gfmult.h revision 303975 
1159097Smaxim/*-
2159097Smaxim * Copyright (c) 2014 The FreeBSD Foundation
3159097Smaxim * All rights reserved.
4159097Smaxim *
5159097Smaxim * This software was developed by John-Mark Gurney under
6159097Smaxim * the sponsorship of the FreeBSD Foundation and
7159097Smaxim * Rubicon Communications, LLC (Netgate).
8159097Smaxim * Redistribution and use in source and binary forms, with or without
9159097Smaxim * modification, are permitted provided that the following conditions
10159097Smaxim * are met:
11163153Smaxim * 1.  Redistributions of source code must retain the above copyright
12159097Smaxim *     notice, this list of conditions and the following disclaimer.
13159097Smaxim * 2.  Redistributions in binary form must reproduce the above copyright
14159097Smaxim *     notice, this list of conditions and the following disclaimer in the
15159097Smaxim *     documentation and/or other materials provided with the distribution.
16159097Smaxim *
17159097Smaxim * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18159097Smaxim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19159097Smaxim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20159097Smaxim * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21159097Smaxim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22159097Smaxim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23159097Smaxim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24163153Smaxim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25159097Smaxim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26159097Smaxim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27159097Smaxim * SUCH DAMAGE.
28159097Smaxim *
29159097Smaxim *	$FreeBSD: releng/11.0/sys/opencrypto/gfmult.h 275732 2014-12-12 19:56:36Z jmg $
30159098Smaxim *
31159097Smaxim */
32159097Smaxim
33159097Smaxim#ifndef _GFMULT_H_
34159097Smaxim#define _GFMULT_H_
35159097Smaxim
36159097Smaxim#ifdef __APPLE__
37159097Smaxim#define	__aligned(x)    __attribute__((__aligned__(x)))
38159097Smaxim#define	be64dec(buf)	__builtin_bswap64(*(uint64_t *)buf)
39159097Smaxim#define	be64enc(buf, x)	(*(uint64_t *)buf = __builtin_bswap64(x))
40159097Smaxim#else
41159097Smaxim#include <sys/endian.h>
42159097Smaxim#endif
43159097Smaxim
44159097Smaxim#ifdef _KERNEL
45159097Smaxim#include <sys/types.h>
46159097Smaxim#else
47159097Smaxim#include <stdint.h>
48159097Smaxim#include <strings.h>
49159097Smaxim#endif
50159097Smaxim
51159097Smaxim#define REQ_ALIGN	(16 * 4)
52159097Smaxim/*
53159097Smaxim * The rows are striped across cache lines.  Note that the indexes
54159097Smaxim * are bit reversed to make accesses quicker.
55159097Smaxim */
56159097Smaximstruct gf128table {
57159097Smaxim	uint32_t a[16] __aligned(REQ_ALIGN);	/* bits   0 - 31 */
58159097Smaxim	uint32_t b[16] __aligned(REQ_ALIGN);	/* bits  63 - 32 */
59159097Smaxim	uint32_t c[16] __aligned(REQ_ALIGN);	/* bits  95 - 64 */
60159097Smaxim	uint32_t d[16] __aligned(REQ_ALIGN);	/* bits 127 - 96 */
61159097Smaxim} __aligned(REQ_ALIGN);
62159097Smaxim
63159097Smaxim/*
64163153Smaxim * A set of tables that contain h, h^2, h^3, h^4.  To be used w/ gf128_mul4.
65163153Smaxim */
66163153Smaximstruct gf128table4 {
67163153Smaxim	struct gf128table	tbls[4];
68163153Smaxim};
69159097Smaxim
70159097Smaxim/*
71 * GCM per spec is bit reversed in memory.  So byte 0 is really bit reversed
72 * and contains bits 0-7.  We can deal w/ this by using right shifts and
73 * related math instead of having to bit reverse everything.  This means that
74 * the low bits are in v[0] (bits 0-63) and reverse order, while the high
75 * bits are in v[1] (bits 64-127) and reverse order.  The high bit of v[0] is
76 * bit 0, and the low bit of v[1] is bit 127.
77 */
78struct gf128 {
79	uint64_t v[2];
80};
81
82/* Note that we don't bit reverse in MAKE_GF128. */
83#define MAKE_GF128(a, b)	((struct gf128){.v = { (a), (b) } })
84#define GF128_EQ(a, b)		((((a).v[0] ^ (b).v[0]) | \
85				    ((a).v[1] ^ (b).v[1])) == 0)
86
87static inline struct gf128
88gf128_read(const uint8_t *buf)
89{
90	struct gf128 r;
91
92	r.v[0] = be64dec(buf);
93	buf += sizeof(uint64_t);
94
95	r.v[1] = be64dec(buf);
96
97	return r;
98}
99
100static inline void
101gf128_write(struct gf128 v, uint8_t *buf)
102{
103	uint64_t tmp;
104
105	be64enc(buf, v.v[0]);
106	buf += sizeof tmp;
107
108	be64enc(buf, v.v[1]);
109}
110
111static inline struct gf128 __pure /* XXX - __pure2 instead */
112gf128_add(struct gf128 a, struct gf128 b)
113{
114	a.v[0] ^= b.v[0];
115	a.v[1] ^= b.v[1];
116
117	return a;
118}
119
120void gf128_genmultable(struct gf128 h, struct gf128table *t);
121void gf128_genmultable4(struct gf128 h, struct gf128table4 *t);
122struct gf128 gf128_mul(struct gf128 v, struct gf128table *tbl);
123struct gf128 gf128_mul4(struct gf128 a, struct gf128 b, struct gf128 c,
124    struct gf128 d, struct gf128table4 *tbl);
125struct gf128 gf128_mul4b(struct gf128 r, const uint8_t *v,
126    struct gf128table4 *tbl);
127
128#endif /* _GFMULT_H_ */
129