Blame view
crypto/poly1305_generic.c
8.53 KB
f979e014c crypto: poly1305 ... |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
/* * Poly1305 authenticator algorithm, RFC7539 * * Copyright (C) 2015 Martin Willi * * Based on public domain code by Andrew Moon and Daniel J. Bernstein. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. */ #include <crypto/algapi.h> #include <crypto/internal/hash.h> |
2546f811e crypto: poly1305 ... |
16 |
#include <crypto/poly1305.h> |
f979e014c crypto: poly1305 ... |
17 18 19 |
#include <linux/crypto.h> #include <linux/kernel.h> #include <linux/module.h> |
109e23bd1 crypto: poly1305 ... |
20 |
#include <asm/unaligned.h> |
f979e014c crypto: poly1305 ... |
21 |
|
f979e014c crypto: poly1305 ... |
22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
static inline u64 mlt(u64 a, u64 b) { return a * b; } static inline u32 sr(u64 v, u_char n) { return v >> n; } static inline u32 and(u32 v, u32 mask) { return v & mask; } |
2546f811e crypto: poly1305 ... |
36 |
int crypto_poly1305_init(struct shash_desc *desc) |
f979e014c crypto: poly1305 ... |
37 38 |
{ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc); |
1b6fd3d5d crypto: poly1305 ... |
39 |
poly1305_core_init(&dctx->h); |
f979e014c crypto: poly1305 ... |
40 |
dctx->buflen = 0; |
c2b7b20ae crypto: poly1305 ... |
41 42 |
dctx->rset = false; dctx->sset = false; |
f979e014c crypto: poly1305 ... |
43 44 45 |
return 0; } |
2546f811e crypto: poly1305 ... |
46 |
EXPORT_SYMBOL_GPL(crypto_poly1305_init); |
f979e014c crypto: poly1305 ... |
47 |
|
1b6fd3d5d crypto: poly1305 ... |
48 |
void poly1305_core_setkey(struct poly1305_key *key, const u8 *raw_key) |
c2b7b20ae crypto: poly1305 ... |
49 |
{ |
f979e014c crypto: poly1305 ... |
50 |
/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ |
1b6fd3d5d crypto: poly1305 ... |
51 52 53 54 55 |
key->r[0] = (get_unaligned_le32(raw_key + 0) >> 0) & 0x3ffffff; key->r[1] = (get_unaligned_le32(raw_key + 3) >> 2) & 0x3ffff03; key->r[2] = (get_unaligned_le32(raw_key + 6) >> 4) & 0x3ffc0ff; key->r[3] = (get_unaligned_le32(raw_key + 9) >> 6) & 0x3f03fff; key->r[4] = (get_unaligned_le32(raw_key + 12) >> 8) & 0x00fffff; |
f979e014c crypto: poly1305 ... |
56 |
} |
1b6fd3d5d crypto: poly1305 ... |
57 |
EXPORT_SYMBOL_GPL(poly1305_core_setkey); |
f979e014c crypto: poly1305 ... |
58 |
|
a16e772e6 crypto: poly1305 ... |
59 60 61 62 63 |
/* * Poly1305 requires a unique key for each tag, which implies that we can't set * it on the tfm that gets accessed by multiple users simultaneously. Instead we * expect the key as the first 32 bytes in the update() call. */ |
2546f811e crypto: poly1305 ... |
64 65 |
unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx, const u8 *src, unsigned int srclen) |
f979e014c crypto: poly1305 ... |
66 |
{ |
2546f811e crypto: poly1305 ... |
67 |
if (!dctx->sset) { |
c2b7b20ae crypto: poly1305 ... |
68 |
if (!dctx->rset && srclen >= POLY1305_BLOCK_SIZE) { |
1b6fd3d5d crypto: poly1305 ... |
69 |
poly1305_core_setkey(&dctx->r, src); |
