blob: b501d5ab9c45d8660c9d43139729ba49aa306227 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -07001/*
2 * Twofish for CryptoAPI
3 *
4 * Originally Twofish for GPG
5 * By Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998
6 * 256-bit key length added March 20, 1999
7 * Some modifications to reduce the text size by Werner Koch, April, 1998
8 * Ported to the kerneli patch by Marc Mutz <Marc@Mutz.com>
9 * Ported to CryptoAPI by Colin Slater <hoho@tacomeat.net>
10 *
11 * The original author has disclaimed all copyright interest in this
12 * code and thus put it in the public domain. The subsequent authors
13 * have put this under the GNU General Public License.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
28 * USA
29 *
30 * This code is a "clean room" implementation, written from the paper
31 * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey,
32 * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available
33 * through http://www.counterpane.com/twofish.html
34 *
35 * For background information on multiplication in finite fields, used for
36 * the matrix operations in the key schedule, see the book _Contemporary
37 * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the
38 * Third Edition.
39 */
Herbert Xu06ace7a2005-10-30 21:25:15 +110040
41#include <asm/byteorder.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070042#include <linux/module.h>
43#include <linux/init.h>
44#include <linux/types.h>
45#include <linux/errno.h>
46#include <linux/crypto.h>
47
48
49/* The large precomputed tables for the Twofish cipher (twofish.c)
50 * Taken from the same source as twofish.c
51 * Marc Mutz <Marc@Mutz.com>
52 */
53
54/* These two tables are the q0 and q1 permutations, exactly as described in
55 * the Twofish paper. */
56
57static const u8 q0[256] = {
58 0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78,
59 0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C,
60 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30,
61 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,
62 0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE,
63 0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B,
64 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45,
65 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,
66 0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF,
67 0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8,
68 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED,
69 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,
70 0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B,
71 0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B,
72 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F,
73 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,
74 0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17,
75 0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72,
76 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68,
77 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,
78 0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42,
79 0x4A, 0x5E, 0xC1, 0xE0
80};
81
82static const u8 q1[256] = {
83 0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B,
84 0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1,
85 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B,
86 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,
87 0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54,
88 0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96,
89 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7,
90 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,
91 0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF,
92 0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9,
93 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D,
94 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,
95 0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21,
96 0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01,
97 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E,
98 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,
99 0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44,
100 0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E,
101 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B,
102 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,
103 0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56,
104 0x55, 0x09, 0xBE, 0x91
105};
106
107/* These MDS tables are actually tables of MDS composed with q0 and q1,
108 * because it is only ever used that way and we can save some time by
109 * precomputing. Of course the main saving comes from precomputing the
110 * GF(2^8) multiplication involved in the MDS matrix multiply; by looking
111 * things up in these tables we reduce the matrix multiply to four lookups
112 * and three XORs. Semi-formally, the definition of these tables is:
113 * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T
114 * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T
115 * where ^T means "transpose", the matrix multiply is performed in GF(2^8)
116 * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described
117 * by Schneier et al, and I'm casually glossing over the byte/word
118 * conversion issues. */
119
120static const u32 mds[4][256] = {
121 {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B,
122 0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B,
123 0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32,
124 0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1,
125 0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA,
126 0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B,
127 0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1,
128 0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5,
129 0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490,
130 0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154,
131 0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0,
132 0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796,
133 0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228,
134 0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7,
135 0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3,
136 0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8,
137 0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477,
138 0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF,
139 0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C,
140 0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9,
141 0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA,
142 0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D,
143 0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72,
144 0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E,
145 0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76,
146 0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321,
147 0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39,
148 0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01,
149 0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D,
150 0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E,
151 0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5,
152 0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64,
153 0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7,
154 0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544,
155 0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E,
156 0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E,
157 0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A,
158 0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B,
159 0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2,
160 0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9,
161 0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504,
162 0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756,
163 0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91},
164
165 {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252,
166 0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A,
167 0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020,
168 0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141,
169 0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444,
170 0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424,
171 0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A,
172 0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757,
173 0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383,
174 0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A,
175 0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9,
176 0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656,
177 0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1,
178 0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898,
179 0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414,
