[PATCH] fix memory scribble in arch/i386/pci/fixup.c
[linux-2.6/verdex.git] / crypto / twofish.c
blob4efff8cf9958c3e661298626230febdebd0fd093
1 /*
2 * Twofish for CryptoAPI
4 * Originally Twofish for GPG
5 * By Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998
6 * 256-bit key length added March 20, 1999
7 * Some modifications to reduce the text size by Werner Koch, April, 1998
8 * Ported to the kerneli patch by Marc Mutz <Marc@Mutz.com>
9 * Ported to CryptoAPI by Colin Slater <hoho@tacomeat.net>
11 * The original author has disclaimed all copyright interest in this
12 * code and thus put it in the public domain. The subsequent authors
13 * have put this under the GNU General Public License.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
28 * USA
30 * This code is a "clean room" implementation, written from the paper
31 * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey,
32 * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available
33 * through http://www.counterpane.com/twofish.html
35 * For background information on multiplication in finite fields, used for
36 * the matrix operations in the key schedule, see the book _Contemporary
37 * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the
38 * Third Edition.
40 #include <linux/module.h>
41 #include <linux/init.h>
42 #include <linux/types.h>
43 #include <linux/errno.h>
44 #include <linux/crypto.h>
47 /* The large precomputed tables for the Twofish cipher (twofish.c)
48 * Taken from the same source as twofish.c
49 * Marc Mutz <Marc@Mutz.com>
52 /* These two tables are the q0 and q1 permutations, exactly as described in
53 * the Twofish paper. */
55 static const u8 q0[256] = {
56 0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78,
57 0xE4, 0xDD, 0xD1, 0x38, 0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C,
58 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48, 0xF2, 0xD0, 0x8B, 0x30,
59 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,
60 0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE,
61 0x16, 0x0C, 0xE3, 0x61, 0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B,
62 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1, 0xE1, 0xE6, 0xBD, 0x45,
63 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,
64 0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF,
65 0x33, 0xC9, 0x62, 0x71, 0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8,
66 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7, 0xA1, 0x1D, 0xAA, 0xED,
67 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,
68 0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B,
69 0x5F, 0x93, 0x0A, 0xEF, 0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B,
70 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64, 0x2A, 0xCE, 0xCB, 0x2F,
71 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,
72 0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17,
73 0x55, 0x1F, 0x8A, 0x7D, 0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72,
74 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34, 0x6E, 0x50, 0xDE, 0x68,
75 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,
76 0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42,
77 0x4A, 0x5E, 0xC1, 0xE0
80 static const u8 q1[256] = {
81 0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B,
82 0x45, 0x7D, 0xE8, 0x4B, 0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1,
83 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F, 0x5E, 0xBA, 0xAE, 0x5B,
84 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,
85 0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54,
86 0x92, 0x74, 0x36, 0x51, 0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96,
87 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C, 0x13, 0x95, 0x9C, 0xC7,
88 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,
89 0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF,
90 0x40, 0xE7, 0x2B, 0xE2, 0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9,
91 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17, 0x66, 0x94, 0xA1, 0x1D,
92 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,
93 0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21,
94 0xC4, 0x1A, 0xEB, 0xD9, 0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01,
95 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48, 0x4F, 0xF2, 0x65, 0x8E,
96 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,
97 0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44,
98 0xE0, 0x4D, 0x43, 0x69, 0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E,
99 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC, 0x22, 0xC9, 0xC0, 0x9B,
100 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,
101 0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56,
102 0x55, 0x09, 0xBE, 0x91
105 /* These MDS tables are actually tables of MDS composed with q0 and q1,
106 * because it is only ever used that way and we can save some time by
107 * precomputing. Of course the main saving comes from precomputing the
108 * GF(2^8) multiplication involved in the MDS matrix multiply; by looking
109 * things up in these tables we reduce the matrix multiply to four lookups
110 * and three XORs. Semi-formally, the definition of these tables is:
111 * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T
112 * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T
113 * where ^T means "transpose", the matrix multiply is performed in GF(2^8)
