iPXE
gcm.c
Go to the documentation of this file.
1/*
2 * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
24FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25FILE_SECBOOT ( PERMITTED );
26
27/** @file
28 *
29 * Galois/Counter Mode (GCM)
30 *
31 * The GCM algorithm is specified in
32 *
33 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
34 * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
35 *
36 */
37
38#include <stdint.h>
39#include <string.h>
40#include <byteswap.h>
41#include <ipxe/crypto.h>
42#include <ipxe/gcm.h>
43
44/**
45 * Perform encryption
46 *
47 * This value is chosen to allow for ANDing with a fragment length.
48 */
49#define GCM_FL_ENCRYPT 0x00ff
50
51/**
52 * Calculate hash over an initialisation vector value
53 *
54 * The hash calculation for a non 96-bit initialisation vector is
55 * identical to the calculation used for additional data, except that
56 * the non-additional data length counter is used.
57 */
58#define GCM_FL_IV 0x0100
59
60/**
61 * GCM field polynomial
62 *
63 * GCM treats 128-bit blocks as polynomials in GF(2^128) with the
64 * field polynomial f(x) = 1 + x + x^2 + x^7 + x^128.
65 *
66 * In a somewhat bloody-minded interpretation of "big-endian", the
67 * constant term (with degree zero) is arbitrarily placed in the
68 * leftmost bit of the big-endian binary representation (i.e. the most
69 * significant bit of byte 0), thereby failing to correspond to the
70 * bit ordering in any CPU architecture in existence. This
71 * necessitates some wholly gratuitous byte reversals when
72 * constructing the multiplication tables, since all CPUs will treat
73 * bit 0 as being the least significant bit within a byte.
74 *
75 * The field polynomial maps to the 128-bit constant
76 * 0xe1000000000000000000000000000000 (with the x^128 term outside the
77 * 128-bit range), and can therefore be treated as a single-byte
78 * value.
79 */
80#define GCM_POLY 0xe1
81
82/**
83 * Hash key for which multiplication tables are cached
84 *
85 * GCM operates much more efficiently with a cached multiplication
86 * table, which costs 4kB per hash key. Since this exceeds the
87 * available stack space, we place a single 4kB cache in .bss and
88 * recalculate the cached values as required. In the common case of a
89 * single HTTPS connection being used to download a (relatively) large
90 * file, the same key will be used repeatedly for almost all GCM
91 * operations, and so the overhead of recalculation is negligible.
92 */
93static const union gcm_block *gcm_cached_key;
94
95/**
96 * Cached multiplication table (M0) for Shoup's method
97 *
98 * Each entry within this table represents the result of multiplying
99 * the cached hash key by an arbitrary 8-bit polynomial.
100 */
101static union gcm_block gcm_cached_mult[256];
102
103/**
104 * Cached reduction table (R) for Shoup's method
105 *
106 * Each entry within this table represents the result of multiplying
107 * the fixed polynomial x^128 by an arbitrary 8-bit polynomial. Only
108 * the leftmost 16 bits are stored, since all other bits within the
109 * result will always be zero.