180 0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3,
181 0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1,
182 0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989,
183 0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5,
184 0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282,
185 0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E,
186 0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E,
187 0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202,
188 0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC,
189 0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565,
190 0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A,
191 0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808,
192 0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272,
193 0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A,
194 0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969,
195 0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505,
196 0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5,
197 0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D,
198 0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343,
199 0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF,
200 0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3,
201 0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F,
202 0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646,
203 0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6,
204 0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF,
205 0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A,
206 0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7,
207 0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8},
208
209 {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B,
210 0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F,
211 0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A,
212 0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783,
213 0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70,
214 0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3,
215 0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB,
216 0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA,
217 0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4,
218 0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41,
219 0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C,
220 0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07,
221 0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622,
222 0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18,
223 0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035,
224 0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96,
225 0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84,
226 0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E,
227 0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F,
228 0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD,
229 0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558,
230 0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40,
231 0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA,
232 0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85,
233 0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF,
234 0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773,
235 0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D,
236 0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B,
237 0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C,
238 0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19,
239 0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086,
240 0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D,
241 0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74,
242 0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755,
243 0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691,
244 0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D,
245 0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4,
246 0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53,
247 0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E,
248 0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9,
249 0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705,
250 0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7,
251 0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF},
252
253 {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98,
254 0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866,
255 0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643,
256 0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77,
257 0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9,
258 0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C,
259 0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3,
260 0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216,
261 0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F,
262 0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25,
263 0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF,
264 0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7,
265 0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4,
266 0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E,
267 0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA,
268 0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C,
269 0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12,
270 0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A,
271 0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D,
272 0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE,
273 0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A,
274 0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C,
275 0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B,
276 0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4,
277 0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B,
278 0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3,
279 0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE,
280 0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB,
281 0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85,
282 0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA,
283 0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E,
284 0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8,
285 0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33,
286 0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC,
287 0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718,
288 0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA,
289 0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8,
290 0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872,
291 0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882,
292 0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D,
293 0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10,
294 0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6,
295 0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8}
296};
297
298/* The exp_to_poly and poly_to_exp tables are used to perform efficient
299 * operations in GF(2^8) represented as GF(2)[x]/w(x) where
300 * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the
301 * definition of the RS matrix in the key schedule. Elements of that field
302 * are polynomials of degree not greater than 7 and all coefficients 0 or 1,
303 * which can be represented naturally by bytes (just substitute x=2). In that
304 * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8)
305 * multiplication is inefficient without hardware support. To multiply
306 * faster, I make use of the fact x is a generator for the nonzero elements,
307 * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for
308 * some n in 0..254. Note that that caret is exponentiation in GF(2^8),
309 * *not* polynomial notation. So if I want to compute pq where p and q are
310 * in GF(2^8), I can just say:
311 * 1. if p=0 or q=0 then pq=0
312 * 2. otherwise, find m and n such that p=x^m and q=x^n
313 * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq
314 * The translations in steps 2 and 3 are looked up in the tables
315 * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this
316 * in action, look at the CALC_S macro. As additional wrinkles, note that
317 * one of my operands is always a constant, so the poly_to_exp lookup on it
318 * is done in advance; I included the original values in the comments so
319 * readers can have some chance of recognizing that this *is* the RS matrix
320 * from the Twofish paper. I've only included the table entries I actually
321 * need; I never do a lookup on a variable input of zero and the biggest
322 * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll
323 * never sum to more than 491. I'm repeating part of the exp_to_poly table
324 * so that I don't have to do mod-255 reduction in the exponent arithmetic.
