"Fossies" - the Fresh Open Source Software Archive

Member "hashcat-6.2.6/OpenCL/inc_luks_serpent.cl" (2 Sep 2022, 95904 Bytes) of package /linux/privat/hashcat-6.2.6.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Lisp source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "inc_luks_serpent.cl": 6.2.5_vs_6.2.6.

    1 /**
    2  * Author......: See docs/credits.txt
    3  * License.....: MIT
    4  */
    5 
    6 #include "inc_vendor.h"
    7 #include "inc_types.h"
    8 #include "inc_platform.h"
    9 #include "inc_common.h"
   10 #include "inc_luks_serpent.h"
   11 
   12 // cbc-essiv
   13 
   14 DECLSPEC void serpent128_decrypt_cbc (PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS u32 *essiv)
   15 {
   16   serpent128_decrypt (ks1, in, out);
   17 
   18   out[0] ^= essiv[0];
   19   out[1] ^= essiv[1];
   20   out[2] ^= essiv[2];
   21   out[3] ^= essiv[3];
   22 
   23   essiv[0] = in[0];
   24   essiv[1] = in[1];
   25   essiv[2] = in[2];
   26   essiv[3] = in[3];
   27 }
   28 
   29 DECLSPEC void serpent256_decrypt_cbc (PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS u32 *essiv)
   30 {
   31   serpent256_decrypt (ks1, in, out);
   32 
   33   out[0] ^= essiv[0];
   34   out[1] ^= essiv[1];
   35   out[2] ^= essiv[2];
   36   out[3] ^= essiv[3];
   37 
   38   essiv[0] = in[0];
   39   essiv[1] = in[1];
   40   essiv[2] = in[2];
   41   essiv[3] = in[3];
   42 }
   43 
   44 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
   45 {
   46   u32 S[4] = { sector, 0, 0, 0 };
   47 
   48   u32 essiv[4];
   49 
   50   serpent256_encrypt (ks2, S, essiv);
   51 
   52   int idx_in  = 0;
   53   int idx_out = 0;
   54 
   55   for (int i = 0; i < 32; i++)
   56   {
   57     for (int block = 0; block < 1; block++)
   58     {
   59       u32 data_in[4];
   60 
   61       data_in[0] = in[idx_in++];
   62       data_in[1] = in[idx_in++];
   63       data_in[2] = in[idx_in++];
   64       data_in[3] = in[idx_in++];
   65 
   66       u32 data_out[4];
   67 
   68       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
   69 
   70       out[idx_out++] = data_out[0];
   71       out[idx_out++] = data_out[1];
   72       out[idx_out++] = data_out[2];
   73       out[idx_out++] = data_out[3];
   74     }
   75   }
   76 }
   77 
   78 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
   79 {
   80   u32 S[4] = { sector, 0, 0, 0 };
   81 
   82   u32 essiv[4];
   83 
   84   serpent256_encrypt (ks2, S, essiv);
   85 
   86   int idx_in = 0;
   87 
   88   for (int i = 0; i < 32; i++)
   89   {
   90     int idx_mk = 0;
   91 
   92     for (int block = 0; block < 1; block++)
   93     {
   94       u32 data_in[4];
   95 
   96       data_in[0] = in[idx_in++];
   97       data_in[1] = in[idx_in++];
   98       data_in[2] = in[idx_in++];
   99       data_in[3] = in[idx_in++];
  100 
  101       u32 data_out[4];
  102 
  103       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  104 
  105       mk[idx_mk++] ^= data_out[0];
  106       mk[idx_mk++] ^= data_out[1];
  107       mk[idx_mk++] ^= data_out[2];
  108       mk[idx_mk++] ^= data_out[3];
  109     }
  110 
  111     AF_sha1_diffuse16 (mk);
  112   }
  113 }
  114 
  115 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  116 {
  117   u32 S[4] = { sector, 0, 0, 0 };
  118 
  119   u32 essiv[4];
  120 
  121   serpent256_encrypt (ks2, S, essiv);
  122 
  123   int idx_in = 0;
  124 
  125   for (int i = 0; i < 32 - 1; i++)
  126   {
  127     int idx_mk = 0;
  128 
  129     for (int block = 0; block < 1; block++)
  130     {
  131       u32 data_in[4];
  132 
  133       data_in[0] = in[idx_in++];
  134       data_in[1] = in[idx_in++];
  135       data_in[2] = in[idx_in++];
  136       data_in[3] = in[idx_in++];
  137 
  138       u32 data_out[4];
  139 
  140       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  141 
  142       mk[idx_mk++] ^= data_out[0];
  143       mk[idx_mk++] ^= data_out[1];
  144       mk[idx_mk++] ^= data_out[2];
  145       mk[idx_mk++] ^= data_out[3];
  146     }
  147 
  148     AF_sha1_diffuse16 (mk);
  149   }
  150 
  151   // this one has no AF_sha1_diffuse16()
  152 
  153   int idx_mk = 0;
  154 
  155   for (int block = 0; block < 1; block++)
  156   {
  157     u32 data_in[4];
  158 
  159     data_in[0] = in[idx_in++];
  160     data_in[1] = in[idx_in++];
  161     data_in[2] = in[idx_in++];
  162     data_in[3] = in[idx_in++];
  163 
  164     u32 data_out[4];
  165 
  166     serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  167 
  168     mk[idx_mk++] ^= data_out[0];
  169     mk[idx_mk++] ^= data_out[1];
  170     mk[idx_mk++] ^= data_out[2];
  171     mk[idx_mk++] ^= data_out[3];
  172   }
  173 }
  174 
  175 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  176 {
  177   u32 S[4] = { sector, 0, 0, 0 };
  178 
  179   u32 essiv[4];
  180 
  181   serpent256_encrypt (ks2, S, essiv);
  182 
  183   int idx_in = 0;
  184 
  185   for (int i = 0; i < 32; i++)
  186   {
  187     int idx_mk = 0;
  188 
  189     for (int block = 0; block < 1; block++)
  190     {
  191       u32 data_in[4];
  192 
  193       data_in[0] = in[idx_in++];
  194       data_in[1] = in[idx_in++];
  195       data_in[2] = in[idx_in++];
  196       data_in[3] = in[idx_in++];
  197 
  198       u32 data_out[4];
  199 
  200       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  201 
  202       mk[idx_mk++] ^= data_out[0];
  203       mk[idx_mk++] ^= data_out[1];
  204       mk[idx_mk++] ^= data_out[2];
  205       mk[idx_mk++] ^= data_out[3];
  206     }
  207 
  208     AF_sha256_diffuse16 (mk);
  209   }
  210 }
  211 
  212 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  213 {
  214   u32 S[4] = { sector, 0, 0, 0 };
  215 
  216   u32 essiv[4];
  217 
  218   serpent256_encrypt (ks2, S, essiv);
  219 
  220   int idx_in = 0;
  221 
  222   for (int i = 0; i < 32 - 1; i++)
  223   {
  224     int idx_mk = 0;
  225 
  226     for (int block = 0; block < 1; block++)
  227     {
  228       u32 data_in[4];
  229 
  230       data_in[0] = in[idx_in++];
  231       data_in[1] = in[idx_in++];
  232       data_in[2] = in[idx_in++];
  233       data_in[3] = in[idx_in++];
  234 
  235       u32 data_out[4];
  236 
  237       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  238 
  239       mk[idx_mk++] ^= data_out[0];
  240       mk[idx_mk++] ^= data_out[1];
  241       mk[idx_mk++] ^= data_out[2];
  242       mk[idx_mk++] ^= data_out[3];
  243     }
  244 
  245     AF_sha256_diffuse16 (mk);
  246   }
  247 
  248   // this one has no AF_sha256_diffuse16()
  249 
  250   int idx_mk = 0;
  251 
  252   for (int block = 0; block < 1; block++)
  253   {
  254     u32 data_in[4];
  255 
  256     data_in[0] = in[idx_in++];
  257     data_in[1] = in[idx_in++];
  258     data_in[2] = in[idx_in++];
  259     data_in[3] = in[idx_in++];
  260 
  261     u32 data_out[4];
  262 
  263     serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  264 
  265     mk[idx_mk++] ^= data_out[0];
  266     mk[idx_mk++] ^= data_out[1];
  267     mk[idx_mk++] ^= data_out[2];
  268     mk[idx_mk++] ^= data_out[3];
  269   }
  270 }
  271 
  272 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  273 {
  274   u32 S[4] = { sector, 0, 0, 0 };
  275 
  276   u32 essiv[4];
  277 
  278   serpent256_encrypt (ks2, S, essiv);
  279 
  280   int idx_in = 0;
  281 
  282   for (int i = 0; i < 32; i++)
  283   {
  284     int idx_mk = 0;
  285 
  286     for (int block = 0; block < 1; block++)
  287     {
  288       u32 data_in[4];
  289 
  290       data_in[0] = in[idx_in++];
  291       data_in[1] = in[idx_in++];
  292       data_in[2] = in[idx_in++];
  293       data_in[3] = in[idx_in++];
  294 
  295       u32 data_out[4];
  296 
  297       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  298 
  299       mk[idx_mk++] ^= data_out[0];
  300       mk[idx_mk++] ^= data_out[1];
  301       mk[idx_mk++] ^= data_out[2];
  302       mk[idx_mk++] ^= data_out[3];
  303     }
  304 
  305     AF_sha512_diffuse16 (mk);
  306   }
  307 }
  308 
  309 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  310 {
  311   u32 S[4] = { sector, 0, 0, 0 };
  312 
  313   u32 essiv[4];
  314 
  315   serpent256_encrypt (ks2, S, essiv);
  316 
  317   int idx_in = 0;
  318 
  319   for (int i = 0; i < 32 - 1; i++)
  320   {
  321     int idx_mk = 0;
  322 
  323     for (int block = 0; block < 1; block++)
  324     {
  325       u32 data_in[4];
  326 
  327       data_in[0] = in[idx_in++];
  328       data_in[1] = in[idx_in++];
  329       data_in[2] = in[idx_in++];
  330       data_in[3] = in[idx_in++];
  331 
  332       u32 data_out[4];
  333 
  334       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  335 
  336       mk[idx_mk++] ^= data_out[0];
  337       mk[idx_mk++] ^= data_out[1];
  338       mk[idx_mk++] ^= data_out[2];
  339       mk[idx_mk++] ^= data_out[3];
  340     }
  341 
  342     AF_sha512_diffuse16 (mk);
  343   }
  344 
  345   // this one has no AF_sha512_diffuse16()
  346 
  347   int idx_mk = 0;
  348 
  349   for (int block = 0; block < 1; block++)
  350   {
  351     u32 data_in[4];
  352 
  353     data_in[0] = in[idx_in++];
  354     data_in[1] = in[idx_in++];
  355     data_in[2] = in[idx_in++];
  356     data_in[3] = in[idx_in++];
  357 
  358     u32 data_out[4];
  359 
  360     serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  361 
  362     mk[idx_mk++] ^= data_out[0];
  363     mk[idx_mk++] ^= data_out[1];
  364     mk[idx_mk++] ^= data_out[2];
  365     mk[idx_mk++] ^= data_out[3];
  366   }
  367 }
  368 
  369 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  370 {
  371   u32 S[4] = { sector, 0, 0, 0 };
  372 
  373   u32 essiv[4];
  374 
  375   serpent256_encrypt (ks2, S, essiv);
  376 
  377   int idx_in = 0;
  378 
  379   for (int i = 0; i < 32; i++)
  380   {
  381     int idx_mk = 0;
  382 
  383     for (int block = 0; block < 1; block++)
  384     {
  385       u32 data_in[4];
  386 
  387       data_in[0] = in[idx_in++];
  388       data_in[1] = in[idx_in++];
  389       data_in[2] = in[idx_in++];
  390       data_in[3] = in[idx_in++];
  391 
  392       u32 data_out[4];
  393 
  394       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  395 
  396       mk[idx_mk++] ^= data_out[0];
  397       mk[idx_mk++] ^= data_out[1];
  398       mk[idx_mk++] ^= data_out[2];
  399       mk[idx_mk++] ^= data_out[3];
  400     }
  401 
  402     AF_ripemd160_diffuse16 (mk);
  403   }
  404 }
  405 
  406 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv128_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  407 {
  408   u32 S[4] = { sector, 0, 0, 0 };
  409 
  410   u32 essiv[4];
  411 
  412   serpent256_encrypt (ks2, S, essiv);
  413 
  414   int idx_in = 0;
  415 
  416   for (int i = 0; i < 32 - 1; i++)
  417   {
  418     int idx_mk = 0;
  419 
  420     for (int block = 0; block < 1; block++)
  421     {
  422       u32 data_in[4];
  423 
  424       data_in[0] = in[idx_in++];
  425       data_in[1] = in[idx_in++];
  426       data_in[2] = in[idx_in++];
  427       data_in[3] = in[idx_in++];
  428 
  429       u32 data_out[4];
  430 
  431       serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  432 
  433       mk[idx_mk++] ^= data_out[0];
  434       mk[idx_mk++] ^= data_out[1];
  435       mk[idx_mk++] ^= data_out[2];
  436       mk[idx_mk++] ^= data_out[3];
  437     }
  438 
  439     AF_ripemd160_diffuse16 (mk);
  440   }
  441 
  442   // this one has no AF_ripemd160_diffuse16()
  443 
  444   int idx_mk = 0;
  445 
  446   for (int block = 0; block < 1; block++)
  447   {
  448     u32 data_in[4];
  449 
  450     data_in[0] = in[idx_in++];
  451     data_in[1] = in[idx_in++];
  452     data_in[2] = in[idx_in++];
  453     data_in[3] = in[idx_in++];
  454 
  455     u32 data_out[4];
  456 
  457     serpent128_decrypt_cbc (ks1, data_in, data_out, essiv);
  458 
  459     mk[idx_mk++] ^= data_out[0];
  460     mk[idx_mk++] ^= data_out[1];
  461     mk[idx_mk++] ^= data_out[2];
  462     mk[idx_mk++] ^= data_out[3];
  463   }
  464 }
  465 
  466 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  467 {
  468   u32 S[4] = { sector, 0, 0, 0 };
  469 
  470   u32 essiv[4];
  471 
  472   serpent256_encrypt (ks2, S, essiv);
  473 
  474   int idx_in  = 0;
  475   int idx_out = 0;
  476 
  477   for (int i = 0; i < 16; i++)
  478   {
  479     for (int block = 0; block < 2; block++)
  480     {
  481       u32 data_in[4];
  482 
  483       data_in[0] = in[idx_in++];
  484       data_in[1] = in[idx_in++];
  485       data_in[2] = in[idx_in++];
  486       data_in[3] = in[idx_in++];
  487 
  488       u32 data_out[4];
  489 
  490       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  491 
  492       out[idx_out++] = data_out[0];
  493       out[idx_out++] = data_out[1];
  494       out[idx_out++] = data_out[2];
  495       out[idx_out++] = data_out[3];
  496     }
  497   }
  498 }
  499 
  500 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  501 {
  502   u32 S[4] = { sector, 0, 0, 0 };
  503 
  504   u32 essiv[4];
  505 
  506   serpent256_encrypt (ks2, S, essiv);
  507 
  508   int idx_in = 0;
  509 
  510   for (int i = 0; i < 16; i++)
  511   {
  512     int idx_mk = 0;
  513 
  514     for (int block = 0; block < 2; block++)
  515     {
  516       u32 data_in[4];
  517 
  518       data_in[0] = in[idx_in++];
  519       data_in[1] = in[idx_in++];
  520       data_in[2] = in[idx_in++];
  521       data_in[3] = in[idx_in++];
  522 
  523       u32 data_out[4];
  524 
  525       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  526 
  527       mk[idx_mk++] ^= data_out[0];
  528       mk[idx_mk++] ^= data_out[1];
  529       mk[idx_mk++] ^= data_out[2];
  530       mk[idx_mk++] ^= data_out[3];
  531     }
  532 
  533     AF_sha1_diffuse32 (mk);
  534   }
  535 }
  536 
  537 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  538 {
  539   u32 S[4] = { sector, 0, 0, 0 };
  540 
  541   u32 essiv[4];
  542 
  543   serpent256_encrypt (ks2, S, essiv);
