[CRYPTO] padlock-aes: Use generic setkey function

The Padlock AES setkey routine is the same as exported by the generic implementation. So we could use it. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Cc: Michal Ludvig <michal@logix.cz> Tested-by: Stefan Hellermann <stefan@the2masters.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Sebastian Siewior <sebastian@breakpoint.cc> 2008-04-01 09:24:50 -0400
committer: Herbert Xu <herbert@gondor.apana.org.au> 2008-04-20 22:19:34 -0400
commit: 7dc748e4e720c1a98185363096ad7582e9113092 (patch)
tree: 664b4b77581c6b77ebd9d0535e7bfdb1ddd041c8 /drivers/crypto
parent: 5427663f498e19b441277de72ce7a685511f247c (diff)
2 files changed, 20 insertions, 301 deletions
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index e15dbc61f20f..43b71b69daa5 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -27,6 +27,7 @@ config CRYPTO_DEV_PADLOCK_AES
        tristate "PadLock driver for AES algorithm"
        depends on CRYPTO_DEV_PADLOCK
        select CRYPTO_BLKCIPHER
+        select CRYPTO_AES
        help
          Use VIA PadLock for AES algorithm.
diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
index 2f3ad3f7dfea..bb30eb9b93ef 100644
--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -5,42 +5,6 @@
 *
 * Copyright (c) 2004  Michal Ludvig <michal@logix.cz>
 *
- * Key expansion routine taken from crypto/aes_generic.c
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * ---------------------------------------------------------------------------
- * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
- * All rights reserved.
- *
- * LICENSE TERMS
- *
- * The free distribution and use of this software in both source and binary
- * form is allowed (with or without changes) provided that:
- *
- *   1. distributions of this source code include the above copyright
- *      notice, this list of conditions and the following disclaimer;
- *
- *   2. distributions in binary form include the above copyright
- *      notice, this list of conditions and the following disclaimer
- *      in the documentation and/or other associated materials;
- *
- *   3. the copyright holder's name is not used to endorse products
- *      built using this software without specific written permission.
- *
- * ALTERNATIVELY, provided that this notice is retained in full, this product
- * may be distributed under the terms of the GNU General Public License (GPL),
- * in which case the provisions of the GPL apply INSTEAD OF those given above.
- *
- * DISCLAIMER
- *
- * This software is provided 'as is' with no explicit or implied warranties
- * in respect of its properties, including, but not limited to, correctness
- * and/or fitness for purpose.
- * ---------------------------------------------------------------------------
 */
 #include <crypto/algapi.h>
@@ -54,9 +18,6 @@
 #include <asm/byteorder.h>
 #include "padlock.h"
-#define AES_EXTENDED_KEY_SIZE   64      /* in uint32_t units */
-#define AES_EXTENDED_KEY_SIZE_B (AES_EXTENDED_KEY_SIZE * sizeof(uint32_t))
 /* Control word. */
 struct cword {
        unsigned int __attribute__ ((__packed__))
@@ -70,218 +31,23 @@ struct cword {
 /* Whenever making any changes to the following
 * structure *make sure* you keep E, d_data
- * and cword aligned on 16 Bytes boundaries!!! */
+ * and cword aligned on 16 Bytes boundaries and
+ * the Hardware can access 16 * 16 bytes of E and d_data
+ * (only the first 15 * 16 bytes matter but the HW reads
+ * more).
