iPXE
gcm.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2022 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 /** @file
27  *
28  * Galois/Counter Mode (GCM)
29  *
30  * The GCM algorithm is specified in
31  *
32  * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
33  * https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
34  *
35  */
36 
37 #include <stdint.h>
38 #include <string.h>
39 #include <byteswap.h>
40 #include <ipxe/crypto.h>
41 #include <ipxe/gcm.h>
42 
43 /**
44  * Perform encryption
45  *
46  * This value is chosen to allow for ANDing with a fragment length.
47  */
48 #define GCM_FL_ENCRYPT 0x00ff
49 
50 /**
51  * Calculate hash over an initialisation vector value
52  *
53  * The hash calculation for a non 96-bit initialisation vector is
54  * identical to the calculation used for additional data, except that
55  * the non-additional data length counter is used.
56  */
57 #define GCM_FL_IV 0x0100
58 
59 /**
60  * GCM field polynomial
61  *
62  * GCM treats 128-bit blocks as polynomials in GF(2^128) with the
63  * field polynomial f(x) = 1 + x + x^2 + x^7 + x^128.
64  *
65  * In a somewhat bloody-minded interpretation of "big-endian", the
66  * constant term (with degree zero) is arbitrarily placed in the
67  * leftmost bit of the big-endian binary representation (i.e. the most
68  * significant bit of byte 0), thereby failing to correspond to the
69  * bit ordering in any CPU architecture in existence. This
70  * necessitates some wholly gratuitous byte reversals when
71  * constructing the multiplication tables, since all CPUs will treat
72  * bit 0 as being the least significant bit within a byte.
73  *
74  * The field polynomial maps to the 128-bit constant
75  * 0xe1000000000000000000000000000000 (with the x^128 term outside the
76  * 128-bit range), and can therefore be treated as a single-byte
77  * value.
78  */
79 #define GCM_POLY 0xe1
80 
81 /**
82  * Hash key for which multiplication tables are cached
83  *
84  * GCM operates much more efficiently with a cached multiplication
85  * table, which costs 4kB per hash key. Since this exceeds the
86  * available stack space, we place a single 4kB cache in .bss and
87  * recalculate the cached values as required. In the common case of a
88  * single HTTPS connection being used to download a (relatively) large
89  * file, the same key will be used repeatedly for almost all GCM
90  * operations, and so the overhead of recalculation is negligible.
91  */
92 static const union gcm_block *gcm_cached_key;
93 
94 /**
95  * Cached multiplication table (M0) for Shoup's method
96  *
97  * Each entry within this table represents the result of multiplying
98  * the cached hash key by an arbitrary 8-bit polynomial.
99  */
100 static union gcm_block gcm_cached_mult[256];
101 
102 /**
103  * Cached reduction table (R) for Shoup's method
104  *
105  * Each entry within this table represents the result of multiplying
106  * the fixed polynomial x^128 by an arbitrary 8-bit polynomial. Only
107  * the leftmost 16 bits are stored, since all other bits within the
108  * result will always be zero.