114 * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described
115 * by Schneier et al, and I'm casually glossing over the byte/word
116 * conversion issues. */
118 static const u32 mds[4][256] = {
119 {0xBCBC3275, 0xECEC21F3, 0x202043C6, 0xB3B3C9F4, 0xDADA03DB, 0x02028B7B,
120 0xE2E22BFB, 0x9E9EFAC8, 0xC9C9EC4A, 0xD4D409D3, 0x18186BE6, 0x1E1E9F6B,
121 0x98980E45, 0xB2B2387D, 0xA6A6D2E8, 0x2626B74B, 0x3C3C57D6, 0x93938A32,
122 0x8282EED8, 0x525298FD, 0x7B7BD437, 0xBBBB3771, 0x5B5B97F1, 0x474783E1,
123 0x24243C30, 0x5151E20F, 0xBABAC6F8, 0x4A4AF31B, 0xBFBF4887, 0x0D0D70FA,
124 0xB0B0B306, 0x7575DE3F, 0xD2D2FD5E, 0x7D7D20BA, 0x666631AE, 0x3A3AA35B,
125 0x59591C8A, 0x00000000, 0xCDCD93BC, 0x1A1AE09D, 0xAEAE2C6D, 0x7F7FABC1,
126 0x2B2BC7B1, 0xBEBEB90E, 0xE0E0A080, 0x8A8A105D, 0x3B3B52D2, 0x6464BAD5,
127 0xD8D888A0, 0xE7E7A584, 0x5F5FE807, 0x1B1B1114, 0x2C2CC2B5, 0xFCFCB490,
128 0x3131272C, 0x808065A3, 0x73732AB2, 0x0C0C8173, 0x79795F4C, 0x6B6B4154,
129 0x4B4B0292, 0x53536974, 0x94948F36, 0x83831F51, 0x2A2A3638, 0xC4C49CB0,
130 0x2222C8BD, 0xD5D5F85A, 0xBDBDC3FC, 0x48487860, 0xFFFFCE62, 0x4C4C0796,
131 0x4141776C, 0xC7C7E642, 0xEBEB24F7, 0x1C1C1410, 0x5D5D637C, 0x36362228,
132 0x6767C027, 0xE9E9AF8C, 0x4444F913, 0x1414EA95, 0xF5F5BB9C, 0xCFCF18C7,
133 0x3F3F2D24, 0xC0C0E346, 0x7272DB3B, 0x54546C70, 0x29294CCA, 0xF0F035E3,
134 0x0808FE85, 0xC6C617CB, 0xF3F34F11, 0x8C8CE4D0, 0xA4A45993, 0xCACA96B8,
135 0x68683BA6, 0xB8B84D83, 0x38382820, 0xE5E52EFF, 0xADAD569F, 0x0B0B8477,
136 0xC8C81DC3, 0x9999FFCC, 0x5858ED03, 0x19199A6F, 0x0E0E0A08, 0x95957EBF,
137 0x70705040, 0xF7F730E7, 0x6E6ECF2B, 0x1F1F6EE2, 0xB5B53D79, 0x09090F0C,
138 0x616134AA, 0x57571682, 0x9F9F0B41, 0x9D9D803A, 0x111164EA, 0x2525CDB9,
139 0xAFAFDDE4, 0x4545089A, 0xDFDF8DA4, 0xA3A35C97, 0xEAEAD57E, 0x353558DA,
140 0xEDEDD07A, 0x4343FC17, 0xF8F8CB66, 0xFBFBB194, 0x3737D3A1, 0xFAFA401D,
141 0xC2C2683D, 0xB4B4CCF0, 0x32325DDE, 0x9C9C71B3, 0x5656E70B, 0xE3E3DA72,
142 0x878760A7, 0x15151B1C, 0xF9F93AEF, 0x6363BFD1, 0x3434A953, 0x9A9A853E,
143 0xB1B1428F, 0x7C7CD133, 0x88889B26, 0x3D3DA65F, 0xA1A1D7EC, 0xE4E4DF76,
144 0x8181942A, 0x91910149, 0x0F0FFB81, 0xEEEEAA88, 0x161661EE, 0xD7D77321,
145 0x9797F5C4, 0xA5A5A81A, 0xFEFE3FEB, 0x6D6DB5D9, 0x7878AEC5, 0xC5C56D39,
146 0x1D1DE599, 0x7676A4CD, 0x3E3EDCAD, 0xCBCB6731, 0xB6B6478B, 0xEFEF5B01,
147 0x12121E18, 0x6060C523, 0x6A6AB0DD, 0x4D4DF61F, 0xCECEE94E, 0xDEDE7C2D,
148 0x55559DF9, 0x7E7E5A48, 0x2121B24F, 0x03037AF2, 0xA0A02665, 0x5E5E198E,
149 0x5A5A6678, 0x65654B5C, 0x62624E58, 0xFDFD4519, 0x0606F48D, 0x404086E5,
150 0xF2F2BE98, 0x3333AC57, 0x17179067, 0x05058E7F, 0xE8E85E05, 0x4F4F7D64,
151 0x89896AAF, 0x10109563, 0x74742FB6, 0x0A0A75FE, 0x5C5C92F5, 0x9B9B74B7,
152 0x2D2D333C, 0x3030D6A5, 0x2E2E49CE, 0x494989E9, 0x46467268, 0x77775544,
153 0xA8A8D8E0, 0x9696044D, 0x2828BD43, 0xA9A92969, 0xD9D97929, 0x8686912E,
154 0xD1D187AC, 0xF4F44A15, 0x8D8D1559, 0xD6D682A8, 0xB9B9BC0A, 0x42420D9E,
155 0xF6F6C16E, 0x2F2FB847, 0xDDDD06DF, 0x23233934, 0xCCCC6235, 0xF1F1C46A,
156 0xC1C112CF, 0x8585EBDC, 0x8F8F9E22, 0x7171A1C9, 0x9090F0C0, 0xAAAA539B,
157 0x0101F189, 0x8B8BE1D4, 0x4E4E8CED, 0x8E8E6FAB, 0xABABA212, 0x6F6F3EA2,
158 0xE6E6540D, 0xDBDBF252, 0x92927BBB, 0xB7B7B602, 0x6969CA2F, 0x3939D9A9,
159 0xD3D30CD7, 0xA7A72361, 0xA2A2AD1E, 0xC3C399B4, 0x6C6C4450, 0x07070504,
160 0x04047FF6, 0x272746C2, 0xACACA716, 0xD0D07625, 0x50501386, 0xDCDCF756,
161 0x84841A55, 0xE1E15109, 0x7A7A25BE, 0x1313EF91},
163 {0xA9D93939, 0x67901717, 0xB3719C9C, 0xE8D2A6A6, 0x04050707, 0xFD985252,
164 0xA3658080, 0x76DFE4E4, 0x9A084545, 0x92024B4B, 0x80A0E0E0, 0x78665A5A,
165 0xE4DDAFAF, 0xDDB06A6A, 0xD1BF6363, 0x38362A2A, 0x0D54E6E6, 0xC6432020,
166 0x3562CCCC, 0x98BEF2F2, 0x181E1212, 0xF724EBEB, 0xECD7A1A1, 0x6C774141,
167 0x43BD2828, 0x7532BCBC, 0x37D47B7B, 0x269B8888, 0xFA700D0D, 0x13F94444,
168 0x94B1FBFB, 0x485A7E7E, 0xF27A0303, 0xD0E48C8C, 0x8B47B6B6, 0x303C2424,
169 0x84A5E7E7, 0x54416B6B, 0xDF06DDDD, 0x23C56060, 0x1945FDFD, 0x5BA33A3A,
170 0x3D68C2C2, 0x59158D8D, 0xF321ECEC, 0xAE316666, 0xA23E6F6F, 0x82165757,
171 0x63951010, 0x015BEFEF, 0x834DB8B8, 0x2E918686, 0xD9B56D6D, 0x511F8383,
172 0x9B53AAAA, 0x7C635D5D, 0xA63B6868, 0xEB3FFEFE, 0xA5D63030, 0xBE257A7A,
173 0x16A7ACAC, 0x0C0F0909, 0xE335F0F0, 0x6123A7A7, 0xC0F09090, 0x8CAFE9E9,
174 0x3A809D9D, 0xF5925C5C, 0x73810C0C, 0x2C273131, 0x2576D0D0, 0x0BE75656,
175 0xBB7B9292, 0x4EE9CECE, 0x89F10101, 0x6B9F1E1E, 0x53A93434, 0x6AC4F1F1,
176 0xB499C3C3, 0xF1975B5B, 0xE1834747, 0xE66B1818, 0xBDC82222, 0x450E9898,
177 0xE26E1F1F, 0xF4C9B3B3, 0xB62F7474, 0x66CBF8F8, 0xCCFF9999, 0x95EA1414,
178 0x03ED5858, 0x56F7DCDC, 0xD4E18B8B, 0x1C1B1515, 0x1EADA2A2, 0xD70CD3D3,
179 0xFB2BE2E2, 0xC31DC8C8, 0x8E195E5E, 0xB5C22C2C, 0xE9894949, 0xCF12C1C1,
180 0xBF7E9595, 0xBA207D7D, 0xEA641111, 0x77840B0B, 0x396DC5C5, 0xAF6A8989,
181 0x33D17C7C, 0xC9A17171, 0x62CEFFFF, 0x7137BBBB, 0x81FB0F0F, 0x793DB5B5,
182 0x0951E1E1, 0xADDC3E3E, 0x242D3F3F, 0xCDA47676, 0xF99D5555, 0xD8EE8282,
183 0xE5864040, 0xC5AE7878, 0xB9CD2525, 0x4D049696, 0x44557777, 0x080A0E0E,
184 0x86135050, 0xE730F7F7, 0xA1D33737, 0x1D40FAFA, 0xAA346161, 0xED8C4E4E,
185 0x06B3B0B0, 0x706C5454, 0xB22A7373, 0xD2523B3B, 0x410B9F9F, 0x7B8B0202,
186 0xA088D8D8, 0x114FF3F3, 0x3167CBCB, 0xC2462727, 0x27C06767, 0x90B4FCFC,
187 0x20283838, 0xF67F0404, 0x60784848, 0xFF2EE5E5, 0x96074C4C, 0x5C4B6565,