325 * Since I know my constant operands are never zero, I only have to worry
326 * about zero values in the variable operand, and I do it with a simple
327 * conditional branch. I know conditionals are expensive, but I couldn't
328 * see a non-horrible way of avoiding them, and I did manage to group the
329 * statements so that each if covers four group multiplications. */
330
331static const u8 poly_to_exp[255] = {
332 0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19,
333 0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A,
334 0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C,
335 0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B,
336 0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47,
337 0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D,
338 0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8,
339 0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C,
340 0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83,
341 0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48,
342 0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26,
343 0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E,
344 0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3,
345 0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9,
346 0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A,
347 0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D,
348 0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75,
349 0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84,
350 0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64,
351 0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49,
352 0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF,
353 0x85, 0xC8, 0xA1
354};
355
356static const u8 exp_to_poly[492] = {
357 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2,
358 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03,
359 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6,
360 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A,
361 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63,
362 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C,
363 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07,
364 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88,
365 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12,
366 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7,
367 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C,
368 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8,
369 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25,
370 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A,
371 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE,
372 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC,
373 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E,
374 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92,
375 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89,
376 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB,
377 0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1,
378 0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D,
379 0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC,
380 0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3,
381 0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52,
382 0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0,
383 0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1,
384 0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A,
385 0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11,
386 0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51,
387 0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66,
388 0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB,
389 0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19,
390 0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D,
391 0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56,
392 0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE,
393 0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9,
394 0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE,
395 0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41,
396 0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E,
397 0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB
398};
399
400
401/* The table constants are indices of
402 * S-box entries, preprocessed through q0 and q1. */
403static const u8 calc_sb_tbl[512] = {
404 0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4,
405 0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8,
406 0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B,
407 0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B,
408 0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD,
409 0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1,
410 0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B,
411 0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F,
412 0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B,
413 0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D,
414 0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E,
415 0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5,
416 0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14,
417 0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3,
418 0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54,
419 0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51,
420 0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A,
421 0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96,
422 0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10,
423 0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C,
424 0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7,
425 0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70,
426 0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB,
427 0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8,
428 0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF,
429 0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC,
430 0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF,
431 0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2,
432 0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82,
433 0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9,
434 0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97,
435 0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17,
436 0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D,
437 0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3,
438 0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C,
439 0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E,
440 0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F,
441 0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49,
442 0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21,
443 0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9,
444 0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD,
445 0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01,
446 0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F,
447 0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48,
448 0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E,
449 0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19,
450 0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57,
451 0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64,
452 0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE,
453 0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5,
454 0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44,
455 0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69,
456 0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15,
457 0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E,
458 0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34,
459 0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC,
460 0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B,
461 0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB,
462 0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52,
463 0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9,
464 0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4,
465 0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2,
466 0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56,
467 0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91
468};
469
470/* Macro to perform one column of the RS matrix multiplication. The
471 * parameters a, b, c, and d are the four bytes of output; i is the index
472 * of the key bytes, and w, x, y, and z, are the column of constants from
473 * the RS matrix, preprocessed through the poly_to_exp table. */
474
475#define CALC_S(a, b, c, d, i, w, x, y, z) \
476 if (key[i]) { \
477 tmp = poly_to_exp[key[i] - 1]; \
478 (a) ^= exp_to_poly[tmp + (w)]; \
479 (b) ^= exp_to_poly[tmp + (x)]; \
480 (c) ^= exp_to_poly[tmp + (y)]; \
481 (d) ^= exp_to_poly[tmp + (z)]; \
482 }
483
484/* Macros to calculate the key-dependent S-boxes for a 128-bit key using
485 * the S vector from CALC_S. CALC_SB_2 computes a single entry in all
486 * four S-boxes, where i is the index of the entry to compute, and a and b
487 * are the index numbers preprocessed through the q0 and q1 tables
488 * respectively. */
489
490#define CALC_SB_2(i, a, b) \
491 ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \
492 ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \
493 ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \
494 ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh]
495
496/* Macro exactly like CALC_SB_2, but for 192-bit keys. */
497
498#define CALC_SB192_2(i, a, b) \
499 ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \
500 ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \
501 ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \
502 ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl];
503
504/* Macro exactly like CALC_SB_2, but for 256-bit keys. */
505
506#define CALC_SB256_2(i, a, b) \
507 ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \
508 ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \
509 ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \
510 ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp];
511
512/* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the
513 * last two stages of the h() function for a given index (either 2i or 2i+1).
514 * a, b, c, and d are the four bytes going into the last two stages. For
515 * 128-bit keys, this is the entire h() function and a and c are the index
516 * preprocessed through q0 and q1 respectively; for longer keys they are the
517 * output of previous stages. j is the index of the first key byte to use.
518 * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2
519 * twice, doing the Pseudo-Hadamard Transform, and doing the necessary
520 * rotations. Its parameters are: a, the array to write the results into,
521 * j, the index of the first output entry, k and l, the preprocessed indices
522 * for index 2i, and m and n, the preprocessed indices for index 2i+1.
