1 // SPDX-License-Identifier: Apache-2.0
3  * Copyright (c) 2017-2020, Linaro Limited
5  *  NIST SP800-38D compliant GCM implementation
7  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
13  *  http://www.apache.org/licenses/LICENSE-2.0
23 #include <crypto/internal_aes-gcm.h>
30  * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
34 gcm-revised-spec.pdf
36  * We use the algorithm described as Shoup's method with 4-bit tables in
37  * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
43  * where i is seen as a field element as in [MGV], ie high-order bits
45  * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
51 	int i, j;  in internal_aes_gcm_ghash_gen_tbl()  local
56 	crypto_aes_enc_block(ek->data, sizeof(ek->data), ek->rounds, h, h);  in internal_aes_gcm_ghash_gen_tbl()
62 	ghash_key->HL[8] = vl;  in internal_aes_gcm_ghash_gen_tbl()
63 	ghash_key->HH[8] = vh;  in internal_aes_gcm_ghash_gen_tbl()
66 	ghash_key->HH[0] = 0;  in internal_aes_gcm_ghash_gen_tbl()
67 	ghash_key->HL[0] = 0;  in internal_aes_gcm_ghash_gen_tbl()
75 		ghash_key->HL[i] = vl;  in internal_aes_gcm_ghash_gen_tbl()
76 		ghash_key->HH[i] = vh;  in internal_aes_gcm_ghash_gen_tbl()
80 		uint64_t *HiL = ghash_key->HL + i;  in internal_aes_gcm_ghash_gen_tbl()
81 		uint64_t *HiH = ghash_key->HH + i;  in internal_aes_gcm_ghash_gen_tbl()
85 		for (j = 1; j < i; j++) {  in internal_aes_gcm_ghash_gen_tbl()
86 			HiH[j] = vh ^ ghash_key->HH[j];  in internal_aes_gcm_ghash_gen_tbl()
87 			HiL[j] = vl ^ ghash_key->HL[j];  in internal_aes_gcm_ghash_gen_tbl()
118 	zh = ghash_key->HH[lo];  in internal_aes_gcm_ghash_mult_tbl()
119 	zl = ghash_key->HL[lo];  in internal_aes_gcm_ghash_mult_tbl()
121 	for (i = 15; i >= 0; i--) {  in internal_aes_gcm_ghash_mult_tbl()
130 			zh ^= ghash_key->HH[lo];  in internal_aes_gcm_ghash_mult_tbl()
131 			zl ^= ghash_key->HL[lo];  in internal_aes_gcm_ghash_mult_tbl()
138 		zh ^= ghash_key->HH[hi];  in internal_aes_gcm_ghash_mult_tbl()
139 		zl ^= ghash_key->HL[hi];  in internal_aes_gcm_ghash_mult_tbl()