  544 
  545   int idx_in = 0;
  546 
  547   for (int i = 0; i < 16 - 1; i++)
  548   {
  549     int idx_mk = 0;
  550 
  551     for (int block = 0; block < 2; block++)
  552     {
  553       u32 data_in[4];
  554 
  555       data_in[0] = in[idx_in++];
  556       data_in[1] = in[idx_in++];
  557       data_in[2] = in[idx_in++];
  558       data_in[3] = in[idx_in++];
  559 
  560       u32 data_out[4];
  561 
  562       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  563 
  564       mk[idx_mk++] ^= data_out[0];
  565       mk[idx_mk++] ^= data_out[1];
  566       mk[idx_mk++] ^= data_out[2];
  567       mk[idx_mk++] ^= data_out[3];
  568     }
  569 
  570     AF_sha1_diffuse32 (mk);
  571   }
  572 
  573   // this one has no AF_sha1_diffuse32()
  574 
  575   int idx_mk = 0;
  576 
  577   for (int block = 0; block < 2; block++)
  578   {
  579     u32 data_in[4];
  580 
  581     data_in[0] = in[idx_in++];
  582     data_in[1] = in[idx_in++];
  583     data_in[2] = in[idx_in++];
  584     data_in[3] = in[idx_in++];
  585 
  586     u32 data_out[4];
  587 
  588     serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  589 
  590     mk[idx_mk++] ^= data_out[0];
  591     mk[idx_mk++] ^= data_out[1];
  592     mk[idx_mk++] ^= data_out[2];
  593     mk[idx_mk++] ^= data_out[3];
  594   }
  595 }
  596 
  597 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  598 {
  599   u32 S[4] = { sector, 0, 0, 0 };
  600 
  601   u32 essiv[4];
  602 
  603   serpent256_encrypt (ks2, S, essiv);
  604 
  605   int idx_in = 0;
  606 
  607   for (int i = 0; i < 16; i++)
  608   {
  609     int idx_mk = 0;
  610 
  611     for (int block = 0; block < 2; block++)
  612     {
  613       u32 data_in[4];
  614 
  615       data_in[0] = in[idx_in++];
  616       data_in[1] = in[idx_in++];
  617       data_in[2] = in[idx_in++];
  618       data_in[3] = in[idx_in++];
  619 
  620       u32 data_out[4];
  621 
  622       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  623 
  624       mk[idx_mk++] ^= data_out[0];
  625       mk[idx_mk++] ^= data_out[1];
  626       mk[idx_mk++] ^= data_out[2];
  627       mk[idx_mk++] ^= data_out[3];
  628     }
  629 
  630     AF_sha256_diffuse32 (mk);
  631   }
  632 }
  633 
  634 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  635 {
  636   u32 S[4] = { sector, 0, 0, 0 };
  637 
  638   u32 essiv[4];
  639 
  640   serpent256_encrypt (ks2, S, essiv);
  641 
  642   int idx_in = 0;
  643 
  644   for (int i = 0; i < 16 - 1; i++)
  645   {
  646     int idx_mk = 0;
  647 
  648     for (int block = 0; block < 2; block++)
  649     {
  650       u32 data_in[4];
  651 
  652       data_in[0] = in[idx_in++];
  653       data_in[1] = in[idx_in++];
  654       data_in[2] = in[idx_in++];
  655       data_in[3] = in[idx_in++];
  656 
  657       u32 data_out[4];
  658 
  659       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  660 
  661       mk[idx_mk++] ^= data_out[0];
  662       mk[idx_mk++] ^= data_out[1];
  663       mk[idx_mk++] ^= data_out[2];
  664       mk[idx_mk++] ^= data_out[3];
  665     }
  666 
  667     AF_sha256_diffuse32 (mk);
  668   }
  669 
  670   // this one has no AF_sha256_diffuse32()
  671 
  672   int idx_mk = 0;
  673 
  674   for (int block = 0; block < 2; block++)
  675   {
  676     u32 data_in[4];
  677 
  678     data_in[0] = in[idx_in++];
  679     data_in[1] = in[idx_in++];
  680     data_in[2] = in[idx_in++];
  681     data_in[3] = in[idx_in++];
  682 
  683     u32 data_out[4];
  684 
  685     serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  686 
  687     mk[idx_mk++] ^= data_out[0];
  688     mk[idx_mk++] ^= data_out[1];
  689     mk[idx_mk++] ^= data_out[2];
  690     mk[idx_mk++] ^= data_out[3];
  691   }
  692 }
  693 
  694 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  695 {
  696   u32 S[4] = { sector, 0, 0, 0 };
  697 
  698   u32 essiv[4];
  699 
  700   serpent256_encrypt (ks2, S, essiv);
  701 
  702   int idx_in = 0;
  703 
  704   for (int i = 0; i < 16; i++)
  705   {
  706     int idx_mk = 0;
  707 
  708     for (int block = 0; block < 2; block++)
  709     {
  710       u32 data_in[4];
  711 
  712       data_in[0] = in[idx_in++];
  713       data_in[1] = in[idx_in++];
  714       data_in[2] = in[idx_in++];
  715       data_in[3] = in[idx_in++];
  716 
  717       u32 data_out[4];
  718 
  719       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  720 
  721       mk[idx_mk++] ^= data_out[0];
  722       mk[idx_mk++] ^= data_out[1];
  723       mk[idx_mk++] ^= data_out[2];
  724       mk[idx_mk++] ^= data_out[3];
  725     }
  726 
  727     AF_sha512_diffuse32 (mk);
  728   }
  729 }
  730 
  731 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  732 {
  733   u32 S[4] = { sector, 0, 0, 0 };
  734 
  735   u32 essiv[4];
  736 
  737   serpent256_encrypt (ks2, S, essiv);
  738 
  739   int idx_in = 0;
  740 
  741   for (int i = 0; i < 16 - 1; i++)
  742   {
  743     int idx_mk = 0;
  744 
  745     for (int block = 0; block < 2; block++)
  746     {
  747       u32 data_in[4];
  748 
  749       data_in[0] = in[idx_in++];
  750       data_in[1] = in[idx_in++];
  751       data_in[2] = in[idx_in++];
  752       data_in[3] = in[idx_in++];
  753 
  754       u32 data_out[4];
  755 
  756       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  757 
  758       mk[idx_mk++] ^= data_out[0];
  759       mk[idx_mk++] ^= data_out[1];
  760       mk[idx_mk++] ^= data_out[2];
  761       mk[idx_mk++] ^= data_out[3];
  762     }
  763 
  764     AF_sha512_diffuse32 (mk);
  765   }
  766 
  767   // this one has no AF_sha512_diffuse32()
  768 
  769   int idx_mk = 0;
  770 
  771   for (int block = 0; block < 2; block++)
  772   {
  773     u32 data_in[4];
  774 
  775     data_in[0] = in[idx_in++];
  776     data_in[1] = in[idx_in++];
  777     data_in[2] = in[idx_in++];
  778     data_in[3] = in[idx_in++];
  779 
  780     u32 data_out[4];
  781 
  782     serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  783 
  784     mk[idx_mk++] ^= data_out[0];
  785     mk[idx_mk++] ^= data_out[1];
  786     mk[idx_mk++] ^= data_out[2];
  787     mk[idx_mk++] ^= data_out[3];
  788   }
  789 }
  790 
  791 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  792 {
  793   u32 S[4] = { sector, 0, 0, 0 };
  794 
  795   u32 essiv[4];
  796 
  797   serpent256_encrypt (ks2, S, essiv);
  798 
  799   int idx_in = 0;
  800 
  801   for (int i = 0; i < 16; i++)
  802   {
  803     int idx_mk = 0;
  804 
  805     for (int block = 0; block < 2; block++)
  806     {
  807       u32 data_in[4];
  808 
  809       data_in[0] = in[idx_in++];
  810       data_in[1] = in[idx_in++];
  811       data_in[2] = in[idx_in++];
  812       data_in[3] = in[idx_in++];
  813 
  814       u32 data_out[4];
  815 
  816       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  817 
  818       mk[idx_mk++] ^= data_out[0];
  819       mk[idx_mk++] ^= data_out[1];
  820       mk[idx_mk++] ^= data_out[2];
  821       mk[idx_mk++] ^= data_out[3];
  822     }
  823 
  824     AF_ripemd160_diffuse32 (mk);
  825   }
  826 }
  827 
  828 DECLSPEC void luks_decrypt_sector_serpent_cbc_essiv256_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
  829 {
  830   u32 S[4] = { sector, 0, 0, 0 };
  831 
  832   u32 essiv[4];
  833 
  834   serpent256_encrypt (ks2, S, essiv);
  835 
  836   int idx_in = 0;
  837 
  838   for (int i = 0; i < 16 - 1; i++)
  839   {
  840     int idx_mk = 0;
  841 
  842     for (int block = 0; block < 2; block++)
  843     {
  844       u32 data_in[4];
  845 
  846       data_in[0] = in[idx_in++];
  847       data_in[1] = in[idx_in++];
  848       data_in[2] = in[idx_in++];
  849       data_in[3] = in[idx_in++];
  850 
  851       u32 data_out[4];
  852 
  853       serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  854 
  855       mk[idx_mk++] ^= data_out[0];
  856       mk[idx_mk++] ^= data_out[1];
  857       mk[idx_mk++] ^= data_out[2];
  858       mk[idx_mk++] ^= data_out[3];
  859     }
  860 
  861     AF_ripemd160_diffuse32 (mk);
  862   }
  863 
  864   // this one has no AF_ripemd160_diffuse32()
  865 
  866   int idx_mk = 0;
  867 
  868   for (int block = 0; block < 2; block++)
  869   {
  870     u32 data_in[4];
  871 
  872     data_in[0] = in[idx_in++];
  873     data_in[1] = in[idx_in++];
  874     data_in[2] = in[idx_in++];
  875     data_in[3] = in[idx_in++];
  876 
  877     u32 data_out[4];
  878 
  879     serpent256_decrypt_cbc (ks1, data_in, data_out, essiv);
  880 
  881     mk[idx_mk++] ^= data_out[0];
  882     mk[idx_mk++] ^= data_out[1];
  883     mk[idx_mk++] ^= data_out[2];
  884     mk[idx_mk++] ^= data_out[3];
  885   }
  886 }
  887 
  888 // cbc-plain
  889 
  890 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, const u32 sector)
  891 {
  892   u32 S[4] = { sector, 0, 0, 0 };
  893 
  894   int idx_in  = 0;
  895   int idx_out = 0;
  896 
  897   for (int i = 0; i < 32; i++)
  898   {
  899     for (int block = 0; block < 1; block++)
  900     {
  901       u32 data_in[4];
  902 
  903       data_in[0] = in[idx_in++];
  904       data_in[1] = in[idx_in++];
  905       data_in[2] = in[idx_in++];
  906       data_in[3] = in[idx_in++];
  907 
  908       u32 data_out[4];
  909 
  910       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
  911 
  912       out[idx_out++] = data_out[0];
  913       out[idx_out++] = data_out[1];
  914       out[idx_out++] = data_out[2];
  915       out[idx_out++] = data_out[3];
  916     }
  917   }
  918 }
  919 
  920 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
  921 {
  922   u32 S[4] = { sector, 0, 0, 0 };
  923 
  924   int idx_in = 0;
  925 
  926   for (int i = 0; i < 32; i++)
  927   {
  928     int idx_mk = 0;
  929 
  930     for (int block = 0; block < 1; block++)
  931     {
  932       u32 data_in[4];
  933 
  934       data_in[0] = in[idx_in++];
  935       data_in[1] = in[idx_in++];
  936       data_in[2] = in[idx_in++];
  937       data_in[3] = in[idx_in++];
  938 
  939       u32 data_out[4];
  940 
  941       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
  942 
  943       mk[idx_mk++] ^= data_out[0];
  944       mk[idx_mk++] ^= data_out[1];
  945       mk[idx_mk++] ^= data_out[2];
  946       mk[idx_mk++] ^= data_out[3];
  947     }
  948 
  949     AF_sha1_diffuse16 (mk);
  950   }
  951 }
  952 
  953 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
  954 {
  955   u32 S[4] = { sector, 0, 0, 0 };
  956 
  957   int idx_in = 0;
  958 
  959   for (int i = 0; i < 32 - 1; i++)
  960   {
  961     int idx_mk = 0;
  962 
  963     for (int block = 0; block < 1; block++)
  964     {
  965       u32 data_in[4];
  966 
  967       data_in[0] = in[idx_in++];
  968       data_in[1] = in[idx_in++];
  969       data_in[2] = in[idx_in++];
  970       data_in[3] = in[idx_in++];
  971 
  972       u32 data_out[4];
  973 
  974       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
  975 
  976       mk[idx_mk++] ^= data_out[0];
  977       mk[idx_mk++] ^= data_out[1];
  978       mk[idx_mk++] ^= data_out[2];
  979       mk[idx_mk++] ^= data_out[3];
  980     }
  981 
  982     AF_sha1_diffuse16 (mk);
  983   }
  984 
  985   // this one has no AF_sha1_diffuse16()
  986 
  987   int idx_mk = 0;
  988 
  989   for (int block = 0; block < 1; block++)
  990   {
  991     u32 data_in[4];
  992 
  993     data_in[0] = in[idx_in++];
  994     data_in[1] = in[idx_in++];
  995     data_in[2] = in[idx_in++];
  996     data_in[3] = in[idx_in++];
  997 
  998     u32 data_out[4];
  999 
 1000     serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1001 
 1002     mk[idx_mk++] ^= data_out[0];
 1003     mk[idx_mk++] ^= data_out[1];
 1004     mk[idx_mk++] ^= data_out[2];
 1005     mk[idx_mk++] ^= data_out[3];
 1006   }
 1007 }
 1008 
 1009 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1010 {
 1011   u32 S[4] = { sector, 0, 0, 0 };
 1012 
 1013   int idx_in = 0;
 1014 
 1015   for (int i = 0; i < 32; i++)
 1016   {
 1017     int idx_mk = 0;
 1018 
 1019     for (int block = 0; block < 1; block++)
 1020     {
 1021       u32 data_in[4];
 1022 
 1023       data_in[0] = in[idx_in++];
 1024       data_in[1] = in[idx_in++];
 1025       data_in[2] = in[idx_in++];
 1026       data_in[3] = in[idx_in++];
 1027 
 1028       u32 data_out[4];
 1029 
 1030       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1031 
 1032       mk[idx_mk++] ^= data_out[0];
 1033       mk[idx_mk++] ^= data_out[1];
 1034       mk[idx_mk++] ^= data_out[2];
 1035       mk[idx_mk++] ^= data_out[3];
 1036     }
 1037 
 1038     AF_sha256_diffuse16 (mk);
 1039   }
 1040 }
 1041 
 1042 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1043 {
 1044   u32 S[4] = { sector, 0, 0, 0 };
 1045 
 1046   int idx_in = 0;
 1047 
 1048   for (int i = 0; i < 32 - 1; i++)
 1049   {
 1050     int idx_mk = 0;
 1051 
 1052     for (int block = 0; block < 1; block++)
 1053     {
 1054       u32 data_in[4];
 1055 
 1056       data_in[0] = in[idx_in++];
 1057       data_in[1] = in[idx_in++];
 1058       data_in[2] = in[idx_in++];
 1059       data_in[3] = in[idx_in++];
 1060 
 1061       u32 data_out[4];
 1062 
 1063       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1064 
 1065       mk[idx_mk++] ^= data_out[0];
 1066       mk[idx_mk++] ^= data_out[1];
 1067       mk[idx_mk++] ^= data_out[2];
 1068       mk[idx_mk++] ^= data_out[3];
 1069     }
 1070 
 1071     AF_sha256_diffuse16 (mk);
 1072   }
 1073 
 1074   // this one has no AF_sha256_diffuse16()
 1075 
 1076   int idx_mk = 0;
 1077 
 1078   for (int block = 0; block < 1; block++)
 1079   {
 1080     u32 data_in[4];
 1081 
 1082     data_in[0] = in[idx_in++];
 1083     data_in[1] = in[idx_in++];
 1084     data_in[2] = in[idx_in++];
 1085     data_in[3] = in[idx_in++];
 1086 
 1087     u32 data_out[4];
 1088 
 1089     serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1090 
 1091     mk[idx_mk++] ^= data_out[0];
 1092     mk[idx_mk++] ^= data_out[1];
 1093     mk[idx_mk++] ^= data_out[2];
 1094     mk[idx_mk++] ^= data_out[3];