+ */
 struct aes_ctx {
+        u32 E[AES_MAX_KEYLENGTH_U32]
+                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
+        u32 d_data[AES_MAX_KEYLENGTH_U32]
+                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
        struct {
                struct cword encrypt;
                struct cword decrypt;
        } cword;
        u32 *D;
-        int key_length;
-        u32 E[AES_EXTENDED_KEY_SIZE]
-                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
-        u32 d_data[AES_EXTENDED_KEY_SIZE]
-                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
 };
-/* ====== Key management routines ====== */
-static inline uint32_t
-generic_rotr32 (const uint32_t x, const unsigned bits)
-{
-        const unsigned n = bits % 32;
-        return (x >> n) | (x << (32 - n));
-}
-static inline uint32_t
-generic_rotl32 (const uint32_t x, const unsigned bits)
-{
-        const unsigned n = bits % 32;
-        return (x << n) | (x >> (32 - n));
-}
-#define rotl generic_rotl32
-#define rotr generic_rotr32
-/*
- * #define byte(x, nr) ((unsigned char)((x) >> (nr*8))) 
- */
-static inline uint8_t
-byte(const uint32_t x, const unsigned n)
-{
-        return x >> (n << 3);
-}
-#define E_KEY ctx->E
-#define D_KEY ctx->D
-static uint8_t pow_tab[256];
-static uint8_t log_tab[256];
-static uint8_t sbx_tab[256];
-static uint8_t isb_tab[256];
-static uint32_t rco_tab[10];
-static uint32_t ft_tab[4][256];
-static uint32_t it_tab[4][256];
-static uint32_t fl_tab[4][256];
-static uint32_t il_tab[4][256];
-static inline uint8_t
-f_mult (uint8_t a, uint8_t b)
-{
-        uint8_t aa = log_tab[a], cc = aa + log_tab[b];
-        return pow_tab[cc + (cc < aa ? 1 : 0)];
-}
-#define ff_mult(a,b)    (a && b ? f_mult(a, b) : 0)
-#define f_rn(bo, bi, n, k)                                      \
-    bo[n] =  ft_tab[0][byte(bi[n],0)] ^                         \
-             ft_tab[1][byte(bi[(n + 1) & 3],1)] ^               \
-             ft_tab[2][byte(bi[(n + 2) & 3],2)] ^               \
-             ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
-#define i_rn(bo, bi, n, k)                                      \
-    bo[n] =  it_tab[0][byte(bi[n],0)] ^                         \
-             it_tab[1][byte(bi[(n + 3) & 3],1)] ^               \
-             it_tab[2][byte(bi[(n + 2) & 3],2)] ^               \
-             it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
-#define ls_box(x)                               \
-    ( fl_tab[0][byte(x, 0)] ^                   \
-      fl_tab[1][byte(x, 1)] ^                   \
-      fl_tab[2][byte(x, 2)] ^                   \
-      fl_tab[3][byte(x, 3)] )
-#define f_rl(bo, bi, n, k)                                      \
-    bo[n] =  fl_tab[0][byte(bi[n],0)] ^                         \
-             fl_tab[1][byte(bi[(n + 1) & 3],1)] ^               \
-             fl_tab[2][byte(bi[(n + 2) & 3],2)] ^               \
-             fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
-#define i_rl(bo, bi, n, k)                                      \
-    bo[n] =  il_tab[0][byte(bi[n],0)] ^                         \
-             il_tab[1][byte(bi[(n + 3) & 3],1)] ^               \
-             il_tab[2][byte(bi[(n + 2) & 3],2)] ^               \
-             il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
-static void
-gen_tabs (void)
-{
-        uint32_t i, t;
-        uint8_t p, q;
-        /* log and power tables for GF(2**8) finite field with
-           0x011b as modular polynomial - the simplest prmitive
-           root is 0x03, used here to generate the tables */
-        for (i = 0, p = 1; i < 256; ++i) {
-                pow_tab[i] = (uint8_t) p;
-                log_tab[p] = (uint8_t) i;
-                p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0);
-        }
-        log_tab[1] = 0;