109  */
111 
112 /**
113  * Reverse bits in a byte
114  *
115  * @v byte Byte
116  * @ret etyb Bit-reversed byte
117  */
118 static inline __attribute__ (( always_inline )) uint8_t
119 gcm_reverse ( const uint8_t byte ) {
120  uint8_t etyb = etyb;
121  uint8_t mask;
122 
123  for ( mask = 1 ; mask ; mask <<= 1 ) {
124  etyb <<= 1;
125  if ( byte & mask )
126  etyb |= 1;
127  }
128  return etyb;
129 }
130 
131 /**
132  * Update GCM counter
133  *
134  * @v ctr Counter
135  * @v delta Amount to add to counter
136  */
137 static inline __attribute__ (( always_inline )) void
138 gcm_count ( union gcm_block *ctr, uint32_t delta ) {
139  uint32_t *value = &ctr->ctr.value;
140 
141  /* Update counter modulo 2^32 */
142  *value = cpu_to_be32 ( be32_to_cpu ( *value ) + delta );
143 }
144 
145 /**
146  * XOR partial data block
147  *
148  * @v src1 Source buffer 1
149  * @v src2 Source buffer 2
150  * @v dst Destination buffer
151  * @v len Length
152  */
153 static inline void gcm_xor ( const void *src1, const void *src2, void *dst,
154  size_t len ) {
155  uint8_t *dst_bytes = dst;
156  const uint8_t *src1_bytes = src1;
157  const uint8_t *src2_bytes = src2;
158 
159  /* XOR one byte at a time */
160  while ( len-- )
161  *(dst_bytes++) = ( *(src1_bytes++) ^ *(src2_bytes++) );
162 }
163 
164 /**
165  * XOR whole data block in situ
166  *
167  * @v src Source block
168  * @v dst Destination block
169  */
170 static inline void gcm_xor_block ( const union gcm_block *src,
171  union gcm_block *dst ) {
172 
173  /* XOR whole dwords */
174  dst->dword[0] ^= src->dword[0];
175  dst->dword[1] ^= src->dword[1];
176  dst->dword[2] ^= src->dword[2];
177  dst->dword[3] ^= src->dword[3];
178 }
179 
180 /**
181  * Multiply polynomial by (x)
182  *
183  * @v mult Multiplicand
184  * @v res Result
185  */
186 static void gcm_multiply_x ( const union gcm_block *mult,
187  union gcm_block *res ) {
188  unsigned int i;
189  uint8_t byte;
190  uint8_t carry;
191 
192  /* Multiply by (x) by shifting all bits rightward */
193  for ( i = 0, carry = 0 ; i < sizeof ( res->byte ) ; i++ ) {
194  byte = mult->byte[i];
195  res->byte[i] = ( ( carry << 7 ) | ( byte >> 1 ) );
196  carry = ( byte & 0x01 );
197  }
198 
199  /* If result overflows, reduce modulo the field polynomial */
200  if ( carry )
201  res->byte[0] ^= GCM_POLY;
202 }
203 
204 /**
205  * Construct cached tables
206  *
207  * @v key Hash key
208  * @v context Context
209  */
210 static void gcm_cache ( const union gcm_block *key ) {
211  union gcm_block *mult;
212  uint16_t reduce;
213  unsigned int this;
214  unsigned int other;
215  unsigned int i;
216 
217  /* Calculate M0[1..255] and R[1..255]
218  *
219  * The R[] values are independent of the key, but the overhead
220  * of recalculating them here is negligible and saves on
221  * overall code size since the calculations are related.
222  */
223  for ( i = 1 ; i < 256 ; i++ ) {
224 
225  /* Reverse bit order to compensate for poor life choices */
226  this = gcm_reverse ( i );
227 
228  /* Construct entries */
229  mult = &gcm_cached_mult[this];
230  if ( this & 0x80 ) {
231 
232  /* Odd number: entry[i] = entry[i - 1] + poly */
233  other = ( this & 0x7f ); /* bit-reversed (i - 1) */
234  gcm_xor ( key, &gcm_cached_mult[other], mult,
235  sizeof ( *mult ) );
236  reduce = gcm_cached_reduce[other];
237  reduce ^= be16_to_cpu ( GCM_POLY << 8 );
238  gcm_cached_reduce[this] = reduce;
239 
240  } else {
241 
242  /* Even number: entry[i] = entry[i/2] * (x) */