110 */
111static uint16_t gcm_cached_reduce[256];
112
113/** Offset of a field within GCM context */
114#define gcm_offset( field ) offsetof ( struct gcm_context, field )
115
116/**
117 * Reverse bits in a byte
118 *
119 * @v byte Byte
120 * @ret etyb Bit-reversed byte
121 */
122static inline __attribute__ (( always_inline )) uint8_t
123gcm_reverse ( const uint8_t byte ) {
124 uint8_t etyb = etyb;
125 uint8_t mask;
126
127 for ( mask = 1 ; mask ; mask <<= 1 ) {
128 etyb <<= 1;
129 if ( byte & mask )
130 etyb |= 1;
131 }
132 return etyb;
133}
134
135/**
136 * Update GCM counter
137 *
138 * @v ctr Counter
139 * @v delta Amount to add to counter
140 */
141static inline __attribute__ (( always_inline )) void
142gcm_count ( union gcm_block *ctr, uint32_t delta ) {
143 uint32_t *value = &ctr->ctr.value;
144
145 /* Update counter modulo 2^32 */
146 *value = cpu_to_be32 ( be32_to_cpu ( *value ) + delta );
147}
148
149/**
150 * XOR partial data block
151 *
152 * @v src1 Source buffer 1
153 * @v src2 Source buffer 2
154 * @v dst Destination buffer
155 * @v len Length
156 */
157static inline void gcm_xor ( const void *src1, const void *src2, void *dst,
158 size_t len ) {
159 uint8_t *dst_bytes = dst;
160 const uint8_t *src1_bytes = src1;
161 const uint8_t *src2_bytes = src2;
162
163 /* XOR one byte at a time */
164 while ( len-- )
165 *(dst_bytes++) = ( *(src1_bytes++) ^ *(src2_bytes++) );
166}
167
168/**
169 * XOR whole data block in situ
170 *
171 * @v src Source block
172 * @v dst Destination block
173 */
174static inline void gcm_xor_block ( const union gcm_block *src,
175 union gcm_block *dst ) {
176
177 /* XOR whole dwords */
178 dst->dword[0] ^= src->dword[0];
179 dst->dword[1] ^= src->dword[1];
180 dst->dword[2] ^= src->dword[2];
181 dst->dword[3] ^= src->dword[3];
182}
183
184/**
185 * Multiply polynomial by (x)
186 *
187 * @v mult Multiplicand
188 * @v res Result
189 */
190static void gcm_multiply_x ( const union gcm_block *mult,
191 union gcm_block *res ) {
192 unsigned int i;
193 uint8_t byte;
194 uint8_t carry;
195
196 /* Multiply by (x) by shifting all bits rightward */
197 for ( i = 0, carry = 0 ; i < sizeof ( res->byte ) ; i++ ) {
198 byte = mult->byte[i];
199 res->byte[i] = ( ( carry << 7 ) | ( byte >> 1 ) );
200 carry = ( byte & 0x01 );
201 }
202
203 /* If result overflows, reduce modulo the field polynomial */
204 if ( carry )
205 res->byte[0] ^= GCM_POLY;
206}
207
208/**
209 * Construct cached tables
210 *
211 * @v key Hash key
212 * @v context Context
213 */
214static void gcm_cache ( const union gcm_block *key ) {
215 union gcm_block *mult;
216 uint16_t reduce;
217 unsigned int this;
218 unsigned int other;
219 unsigned int i;
220
221 /* Calculate M0[1..255] and R[1..255]
222 *
223 * The R[] values are independent of the key, but the overhead
224 * of recalculating them here is negligible and saves on
225 * overall code size since the calculations are related.
226 */
227 for ( i = 1 ; i < 256 ; i++ ) {
228
229 /* Reverse bit order to compensate for poor life choices */
230 this = gcm_reverse ( i );
231
232 /* Construct entries */
233 mult = &gcm_cached_mult[this];
234 if ( this & 0x80 ) {
235
236 /* Odd number: entry[i] = entry[i - 1] + poly */
237 other = ( this & 0x7f ); /* bit-reversed (i - 1) */
238 gcm_xor ( key, &gcm_cached_mult[other], mult,
239 sizeof ( *mult ) );
240 reduce = gcm_cached_reduce[other];
241 reduce ^= be16_to_cpu ( GCM_POLY << 8 );
242 gcm_cached_reduce[this] = reduce;
243
244 } else {
245
246 /* Even number: entry[i] = entry[i/2] * (x) */
247 other = ( this << 1 ); /* bit-reversed (i / 2) */
248 gcm_multiply_x ( &gcm_cached_mult[other], mult );
249 reduce = be16_to_cpu ( gcm_cached_reduce[other] );
250 reduce >>= 1;