 1095   }
 1096 }
 1097 
 1098 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1099 {
 1100   u32 S[4] = { sector, 0, 0, 0 };
 1101 
 1102   int idx_in = 0;
 1103 
 1104   for (int i = 0; i < 32; i++)
 1105   {
 1106     int idx_mk = 0;
 1107 
 1108     for (int block = 0; block < 1; block++)
 1109     {
 1110       u32 data_in[4];
 1111 
 1112       data_in[0] = in[idx_in++];
 1113       data_in[1] = in[idx_in++];
 1114       data_in[2] = in[idx_in++];
 1115       data_in[3] = in[idx_in++];
 1116 
 1117       u32 data_out[4];
 1118 
 1119       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1120 
 1121       mk[idx_mk++] ^= data_out[0];
 1122       mk[idx_mk++] ^= data_out[1];
 1123       mk[idx_mk++] ^= data_out[2];
 1124       mk[idx_mk++] ^= data_out[3];
 1125     }
 1126 
 1127     AF_sha512_diffuse16 (mk);
 1128   }
 1129 }
 1130 
 1131 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1132 {
 1133   u32 S[4] = { sector, 0, 0, 0 };
 1134 
 1135   int idx_in = 0;
 1136 
 1137   for (int i = 0; i < 32 - 1; i++)
 1138   {
 1139     int idx_mk = 0;
 1140 
 1141     for (int block = 0; block < 1; block++)
 1142     {
 1143       u32 data_in[4];
 1144 
 1145       data_in[0] = in[idx_in++];
 1146       data_in[1] = in[idx_in++];
 1147       data_in[2] = in[idx_in++];
 1148       data_in[3] = in[idx_in++];
 1149 
 1150       u32 data_out[4];
 1151 
 1152       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1153 
 1154       mk[idx_mk++] ^= data_out[0];
 1155       mk[idx_mk++] ^= data_out[1];
 1156       mk[idx_mk++] ^= data_out[2];
 1157       mk[idx_mk++] ^= data_out[3];
 1158     }
 1159 
 1160     AF_sha512_diffuse16 (mk);
 1161   }
 1162 
 1163   // this one has no AF_sha512_diffuse16()
 1164 
 1165   int idx_mk = 0;
 1166 
 1167   for (int block = 0; block < 1; block++)
 1168   {
 1169     u32 data_in[4];
 1170 
 1171     data_in[0] = in[idx_in++];
 1172     data_in[1] = in[idx_in++];
 1173     data_in[2] = in[idx_in++];
 1174     data_in[3] = in[idx_in++];
 1175 
 1176     u32 data_out[4];
 1177 
 1178     serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1179 
 1180     mk[idx_mk++] ^= data_out[0];
 1181     mk[idx_mk++] ^= data_out[1];
 1182     mk[idx_mk++] ^= data_out[2];
 1183     mk[idx_mk++] ^= data_out[3];
 1184   }
 1185 }
 1186 
 1187 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1188 {
 1189   u32 S[4] = { sector, 0, 0, 0 };
 1190 
 1191   int idx_in = 0;
 1192 
 1193   for (int i = 0; i < 32; i++)
 1194   {
 1195     int idx_mk = 0;
 1196 
 1197     for (int block = 0; block < 1; block++)
 1198     {
 1199       u32 data_in[4];
 1200 
 1201       data_in[0] = in[idx_in++];
 1202       data_in[1] = in[idx_in++];
 1203       data_in[2] = in[idx_in++];
 1204       data_in[3] = in[idx_in++];
 1205 
 1206       u32 data_out[4];
 1207 
 1208       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1209 
 1210       mk[idx_mk++] ^= data_out[0];
 1211       mk[idx_mk++] ^= data_out[1];
 1212       mk[idx_mk++] ^= data_out[2];
 1213       mk[idx_mk++] ^= data_out[3];
 1214     }
 1215 
 1216     AF_ripemd160_diffuse16 (mk);
 1217   }
 1218 }
 1219 
 1220 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain128_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1221 {
 1222   u32 S[4] = { sector, 0, 0, 0 };
 1223 
 1224   int idx_in = 0;
 1225 
 1226   for (int i = 0; i < 32 - 1; i++)
 1227   {
 1228     int idx_mk = 0;
 1229 
 1230     for (int block = 0; block < 1; block++)
 1231     {
 1232       u32 data_in[4];
 1233 
 1234       data_in[0] = in[idx_in++];
 1235       data_in[1] = in[idx_in++];
 1236       data_in[2] = in[idx_in++];
 1237       data_in[3] = in[idx_in++];
 1238 
 1239       u32 data_out[4];
 1240 
 1241       serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1242 
 1243       mk[idx_mk++] ^= data_out[0];
 1244       mk[idx_mk++] ^= data_out[1];
 1245       mk[idx_mk++] ^= data_out[2];
 1246       mk[idx_mk++] ^= data_out[3];
 1247     }
 1248 
 1249     AF_ripemd160_diffuse16 (mk);
 1250   }
 1251 
 1252   // this one has no AF_ripemd160_diffuse16()
 1253 
 1254   int idx_mk = 0;
 1255 
 1256   for (int block = 0; block < 1; block++)
 1257   {
 1258     u32 data_in[4];
 1259 
 1260     data_in[0] = in[idx_in++];
 1261     data_in[1] = in[idx_in++];
 1262     data_in[2] = in[idx_in++];
 1263     data_in[3] = in[idx_in++];
 1264 
 1265     u32 data_out[4];
 1266 
 1267     serpent128_decrypt_cbc (ks1, data_in, data_out, S);
 1268 
 1269     mk[idx_mk++] ^= data_out[0];
 1270     mk[idx_mk++] ^= data_out[1];
 1271     mk[idx_mk++] ^= data_out[2];
 1272     mk[idx_mk++] ^= data_out[3];
 1273   }
 1274 }
 1275 
 1276 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, const u32 sector)
 1277 {
 1278   u32 S[4] = { sector, 0, 0, 0 };
 1279 
 1280   int idx_in  = 0;
 1281   int idx_out = 0;
 1282 
 1283   for (int i = 0; i < 16; i++)
 1284   {
 1285     for (int block = 0; block < 2; block++)
 1286     {
 1287       u32 data_in[4];
 1288 
 1289       data_in[0] = in[idx_in++];
 1290       data_in[1] = in[idx_in++];
 1291       data_in[2] = in[idx_in++];
 1292       data_in[3] = in[idx_in++];
 1293 
 1294       u32 data_out[4];
 1295 
 1296       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1297 
 1298       out[idx_out++] = data_out[0];
 1299       out[idx_out++] = data_out[1];
 1300       out[idx_out++] = data_out[2];
 1301       out[idx_out++] = data_out[3];
 1302     }
 1303   }
 1304 }
 1305 
 1306 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1307 {
 1308   u32 S[4] = { sector, 0, 0, 0 };
 1309 
 1310   int idx_in = 0;
 1311 
 1312   for (int i = 0; i < 16; i++)
 1313   {
 1314     int idx_mk = 0;
 1315 
 1316     for (int block = 0; block < 2; block++)
 1317     {
 1318       u32 data_in[4];
 1319 
 1320       data_in[0] = in[idx_in++];
 1321       data_in[1] = in[idx_in++];
 1322       data_in[2] = in[idx_in++];
 1323       data_in[3] = in[idx_in++];
 1324 
 1325       u32 data_out[4];
 1326 
 1327       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1328 
 1329       mk[idx_mk++] ^= data_out[0];
 1330       mk[idx_mk++] ^= data_out[1];
 1331       mk[idx_mk++] ^= data_out[2];
 1332       mk[idx_mk++] ^= data_out[3];
 1333     }
 1334 
 1335     AF_sha1_diffuse32 (mk);
 1336   }
 1337 }
 1338 
 1339 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1340 {
 1341   u32 S[4] = { sector, 0, 0, 0 };
 1342 
 1343   int idx_in = 0;
 1344 
 1345   for (int i = 0; i < 16 - 1; i++)
 1346   {
 1347     int idx_mk = 0;
 1348 
 1349     for (int block = 0; block < 2; block++)
 1350     {
 1351       u32 data_in[4];
 1352 
 1353       data_in[0] = in[idx_in++];
 1354       data_in[1] = in[idx_in++];
 1355       data_in[2] = in[idx_in++];
 1356       data_in[3] = in[idx_in++];
 1357 
 1358       u32 data_out[4];
 1359 
 1360       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1361 
 1362       mk[idx_mk++] ^= data_out[0];
 1363       mk[idx_mk++] ^= data_out[1];
 1364       mk[idx_mk++] ^= data_out[2];
 1365       mk[idx_mk++] ^= data_out[3];
 1366     }
 1367 
 1368     AF_sha1_diffuse32 (mk);
 1369   }
 1370 
 1371   // this one has no AF_sha1_diffuse32()
 1372 
 1373   int idx_mk = 0;
 1374 
 1375   for (int block = 0; block < 2; block++)
 1376   {
 1377     u32 data_in[4];
 1378 
 1379     data_in[0] = in[idx_in++];
 1380     data_in[1] = in[idx_in++];
 1381     data_in[2] = in[idx_in++];
 1382     data_in[3] = in[idx_in++];
 1383 
 1384     u32 data_out[4];
 1385 
 1386     serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1387 
 1388     mk[idx_mk++] ^= data_out[0];
 1389     mk[idx_mk++] ^= data_out[1];
 1390     mk[idx_mk++] ^= data_out[2];
 1391     mk[idx_mk++] ^= data_out[3];
 1392   }
 1393 }
 1394 
 1395 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1396 {
 1397   u32 S[4] = { sector, 0, 0, 0 };
 1398 
 1399   int idx_in = 0;
 1400 
 1401   for (int i = 0; i < 16; i++)
 1402   {
 1403     int idx_mk = 0;
 1404 
 1405     for (int block = 0; block < 2; block++)
 1406     {
 1407       u32 data_in[4];
 1408 
 1409       data_in[0] = in[idx_in++];
 1410       data_in[1] = in[idx_in++];
 1411       data_in[2] = in[idx_in++];
 1412       data_in[3] = in[idx_in++];
 1413 
 1414       u32 data_out[4];
 1415 
 1416       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1417 
 1418       mk[idx_mk++] ^= data_out[0];
 1419       mk[idx_mk++] ^= data_out[1];
 1420       mk[idx_mk++] ^= data_out[2];
 1421       mk[idx_mk++] ^= data_out[3];
 1422     }
 1423 
 1424     AF_sha256_diffuse32 (mk);
 1425   }
 1426 }
 1427 
 1428 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1429 {
 1430   u32 S[4] = { sector, 0, 0, 0 };
 1431 
 1432   int idx_in = 0;
 1433 
 1434   for (int i = 0; i < 16 - 1; i++)
 1435   {
 1436     int idx_mk = 0;
 1437 
 1438     for (int block = 0; block < 2; block++)
 1439     {
 1440       u32 data_in[4];
 1441 
 1442       data_in[0] = in[idx_in++];
 1443       data_in[1] = in[idx_in++];
 1444       data_in[2] = in[idx_in++];
 1445       data_in[3] = in[idx_in++];
 1446 
 1447       u32 data_out[4];
 1448 
 1449       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1450 
 1451       mk[idx_mk++] ^= data_out[0];
 1452       mk[idx_mk++] ^= data_out[1];
 1453       mk[idx_mk++] ^= data_out[2];
 1454       mk[idx_mk++] ^= data_out[3];
 1455     }
 1456 
 1457     AF_sha256_diffuse32 (mk);
 1458   }
 1459 
 1460   // this one has no AF_sha256_diffuse32()
 1461 
 1462   int idx_mk = 0;
 1463 
 1464   for (int block = 0; block < 2; block++)
 1465   {
 1466     u32 data_in[4];
 1467 
 1468     data_in[0] = in[idx_in++];
 1469     data_in[1] = in[idx_in++];
 1470     data_in[2] = in[idx_in++];
 1471     data_in[3] = in[idx_in++];
 1472 
 1473     u32 data_out[4];
 1474 
 1475     serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1476 
 1477     mk[idx_mk++] ^= data_out[0];
 1478     mk[idx_mk++] ^= data_out[1];
 1479     mk[idx_mk++] ^= data_out[2];
 1480     mk[idx_mk++] ^= data_out[3];
 1481   }
 1482 }
 1483 
 1484 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1485 {
 1486   u32 S[4] = { sector, 0, 0, 0 };
 1487 
 1488   int idx_in = 0;
 1489 
 1490   for (int i = 0; i < 16; i++)
 1491   {
 1492     int idx_mk = 0;
 1493 
 1494     for (int block = 0; block < 2; block++)
 1495     {
 1496       u32 data_in[4];
 1497 
 1498       data_in[0] = in[idx_in++];
 1499       data_in[1] = in[idx_in++];
 1500       data_in[2] = in[idx_in++];
 1501       data_in[3] = in[idx_in++];
 1502 
 1503       u32 data_out[4];
 1504 
 1505       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1506 
 1507       mk[idx_mk++] ^= data_out[0];
 1508       mk[idx_mk++] ^= data_out[1];
 1509       mk[idx_mk++] ^= data_out[2];
 1510       mk[idx_mk++] ^= data_out[3];
 1511     }
 1512 
 1513     AF_sha512_diffuse32 (mk);
 1514   }
 1515 }
 1516 
 1517 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1518 {
 1519   u32 S[4] = { sector, 0, 0, 0 };
 1520 
 1521   int idx_in = 0;
 1522 
 1523   for (int i = 0; i < 16 - 1; i++)
 1524   {
 1525     int idx_mk = 0;
 1526 
 1527     for (int block = 0; block < 2; block++)
 1528     {
 1529       u32 data_in[4];
 1530 
 1531       data_in[0] = in[idx_in++];
 1532       data_in[1] = in[idx_in++];
 1533       data_in[2] = in[idx_in++];
 1534       data_in[3] = in[idx_in++];
 1535 
 1536       u32 data_out[4];
 1537 
 1538       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1539 
 1540       mk[idx_mk++] ^= data_out[0];
 1541       mk[idx_mk++] ^= data_out[1];
 1542       mk[idx_mk++] ^= data_out[2];
 1543       mk[idx_mk++] ^= data_out[3];
 1544     }
 1545 
 1546     AF_sha512_diffuse32 (mk);
 1547   }
 1548 
 1549   // this one has no AF_sha512_diffuse32()
 1550 
 1551   int idx_mk = 0;
 1552 
 1553   for (int block = 0; block < 2; block++)
 1554   {
 1555     u32 data_in[4];
 1556 
 1557     data_in[0] = in[idx_in++];
 1558     data_in[1] = in[idx_in++];
 1559     data_in[2] = in[idx_in++];
 1560     data_in[3] = in[idx_in++];
 1561 
 1562     u32 data_out[4];
 1563 
 1564     serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1565 
 1566     mk[idx_mk++] ^= data_out[0];
 1567     mk[idx_mk++] ^= data_out[1];
 1568     mk[idx_mk++] ^= data_out[2];
 1569     mk[idx_mk++] ^= data_out[3];
 1570   }
 1571 }
 1572 
 1573 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1574 {
 1575   u32 S[4] = { sector, 0, 0, 0 };
 1576 
 1577   int idx_in = 0;
 1578 
 1579   for (int i = 0; i < 16; i++)
 1580   {
 1581     int idx_mk = 0;
 1582 
 1583     for (int block = 0; block < 2; block++)
 1584     {
 1585       u32 data_in[4];
 1586 
 1587       data_in[0] = in[idx_in++];
 1588       data_in[1] = in[idx_in++];
 1589       data_in[2] = in[idx_in++];
 1590       data_in[3] = in[idx_in++];
 1591 
 1592       u32 data_out[4];
 1593 
 1594       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1595 
 1596       mk[idx_mk++] ^= data_out[0];
 1597       mk[idx_mk++] ^= data_out[1];
 1598       mk[idx_mk++] ^= data_out[2];
 1599       mk[idx_mk++] ^= data_out[3];
 1600     }
 1601 
 1602     AF_ripemd160_diffuse32 (mk);
 1603   }
 1604 }
 1605 
 1606 DECLSPEC void luks_decrypt_sector_serpent_cbc_plain256_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, const u32 sector)
 1607 {
 1608   u32 S[4] = { sector, 0, 0, 0 };
 1609 
 1610   int idx_in = 0;
 1611 
 1612   for (int i = 0; i < 16 - 1; i++)
 1613   {
 1614     int idx_mk = 0;
 1615 
 1616     for (int block = 0; block < 2; block++)
 1617     {
 1618       u32 data_in[4];
 1619 
 1620       data_in[0] = in[idx_in++];
 1621       data_in[1] = in[idx_in++];
 1622       data_in[2] = in[idx_in++];
 1623       data_in[3] = in[idx_in++];
 1624 
 1625       u32 data_out[4];
 1626 
 1627       serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1628 
 1629       mk[idx_mk++] ^= data_out[0];
 1630       mk[idx_mk++] ^= data_out[1];
 1631       mk[idx_mk++] ^= data_out[2];
 1632       mk[idx_mk++] ^= data_out[3];
 1633     }
 1634 
 1635     AF_ripemd160_diffuse32 (mk);
 1636   }
 1637 
 1638   // this one has no AF_ripemd160_diffuse32()
 1639 