c2b7b20ae crypto: poly1305 ... |
70 71 72 73 74 |
src += POLY1305_BLOCK_SIZE; srclen -= POLY1305_BLOCK_SIZE; dctx->rset = true; } if (srclen >= POLY1305_BLOCK_SIZE) { |
1b6fd3d5d crypto: poly1305 ... |
75 76 77 78 |
dctx->s[0] = get_unaligned_le32(src + 0); dctx->s[1] = get_unaligned_le32(src + 4); dctx->s[2] = get_unaligned_le32(src + 8); dctx->s[3] = get_unaligned_le32(src + 12); |
c2b7b20ae crypto: poly1305 ... |
79 80 81 82 83 |
src += POLY1305_BLOCK_SIZE; srclen -= POLY1305_BLOCK_SIZE; dctx->sset = true; } } |
2546f811e crypto: poly1305 ... |
84 85 86 |
return srclen; } EXPORT_SYMBOL_GPL(crypto_poly1305_setdesckey); |
1b6fd3d5d crypto: poly1305 ... |
87 88 89 90 |
static void poly1305_blocks_internal(struct poly1305_state *state, const struct poly1305_key *key, const void *src, unsigned int nblocks, u32 hibit) |
2546f811e crypto: poly1305 ... |
91 92 93 94 95 |
{ u32 r0, r1, r2, r3, r4; u32 s1, s2, s3, s4; u32 h0, h1, h2, h3, h4; u64 d0, d1, d2, d3, d4; |
2546f811e crypto: poly1305 ... |
96 |
|
1b6fd3d5d crypto: poly1305 ... |
97 98 |
if (!nblocks) return; |
c2b7b20ae crypto: poly1305 ... |
99 |
|
1b6fd3d5d crypto: poly1305 ... |
100 101 102 103 104 |
r0 = key->r[0]; r1 = key->r[1]; r2 = key->r[2]; r3 = key->r[3]; r4 = key->r[4]; |
f979e014c crypto: poly1305 ... |
105 106 107 108 109 |
s1 = r1 * 5; s2 = r2 * 5; s3 = r3 * 5; s4 = r4 * 5; |
1b6fd3d5d crypto: poly1305 ... |
110 111 112 113 114 |
h0 = state->h[0]; h1 = state->h[1]; h2 = state->h[2]; h3 = state->h[3]; h4 = state->h[4]; |
f979e014c crypto: poly1305 ... |
115 |
|
1b6fd3d5d crypto: poly1305 ... |
116 |
do { |
f979e014c crypto: poly1305 ... |
117 |
/* h += m[i] */ |
109e23bd1 crypto: poly1305 ... |
118 119 120 121 122 |
h0 += (get_unaligned_le32(src + 0) >> 0) & 0x3ffffff; h1 += (get_unaligned_le32(src + 3) >> 2) & 0x3ffffff; h2 += (get_unaligned_le32(src + 6) >> 4) & 0x3ffffff; h3 += (get_unaligned_le32(src + 9) >> 6) & 0x3ffffff; h4 += (get_unaligned_le32(src + 12) >> 8) | hibit; |
f979e014c crypto: poly1305 ... |
123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
/* h *= r */ d0 = mlt(h0, r0) + mlt(h1, s4) + mlt(h2, s3) + mlt(h3, s2) + mlt(h4, s1); d1 = mlt(h0, r1) + mlt(h1, r0) + mlt(h2, s4) + mlt(h3, s3) + mlt(h4, s2); d2 = mlt(h0, r2) + mlt(h1, r1) + mlt(h2, r0) + mlt(h3, s4) + mlt(h4, s3); d3 = mlt(h0, r3) + mlt(h1, r2) + mlt(h2, r1) + mlt(h3, r0) + mlt(h4, s4); d4 = mlt(h0, r4) + mlt(h1, r3) + mlt(h2, r2) + mlt(h3, r1) + mlt(h4, r0); /* (partial) h %= p */ d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff); d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff); d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff); d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff); h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff); h1 += h0 >> 26; h0 = h0 & 0x3ffffff; src += POLY1305_BLOCK_SIZE; |
1b6fd3d5d crypto: poly1305 ... |
145 |
} while (--nblocks); |
f979e014c crypto: poly1305 ... |
146 |
|
1b6fd3d5d crypto: poly1305 ... |
147 148 149 150 151 152 |