251 gcm_cached_reduce[this] = cpu_to_be16 ( reduce );
252 }
253 }
254
255 /* Record cached key */
256 gcm_cached_key = key;
257}
258
259/**
260 * Multiply polynomial by (x^8) in situ
261 *
262 * @v poly Multiplicand and result
263 */
264static void gcm_multiply_x_8 ( union gcm_block *poly ) {
265 uint8_t *byte;
266 uint8_t msb;
267
268 /* Reduction table must already have been calculated */
269 assert ( gcm_cached_key != NULL );
270
271 /* Record most significant byte */
272 byte = &poly->byte[ sizeof ( poly->byte ) - 1 ];
273 msb = *byte;
274
275 /* Multiply least significant bytes by shifting */
276 for ( ; byte > &poly->byte[0] ; byte-- )
277 *byte = *( byte - 1 );
278 *byte = 0;
279
280 /* Multiply most significant byte via reduction table */
281 poly->word[0] ^= gcm_cached_reduce[msb];
282}
283
284/**
285 * Multiply polynomial by hash key in situ
286 *
287 * @v key Hash key
288 * @v poly Multiplicand and result
289 */
290static void gcm_multiply_key ( const union gcm_block *key,
291 union gcm_block *poly ) {
292 union gcm_block res;
293 uint8_t *byte;
294
295 /* Construct tables, if necessary */
296 if ( gcm_cached_key != key )
297 gcm_cache ( key );
298
299 /* Multiply using Shoup's algorithm */
300 byte = &poly->byte[ sizeof ( poly->byte ) - 1 ];
301 memcpy ( &res, &gcm_cached_mult[ *byte ], sizeof ( res ) );
302 for ( byte-- ; byte >= &poly->byte[0] ; byte-- ) {
303 gcm_multiply_x_8 ( &res );
304 gcm_xor_block ( &gcm_cached_mult[ *byte ], &res );
305 }
306
307 /* Overwrite result */
308 memcpy ( poly, &res, sizeof ( *poly ) );
309}
310
311/**
312 * Encrypt/decrypt/authenticate data
313 *
314 * @v context Context
315 * @v src Input data
316 * @v dst Output data, or NULL to process additional data
317 * @v len Length of data
318 * @v flags Operation flags
319 */
320static void gcm_process ( struct gcm_context *context, const void *src,
321 void *dst, size_t len, unsigned int flags ) {
322 union gcm_block tmp;
323 uint64_t *total;
324 size_t frag_len;
325 unsigned int block;
326
327 /* Calculate block number (for debugging) */
328 block = ( ( ( context->len.len.add + 8 * sizeof ( tmp ) - 1 ) /
329 ( 8 * sizeof ( tmp ) ) ) +
330 ( ( context->len.len.data + 8 * sizeof ( tmp ) - 1 ) /
331 ( 8 * sizeof ( tmp ) ) ) + 1 );
332
333 /* Update total length (in bits) */
334 total = ( ( dst || ( flags & GCM_FL_IV ) ) ?
335 &context->len.len.data : &context->len.len.add );
336 *total += ( len * 8 );
337
338 /* Process data */
339 for ( ; len ; src += frag_len, len -= frag_len, block++ ) {
340
341 /* Calculate fragment length */
342 frag_len = len;
343 if ( frag_len > sizeof ( tmp ) )
344 frag_len = sizeof ( tmp );
345
346 /* Update hash with input data */
347 gcm_xor ( src, &context->hash, &context->hash, frag_len );
348
349 /* Encrypt/decrypt block, if applicable */
350 if ( dst ) {
351
352 /* Increment counter */
353 gcm_count ( &context->ctr, 1 );
354
355 /* Encrypt counter */
356 DBGC2 ( context, "GCM %p Y[%d]:\n", context, block );
357 DBGC2_HDA ( context, 0, &context->ctr,
358 sizeof ( context->ctr ) );
359 cipher_encrypt ( context->raw_cipher, &context->raw_ctx,
360 &context->ctr, &tmp, sizeof ( tmp ) );
361 DBGC2 ( context, "GCM %p E(K,Y[%d]):\n",
362 context, block );
363 DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) );
364
365 /* Encrypt/decrypt data */
366 gcm_xor ( src, &tmp, dst, frag_len );
367 dst += frag_len;
368
369 /* Update hash with encrypted data, if applicable */
370 gcm_xor ( &tmp, &context->hash, &context->hash,
371 ( frag_len & flags ) );
372 }
373
374 /* Update hash */
375 gcm_multiply_key ( &context->key, &context->hash );
376 DBGC2 ( context, "GCM %p X[%d]:\n", context, block );
377 DBGC2_HDA ( context, 0, &context->hash,