-        for (i = 0, p = 1; i < 10; ++i) {
-                rco_tab[i] = p;
-                p = (p << 1) ^ (p & 0x80 ? 0x01b : 0);
-        }
-        for (i = 0; i < 256; ++i) {
-                p = (i ? pow_tab[255 - log_tab[i]] : 0);
-                q = ((p >> 7) | (p << 1)) ^ ((p >> 6) | (p << 2));
-                p ^= 0x63 ^ q ^ ((q >> 6) | (q << 2));
-                sbx_tab[i] = p;
-                isb_tab[p] = (uint8_t) i;
-        }
-        for (i = 0; i < 256; ++i) {
-                p = sbx_tab[i];
-                t = p;
-                fl_tab[0][i] = t;
-                fl_tab[1][i] = rotl (t, 8);
-                fl_tab[2][i] = rotl (t, 16);
-                fl_tab[3][i] = rotl (t, 24);
-                t = ((uint32_t) ff_mult (2, p)) |
-                    ((uint32_t) p << 8) |
-                    ((uint32_t) p << 16) | ((uint32_t) ff_mult (3, p) << 24);
-                ft_tab[0][i] = t;
-                ft_tab[1][i] = rotl (t, 8);
-                ft_tab[2][i] = rotl (t, 16);
-                ft_tab[3][i] = rotl (t, 24);
-                p = isb_tab[i];
-                t = p;
-                il_tab[0][i] = t;
-                il_tab[1][i] = rotl (t, 8);
-                il_tab[2][i] = rotl (t, 16);
-                il_tab[3][i] = rotl (t, 24);
-                t = ((uint32_t) ff_mult (14, p)) |
-                    ((uint32_t) ff_mult (9, p) << 8) |
-                    ((uint32_t) ff_mult (13, p) << 16) |
-                    ((uint32_t) ff_mult (11, p) << 24);
-                it_tab[0][i] = t;
-                it_tab[1][i] = rotl (t, 8);
-                it_tab[2][i] = rotl (t, 16);
-                it_tab[3][i] = rotl (t, 24);
-        }
-}
-#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
-#define imix_col(y,x)       \
-    u   = star_x(x);        \
-    v   = star_x(u);        \
-    w   = star_x(v);        \
-    t   = w ^ (x);          \
-   (y)  = u ^ v ^ w;        \
-   (y) ^= rotr(u ^ t,  8) ^ \
-          rotr(v ^ t, 16) ^ \
-          rotr(t,24)
-/* initialise the key schedule from the user supplied key */
-#define loop4(i)                                    \
-{   t = rotr(t,  8); t = ls_box(t) ^ rco_tab[i];    \
-    t ^= E_KEY[4 * i];     E_KEY[4 * i + 4] = t;    \
-    t ^= E_KEY[4 * i + 1]; E_KEY[4 * i + 5] = t;    \
-    t ^= E_KEY[4 * i + 2]; E_KEY[4 * i + 6] = t;    \
-    t ^= E_KEY[4 * i + 3]; E_KEY[4 * i + 7] = t;    \
-}
-#define loop6(i)                                    \
-{   t = rotr(t,  8); t = ls_box(t) ^ rco_tab[i];    \
-    t ^= E_KEY[6 * i];     E_KEY[6 * i + 6] = t;    \
-    t ^= E_KEY[6 * i + 1]; E_KEY[6 * i + 7] = t;    \
-    t ^= E_KEY[6 * i + 2]; E_KEY[6 * i + 8] = t;    \
-    t ^= E_KEY[6 * i + 3]; E_KEY[6 * i + 9] = t;    \
-    t ^= E_KEY[6 * i + 4]; E_KEY[6 * i + 10] = t;   \
-    t ^= E_KEY[6 * i + 5]; E_KEY[6 * i + 11] = t;   \
-}
-#define loop8(i)                                    \
-{   t = rotr(t,  8); ; t = ls_box(t) ^ rco_tab[i];  \
-    t ^= E_KEY[8 * i];     E_KEY[8 * i + 8] = t;    \
-    t ^= E_KEY[8 * i + 1]; E_KEY[8 * i + 9] = t;    \
-    t ^= E_KEY[8 * i + 2]; E_KEY[8 * i + 10] = t;   \
-    t ^= E_KEY[8 * i + 3]; E_KEY[8 * i + 11] = t;   \
-    t  = E_KEY[8 * i + 4] ^ ls_box(t);    \
-    E_KEY[8 * i + 12] = t;                \
-    t ^= E_KEY[8 * i + 5]; E_KEY[8 * i + 13] = t;   \
-    t ^= E_KEY[8 * i + 6]; E_KEY[8 * i + 14] = t;   \
-    t ^= E_KEY[8 * i + 7]; E_KEY[8 * i + 15] = t;   \
-}
 /* Tells whether the ACE is capable to generate
   the extended key for a given key_len. */
 static inline int
@@ -321,17 +87,13 @@ static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
        struct aes_ctx *ctx = aes_ctx(tfm);
        const __le32 *key = (const __le32 *)in_key;
        u32 *flags = &tfm->crt_flags;
-        uint32_t i, t, u, v, w;
+        struct crypto_aes_ctx gen_aes;