243  other = ( this << 1 ); /* bit-reversed (i / 2) */
244  gcm_multiply_x ( &gcm_cached_mult[other], mult );
245  reduce = be16_to_cpu ( gcm_cached_reduce[other] );
246  reduce >>= 1;
247  gcm_cached_reduce[this] = cpu_to_be16 ( reduce );
248  }
249  }
250 
251  /* Record cached key */
253 }
254 
255 /**
256  * Multiply polynomial by (x^8) in situ
257  *
258  * @v poly Multiplicand and result
259  */
260 static void gcm_multiply_x_8 ( union gcm_block *poly ) {
261  uint8_t *byte;
262  uint8_t msb;
263 
264  /* Reduction table must already have been calculated */
265  assert ( gcm_cached_key != NULL );
266 
267  /* Record most significant byte */
268  byte = &poly->byte[ sizeof ( poly->byte ) - 1 ];
269  msb = *byte;
270 
271  /* Multiply least significant bytes by shifting */
272  for ( ; byte > &poly->byte[0] ; byte-- )
273  *byte = *( byte - 1 );
274  *byte = 0;
275 
276  /* Multiply most significant byte via reduction table */
277  poly->word[0] ^= gcm_cached_reduce[msb];
278 }
279 
280 /**
281  * Multiply polynomial by hash key in situ
282  *
283  * @v key Hash key
284  * @v poly Multiplicand and result
285  */
286 static void gcm_multiply_key ( const union gcm_block *key,
287  union gcm_block *poly ) {
288  union gcm_block res;
289  uint8_t *byte;
290 
291  /* Construct tables, if necessary */
292  if ( gcm_cached_key != key )
293  gcm_cache ( key );
294 
295  /* Multiply using Shoup's algorithm */
296  byte = &poly->byte[ sizeof ( poly->byte ) - 1 ];
297  memcpy ( &res, &gcm_cached_mult[ *byte ], sizeof ( res ) );
298  for ( byte-- ; byte >= &poly->byte[0] ; byte-- ) {
299  gcm_multiply_x_8 ( &res );
300  gcm_xor_block ( &gcm_cached_mult[ *byte ], &res );
301  }
302 
303  /* Overwrite result */
304  memcpy ( poly, &res, sizeof ( *poly ) );
305 }
306 
307 /**
308  * Encrypt/decrypt/authenticate data
309  *
310  * @v context Context
311  * @v src Input data
312  * @v dst Output data, or NULL to process additional data
313  * @v len Length of data
314  * @v flags Operation flags
315  */
316 static void gcm_process ( struct gcm_context *context, const void *src,
317  void *dst, size_t len, unsigned int flags ) {
318  union gcm_block tmp;
319  uint64_t *total;
320  size_t frag_len;
321  unsigned int block;
322 
323  /* Calculate block number (for debugging) */
324  block = ( ( ( context->len.len.add + 8 * sizeof ( tmp ) - 1 ) /
325  ( 8 * sizeof ( tmp ) ) ) +
326  ( ( context->len.len.data + 8 * sizeof ( tmp ) - 1 ) /
327  ( 8 * sizeof ( tmp ) ) ) + 1 );
328 
329  /* Update total length (in bits) */
330  total = ( ( dst || ( flags & GCM_FL_IV ) ) ?
331  &context->len.len.data : &context->len.len.add );
332  *total += ( len * 8 );
333 
334  /* Process data */
335  for ( ; len ; src += frag_len, len -= frag_len, block++ ) {
336 
337  /* Calculate fragment length */
338  frag_len = len;
339  if ( frag_len > sizeof ( tmp ) )
340  frag_len = sizeof ( tmp );
341 
342  /* Update hash with input data */
343  gcm_xor ( src, &context->hash, &context->hash, frag_len );
344 
345  /* Encrypt/decrypt block, if applicable */
346  if ( dst ) {
347 
348  /* Increment counter */
349  gcm_count ( &context->ctr, 1 );
350 
351  /* Encrypt counter */
352  DBGC2 ( context, "GCM %p Y[%d]:\n", context, block );
353  DBGC2_HDA ( context, 0, &context->ctr,
354  sizeof ( context->ctr ) );
355  cipher_encrypt ( context->raw_cipher, &context->raw_ctx,
356  &context->ctr, &tmp, sizeof ( tmp ) );
357  DBGC2 ( context, "GCM %p E(K,Y[%d]):\n",
358  context, block );
