poly1305.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041
  1. /* poly1305.c
  2. *
  3. * Copyright (C) 2006-2024 wolfSSL Inc.
  4. *
  5. * This file is part of wolfSSL.
  6. *
  7. * wolfSSL is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * wolfSSL is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20. */
  21. /*
  22. DESCRIPTION
  23. This library contains implementation for the Poly1305 authenticator.
  24. Based off the public domain implementations by Andrew Moon
  25. and Daniel J. Bernstein
  26. */
  27. /*
  28. * WOLFSSL_W64_WRAPPER Uses wrappers around word64 types for a system that does
  29. * not have word64 available. As expected it reduces
  30. * performance. Benchmarks collected July 2024 show
  31. * 303.004 MiB/s with and 1874.194 MiB/s without.
  32. */
  33. #ifdef HAVE_CONFIG_H
  34. #include <config.h>
  35. #endif
  36. #include <wolfssl/wolfcrypt/settings.h>
  37. #ifdef HAVE_POLY1305
  38. #include <wolfssl/wolfcrypt/poly1305.h>
  39. #include <wolfssl/wolfcrypt/error-crypt.h>
  40. #include <wolfssl/wolfcrypt/logging.h>
  41. #include <wolfssl/wolfcrypt/cpuid.h>
  42. #ifdef NO_INLINE
  43. #include <wolfssl/wolfcrypt/misc.h>
  44. #else
  45. #define WOLFSSL_MISC_INCLUDED
  46. #include <wolfcrypt/src/misc.c>
  47. #endif
  48. #ifdef CHACHA_AEAD_TEST
  49. #include <stdio.h>
  50. #endif
  51. #ifdef _MSC_VER
  52. /* 4127 warning constant while(1) */
  53. #pragma warning(disable: 4127)
  54. #endif
  55. #ifdef USE_INTEL_POLY1305_SPEEDUP
  56. #include <emmintrin.h>
  57. #include <immintrin.h>
  58. #if defined(__GNUC__) && ((__GNUC__ < 4) || \
  59. (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
  60. #undef NO_AVX2_SUPPORT
  61. #define NO_AVX2_SUPPORT
  62. #endif
  63. #if defined(__clang__) && ((__clang_major__ < 3) || \
  64. (__clang_major__ == 3 && __clang_minor__ <= 5))
  65. #define NO_AVX2_SUPPORT
  66. #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
  67. #undef NO_AVX2_SUPPORT
  68. #endif
  69. #if defined(_MSC_VER) && (_MSC_VER <= 1900)
  70. #undef NO_AVX2_SUPPORT
  71. #define NO_AVX2_SUPPORT
  72. #endif
  73. #define HAVE_INTEL_AVX1
  74. #ifndef NO_AVX2_SUPPORT
  75. #define HAVE_INTEL_AVX2
  76. #endif
  77. #endif
  78. #ifdef USE_INTEL_POLY1305_SPEEDUP
  79. static word32 intel_flags = 0;
  80. static word32 cpu_flags_set = 0;
  81. #endif
  82. #if defined(USE_INTEL_POLY1305_SPEEDUP) || defined(POLY130564)
  83. #if defined(_MSC_VER)
  84. #define POLY1305_NOINLINE __declspec(noinline)
  85. #elif defined(__GNUC__)
  86. #define POLY1305_NOINLINE __attribute__((noinline))
  87. #else
  88. #define POLY1305_NOINLINE
  89. #endif
  90. #if defined(_MSC_VER)
  91. #include <intrin.h>
  92. typedef struct word128 {
  93. word64 lo;
  94. word64 hi;
  95. } word128;
  96. #define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi)
  97. #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; \
  98. out.hi += (out.lo < t) + in.hi; }
  99. #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; \
  100. out.hi += (out.lo < t); }
  101. #define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift)))
  102. #define LO(in) (in.lo)
  103. #elif defined(__GNUC__)
  104. #if defined(__SIZEOF_INT128__)
  105. PEDANTIC_EXTENSION typedef unsigned __int128 word128;
  106. #else
  107. typedef unsigned word128 __attribute__((mode(TI)));
  108. #endif
  109. #define MUL(out, x, y) out = ((word128)(x) * (y))
  110. #define ADD(out, in) (out) += (in)
  111. #define ADDLO(out, in) (out) += (in)
  112. #define SHR(in, shift) (word64)((in) >> (shift))
  113. #define LO(in) (word64)(in)
  114. #endif
  115. #endif
  116. #ifdef USE_INTEL_POLY1305_SPEEDUP
  117. #ifdef __cplusplus
  118. extern "C" {
  119. #endif
  120. #ifdef HAVE_INTEL_AVX1
  121. /* Process one block (16 bytes) of data.