-        uint32_t P[AES_EXTENDED_KEY_SIZE];
-        uint32_t rounds;
        if (key_len % 8) {
                *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
                return -EINVAL;
        }
-        ctx->key_length = key_len;
        /*
         * If the hardware is capable of generating the extended key
         * itself we must supply the plain key for both encryption
@@ -339,10 +101,10 @@ static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
         */
        ctx->D = ctx->E;
-        E_KEY[0] = le32_to_cpu(key[0]);
+        ctx->E[0] = le32_to_cpu(key[0]);
-        E_KEY[1] = le32_to_cpu(key[1]);
+        ctx->E[1] = le32_to_cpu(key[1]);
-        E_KEY[2] = le32_to_cpu(key[2]);
+        ctx->E[2] = le32_to_cpu(key[2]);
-        E_KEY[3] = le32_to_cpu(key[3]);
+        ctx->E[3] = le32_to_cpu(key[3]);
        /* Prepare control words. */
        memset(&ctx->cword, 0, sizeof(ctx->cword));
@@ -361,56 +123,13 @@ static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
        ctx->cword.encrypt.keygen = 1;
        ctx->cword.decrypt.keygen = 1;
-        switch (key_len) {
+        if (crypto_aes_expand_key(&gen_aes, in_key, key_len)) {
-        case 16:
+                *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
-                t = E_KEY[3];
+                return -EINVAL;
-                for (i = 0; i < 10; ++i)
-                        loop4 (i);
-                break;
-        case 24:
-                E_KEY[4] = le32_to_cpu(key[4]);
-                t = E_KEY[5] = le32_to_cpu(key[5]);
-                for (i = 0; i < 8; ++i)
-                        loop6 (i);
-                break;
-        case 32:
-                E_KEY[4] = le32_to_cpu(key[4]);
-                E_KEY[5] = le32_to_cpu(key[5]);
-                E_KEY[6] = le32_to_cpu(key[6]);
-                t = E_KEY[7] = le32_to_cpu(key[7]);
-                for (i = 0; i < 7; ++i)
-                        loop8 (i);
-                break;
-        }
-        D_KEY[0] = E_KEY[0];
-        D_KEY[1] = E_KEY[1];
-        D_KEY[2] = E_KEY[2];
-        D_KEY[3] = E_KEY[3];
-        for (i = 4; i < key_len + 24; ++i) {
-                imix_col (D_KEY[i], E_KEY[i]);
-        }
-        /* PadLock needs a different format of the decryption key. */
-        rounds = 10 + (key_len - 16) / 4;
-        for (i = 0; i < rounds; i++) {
-                P[((i + 1) * 4) + 0] = D_KEY[((rounds - i - 1) * 4) + 0];
-                P[((i + 1) * 4) + 1] = D_KEY[((rounds - i - 1) * 4) + 1];
-                P[((i + 1) * 4) + 2] = D_KEY[((rounds - i - 1) * 4) + 2];
-                P[((i + 1) * 4) + 3] = D_KEY[((rounds - i - 1) * 4) + 3];
        }
-        P[0] = E_KEY[(rounds * 4) + 0];
+        memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
-        P[1] = E_KEY[(rounds * 4) + 1];
+        memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);
-        P[2] = E_KEY[(rounds * 4) + 2];
-        P[3] = E_KEY[(rounds * 4) + 3];
-        memcpy(D_KEY, P, AES_EXTENDED_KEY_SIZE_B);
        return 0;
 }
@@ -675,7 +394,6 @@ static int __init padlock_init(void)
                return -ENODEV;
        }
-        gen_tabs();
        if ((ret = crypto_register_alg(&aes_alg)))
                goto aes_err;
author	Sebastian Siewior <sebastian@breakpoint.cc>	2008-04-01 09:24:50 -0400
committer	Herbert Xu <herbert@gondor.apana.org.au>	2008-04-20 22:19:34 -0400
commit	7dc748e4e720c1a98185363096ad7582e9113092 (patch)
tree	664b4b77581c6b77ebd9d0535e7bfdb1ddd041c8 /drivers/crypto
parent	5427663f498e19b441277de72ce7a685511f247c (diff)

diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig index e15dbc61f20f..43b71b69daa5 100644 --- a/drivers/crypto/Kconfig +++ b/drivers/crypto/Kconfig
@@ -27,6 +27,7 @@ config CRYPTO_DEV_PADLOCK_AES
27	tristate "PadLock driver for AES algorithm"	27	tristate "PadLock driver for AES algorithm"