state->h[0] = h0; state->h[1] = h1; state->h[2] = h2; state->h[3] = h3; state->h[4] = h4; } |
f979e014c crypto: poly1305 ... |
153 |
|
1b6fd3d5d crypto: poly1305 ... |
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
void poly1305_core_blocks(struct poly1305_state *state, const struct poly1305_key *key, const void *src, unsigned int nblocks) { poly1305_blocks_internal(state, key, src, nblocks, 1 << 24); } EXPORT_SYMBOL_GPL(poly1305_core_blocks); static void poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, unsigned int srclen, u32 hibit) { unsigned int datalen; if (unlikely(!dctx->sset)) { datalen = crypto_poly1305_setdesckey(dctx, src, srclen); src += srclen - datalen; srclen = datalen; } poly1305_blocks_internal(&dctx->h, &dctx->r, src, srclen / POLY1305_BLOCK_SIZE, hibit); |
f979e014c crypto: poly1305 ... |
175 |
} |
2546f811e crypto: poly1305 ... |
176 |
int crypto_poly1305_update(struct shash_desc *desc, |
f979e014c crypto: poly1305 ... |
177 178 179 |
const u8 *src, unsigned int srclen) { struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc); |
f979e014c crypto: poly1305 ... |
180 181 182 183 184 185 186 187 188 189 |
unsigned int bytes; if (unlikely(dctx->buflen)) { bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen); memcpy(dctx->buf + dctx->buflen, src, bytes); src += bytes; srclen -= bytes; dctx->buflen += bytes; if (dctx->buflen == POLY1305_BLOCK_SIZE) { |
c2b7b20ae crypto: poly1305 ... |
190 |
poly1305_blocks(dctx, dctx->buf, |
f979e014c crypto: poly1305 ... |
191 192 193 194 195 196 |
POLY1305_BLOCK_SIZE, 1 << 24); dctx->buflen = 0; } } if (likely(srclen >= POLY1305_BLOCK_SIZE)) { |
1b6fd3d5d crypto: poly1305 ... |
197 198 199 |
poly1305_blocks(dctx, src, srclen, 1 << 24); src += srclen - (srclen % POLY1305_BLOCK_SIZE); srclen %= POLY1305_BLOCK_SIZE; |
f979e014c crypto: poly1305 ... |
200 201 202 203 204 205 206 207 208 |
} if (unlikely(srclen)) { dctx->buflen = srclen; memcpy(dctx->buf, src, srclen); } return 0; } |
2546f811e crypto: poly1305 ... |
209 |
EXPORT_SYMBOL_GPL(crypto_poly1305_update); |
f979e014c crypto: poly1305 ... |
210 |
|
1b6fd3d5d crypto: poly1305 ... |
211 |
void poly1305_core_emit(const struct poly1305_state *state, void *dst) |
f979e014c crypto: poly1305 ... |
212 |
{ |
f979e014c crypto: poly1305 ... |
213 214 215 |
u32 h0, h1, h2, h3, h4; u32 g0, g1, g2, g3, g4; u32 mask; |
f979e014c crypto: poly1305 ... |
216 217 |
/* fully carry h */ |
1b6fd3d5d crypto: poly1305 ... |
218 219 220 221 222 |
h0 = state->h[0]; h1 = state->h[1]; h2 = state->h[2]; h3 = state->h[3]; h4 = state->h[4]; |
f979e014c crypto: poly1305 ... |
223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 |