 1640   int idx_mk = 0;
 1641 
 1642   for (int block = 0; block < 2; block++)
 1643   {
 1644     u32 data_in[4];
 1645 
 1646     data_in[0] = in[idx_in++];
 1647     data_in[1] = in[idx_in++];
 1648     data_in[2] = in[idx_in++];
 1649     data_in[3] = in[idx_in++];
 1650 
 1651     u32 data_out[4];
 1652 
 1653     serpent256_decrypt_cbc (ks1, data_in, data_out, S);
 1654 
 1655     mk[idx_mk++] ^= data_out[0];
 1656     mk[idx_mk++] ^= data_out[1];
 1657     mk[idx_mk++] ^= data_out[2];
 1658     mk[idx_mk++] ^= data_out[3];
 1659   }
 1660 }
 1661 
 1662 // xts-plain
 1663 
 1664 DECLSPEC void serpent128_decrypt_xts (PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS u32 *T)
 1665 {
 1666   out[0] = in[0];
 1667   out[1] = in[1];
 1668   out[2] = in[2];
 1669   out[3] = in[3];
 1670 
 1671   out[0] ^= T[0];
 1672   out[1] ^= T[1];
 1673   out[2] ^= T[2];
 1674   out[3] ^= T[3];
 1675 
 1676   serpent128_decrypt (ks1, out, out);
 1677 
 1678   out[0] ^= T[0];
 1679   out[1] ^= T[1];
 1680   out[2] ^= T[2];
 1681   out[3] ^= T[3];
 1682 
 1683   xts_mul2 (T, T);
 1684 }
 1685 
 1686 DECLSPEC void serpent256_decrypt_xts (PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS u32 *T)
 1687 {
 1688   out[0] = in[0];
 1689   out[1] = in[1];
 1690   out[2] = in[2];
 1691   out[3] = in[3];
 1692 
 1693   out[0] ^= T[0];
 1694   out[1] ^= T[1];
 1695   out[2] ^= T[2];
 1696   out[3] ^= T[3];
 1697 
 1698   serpent256_decrypt (ks1, out, out);
 1699 
 1700   out[0] ^= T[0];
 1701   out[1] ^= T[1];
 1702   out[2] ^= T[2];
 1703   out[3] ^= T[3];
 1704 
 1705   xts_mul2 (T, T);
 1706 }
 1707 
 1708 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1709 {
 1710   u32 S[4] = { sector, 0, 0, 0 };
 1711 
 1712   u32 T[4];
 1713 
 1714   serpent128_encrypt (ks2, S, T);
 1715 
 1716   int idx_in  = 0;
 1717   int idx_out = 0;
 1718 
 1719   for (int i = 0; i < 16; i++)
 1720   {
 1721     for (int block = 0; block < 2; block++)
 1722     {
 1723       u32 data_in[4];
 1724 
 1725       data_in[0] = in[idx_in++];
 1726       data_in[1] = in[idx_in++];
 1727       data_in[2] = in[idx_in++];
 1728       data_in[3] = in[idx_in++];
 1729 
 1730       u32 data_out[4];
 1731 
 1732       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1733 
 1734       out[idx_out++] = data_out[0];
 1735       out[idx_out++] = data_out[1];
 1736       out[idx_out++] = data_out[2];
 1737       out[idx_out++] = data_out[3];
 1738     }
 1739   }
 1740 }
 1741 
 1742 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1743 {
 1744   u32 S[4] = { sector, 0, 0, 0 };
 1745 
 1746   u32 T[4];
 1747 
 1748   serpent128_encrypt (ks2, S, T);
 1749 
 1750   int idx_in = 0;
 1751 
 1752   for (int i = 0; i < 16; i++)
 1753   {
 1754     int idx_mk = 0;
 1755 
 1756     for (int block = 0; block < 2; block++)
 1757     {
 1758       u32 data_in[4];
 1759 
 1760       data_in[0] = in[idx_in++];
 1761       data_in[1] = in[idx_in++];
 1762       data_in[2] = in[idx_in++];
 1763       data_in[3] = in[idx_in++];
 1764 
 1765       u32 data_out[4];
 1766 
 1767       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1768 
 1769       mk[idx_mk++] ^= data_out[0];
 1770       mk[idx_mk++] ^= data_out[1];
 1771       mk[idx_mk++] ^= data_out[2];
 1772       mk[idx_mk++] ^= data_out[3];
 1773     }
 1774 
 1775     AF_sha1_diffuse32 (mk);
 1776   }
 1777 }
 1778 
 1779 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1780 {
 1781   u32 S[4] = { sector, 0, 0, 0 };
 1782 
 1783   u32 T[4];
 1784 
 1785   serpent128_encrypt (ks2, S, T);
 1786 
 1787   int idx_in = 0;
 1788 
 1789   for (int i = 0; i < 16 - 1; i++)
 1790   {
 1791     int idx_mk = 0;
 1792 
 1793     for (int block = 0; block < 2; block++)
 1794     {
 1795       u32 data_in[4];
 1796 
 1797       data_in[0] = in[idx_in++];
 1798       data_in[1] = in[idx_in++];
 1799       data_in[2] = in[idx_in++];
 1800       data_in[3] = in[idx_in++];
 1801 
 1802       u32 data_out[4];
 1803 
 1804       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1805 
 1806       mk[idx_mk++] ^= data_out[0];
 1807       mk[idx_mk++] ^= data_out[1];
 1808       mk[idx_mk++] ^= data_out[2];
 1809       mk[idx_mk++] ^= data_out[3];
 1810     }
 1811 
 1812     AF_sha1_diffuse32 (mk);
 1813   }
 1814 
 1815   // this one has no AF_sha1_diffuse32()
 1816 
 1817   int idx_mk = 0;
 1818 
 1819   for (int block = 0; block < 2; block++)
 1820   {
 1821     u32 data_in[4];
 1822 
 1823     data_in[0] = in[idx_in++];
 1824     data_in[1] = in[idx_in++];
 1825     data_in[2] = in[idx_in++];
 1826     data_in[3] = in[idx_in++];
 1827 
 1828     u32 data_out[4];
 1829 
 1830     serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1831 
 1832     mk[idx_mk++] ^= data_out[0];
 1833     mk[idx_mk++] ^= data_out[1];
 1834     mk[idx_mk++] ^= data_out[2];
 1835     mk[idx_mk++] ^= data_out[3];
 1836   }
 1837 }
 1838 
 1839 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1840 {
 1841   u32 S[4] = { sector, 0, 0, 0 };
 1842 
 1843   u32 T[4];
 1844 
 1845   serpent128_encrypt (ks2, S, T);
 1846 
 1847   int idx_in = 0;
 1848 
 1849   for (int i = 0; i < 16; i++)
 1850   {
 1851     int idx_mk = 0;
 1852 
 1853     for (int block = 0; block < 2; block++)
 1854     {
 1855       u32 data_in[4];
 1856 
 1857       data_in[0] = in[idx_in++];
 1858       data_in[1] = in[idx_in++];
 1859       data_in[2] = in[idx_in++];
 1860       data_in[3] = in[idx_in++];
 1861 
 1862       u32 data_out[4];
 1863 
 1864       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1865 
 1866       mk[idx_mk++] ^= data_out[0];
 1867       mk[idx_mk++] ^= data_out[1];
 1868       mk[idx_mk++] ^= data_out[2];
 1869       mk[idx_mk++] ^= data_out[3];
 1870     }
 1871 
 1872     AF_sha256_diffuse32 (mk);
 1873   }
 1874 }
 1875 
 1876 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1877 {
 1878   u32 S[4] = { sector, 0, 0, 0 };
 1879 
 1880   u32 T[4];
 1881 
 1882   serpent128_encrypt (ks2, S, T);
 1883 
 1884   int idx_in = 0;
 1885 
 1886   for (int i = 0; i < 16 - 1; i++)
 1887   {
 1888     int idx_mk = 0;
 1889 
 1890     for (int block = 0; block < 2; block++)
 1891     {
 1892       u32 data_in[4];
 1893 
 1894       data_in[0] = in[idx_in++];
 1895       data_in[1] = in[idx_in++];
 1896       data_in[2] = in[idx_in++];
 1897       data_in[3] = in[idx_in++];
 1898 
 1899       u32 data_out[4];
 1900 
 1901       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1902 
 1903       mk[idx_mk++] ^= data_out[0];
 1904       mk[idx_mk++] ^= data_out[1];
 1905       mk[idx_mk++] ^= data_out[2];
 1906       mk[idx_mk++] ^= data_out[3];
 1907     }
 1908 
 1909     AF_sha256_diffuse32 (mk);
 1910   }
 1911 
 1912   // this one has no AF_sha256_diffuse32()
 1913 
 1914   int idx_mk = 0;
 1915 
 1916   for (int block = 0; block < 2; block++)
 1917   {
 1918     u32 data_in[4];
 1919 
 1920     data_in[0] = in[idx_in++];
 1921     data_in[1] = in[idx_in++];
 1922     data_in[2] = in[idx_in++];
 1923     data_in[3] = in[idx_in++];
 1924 
 1925     u32 data_out[4];
 1926 
 1927     serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1928 
 1929     mk[idx_mk++] ^= data_out[0];
 1930     mk[idx_mk++] ^= data_out[1];
 1931     mk[idx_mk++] ^= data_out[2];
 1932     mk[idx_mk++] ^= data_out[3];
 1933   }
 1934 }
 1935 
 1936 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1937 {
 1938   u32 S[4] = { sector, 0, 0, 0 };
 1939 
 1940   u32 T[4];
 1941 
 1942   serpent128_encrypt (ks2, S, T);
 1943 
 1944   int idx_in = 0;
 1945 
 1946   for (int i = 0; i < 16; i++)
 1947   {
 1948     int idx_mk = 0;
 1949 
 1950     for (int block = 0; block < 2; block++)
 1951     {
 1952       u32 data_in[4];
 1953 
 1954       data_in[0] = in[idx_in++];
 1955       data_in[1] = in[idx_in++];
 1956       data_in[2] = in[idx_in++];
 1957       data_in[3] = in[idx_in++];
 1958 
 1959       u32 data_out[4];
 1960 
 1961       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1962 
 1963       mk[idx_mk++] ^= data_out[0];
 1964       mk[idx_mk++] ^= data_out[1];
 1965       mk[idx_mk++] ^= data_out[2];
 1966       mk[idx_mk++] ^= data_out[3];
 1967     }
 1968 
 1969     AF_sha512_diffuse32 (mk);
 1970   }
 1971 }
 1972 
 1973 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 1974 {
 1975   u32 S[4] = { sector, 0, 0, 0 };
 1976 
 1977   u32 T[4];
 1978 
 1979   serpent128_encrypt (ks2, S, T);
 1980 
 1981   int idx_in = 0;
 1982 
 1983   for (int i = 0; i < 16 - 1; i++)
 1984   {
 1985     int idx_mk = 0;
 1986 
 1987     for (int block = 0; block < 2; block++)
 1988     {
 1989       u32 data_in[4];
 1990 
 1991       data_in[0] = in[idx_in++];
 1992       data_in[1] = in[idx_in++];
 1993       data_in[2] = in[idx_in++];
 1994       data_in[3] = in[idx_in++];
 1995 
 1996       u32 data_out[4];
 1997 
 1998       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 1999 
 2000       mk[idx_mk++] ^= data_out[0];
 2001       mk[idx_mk++] ^= data_out[1];
 2002       mk[idx_mk++] ^= data_out[2];
 2003       mk[idx_mk++] ^= data_out[3];
 2004     }
 2005 
 2006     AF_sha512_diffuse32 (mk);
 2007   }
 2008 
 2009   // this one has no AF_sha512_diffuse32()
 2010 
 2011   int idx_mk = 0;
 2012 
 2013   for (int block = 0; block < 2; block++)
 2014   {
 2015     u32 data_in[4];
 2016 
 2017     data_in[0] = in[idx_in++];
 2018     data_in[1] = in[idx_in++];
 2019     data_in[2] = in[idx_in++];
 2020     data_in[3] = in[idx_in++];
 2021 
 2022     u32 data_out[4];
 2023 
 2024     serpent128_decrypt_xts (ks1, data_in, data_out, T);
 2025 
 2026     mk[idx_mk++] ^= data_out[0];
 2027     mk[idx_mk++] ^= data_out[1];
 2028     mk[idx_mk++] ^= data_out[2];
 2029     mk[idx_mk++] ^= data_out[3];
 2030   }
 2031 }
 2032 
 2033 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2034 {
 2035   u32 S[4] = { sector, 0, 0, 0 };
 2036 
 2037   u32 T[4];
 2038 
 2039   serpent128_encrypt (ks2, S, T);
 2040 
 2041   int idx_in = 0;
 2042 
 2043   for (int i = 0; i < 16; i++)
 2044   {
 2045     int idx_mk = 0;
 2046 
 2047     for (int block = 0; block < 2; block++)
 2048     {
 2049       u32 data_in[4];
 2050 
 2051       data_in[0] = in[idx_in++];
 2052       data_in[1] = in[idx_in++];
 2053       data_in[2] = in[idx_in++];
 2054       data_in[3] = in[idx_in++];
 2055 
 2056       u32 data_out[4];
 2057 
 2058       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 2059 
 2060       mk[idx_mk++] ^= data_out[0];
 2061       mk[idx_mk++] ^= data_out[1];
 2062       mk[idx_mk++] ^= data_out[2];
 2063       mk[idx_mk++] ^= data_out[3];
 2064     }
 2065 
 2066     AF_ripemd160_diffuse32 (mk);
 2067   }
 2068 }
 2069 
 2070 DECLSPEC void luks_decrypt_sector_serpent_xts_plain256_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2071 {
 2072   u32 S[4] = { sector, 0, 0, 0 };
 2073 
 2074   u32 T[4];
 2075 
 2076   serpent128_encrypt (ks2, S, T);
 2077 
 2078   int idx_in = 0;
 2079 
 2080   for (int i = 0; i < 16 - 1; i++)
 2081   {
 2082     int idx_mk = 0;
 2083 
 2084     for (int block = 0; block < 2; block++)
 2085     {
 2086       u32 data_in[4];
 2087 
 2088       data_in[0] = in[idx_in++];
 2089       data_in[1] = in[idx_in++];
 2090       data_in[2] = in[idx_in++];
 2091       data_in[3] = in[idx_in++];
 2092 
 2093       u32 data_out[4];
 2094 
 2095       serpent128_decrypt_xts (ks1, data_in, data_out, T);
 2096 
 2097       mk[idx_mk++] ^= data_out[0];
 2098       mk[idx_mk++] ^= data_out[1];
 2099       mk[idx_mk++] ^= data_out[2];
 2100       mk[idx_mk++] ^= data_out[3];
 2101     }
 2102 
 2103     AF_ripemd160_diffuse32 (mk);
 2104   }
 2105 
 2106   // this one has no AF_ripemd160_diffuse32()
 2107 
 2108   int idx_mk = 0;
 2109 
 2110   for (int block = 0; block < 2; block++)
 2111   {
 2112     u32 data_in[4];
 2113 
 2114     data_in[0] = in[idx_in++];
 2115     data_in[1] = in[idx_in++];
 2116     data_in[2] = in[idx_in++];
 2117     data_in[3] = in[idx_in++];
 2118 
 2119     u32 data_out[4];
 2120 
 2121     serpent128_decrypt_xts (ks1, data_in, data_out, T);
 2122 
 2123     mk[idx_mk++] ^= data_out[0];
 2124     mk[idx_mk++] ^= data_out[1];
 2125     mk[idx_mk++] ^= data_out[2];
 2126     mk[idx_mk++] ^= data_out[3];
 2127   }
 2128 }
 2129 
 2130 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *out, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2131 {
 2132   u32 S[4] = { sector, 0, 0, 0 };
 2133 
 2134   u32 T[4];
 2135 
 2136   serpent256_encrypt (ks2, S, T);
 2137 
 2138   int idx_in  = 0;
 2139   int idx_out = 0;
 2140 
 2141   for (int i = 0; i < 8; i++)
 2142   {
 2143     for (int block = 0; block < 4; block++)
 2144     {
 2145       u32 data_in[4];
 2146 
 2147       data_in[0] = in[idx_in++];
 2148       data_in[1] = in[idx_in++];
 2149       data_in[2] = in[idx_in++];
 2150       data_in[3] = in[idx_in++];
 2151 
 2152       u32 data_out[4];
 2153 
 2154       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2155 
 2156       out[idx_out++] = data_out[0];
 2157       out[idx_out++] = data_out[1];
 2158       out[idx_out++] = data_out[2];
 2159       out[idx_out++] = data_out[3];
 2160     }
 2161   }
 2162 }
 2163 
 2164 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha1 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2165 {
 2166   u32 S[4] = { sector, 0, 0, 0 };
 2167 
 2168   u32 T[4];
 2169 
 2170   serpent256_encrypt (ks2, S, T);
 2171 
 2172   int idx_in = 0;
 2173 
 2174   for (int i = 0; i < 8; i++)
 2175   {
 2176     int idx_mk = 0;
 2177 
 2178     for (int block = 0; block < 4; block++)
 2179     {
 2180       u32 data_in[4];
 2181 
 2182       data_in[0] = in[idx_in++];
 2183       data_in[1] = in[idx_in++];
 2184       data_in[2] = in[idx_in++];
 2185       data_in[3] = in[idx_in++];
 2186 
 2187       u32 data_out[4];
 2188 
 2189       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2190 
 2191       mk[idx_mk++] ^= data_out[0];
 2192       mk[idx_mk++] ^= data_out[1];
 2193       mk[idx_mk++] ^= data_out[2];
 2194       mk[idx_mk++] ^= data_out[3];
 2195     }
 2196 
 2197     AF_sha1_diffuse64 (mk);
 2198   }
 2199 }
 2200 