28	depends on CRYPTO_DEV_PADLOCK	28	depends on CRYPTO_DEV_PADLOCK
29	select CRYPTO_BLKCIPHER	29	select CRYPTO_BLKCIPHER
		30	select CRYPTO_AES
30	help	31	help
31	Use VIA PadLock for AES algorithm.	32	Use VIA PadLock for AES algorithm.
32		33


diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c index 2f3ad3f7dfea..bb30eb9b93ef 100644 --- a/drivers/crypto/padlock-aes.c +++ b/drivers/crypto/padlock-aes.c
@@ -5,42 +5,6 @@
5	*	5	*
6	* Copyright (c) 2004 Michal Ludvig <michal@logix.cz>	6	* Copyright (c) 2004 Michal Ludvig <michal@logix.cz>
7	*	7	*
8	* Key expansion routine taken from crypto/aes_generic.c
9	*
10	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License as published by
12	* the Free Software Foundation; either version 2 of the License, or
13	* (at your option) any later version.
14	*
15	* ---------------------------------------------------------------------------
16	* Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
17	* All rights reserved.
18	*
19	* LICENSE TERMS
20	*
21	* The free distribution and use of this software in both source and binary
22	* form is allowed (with or without changes) provided that:
23	*
24	* 1. distributions of this source code include the above copyright
25	* notice, this list of conditions and the following disclaimer;
26	*
27	* 2. distributions in binary form include the above copyright
28	* notice, this list of conditions and the following disclaimer
29	* in the documentation and/or other associated materials;
30	*
31	* 3. the copyright holder's name is not used to endorse products
32	* built using this software without specific written permission.
33	*
34	* ALTERNATIVELY, provided that this notice is retained in full, this product
35	* may be distributed under the terms of the GNU General Public License (GPL),
36	* in which case the provisions of the GPL apply INSTEAD OF those given above.
37	*
38	* DISCLAIMER
39	*
40	* This software is provided 'as is' with no explicit or implied warranties
41	* in respect of its properties, including, but not limited to, correctness
42	* and/or fitness for purpose.
43	* ---------------------------------------------------------------------------
44	*/	8	*/
45		9
46	#include <crypto/algapi.h>	10	#include <crypto/algapi.h>
@@ -54,9 +18,6 @@
54	#include <asm/byteorder.h>	18	#include <asm/byteorder.h>
55	#include "padlock.h"	19	#include "padlock.h"
56		20
57	#define AES_EXTENDED_KEY_SIZE 64 /* in uint32_t units */
58	#define AES_EXTENDED_KEY_SIZE_B (AES_EXTENDED_KEY_SIZE * sizeof(uint32_t))
59
60	/* Control word. */	21	/* Control word. */
61	struct cword {	22	struct cword {
62	unsigned int __attribute__ ((__packed__))	23	unsigned int __attribute__ ((__packed__))
@@ -70,218 +31,23 @@ struct cword {
70		31
71	/* Whenever making any changes to the following	32	/* Whenever making any changes to the following
72	* structure make sure you keep E, d_data	33	* structure make sure you keep E, d_data
73	* and cword aligned on 16 Bytes boundaries!!! */	34	* and cword aligned on 16 Bytes boundaries and
		35	* the Hardware can access 16 * 16 bytes of E and d_data
		36	* (only the first 15 * 16 bytes matter but the HW reads
		37	* more).