523 * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an
524 * additional lookup-and-XOR stage. The parameters a, b, c and d are the
525 * four bytes going into the last three stages. For 192-bit keys, c = d
526 * are the index preprocessed through q0, and a = b are the index
527 * preprocessed through q1; j is the index of the first key byte to use.
528 * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro
529 * instead of CALC_K_2.
530 * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an
531 * additional lookup-and-XOR stage. The parameters a and b are the index
532 * preprocessed through q0 and q1 respectively; j is the index of the first
533 * key byte to use. CALC_K256 is identical to CALC_K but for using the
534 * CALC_K256_2 macro instead of CALC_K_2. */
535
536#define CALC_K_2(a, b, c, d, j) \
537 mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \
538 ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \
539 ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \
540 ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]]
541
542#define CALC_K(a, j, k, l, m, n) \
543 x = CALC_K_2 (k, l, k, l, 0); \
544 y = CALC_K_2 (m, n, m, n, 4); \
545 y = (y << 8) + (y >> 24); \
546 x += y; y += x; ctx->a[j] = x; \
547 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
548
549#define CALC_K192_2(a, b, c, d, j) \
550 CALC_K_2 (q0[a ^ key[(j) + 16]], \
551 q1[b ^ key[(j) + 17]], \
552 q0[c ^ key[(j) + 18]], \
553 q1[d ^ key[(j) + 19]], j)
554
555#define CALC_K192(a, j, k, l, m, n) \
556 x = CALC_K192_2 (l, l, k, k, 0); \
557 y = CALC_K192_2 (n, n, m, m, 4); \
558 y = (y << 8) + (y >> 24); \
559 x += y; y += x; ctx->a[j] = x; \
560 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
561
562#define CALC_K256_2(a, b, j) \
563 CALC_K192_2 (q1[b ^ key[(j) + 24]], \
564 q1[a ^ key[(j) + 25]], \
565 q0[a ^ key[(j) + 26]], \
566 q0[b ^ key[(j) + 27]], j)
567
568#define CALC_K256(a, j, k, l, m, n) \
569 x = CALC_K256_2 (k, l, 0); \
570 y = CALC_K256_2 (m, n, 4); \
571 y = (y << 8) + (y >> 24); \
572 x += y; y += x; ctx->a[j] = x; \
573 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
574
575
576/* Macros to compute the g() function in the encryption and decryption
577 * rounds. G1 is the straight g() function; G2 includes the 8-bit
578 * rotation for the high 32-bit word. */
579
580#define G1(a) \
581 (ctx->s[0][(a) & 0xFF]) ^ (ctx->s[1][((a) >> 8) & 0xFF]) \
582 ^ (ctx->s[2][((a) >> 16) & 0xFF]) ^ (ctx->s[3][(a) >> 24])
583
584#define G2(b) \
585 (ctx->s[1][(b) & 0xFF]) ^ (ctx->s[2][((b) >> 8) & 0xFF]) \
586 ^ (ctx->s[3][((b) >> 16) & 0xFF]) ^ (ctx->s[0][(b) >> 24])
587
588/* Encryption and decryption Feistel rounds. Each one calls the two g()
589 * macros, does the PHT, and performs the XOR and the appropriate bit
590 * rotations. The parameters are the round number (used to select subkeys),
591 * and the four 32-bit chunks of the text. */
592
593#define ENCROUND(n, a, b, c, d) \
594 x = G1 (a); y = G2 (b); \
595 x += y; y += x + ctx->k[2 * (n) + 1]; \
596 (c) ^= x + ctx->k[2 * (n)]; \
597 (c) = ((c) >> 1) + ((c) << 31); \
598 (d) = (((d) << 1)+((d) >> 31)) ^ y
599
600#define DECROUND(n, a, b, c, d) \
601 x = G1 (a); y = G2 (b); \
602 x += y; y += x; \
603 (d) ^= y + ctx->k[2 * (n) + 1]; \
604 (d) = ((d) >> 1) + ((d) << 31); \
605 (c) = (((c) << 1)+((c) >> 31)); \
606 (c) ^= (x + ctx->k[2 * (n)])
607
608/* Encryption and decryption cycles; each one is simply two Feistel rounds
609 * with the 32-bit chunks re-ordered to simulate the "swap" */
610
611#define ENCCYCLE(n) \
612 ENCROUND (2 * (n), a, b, c, d); \
613 ENCROUND (2 * (n) + 1, c, d, a, b)
614
615#define DECCYCLE(n) \
616 DECROUND (2 * (n) + 1, c, d, a, b); \
617 DECROUND (2 * (n), a, b, c, d)
618
619/* Macros to convert the input and output bytes into 32-bit words,
620 * and simultaneously perform the whitening step. INPACK packs word
621 * number n into the variable named by x, using whitening subkey number m.