  122. *
  123. * ctx Poly1305 context.
  124. * m One block of message data.
  125. */
  126. extern void poly1305_block_avx(Poly1305* ctx, const unsigned char *m);
  127. /* Process multiple blocks (n * 16 bytes) of data.
  128. *
  129. * ctx Poly1305 context.
  130. * m Blocks of message data.
  131. * bytes The number of bytes to process.
  132. */
  133. extern void poly1305_blocks_avx(Poly1305* ctx, const unsigned char* m,
  134. size_t bytes);
  135. /* Set the key to use when processing data.
  136. * Initialize the context.
  137. *
  138. * ctx Poly1305 context.
  139. * key The key data (16 bytes).
  140. */
  141. extern void poly1305_setkey_avx(Poly1305* ctx, const byte* key);
  142. /* Calculate the final result - authentication data.
  143. * Zeros out the private data in the context.
  144. *
  145. * ctx Poly1305 context.
  146. * mac Buffer to hold 16 bytes.
  147. */
  148. extern void poly1305_final_avx(Poly1305* ctx, byte* mac);
  149. #endif
  150. #ifdef HAVE_INTEL_AVX2
  151. /* Process multiple blocks (n * 16 bytes) of data.
  152. *
  153. * ctx Poly1305 context.
  154. * m Blocks of message data.
  155. * bytes The number of bytes to process.
  156. */
  157. extern void poly1305_blocks_avx2(Poly1305* ctx, const unsigned char* m,
  158. size_t bytes);
  159. /* Calculate R^1, R^2, R^3 and R^4 and store them in the context.
  160. *
  161. * ctx Poly1305 context.
  162. */
  163. extern void poly1305_calc_powers_avx2(Poly1305* ctx);
  164. /* Set the key to use when processing data.
  165. * Initialize the context.
  166. * Calls AVX set key function as final function calls AVX code.
  167. *
  168. * ctx Poly1305 context.
  169. * key The key data (16 bytes).
  170. */
  171. extern void poly1305_setkey_avx2(Poly1305* ctx, const byte* key);
  172. /* Calculate the final result - authentication data.
  173. * Zeros out the private data in the context.
  174. * Calls AVX final function to quickly process last blocks.
  175. *
  176. * ctx Poly1305 context.
  177. * mac Buffer to hold 16 bytes - authentication data.