h2 += (h1 >> 26); h1 = h1 & 0x3ffffff; h3 += (h2 >> 26); h2 = h2 & 0x3ffffff; h4 += (h3 >> 26); h3 = h3 & 0x3ffffff; h0 += (h4 >> 26) * 5; h4 = h4 & 0x3ffffff; h1 += (h0 >> 26); h0 = h0 & 0x3ffffff; /* compute h + -p */ g0 = h0 + 5; g1 = h1 + (g0 >> 26); g0 &= 0x3ffffff; g2 = h2 + (g1 >> 26); g1 &= 0x3ffffff; g3 = h3 + (g2 >> 26); g2 &= 0x3ffffff; g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x3ffffff; /* select h if h < p, or h + -p if h >= p */ mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1; g0 &= mask; g1 &= mask; g2 &= mask; g3 &= mask; g4 &= mask; mask = ~mask; h0 = (h0 & mask) | g0; h1 = (h1 & mask) | g1; h2 = (h2 & mask) | g2; h3 = (h3 & mask) | g3; h4 = (h4 & mask) | g4; /* h = h % (2^128) */ |
1b6fd3d5d crypto: poly1305 ... |
252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 |
put_unaligned_le32((h0 >> 0) | (h1 << 26), dst + 0); put_unaligned_le32((h1 >> 6) | (h2 << 20), dst + 4); put_unaligned_le32((h2 >> 12) | (h3 << 14), dst + 8); put_unaligned_le32((h3 >> 18) | (h4 << 8), dst + 12); } EXPORT_SYMBOL_GPL(poly1305_core_emit); int crypto_poly1305_final(struct shash_desc *desc, u8 *dst) { struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc); __le32 digest[4]; u64 f = 0; if (unlikely(!dctx->sset)) return -ENOKEY; if (unlikely(dctx->buflen)) { dctx->buf[dctx->buflen++] = 1; memset(dctx->buf + dctx->buflen, 0, POLY1305_BLOCK_SIZE - dctx->buflen); poly1305_blocks(dctx, dctx->buf, POLY1305_BLOCK_SIZE, 0); } poly1305_core_emit(&dctx->h, digest); |
f979e014c crypto: poly1305 ... |
276 277 |
/* mac = (h + s) % (2^128) */ |
1b6fd3d5d crypto: poly1305 ... |
278 279 280 281 282 283 284 285 |
f = (f >> 32) + le32_to_cpu(digest[0]) + dctx->s[0]; put_unaligned_le32(f, dst + 0); f = (f >> 32) + le32_to_cpu(digest[1]) + dctx->s[1]; put_unaligned_le32(f, dst + 4); f = (f >> 32) + le32_to_cpu(digest[2]) + dctx->s[2]; put_unaligned_le32(f, dst + 8); f = (f >> 32) + le32_to_cpu(digest[3]) + dctx->s[3]; put_unaligned_le32(f, dst + 12); |
f979e014c crypto: poly1305 ... |
286 287 288 |
return 0; } |
2546f811e crypto: poly1305 ... |
289 |
EXPORT_SYMBOL_GPL(crypto_poly1305_final); |
f979e014c crypto: poly1305 ... |
290 291 292 |
static struct shash_alg poly1305_alg = { .digestsize = POLY1305_DIGEST_SIZE, |
2546f811e crypto: poly1305 ... |
293 294 295 |
.init = crypto_poly1305_init, .update = crypto_poly1305_update, .final = crypto_poly1305_final, |
f979e014c crypto: poly1305 ... |
296 297 298 299 300 |
.descsize = sizeof(struct poly1305_desc_ctx), .base = { .cra_name = "poly1305", .cra_driver_name = "poly1305-generic", .cra_priority = 100, |
f979e014c crypto: poly1305 ... |
301 |
.cra_blocksize = POLY1305_BLOCK_SIZE, |
f979e014c crypto: poly1305 ... |
302 303 304 305 306 307 308 309 310 311 312 313 314 |
.cra_module = THIS_MODULE, }, }; static int __init poly1305_mod_init(void) { return crypto_register_shash(&poly1305_alg); } static void __exit poly1305_mod_exit(void) { crypto_unregister_shash(&poly1305_alg); } |
c4741b230 crypto: run initc... |
315 |
subsys_initcall(poly1305_mod_init); |
f979e014c crypto: poly1305 ... |
316 317 318 319 320 321 322 |
module_exit(poly1305_mod_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Martin Willi <martin@strongswan.org>"); MODULE_DESCRIPTION("Poly1305 authenticator"); MODULE_ALIAS_CRYPTO("poly1305"); MODULE_ALIAS_CRYPTO("poly1305-generic"); |