188 0xB1C72B2B, 0xAB6F8E8E, 0x9E0D4242, 0x9CBBF5F5, 0x52F2DBDB, 0x1BF34A4A,
189 0x5FA63D3D, 0x9359A4A4, 0x0ABCB9B9, 0xEF3AF9F9, 0x91EF1313, 0x85FE0808,
190 0x49019191, 0xEE611616, 0x2D7CDEDE, 0x4FB22121, 0x8F42B1B1, 0x3BDB7272,
191 0x47B82F2F, 0x8748BFBF, 0x6D2CAEAE, 0x46E3C0C0, 0xD6573C3C, 0x3E859A9A,
192 0x6929A9A9, 0x647D4F4F, 0x2A948181, 0xCE492E2E, 0xCB17C6C6, 0x2FCA6969,
193 0xFCC3BDBD, 0x975CA3A3, 0x055EE8E8, 0x7AD0EDED, 0xAC87D1D1, 0x7F8E0505,
194 0xD5BA6464, 0x1AA8A5A5, 0x4BB72626, 0x0EB9BEBE, 0xA7608787, 0x5AF8D5D5,
195 0x28223636, 0x14111B1B, 0x3FDE7575, 0x2979D9D9, 0x88AAEEEE, 0x3C332D2D,
196 0x4C5F7979, 0x02B6B7B7, 0xB896CACA, 0xDA583535, 0xB09CC4C4, 0x17FC4343,
197 0x551A8484, 0x1FF64D4D, 0x8A1C5959, 0x7D38B2B2, 0x57AC3333, 0xC718CFCF,
198 0x8DF40606, 0x74695353, 0xB7749B9B, 0xC4F59797, 0x9F56ADAD, 0x72DAE3E3,
199 0x7ED5EAEA, 0x154AF4F4, 0x229E8F8F, 0x12A2ABAB, 0x584E6262, 0x07E85F5F,
200 0x99E51D1D, 0x34392323, 0x6EC1F6F6, 0x50446C6C, 0xDE5D3232, 0x68724646,
201 0x6526A0A0, 0xBC93CDCD, 0xDB03DADA, 0xF8C6BABA, 0xC8FA9E9E, 0xA882D6D6,
202 0x2BCF6E6E, 0x40507070, 0xDCEB8585, 0xFE750A0A, 0x328A9393, 0xA48DDFDF,
203 0xCA4C2929, 0x10141C1C, 0x2173D7D7, 0xF0CCB4B4, 0xD309D4D4, 0x5D108A8A,
204 0x0FE25151, 0x00000000, 0x6F9A1919, 0x9DE01A1A, 0x368F9494, 0x42E6C7C7,
205 0x4AECC9C9, 0x5EFDD2D2, 0xC1AB7F7F, 0xE0D8A8A8},
207 {0xBC75BC32, 0xECF3EC21, 0x20C62043, 0xB3F4B3C9, 0xDADBDA03, 0x027B028B,
208 0xE2FBE22B, 0x9EC89EFA, 0xC94AC9EC, 0xD4D3D409, 0x18E6186B, 0x1E6B1E9F,
209 0x9845980E, 0xB27DB238, 0xA6E8A6D2, 0x264B26B7, 0x3CD63C57, 0x9332938A,
210 0x82D882EE, 0x52FD5298, 0x7B377BD4, 0xBB71BB37, 0x5BF15B97, 0x47E14783,
211 0x2430243C, 0x510F51E2, 0xBAF8BAC6, 0x4A1B4AF3, 0xBF87BF48, 0x0DFA0D70,
212 0xB006B0B3, 0x753F75DE, 0xD25ED2FD, 0x7DBA7D20, 0x66AE6631, 0x3A5B3AA3,
213 0x598A591C, 0x00000000, 0xCDBCCD93, 0x1A9D1AE0, 0xAE6DAE2C, 0x7FC17FAB,
214 0x2BB12BC7, 0xBE0EBEB9, 0xE080E0A0, 0x8A5D8A10, 0x3BD23B52, 0x64D564BA,
215 0xD8A0D888, 0xE784E7A5, 0x5F075FE8, 0x1B141B11, 0x2CB52CC2, 0xFC90FCB4,
216 0x312C3127, 0x80A38065, 0x73B2732A, 0x0C730C81, 0x794C795F, 0x6B546B41,
217 0x4B924B02, 0x53745369, 0x9436948F, 0x8351831F, 0x2A382A36, 0xC4B0C49C,
218 0x22BD22C8, 0xD55AD5F8, 0xBDFCBDC3, 0x48604878, 0xFF62FFCE, 0x4C964C07,
219 0x416C4177, 0xC742C7E6, 0xEBF7EB24, 0x1C101C14, 0x5D7C5D63, 0x36283622,
220 0x672767C0, 0xE98CE9AF, 0x441344F9, 0x149514EA, 0xF59CF5BB, 0xCFC7CF18,
221 0x3F243F2D, 0xC046C0E3, 0x723B72DB, 0x5470546C, 0x29CA294C, 0xF0E3F035,
222 0x088508FE, 0xC6CBC617, 0xF311F34F, 0x8CD08CE4, 0xA493A459, 0xCAB8CA96,
223 0x68A6683B, 0xB883B84D, 0x38203828, 0xE5FFE52E, 0xAD9FAD56, 0x0B770B84,
224 0xC8C3C81D, 0x99CC99FF, 0x580358ED, 0x196F199A, 0x0E080E0A, 0x95BF957E,
225 0x70407050, 0xF7E7F730, 0x6E2B6ECF, 0x1FE21F6E, 0xB579B53D, 0x090C090F,
226 0x61AA6134, 0x57825716, 0x9F419F0B, 0x9D3A9D80, 0x11EA1164, 0x25B925CD,
227 0xAFE4AFDD, 0x459A4508, 0xDFA4DF8D, 0xA397A35C, 0xEA7EEAD5, 0x35DA3558,
228 0xED7AEDD0, 0x431743FC, 0xF866F8CB, 0xFB94FBB1, 0x37A137D3, 0xFA1DFA40,
229 0xC23DC268, 0xB4F0B4CC, 0x32DE325D, 0x9CB39C71, 0x560B56E7, 0xE372E3DA,
230 0x87A78760, 0x151C151B, 0xF9EFF93A, 0x63D163BF, 0x345334A9, 0x9A3E9A85,
231 0xB18FB142, 0x7C337CD1, 0x8826889B, 0x3D5F3DA6, 0xA1ECA1D7, 0xE476E4DF,
232 0x812A8194, 0x91499101, 0x0F810FFB, 0xEE88EEAA, 0x16EE1661, 0xD721D773,
233 0x97C497F5, 0xA51AA5A8, 0xFEEBFE3F, 0x6DD96DB5, 0x78C578AE, 0xC539C56D,
234 0x1D991DE5, 0x76CD76A4, 0x3EAD3EDC, 0xCB31CB67, 0xB68BB647, 0xEF01EF5B,
235 0x1218121E, 0x602360C5, 0x6ADD6AB0, 0x4D1F4DF6, 0xCE4ECEE9, 0xDE2DDE7C,
236 0x55F9559D, 0x7E487E5A, 0x214F21B2, 0x03F2037A, 0xA065A026, 0x5E8E5E19,
237 0x5A785A66, 0x655C654B, 0x6258624E, 0xFD19FD45, 0x068D06F4, 0x40E54086,
238 0xF298F2BE, 0x335733AC, 0x17671790, 0x057F058E, 0xE805E85E, 0x4F644F7D,
239 0x89AF896A, 0x10631095, 0x74B6742F, 0x0AFE0A75, 0x5CF55C92, 0x9BB79B74,
240 0x2D3C2D33, 0x30A530D6, 0x2ECE2E49, 0x49E94989, 0x46684672, 0x77447755,
241 0xA8E0A8D8, 0x964D9604, 0x284328BD, 0xA969A929, 0xD929D979, 0x862E8691,
242 0xD1ACD187, 0xF415F44A, 0x8D598D15, 0xD6A8D682, 0xB90AB9BC, 0x429E420D,
243 0xF66EF6C1, 0x2F472FB8, 0xDDDFDD06, 0x23342339, 0xCC35CC62, 0xF16AF1C4,
244 0xC1CFC112, 0x85DC85EB, 0x8F228F9E, 0x71C971A1, 0x90C090F0, 0xAA9BAA53,
245 0x018901F1, 0x8BD48BE1, 0x4EED4E8C, 0x8EAB8E6F, 0xAB12ABA2, 0x6FA26F3E,
246 0xE60DE654, 0xDB52DBF2, 0x92BB927B, 0xB702B7B6, 0x692F69CA, 0x39A939D9,
247 0xD3D7D30C, 0xA761A723, 0xA21EA2AD, 0xC3B4C399, 0x6C506C44, 0x07040705,
248 0x04F6047F, 0x27C22746, 0xAC16ACA7, 0xD025D076, 0x50865013, 0xDC56DCF7,
249 0x8455841A, 0xE109E151, 0x7ABE7A25, 0x139113EF},
251 {0xD939A9D9, 0x90176790, 0x719CB371, 0xD2A6E8D2, 0x05070405, 0x9852FD98,
252 0x6580A365, 0xDFE476DF, 0x08459A08, 0x024B9202, 0xA0E080A0, 0x665A7866,
253 0xDDAFE4DD, 0xB06ADDB0, 0xBF63D1BF, 0x362A3836, 0x54E60D54, 0x4320C643,
254 0x62CC3562, 0xBEF298BE, 0x1E12181E, 0x24EBF724, 0xD7A1ECD7, 0x77416C77,
255 0xBD2843BD, 0x32BC7532, 0xD47B37D4, 0x9B88269B, 0x700DFA70, 0xF94413F9,
256 0xB1FB94B1, 0x5A7E485A, 0x7A03F27A, 0xE48CD0E4, 0x47B68B47, 0x3C24303C,
257 0xA5E784A5, 0x416B5441, 0x06DDDF06, 0xC56023C5, 0x45FD1945, 0xA33A5BA3,
258 0x68C23D68, 0x158D5915, 0x21ECF321, 0x3166AE31, 0x3E6FA23E, 0x16578216,
259 0x95106395, 0x5BEF015B, 0x4DB8834D, 0x91862E91, 0xB56DD9B5, 0x1F83511F,
260 0x53AA9B53, 0x635D7C63, 0x3B68A63B, 0x3FFEEB3F, 0xD630A5D6, 0x257ABE25,