  178. */
  179. extern void poly1305_final_avx2(Poly1305* ctx, byte* mac);
  180. #endif
  181. #ifdef __cplusplus
  182. } /* extern "C" */
  183. #endif
  184. #elif defined(POLY130564)
  185. #if !defined(WOLFSSL_ARMASM) && !defined(WOLFSSL_RISCV_ASM)
  186. static word64 U8TO64(const byte* p)
  187. {
  188. return
  189. (((word64)(p[0] & 0xff) ) |
  190. ((word64)(p[1] & 0xff) << 8) |
  191. ((word64)(p[2] & 0xff) << 16) |
  192. ((word64)(p[3] & 0xff) << 24) |
  193. ((word64)(p[4] & 0xff) << 32) |
  194. ((word64)(p[5] & 0xff) << 40) |
  195. ((word64)(p[6] & 0xff) << 48) |
  196. ((word64)(p[7] & 0xff) << 56));
  197. }
  198. static void U64TO8(byte* p, word64 v) {
  199. p[0] = (byte)v;
  200. p[1] = (byte)(v >> 8);
  201. p[2] = (byte)(v >> 16);
  202. p[3] = (byte)(v >> 24);
  203. p[4] = (byte)(v >> 32);
  204. p[5] = (byte)(v >> 40);
  205. p[6] = (byte)(v >> 48);
  206. p[7] = (byte)(v >> 56);
  207. }
  208. #endif/* !WOLFSSL_ARMASM && !WOLFSSL_RISCV_ASM */
  209. /* if not 64 bit then use 32 bit */
  210. #elif !defined(WOLFSSL_ARMASM)
  211. static word32 U8TO32(const byte *p)
  212. {
  213. return
  214. (((word32)(p[0] & 0xff) ) |
  215. ((word32)(p[1] & 0xff) << 8) |
  216. ((word32)(p[2] & 0xff) << 16) |
  217. ((word32)(p[3] & 0xff) << 24));
  218. }
  219. static void U32TO8(byte *p, word32 v) {
  220. p[0] = (byte)((v ) & 0xff);
  221. p[1] = (byte)((v >> 8) & 0xff);
  222. p[2] = (byte)((v >> 16) & 0xff);
  223. p[3] = (byte)((v >> 24) & 0xff);
  224. }
  225. #endif
  226. /* convert 32-bit unsigned to little endian 64 bit type as byte array */
  227. static WC_INLINE void u32tole64(const word32 inLe32, byte outLe64[8])
  228. {
  229. #ifndef WOLFSSL_X86_64_BUILD
  230. outLe64[0] = (byte)(inLe32 & 0x000000FF);
  231. outLe64[1] = (byte)((inLe32 & 0x0000FF00) >> 8);
  232. outLe64[2] = (byte)((inLe32 & 0x00FF0000) >> 16);
  233. outLe64[3] = (byte)((inLe32 & 0xFF000000) >> 24);
  234. outLe64[4] = 0;
  235. outLe64[5] = 0;
  236. outLe64[6] = 0;
  237. outLe64[7] = 0;
  238. #else
  239. *(word64*)outLe64 = inLe32;
  240. #endif
  241. }
  242. #if !defined(WOLFSSL_ARMASM) && !defined(WOLFSSL_RISCV_ASM)
  243. /*
  244. This local function operates on a message with a given number of bytes
  245. with a given ctx pointer to a Poly1305 structure.
  246. */
  247. static int poly1305_blocks(Poly1305* ctx, const unsigned char *m,
  248. size_t bytes)
  249. {
  250. #ifdef USE_INTEL_POLY1305_SPEEDUP
  251. /* AVX2 is handled in wc_Poly1305Update. */
  252. SAVE_VECTOR_REGISTERS(return _svr_ret;);
  253. poly1305_blocks_avx(ctx, m, bytes);
  254. RESTORE_VECTOR_REGISTERS();