 2201 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha1_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2202 {
 2203   u32 S[4] = { sector, 0, 0, 0 };
 2204 
 2205   u32 T[4];
 2206 
 2207   serpent256_encrypt (ks2, S, T);
 2208 
 2209   int idx_in = 0;
 2210 
 2211   for (int i = 0; i < 8 - 1; i++)
 2212   {
 2213     int idx_mk = 0;
 2214 
 2215     for (int block = 0; block < 4; block++)
 2216     {
 2217       u32 data_in[4];
 2218 
 2219       data_in[0] = in[idx_in++];
 2220       data_in[1] = in[idx_in++];
 2221       data_in[2] = in[idx_in++];
 2222       data_in[3] = in[idx_in++];
 2223 
 2224       u32 data_out[4];
 2225 
 2226       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2227 
 2228       mk[idx_mk++] ^= data_out[0];
 2229       mk[idx_mk++] ^= data_out[1];
 2230       mk[idx_mk++] ^= data_out[2];
 2231       mk[idx_mk++] ^= data_out[3];
 2232     }
 2233 
 2234     AF_sha1_diffuse64 (mk);
 2235   }
 2236 
 2237   // this one has no AF_sha1_diffuse64()
 2238 
 2239   int idx_mk = 0;
 2240 
 2241   for (int block = 0; block < 4; block++)
 2242   {
 2243     u32 data_in[4];
 2244 
 2245     data_in[0] = in[idx_in++];
 2246     data_in[1] = in[idx_in++];
 2247     data_in[2] = in[idx_in++];
 2248     data_in[3] = in[idx_in++];
 2249 
 2250     u32 data_out[4];
 2251 
 2252     serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2253 
 2254     mk[idx_mk++] ^= data_out[0];
 2255     mk[idx_mk++] ^= data_out[1];
 2256     mk[idx_mk++] ^= data_out[2];
 2257     mk[idx_mk++] ^= data_out[3];
 2258   }
 2259 }
 2260 
 2261 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha256 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2262 {
 2263   u32 S[4] = { sector, 0, 0, 0 };
 2264 
 2265   u32 T[4];
 2266 
 2267   serpent256_encrypt (ks2, S, T);
 2268 
 2269   int idx_in = 0;
 2270 
 2271   for (int i = 0; i < 8; i++)
 2272   {
 2273     int idx_mk = 0;
 2274 
 2275     for (int block = 0; block < 4; block++)
 2276     {
 2277       u32 data_in[4];
 2278 
 2279       data_in[0] = in[idx_in++];
 2280       data_in[1] = in[idx_in++];
 2281       data_in[2] = in[idx_in++];
 2282       data_in[3] = in[idx_in++];
 2283 
 2284       u32 data_out[4];
 2285 
 2286       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2287 
 2288       mk[idx_mk++] ^= data_out[0];
 2289       mk[idx_mk++] ^= data_out[1];
 2290       mk[idx_mk++] ^= data_out[2];
 2291       mk[idx_mk++] ^= data_out[3];
 2292     }
 2293 
 2294     AF_sha256_diffuse64 (mk);
 2295   }
 2296 }
 2297 
 2298 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha256_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2299 {
 2300   u32 S[4] = { sector, 0, 0, 0 };
 2301 
 2302   u32 T[4];
 2303 
 2304   serpent256_encrypt (ks2, S, T);
 2305 
 2306   int idx_in = 0;
 2307 
 2308   for (int i = 0; i < 8 - 1; i++)
 2309   {
 2310     int idx_mk = 0;
 2311 
 2312     for (int block = 0; block < 4; block++)
 2313     {
 2314       u32 data_in[4];
 2315 
 2316       data_in[0] = in[idx_in++];
 2317       data_in[1] = in[idx_in++];
 2318       data_in[2] = in[idx_in++];
 2319       data_in[3] = in[idx_in++];
 2320 
 2321       u32 data_out[4];
 2322 
 2323       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2324 
 2325       mk[idx_mk++] ^= data_out[0];
 2326       mk[idx_mk++] ^= data_out[1];
 2327       mk[idx_mk++] ^= data_out[2];
 2328       mk[idx_mk++] ^= data_out[3];
 2329     }
 2330 
 2331     AF_sha256_diffuse64 (mk);
 2332   }
 2333 
 2334   // this one has no AF_sha256_diffuse64()
 2335 
 2336   int idx_mk = 0;
 2337 
 2338   for (int block = 0; block < 4; block++)
 2339   {
 2340     u32 data_in[4];
 2341 
 2342     data_in[0] = in[idx_in++];
 2343     data_in[1] = in[idx_in++];
 2344     data_in[2] = in[idx_in++];
 2345     data_in[3] = in[idx_in++];
 2346 
 2347     u32 data_out[4];
 2348 
 2349     serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2350 
 2351     mk[idx_mk++] ^= data_out[0];
 2352     mk[idx_mk++] ^= data_out[1];
 2353     mk[idx_mk++] ^= data_out[2];
 2354     mk[idx_mk++] ^= data_out[3];
 2355   }
 2356 }
 2357 
 2358 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha512 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2359 {
 2360   u32 S[4] = { sector, 0, 0, 0 };
 2361 
 2362   u32 T[4];
 2363 
 2364   serpent256_encrypt (ks2, S, T);
 2365 
 2366   int idx_in = 0;
 2367 
 2368   for (int i = 0; i < 8; i++)
 2369   {
 2370     int idx_mk = 0;
 2371 
 2372     for (int block = 0; block < 4; block++)
 2373     {
 2374       u32 data_in[4];
 2375 
 2376       data_in[0] = in[idx_in++];
 2377       data_in[1] = in[idx_in++];
 2378       data_in[2] = in[idx_in++];
 2379       data_in[3] = in[idx_in++];
 2380 
 2381       u32 data_out[4];
 2382 
 2383       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2384 
 2385       mk[idx_mk++] ^= data_out[0];
 2386       mk[idx_mk++] ^= data_out[1];
 2387       mk[idx_mk++] ^= data_out[2];
 2388       mk[idx_mk++] ^= data_out[3];
 2389     }
 2390 
 2391     AF_sha512_diffuse64 (mk);
 2392   }
 2393 }
 2394 
 2395 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_sha512_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2396 {
 2397   u32 S[4] = { sector, 0, 0, 0 };
 2398 
 2399   u32 T[4];
 2400 
 2401   serpent256_encrypt (ks2, S, T);
 2402 
 2403   int idx_in = 0;
 2404 
 2405   for (int i = 0; i < 8 - 1; i++)
 2406   {
 2407     int idx_mk = 0;
 2408 
 2409     for (int block = 0; block < 4; block++)
 2410     {
 2411       u32 data_in[4];
 2412 
 2413       data_in[0] = in[idx_in++];
 2414       data_in[1] = in[idx_in++];
 2415       data_in[2] = in[idx_in++];
 2416       data_in[3] = in[idx_in++];
 2417 
 2418       u32 data_out[4];
 2419 
 2420       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2421 
 2422       mk[idx_mk++] ^= data_out[0];
 2423       mk[idx_mk++] ^= data_out[1];
 2424       mk[idx_mk++] ^= data_out[2];
 2425       mk[idx_mk++] ^= data_out[3];
 2426     }
 2427 
 2428     AF_sha512_diffuse64 (mk);
 2429   }
 2430 
 2431   // this one has no AF_sha512_diffuse64()
 2432 
 2433   int idx_mk = 0;
 2434 
 2435   for (int block = 0; block < 4; block++)
 2436   {
 2437     u32 data_in[4];
 2438 
 2439     data_in[0] = in[idx_in++];
 2440     data_in[1] = in[idx_in++];
 2441     data_in[2] = in[idx_in++];
 2442     data_in[3] = in[idx_in++];
 2443 
 2444     u32 data_out[4];
 2445 
 2446     serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2447 
 2448     mk[idx_mk++] ^= data_out[0];
 2449     mk[idx_mk++] ^= data_out[1];
 2450     mk[idx_mk++] ^= data_out[2];
 2451     mk[idx_mk++] ^= data_out[3];
 2452   }
 2453 }
 2454 
 2455 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_ripemd160 (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2456 {
 2457   u32 S[4] = { sector, 0, 0, 0 };
 2458 
 2459   u32 T[4];
 2460 
 2461   serpent256_encrypt (ks2, S, T);
 2462 
 2463   int idx_in = 0;
 2464 
 2465   for (int i = 0; i < 8; i++)
 2466   {
 2467     int idx_mk = 0;
 2468 
 2469     for (int block = 0; block < 4; block++)
 2470     {
 2471       u32 data_in[4];
 2472 
 2473       data_in[0] = in[idx_in++];
 2474       data_in[1] = in[idx_in++];
 2475       data_in[2] = in[idx_in++];
 2476       data_in[3] = in[idx_in++];
 2477 
 2478       u32 data_out[4];
 2479 
 2480       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2481 
 2482       mk[idx_mk++] ^= data_out[0];
 2483       mk[idx_mk++] ^= data_out[1];
 2484       mk[idx_mk++] ^= data_out[2];
 2485       mk[idx_mk++] ^= data_out[3];
 2486     }
 2487 
 2488     AF_ripemd160_diffuse64 (mk);
 2489   }
 2490 }
 2491 
 2492 DECLSPEC void luks_decrypt_sector_serpent_xts_plain512_mk_ripemd160_final (GLOBAL_AS const u32 *in, PRIVATE_AS u32 *mk, PRIVATE_AS const u32 *ks1, PRIVATE_AS const u32 *ks2, const u32 sector)
 2493 {
 2494   u32 S[4] = { sector, 0, 0, 0 };
 2495 
 2496   u32 T[4];
 2497 
 2498   serpent256_encrypt (ks2, S, T);
 2499 
 2500   int idx_in = 0;
 2501 
 2502   for (int i = 0; i < 8 - 1; i++)
 2503   {
 2504     int idx_mk = 0;
 2505 
 2506     for (int block = 0; block < 4; block++)
 2507     {
 2508       u32 data_in[4];
 2509 
 2510       data_in[0] = in[idx_in++];
 2511       data_in[1] = in[idx_in++];
 2512       data_in[2] = in[idx_in++];
 2513       data_in[3] = in[idx_in++];
 2514 
 2515       u32 data_out[4];
 2516 
 2517       serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2518 
 2519       mk[idx_mk++] ^= data_out[0];
 2520       mk[idx_mk++] ^= data_out[1];
 2521       mk[idx_mk++] ^= data_out[2];
 2522       mk[idx_mk++] ^= data_out[3];
 2523     }
 2524 
 2525     AF_ripemd160_diffuse64 (mk);
 2526   }
 2527 
 2528   // this one has no AF_ripemd160_diffuse64()
 2529 
 2530   int idx_mk = 0;
 2531 
 2532   for (int block = 0; block < 4; block++)
 2533   {
 2534     u32 data_in[4];
 2535 
 2536     data_in[0] = in[idx_in++];
 2537     data_in[1] = in[idx_in++];
 2538     data_in[2] = in[idx_in++];
 2539     data_in[3] = in[idx_in++];
 2540 
 2541     u32 data_out[4];
 2542 
 2543     serpent256_decrypt_xts (ks1, data_in, data_out, T);
 2544 
 2545     mk[idx_mk++] ^= data_out[0];
 2546     mk[idx_mk++] ^= data_out[1];
 2547     mk[idx_mk++] ^= data_out[2];
 2548     mk[idx_mk++] ^= data_out[3];
 2549   }
 2550 }
 2551 
 2552 // luks helper
 2553 
 2554 DECLSPEC void luks_af_sha1_then_serpent_decrypt (GLOBAL_AS const luks_t *luks_bufs, GLOBAL_AS luks_tmp_t *tmps, PRIVATE_AS u32 *pt_buf)
 2555 {
 2556   const u32 key_size    = luks_bufs->key_size;
 2557   const u32 cipher_mode = luks_bufs->cipher_mode;
 2558 
 2559   #define BITS_PER_AF (key_size * LUKS_STRIPES)
 2560   #define BITS_PER_SECTOR (512 * 8)
 2561   #define SECTOR_PER_AF (BITS_PER_AF / BITS_PER_SECTOR)
 2562   #define BLOCKS_PER_SECTOR (512 / 16)
 2563   #define OFFSET_PER_BLOCK (16 / 4)
 2564   #define OFFSET_PER_SECTOR (BLOCKS_PER_SECTOR * OFFSET_PER_BLOCK)
 2565 
 2566   // decrypt AF data and do the AF merge inline
 2567 
 2568   u32 mk[16] = { 0 };
 2569 
 2570   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 2571   {
 2572     if (key_size == HC_LUKS_KEY_SIZE_128)
 2573     {
 2574       u32 ukey[4];
 2575 
 2576       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2577       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2578       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2579       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2580 
 2581       u32 essivhash[8];
 2582 
 2583       ESSIV_sha256_init128 (ukey, essivhash);
 2584 
 2585       u32 ks1[140];
 2586       u32 ks2[140];
 2587 
 2588       serpent128_set_key (ks1, ukey);
 2589       serpent256_set_key (ks2, essivhash);
 2590 
 2591       int sector = 0;
 2592       int offset = 0;
 2593 
 2594       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2595       {
 2596         luks_decrypt_sector_serpent_cbc_essiv128_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2597       }
 2598 
 2599       luks_decrypt_sector_serpent_cbc_essiv128_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2600     }
 2601     else if (key_size == HC_LUKS_KEY_SIZE_256)
 2602     {
 2603       u32 ukey[8];
 2604 
 2605       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2606       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2607       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2608       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2609       ukey[4] = hc_swap32_S (tmps->out32[4]);
 2610       ukey[5] = hc_swap32_S (tmps->out32[5]);
 2611       ukey[6] = hc_swap32_S (tmps->out32[6]);
 2612       ukey[7] = hc_swap32_S (tmps->out32[7]);
 2613 
 2614       u32 essivhash[8];
 2615 
 2616       ESSIV_sha256_init256 (ukey, essivhash);
 2617 
 2618       u32 ks1[140];
 2619       u32 ks2[140];
 2620 
 2621       serpent256_set_key (ks1, ukey);
 2622       serpent256_set_key (ks2, essivhash);
 2623 
 2624       int sector = 0;
 2625       int offset = 0;
 2626 
 2627       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2628       {
 2629         luks_decrypt_sector_serpent_cbc_essiv256_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2630       }
 2631 
 2632       luks_decrypt_sector_serpent_cbc_essiv256_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2633     }
 2634   }
 2635   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 2636   {
 2637     if (key_size == HC_LUKS_KEY_SIZE_128)
 2638     {
 2639       u32 ukey[4];
 2640 
 2641       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2642       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2643       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2644       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2645 
 2646       u32 ks1[140];
 2647 
 2648       serpent128_set_key (ks1, ukey);
 2649 
 2650       int sector = 0;
 2651       int offset = 0;
 2652 
 2653       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2654       {
 2655         luks_decrypt_sector_serpent_cbc_plain128_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, sector);
 2656       }
 2657 
 2658       luks_decrypt_sector_serpent_cbc_plain128_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 2659     }
 2660     else if (key_size == HC_LUKS_KEY_SIZE_256)
 2661     {
 2662       u32 ukey[8];
 2663 
 2664       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2665       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2666       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2667       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2668       ukey[4] = hc_swap32_S (tmps->out32[4]);
 2669       ukey[5] = hc_swap32_S (tmps->out32[5]);
 2670       ukey[6] = hc_swap32_S (tmps->out32[6]);
 2671       ukey[7] = hc_swap32_S (tmps->out32[7]);
 2672 
 2673       u32 ks1[140];
 2674 
 2675       serpent256_set_key (ks1, ukey);
 2676 
 2677       int sector = 0;
 2678       int offset = 0;
 2679 
 2680       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2681       {
 2682         luks_decrypt_sector_serpent_cbc_plain256_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, sector);
 2683       }
 2684 