261 0xA7AC16A7, 0x0F090C0F, 0x35F0E335, 0x23A76123, 0xF090C0F0, 0xAFE98CAF,
262 0x809D3A80, 0x925CF592, 0x810C7381, 0x27312C27, 0x76D02576, 0xE7560BE7,
263 0x7B92BB7B, 0xE9CE4EE9, 0xF10189F1, 0x9F1E6B9F, 0xA93453A9, 0xC4F16AC4,
264 0x99C3B499, 0x975BF197, 0x8347E183, 0x6B18E66B, 0xC822BDC8, 0x0E98450E,
265 0x6E1FE26E, 0xC9B3F4C9, 0x2F74B62F, 0xCBF866CB, 0xFF99CCFF, 0xEA1495EA,
266 0xED5803ED, 0xF7DC56F7, 0xE18BD4E1, 0x1B151C1B, 0xADA21EAD, 0x0CD3D70C,
267 0x2BE2FB2B, 0x1DC8C31D, 0x195E8E19, 0xC22CB5C2, 0x8949E989, 0x12C1CF12,
268 0x7E95BF7E, 0x207DBA20, 0x6411EA64, 0x840B7784, 0x6DC5396D, 0x6A89AF6A,
269 0xD17C33D1, 0xA171C9A1, 0xCEFF62CE, 0x37BB7137, 0xFB0F81FB, 0x3DB5793D,
270 0x51E10951, 0xDC3EADDC, 0x2D3F242D, 0xA476CDA4, 0x9D55F99D, 0xEE82D8EE,
271 0x8640E586, 0xAE78C5AE, 0xCD25B9CD, 0x04964D04, 0x55774455, 0x0A0E080A,
272 0x13508613, 0x30F7E730, 0xD337A1D3, 0x40FA1D40, 0x3461AA34, 0x8C4EED8C,
273 0xB3B006B3, 0x6C54706C, 0x2A73B22A, 0x523BD252, 0x0B9F410B, 0x8B027B8B,
274 0x88D8A088, 0x4FF3114F, 0x67CB3167, 0x4627C246, 0xC06727C0, 0xB4FC90B4,
275 0x28382028, 0x7F04F67F, 0x78486078, 0x2EE5FF2E, 0x074C9607, 0x4B655C4B,
276 0xC72BB1C7, 0x6F8EAB6F, 0x0D429E0D, 0xBBF59CBB, 0xF2DB52F2, 0xF34A1BF3,
277 0xA63D5FA6, 0x59A49359, 0xBCB90ABC, 0x3AF9EF3A, 0xEF1391EF, 0xFE0885FE,
278 0x01914901, 0x6116EE61, 0x7CDE2D7C, 0xB2214FB2, 0x42B18F42, 0xDB723BDB,
279 0xB82F47B8, 0x48BF8748, 0x2CAE6D2C, 0xE3C046E3, 0x573CD657, 0x859A3E85,
280 0x29A96929, 0x7D4F647D, 0x94812A94, 0x492ECE49, 0x17C6CB17, 0xCA692FCA,
281 0xC3BDFCC3, 0x5CA3975C, 0x5EE8055E, 0xD0ED7AD0, 0x87D1AC87, 0x8E057F8E,
282 0xBA64D5BA, 0xA8A51AA8, 0xB7264BB7, 0xB9BE0EB9, 0x6087A760, 0xF8D55AF8,
283 0x22362822, 0x111B1411, 0xDE753FDE, 0x79D92979, 0xAAEE88AA, 0x332D3C33,
284 0x5F794C5F, 0xB6B702B6, 0x96CAB896, 0x5835DA58, 0x9CC4B09C, 0xFC4317FC,
285 0x1A84551A, 0xF64D1FF6, 0x1C598A1C, 0x38B27D38, 0xAC3357AC, 0x18CFC718,
286 0xF4068DF4, 0x69537469, 0x749BB774, 0xF597C4F5, 0x56AD9F56, 0xDAE372DA,
287 0xD5EA7ED5, 0x4AF4154A, 0x9E8F229E, 0xA2AB12A2, 0x4E62584E, 0xE85F07E8,
288 0xE51D99E5, 0x39233439, 0xC1F66EC1, 0x446C5044, 0x5D32DE5D, 0x72466872,
289 0x26A06526, 0x93CDBC93, 0x03DADB03, 0xC6BAF8C6, 0xFA9EC8FA, 0x82D6A882,
290 0xCF6E2BCF, 0x50704050, 0xEB85DCEB, 0x750AFE75, 0x8A93328A, 0x8DDFA48D,
291 0x4C29CA4C, 0x141C1014, 0x73D72173, 0xCCB4F0CC, 0x09D4D309, 0x108A5D10,
292 0xE2510FE2, 0x00000000, 0x9A196F9A, 0xE01A9DE0, 0x8F94368F, 0xE6C742E6,
293 0xECC94AEC, 0xFDD25EFD, 0xAB7FC1AB, 0xD8A8E0D8}
296 /* The exp_to_poly and poly_to_exp tables are used to perform efficient
297 * operations in GF(2^8) represented as GF(2)[x]/w(x) where
298 * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the
299 * definition of the RS matrix in the key schedule. Elements of that field
300 * are polynomials of degree not greater than 7 and all coefficients 0 or 1,
301 * which can be represented naturally by bytes (just substitute x=2). In that
302 * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8)
303 * multiplication is inefficient without hardware support. To multiply
304 * faster, I make use of the fact x is a generator for the nonzero elements,
305 * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for
306 * some n in 0..254. Note that that caret is exponentiation in GF(2^8),
307 * *not* polynomial notation. So if I want to compute pq where p and q are
308 * in GF(2^8), I can just say:
309 * 1. if p=0 or q=0 then pq=0
310 * 2. otherwise, find m and n such that p=x^m and q=x^n
311 * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq
312 * The translations in steps 2 and 3 are looked up in the tables
313 * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this
314 * in action, look at the CALC_S macro. As additional wrinkles, note that
315 * one of my operands is always a constant, so the poly_to_exp lookup on it
316 * is done in advance; I included the original values in the comments so
317 * readers can have some chance of recognizing that this *is* the RS matrix
318 * from the Twofish paper. I've only included the table entries I actually
319 * need; I never do a lookup on a variable input of zero and the biggest
320 * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll
321 * never sum to more than 491. I'm repeating part of the exp_to_poly table
322 * so that I don't have to do mod-255 reduction in the exponent arithmetic.
323 * Since I know my constant operands are never zero, I only have to worry
324 * about zero values in the variable operand, and I do it with a simple
325 * conditional branch. I know conditionals are expensive, but I couldn't
326 * see a non-horrible way of avoiding them, and I did manage to group the
327 * statements so that each if covers four group multiplications. */
329 static const u8 poly_to_exp[255] = {
330 0x00, 0x01, 0x17, 0x02, 0x2E, 0x18, 0x53, 0x03, 0x6A, 0x2F, 0x93, 0x19,
331 0x34, 0x54, 0x45, 0x04, 0x5C, 0x6B, 0xB6, 0x30, 0xA6, 0x94, 0x4B, 0x1A,
332 0x8C, 0x35, 0x81, 0x55, 0xAA, 0x46, 0x0D, 0x05, 0x24, 0x5D, 0x87, 0x6C,
333 0x9B, 0xB7, 0xC1, 0x31, 0x2B, 0xA7, 0xA3, 0x95, 0x98, 0x4C, 0xCA, 0x1B,
334 0xE6, 0x8D, 0x73, 0x36, 0xCD, 0x82, 0x12, 0x56, 0x62, 0xAB, 0xF0, 0x47,
335 0x4F, 0x0E, 0xBD, 0x06, 0xD4, 0x25, 0xD2, 0x5E, 0x27, 0x88, 0x66, 0x6D,
336 0xD6, 0x9C, 0x79, 0xB8, 0x08, 0xC2, 0xDF, 0x32, 0x68, 0x2C, 0xFD, 0xA8,
337 0x8A, 0xA4, 0x5A, 0x96, 0x29, 0x99, 0x22, 0x4D, 0x60, 0xCB, 0xE4, 0x1C,
