| blob | 8870c7c5d9a4df035b84ac3d66074d802b3498ee |
1 /*
2 * AES-NI + SSE2 implementation of AEGIS-128L
3 *
4 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
5 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License version 2 as published
9 * by the Free Software Foundation.
10 */
12 #include <linux/linkage.h>
13 #include <asm/frame.h>
15 #define STATE0 %xmm0
16 #define STATE1 %xmm1
17 #define STATE2 %xmm2
18 #define STATE3 %xmm3
19 #define STATE4 %xmm4
20 #define STATE5 %xmm5
21 #define MSG %xmm6
22 #define T0 %xmm7
23 #define T1 %xmm8
24 #define T2 %xmm9
25 #define T3 %xmm10
27 #define STATEP %rdi
28 #define LEN %rsi
29 #define SRC %rdx
30 #define DST %rcx
32 .section .rodata.cst16.aegis256_const, "aM", @progbits, 32
33 .align 16
34 .Laegis256_const_0:
35 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
36 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
37 .Laegis256_const_1:
38 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
39 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
41 .section .rodata.cst16.aegis256_counter, "aM", @progbits, 16
42 .align 16
43 .Laegis256_counter:
44 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
45 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
47 .text
49 /*
50 * __load_partial: internal ABI
51 * input:
52 * LEN - bytes
53 * SRC - src
54 * output:
55 * MSG - message block
56 * changed:
57 * T0
58 * %r8
59 * %r9
60 */
61 __load_partial:
62 xor %r9d, %r9d
63 pxor MSG, MSG
65 mov LEN, %r8
66 and $0x1, %r8
67 jz .Lld_partial_1
69 mov LEN, %r8
70 and $0x1E, %r8
71 add SRC, %r8
72 mov (%r8), %r9b
74 .Lld_partial_1:
75 mov LEN, %r8
76 and $0x2, %r8
77 jz .Lld_partial_2
79 mov LEN, %r8
80 and $0x1C, %r8
81 add SRC, %r8
82 shl $0x10, %r9
83 mov (%r8), %r9w
85 .Lld_partial_2:
86 mov LEN, %r8
87 and $0x4, %r8
88 jz .Lld_partial_4
90 mov LEN, %r8
91 and $0x18, %r8
92 add SRC, %r8
93 shl $32, %r9
94 mov (%r8), %r8d
95 xor %r8, %r9
97 .Lld_partial_4:
98 movq %r9, MSG
100 mov LEN, %r8
101 and $0x8, %r8
102 jz .Lld_partial_8
104 mov LEN, %r8
105 and $0x10, %r8
106 add SRC, %r8
107 pslldq $8, MSG
108 movq (%r8), T0
109 pxor T0, MSG
111 .Lld_partial_8:
112 ret
113 ENDPROC(__load_partial)
115 /*
116 * __store_partial: internal ABI
117 * input:
118 * LEN - bytes
119 * DST - dst
120 * output:
121 * T0 - message block
122 * changed:
123 * %r8
124 * %r9
125 * %r10
126 */
127 __store_partial:
128 mov LEN, %r8
129 mov DST, %r9
131 movq T0, %r10
133 cmp $8, %r8
134 jl .Lst_partial_8
136 mov %r10, (%r9)
137 psrldq $8, T0
138 movq T0, %r10
140 sub $8, %r8
141 add $8, %r9
143 .Lst_partial_8:
144 cmp $4, %r8
145 jl .Lst_partial_4
147 mov %r10d, (%r9)
148 shr $32, %r10
150 sub $4, %r8
151 add $4, %r9
153 .Lst_partial_4:
154 cmp $2, %r8
155 jl .Lst_partial_2
157 mov %r10w, (%r9)
158 shr $0x10, %r10
160 sub $2, %r8
161 add $2, %r9
163 .Lst_partial_2:
164 cmp $1, %r8
165 jl .Lst_partial_1
167 mov %r10b, (%r9)
169 .Lst_partial_1:
170 ret
171 ENDPROC(__store_partial)
173 .macro update