359  DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) );
360 
361  /* Encrypt/decrypt data */
362  gcm_xor ( src, &tmp, dst, frag_len );
363  dst += frag_len;
364 
365  /* Update hash with encrypted data, if applicable */
366  gcm_xor ( &tmp, &context->hash, &context->hash,
367  ( frag_len & flags ) );
368  }
369 
370  /* Update hash */
371  gcm_multiply_key ( &context->key, &context->hash );
372  DBGC2 ( context, "GCM %p X[%d]:\n", context, block );
373  DBGC2_HDA ( context, 0, &context->hash,
374  sizeof ( context->hash ) );
375  }
376 }
377 
378 /**
379  * Construct hash
380  *
381  * @v context Context
382  * @v hash Hash to fill in
383  */
384 static void gcm_hash ( struct gcm_context *context, union gcm_block *hash ) {
385 
386  /* Construct big-endian lengths block */
387  hash->len.add = cpu_to_be64 ( context->len.len.add );
388  hash->len.data = cpu_to_be64 ( context->len.len.data );
389  DBGC2 ( context, "GCM %p len(A)||len(C):\n", context );
390  DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) );
391 
392  /* Update hash */
393  gcm_xor_block ( &context->hash, hash );
394  gcm_multiply_key ( &context->key, hash );
395  DBGC2 ( context, "GCM %p GHASH(H,A,C):\n", context );
396  DBGC2_HDA ( context, 0, hash, sizeof ( *hash ) );
397 }
398 
399 /**
400  * Construct tag
401  *
402  * @v context Context
403  * @v tag Tag
404  */
405 void gcm_tag ( struct gcm_context *context, union gcm_block *tag ) {
406  union gcm_block tmp;
408 
409  /* Construct hash */
410  gcm_hash ( context, tag );
411 
412  /* Construct encrypted initial counter value */
413  memcpy ( &tmp, &context->ctr, sizeof ( tmp ) );
414  offset = ( ( -context->len.len.data ) / ( 8 * sizeof ( tmp ) ) );
415  gcm_count ( &tmp, offset );
416  cipher_encrypt ( context->raw_cipher, &context->raw_ctx, &tmp,
417  &tmp, sizeof ( tmp ) );
418  DBGC2 ( context, "GCM %p E(K,Y[0]):\n", context );
419  DBGC2_HDA ( context, 0, &tmp, sizeof ( tmp ) );
420 
421  /* Construct tag */
422  gcm_xor_block ( &tmp, tag );
423  DBGC2 ( context, "GCM %p T:\n", context );
424  DBGC2_HDA ( context, 0, tag, sizeof ( *tag ) );
425 }
426 
427 /**
428  * Set key
429  *
430  * @v context Context
431  * @v key Key
432  * @v keylen Key length
433  * @v raw_cipher Underlying cipher
434  * @ret rc Return status code
435  */
436 int gcm_setkey ( struct gcm_context *context, const void *key, size_t keylen,
437  struct cipher_algorithm *raw_cipher ) {
438  int rc;
439 
440  /* Initialise GCM context */
441  memset ( context, 0, sizeof ( *context ) );
442  context->raw_cipher = raw_cipher;
443 
444  /* Set underlying block cipher key */
445  if ( ( rc = cipher_setkey ( raw_cipher, context->raw_ctx, key,
446  keylen ) ) != 0 )
447  return rc;
448 
449  /* Construct GCM hash key */
450  cipher_encrypt ( raw_cipher, context->raw_ctx, &context->ctr,
451  &context->key, sizeof ( context->key ) );
452  DBGC2 ( context, "GCM %p H:\n", context );
453  DBGC2_HDA ( context, 0, &context->key, sizeof ( context->key ) );
454 
455  /* Reset counter */
456  context->ctr.ctr.value = cpu_to_be32 ( 1 );
457 
458  /* Construct cached tables */
459  gcm_cache ( &context->key );
460 
461  return 0;
462 }
463 
464 /**
465  * Set initialisation vector
466  *
467  * @v ctx Context
468  * @v iv Initialisation vector
469  * @v ivlen Initialisation vector length
470  */
471 void gcm_setiv ( struct gcm_context *context, const void *iv, size_t ivlen ) {
472  union gcm_block *check = ( ( void * ) context );
473 
474  /* Sanity checks */