338 0x7B, 0xE7, 0x3B, 0x8E, 0x9E, 0x74, 0xF4, 0x37, 0xD8, 0xCE, 0xF9, 0x83,
339 0x6F, 0x13, 0xB2, 0x57, 0xE1, 0x63, 0xDC, 0xAC, 0xC4, 0xF1, 0xAF, 0x48,
340 0x0A, 0x50, 0x42, 0x0F, 0xBA, 0xBE, 0xC7, 0x07, 0xDE, 0xD5, 0x78, 0x26,
341 0x65, 0xD3, 0xD1, 0x5F, 0xE3, 0x28, 0x21, 0x89, 0x59, 0x67, 0xFC, 0x6E,
342 0xB1, 0xD7, 0xF8, 0x9D, 0xF3, 0x7A, 0x3A, 0xB9, 0xC6, 0x09, 0x41, 0xC3,
343 0xAE, 0xE0, 0xDB, 0x33, 0x44, 0x69, 0x92, 0x2D, 0x52, 0xFE, 0x16, 0xA9,
344 0x0C, 0x8B, 0x80, 0xA5, 0x4A, 0x5B, 0xB5, 0x97, 0xC9, 0x2A, 0xA2, 0x9A,
345 0xC0, 0x23, 0x86, 0x4E, 0xBC, 0x61, 0xEF, 0xCC, 0x11, 0xE5, 0x72, 0x1D,
346 0x3D, 0x7C, 0xEB, 0xE8, 0xE9, 0x3C, 0xEA, 0x8F, 0x7D, 0x9F, 0xEC, 0x75,
347 0x1E, 0xF5, 0x3E, 0x38, 0xF6, 0xD9, 0x3F, 0xCF, 0x76, 0xFA, 0x1F, 0x84,
348 0xA0, 0x70, 0xED, 0x14, 0x90, 0xB3, 0x7E, 0x58, 0xFB, 0xE2, 0x20, 0x64,
349 0xD0, 0xDD, 0x77, 0xAD, 0xDA, 0xC5, 0x40, 0xF2, 0x39, 0xB0, 0xF7, 0x49,
350 0xB4, 0x0B, 0x7F, 0x51, 0x15, 0x43, 0x91, 0x10, 0x71, 0xBB, 0xEE, 0xBF,
351 0x85, 0xC8, 0xA1
354 static const u8 exp_to_poly[492] = {
355 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D, 0x9A, 0x79, 0xF2,
356 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC, 0xF5, 0xA7, 0x03,
357 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3, 0x8B, 0x5B, 0xB6,
358 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52, 0xA4, 0x05, 0x0A,
359 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0, 0xED, 0x97, 0x63,
360 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1, 0x0F, 0x1E, 0x3C,
361 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A, 0xF4, 0xA5, 0x07,
362 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11, 0x22, 0x44, 0x88,
363 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51, 0xA2, 0x09, 0x12,
364 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66, 0xCC, 0xD5, 0xE7,
365 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB, 0x1B, 0x36, 0x6C,
366 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19, 0x32, 0x64, 0xC8,
367 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D, 0x5A, 0xB4, 0x25,
368 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56, 0xAC, 0x15, 0x2A,
369 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE, 0x91, 0x6F, 0xDE,
370 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9, 0x3F, 0x7E, 0xFC,
371 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE, 0xB1, 0x2F, 0x5E,
372 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41, 0x82, 0x49, 0x92,
373 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E, 0x71, 0xE2, 0x89,
374 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB, 0xDB, 0xFB, 0xBB,
375 0x3B, 0x76, 0xEC, 0x95, 0x67, 0xCE, 0xD1, 0xEF, 0x93, 0x6B, 0xD6, 0xE1,
376 0x8F, 0x53, 0xA6, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x4D,
377 0x9A, 0x79, 0xF2, 0xA9, 0x1F, 0x3E, 0x7C, 0xF8, 0xBD, 0x37, 0x6E, 0xDC,
378 0xF5, 0xA7, 0x03, 0x06, 0x0C, 0x18, 0x30, 0x60, 0xC0, 0xCD, 0xD7, 0xE3,
379 0x8B, 0x5B, 0xB6, 0x21, 0x42, 0x84, 0x45, 0x8A, 0x59, 0xB2, 0x29, 0x52,
380 0xA4, 0x05, 0x0A, 0x14, 0x28, 0x50, 0xA0, 0x0D, 0x1A, 0x34, 0x68, 0xD0,
381 0xED, 0x97, 0x63, 0xC6, 0xC1, 0xCF, 0xD3, 0xEB, 0x9B, 0x7B, 0xF6, 0xA1,
382 0x0F, 0x1E, 0x3C, 0x78, 0xF0, 0xAD, 0x17, 0x2E, 0x5C, 0xB8, 0x3D, 0x7A,
383 0xF4, 0xA5, 0x07, 0x0E, 0x1C, 0x38, 0x70, 0xE0, 0x8D, 0x57, 0xAE, 0x11,
384 0x22, 0x44, 0x88, 0x5D, 0xBA, 0x39, 0x72, 0xE4, 0x85, 0x47, 0x8E, 0x51,
385 0xA2, 0x09, 0x12, 0x24, 0x48, 0x90, 0x6D, 0xDA, 0xF9, 0xBF, 0x33, 0x66,
386 0xCC, 0xD5, 0xE7, 0x83, 0x4B, 0x96, 0x61, 0xC2, 0xC9, 0xDF, 0xF3, 0xAB,
387 0x1B, 0x36, 0x6C, 0xD8, 0xFD, 0xB7, 0x23, 0x46, 0x8C, 0x55, 0xAA, 0x19,
388 0x32, 0x64, 0xC8, 0xDD, 0xF7, 0xA3, 0x0B, 0x16, 0x2C, 0x58, 0xB0, 0x2D,
389 0x5A, 0xB4, 0x25, 0x4A, 0x94, 0x65, 0xCA, 0xD9, 0xFF, 0xB3, 0x2B, 0x56,
390 0xAC, 0x15, 0x2A, 0x54, 0xA8, 0x1D, 0x3A, 0x74, 0xE8, 0x9D, 0x77, 0xEE,
391 0x91, 0x6F, 0xDE, 0xF1, 0xAF, 0x13, 0x26, 0x4C, 0x98, 0x7D, 0xFA, 0xB9,
392 0x3F, 0x7E, 0xFC, 0xB5, 0x27, 0x4E, 0x9C, 0x75, 0xEA, 0x99, 0x7F, 0xFE,
393 0xB1, 0x2F, 0x5E, 0xBC, 0x35, 0x6A, 0xD4, 0xE5, 0x87, 0x43, 0x86, 0x41,
394 0x82, 0x49, 0x92, 0x69, 0xD2, 0xE9, 0x9F, 0x73, 0xE6, 0x81, 0x4F, 0x9E,
395 0x71, 0xE2, 0x89, 0x5F, 0xBE, 0x31, 0x62, 0xC4, 0xC5, 0xC7, 0xC3, 0xCB
399 /* The table constants are indices of
400 * S-box entries, preprocessed through q0 and q1. */
401 static const u8 calc_sb_tbl[512] = {
402 0xA9, 0x75, 0x67, 0xF3, 0xB3, 0xC6, 0xE8, 0xF4,
403 0x04, 0xDB, 0xFD, 0x7B, 0xA3, 0xFB, 0x76, 0xC8,
404 0x9A, 0x4A, 0x92, 0xD3, 0x80, 0xE6, 0x78, 0x6B,
405 0xE4, 0x45, 0xDD, 0x7D, 0xD1, 0xE8, 0x38, 0x4B,
406 0x0D, 0xD6, 0xC6, 0x32, 0x35, 0xD8, 0x98, 0xFD,
407 0x18, 0x37, 0xF7, 0x71, 0xEC, 0xF1, 0x6C, 0xE1,
408 0x43, 0x30, 0x75, 0x0F, 0x37, 0xF8, 0x26, 0x1B,
409 0xFA, 0x87, 0x13, 0xFA, 0x94, 0x06, 0x48, 0x3F,
410 0xF2, 0x5E, 0xD0, 0xBA, 0x8B, 0xAE, 0x30, 0x5B,
411 0x84, 0x8A, 0x54, 0x00, 0xDF, 0xBC, 0x23, 0x9D,
412 0x19, 0x6D, 0x5B, 0xC1, 0x3D, 0xB1, 0x59, 0x0E,
413 0xF3, 0x80, 0xAE, 0x5D, 0xA2, 0xD2, 0x82, 0xD5,
414 0x63, 0xA0, 0x01, 0x84, 0x83, 0x07, 0x2E, 0x14,
415 0xD9, 0xB5, 0x51, 0x90, 0x9B, 0x2C, 0x7C, 0xA3,
416 0xA6, 0xB2, 0xEB, 0x73, 0xA5, 0x4C, 0xBE, 0x54,
417 0x16, 0x92, 0x0C, 0x74, 0xE3, 0x36, 0x61, 0x51,
418 0xC0, 0x38, 0x8C, 0xB0, 0x3A, 0xBD, 0xF5, 0x5A,
419 0x73, 0xFC, 0x2C, 0x60, 0x25, 0x62, 0x0B, 0x96,
420 0xBB, 0x6C, 0x4E, 0x42, 0x89, 0xF7, 0x6B, 0x10,
421 0x53, 0x7C, 0x6A, 0x28, 0xB4, 0x27, 0xF1, 0x8C,
