0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56, | ||
474 | 0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91 | ||
475 | }; | ||
476 | |||
477 | /* Macro to perform one column of the RS matrix multiplication. The | ||
478 | * parameters a, b, c, and d are the four bytes of output; i is the index | ||
479 | * of the key bytes, and w, x, y, and z, are the column of constants from | ||
480 | * the RS matrix, preprocessed through the poly_to_exp table. */ | ||
481 | |||
482 | #define CALC_S(a, b, c, d, i, w, x, y, z) \ | ||
483 | if (key[i]) { \ | ||
484 | tmp = poly_to_exp[key[i] - 1]; \ | ||
485 | (a) ^= exp_to_poly[tmp + (w)]; \ | ||
486 | (b) ^= exp_to_poly[tmp + (x)]; \ | ||
487 | (c) ^= exp_to_poly[tmp + (y)]; \ | ||
488 | (d) ^= exp_to_poly[tmp + (z)]; \ | ||
489 | } | ||
490 | |||
491 | /* Macros to calculate the key-dependent S-boxes for a 128-bit key using | ||
492 | * the S vector from CALC_S. CALC_SB_2 computes a single entry in all | ||
493 | * four S-boxes, where i is the index of the entry to compute, and a and b | ||
494 | * are the index numbers preprocessed through the q0 and q1 tables | ||
495 | * respectively. */ | ||
496 | |||
497 | #define CALC_SB_2(i, a, b) \ | ||
498 | ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \ | ||
499 | ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \ | ||
500 | ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \ | ||
501 | ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh] | ||
502 | |||
503 | /* Macro exactly like CALC_SB_2, but for 192-bit keys. */ | ||
504 | |||
505 | #define CALC_SB192_2(i, a, b) \ | ||
506 | ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \ | ||
507 | ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \ | ||
508 | ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \ | ||
509 | ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl]; | ||
510 | |||
511 | /* Macro exactly like CALC_SB_2, but for 256-bit keys. */ | ||
512 | |||
513 | #define CALC_SB256_2(i, a, b) \ | ||
514 | ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \ | ||
515 | ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \ | ||
516 | ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \ | ||
517 | ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp]; | ||
518 | |||
519 | /* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the | ||
520 | * last two stages of the h() function for a given index (either 2i or 2i+1). | ||
521 | * a, b, c, and d are the four bytes going into the last two stages. For | ||
522 | * 128-bit keys, this is the entire h() function and a and c are the index | ||
523 | * preprocessed through q0 and q1 respectively; for longer keys they are the | ||
524 | * output of previous stages. j is the index of the first key byte to use. | ||
525 | * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2 | ||
526 | * twice, doing the Pseudo-Hadamard Transform, and doing the necessary | ||
527 | * rotations. Its parameters are: a, the array to write the results into, | ||
528 | * j, the index of the first output entry, k and l, the preprocessed indices | ||
529 | * for index 2i, and m and n, the preprocessed indices for index 2i+1. | ||
530 | * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an | ||
531 | * additional lookup-and-XOR stage. The parameters a, b, c and d are the | ||
532 | * four bytes going into the last three stages. For 192-bit keys, c = d | ||
533 | * are the index preprocessed through q0, and a = b are the index | ||
534 | * preprocessed through q1; j is the index of the first key byte to use. | ||
535 | * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro | ||
536 | * instead of CALC_K_2. | ||
537 | * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an | ||
538 | * additional lookup-and-XOR stage. The parameters a and b are the index | ||
539 | * preprocessed through q0 and q1 respectively; j is the index of the first | ||
540 | * key byte to use. CALC_K256 is identical to CALC_K but for using the | ||
541 | * CALC_K256_2 macro instead of CALC_K_2. */ | ||
542 | |||
543 | #define CALC_K_2(a, b, c, d, j) \ | ||
544 | mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \ | ||
545 | ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \ | ||
546 | ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \ | ||
547 | ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]] | ||
548 | |||
549 | #define CALC_K(a, j, k, l, m, n) \ | ||
550 | x = CALC_K_2 (k, l, k, l, 0); \ | ||
551 | y = CALC_K_2 (m, n, m, n, 4); \ | ||
552 | y = rol32(y, 8); \ | ||
553 | x += y; y += x; ctx->a[j] = x; \ | ||
554 | ctx->a[(j) + 1] = rol32(y, 9) | ||
555 | |||
556 | #define CALC_K192_2(a, b, c, d, j) \ | ||
557 | CALC_K_2 (q0[a ^ key[(j) + 16]], \ | ||
558 | q1[b ^ key[(j) + 17]], \ | ||
559 | q0[c ^ key[(j) + 18]], \ | ||
560 | q1[d ^ key[(j) + 19]], j) | ||
561 | |||
562 | #define CALC_K192(a, j, k, l, m, n) \ | ||
563 | x = CALC_K192_2 (l, l, k, k, 0); \ | ||
564 | y = CALC_K192_2 (n, n, m, m, 4); \ | ||
565 | y = rol32(y, 8); \ | ||
566 | x += y; y += x; ctx->a[j] = x; \ | ||