 2685       luks_decrypt_sector_serpent_cbc_plain256_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 2686     }
 2687   }
 2688   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 2689   {
 2690     if (key_size == HC_LUKS_KEY_SIZE_256)
 2691     {
 2692       u32 ukey1[4];
 2693 
 2694       ukey1[0] = hc_swap32_S (tmps->out32[0]);
 2695       ukey1[1] = hc_swap32_S (tmps->out32[1]);
 2696       ukey1[2] = hc_swap32_S (tmps->out32[2]);
 2697       ukey1[3] = hc_swap32_S (tmps->out32[3]);
 2698 
 2699       u32 ukey2[4];
 2700 
 2701       ukey2[0] = hc_swap32_S (tmps->out32[4]);
 2702       ukey2[1] = hc_swap32_S (tmps->out32[5]);
 2703       ukey2[2] = hc_swap32_S (tmps->out32[6]);
 2704       ukey2[3] = hc_swap32_S (tmps->out32[7]);
 2705 
 2706       u32 ks1[140];
 2707       u32 ks2[140];
 2708 
 2709       serpent128_set_key (ks1, ukey1);
 2710       serpent128_set_key (ks2, ukey2);
 2711 
 2712       int sector = 0;
 2713       int offset = 0;
 2714 
 2715       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2716       {
 2717         luks_decrypt_sector_serpent_xts_plain256_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2718       }
 2719 
 2720       luks_decrypt_sector_serpent_xts_plain256_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2721     }
 2722     else if (key_size == HC_LUKS_KEY_SIZE_512)
 2723     {
 2724       u32 ukey1[8];
 2725 
 2726       ukey1[0] = hc_swap32_S (tmps->out32[ 0]);
 2727       ukey1[1] = hc_swap32_S (tmps->out32[ 1]);
 2728       ukey1[2] = hc_swap32_S (tmps->out32[ 2]);
 2729       ukey1[3] = hc_swap32_S (tmps->out32[ 3]);
 2730       ukey1[4] = hc_swap32_S (tmps->out32[ 4]);
 2731       ukey1[5] = hc_swap32_S (tmps->out32[ 5]);
 2732       ukey1[6] = hc_swap32_S (tmps->out32[ 6]);
 2733       ukey1[7] = hc_swap32_S (tmps->out32[ 7]);
 2734 
 2735       u32 ukey2[8];
 2736 
 2737       ukey2[0] = hc_swap32_S (tmps->out32[ 8]);
 2738       ukey2[1] = hc_swap32_S (tmps->out32[ 9]);
 2739       ukey2[2] = hc_swap32_S (tmps->out32[10]);
 2740       ukey2[3] = hc_swap32_S (tmps->out32[11]);
 2741       ukey2[4] = hc_swap32_S (tmps->out32[12]);
 2742       ukey2[5] = hc_swap32_S (tmps->out32[13]);
 2743       ukey2[6] = hc_swap32_S (tmps->out32[14]);
 2744       ukey2[7] = hc_swap32_S (tmps->out32[15]);
 2745 
 2746       u32 ks1[140];
 2747       u32 ks2[140];
 2748 
 2749       serpent256_set_key (ks1, ukey1);
 2750       serpent256_set_key (ks2, ukey2);
 2751 
 2752       int sector = 0;
 2753       int offset = 0;
 2754 
 2755       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2756       {
 2757         luks_decrypt_sector_serpent_xts_plain512_mk_sha1 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2758       }
 2759 
 2760       luks_decrypt_sector_serpent_xts_plain512_mk_sha1_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2761     }
 2762   }
 2763 
 2764   // decrypt payload data
 2765 
 2766   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 2767   {
 2768     if (key_size == HC_LUKS_KEY_SIZE_128)
 2769     {
 2770       u32 ukey[4];
 2771 
 2772       ukey[0] = mk[0];
 2773       ukey[1] = mk[1];
 2774       ukey[2] = mk[2];
 2775       ukey[3] = mk[3];
 2776 
 2777       u32 essivhash[8];
 2778 
 2779       ESSIV_sha256_init128 (ukey, essivhash);
 2780 
 2781       u32 ks1[140];
 2782       u32 ks2[140];
 2783 
 2784       serpent128_set_key (ks1, ukey);
 2785       serpent256_set_key (ks2, essivhash);
 2786 
 2787       luks_decrypt_sector_serpent_cbc_essiv128 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 2788     }
 2789     else if (key_size == HC_LUKS_KEY_SIZE_256)
 2790     {
 2791       u32 ukey[8];
 2792 
 2793       ukey[0] = mk[0];
 2794       ukey[1] = mk[1];
 2795       ukey[2] = mk[2];
 2796       ukey[3] = mk[3];
 2797       ukey[4] = mk[4];
 2798       ukey[5] = mk[5];
 2799       ukey[6] = mk[6];
 2800       ukey[7] = mk[7];
 2801 
 2802       u32 essivhash[8];
 2803 
 2804       ESSIV_sha256_init256 (ukey, essivhash);
 2805 
 2806       u32 ks1[140];
 2807       u32 ks2[140];
 2808 
 2809       serpent256_set_key (ks1, ukey);
 2810       serpent256_set_key (ks2, essivhash);
 2811 
 2812       luks_decrypt_sector_serpent_cbc_essiv256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 2813     }
 2814   }
 2815   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 2816   {
 2817     if (key_size == HC_LUKS_KEY_SIZE_128)
 2818     {
 2819       u32 ukey[4];
 2820 
 2821       ukey[0] = mk[0];
 2822       ukey[1] = mk[1];
 2823       ukey[2] = mk[2];
 2824       ukey[3] = mk[3];
 2825 
 2826       u32 ks1[140];
 2827 
 2828       serpent128_set_key (ks1, ukey);
 2829 
 2830       luks_decrypt_sector_serpent_cbc_plain128 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 2831     }
 2832     else if (key_size == HC_LUKS_KEY_SIZE_256)
 2833     {
 2834       u32 ukey[8];
 2835 
 2836       ukey[0] = mk[0];
 2837       ukey[1] = mk[1];
 2838       ukey[2] = mk[2];
 2839       ukey[3] = mk[3];
 2840       ukey[4] = mk[4];
 2841       ukey[5] = mk[5];
 2842       ukey[6] = mk[6];
 2843       ukey[7] = mk[7];
 2844 
 2845       u32 ks1[140];
 2846 
 2847       serpent256_set_key (ks1, ukey);
 2848 
 2849       luks_decrypt_sector_serpent_cbc_plain256 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 2850     }
 2851   }
 2852   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 2853   {
 2854     if (key_size == HC_LUKS_KEY_SIZE_256)
 2855     {
 2856       u32 ukey1[4];
 2857 
 2858       ukey1[0] = mk[0];
 2859       ukey1[1] = mk[1];
 2860       ukey1[2] = mk[2];
 2861       ukey1[3] = mk[3];
 2862 
 2863       u32 ukey2[4];
 2864 
 2865       ukey2[0] = mk[4];
 2866       ukey2[1] = mk[5];
 2867       ukey2[2] = mk[6];
 2868       ukey2[3] = mk[7];
 2869 
 2870       u32 ks1[140];
 2871       u32 ks2[140];
 2872 
 2873       serpent128_set_key (ks1, ukey1);
 2874       serpent128_set_key (ks2, ukey2);
 2875 
 2876       luks_decrypt_sector_serpent_xts_plain256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 2877     }
 2878     else if (key_size == HC_LUKS_KEY_SIZE_512)
 2879     {
 2880       u32 ukey1[8];
 2881 
 2882       ukey1[0] = mk[ 0];
 2883       ukey1[1] = mk[ 1];
 2884       ukey1[2] = mk[ 2];
 2885       ukey1[3] = mk[ 3];
 2886       ukey1[4] = mk[ 4];
 2887       ukey1[5] = mk[ 5];
 2888       ukey1[6] = mk[ 6];
 2889       ukey1[7] = mk[ 7];
 2890 
 2891       u32 ukey2[8];
 2892 
 2893       ukey2[0] = mk[ 8];
 2894       ukey2[1] = mk[ 9];
 2895       ukey2[2] = mk[10];
 2896       ukey2[3] = mk[11];
 2897       ukey2[4] = mk[12];
 2898       ukey2[5] = mk[13];
 2899       ukey2[6] = mk[14];
 2900       ukey2[7] = mk[15];
 2901 
 2902       u32 ks1[140];
 2903       u32 ks2[140];
 2904 
 2905       serpent256_set_key (ks1, ukey1);
 2906       serpent256_set_key (ks2, ukey2);
 2907 
 2908       luks_decrypt_sector_serpent_xts_plain512 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 2909     }
 2910   }
 2911 }
 2912 
 2913 DECLSPEC void luks_af_sha256_then_serpent_decrypt (GLOBAL_AS const luks_t *luks_bufs, GLOBAL_AS luks_tmp_t *tmps, PRIVATE_AS u32 *pt_buf)
 2914 {
 2915   const u32 key_size    = luks_bufs->key_size;
 2916   const u32 cipher_mode = luks_bufs->cipher_mode;
 2917 
 2918   #define BITS_PER_AF (key_size * LUKS_STRIPES)
 2919   #define BITS_PER_SECTOR (512 * 8)
 2920   #define SECTOR_PER_AF (BITS_PER_AF / BITS_PER_SECTOR)
 2921   #define BLOCKS_PER_SECTOR (512 / 16)
 2922   #define OFFSET_PER_BLOCK (16 / 4)
 2923   #define OFFSET_PER_SECTOR (BLOCKS_PER_SECTOR * OFFSET_PER_BLOCK)
 2924 
 2925   // decrypt AF data and do the AF merge inline
 2926 
 2927   u32 mk[16] = { 0 };
 2928 
 2929   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 2930   {
 2931     if (key_size == HC_LUKS_KEY_SIZE_128)
 2932     {
 2933       u32 ukey[4];
 2934 
 2935       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2936       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2937       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2938       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2939 
 2940       u32 essivhash[8];
 2941 
 2942       ESSIV_sha256_init128 (ukey, essivhash);
 2943 
 2944       u32 ks1[140];
 2945       u32 ks2[140];
 2946 
 2947       serpent128_set_key (ks1, ukey);
 2948       serpent256_set_key (ks2, essivhash);
 2949 
 2950       int sector = 0;
 2951       int offset = 0;
 2952 
 2953       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2954       {
 2955         luks_decrypt_sector_serpent_cbc_essiv128_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2956       }
 2957 
 2958       luks_decrypt_sector_serpent_cbc_essiv128_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2959     }
 2960     else if (key_size == HC_LUKS_KEY_SIZE_256)
 2961     {
 2962       u32 ukey[8];
 2963 
 2964       ukey[0] = hc_swap32_S (tmps->out32[0]);
 2965       ukey[1] = hc_swap32_S (tmps->out32[1]);
 2966       ukey[2] = hc_swap32_S (tmps->out32[2]);
 2967       ukey[3] = hc_swap32_S (tmps->out32[3]);
 2968       ukey[4] = hc_swap32_S (tmps->out32[4]);
 2969       ukey[5] = hc_swap32_S (tmps->out32[5]);
 2970       ukey[6] = hc_swap32_S (tmps->out32[6]);
 2971       ukey[7] = hc_swap32_S (tmps->out32[7]);
 2972 
 2973       u32 essivhash[8];
 2974 
 2975       ESSIV_sha256_init256 (ukey, essivhash);
 2976 
 2977       u32 ks1[140];
 2978       u32 ks2[140];
 2979 
 2980       serpent256_set_key (ks1, ukey);
 2981       serpent256_set_key (ks2, essivhash);
 2982 
 2983       int sector = 0;
 2984       int offset = 0;
 2985 
 2986       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 2987       {
 2988         luks_decrypt_sector_serpent_cbc_essiv256_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2989       }
 2990 
 2991       luks_decrypt_sector_serpent_cbc_essiv256_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 2992     }
 2993   }
 2994   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 2995   {
 2996     if (key_size == HC_LUKS_KEY_SIZE_128)
 2997     {
 2998       u32 ukey[4];
 2999 
 3000       ukey[0] = hc_swap32_S (tmps->out32[0]);
 3001       ukey[1] = hc_swap32_S (tmps->out32[1]);
 3002       ukey[2] = hc_swap32_S (tmps->out32[2]);
 3003       ukey[3] = hc_swap32_S (tmps->out32[3]);
 3004 
 3005       u32 ks1[140];
 3006 
 3007       serpent128_set_key (ks1, ukey);
 3008 
 3009       int sector = 0;
 3010       int offset = 0;
 3011 
 3012       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3013       {
 3014         luks_decrypt_sector_serpent_cbc_plain128_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3015       }
 3016 
 3017       luks_decrypt_sector_serpent_cbc_plain128_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3018     }
 3019     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3020     {
 3021       u32 ukey[8];
 3022 
 3023       ukey[0] = hc_swap32_S (tmps->out32[0]);
 3024       ukey[1] = hc_swap32_S (tmps->out32[1]);
 3025       ukey[2] = hc_swap32_S (tmps->out32[2]);
 3026       ukey[3] = hc_swap32_S (tmps->out32[3]);
 3027       ukey[4] = hc_swap32_S (tmps->out32[4]);
 3028       ukey[5] = hc_swap32_S (tmps->out32[5]);
 3029       ukey[6] = hc_swap32_S (tmps->out32[6]);
 3030       ukey[7] = hc_swap32_S (tmps->out32[7]);
 3031 
 3032       u32 ks1[140];
 3033 
 3034       serpent256_set_key (ks1, ukey);
 3035 
 3036       int sector = 0;
 3037       int offset = 0;
 3038 
 3039       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3040       {
 3041         luks_decrypt_sector_serpent_cbc_plain256_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3042       }
 3043 
 3044       luks_decrypt_sector_serpent_cbc_plain256_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3045     }
 3046   }
 3047   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3048   {
 3049     if (key_size == HC_LUKS_KEY_SIZE_256)
 3050     {
 3051       u32 ukey1[4];
 3052 
 3053       ukey1[0] = hc_swap32_S (tmps->out32[0]);
 3054       ukey1[1] = hc_swap32_S (tmps->out32[1]);
 3055       ukey1[2] = hc_swap32_S (tmps->out32[2]);
 3056       ukey1[3] = hc_swap32_S (tmps->out32[3]);
 3057 
 3058       u32 ukey2[4];
 3059 
 3060       ukey2[0] = hc_swap32_S (tmps->out32[4]);
 3061       ukey2[1] = hc_swap32_S (tmps->out32[5]);
 3062       ukey2[2] = hc_swap32_S (tmps->out32[6]);
 3063       ukey2[3] = hc_swap32_S (tmps->out32[7]);
 3064 
 3065       u32 ks1[140];
 3066       u32 ks2[140];
 3067 
 3068       serpent128_set_key (ks1, ukey1);
 3069       serpent128_set_key (ks2, ukey2);
 3070 
 3071       int sector = 0;
 3072       int offset = 0;
 3073 
 3074       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3075       {
 3076         luks_decrypt_sector_serpent_xts_plain256_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3077       }
 3078 
 3079       luks_decrypt_sector_serpent_xts_plain256_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3080     }
 3081     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3082     {
 3083       u32 ukey1[8];
 3084 
 3085       ukey1[0] = hc_swap32_S (tmps->out32[ 0]);
 3086       ukey1[1] = hc_swap32_S (tmps->out32[ 1]);
 3087       ukey1[2] = hc_swap32_S (tmps->out32[ 2]);
 3088       ukey1[3] = hc_swap32_S (tmps->out32[ 3]);
 3089       ukey1[4] = hc_swap32_S (tmps->out32[ 4]);
 3090       ukey1[5] = hc_swap32_S (tmps->out32[ 5]);
 3091       ukey1[6] = hc_swap32_S (tmps->out32[ 6]);
 3092       ukey1[7] = hc_swap32_S (tmps->out32[ 7]);
 3093 
 3094       u32 ukey2[8];
 3095 
 3096       ukey2[0] = hc_swap32_S (tmps->out32[ 8]);
 3097       ukey2[1] = hc_swap32_S (tmps->out32[ 9]);
 3098       ukey2[2] = hc_swap32_S (tmps->out32[10]);
 3099       ukey2[3] = hc_swap32_S (tmps->out32[11]);
 3100       ukey2[4] = hc_swap32_S (tmps->out32[12]);
 3101       ukey2[5] = hc_swap32_S (tmps->out32[13]);
 3102       ukey2[6] = hc_swap32_S (tmps->out32[14]);
 3103       ukey2[7] = hc_swap32_S (tmps->out32[15]);
 3104 
 3105       u32 ks1[140];
 3106       u32 ks2[140];
 3107 
 3108       serpent256_set_key (ks1, ukey1);
 3109       serpent256_set_key (ks2, ukey2);
 3110 
 3111       int sector = 0;