  255. return 0;
  256. #elif defined(POLY130564)
  257. const word64 hibit = (ctx->finished) ? 0 : ((word64)1 << 40); /* 1 << 128 */
  258. word64 r0,r1,r2;
  259. word64 s1,s2;
  260. word64 h0,h1,h2;
  261. word64 c;
  262. word128 d0,d1,d2,d;
  263. r0 = ctx->r[0];
  264. r1 = ctx->r[1];
  265. r2 = ctx->r[2];
  266. h0 = ctx->h[0];
  267. h1 = ctx->h[1];
  268. h2 = ctx->h[2];
  269. s1 = r1 * (5 << 2);
  270. s2 = r2 * (5 << 2);
  271. while (bytes >= POLY1305_BLOCK_SIZE) {
  272. word64 t0,t1;
  273. /* h += m[i] */
  274. t0 = U8TO64(&m[0]);
  275. t1 = U8TO64(&m[8]);
  276. h0 += (( t0 ) & 0xfffffffffff);
  277. h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff);
  278. h2 += (((t1 >> 24) ) & 0x3ffffffffff) | hibit;
  279. /* h *= r */
  280. MUL(d0, h0, r0); MUL(d, h1, s2); ADD(d0, d); MUL(d, h2, s1); ADD(d0, d);
  281. MUL(d1, h0, r1); MUL(d, h1, r0); ADD(d1, d); MUL(d, h2, s2); ADD(d1, d);
  282. MUL(d2, h0, r2); MUL(d, h1, r1); ADD(d2, d); MUL(d, h2, r0); ADD(d2, d);
  283. /* (partial) h %= p */
  284. c = SHR(d0, 44); h0 = LO(d0) & 0xfffffffffff;
  285. ADDLO(d1, c); c = SHR(d1, 44); h1 = LO(d1) & 0xfffffffffff;
  286. ADDLO(d2, c); c = SHR(d2, 42); h2 = LO(d2) & 0x3ffffffffff;
  287. h0 += c * 5; c = (h0 >> 44); h0 = h0 & 0xfffffffffff;
  288. h1 += c;
  289. m += POLY1305_BLOCK_SIZE;
  290. bytes -= POLY1305_BLOCK_SIZE;
  291. }
  292. ctx->h[0] = h0;
  293. ctx->h[1] = h1;
  294. ctx->h[2] = h2;
  295. return 0;
  296. #else /* if not 64 bit then use 32 bit */
  297. const word32 hibit = (ctx->finished) ? 0 : ((word32)1 << 24); /* 1 << 128 */
  298. word32 r0,r1,r2,r3,r4;
  299. word32 s1,s2,s3,s4;
  300. word32 h0,h1,h2,h3,h4;
  301. word32 c;
  302. #ifdef WOLFSSL_W64_WRAPPER
  303. #ifdef WOLFSSL_SMALL_STACK
  304. w64wrapper* d;
  305. d = (w64wrapper*)XMALLOC(5 * sizeof(w64wrapper), NULL,
  306. DYNAMIC_TYPE_TMP_BUFFER);
  307. if (d == NULL) {
  308. return MEMORY_E;
  309. }
  310. #else
  311. w64wrapper d[5];
  312. #endif
  313. #else
  314. word64 d0,d1,d2,d3,d4;
  315. #endif
  316. r0 = ctx->r[0];
  317. r1 = ctx->r[1];
  318. r2 = ctx->r[2];
  319. r3 = ctx->r[3];
  320. r4 = ctx->r[4];
  321. s1 = r1 * 5;
  322. s2 = r2 * 5;
  323. s3 = r3 * 5;
  324. s4 = r4 * 5;
  325. h0 = ctx->h[0];
  326. h1 = ctx->h[1];
  327. h2 = ctx->h[2];
  328. h3 = ctx->h[3];
  329. h4 = ctx->h[4];
  330. while (bytes >= POLY1305_BLOCK_SIZE) {
  331. /* h += m[i] */
  332. h0 += (U8TO32(m+ 0) ) & 0x3ffffff;
  333. h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff;
  334. h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff;
  335. h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff;