475  linker_assert ( &context->hash == check, gcm_bad_layout );
476  linker_assert ( &context->len == check + 1, gcm_bad_layout );
477  linker_assert ( &context->ctr == check + 2, gcm_bad_layout );
478  linker_assert ( &context->key == check + 3, gcm_bad_layout );
479 
480  /* Reset non-key state */
481  memset ( context, 0, offsetof ( typeof ( *context ), key ) );
482 
483  /* Reset counter */
484  context->ctr.ctr.value = cpu_to_be32 ( 1 );
485 
486  /* Process initialisation vector */
487  if ( ivlen == sizeof ( context->ctr.ctr.iv ) ) {
488 
489  /* Initialisation vector is exactly 96 bits, use it as-is */
490  memcpy ( context->ctr.ctr.iv, iv, ivlen );
491 
492  } else {
493 
494  /* Calculate hash over initialisation vector */
495  gcm_process ( context, iv, NULL, ivlen, GCM_FL_IV );
496  gcm_hash ( context, &context->ctr );
497  assert ( context->len.len.add == 0 );
498 
499  /* Reset non-key, non-counter state */
500  memset ( context, 0, offsetof ( typeof ( *context ), ctr ) );
501  }
502 
503  DBGC2 ( context, "GCM %p Y[0]:\n", context );
504  DBGC2_HDA ( context, 0, &context->ctr, sizeof ( context->ctr ) );
505 }
506 
507 /**
508  * Encrypt data
509  *
510  * @v context Context
511  * @v src Data to encrypt
512  * @v dst Buffer for encrypted data, or NULL for additional data
513  * @v len Length of data
514  */
515 void gcm_encrypt ( struct gcm_context *context, const void *src, void *dst,
516  size_t len ) {
517 
518  /* Process data */
519  gcm_process ( context, src, dst, len, GCM_FL_ENCRYPT );
520 }
521 
522 /**
523  * Decrypt data
524  *
525  * @v context Context
526  * @v src Data to decrypt
527  * @v dst Buffer for decrypted data, or NULL for additional data
528  * @v len Length of data
529  */
530 void gcm_decrypt ( struct gcm_context *context, const void *src, void *dst,
531  size_t len ) {
532 
533  /* Process data */
534  gcm_process ( context, src, dst, len, 0 );
535 }
#define cpu_to_be16(value)
Definition: byteswap.h:109
A GCM block.
Definition: gcm.h:32
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
#define GCM_FL_ENCRYPT
Perform encryption.
Definition: gcm.c:48
unsigned short uint16_t
Definition: stdint.h:11
union gcm_block len
Accumulated lengths.
Definition: gcm.h:50
uint8_t raw_ctx[0]
Underlying block cipher context.
Definition: gcm.h:58
struct gcm_lengths len
Lengths.
Definition: gcm.h:42
uint8_t iv[12]
Initialisation vector.
Definition: gcm.h:18
static void gcm_hash(struct gcm_context *context, union gcm_block *hash)
Construct hash.
Definition: gcm.c:384
static void gcm_cache(const union gcm_block *key)
Construct cached tables.
Definition: gcm.c:210
uint16_t block
Definition: tftp.h:12
uint8_t byte[16]
Raw bytes.
Definition: gcm.h:34
#define GCM_FL_IV
Calculate hash over an initialisation vector value.
Definition: gcm.c:57
void gcm_tag(struct gcm_context *context, union gcm_block *tag)
Construct tag.
Definition: gcm.c:405
void gcm_decrypt(struct gcm_context *context, const void *src, void *dst, size_t len)
Decrypt data.
Definition: gcm.c:530
unsigned long long uint64_t
Definition: stdint.h:13
static union gcm_block gcm_cached_mult[256]
Cached multiplication table (M0) for Shoup's method.
Definition: gcm.c:100
static void gcm_xor_block(const union gcm_block *src, union gcm_block *dst)
XOR whole data block in situ.
Definition: gcm.c:170
Cryptographic API.
#define offsetof(type, field)
Get offset of a field within a structure.
Definition: stddef.h:24
union gcm_block hash
Accumulated hash (X)
Definition: gcm.h:48
uint32_t value
Counter value.