 3112       int offset = 0;
 3113 
 3114       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3115       {
 3116         luks_decrypt_sector_serpent_xts_plain512_mk_sha256 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3117       }
 3118 
 3119       luks_decrypt_sector_serpent_xts_plain512_mk_sha256_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3120     }
 3121   }
 3122 
 3123   // decrypt payload data
 3124 
 3125   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 3126   {
 3127     if (key_size == HC_LUKS_KEY_SIZE_128)
 3128     {
 3129       u32 ukey[4];
 3130 
 3131       ukey[0] = mk[0];
 3132       ukey[1] = mk[1];
 3133       ukey[2] = mk[2];
 3134       ukey[3] = mk[3];
 3135 
 3136       u32 essivhash[8];
 3137 
 3138       ESSIV_sha256_init128 (ukey, essivhash);
 3139 
 3140       u32 ks1[140];
 3141       u32 ks2[140];
 3142 
 3143       serpent128_set_key (ks1, ukey);
 3144       serpent256_set_key (ks2, essivhash);
 3145 
 3146       luks_decrypt_sector_serpent_cbc_essiv128 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3147     }
 3148     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3149     {
 3150       u32 ukey[8];
 3151 
 3152       ukey[0] = mk[0];
 3153       ukey[1] = mk[1];
 3154       ukey[2] = mk[2];
 3155       ukey[3] = mk[3];
 3156       ukey[4] = mk[4];
 3157       ukey[5] = mk[5];
 3158       ukey[6] = mk[6];
 3159       ukey[7] = mk[7];
 3160 
 3161       u32 essivhash[8];
 3162 
 3163       ESSIV_sha256_init256 (ukey, essivhash);
 3164 
 3165       u32 ks1[140];
 3166       u32 ks2[140];
 3167 
 3168       serpent256_set_key (ks1, ukey);
 3169       serpent256_set_key (ks2, essivhash);
 3170 
 3171       luks_decrypt_sector_serpent_cbc_essiv256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3172     }
 3173   }
 3174   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 3175   {
 3176     if (key_size == HC_LUKS_KEY_SIZE_128)
 3177     {
 3178       u32 ukey[4];
 3179 
 3180       ukey[0] = mk[0];
 3181       ukey[1] = mk[1];
 3182       ukey[2] = mk[2];
 3183       ukey[3] = mk[3];
 3184 
 3185       u32 ks1[140];
 3186 
 3187       serpent128_set_key (ks1, ukey);
 3188 
 3189       luks_decrypt_sector_serpent_cbc_plain128 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3190     }
 3191     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3192     {
 3193       u32 ukey[8];
 3194 
 3195       ukey[0] = mk[0];
 3196       ukey[1] = mk[1];
 3197       ukey[2] = mk[2];
 3198       ukey[3] = mk[3];
 3199       ukey[4] = mk[4];
 3200       ukey[5] = mk[5];
 3201       ukey[6] = mk[6];
 3202       ukey[7] = mk[7];
 3203 
 3204       u32 ks1[140];
 3205 
 3206       serpent256_set_key (ks1, ukey);
 3207 
 3208       luks_decrypt_sector_serpent_cbc_plain256 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3209     }
 3210   }
 3211   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3212   {
 3213     if (key_size == HC_LUKS_KEY_SIZE_256)
 3214     {
 3215       u32 ukey1[4];
 3216 
 3217       ukey1[0] = mk[0];
 3218       ukey1[1] = mk[1];
 3219       ukey1[2] = mk[2];
 3220       ukey1[3] = mk[3];
 3221 
 3222       u32 ukey2[4];
 3223 
 3224       ukey2[0] = mk[4];
 3225       ukey2[1] = mk[5];
 3226       ukey2[2] = mk[6];
 3227       ukey2[3] = mk[7];
 3228 
 3229       u32 ks1[140];
 3230       u32 ks2[140];
 3231 
 3232       serpent128_set_key (ks1, ukey1);
 3233       serpent128_set_key (ks2, ukey2);
 3234 
 3235       luks_decrypt_sector_serpent_xts_plain256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3236     }
 3237     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3238     {
 3239       u32 ukey1[8];
 3240 
 3241       ukey1[0] = mk[ 0];
 3242       ukey1[1] = mk[ 1];
 3243       ukey1[2] = mk[ 2];
 3244       ukey1[3] = mk[ 3];
 3245       ukey1[4] = mk[ 4];
 3246       ukey1[5] = mk[ 5];
 3247       ukey1[6] = mk[ 6];
 3248       ukey1[7] = mk[ 7];
 3249 
 3250       u32 ukey2[8];
 3251 
 3252       ukey2[0] = mk[ 8];
 3253       ukey2[1] = mk[ 9];
 3254       ukey2[2] = mk[10];
 3255       ukey2[3] = mk[11];
 3256       ukey2[4] = mk[12];
 3257       ukey2[5] = mk[13];
 3258       ukey2[6] = mk[14];
 3259       ukey2[7] = mk[15];
 3260 
 3261       u32 ks1[140];
 3262       u32 ks2[140];
 3263 
 3264       serpent256_set_key (ks1, ukey1);
 3265       serpent256_set_key (ks2, ukey2);
 3266 
 3267       luks_decrypt_sector_serpent_xts_plain512 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3268     }
 3269   }
 3270 }
 3271 
 3272 DECLSPEC void luks_af_sha512_then_serpent_decrypt (GLOBAL_AS const luks_t *luks_bufs, GLOBAL_AS luks_tmp_t *tmps, PRIVATE_AS u32 *pt_buf)
 3273 {
 3274   const u32 key_size    = luks_bufs->key_size;
 3275   const u32 cipher_mode = luks_bufs->cipher_mode;
 3276 
 3277   #define BITS_PER_AF (key_size * LUKS_STRIPES)
 3278   #define BITS_PER_SECTOR (512 * 8)
 3279   #define SECTOR_PER_AF (BITS_PER_AF / BITS_PER_SECTOR)
 3280   #define BLOCKS_PER_SECTOR (512 / 16)
 3281   #define OFFSET_PER_BLOCK (16 / 4)
 3282   #define OFFSET_PER_SECTOR (BLOCKS_PER_SECTOR * OFFSET_PER_BLOCK)
 3283 
 3284   // move data from out64 to out32
 3285 
 3286   tmps->out32[ 0] = l32_from_64_S (tmps->out64[0]);
 3287   tmps->out32[ 1] = h32_from_64_S (tmps->out64[0]);
 3288   tmps->out32[ 2] = l32_from_64_S (tmps->out64[1]);
 3289   tmps->out32[ 3] = h32_from_64_S (tmps->out64[1]);
 3290   tmps->out32[ 4] = l32_from_64_S (tmps->out64[2]);
 3291   tmps->out32[ 5] = h32_from_64_S (tmps->out64[2]);
 3292   tmps->out32[ 6] = l32_from_64_S (tmps->out64[3]);
 3293   tmps->out32[ 7] = h32_from_64_S (tmps->out64[3]);
 3294   tmps->out32[ 8] = l32_from_64_S (tmps->out64[4]);
 3295   tmps->out32[ 9] = h32_from_64_S (tmps->out64[4]);
 3296   tmps->out32[10] = l32_from_64_S (tmps->out64[5]);
 3297   tmps->out32[11] = h32_from_64_S (tmps->out64[5]);
 3298   tmps->out32[12] = l32_from_64_S (tmps->out64[6]);
 3299   tmps->out32[13] = h32_from_64_S (tmps->out64[6]);
 3300   tmps->out32[14] = l32_from_64_S (tmps->out64[7]);
 3301   tmps->out32[15] = h32_from_64_S (tmps->out64[7]);
 3302 
 3303   // decrypt AF data and do the AF merge inline
 3304 
 3305   u32 mk[16] = { 0 };
 3306 
 3307   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 3308   {
 3309     if (key_size == HC_LUKS_KEY_SIZE_128)
 3310     {
 3311       u32 ukey[4];
 3312 
 3313       ukey[0] = hc_swap32_S (tmps->out32[1]);
 3314       ukey[1] = hc_swap32_S (tmps->out32[0]);
 3315       ukey[2] = hc_swap32_S (tmps->out32[3]);
 3316       ukey[3] = hc_swap32_S (tmps->out32[2]);
 3317 
 3318       u32 essivhash[8];
 3319 
 3320       ESSIV_sha256_init128 (ukey, essivhash);
 3321 
 3322       u32 ks1[140];
 3323       u32 ks2[140];
 3324 
 3325       serpent128_set_key (ks1, ukey);
 3326       serpent256_set_key (ks2, essivhash);
 3327 
 3328       int sector = 0;
 3329       int offset = 0;
 3330 
 3331       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3332       {
 3333         luks_decrypt_sector_serpent_cbc_essiv128_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3334       }
 3335 
 3336       luks_decrypt_sector_serpent_cbc_essiv128_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3337     }
 3338     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3339     {
 3340       u32 ukey[8];
 3341 
 3342       ukey[0] = hc_swap32_S (tmps->out32[1]);
 3343       ukey[1] = hc_swap32_S (tmps->out32[0]);
 3344       ukey[2] = hc_swap32_S (tmps->out32[3]);
 3345       ukey[3] = hc_swap32_S (tmps->out32[2]);
 3346       ukey[4] = hc_swap32_S (tmps->out32[5]);
 3347       ukey[5] = hc_swap32_S (tmps->out32[4]);
 3348       ukey[6] = hc_swap32_S (tmps->out32[7]);
 3349       ukey[7] = hc_swap32_S (tmps->out32[6]);
 3350 
 3351       u32 essivhash[8];
 3352 
 3353       ESSIV_sha256_init256 (ukey, essivhash);
 3354 
 3355       u32 ks1[140];
 3356       u32 ks2[140];
 3357 
 3358       serpent256_set_key (ks1, ukey);
 3359       serpent256_set_key (ks2, essivhash);
 3360 
 3361       int sector = 0;
 3362       int offset = 0;
 3363 
 3364       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3365       {
 3366         luks_decrypt_sector_serpent_cbc_essiv256_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3367       }
 3368 
 3369       luks_decrypt_sector_serpent_cbc_essiv256_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3370     }
 3371   }
 3372   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 3373   {
 3374     if (key_size == HC_LUKS_KEY_SIZE_128)
 3375     {
 3376       u32 ukey[4];
 3377 
 3378       ukey[0] = hc_swap32_S (tmps->out32[1]);
 3379       ukey[1] = hc_swap32_S (tmps->out32[0]);
 3380       ukey[2] = hc_swap32_S (tmps->out32[3]);
 3381       ukey[3] = hc_swap32_S (tmps->out32[2]);
 3382 
 3383       u32 ks1[140];
 3384 
 3385       serpent128_set_key (ks1, ukey);
 3386 
 3387       int sector = 0;
 3388       int offset = 0;
 3389 
 3390       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3391       {
 3392         luks_decrypt_sector_serpent_cbc_plain128_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3393       }
 3394 
 3395       luks_decrypt_sector_serpent_cbc_plain128_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3396     }
 3397     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3398     {
 3399       u32 ukey[8];
 3400 
 3401       ukey[0] = hc_swap32_S (tmps->out32[1]);
 3402       ukey[1] = hc_swap32_S (tmps->out32[0]);
 3403       ukey[2] = hc_swap32_S (tmps->out32[3]);
 3404       ukey[3] = hc_swap32_S (tmps->out32[2]);
 3405       ukey[4] = hc_swap32_S (tmps->out32[5]);
 3406       ukey[5] = hc_swap32_S (tmps->out32[4]);
 3407       ukey[6] = hc_swap32_S (tmps->out32[7]);
 3408       ukey[7] = hc_swap32_S (tmps->out32[6]);
 3409 
 3410       u32 ks1[140];
 3411 
 3412       serpent256_set_key (ks1, ukey);
 3413 
 3414       int sector = 0;
 3415       int offset = 0;
 3416 
 3417       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3418       {
 3419         luks_decrypt_sector_serpent_cbc_plain256_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3420       }
 3421 
 3422       luks_decrypt_sector_serpent_cbc_plain256_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3423     }
 3424   }
 3425   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3426   {
 3427     if (key_size == HC_LUKS_KEY_SIZE_256)
 3428     {
 3429       u32 ukey1[4];
 3430 
 3431       ukey1[0] = hc_swap32_S (tmps->out32[1]);
 3432       ukey1[1] = hc_swap32_S (tmps->out32[0]);
 3433       ukey1[2] = hc_swap32_S (tmps->out32[3]);
 3434       ukey1[3] = hc_swap32_S (tmps->out32[2]);
 3435 
 3436       u32 ukey2[4];
 3437 
 3438       ukey2[0] = hc_swap32_S (tmps->out32[5]);
 3439       ukey2[1] = hc_swap32_S (tmps->out32[4]);
 3440       ukey2[2] = hc_swap32_S (tmps->out32[7]);
 3441       ukey2[3] = hc_swap32_S (tmps->out32[6]);
 3442 
 3443       u32 ks1[140];
 3444       u32 ks2[140];
 3445 
 3446       serpent128_set_key (ks1, ukey1);
 3447       serpent128_set_key (ks2, ukey2);
 3448 
 3449       int sector = 0;
 3450       int offset = 0;
 3451 
 3452       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3453       {
 3454         luks_decrypt_sector_serpent_xts_plain256_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3455       }
 3456 
 3457       luks_decrypt_sector_serpent_xts_plain256_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3458     }
 3459     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3460     {
 3461       u32 ukey1[8];
 3462 
 3463       ukey1[0] = hc_swap32_S (tmps->out32[ 1]);
 3464       ukey1[1] = hc_swap32_S (tmps->out32[ 0]);
 3465       ukey1[2] = hc_swap32_S (tmps->out32[ 3]);
 3466       ukey1[3] = hc_swap32_S (tmps->out32[ 2]);
 3467       ukey1[4] = hc_swap32_S (tmps->out32[ 5]);
 3468       ukey1[5] = hc_swap32_S (tmps->out32[ 4]);
 3469       ukey1[6] = hc_swap32_S (tmps->out32[ 7]);
 3470       ukey1[7] = hc_swap32_S (tmps->out32[ 6]);
 3471 
 3472       u32 ukey2[8];
 3473 
 3474       ukey2[0] = hc_swap32_S (tmps->out32[ 9]);
 3475       ukey2[1] = hc_swap32_S (tmps->out32[ 8]);
 3476       ukey2[2] = hc_swap32_S (tmps->out32[11]);
 3477       ukey2[3] = hc_swap32_S (tmps->out32[10]);
 3478       ukey2[4] = hc_swap32_S (tmps->out32[13]);
 3479       ukey2[5] = hc_swap32_S (tmps->out32[12]);
 3480       ukey2[6] = hc_swap32_S (tmps->out32[15]);
 3481       ukey2[7] = hc_swap32_S (tmps->out32[14]);
 3482 
 3483       u32 ks1[140];
 3484       u32 ks2[140];
 3485 
 3486       serpent256_set_key (ks1, ukey1);
 3487       serpent256_set_key (ks2, ukey2);
 3488 
 3489       int sector = 0;
 3490       int offset = 0;
 3491 
 3492       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3493       {
 3494         luks_decrypt_sector_serpent_xts_plain512_mk_sha512 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3495       }
 3496 
 3497       luks_decrypt_sector_serpent_xts_plain512_mk_sha512_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3498     }
 3499   }
 3500 
 3501   // decrypt payload data
 3502 
 3503   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 3504   {
 3505     if (key_size == HC_LUKS_KEY_SIZE_128)
 3506     {
 3507       u32 ukey[4];
 3508 
 3509       ukey[0] = mk[0];
 3510       ukey[1] = mk[1];
 3511       ukey[2] = mk[2];
 3512       ukey[3] = mk[3];
 3513 
 3514       u32 essivhash[8];
 3515 
 3516       ESSIV_sha256_init128 (ukey, essivhash);
 3517 
 3518       u32 ks1[140];
 3519       u32 ks2[140];
 3520 
 3521       serpent128_set_key (ks1, ukey);
 3522       serpent256_set_key (ks2, essivhash);
 3523 
 3524       luks_decrypt_sector_serpent_cbc_essiv128 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3525     }
 3526     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3527     {
 3528       u32 ukey[8];
 3529 
 3530       ukey[0] = mk[0];
 3531       ukey[1] = mk[1];
 3532       ukey[2] = mk[2];
 3533       ukey[3] = mk[3];
 3534       ukey[4] = mk[4];
 3535       ukey[5] = mk[5];
 3536       ukey[6] = mk[6];
 3537       ukey[7] = mk[7];
 3538 
 3539       u32 essivhash[8];
 3540 