378 sizeof ( context->hash ) );
379 }
380}
381
382/**
383 * Construct hash
384 *
385 * @v context Context
386 * @v hash Hash to fill in
387 */
388static void gcm_hash ( struct gcm_context *context, union gcm_block *hash ) {
389
390 /* Construct big-endian lengths block */
391 hash->len.add = cpu_to_be64 ( context->len.len.add );
392 hash->len.data = cpu_to_be64 ( context->len.len.data );
393 DBGC2 ( context, "GCM %p len(A)||len(C):\n", context );
394 DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) );
395
396 /* Update hash */
397 gcm_xor_block ( &context->hash, hash );
398 gcm_multiply_key ( &context->key, hash );
399 DBGC2 ( context, "GCM %p GHASH(H,A,C):\n", context );
400 DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) );
401}
402
403/**
404 * Construct tag
405 *
406 * @v context Context
407 * @v tag Tag
408 */
409void gcm_tag ( struct gcm_context *context, union gcm_block *tag ) {
410 union gcm_block tmp;
411 uint32_t offset;
412
413 /* Construct hash */
414 gcm_hash ( context, tag );
415
416 /* Construct encrypted initial counter value */
417 memcpy ( &tmp, &context->ctr, sizeof ( tmp ) );
418 offset = ( ( -context->len.len.data ) / ( 8 * sizeof ( tmp ) ) );
419 gcm_count ( &tmp, offset );
420 cipher_encrypt ( context->raw_cipher, &context->raw_ctx, &tmp,
421 &tmp, sizeof ( tmp ) );
422 DBGC2 ( context, "GCM %p E(K,Y[0]):\n", context );
423 DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) );
424
425 /* Construct tag */
426 gcm_xor_block ( &tmp, tag );
427 DBGC2 ( context, "GCM %p T:\n", context );
428 DBGC2_HDA ( context, 0, tag, sizeof ( *tag ) );
429}
430
431/**
432 * Set key
433 *
434 * @v context Context
435 * @v key Key
436 * @v keylen Key length
437 * @v raw_cipher Underlying cipher
438 * @ret rc Return status code
439 */
440int gcm_setkey ( struct gcm_context *context, const void *key, size_t keylen,
441 struct cipher_algorithm *raw_cipher ) {
442 int rc;
443
444 /* Initialise GCM context */
445 memset ( context, 0, sizeof ( *context ) );
446 context->raw_cipher = raw_cipher;
447
448 /* Set underlying block cipher key */
449 if ( ( rc = cipher_setkey ( raw_cipher, context->raw_ctx, key,
450 keylen ) ) != 0 )
451 return rc;
452
453 /* Construct GCM hash key */
454 cipher_encrypt ( raw_cipher, context->raw_ctx, &context->ctr,
455 &context->key, sizeof ( context->key ) );
456 DBGC2 ( context, "GCM %p H:\n", context );
457 DBGC2_HDA ( context, 0, &context->key, sizeof ( context->key ) );
458
459 /* Reset counter */
460 context->ctr.ctr.value = cpu_to_be32 ( 1 );
461
462 /* Construct cached tables */
463 gcm_cache ( &context->key );
464
465 return 0;
466}
467
468/**
469 * Set initialisation vector
470 *
471 * @v ctx Context
472 * @v iv Initialisation vector
473 * @v ivlen Initialisation vector length
474 */
475void gcm_setiv ( struct gcm_context *context, const void *iv, size_t ivlen ) {
476
477 /* Reset non-key state */
478 memset ( context, 0, gcm_offset ( key ) );
479 build_assert ( gcm_offset ( key ) > gcm_offset ( hash ) );
480 build_assert ( gcm_offset ( key ) > gcm_offset ( len ) );
481 build_assert ( gcm_offset ( key ) > gcm_offset ( ctr ) );
482 build_assert ( gcm_offset ( key ) < gcm_offset ( raw_cipher ) );
483 build_assert ( gcm_offset ( key ) < gcm_offset ( raw_ctx ) );
484
485 /* Reset counter */
486 context->ctr.ctr.value = cpu_to_be32 ( 1 );
487
488 /* Process initialisation vector */
489 if ( ivlen == sizeof ( context->ctr.ctr.iv ) ) {
490
491 /* Initialisation vector is exactly 96 bits, use it as-is */
492 memcpy ( context->ctr.ctr.iv, iv, ivlen );
493
494 } else {
495
496 /* Calculate hash over initialisation vector */
497 gcm_process ( context, iv, NULL, ivlen, GCM_FL_IV );
498 gcm_hash ( context, &context->ctr );