422 0xE1, 0x13, 0xE6, 0x95, 0xBD, 0x9C, 0x45, 0xC7,
423 0xE2, 0x24, 0xF4, 0x46, 0xB6, 0x3B, 0x66, 0x70,
424 0xCC, 0xCA, 0x95, 0xE3, 0x03, 0x85, 0x56, 0xCB,
425 0xD4, 0x11, 0x1C, 0xD0, 0x1E, 0x93, 0xD7, 0xB8,
426 0xFB, 0xA6, 0xC3, 0x83, 0x8E, 0x20, 0xB5, 0xFF,
427 0xE9, 0x9F, 0xCF, 0x77, 0xBF, 0xC3, 0xBA, 0xCC,
428 0xEA, 0x03, 0x77, 0x6F, 0x39, 0x08, 0xAF, 0xBF,
429 0x33, 0x40, 0xC9, 0xE7, 0x62, 0x2B, 0x71, 0xE2,
430 0x81, 0x79, 0x79, 0x0C, 0x09, 0xAA, 0xAD, 0x82,
431 0x24, 0x41, 0xCD, 0x3A, 0xF9, 0xEA, 0xD8, 0xB9,
432 0xE5, 0xE4, 0xC5, 0x9A, 0xB9, 0xA4, 0x4D, 0x97,
433 0x44, 0x7E, 0x08, 0xDA, 0x86, 0x7A, 0xE7, 0x17,
434 0xA1, 0x66, 0x1D, 0x94, 0xAA, 0xA1, 0xED, 0x1D,
435 0x06, 0x3D, 0x70, 0xF0, 0xB2, 0xDE, 0xD2, 0xB3,
436 0x41, 0x0B, 0x7B, 0x72, 0xA0, 0xA7, 0x11, 0x1C,
437 0x31, 0xEF, 0xC2, 0xD1, 0x27, 0x53, 0x90, 0x3E,
438 0x20, 0x8F, 0xF6, 0x33, 0x60, 0x26, 0xFF, 0x5F,
439 0x96, 0xEC, 0x5C, 0x76, 0xB1, 0x2A, 0xAB, 0x49,
440 0x9E, 0x81, 0x9C, 0x88, 0x52, 0xEE, 0x1B, 0x21,
441 0x5F, 0xC4, 0x93, 0x1A, 0x0A, 0xEB, 0xEF, 0xD9,
442 0x91, 0xC5, 0x85, 0x39, 0x49, 0x99, 0xEE, 0xCD,
443 0x2D, 0xAD, 0x4F, 0x31, 0x8F, 0x8B, 0x3B, 0x01,
444 0x47, 0x18, 0x87, 0x23, 0x6D, 0xDD, 0x46, 0x1F,
445 0xD6, 0x4E, 0x3E, 0x2D, 0x69, 0xF9, 0x64, 0x48,
446 0x2A, 0x4F, 0xCE, 0xF2, 0xCB, 0x65, 0x2F, 0x8E,
447 0xFC, 0x78, 0x97, 0x5C, 0x05, 0x58, 0x7A, 0x19,
448 0xAC, 0x8D, 0x7F, 0xE5, 0xD5, 0x98, 0x1A, 0x57,
449 0x4B, 0x67, 0x0E, 0x7F, 0xA7, 0x05, 0x5A, 0x64,
450 0x28, 0xAF, 0x14, 0x63, 0x3F, 0xB6, 0x29, 0xFE,
451 0x88, 0xF5, 0x3C, 0xB7, 0x4C, 0x3C, 0x02, 0xA5,
452 0xB8, 0xCE, 0xDA, 0xE9, 0xB0, 0x68, 0x17, 0x44,
453 0x55, 0xE0, 0x1F, 0x4D, 0x8A, 0x43, 0x7D, 0x69,
454 0x57, 0x29, 0xC7, 0x2E, 0x8D, 0xAC, 0x74, 0x15,
455 0xB7, 0x59, 0xC4, 0xA8, 0x9F, 0x0A, 0x72, 0x9E,
456 0x7E, 0x6E, 0x15, 0x47, 0x22, 0xDF, 0x12, 0x34,
457 0x58, 0x35, 0x07, 0x6A, 0x99, 0xCF, 0x34, 0xDC,
458 0x6E, 0x22, 0x50, 0xC9, 0xDE, 0xC0, 0x68, 0x9B,
459 0x65, 0x89, 0xBC, 0xD4, 0xDB, 0xED, 0xF8, 0xAB,
460 0xC8, 0x12, 0xA8, 0xA2, 0x2B, 0x0D, 0x40, 0x52,
461 0xDC, 0xBB, 0xFE, 0x02, 0x32, 0x2F, 0xA4, 0xA9,
462 0xCA, 0xD7, 0x10, 0x61, 0x21, 0x1E, 0xF0, 0xB4,
463 0xD3, 0x50, 0x5D, 0x04, 0x0F, 0xF6, 0x00, 0xC2,
464 0x6F, 0x16, 0x9D, 0x25, 0x36, 0x86, 0x42, 0x56,
465 0x4A, 0x55, 0x5E, 0x09, 0xC1, 0xBE, 0xE0, 0x91
468 /* Macro to perform one column of the RS matrix multiplication. The
469 * parameters a, b, c, and d are the four bytes of output; i is the index
470 * of the key bytes, and w, x, y, and z, are the column of constants from
471 * the RS matrix, preprocessed through the poly_to_exp table. */
473 #define CALC_S(a, b, c, d, i, w, x, y, z) \
474 if (key[i]) { \
475 tmp = poly_to_exp[key[i] - 1]; \
476 (a) ^= exp_to_poly[tmp + (w)]; \
477 (b) ^= exp_to_poly[tmp + (x)]; \
478 (c) ^= exp_to_poly[tmp + (y)]; \
479 (d) ^= exp_to_poly[tmp + (z)]; \
482 /* Macros to calculate the key-dependent S-boxes for a 128-bit key using
483 * the S vector from CALC_S. CALC_SB_2 computes a single entry in all
484 * four S-boxes, where i is the index of the entry to compute, and a and b
485 * are the index numbers preprocessed through the q0 and q1 tables
486 * respectively. */
488 #define CALC_SB_2(i, a, b) \
489 ctx->s[0][i] = mds[0][q0[(a) ^ sa] ^ se]; \
490 ctx->s[1][i] = mds[1][q0[(b) ^ sb] ^ sf]; \
491 ctx->s[2][i] = mds[2][q1[(a) ^ sc] ^ sg]; \
492 ctx->s[3][i] = mds[3][q1[(b) ^ sd] ^ sh]
494 /* Macro exactly like CALC_SB_2, but for 192-bit keys. */
496 #define CALC_SB192_2(i, a, b) \
497 ctx->s[0][i] = mds[0][q0[q0[(b) ^ sa] ^ se] ^ si]; \
498 ctx->s[1][i] = mds[1][q0[q1[(b) ^ sb] ^ sf] ^ sj]; \
499 ctx->s[2][i] = mds[2][q1[q0[(a) ^ sc] ^ sg] ^ sk]; \
500 ctx->s[3][i] = mds[3][q1[q1[(a) ^ sd] ^ sh] ^ sl];
502 /* Macro exactly like CALC_SB_2, but for 256-bit keys. */
504 #define CALC_SB256_2(i, a, b) \
505 ctx->s[0][i] = mds[0][q0[q0[q1[(b) ^ sa] ^ se] ^ si] ^ sm]; \
506 ctx->s[1][i] = mds[1][q0[q1[q1[(a) ^ sb] ^ sf] ^ sj] ^ sn]; \
507 ctx->s[2][i] = mds[2][q1[q0[q0[(a) ^ sc] ^ sg] ^ sk] ^ so]; \
508 ctx->s[3][i] = mds[3][q1[q1[q0[(b) ^ sd] ^ sh] ^ sl] ^ sp];
510 /* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the
511 * last two stages of the h() function for a given index (either 2i or 2i+1).
512 * a, b, c, and d are the four bytes going into the last two stages. For
513 * 128-bit keys, this is the entire h() function and a and c are the index
514 * preprocessed through q0 and q1 respectively; for longer keys they are the
515 * output of previous stages. j is the index of the first key byte to use.
516 * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2
517 * twice, doing the Pseudo-Hadamard Transform, and doing the necessary
518 * rotations. Its parameters are: a, the array to write the results into,
519 * j, the index of the first output entry, k and l, the preprocessed indices
520 * for index 2i, and m and n, the preprocessed indices for index 2i+1.
521 * CALC_K192_2 expands CALC_K_2 to handle 192-bit keys, by doing an
522 * additional lookup-and-XOR stage. The parameters a, b, c and d are the
523 * four bytes going into the last three stages. For 192-bit keys, c = d
524 * are the index preprocessed through q0, and a = b are the index
525 * preprocessed through q1; j is the index of the first key byte to use.
526 * CALC_K192 is identical to CALC_K but for using the CALC_K192_2 macro
527 * instead of CALC_K_2.