  336. h4 += (U8TO32(m+12) >> 8) | hibit;
  337. /* h *= r */
  338. #ifdef WOLFSSL_W64_WRAPPER
  339. {
  340. w64wrapper tmp;
  341. d[0] = w64Mul(h0, r0); tmp = w64Mul(h1, s4);
  342. d[0] = w64Add(d[0], tmp, NULL); tmp = w64Mul(h2, s3);
  343. d[0] = w64Add(d[0], tmp, NULL); tmp = w64Mul(h3, s2);
  344. d[0] = w64Add(d[0], tmp, NULL); tmp = w64Mul(h4, s1);
  345. d[0] = w64Add(d[0], tmp, NULL);
  346. d[1] = w64Mul(h0, r1); tmp = w64Mul(h1, r0);
  347. d[1] = w64Add(d[1], tmp, NULL); tmp = w64Mul(h2, s4);
  348. d[1] = w64Add(d[1], tmp, NULL); tmp = w64Mul(h3, s3);
  349. d[1] = w64Add(d[1], tmp, NULL); tmp = w64Mul(h4, s2);
  350. d[1] = w64Add(d[1], tmp, NULL);
  351. d[2] = w64Mul(h0, r2); tmp = w64Mul(h1, r1);
  352. d[2] = w64Add(d[2], tmp, NULL); tmp = w64Mul(h2, r0);
  353. d[2] = w64Add(d[2], tmp, NULL); tmp = w64Mul(h3, s4);
  354. d[2] = w64Add(d[2], tmp, NULL); tmp = w64Mul(h4, s3);
  355. d[2] = w64Add(d[2], tmp, NULL);
  356. d[3] = w64Mul(h0, r3); tmp = w64Mul(h1, r2);
  357. d[3] = w64Add(d[3], tmp, NULL); tmp = w64Mul(h2, r1);
  358. d[3] = w64Add(d[3], tmp, NULL); tmp = w64Mul(h3, r0);
  359. d[3] = w64Add(d[3], tmp, NULL); tmp = w64Mul(h4, s4);
  360. d[3] = w64Add(d[3], tmp, NULL);
  361. d[4] = w64Mul(h0, r4); tmp = w64Mul(h1, r3);
  362. d[4] = w64Add(d[4], tmp, NULL); tmp = w64Mul(h2, r2);
  363. d[4] = w64Add(d[4], tmp, NULL); tmp = w64Mul(h3, r1);
  364. d[4] = w64Add(d[4], tmp, NULL); tmp = w64Mul(h4, r0);
  365. d[4] = w64Add(d[4], tmp, NULL);
  366. }
  367. #else
  368. d0 = ((word64)h0 * r0) + ((word64)h1 * s4) + ((word64)h2 * s3) +
  369. ((word64)h3 * s2) + ((word64)h4 * s1);
  370. d1 = ((word64)h0 * r1) + ((word64)h1 * r0) + ((word64)h2 * s4) +
  371. ((word64)h3 * s3) + ((word64)h4 * s2);
  372. d2 = ((word64)h0 * r2) + ((word64)h1 * r1) + ((word64)h2 * r0) +
  373. ((word64)h3 * s4) + ((word64)h4 * s3);
  374. d3 = ((word64)h0 * r3) + ((word64)h1 * r2) + ((word64)h2 * r1) +
  375. ((word64)h3 * r0) + ((word64)h4 * s4);
  376. d4 = ((word64)h0 * r4) + ((word64)h1 * r3) + ((word64)h2 * r2) +
  377. ((word64)h3 * r1) + ((word64)h4 * r0);
  378. #endif
  379. /* (partial) h %= p */
  380. #ifdef WOLFSSL_W64_WRAPPER
  381. c = w64GetLow32(w64ShiftRight(d[0], 26));
  382. h0 = w64GetLow32(d[0]) & 0x3ffffff;
  383. d[1] = w64Add32(d[1], c, NULL);
  384. c = w64GetLow32(w64ShiftRight(d[1], 26));
  385. h1 = w64GetLow32(d[1]) & 0x3ffffff;
  386. d[2] = w64Add32(d[2], c, NULL);
  387. c = w64GetLow32(w64ShiftRight(d[2], 26));
  388. h2 = w64GetLow32(d[2]) & 0x3ffffff;
  389. d[3] = w64Add32(d[3], c, NULL);
  390. c = w64GetLow32(w64ShiftRight(d[3], 26));