567 | ctx->a[(j) + 1] = rol32(y, 9) | ||
568 | |||
569 | #define CALC_K256_2(a, b, j) \ | ||
570 | CALC_K192_2 (q1[b ^ key[(j) + 24]], \ | ||
571 | q1[a ^ key[(j) + 25]], \ | ||
572 | q0[a ^ key[(j) + 26]], \ | ||
573 | q0[b ^ key[(j) + 27]], j) | ||
574 | |||
575 | #define CALC_K256(a, j, k, l, m, n) \ | ||
576 | x = CALC_K256_2 (k, l, 0); \ | ||
577 | y = CALC_K256_2 (m, n, 4); \ | ||
578 | y = rol32(y, 8); \ | ||
579 | x += y; y += x; ctx->a[j] = x; \ | ||
580 | ctx->a[(j) + 1] = rol32(y, 9) | ||
581 | |||
582 | /* Perform the key setup. */ | ||
583 | int twofish_setkey(struct crypto_tfm *tfm, const u8 *key, | ||
584 | unsigned int key_len, u32 *flags) | ||
585 | { | ||
586 | |||
587 | struct twofish_ctx *ctx = crypto_tfm_ctx(tfm); | ||
588 | |||
589 | int i, j, k; | ||
590 | |||
591 | /* Temporaries for CALC_K. */ | ||
592 | u32 x, y; | ||
593 | |||
594 | /* The S vector used to key the S-boxes, split up into individual bytes. | ||
595 | * 128-bit keys use only sa through sh; 256-bit use all of them. */ | ||
596 | u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0; | ||
597 | u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0; | ||
598 | |||
599 | /* Temporary for CALC_S. */ | ||
600 | u8 tmp; | ||
601 | |||
602 | /* Check key length. */ | ||
603 | if (key_len != 16 && key_len != 24 && key_len != 32) | ||
604 | { | ||
605 | *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; | ||
606 | return -EINVAL; /* unsupported key length */ | ||
607 | } | ||
608 | |||
609 | /* Compute the first two words of the S vector. The magic numbers are | ||
610 | * the entries of the RS matrix, preprocessed through poly_to_exp. The | ||
611 | * numbers in the comments are the original (polynomial form) matrix | ||
612 | * entries. */ | ||
613 | CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
614 | CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
615 | CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
616 | CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
617 | CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
618 | CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
619 | CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
620 | CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
621 | CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
622 | CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
623 | CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
624 | CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
625 | CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
626 | CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
627 | CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
628 | CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
629 | |||
630 | if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */ | ||
631 | /* Calculate the third word of the S vector */ | ||
632 | CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
633 | CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
634 | CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
635 | CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
636 | CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
637 | CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
638 | CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
639 | CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
640 | } | ||
641 | |||
642 | if (key_len == 32) { /* 256-bit key */ | ||
643 | /* Calculate the fourth word of the S vector */ | ||
644 | CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */ | ||
645 | CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */ | ||
646 | CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */ | ||
647 | CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */ | ||
648 | CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */ | ||
649 | CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */ | ||
650 | CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */ | ||
651 | CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */ | ||
652 | |||
653 | /* Compute the S-boxes. */ | ||
654 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
655 | CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
656 | } | ||
657 | |||
658 | /* Calculate whitening and round subkeys. The constants are | ||
659 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
660 | CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
661 | CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
662 | CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
663 | CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
664 | CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
665 | CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
666 | CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
667 | CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
668 | CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
669 | CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
670 | CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
671 | CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