528 * CALC_K256_2 expands CALC_K192_2 to handle 256-bit keys, by doing an
529 * additional lookup-and-XOR stage. The parameters a and b are the index
530 * preprocessed through q0 and q1 respectively; j is the index of the first
531 * key byte to use. CALC_K256 is identical to CALC_K but for using the
532 * CALC_K256_2 macro instead of CALC_K_2. */
534 #define CALC_K_2(a, b, c, d, j) \
535 mds[0][q0[a ^ key[(j) + 8]] ^ key[j]] \
536 ^ mds[1][q0[b ^ key[(j) + 9]] ^ key[(j) + 1]] \
537 ^ mds[2][q1[c ^ key[(j) + 10]] ^ key[(j) + 2]] \
538 ^ mds[3][q1[d ^ key[(j) + 11]] ^ key[(j) + 3]]
540 #define CALC_K(a, j, k, l, m, n) \
541 x = CALC_K_2 (k, l, k, l, 0); \
542 y = CALC_K_2 (m, n, m, n, 4); \
543 y = (y << 8) + (y >> 24); \
544 x += y; y += x; ctx->a[j] = x; \
545 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
547 #define CALC_K192_2(a, b, c, d, j) \
548 CALC_K_2 (q0[a ^ key[(j) + 16]], \
549 q1[b ^ key[(j) + 17]], \
550 q0[c ^ key[(j) + 18]], \
551 q1[d ^ key[(j) + 19]], j)
553 #define CALC_K192(a, j, k, l, m, n) \
554 x = CALC_K192_2 (l, l, k, k, 0); \
555 y = CALC_K192_2 (n, n, m, m, 4); \
556 y = (y << 8) + (y >> 24); \
557 x += y; y += x; ctx->a[j] = x; \
558 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
560 #define CALC_K256_2(a, b, j) \
561 CALC_K192_2 (q1[b ^ key[(j) + 24]], \
562 q1[a ^ key[(j) + 25]], \
563 q0[a ^ key[(j) + 26]], \
564 q0[b ^ key[(j) + 27]], j)
566 #define CALC_K256(a, j, k, l, m, n) \
567 x = CALC_K256_2 (k, l, 0); \
568 y = CALC_K256_2 (m, n, 4); \
569 y = (y << 8) + (y >> 24); \
570 x += y; y += x; ctx->a[j] = x; \
571 ctx->a[(j) + 1] = (y << 9) + (y >> 23)
574 /* Macros to compute the g() function in the encryption and decryption
575 * rounds. G1 is the straight g() function; G2 includes the 8-bit
576 * rotation for the high 32-bit word. */
578 #define G1(a) \
579 (ctx->s[0][(a) & 0xFF]) ^ (ctx->s[1][((a) >> 8) & 0xFF]) \
580 ^ (ctx->s[2][((a) >> 16) & 0xFF]) ^ (ctx->s[3][(a) >> 24])
582 #define G2(b) \
583 (ctx->s[1][(b) & 0xFF]) ^ (ctx->s[2][((b) >> 8) & 0xFF]) \
584 ^ (ctx->s[3][((b) >> 16) & 0xFF]) ^ (ctx->s[0][(b) >> 24])
586 /* Encryption and decryption Feistel rounds. Each one calls the two g()
587 * macros, does the PHT, and performs the XOR and the appropriate bit
588 * rotations. The parameters are the round number (used to select subkeys),
589 * and the four 32-bit chunks of the text. */
591 #define ENCROUND(n, a, b, c, d) \
592 x = G1 (a); y = G2 (b); \
593 x += y; y += x + ctx->k[2 * (n) + 1]; \
594 (c) ^= x + ctx->k[2 * (n)]; \
595 (c) = ((c) >> 1) + ((c) << 31); \
596 (d) = (((d) << 1)+((d) >> 31)) ^ y
598 #define DECROUND(n, a, b, c, d) \
599 x = G1 (a); y = G2 (b); \
600 x += y; y += x; \
601 (d) ^= y + ctx->k[2 * (n) + 1]; \
602 (d) = ((d) >> 1) + ((d) << 31); \
603 (c) = (((c) << 1)+((c) >> 31)); \
604 (c) ^= (x + ctx->k[2 * (n)])
606 /* Encryption and decryption cycles; each one is simply two Feistel rounds
607 * with the 32-bit chunks re-ordered to simulate the "swap" */
609 #define ENCCYCLE(n) \
610 ENCROUND (2 * (n), a, b, c, d); \
611 ENCROUND (2 * (n) + 1, c, d, a, b)
613 #define DECCYCLE(n) \
614 DECROUND (2 * (n) + 1, c, d, a, b); \
615 DECROUND (2 * (n), a, b, c, d)
617 /* Macros to convert the input and output bytes into 32-bit words,
618 * and simultaneously perform the whitening step. INPACK packs word
619 * number n into the variable named by x, using whitening subkey number m.
620 * OUTUNPACK unpacks word number n from the variable named by x, using
621 * whitening subkey number m. */
623 #define INPACK(n, x, m) \
624 x = in[4 * (n)] ^ (in[4 * (n) + 1] << 8) \
625 ^ (in[4 * (n) + 2] << 16) ^ (in[4 * (n) + 3] << 24) ^ ctx->w[m]
627 #define OUTUNPACK(n, x, m) \
628 x ^= ctx->w[m]; \
629 out[4 * (n)] = x; out[4 * (n) + 1] = x >> 8; \
630 out[4 * (n) + 2] = x >> 16; out[4 * (n) + 3] = x >> 24
632 #define TF_MIN_KEY_SIZE 16
633 #define TF_MAX_KEY_SIZE 32
634 #define TF_BLOCK_SIZE 16
636 /* Structure for an expanded Twofish key. s contains the key-dependent
637 * S-boxes composed with the MDS matrix; w contains the eight "whitening"
638 * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note
639 * that k[i] corresponds to what the Twofish paper calls K[i+8]. */
640 struct twofish_ctx {
641 u32 s[4][256], w[8], k[32];
644 /* Perform the key setup. */
645 static int twofish_setkey(void *cx, const u8 *key,
646 unsigned int key_len, u32 *flags)
649 struct twofish_ctx *ctx = cx;
651 int i, j, k;
653 /* Temporaries for CALC_K. */
654 u32 x, y;
656 /* The S vector used to key the S-boxes, split up into individual bytes.
657 * 128-bit keys use only sa through sh; 256-bit use all of them. */
658 u8 sa = 0, sb = 0, sc = 0, sd = 0, se = 0, sf = 0, sg = 0, sh = 0;
659 u8 si = 0, sj = 0, sk = 0, sl = 0, sm = 0, sn = 0, so = 0, sp = 0;
661 /* Temporary for CALC_S. */
662 u8 tmp;
664 /* Check key length. */
665 if (key_len != 16 && key_len != 24 && key_len != 32)
667 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
668 return -EINVAL; /* unsupported key length */
671 /* Compute the first two words of the S vector. The magic numbers are
672 * the entries of the RS matrix, preprocessed through poly_to_exp. The
673 * numbers in the comments are the original (polynomial form) matrix
674 * entries. */
675 CALC_S (sa, sb, sc, sd, 0, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
676 CALC_S (sa, sb, sc, sd, 1, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
677 CALC_S (sa, sb, sc, sd, 2, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
678 CALC_S (sa, sb, sc, sd, 3, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
679 CALC_S (sa, sb, sc, sd, 4, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
680 CALC_S (sa, sb, sc, sd, 5, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
681 CALC_S (sa, sb, sc, sd, 6, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
682 CALC_S (sa, sb, sc, sd, 7, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
683 CALC_S (se, sf, sg, sh, 8, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
684 CALC_S (se, sf, sg, sh, 9, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
685 CALC_S (se, sf, sg, sh, 10, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
686 CALC_S (se, sf, sg, sh, 11, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
687 CALC_S (se, sf, sg, sh, 12, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
688 CALC_S (se, sf, sg, sh, 13, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
689 CALC_S (se, sf, sg, sh, 14, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
690 CALC_S (se, sf, sg, sh, 15, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
692 if (key_len == 24 || key_len == 32) { /* 192- or 256-bit key */
693 /* Calculate the third word of the S vector */
694 CALC_S (si, sj, sk, sl, 16, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
695 CALC_S (si, sj, sk, sl, 17, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
696 CALC_S (si, sj, sk, sl, 18, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
697 CALC_S (si, sj, sk, sl, 19, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
698 CALC_S (si, sj, sk, sl, 20, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
699 CALC_S (si, sj, sk, sl, 21, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
700 CALC_S (si, sj, sk, sl, 22, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