499 assert ( context->len.len.add == 0 );
500
501 /* Reset non-key, non-counter state */
502 memset ( context, 0, gcm_offset ( ctr ) );
503 build_assert ( gcm_offset ( ctr ) > gcm_offset ( hash ) );
504 build_assert ( gcm_offset ( ctr ) > gcm_offset ( len ) );
505 build_assert ( gcm_offset ( ctr ) < gcm_offset ( key ) );
506 build_assert ( gcm_offset ( ctr ) < gcm_offset ( raw_cipher ) );
507 build_assert ( gcm_offset ( ctr ) < gcm_offset ( raw_ctx ) );
508 }
509
510 DBGC2 ( context, "GCM %p Y[0]:\n", context );
511 DBGC2_HDA ( context, 0, &context->ctr, sizeof ( context->ctr ) );
512}
513
514/**
515 * Encrypt data
516 *
517 * @v context Context
518 * @v src Data to encrypt
519 * @v dst Buffer for encrypted data, or NULL for additional data
520 * @v len Length of data
521 */
522void gcm_encrypt ( struct gcm_context *context, const void *src, void *dst,
523 size_t len ) {
524
525 /* Process data */
526 gcm_process ( context, src, dst, len, GCM_FL_ENCRYPT );
527}
528
529/**
530 * Decrypt data
531 *
532 * @v context Context
533 * @v src Data to decrypt
534 * @v dst Buffer for decrypted data, or NULL for additional data
535 * @v len Length of data
536 */
537void gcm_decrypt ( struct gcm_context *context, const void *src, void *dst,
538 size_t len ) {
539
540 /* Process data */
541 gcm_process ( context, src, dst, len, 0 );
542}
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
key
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
value
pseudo_bit_t value[0x00020]
Definition arbel.h:2
hash
pseudo_bit_t hash[0x00010]
Definition arbel.h:2
uint16_t
unsigned short uint16_t
Definition stdint.h:11
uint32_t
unsigned int uint32_t
Definition stdint.h:12
uint64_t
unsigned long long uint64_t
Definition stdint.h:13
uint8_t
unsigned char uint8_t
Definition stdint.h:10
carry
int carry
Definition bigint.h:68
src
static const void * src
Definition string.h:48
build_assert
#define build_assert(condition)
Assert a condition at build time (after dead code elimination)
Definition assert.h:77
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3
len
ring len
Length.
Definition dwmac.h:226
tag
uint64_t tag
Identity tag.
Definition edd.h:1
flags
uint8_t flags
Flags.
Definition ena.h:7
gcm_hash
static void gcm_hash(struct gcm_context *context, union gcm_block *hash)
Construct hash.
Definition gcm.c:388
gcm_cached_mult
static union gcm_block gcm_cached_mult[256]
Cached multiplication table (M0) for Shoup's method.
Definition gcm.c:101
gcm_tag
void gcm_tag(struct gcm_context *context, union gcm_block *tag)
Construct tag.
Definition gcm.c:409
gcm_cached_key
static const union gcm_block * gcm_cached_key
Hash key for which multiplication tables are cached.
Definition gcm.c:93
gcm_reverse
static uint8_t gcm_reverse(const uint8_t byte)
Reverse bits in a byte.
Definition gcm.c:123
gcm_xor_block
static void gcm_xor_block(const union gcm_block *src, union gcm_block *dst)
XOR whole data block in situ.
Definition gcm.c:174
gcm_cache
static void gcm_cache(const union gcm_block *key)
Construct cached tables.
Definition gcm.c:214
GCM_FL_ENCRYPT
#define GCM_FL_ENCRYPT
Perform encryption.
Definition gcm.c:49
gcm_multiply_key
static void gcm_multiply_key(const union gcm_block *key, union gcm_block *poly)
Multiply polynomial by hash key in situ.
Definition gcm.c:290
gcm_offset
#define gcm_offset(field)
Offset of a field within GCM context.
Definition gcm.c:114
gcm_xor
static void gcm_xor(const void *src1, const void *src2, void *dst, size_t len)
XOR partial data block.
Definition gcm.c:157
gcm_count
static void gcm_count(union gcm_block *ctr, uint32_t delta)
Update GCM counter.
Definition gcm.c:142
gcm_setiv
void gcm_setiv(struct gcm_context *context, const void *iv, size_t ivlen)
Set initialisation vector.
