lib/crypto/poly1305-donna64.c

   1 // SPDX-License-Identifier: GPL-2.0 OR MIT
   2 /*
   3  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
   4  *
   5  * This is based in part on Andrew Moon's poly1305-donna, which is in the
   6  * public domain.
   7  */
   8
   9 #include <linux/kernel.h>
  10 #include <linux/unaligned.h>
  11 #include <crypto/internal/poly1305.h>
  12
  13 void poly1305_core_setkey(struct poly1305_core_key *key,
  14                           const u8 raw_key[POLY1305_BLOCK_SIZE])
  15 {
  16         u64 t0, t1;
  17
  18         /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
  19         t0 = get_unaligned_le64(&raw_key[0]);
  20         t1 = get_unaligned_le64(&raw_key[8]);
  21
  22         key->key.r64[0] = t0 & 0xffc0fffffffULL;
  23         key->key.r64[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffffULL;
  24         key->key.r64[2] = ((t1 >> 24)) & 0x00ffffffc0fULL;
  25
  26         /* s = 20*r */
  27         key->precomputed_s.r64[0] = key->key.r64[1] * 20;
  28         key->precomputed_s.r64[1] = key->key.r64[2] * 20;
  29 }
  30 EXPORT_SYMBOL(poly1305_core_setkey);
  31
  32 void poly1305_core_blocks(struct poly1305_state *state,
  33                           const struct poly1305_core_key *key, const void *src,
  34                           unsigned int nblocks, u32 hibit)
  35 {
  36         const u8 *input = src;
  37         u64 hibit64;
  38         u64 r0, r1, r2;
  39         u64 s1, s2;
  40         u64 h0, h1, h2;
  41         u64 c;
  42         u128 d0, d1, d2, d;
  43
  44         if (!nblocks)
  45                 return;
  46
  47         hibit64 = ((u64)hibit) << 40;
  48
  49         r0 = key->key.r64[0];
  50         r1 = key->key.r64[1];
  51         r2 = key->key.r64[2];
  52
  53         h0 = state->h64[0];
  54         h1 = state->h64[1];
  55         h2 = state->h64[2];
  56
  57         s1 = key->precomputed_s.r64[0];
  58         s2 = key->precomputed_s.r64[1];
  59
  60         do {
  61                 u64 t0, t1;
  62
  63                 /* h += m[i] */
  64                 t0 = get_unaligned_le64(&input[0]);
  65                 t1 = get_unaligned_le64(&input[8]);
  66
  67                 h0 += t0 & 0xfffffffffffULL;
  68                 h1 += ((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL;
  69                 h2 += (((t1 >> 24)) & 0x3ffffffffffULL) | hibit64;
  70
  71                 /* h *= r */
  72                 d0 = (u128)h0 * r0;
  73                 d = (u128)h1 * s2;
  74                 d0 += d;
  75                 d = (u128)h2 * s1;
  76                 d0 += d;
  77                 d1 = (u128)h0 * r1;
  78                 d = (u128)h1 * r0;
  79                 d1 += d;
  80                 d = (u128)h2 * s2;
  81                 d1 += d;
  82                 d2 = (u128)h0 * r2;
  83                 d = (u128)h1 * r1;
  84                 d2 += d;
  85                 d = (u128)h2 * r0;
  86                 d2 += d;
  87
  88                 /* (partial) h %= p */
  89                 c = (u64)(d0 >> 44);
  90                 h0 = (u64)d0 & 0xfffffffffffULL;
  91                 d1 += c;
  92                 c = (u64)(d1 >> 44);
  93                 h1 = (u64)d1 & 0xfffffffffffULL;
  94                 d2 += c;
  95                 c = (u64)(d2 >> 42);
  96                 h2 = (u64)d2 & 0x3ffffffffffULL;
  97                 h0 += c * 5;
  98                 c = h0 >> 44;
  99                 h0 = h0 & 0xfffffffffffULL;
 100                 h1 += c;
 101
 102                 input += POLY1305_BLOCK_SIZE;
 103         } while (--nblocks);
 104
 105         state->h64[0] = h0;
 106         state->h64[1] = h1;
 107         state->h64[2] = h2;
 108 }
 109 EXPORT_SYMBOL(poly1305_core_blocks);
 110
 111 void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
 112                         void *dst)
 113 {
 114         u8 *mac = dst;
 115         u64 h0, h1, h2, c;
 116         u64 g0, g1, g2;
 117         u64 t0, t1;
 118
 119         /* fully carry h */
 120         h0 = state->h64[0];
 121         h1 = state->h64[1];
 122         h2 = state->h64[2];
 123
 124         c = h1 >> 44;
 125         h1 &= 0xfffffffffffULL;
 126         h2 += c;
 127         c = h2 >> 42;
 128         h2 &= 0x3ffffffffffULL;
 129         h0 += c * 5;
 130         c = h0 >> 44;
 131         h0 &= 0xfffffffffffULL;
 132         h1 += c;
 133         c = h1 >> 44;
 134         h1 &= 0xfffffffffffULL;
 135         h2 += c;
 136         c = h2 >> 42;
 137         h2 &= 0x3ffffffffffULL;
 138         h0 += c * 5;
 139         c = h0 >> 44;
 140         h0 &= 0xfffffffffffULL;
 141         h1 += c;
 142
 143         /* compute h + -p */
 144         g0 = h0 + 5;
 145         c  = g0 >> 44;
 146         g0 &= 0xfffffffffffULL;
 147         g1 = h1 + c;
 148         c  = g1 >> 44;
 149         g1 &= 0xfffffffffffULL;
 150         g2 = h2 + c - (1ULL << 42);
 151
 152         /* select h if h < p, or h + -p if h >= p */
 153         c = (g2 >> ((sizeof(u64) * 8) - 1)) - 1;
 154         g0 &= c;
 155         g1 &= c;
 156         g2 &= c;
 157         c  = ~c;
 158         h0 = (h0 & c) | g0;
 159         h1 = (h1 & c) | g1;
 160         h2 = (h2 & c) | g2;
 161
 162         if (likely(nonce)) {
 163                 /* h = (h + nonce) */
 164                 t0 = ((u64)nonce[1] << 32) | nonce[0];
 165                 t1 = ((u64)nonce[3] << 32) | nonce[2];
 166
 167                 h0 += t0 & 0xfffffffffffULL;
 168                 c = h0 >> 44;
 169                 h0 &= 0xfffffffffffULL;
 170                 h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL) + c;
 171                 c = h1 >> 44;
 172                 h1 &= 0xfffffffffffULL;
 173                 h2 += (((t1 >> 24)) & 0x3ffffffffffULL) + c;
 174                 h2 &= 0x3ffffffffffULL;
 175         }
 176
 177         /* mac = h % (2^128) */
 178         h0 = h0 | (h1 << 44);
 179         h1 = (h1 >> 20) | (h2 << 24);
 180
 181         put_unaligned_le64(h0, &mac[0]);
 182         put_unaligned_le64(h1, &mac[8]);
 183 }
 184 EXPORT_SYMBOL(poly1305_core_emit);