701 CALC_S (si, sj, sk, sl, 23, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
704 if (key_len == 32) { /* 256-bit key */
705 /* Calculate the fourth word of the S vector */
706 CALC_S (sm, sn, so, sp, 24, 0x00, 0x2D, 0x01, 0x2D); /* 01 A4 02 A4 */
707 CALC_S (sm, sn, so, sp, 25, 0x2D, 0xA4, 0x44, 0x8A); /* A4 56 A1 55 */
708 CALC_S (sm, sn, so, sp, 26, 0x8A, 0xD5, 0xBF, 0xD1); /* 55 82 FC 87 */
709 CALC_S (sm, sn, so, sp, 27, 0xD1, 0x7F, 0x3D, 0x99); /* 87 F3 C1 5A */
710 CALC_S (sm, sn, so, sp, 28, 0x99, 0x46, 0x66, 0x96); /* 5A 1E 47 58 */
711 CALC_S (sm, sn, so, sp, 29, 0x96, 0x3C, 0x5B, 0xED); /* 58 C6 AE DB */
712 CALC_S (sm, sn, so, sp, 30, 0xED, 0x37, 0x4F, 0xE0); /* DB 68 3D 9E */
713 CALC_S (sm, sn, so, sp, 31, 0xE0, 0xD0, 0x8C, 0x17); /* 9E E5 19 03 */
715 /* Compute the S-boxes. */
716 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
717 CALC_SB256_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
720 /* Calculate whitening and round subkeys. The constants are
721 * indices of subkeys, preprocessed through q0 and q1. */
722 CALC_K256 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
723 CALC_K256 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
724 CALC_K256 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
725 CALC_K256 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
726 CALC_K256 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
727 CALC_K256 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
728 CALC_K256 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
729 CALC_K256 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
730 CALC_K256 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
731 CALC_K256 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
732 CALC_K256 (k, 12, 0x18, 0x37, 0xF7, 0x71);
733 CALC_K256 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
734 CALC_K256 (k, 16, 0x43, 0x30, 0x75, 0x0F);
735 CALC_K256 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
736 CALC_K256 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
737 CALC_K256 (k, 22, 0x94, 0x06, 0x48, 0x3F);
738 CALC_K256 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
739 CALC_K256 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
740 CALC_K256 (k, 28, 0x84, 0x8A, 0x54, 0x00);
741 CALC_K256 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
742 } else if (key_len == 24) { /* 192-bit key */
743 /* Compute the S-boxes. */
744 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
745 CALC_SB192_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
748 /* Calculate whitening and round subkeys. The constants are
749 * indices of subkeys, preprocessed through q0 and q1. */
750 CALC_K192 (w, 0, 0xA9, 0x75, 0x67, 0xF3);
751 CALC_K192 (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
752 CALC_K192 (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
753 CALC_K192 (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
754 CALC_K192 (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
755 CALC_K192 (k, 2, 0x80, 0xE6, 0x78, 0x6B);
756 CALC_K192 (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
757 CALC_K192 (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
758 CALC_K192 (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
759 CALC_K192 (k, 10, 0x35, 0xD8, 0x98, 0xFD);
760 CALC_K192 (k, 12, 0x18, 0x37, 0xF7, 0x71);
761 CALC_K192 (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
762 CALC_K192 (k, 16, 0x43, 0x30, 0x75, 0x0F);
763 CALC_K192 (k, 18, 0x37, 0xF8, 0x26, 0x1B);
764 CALC_K192 (k, 20, 0xFA, 0x87, 0x13, 0xFA);
765 CALC_K192 (k, 22, 0x94, 0x06, 0x48, 0x3F);
766 CALC_K192 (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
767 CALC_K192 (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
768 CALC_K192 (k, 28, 0x84, 0x8A, 0x54, 0x00);
769 CALC_K192 (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
770 } else { /* 128-bit key */
771 /* Compute the S-boxes. */
772 for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 ) {
773 CALC_SB_2( i, calc_sb_tbl[j], calc_sb_tbl[k] );
776 /* Calculate whitening and round subkeys. The constants are
777 * indices of subkeys, preprocessed through q0 and q1. */
778 CALC_K (w, 0, 0xA9, 0x75, 0x67, 0xF3);
779 CALC_K (w, 2, 0xB3, 0xC6, 0xE8, 0xF4);
780 CALC_K (w, 4, 0x04, 0xDB, 0xFD, 0x7B);
781 CALC_K (w, 6, 0xA3, 0xFB, 0x76, 0xC8);
782 CALC_K (k, 0, 0x9A, 0x4A, 0x92, 0xD3);
783 CALC_K (k, 2, 0x80, 0xE6, 0x78, 0x6B);
784 CALC_K (k, 4, 0xE4, 0x45, 0xDD, 0x7D);
785 CALC_K (k, 6, 0xD1, 0xE8, 0x38, 0x4B);
786 CALC_K (k, 8, 0x0D, 0xD6, 0xC6, 0x32);
787 CALC_K (k, 10, 0x35, 0xD8, 0x98, 0xFD);
788 CALC_K (k, 12, 0x18, 0x37, 0xF7, 0x71);
789 CALC_K (k, 14, 0xEC, 0xF1, 0x6C, 0xE1);
790 CALC_K (k, 16, 0x43, 0x30, 0x75, 0x0F);
791 CALC_K (k, 18, 0x37, 0xF8, 0x26, 0x1B);
792 CALC_K (k, 20, 0xFA, 0x87, 0x13, 0xFA);
793 CALC_K (k, 22, 0x94, 0x06, 0x48, 0x3F);
794 CALC_K (k, 24, 0xF2, 0x5E, 0xD0, 0xBA);
795 CALC_K (k, 26, 0x8B, 0xAE, 0x30, 0x5B);
796 CALC_K (k, 28, 0x84, 0x8A, 0x54, 0x00);
797 CALC_K (k, 30, 0xDF, 0xBC, 0x23, 0x9D);
800 return 0;
803 /* Encrypt one block. in and out may be the same. */
804 static void twofish_encrypt(void *cx, u8 *out, const u8 *in)
806 struct twofish_ctx *ctx = cx;
808 /* The four 32-bit chunks of the text. */
809 u32 a, b, c, d;
811 /* Temporaries used by the round function. */
812 u32 x, y;
814 /* Input whitening and packing. */
815 INPACK (0, a, 0);
816 INPACK (1, b, 1);
817 INPACK (2, c, 2);
818 INPACK (3, d, 3);
820 /* Encryption Feistel cycles. */
821 ENCCYCLE (0);
822 ENCCYCLE (1);
823 ENCCYCLE (2);
824 ENCCYCLE (3);
825 ENCCYCLE (4);
826 ENCCYCLE (5);
827 ENCCYCLE (6);
828 ENCCYCLE (7);
830 /* Output whitening and unpacking. */
831 OUTUNPACK (0, c, 4);
832 OUTUNPACK (1, d, 5);
833 OUTUNPACK (2, a, 6);
834 OUTUNPACK (3, b, 7);
838 /* Decrypt one block. in and out may be the same. */
839 static void twofish_decrypt(void *cx, u8 *out, const u8 *in)
841 struct twofish_ctx *ctx = cx;
843 /* The four 32-bit chunks of the text. */
844 u32 a, b, c, d;
846 /* Temporaries used by the round function. */
847 u32 x, y;
849 /* Input whitening and packing. */
850 INPACK (0, c, 4);
851 INPACK (1, d, 5);
852 INPACK (2, a, 6);
853 INPACK (3, b, 7);
855 /* Encryption Feistel cycles. */
856 DECCYCLE (7);
857 DECCYCLE (6);
858 DECCYCLE (5);
859 DECCYCLE (4);
860 DECCYCLE (3);
861 DECCYCLE (2);
862 DECCYCLE (1);
863 DECCYCLE (0);
865 /* Output whitening and unpacking. */
866 OUTUNPACK (0, a, 0);
867 OUTUNPACK (1, b, 1);
868 OUTUNPACK (2, c, 2);
869 OUTUNPACK (3, d, 3);
873 static struct crypto_alg alg = {
874 .cra_name = "twofish",
875 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
876 .cra_blocksize = TF_BLOCK_SIZE,
877 .cra_ctxsize = sizeof(struct twofish_ctx),
878 .cra_module = THIS_MODULE,
879 .cra_list = LIST_HEAD_INIT(alg.cra_list),
880 .cra_u = { .cipher = {
881 .cia_min_keysize = TF_MIN_KEY_SIZE,
882 .cia_max_keysize = TF_MAX_KEY_SIZE,
883 .cia_setkey = twofish_setkey,
884 .cia_encrypt = twofish_encrypt,
885 .cia_decrypt = twofish_decrypt } }
888 static int __init init(void)
890 return crypto_register_alg(&alg);
893 static void __exit fini(void)
895 crypto_unregister_alg(&alg);
898 module_init(init);
899 module_exit(fini);
901 MODULE_LICENSE("GPL");
902 MODULE_DESCRIPTION ("Twofish Cipher Algorithm");