		38	*/
74	struct aes_ctx {	39	struct aes_ctx {
		40	u32 E[AES_MAX_KEYLENGTH_U32]
		41	__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
		42	u32 d_data[AES_MAX_KEYLENGTH_U32]
		43	__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
75	struct {	44	struct {
76	struct cword encrypt;	45	struct cword encrypt;
77	struct cword decrypt;	46	struct cword decrypt;
78	} cword;	47	} cword;
79	u32 *D;	48	u32 *D;
80	int key_length;
81	u32 E[AES_EXTENDED_KEY_SIZE]
82	__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
83	u32 d_data[AES_EXTENDED_KEY_SIZE]
84	__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
85	};	49	};
86		50
87	/* ====== Key management routines ====== */
88
89	static inline uint32_t
90	generic_rotr32 (const uint32_t x, const unsigned bits)
91	{
92	const unsigned n = bits % 32;
93	return (x >> n) \| (x << (32 - n));
94	}
95
96	static inline uint32_t
97	generic_rotl32 (const uint32_t x, const unsigned bits)
98	{
99	const unsigned n = bits % 32;
100	return (x << n) \| (x >> (32 - n));
101	}
102
103	#define rotl generic_rotl32
104	#define rotr generic_rotr32
105
106	/*
107	* #define byte(x, nr) ((unsigned char)((x) >> (nr*8)))
108	*/
109	static inline uint8_t
110	byte(const uint32_t x, const unsigned n)
111	{
112	return x >> (n << 3);
113	}
114
115	#define E_KEY ctx->E
116	#define D_KEY ctx->D
117
118	static uint8_t pow_tab[256];
119	static uint8_t log_tab[256];
120	static uint8_t sbx_tab[256];
121	static uint8_t isb_tab[256];
122	static uint32_t rco_tab[10];
123	static uint32_t ft_tab[4][256];
124	static uint32_t it_tab[4][256];
125
126	static uint32_t fl_tab[4][256];
127	static uint32_t il_tab[4][256];
128
129	static inline uint8_t
130	f_mult (uint8_t a, uint8_t b)
131	{
132	uint8_t aa = log_tab[a], cc = aa + log_tab[b];
133
134	return pow_tab[cc + (cc < aa ? 1 : 0)];
135	}
136
137	#define ff_mult(a,b) (a && b ? f_mult(a, b) : 0)
138
139	#define f_rn(bo, bi, n, k) \
140	bo[n] = ft_tab[0][byte(bi[n],0)] ^ \
141	ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
142	ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
143	ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
144
145	#define i_rn(bo, bi, n, k) \
146	bo[n] = it_tab[0][byte(bi[n],0)] ^ \
147	it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
148	it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
149	it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
150
151	#define ls_box(x) \
152	( fl_tab[0][byte(x, 0)] ^ \
153	fl_tab[1][byte(x, 1)] ^ \
154	fl_tab[2][byte(x, 2)] ^ \
155	fl_tab[3][byte(x, 3)] )
156
157	#define f_rl(bo, bi, n, k) \
158	bo[n] = fl_tab[0][byte(bi[n],0)] ^ \
159	fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
160	fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
161	fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
162
163	#define i_rl(bo, bi, n, k) \
164	bo[n] = il_tab[0][byte(bi[n],0)] ^ \
165	il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
166	il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
167	il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
168
169	static void
170	gen_tabs (void)
171	{
172	uint32_t i, t;
173	uint8_t p, q;
174
175	/* log and power tables for GF(2**8) finite field with
176	0x011b as modular polynomial - the simplest prmitive
177	root is 0x03, used here to generate the tables */
178
179	for (i = 0, p = 1; i < 256; ++i) {
180	pow_tab[i] = (uint8_t) p;