622 * OUTUNPACK unpacks word number n from the variable named by x, using
623 * whitening subkey number m. */
624
625#define INPACK(n, x, m) \
Herbert Xu06ace7a2005-10-30 21:25:15 +1100626 x = le32_to_cpu(src[n]) ^ ctx->w[m]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700627
628#define OUTUNPACK(n, x, m) \
629 x ^= ctx->w[m]; \
Herbert Xu06ace7a2005-10-30 21:25:15 +1100630 dst[n] = cpu_to_le32(x)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700631
632#define TF_MIN_KEY_SIZE 16
633#define TF_MAX_KEY_SIZE 32
634#define TF_BLOCK_SIZE 16
635
636/* Structure for an expanded Twofish key. s contains the key-dependent
637 * S-boxes composed with the MDS matrix; w contains the eight "whitening"
638 * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note
639 * that k[i] corresponds to what the Twofish paper calls K[i+8]. */
640struct twofish_ctx {
641 u32 s[4][256], w[8], k[32];
642};
643
644/* Perform the key setup. */
645static int twofish_setkey(void *cx, const u8 *key,
646 unsigned int key_len, u32 *flags)
647{
648
649 struct twofish_ctx *ctx = cx;
650
651 int i, j, k;
652
653 /* Temporaries for CALC_K. */
654 u32 x, y;
655
656 /* The S vector used to key the S-boxes, split up into individual bytes.
657 * 128-bit keys use only sa through sh; 256-bit use all of them. */
658 u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0;
659 u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0;
660
661 /* Temporary for CALC_S. */
662 u8 tmp;
663
664 /* Check key length. */
665 if (key_len != 16 && key_len != 24 && key_len != 32)
666 {
667 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
668 return -EINVAL; /* unsupported key length */
669 }
670
671 /* Compute the first two words of the S vector. The magic numbers are
672 * the entries of the RS matrix, preprocessed through poly_to_exp. The
673 * numbers in the comments are the original (polynomial form) matrix
674 * entries. */
675 CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
676 CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
677 CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
678 CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
679 CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
680 CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
681 CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
682 CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
683 CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
684 CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
685 CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
686 CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
687 CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
688 CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
689 CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
690 CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
691
692 if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */
693 /* Calculate the third word of the S vector */
694 CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
695 CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
696 CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
697 CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
698 CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
699 CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
700 CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
701 CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
702 }
703
704 if (key_len == 32) { /* 256-bit key */
705 /* Calculate the fourth word of the S vector */
706 CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
707 CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
708 CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
709 CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
710 CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
711 CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
712 CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
713 CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
714
715 /* Compute the S-boxes. */
716 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
717 CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
718 }
719
720 /* Calculate whitening and round subkeys. The constants are
721 * indices of subkeys, preprocessed through q0 and q1. */
722 CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
723 CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
724 CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
725 CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
726 CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
727 CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
728 CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
729 CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
730 CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
731 CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
732 CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71);
733 CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
734 CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F);
735 CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
736 CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
737 CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F);
738 CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
739 CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
740 CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00);
741 CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
742 } else if (key_len == 24) { /* 192-bit key */
743 /* Compute the S-boxes. */
744 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