174 movdqa STATE5, T0
175 aesenc STATE0, STATE5
176 aesenc STATE1, STATE0
177 aesenc STATE2, STATE1
178 aesenc STATE3, STATE2
179 aesenc STATE4, STATE3
180 aesenc T0, STATE4
181 .endm
183 .macro update0 m
184 update
185 pxor \m, STATE5
186 .endm
188 .macro update1 m
189 update
190 pxor \m, STATE4
191 .endm
193 .macro update2 m
194 update
195 pxor \m, STATE3
196 .endm
198 .macro update3 m
199 update
200 pxor \m, STATE2
201 .endm
203 .macro update4 m
204 update
205 pxor \m, STATE1
206 .endm
208 .macro update5 m
209 update
210 pxor \m, STATE0
211 .endm
213 .macro state_load
214 movdqu 0x00(STATEP), STATE0
215 movdqu 0x10(STATEP), STATE1
216 movdqu 0x20(STATEP), STATE2
217 movdqu 0x30(STATEP), STATE3
218 movdqu 0x40(STATEP), STATE4
219 movdqu 0x50(STATEP), STATE5
220 .endm
222 .macro state_store s0 s1 s2 s3 s4 s5
223 movdqu \s5, 0x00(STATEP)
224 movdqu \s0, 0x10(STATEP)
225 movdqu \s1, 0x20(STATEP)
226 movdqu \s2, 0x30(STATEP)
227 movdqu \s3, 0x40(STATEP)
228 movdqu \s4, 0x50(STATEP)
229 .endm
231 .macro state_store0
232 state_store STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
233 .endm
235 .macro state_store1
236 state_store STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
237 .endm
239 .macro state_store2
240 state_store STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
241 .endm
243 .macro state_store3
244 state_store STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
245 .endm
247 .macro state_store4
248 state_store STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
249 .endm
251 .macro state_store5
252 state_store STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
253 .endm
255 /*
256 * void crypto_aegis256_aesni_init(void *state, const void *key, const void *iv);
257 */
258 ENTRY(crypto_aegis256_aesni_init)
259 FRAME_BEGIN
261 /* load key: */
262 movdqa 0x00(%rsi), MSG
263 movdqa 0x10(%rsi), T1
264 movdqa MSG, STATE4
265 movdqa T1, STATE5
267 /* load IV: */
268 movdqu 0x00(%rdx), T2
269 movdqu 0x10(%rdx), T3
270 pxor MSG, T2
271 pxor T1, T3
272 movdqa T2, STATE0
273 movdqa T3, STATE1
275 /* load the constants: */
276 movdqa .Laegis256_const_0, STATE3
277 movdqa .Laegis256_const_1, STATE2
278 pxor STATE3, STATE4
279 pxor STATE2, STATE5
281 /* update 10 times with IV and KEY: */
282 update0 MSG
283 update1 T1
284 update2 T2
285 update3 T3
286 update4 MSG
287 update5 T1
288 update0 T2
289 update1 T3
290 update2 MSG
291 update3 T1
292 update4 T2
293 update5 T3
294 update0 MSG
295 update1 T1
296 update2 T2
297 update3 T3
299 state_store3
301 FRAME_END
302 ret
303 ENDPROC(crypto_aegis256_aesni_init)
305 .macro ad_block a i
306 movdq\a (\i * 0x10)(SRC), MSG
307 update\i MSG
308 sub $0x10, LEN
309 cmp $0x10, LEN
310 jl .Lad_out_\i
311 .endm
313 /*
314 * void crypto_aegis256_aesni_ad(void *state, unsigned int length,
315 * const void *data);
316 */
317 ENTRY(crypto_aegis256_aesni_ad)
318 FRAME_BEGIN
320 cmp $0x10, LEN
321 jb .Lad_out
323 state_load
325 mov SRC, %r8
326 and $0xf, %r8
327 jnz .Lad_u_loop