672 | CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
673 | CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
674 | CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
675 | CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
676 | CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
677 | CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
678 | CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
679 | CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
680 | } else if (key_len == 24) { /* 192-bit key */ | ||
681 | /* Compute the S-boxes. */ | ||
682 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
683 | CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
684 | } | ||
685 | |||
686 | /* Calculate whitening and round subkeys. The constants are | ||
687 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
688 | CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
689 | CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
690 | CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
691 | CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
692 | CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
693 | CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
694 | CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
695 | CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
696 | CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
697 | CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
698 | CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
699 | CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
700 | CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
701 | CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
702 | CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
703 | CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
704 | CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
705 | CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
706 | CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
707 | CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
708 | } else { /* 128-bit key */ | ||
709 | /* Compute the S-boxes. */ | ||
710 | for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) { | ||
711 | CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] ); | ||
712 | } | ||
713 | |||
714 | /* Calculate whitening and round subkeys. The constants are | ||
715 | * indices of subkeys, preprocessed through q0 and q1. */ | ||
716 | CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3); | ||
717 | CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4); | ||
718 | CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B); | ||
719 | CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8); | ||
720 | CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3); | ||
721 | CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B); | ||
722 | CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D); | ||
723 | CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B); | ||
724 | CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32); | ||
725 | CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD); | ||
726 | CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71); | ||
727 | CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1); | ||
728 | CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F); | ||
729 | CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B); | ||
730 | CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA); | ||
731 | CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F); | ||
732 | CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA); | ||
733 | CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B); | ||
734 | CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00); | ||
735 | CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D); | ||
736 | } | ||
737 | |||
738 | return 0; | ||
739 | } | ||
740 | |||
741 | EXPORT_SYMBOL_GPL(twofish_setkey); | ||
742 | |||
743 | MODULE_LICENSE("GPL"); | ||
744 | MODULE_DESCRIPTION("Twofish cipher common functions"); | ||
diff --git a/include/crypto/twofish.h b/include/crypto/twofish.h new file mode 100644 index 000000000000..e4328cfaaf64 --- /dev/null +++ b/include/crypto/twofish.h | |||
@@ -0,0 +1,23 @@ | |||
1 | #ifndef _CRYPTO_TWOFISH_H | ||
2 | #define _CRYPTO_TWOFISH_H | ||
3 | |||
4 | #include <linux/types.h> | ||
5 | |||
6 | #define TF_MIN_KEY_SIZE 16 | ||
7 | #define TF_MAX_KEY_SIZE 32 | ||
8 | #define TF_BLOCK_SIZE 16 | ||
9 | |||
10 | struct crypto_tfm; | ||
11 | |||
12 | /* Structure for an expanded Twofish key. s contains the key-dependent | ||
13 | * S-boxes composed with the MDS matrix; w contains the eight "whitening" | ||
14 | * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note | ||
15 | * that k[i] corresponds to what the Twofish paper calls K[i+8]. */ | ||
16 | struct twofish_ctx { | ||
17 | u32 s[4][256], w[8], k[32]; | ||
18 | }; | ||
19 | |||
20 | int twofish_setkey(struct crypto_tfm *tfm, const u8 *key, | ||
21 | unsigned int key_len, u32 *flags); | ||
22 | |||
23 | #endif | ||