181	log_tab[p] = (uint8_t) i;
182
183	p ^= (p << 1) ^ (p & 0x80 ? 0x01b : 0);
184	}
185
186	log_tab[1] = 0;
187
188	for (i = 0, p = 1; i < 10; ++i) {
189	rco_tab[i] = p;
190
191	p = (p << 1) ^ (p & 0x80 ? 0x01b : 0);
192	}
193
194	for (i = 0; i < 256; ++i) {
195	p = (i ? pow_tab[255 - log_tab[i]] : 0);
196	q = ((p >> 7) \| (p << 1)) ^ ((p >> 6) \| (p << 2));
197	p ^= 0x63 ^ q ^ ((q >> 6) \| (q << 2));
198	sbx_tab[i] = p;
199	isb_tab[p] = (uint8_t) i;
200	}
201
202	for (i = 0; i < 256; ++i) {
203	p = sbx_tab[i];
204
205	t = p;
206	fl_tab[0][i] = t;
207	fl_tab[1][i] = rotl (t, 8);
208	fl_tab[2][i] = rotl (t, 16);
209	fl_tab[3][i] = rotl (t, 24);
210
211	t = ((uint32_t) ff_mult (2, p)) \|
212	((uint32_t) p << 8) \|
213	((uint32_t) p << 16) \| ((uint32_t) ff_mult (3, p) << 24);
214
215	ft_tab[0][i] = t;
216	ft_tab[1][i] = rotl (t, 8);
217	ft_tab[2][i] = rotl (t, 16);
218	ft_tab[3][i] = rotl (t, 24);
219
220	p = isb_tab[i];
221
222	t = p;
223	il_tab[0][i] = t;
224	il_tab[1][i] = rotl (t, 8);
225	il_tab[2][i] = rotl (t, 16);
226	il_tab[3][i] = rotl (t, 24);
227
228	t = ((uint32_t) ff_mult (14, p)) \|
229	((uint32_t) ff_mult (9, p) << 8) \|
230	((uint32_t) ff_mult (13, p) << 16) \|
231	((uint32_t) ff_mult (11, p) << 24);
232
233	it_tab[0][i] = t;
234	it_tab[1][i] = rotl (t, 8);
235	it_tab[2][i] = rotl (t, 16);
236	it_tab[3][i] = rotl (t, 24);
237	}
238	}
239
240	#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
241
242	#define imix_col(y,x) \
243	u = star_x(x); \
244	v = star_x(u); \
245	w = star_x(v); \
246	t = w ^ (x); \
247	(y) = u ^ v ^ w; \
248	(y) ^= rotr(u ^ t, 8) ^ \
249	rotr(v ^ t, 16) ^ \
250	rotr(t,24)
251
252	/* initialise the key schedule from the user supplied key */
253
254	#define loop4(i) \
255	{ t = rotr(t, 8); t = ls_box(t) ^ rco_tab[i]; \
256	t ^= E_KEY[4 * i]; E_KEY[4 * i + 4] = t; \
257	t ^= E_KEY[4 * i + 1]; E_KEY[4 * i + 5] = t; \
258	t ^= E_KEY[4 * i + 2]; E_KEY[4 * i + 6] = t; \
259	t ^= E_KEY[4 * i + 3]; E_KEY[4 * i + 7] = t; \
260	}
261
262	#define loop6(i) \
263	{ t = rotr(t, 8); t = ls_box(t) ^ rco_tab[i]; \
264	t ^= E_KEY[6 * i]; E_KEY[6 * i + 6] = t; \
265	t ^= E_KEY[6 * i + 1]; E_KEY[6 * i + 7] = t; \
266	t ^= E_KEY[6 * i + 2]; E_KEY[6 * i + 8] = t; \
267	t ^= E_KEY[6 * i + 3]; E_KEY[6 * i + 9] = t; \
268	t ^= E_KEY[6 * i + 4]; E_KEY[6 * i + 10] = t; \
269	t ^= E_KEY[6 * i + 5]; E_KEY[6 * i + 11] = t; \
270	}
271
272	#define loop8(i) \
273	{ t = rotr(t, 8); ; t = ls_box(t) ^ rco_tab[i]; \
274	t ^= E_KEY[8 * i]; E_KEY[8 * i + 8] = t; \
275	t ^= E_KEY[8 * i + 1]; E_KEY[8 * i + 9] = t; \
276	t ^= E_KEY[8 * i + 2]; E_KEY[8 * i + 10] = t; \
277	t ^= E_KEY[8 * i + 3]; E_KEY[8 * i + 11] = t; \
278	t = E_KEY[8 * i + 4] ^ ls_box(t); \
279	E_KEY[8 * i + 12] = t; \
280	t ^= E_KEY[8 * i + 5]; E_KEY[8 * i + 13] = t; \
281	t ^= E_KEY[8 * i + 6]; E_KEY[8 * i + 14] = t; \
282	t ^= E_KEY[8 * i + 7]; E_KEY[8 * i + 15] = t; \
283	}
284
285	/* Tells whether the ACE is capable to generate	51	/* Tells whether the ACE is capable to generate
286	the extended key for a given key_len. */	52	the extended key for a given key_len. */
287	static inline int	53	static inline int
@@ -321,17 +87,13 @@ static int aes_set_key(struct crypto_tfm tfm, const u8 in_key,
321	struct aes_ctx *ctx = aes_ctx(tfm);	87	struct aes_ctx *ctx = aes_ctx(tfm);
322	const __le32 key = (const __le32 )in_key;	88	const __le32 key = (const __le32 )in_key;