Definition gcm.c:475
gcm_process
static void gcm_process(struct gcm_context *context, const void *src, void *dst, size_t len, unsigned int flags)
Encrypt/decrypt/authenticate data.
Definition gcm.c:320
gcm_encrypt
void gcm_encrypt(struct gcm_context *context, const void *src, void *dst, size_t len)
Encrypt data.
Definition gcm.c:522
gcm_cached_reduce
static uint16_t gcm_cached_reduce[256]
Cached reduction table (R) for Shoup's method.
Definition gcm.c:111
gcm_decrypt
void gcm_decrypt(struct gcm_context *context, const void *src, void *dst, size_t len)
Decrypt data.
Definition gcm.c:537
gcm_multiply_x_8
static void gcm_multiply_x_8(union gcm_block *poly)
Multiply polynomial by (x^8) in situ.
Definition gcm.c:264
gcm_setkey
int gcm_setkey(struct gcm_context *context, const void *key, size_t keylen, struct cipher_algorithm *raw_cipher)
Set key.
Definition gcm.c:440
GCM_POLY
#define GCM_POLY
GCM field polynomial.
Definition gcm.c:80
GCM_FL_IV
#define GCM_FL_IV
Calculate hash over an initialisation vector value.
Definition gcm.c:58
gcm_multiply_x
static void gcm_multiply_x(const union gcm_block *mult, union gcm_block *res)
Multiply polynomial by (x)
Definition gcm.c:190
gcm.h
Galois/Counter Mode (GCM)
DBGC2
#define DBGC2(...)
Definition compiler.h:522
DBGC2_HDA
#define DBGC2_HDA(...)
Definition compiler.h:523
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
be32_to_cpu
#define be32_to_cpu(value)
Definition byteswap.h:117
cpu_to_be16
#define cpu_to_be16(value)
Definition byteswap.h:110
cpu_to_be32
#define cpu_to_be32(value)
Definition byteswap.h:111
cpu_to_be64
#define cpu_to_be64(value)
Definition byteswap.h:112
be16_to_cpu
#define be16_to_cpu(value)
Definition byteswap.h:116
__attribute__
#define __attribute__(x)
Definition compiler.h:10
crypto.h
Cryptographic API.
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition crypto.h:235
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition crypto.h:251
string.h
String functions.
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
memset
void * memset(void *dest, int character, size_t len) __nonnull
tmp
unsigned long tmp
Definition linux_pci.h:65
block
uint8_t block[3][8]
DES-encrypted blocks.
Definition mschapv2.h:1
byte
unsigned char byte
Definition smc9000.h:38
cipher_algorithm
A cipher algorithm.
Definition crypto.h:51
gcm_context
GCM context.
Definition gcm.h:47
gcm_context::key
union gcm_block key
Hash key (H)
Definition gcm.h:55
gcm_context::raw_cipher
struct cipher_algorithm * raw_cipher
Underlying block cipher.
Definition gcm.h:57
gcm_context::raw_ctx
uint8_t raw_ctx[0]
Underlying block cipher context.
Definition gcm.h:59
gcm_context::ctr
union gcm_block ctr
Counter (Y)
Definition gcm.h:53
gcm_context::hash
union gcm_block hash
Accumulated hash (X)
Definition gcm.h:49
gcm_context::len
union gcm_block len
Accumulated lengths.
Definition gcm.h:51
gcm_counter::iv
uint8_t iv[12]
Initialisation vector.
Definition gcm.h:19
gcm_counter::value
uint32_t value
Counter value.
Definition gcm.h:21
gcm_lengths::data
uint64_t data
Data length.
Definition gcm.h:29
gcm_lengths::add
uint64_t add
Additional data length.
Definition gcm.h:27
gcm_block
A GCM block.
Definition gcm.h:33
gcm_block::byte
uint8_t byte[16]
Raw bytes.
Definition gcm.h:35
gcm_block::ctr
struct gcm_counter ctr
Counter.
Definition gcm.h:41
gcm_block::dword
uint32_t dword[4]
Raw dwords.
Definition gcm.h:39
gcm_block::len
struct gcm_lengths len
Lengths.
Definition gcm.h:43
gcm_block::word
uint16_t word[8]
Raw words.
Definition gcm.h:37
iv
u8 iv[16]
Initialization vector.
Definition wpa.h:33
Generated by doxygen 1.14.0