Definition: gcm.h:20
struct cipher_algorithm * raw_cipher
Underlying block cipher.
Definition: gcm.h:56
unsigned long tmp
Definition: linux_pci.h:53
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:228
static void gcm_multiply_key(const union gcm_block *key, union gcm_block *poly)
Multiply polynomial by hash key in situ.
Definition: gcm.c:286
void * memcpy(void *dest, const void *src, size_t len) __nonnull
int gcm_setkey(struct gcm_context *context, const void *key, size_t keylen, struct cipher_algorithm *raw_cipher)
Set key.
Definition: gcm.c:436
#define be32_to_cpu(value)
Definition: byteswap.h:116
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
static __attribute__((always_inline))
Reverse bits in a byte.
Definition: gcm.c:118
void gcm_setiv(struct gcm_context *context, const void *iv, size_t ivlen)
Set initialisation vector.
Definition: gcm.c:471
static void gcm_process(struct gcm_context *context, const void *src, void *dst, size_t len, unsigned int flags)
Encrypt/decrypt/authenticate data.
Definition: gcm.c:316
static userptr_t size_t offset
Offset of the first segment within the content.
Definition: deflate.h:259
#define be16_to_cpu(value)
Definition: byteswap.h:115
union gcm_block key
Hash key (H)
Definition: gcm.h:54
void gcm_encrypt(struct gcm_context *context, const void *src, void *dst, size_t len)
Encrypt data.
Definition: gcm.c:515
uint64_t data
Data length.
Definition: gcm.h:28
struct gcm_counter ctr
Counter.
Definition: gcm.h:40
pseudo_bit_t value[0x00020]
Definition: arbel.h:13
static __always_inline void off_t userptr_t src
Definition: efi_uaccess.h:66
#define DBGC2_HDA(...)
Definition: compiler.h:523
pseudo_bit_t hash[0x00010]
Hash algorithm.
Definition: arbel.h:13
static void gcm_xor(const void *src1, const void *src2, void *dst, size_t len)
XOR partial data block.
Definition: gcm.c:153
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
GCM context.
Definition: gcm.h:46
uint16_t word[8]
Raw words.
Definition: gcm.h:36
uint32_t dword[4]
Raw dwords.
Definition: gcm.h:38
unsigned char uint8_t
Definition: stdint.h:10
unsigned int uint32_t
Definition: stdint.h:12
unsigned char byte
Definition: smc9000.h:38
#define cpu_to_be32(value)
Definition: byteswap.h:110
union gcm_block ctr
Counter (Y)
Definition: gcm.h:52
uint32_t len
Length.
Definition: ena.h:14
#define DBGC2(...)
Definition: compiler.h:522
uint8_t iv[12]
Initialisation vector.
Definition: gcm.h:12
static void gcm_multiply_x_8(union gcm_block *poly)
Multiply polynomial by (x^8) in situ.
Definition: gcm.c:260
Galois/Counter Mode (GCM)
#define cpu_to_be64(value)
Definition: byteswap.h:111
A cipher algorithm.
Definition: crypto.h:49
static const union gcm_block * gcm_cached_key
Hash key for which multiplication tables are cached.
Definition: gcm.c:92
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition: acpi.c:45
struct gcm_counter ctr
Counter.
Definition: gcm.h:18
uint64_t add
Additional data length.
Definition: gcm.h:26
uint64_t tag
Identity tag.
Definition: edd.h:30
#define linker_assert(condition, error_symbol)
Assert a condition at link-time.
Definition: assert.h:68
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
#define GCM_POLY
GCM field polynomial.
Definition: gcm.c:79
String functions.
static void gcm_multiply_x(const union gcm_block *mult, union gcm_block *res)
Multiply polynomial by (x)
Definition: gcm.c:186
static uint16_t gcm_cached_reduce[256]
Cached reduction table (R) for Shoup's method.
Definition: gcm.c:110
union @382 key
Sense key.
Definition: scsi.h:18
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:213
void * memset(void *dest, int character, size_t len) __nonnull
uint8_t flags
Flags.
Definition: ena.h:18