329 .align 8
330 .Lad_a_loop:
331 ad_block a 0
332 ad_block a 1
333 ad_block a 2
334 ad_block a 3
335 ad_block a 4
336 ad_block a 5
338 add $0x60, SRC
339 jmp .Lad_a_loop
341 .align 8
342 .Lad_u_loop:
343 ad_block u 0
344 ad_block u 1
345 ad_block u 2
346 ad_block u 3
347 ad_block u 4
348 ad_block u 5
350 add $0x60, SRC
351 jmp .Lad_u_loop
353 .Lad_out_0:
354 state_store0
355 FRAME_END
356 ret
358 .Lad_out_1:
359 state_store1
360 FRAME_END
361 ret
363 .Lad_out_2:
364 state_store2
365 FRAME_END
366 ret
368 .Lad_out_3:
369 state_store3
370 FRAME_END
371 ret
373 .Lad_out_4:
374 state_store4
375 FRAME_END
376 ret
378 .Lad_out_5:
379 state_store5
380 FRAME_END
381 ret
383 .Lad_out:
384 FRAME_END
385 ret
386 ENDPROC(crypto_aegis256_aesni_ad)
388 .macro crypt m s0 s1 s2 s3 s4 s5
389 pxor \s1, \m
390 pxor \s4, \m
391 pxor \s5, \m
392 movdqa \s2, T3
393 pand \s3, T3
394 pxor T3, \m
395 .endm
397 .macro crypt0 m
398 crypt \m STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
399 .endm
401 .macro crypt1 m
402 crypt \m STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
403 .endm
405 .macro crypt2 m
406 crypt \m STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
407 .endm
409 .macro crypt3 m
410 crypt \m STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
411 .endm
413 .macro crypt4 m
414 crypt \m STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
415 .endm
417 .macro crypt5 m
418 crypt \m STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
419 .endm
421 .macro encrypt_block a i
422 movdq\a (\i * 0x10)(SRC), MSG
423 movdqa MSG, T0
424 crypt\i T0
425 movdq\a T0, (\i * 0x10)(DST)
427 update\i MSG
429 sub $0x10, LEN
430 cmp $0x10, LEN
431 jl .Lenc_out_\i
432 .endm
434 .macro decrypt_block a i
435 movdq\a (\i * 0x10)(SRC), MSG
436 crypt\i MSG
437 movdq\a MSG, (\i * 0x10)(DST)
439 update\i MSG
441 sub $0x10, LEN
442 cmp $0x10, LEN
443 jl .Ldec_out_\i
444 .endm
446 /*
447 * void crypto_aegis256_aesni_enc(void *state, unsigned int length,
448 * const void *src, void *dst);
449 */
450 ENTRY(crypto_aegis256_aesni_enc)
451 FRAME_BEGIN
453 cmp $0x10, LEN
454 jb .Lenc_out
456 state_load
458 mov SRC, %r8
459 or DST, %r8
460 and $0xf, %r8
461 jnz .Lenc_u_loop
463 .align 8
464 .Lenc_a_loop:
465 encrypt_block a 0
466 encrypt_block a 1
467 encrypt_block a 2
468 encrypt_block a 3
469 encrypt_block a 4
470 encrypt_block a 5
472 add $0x60, SRC
473 add $0x60, DST
474 jmp .Lenc_a_loop
476 .align 8
477 .Lenc_u_loop:
478 encrypt_block u 0
479 encrypt_block u 1
480 encrypt_block u 2
481 encrypt_block u 3
482 encrypt_block u 4
483 encrypt_block u 5
485 add $0x60, SRC
486 add $0x60, DST
487 jmp .Lenc_u_loop
489 .Lenc_out_0:
490 state_store0
491 FRAME_END
492 ret
494 .Lenc_out_1:
495 state_store1
496 FRAME_END
497 ret
499 .Lenc_out_2:
500 state_store2
501 FRAME_END
502 ret
504 .Lenc_out_3:
505 state_store3
506 FRAME_END
507 ret
509 .Lenc_out_4:
510 state_store4
511 FRAME_END
512 ret
514 .Lenc_out_5:
515 state_store5
516 FRAME_END
517 ret
519 .Lenc_out:
