2
0

poly1305_base2_44.c 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171
  1. /*
  2. * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This module is meant to be used as template for base 2^44 assembly
  11. * implementation[s]. On side note compiler-generated code is not
  12. * slower than compiler-generated base 2^64 code on [high-end] x86_64,
  13. * even though amount of multiplications is 50% higher. Go figure...
  14. */
  15. #include <stdlib.h>
  16. typedef unsigned char u8;
  17. typedef unsigned int u32;
  18. typedef unsigned long u64;
  19. typedef unsigned __int128 u128;
  20. typedef struct {
  21. u64 h[3];
  22. u64 s[2];
  23. u64 r[3];
  24. } poly1305_internal;
  25. #define POLY1305_BLOCK_SIZE 16
  26. /* pick 64-bit unsigned integer in little endian order */
  27. static u64 U8TOU64(const unsigned char *p)
  28. {
  29. return (((u64)(p[0] & 0xff)) |
  30. ((u64)(p[1] & 0xff) << 8) |
  31. ((u64)(p[2] & 0xff) << 16) |
  32. ((u64)(p[3] & 0xff) << 24) |
  33. ((u64)(p[4] & 0xff) << 32) |
  34. ((u64)(p[5] & 0xff) << 40) |
  35. ((u64)(p[6] & 0xff) << 48) |
  36. ((u64)(p[7] & 0xff) << 56));
  37. }
  38. /* store a 64-bit unsigned integer in little endian */
  39. static void U64TO8(unsigned char *p, u64 v)
  40. {
  41. p[0] = (unsigned char)((v) & 0xff);
  42. p[1] = (unsigned char)((v >> 8) & 0xff);
  43. p[2] = (unsigned char)((v >> 16) & 0xff);
  44. p[3] = (unsigned char)((v >> 24) & 0xff);
  45. p[4] = (unsigned char)((v >> 32) & 0xff);
  46. p[5] = (unsigned char)((v >> 40) & 0xff);
  47. p[6] = (unsigned char)((v >> 48) & 0xff);
  48. p[7] = (unsigned char)((v >> 56) & 0xff);
  49. }
  50. int poly1305_init(void *ctx, const unsigned char key[16])
  51. {
  52. poly1305_internal *st = (poly1305_internal *)ctx;
  53. u64 r0, r1;
  54. /* h = 0 */
  55. st->h[0] = 0;
  56. st->h[1] = 0;
  57. st->h[2] = 0;
  58. r0 = U8TOU64(&key[0]) & 0x0ffffffc0fffffff;
  59. r1 = U8TOU64(&key[8]) & 0x0ffffffc0ffffffc;
  60. /* break r1:r0 to three 44-bit digits, masks are 1<<44-1 */
  61. st->r[0] = r0 & 0x0fffffffffff;
  62. st->r[1] = ((r0 >> 44) | (r1 << 20)) & 0x0fffffffffff;
  63. st->r[2] = (r1 >> 24);
  64. st->s[0] = (st->r[1] + (st->r[1] << 2)) << 2;
  65. st->s[1] = (st->r[2] + (st->r[2] << 2)) << 2;
  66. return 0;
  67. }
  68. void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len,
  69. u32 padbit)
  70. {
  71. poly1305_internal *st = (poly1305_internal *)ctx;
  72. u64 r0, r1, r2;
  73. u64 s1, s2;
  74. u64 h0, h1, h2, c;
  75. u128 d0, d1, d2;
  76. u64 pad = (u64)padbit << 40;
  77. r0 = st->r[0];
  78. r1 = st->r[1];
  79. r2 = st->r[2];
  80. s1 = st->s[0];
  81. s2 = st->s[1];
  82. h0 = st->h[0];
  83. h1 = st->h[1];
  84. h2 = st->h[2];
  85. while (len >= POLY1305_BLOCK_SIZE) {
  86. u64 m0, m1;
  87. m0 = U8TOU64(inp + 0);
  88. m1 = U8TOU64(inp + 8);
  89. /* h += m[i], m[i] is broken to 44-bit digits */
  90. h0 += m0 & 0x0fffffffffff;
  91. h1 += ((m0 >> 44) | (m1 << 20)) & 0x0fffffffffff;
  92. h2 += (m1 >> 24) + pad;
  93. /* h *= r "%" p, where "%" stands for "partial remainder" */
  94. d0 = ((u128)h0 * r0) + ((u128)h1 * s2) + ((u128)h2 * s1);
  95. d1 = ((u128)h0 * r1) + ((u128)h1 * r0) + ((u128)h2 * s2);
  96. d2 = ((u128)h0 * r2) + ((u128)h1 * r1) + ((u128)h2 * r0);
  97. /* "lazy" reduction step */
  98. h0 = (u64)d0 & 0x0fffffffffff;
  99. h1 = (u64)(d1 += (u64)(d0 >> 44)) & 0x0fffffffffff;
  100. h2 = (u64)(d2 += (u64)(d1 >> 44)) & 0x03ffffffffff; /* last 42 bits */
  101. c = (d2 >> 42);
  102. h0 += c + (c << 2);
  103. inp += POLY1305_BLOCK_SIZE;
  104. len -= POLY1305_BLOCK_SIZE;
  105. }
  106. st->h[0] = h0;
  107. st->h[1] = h1;
  108. st->h[2] = h2;
  109. }
  110. void poly1305_emit(void *ctx, unsigned char mac[16], const u32 nonce[4])
  111. {
  112. poly1305_internal *st = (poly1305_internal *) ctx;
  113. u64 h0, h1, h2;
  114. u64 g0, g1, g2;
  115. u128 t;
  116. u64 mask;
  117. h0 = st->h[0];
  118. h1 = st->h[1];
  119. h2 = st->h[2];
  120. /* after "lazy" reduction, convert 44+bit digits to 64-bit ones */
  121. h0 = (u64)(t = (u128)h0 + (h1 << 44)); h1 >>= 20;
  122. h1 = (u64)(t = (u128)h1 + (h2 << 24) + (t >> 64)); h2 >>= 40;
  123. h2 += (u64)(t >> 64);
  124. /* compare to modulus by computing h + -p */
  125. g0 = (u64)(t = (u128)h0 + 5);
  126. g1 = (u64)(t = (u128)h1 + (t >> 64));
  127. g2 = h2 + (u64)(t >> 64);
  128. /* if there was carry into 131st bit, h1:h0 = g1:g0 */
  129. mask = 0 - (g2 >> 2);
  130. g0 &= mask;
  131. g1 &= mask;
  132. mask = ~mask;
  133. h0 = (h0 & mask) | g0;
  134. h1 = (h1 & mask) | g1;
  135. /* mac = (h + nonce) % (2^128) */
  136. h0 = (u64)(t = (u128)h0 + nonce[0] + ((u64)nonce[1]<<32));
  137. h1 = (u64)(t = (u128)h1 + nonce[2] + ((u64)nonce[3]<<32) + (t >> 64));
  138. U64TO8(mac + 0, h0);
  139. U64TO8(mac + 8, h1);
  140. }