323	u32 *flags = &tfm->crt_flags;	89	u32 *flags = &tfm->crt_flags;
324	uint32_t i, t, u, v, w;	90	struct crypto_aes_ctx gen_aes;
325	uint32_t P[AES_EXTENDED_KEY_SIZE];
326	uint32_t rounds;
327		91
328	if (key_len % 8) {	92	if (key_len % 8) {
329	*flags \|= CRYPTO_TFM_RES_BAD_KEY_LEN;	93	*flags \|= CRYPTO_TFM_RES_BAD_KEY_LEN;
330	return -EINVAL;	94	return -EINVAL;
331	}	95	}
332		96
333	ctx->key_length = key_len;
334
335	/*	97	/*
336	* If the hardware is capable of generating the extended key	98	* If the hardware is capable of generating the extended key
337	* itself we must supply the plain key for both encryption	99	* itself we must supply the plain key for both encryption
@@ -339,10 +101,10 @@ static int aes_set_key(struct crypto_tfm tfm, const u8 in_key,
339	*/	101	*/
340	ctx->D = ctx->E;	102	ctx->D = ctx->E;
341		103
342	E_KEY[0] = le32_to_cpu(key[0]);	104	ctx->E[0] = le32_to_cpu(key[0]);
343	E_KEY[1] = le32_to_cpu(key[1]);	105	ctx->E[1] = le32_to_cpu(key[1]);
344	E_KEY[2] = le32_to_cpu(key[2]);	106	ctx->E[2] = le32_to_cpu(key[2]);
345	E_KEY[3] = le32_to_cpu(key[3]);	107	ctx->E[3] = le32_to_cpu(key[3]);
346		108
347	/* Prepare control words. */	109	/* Prepare control words. */
348	memset(&ctx->cword, 0, sizeof(ctx->cword));	110	memset(&ctx->cword, 0, sizeof(ctx->cword));
@@ -361,56 +123,13 @@ static int aes_set_key(struct crypto_tfm tfm, const u8 in_key,
361	ctx->cword.encrypt.keygen = 1;	123	ctx->cword.encrypt.keygen = 1;
362	ctx->cword.decrypt.keygen = 1;	124	ctx->cword.decrypt.keygen = 1;
363		125
364	switch (key_len) {	126	if (crypto_aes_expand_key(&gen_aes, in_key, key_len)) {
365	case 16:	127	*flags \|= CRYPTO_TFM_RES_BAD_KEY_LEN;
366	t = E_KEY[3];	128	return -EINVAL;
367	for (i = 0; i < 10; ++i)
368	loop4 (i);
369	break;
370
371	case 24:
372	E_KEY[4] = le32_to_cpu(key[4]);
373	t = E_KEY[5] = le32_to_cpu(key[5]);
374	for (i = 0; i < 8; ++i)
375	loop6 (i);
376	break;
377
378	case 32:
379	E_KEY[4] = le32_to_cpu(key[4]);
380	E_KEY[5] = le32_to_cpu(key[5]);
381	E_KEY[6] = le32_to_cpu(key[6]);
382	t = E_KEY[7] = le32_to_cpu(key[7]);
383	for (i = 0; i < 7; ++i)
384	loop8 (i);
385	break;
386	}
387
388	D_KEY[0] = E_KEY[0];
389	D_KEY[1] = E_KEY[1];
390	D_KEY[2] = E_KEY[2];
391	D_KEY[3] = E_KEY[3];
392
393	for (i = 4; i < key_len + 24; ++i) {
394	imix_col (D_KEY[i], E_KEY[i]);
395	}
396
397	/* PadLock needs a different format of the decryption key. */
398	rounds = 10 + (key_len - 16) / 4;
399
400	for (i = 0; i < rounds; i++) {
401	P[((i + 1) * 4) + 0] = D_KEY[((rounds - i - 1) * 4) + 0];
402	P[((i + 1) * 4) + 1] = D_KEY[((rounds - i - 1) * 4) + 1];
403	P[((i + 1) * 4) + 2] = D_KEY[((rounds - i - 1) * 4) + 2];
404	P[((i + 1) * 4) + 3] = D_KEY[((rounds - i - 1) * 4) + 3];
405	}	129	}
406		130
407	P[0] = E_KEY[(rounds * 4) + 0];	131	memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
408	P[1] = E_KEY[(rounds * 4) + 1];	132	memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);
409	P[2] = E_KEY[(rounds * 4) + 2];
410	P[3] = E_KEY[(rounds * 4) + 3];
411
412	memcpy(D_KEY, P, AES_EXTENDED_KEY_SIZE_B);
413
414	return 0;	133	return 0;
415	}	134	}
416		135
@@ -675,7 +394,6 @@ static int __init padlock_init(void)
675	return -ENODEV;	394	return -ENODEV;
676	}	395	}
677		396
678	gen_tabs();
679	if ((ret = crypto_register_alg(&aes_alg)))	397	if ((ret = crypto_register_alg(&aes_alg)))
680	goto aes_err;	398	goto aes_err;
681		399