520 FRAME_END
521 ret
522 ENDPROC(crypto_aegis256_aesni_enc)
524 /*
525 * void crypto_aegis256_aesni_enc_tail(void *state, unsigned int length,
526 * const void *src, void *dst);
527 */
528 ENTRY(crypto_aegis256_aesni_enc_tail)
529 FRAME_BEGIN
531 state_load
533 /* encrypt message: */
534 call __load_partial
536 movdqa MSG, T0
537 crypt0 T0
539 call __store_partial
541 update0 MSG
543 state_store0
545 FRAME_END
546 ret
547 ENDPROC(crypto_aegis256_aesni_enc_tail)
549 /*
550 * void crypto_aegis256_aesni_dec(void *state, unsigned int length,
551 * const void *src, void *dst);
552 */
553 ENTRY(crypto_aegis256_aesni_dec)
554 FRAME_BEGIN
556 cmp $0x10, LEN
557 jb .Ldec_out
559 state_load
561 mov SRC, %r8
562 or DST, %r8
563 and $0xF, %r8
564 jnz .Ldec_u_loop
566 .align 8
567 .Ldec_a_loop:
568 decrypt_block a 0
569 decrypt_block a 1
570 decrypt_block a 2
571 decrypt_block a 3
572 decrypt_block a 4
573 decrypt_block a 5
575 add $0x60, SRC
576 add $0x60, DST
577 jmp .Ldec_a_loop
579 .align 8
580 .Ldec_u_loop:
581 decrypt_block u 0
582 decrypt_block u 1
583 decrypt_block u 2
584 decrypt_block u 3
585 decrypt_block u 4
586 decrypt_block u 5
588 add $0x60, SRC
589 add $0x60, DST
590 jmp .Ldec_u_loop
592 .Ldec_out_0:
593 state_store0
594 FRAME_END
595 ret
597 .Ldec_out_1:
598 state_store1
599 FRAME_END
600 ret
602 .Ldec_out_2:
603 state_store2
604 FRAME_END
605 ret
607 .Ldec_out_3:
608 state_store3
609 FRAME_END
610 ret
612 .Ldec_out_4:
613 state_store4
614 FRAME_END
615 ret
617 .Ldec_out_5:
618 state_store5
619 FRAME_END
620 ret
622 .Ldec_out:
623 FRAME_END
624 ret
625 ENDPROC(crypto_aegis256_aesni_dec)
627 /*
628 * void crypto_aegis256_aesni_dec_tail(void *state, unsigned int length,
629 * const void *src, void *dst);
630 */
631 ENTRY(crypto_aegis256_aesni_dec_tail)
632 FRAME_BEGIN
634 state_load
636 /* decrypt message: */
637 call __load_partial
639 crypt0 MSG
641 movdqa MSG, T0
642 call __store_partial
644 /* mask with byte count: */
645 movq LEN, T0
646 punpcklbw T0, T0
647 punpcklbw T0, T0
648 punpcklbw T0, T0
649 punpcklbw T0, T0
650 movdqa .Laegis256_counter, T1
651 pcmpgtb T1, T0
652 pand T0, MSG
654 update0 MSG
656 state_store0
658 FRAME_END
659 ret
660 ENDPROC(crypto_aegis256_aesni_dec_tail)
662 /*
663 * void crypto_aegis256_aesni_final(void *state, void *tag_xor,
664 * u64 assoclen, u64 cryptlen);
665 */
666 ENTRY(crypto_aegis256_aesni_final)
667 FRAME_BEGIN
669 state_load
671 /* prepare length block: */
672 movq %rdx, MSG
673 movq %rcx, T0
674 pslldq $8, T0
675 pxor T0, MSG
676 psllq $3, MSG /* multiply by 8 (to get bit count) */
678 pxor STATE3, MSG
680 /* update state: */
681 update0 MSG
682 update1 MSG
683 update2 MSG
684 update3 MSG
685 update4 MSG
686 update5 MSG
687 update0 MSG
689 /* xor tag: */
690 movdqu (%rsi), MSG
692 pxor STATE0, MSG
693 pxor STATE1, MSG
694 pxor STATE2, MSG
695 pxor STATE3, MSG
696 pxor STATE4, MSG
697 pxor STATE5, MSG
699 movdqu MSG, (%rsi)
701 FRAME_END
702 ret
703 ENDPROC(crypto_aegis256_aesni_final)