745 CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
746 }
747
748 /* Calculate whitening and round subkeys. The constants are
749 * indices of subkeys, preprocessed through q0 and q1. */
750 CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
751 CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
752 CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
753 CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
754 CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
755 CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
756 CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
757 CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
758 CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
759 CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
760 CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71);
761 CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
762 CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F);
763 CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
764 CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
765 CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F);
766 CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
767 CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
768 CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00);
769 CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
770 } else { /* 128-bit key */
771 /* Compute the S-boxes. */
772 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
773 CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
774 }
775
776 /* Calculate whitening and round subkeys. The constants are
777 * indices of subkeys, preprocessed through q0 and q1. */
778 CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3);
779 CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
780 CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
781 CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
782 CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
783 CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B);
784 CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
785 CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
786 CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
787 CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD);
788 CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71);
789 CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
790 CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F);
791 CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B);
792 CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA);
793 CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F);
794 CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
795 CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
796 CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00);
797 CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
798 }
799
800 return 0;
801}
802
803/* Encrypt one block. in and out may be the same. */
804static void twofish_encrypt(void *cx, u8 *out, const u8 *in)
805{
806 struct twofish_ctx *ctx = cx;
Herbert Xu06ace7a2005-10-30 21:25:15 +1100807 const __le32 *src = (const __le32 *)in;
808 __le32 *dst = (__le32 *)out;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700809
810 /* The four 32-bit chunks of the text. */
811 u32 a, b, c, d;
812
813 /* Temporaries used by the round function. */
814 u32 x, y;
815
816 /* Input whitening and packing. */
817 INPACK (0, a, 0);
818 INPACK (1, b, 1);
819 INPACK (2, c, 2);
820 INPACK (3, d, 3);
821
822 /* Encryption Feistel cycles. */
823 ENCCYCLE (0);
824 ENCCYCLE (1);
825 ENCCYCLE (2);
826 ENCCYCLE (3);
827 ENCCYCLE (4);
828 ENCCYCLE (5);
829 ENCCYCLE (6);
830 ENCCYCLE (7);
831
832 /* Output whitening and unpacking. */
833 OUTUNPACK (0, c, 4);
834 OUTUNPACK (1, d, 5);
835 OUTUNPACK (2, a, 6);
836 OUTUNPACK (3, b, 7);
837
838}
839
840/* Decrypt one block. in and out may be the same. */
841static void twofish_decrypt(void *cx, u8 *out, const u8 *in)
842{
843 struct twofish_ctx *ctx = cx;
Herbert Xu06ace7a2005-10-30 21:25:15 +1100844 const __le32 *src = (const __le32 *)in;
845 __le32 *dst = (__le32 *)out;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700846
847 /* The four 32-bit chunks of the text. */
848 u32 a, b, c, d;
849
850 /* Temporaries used by the round function. */
851 u32 x, y;
852
853 /* Input whitening and packing. */
854 INPACK (0, c, 4);
855 INPACK (1, d, 5);
856 INPACK (2, a, 6);
857 INPACK (3, b, 7);
858
859 /* Encryption Feistel cycles. */
860 DECCYCLE (7);
861 DECCYCLE (6);
862 DECCYCLE (5);
863 DECCYCLE (4);
864 DECCYCLE (3);
865 DECCYCLE (2);
866 DECCYCLE (1);
867 DECCYCLE (0);
868
869 /* Output whitening and unpacking. */
870 OUTUNPACK (0, a, 0);
871 OUTUNPACK (1, b, 1);
872 OUTUNPACK (2, c, 2);
873 OUTUNPACK (3, d, 3);
874
875}
876
877static struct crypto_alg alg = {
878 .cra_name = "twofish",
879 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
880 .cra_blocksize = TF_BLOCK_SIZE,
881 .cra_ctxsize = sizeof(struct twofish_ctx),
882 .cra_module = THIS_MODULE,
883 .cra_list = LIST_HEAD_INIT(alg.cra_list),
884 .cra_u = { .cipher = {
885 .cia_min_keysize = TF_MIN_KEY_SIZE,
886 .cia_max_keysize = TF_MAX_KEY_SIZE,
887 .cia_setkey = twofish_setkey,
888 .cia_encrypt = twofish_encrypt,
889 .cia_decrypt = twofish_decrypt } }
890};
891
892static int __init init(void)
893{
894 return crypto_register_alg(&alg);
895}
896
897static void __exit fini(void)
898{
899 crypto_unregister_alg(&alg);
900}
901
902module_init(init);
903module_exit(fini);
904
905MODULE_LICENSE("GPL");
906MODULE_DESCRIPTION ("Twofish Cipher Algorithm");