 3541       ESSIV_sha256_init256 (ukey, essivhash);
 3542 
 3543       u32 ks1[140];
 3544       u32 ks2[140];
 3545 
 3546       serpent256_set_key (ks1, ukey);
 3547       serpent256_set_key (ks2, essivhash);
 3548 
 3549       luks_decrypt_sector_serpent_cbc_essiv256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3550     }
 3551   }
 3552   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 3553   {
 3554     if (key_size == HC_LUKS_KEY_SIZE_128)
 3555     {
 3556       u32 ukey[4];
 3557 
 3558       ukey[0] = mk[0];
 3559       ukey[1] = mk[1];
 3560       ukey[2] = mk[2];
 3561       ukey[3] = mk[3];
 3562 
 3563       u32 ks1[140];
 3564 
 3565       serpent128_set_key (ks1, ukey);
 3566 
 3567       luks_decrypt_sector_serpent_cbc_plain128 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3568     }
 3569     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3570     {
 3571       u32 ukey[8];
 3572 
 3573       ukey[0] = mk[0];
 3574       ukey[1] = mk[1];
 3575       ukey[2] = mk[2];
 3576       ukey[3] = mk[3];
 3577       ukey[4] = mk[4];
 3578       ukey[5] = mk[5];
 3579       ukey[6] = mk[6];
 3580       ukey[7] = mk[7];
 3581 
 3582       u32 ks1[140];
 3583 
 3584       serpent256_set_key (ks1, ukey);
 3585 
 3586       luks_decrypt_sector_serpent_cbc_plain256 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3587     }
 3588   }
 3589   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3590   {
 3591     if (key_size == HC_LUKS_KEY_SIZE_256)
 3592     {
 3593       u32 ukey1[4];
 3594 
 3595       ukey1[0] = mk[0];
 3596       ukey1[1] = mk[1];
 3597       ukey1[2] = mk[2];
 3598       ukey1[3] = mk[3];
 3599 
 3600       u32 ukey2[4];
 3601 
 3602       ukey2[0] = mk[4];
 3603       ukey2[1] = mk[5];
 3604       ukey2[2] = mk[6];
 3605       ukey2[3] = mk[7];
 3606 
 3607       u32 ks1[140];
 3608       u32 ks2[140];
 3609 
 3610       serpent128_set_key (ks1, ukey1);
 3611       serpent128_set_key (ks2, ukey2);
 3612 
 3613       luks_decrypt_sector_serpent_xts_plain256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3614     }
 3615     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3616     {
 3617       u32 ukey1[8];
 3618 
 3619       ukey1[0] = mk[ 0];
 3620       ukey1[1] = mk[ 1];
 3621       ukey1[2] = mk[ 2];
 3622       ukey1[3] = mk[ 3];
 3623       ukey1[4] = mk[ 4];
 3624       ukey1[5] = mk[ 5];
 3625       ukey1[6] = mk[ 6];
 3626       ukey1[7] = mk[ 7];
 3627 
 3628       u32 ukey2[8];
 3629 
 3630       ukey2[0] = mk[ 8];
 3631       ukey2[1] = mk[ 9];
 3632       ukey2[2] = mk[10];
 3633       ukey2[3] = mk[11];
 3634       ukey2[4] = mk[12];
 3635       ukey2[5] = mk[13];
 3636       ukey2[6] = mk[14];
 3637       ukey2[7] = mk[15];
 3638 
 3639       u32 ks1[140];
 3640       u32 ks2[140];
 3641 
 3642       serpent256_set_key (ks1, ukey1);
 3643       serpent256_set_key (ks2, ukey2);
 3644 
 3645       luks_decrypt_sector_serpent_xts_plain512 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3646     }
 3647   }
 3648 }
 3649 
 3650 DECLSPEC void luks_af_ripemd160_then_serpent_decrypt (GLOBAL_AS const luks_t *luks_bufs, GLOBAL_AS luks_tmp_t *tmps, PRIVATE_AS u32 *pt_buf)
 3651 {
 3652   const u32 key_size    = luks_bufs->key_size;
 3653   const u32 cipher_mode = luks_bufs->cipher_mode;
 3654 
 3655   #define BITS_PER_AF (key_size * LUKS_STRIPES)
 3656   #define BITS_PER_SECTOR (512 * 8)
 3657   #define SECTOR_PER_AF (BITS_PER_AF / BITS_PER_SECTOR)
 3658   #define BLOCKS_PER_SECTOR (512 / 16)
 3659   #define OFFSET_PER_BLOCK (16 / 4)
 3660   #define OFFSET_PER_SECTOR (BLOCKS_PER_SECTOR * OFFSET_PER_BLOCK)
 3661 
 3662   // decrypt AF data and do the AF merge inline
 3663 
 3664   u32 mk[16] = { 0 };
 3665 
 3666   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 3667   {
 3668     if (key_size == HC_LUKS_KEY_SIZE_128)
 3669     {
 3670       u32 ukey[4];
 3671 
 3672       ukey[0] = tmps->out32[0];
 3673       ukey[1] = tmps->out32[1];
 3674       ukey[2] = tmps->out32[2];
 3675       ukey[3] = tmps->out32[3];
 3676 
 3677       u32 essivhash[8];
 3678 
 3679       ESSIV_sha256_init128 (ukey, essivhash);
 3680 
 3681       u32 ks1[140];
 3682       u32 ks2[140];
 3683 
 3684       serpent128_set_key (ks1, ukey);
 3685       serpent256_set_key (ks2, essivhash);
 3686 
 3687       int sector = 0;
 3688       int offset = 0;
 3689 
 3690       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3691       {
 3692         luks_decrypt_sector_serpent_cbc_essiv128_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3693       }
 3694 
 3695       luks_decrypt_sector_serpent_cbc_essiv128_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3696     }
 3697     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3698     {
 3699       u32 ukey[8];
 3700 
 3701       ukey[0] = tmps->out32[0];
 3702       ukey[1] = tmps->out32[1];
 3703       ukey[2] = tmps->out32[2];
 3704       ukey[3] = tmps->out32[3];
 3705       ukey[4] = tmps->out32[4];
 3706       ukey[5] = tmps->out32[5];
 3707       ukey[6] = tmps->out32[6];
 3708       ukey[7] = tmps->out32[7];
 3709 
 3710       u32 essivhash[8];
 3711 
 3712       ESSIV_sha256_init256 (ukey, essivhash);
 3713 
 3714       u32 ks1[140];
 3715       u32 ks2[140];
 3716 
 3717       serpent256_set_key (ks1, ukey);
 3718       serpent256_set_key (ks2, essivhash);
 3719 
 3720       int sector = 0;
 3721       int offset = 0;
 3722 
 3723       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3724       {
 3725         luks_decrypt_sector_serpent_cbc_essiv256_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3726       }
 3727 
 3728       luks_decrypt_sector_serpent_cbc_essiv256_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3729     }
 3730   }
 3731   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 3732   {
 3733     if (key_size == HC_LUKS_KEY_SIZE_128)
 3734     {
 3735       u32 ukey[4];
 3736 
 3737       ukey[0] = tmps->out32[0];
 3738       ukey[1] = tmps->out32[1];
 3739       ukey[2] = tmps->out32[2];
 3740       ukey[3] = tmps->out32[3];
 3741 
 3742       u32 ks1[140];
 3743 
 3744       serpent128_set_key (ks1, ukey);
 3745 
 3746       int sector = 0;
 3747       int offset = 0;
 3748 
 3749       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3750       {
 3751         luks_decrypt_sector_serpent_cbc_plain128_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3752       }
 3753 
 3754       luks_decrypt_sector_serpent_cbc_plain128_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3755     }
 3756     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3757     {
 3758       u32 ukey[8];
 3759 
 3760       ukey[0] = tmps->out32[0];
 3761       ukey[1] = tmps->out32[1];
 3762       ukey[2] = tmps->out32[2];
 3763       ukey[3] = tmps->out32[3];
 3764       ukey[4] = tmps->out32[4];
 3765       ukey[5] = tmps->out32[5];
 3766       ukey[6] = tmps->out32[6];
 3767       ukey[7] = tmps->out32[7];
 3768 
 3769       u32 ks1[140];
 3770 
 3771       serpent256_set_key (ks1, ukey);
 3772 
 3773       int sector = 0;
 3774       int offset = 0;
 3775 
 3776       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3777       {
 3778         luks_decrypt_sector_serpent_cbc_plain256_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, sector);
 3779       }
 3780 
 3781       luks_decrypt_sector_serpent_cbc_plain256_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, sector);
 3782     }
 3783   }
 3784   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3785   {
 3786     if (key_size == HC_LUKS_KEY_SIZE_256)
 3787     {
 3788       u32 ukey1[4];
 3789 
 3790       ukey1[0] = tmps->out32[0];
 3791       ukey1[1] = tmps->out32[1];
 3792       ukey1[2] = tmps->out32[2];
 3793       ukey1[3] = tmps->out32[3];
 3794 
 3795       u32 ukey2[4];
 3796 
 3797       ukey2[0] = tmps->out32[4];
 3798       ukey2[1] = tmps->out32[5];
 3799       ukey2[2] = tmps->out32[6];
 3800       ukey2[3] = tmps->out32[7];
 3801 
 3802       u32 ks1[140];
 3803       u32 ks2[140];
 3804 
 3805       serpent128_set_key (ks1, ukey1);
 3806       serpent128_set_key (ks2, ukey2);
 3807 
 3808       int sector = 0;
 3809       int offset = 0;
 3810 
 3811       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3812       {
 3813         luks_decrypt_sector_serpent_xts_plain256_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3814       }
 3815 
 3816       luks_decrypt_sector_serpent_xts_plain256_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3817     }
 3818     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3819     {
 3820       u32 ukey1[8];
 3821 
 3822       ukey1[0] = tmps->out32[ 0];
 3823       ukey1[1] = tmps->out32[ 1];
 3824       ukey1[2] = tmps->out32[ 2];
 3825       ukey1[3] = tmps->out32[ 3];
 3826       ukey1[4] = tmps->out32[ 4];
 3827       ukey1[5] = tmps->out32[ 5];
 3828       ukey1[6] = tmps->out32[ 6];
 3829       ukey1[7] = tmps->out32[ 7];
 3830 
 3831       u32 ukey2[8];
 3832 
 3833       ukey2[0] = tmps->out32[ 8];
 3834       ukey2[1] = tmps->out32[ 9];
 3835       ukey2[2] = tmps->out32[10];
 3836       ukey2[3] = tmps->out32[11];
 3837       ukey2[4] = tmps->out32[12];
 3838       ukey2[5] = tmps->out32[13];
 3839       ukey2[6] = tmps->out32[14];
 3840       ukey2[7] = tmps->out32[15];
 3841 
 3842       u32 ks1[140];
 3843       u32 ks2[140];
 3844 
 3845       serpent256_set_key (ks1, ukey1);
 3846       serpent256_set_key (ks2, ukey2);
 3847 
 3848       int sector = 0;
 3849       int offset = 0;
 3850 
 3851       for (sector = 0; sector < SECTOR_PER_AF - 1; sector++, offset += OFFSET_PER_SECTOR)
 3852       {
 3853         luks_decrypt_sector_serpent_xts_plain512_mk_ripemd160 (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3854       }
 3855 
 3856       luks_decrypt_sector_serpent_xts_plain512_mk_ripemd160_final (luks_bufs->af_buf + offset, mk, ks1, ks2, sector);
 3857     }
 3858   }
 3859 
 3860   // decrypt payload data
 3861 
 3862   if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_ESSIV_SHA256)
 3863   {
 3864     if (key_size == HC_LUKS_KEY_SIZE_128)
 3865     {
 3866       u32 ukey[4];
 3867 
 3868       ukey[0] = mk[0];
 3869       ukey[1] = mk[1];
 3870       ukey[2] = mk[2];
 3871       ukey[3] = mk[3];
 3872 
 3873       u32 essivhash[8];
 3874 
 3875       ESSIV_sha256_init128 (ukey, essivhash);
 3876 
 3877       u32 ks1[140];
 3878       u32 ks2[140];
 3879 
 3880       serpent128_set_key (ks1, ukey);
 3881       serpent256_set_key (ks2, essivhash);
 3882 
 3883       luks_decrypt_sector_serpent_cbc_essiv128 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3884     }
 3885     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3886     {
 3887       u32 ukey[8];
 3888 
 3889       ukey[0] = mk[0];
 3890       ukey[1] = mk[1];
 3891       ukey[2] = mk[2];
 3892       ukey[3] = mk[3];
 3893       ukey[4] = mk[4];
 3894       ukey[5] = mk[5];
 3895       ukey[6] = mk[6];
 3896       ukey[7] = mk[7];
 3897 
 3898       u32 essivhash[8];
 3899 
 3900       ESSIV_sha256_init256 (ukey, essivhash);
 3901 
 3902       u32 ks1[140];
 3903       u32 ks2[140];
 3904 
 3905       serpent256_set_key (ks1, ukey);
 3906       serpent256_set_key (ks2, essivhash);
 3907 
 3908       luks_decrypt_sector_serpent_cbc_essiv256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3909     }
 3910   }
 3911   else if (cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_CBC_PLAIN64)
 3912   {
 3913     if (key_size == HC_LUKS_KEY_SIZE_128)
 3914     {
 3915       u32 ukey[4];
 3916 
 3917       ukey[0] = mk[0];
 3918       ukey[1] = mk[1];
 3919       ukey[2] = mk[2];
 3920       ukey[3] = mk[3];
 3921 
 3922       u32 ks1[140];
 3923 
 3924       serpent128_set_key (ks1, ukey);
 3925 
 3926       luks_decrypt_sector_serpent_cbc_plain128 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3927     }
 3928     else if (key_size == HC_LUKS_KEY_SIZE_256)
 3929     {
 3930       u32 ukey[8];
 3931 
 3932       ukey[0] = mk[0];
 3933       ukey[1] = mk[1];
 3934       ukey[2] = mk[2];
 3935       ukey[3] = mk[3];
 3936       ukey[4] = mk[4];
 3937       ukey[5] = mk[5];
 3938       ukey[6] = mk[6];
 3939       ukey[7] = mk[7];
 3940 
 3941       u32 ks1[140];
 3942 
 3943       serpent256_set_key (ks1, ukey);
 3944 
 3945       luks_decrypt_sector_serpent_cbc_plain256 (luks_bufs->ct_buf, pt_buf, ks1, 0);
 3946     }
 3947   }
 3948   else if (cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN || cipher_mode == HC_LUKS_CIPHER_MODE_XTS_PLAIN64)
 3949   {
 3950     if (key_size == HC_LUKS_KEY_SIZE_256)
 3951     {
 3952       u32 ukey1[4];
 3953 
 3954       ukey1[0] = mk[0];
 3955       ukey1[1] = mk[1];
 3956       ukey1[2] = mk[2];
 3957       ukey1[3] = mk[3];
 3958 
 3959       u32 ukey2[4];
 3960 
 3961       ukey2[0] = mk[4];
 3962       ukey2[1] = mk[5];
 3963       ukey2[2] = mk[6];
 3964       ukey2[3] = mk[7];
 3965 
 3966       u32 ks1[140];
 3967       u32 ks2[140];
 3968 
 3969       serpent128_set_key (ks1, ukey1);
 3970       serpent128_set_key (ks2, ukey2);
 3971 
 3972       luks_decrypt_sector_serpent_xts_plain256 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 3973     }
 3974     else if (key_size == HC_LUKS_KEY_SIZE_512)
 3975     {
 3976       u32 ukey1[8];
 3977 
 3978       ukey1[0] = mk[ 0];
 3979       ukey1[1] = mk[ 1];
 3980       ukey1[2] = mk[ 2];
 3981       ukey1[3] = mk[ 3];
 3982       ukey1[4] = mk[ 4];
 3983       ukey1[5] = mk[ 5];
 3984       ukey1[6] = mk[ 6];
 3985       ukey1[7] = mk[ 7];
 3986 
 3987       u32 ukey2[8];
 3988 
 3989       ukey2[0] = mk[ 8];
 3990       ukey2[1] = mk[ 9];
 3991       ukey2[2] = mk[10];
 3992       ukey2[3] = mk[11];
 3993       ukey2[4] = mk[12];
 3994       ukey2[5] = mk[13];
 3995       ukey2[6] = mk[14];
 3996       ukey2[7] = mk[15];
 3997 
 3998       u32 ks1[140];
 3999       u32 ks2[140];
 4000 
 4001       serpent256_set_key (ks1, ukey1);
 4002       serpent256_set_key (ks2, ukey2);
 4003 
 4004       luks_decrypt_sector_serpent_xts_plain512 (luks_bufs->ct_buf, pt_buf, ks1, ks2, 0);
 4005     }
 4006   }
 4007 }