  391. h3 = w64GetLow32(d[3]) & 0x3ffffff;
  392. d[4] = w64Add32(d[4], c, NULL);
  393. c = w64GetLow32(w64ShiftRight(d[4], 26));
  394. h4 = w64GetLow32(d[4]) & 0x3ffffff;
  395. #else
  396. c = (word32)(d0 >> 26); h0 = (word32)d0 & 0x3ffffff;
  397. d1 += c; c = (word32)(d1 >> 26); h1 = (word32)d1 & 0x3ffffff;
  398. d2 += c; c = (word32)(d2 >> 26); h2 = (word32)d2 & 0x3ffffff;
  399. d3 += c; c = (word32)(d3 >> 26); h3 = (word32)d3 & 0x3ffffff;
  400. d4 += c; c = (word32)(d4 >> 26); h4 = (word32)d4 & 0x3ffffff;
  401. #endif
  402. h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff;
  403. h1 += c;
  404. m += POLY1305_BLOCK_SIZE;
  405. bytes -= POLY1305_BLOCK_SIZE;
  406. }
  407. ctx->h[0] = h0;
  408. ctx->h[1] = h1;
  409. ctx->h[2] = h2;
  410. ctx->h[3] = h3;
  411. ctx->h[4] = h4;
  412. #if defined(WOLFSSL_W64_WRAPPER) && defined(WOLFSSL_SMALL_STACK)
  413. XFREE(d, NULL, DYNAMIC_TYPE_TMP_BUFFER);
  414. #endif
  415. return 0;
  416. #endif /* end of 64 bit cpu blocks or 32 bit cpu */
  417. }
  418. /*
  419. This local function is used for the last call when a message with a given
  420. number of bytes is less than the block size.
  421. */
  422. static int poly1305_block(Poly1305* ctx, const unsigned char *m)
  423. {
  424. #ifdef USE_INTEL_POLY1305_SPEEDUP
  425. /* No call to poly1305_block when AVX2, AVX2 does 4 blocks at a time. */
  426. SAVE_VECTOR_REGISTERS(return _svr_ret;);
  427. poly1305_block_avx(ctx, m);
  428. RESTORE_VECTOR_REGISTERS();
  429. return 0;
  430. #else
  431. return poly1305_blocks(ctx, m, POLY1305_BLOCK_SIZE);
  432. #endif
  433. }
  434. int wc_Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz)
  435. {
  436. #if defined(POLY130564) && !defined(USE_INTEL_POLY1305_SPEEDUP)
  437. word64 t0,t1;
  438. #endif
  439. if (key == NULL)
  440. return BAD_FUNC_ARG;
  441. #ifdef CHACHA_AEAD_TEST
  442. word32 k;
  443. printf("Poly key used:\n");
  444. for (k = 0; k < keySz; k++) {
  445. printf("%02x", key[k]);
  446. if ((k+1) % 8 == 0)
  447. printf("\n");
  448. }
  449. printf("\n");
  450. #endif
  451. if (keySz != 32 || ctx == NULL)
  452. return BAD_FUNC_ARG;
  453. #ifdef USE_INTEL_POLY1305_SPEEDUP
  454. if (!cpu_flags_set) {
  455. intel_flags = cpuid_get_flags();
  456. cpu_flags_set = 1;
  457. }
  458. SAVE_VECTOR_REGISTERS(return _svr_ret;);
  459. #ifdef HAVE_INTEL_AVX2
  460. if (IS_INTEL_AVX2(intel_flags))
  461. poly1305_setkey_avx2(ctx, key);
  462. else
  463. #endif
  464. poly1305_setkey_avx(ctx, key);
  465. RESTORE_VECTOR_REGISTERS();
  466. #elif defined(POLY130564)
  467. /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
  468. t0 = U8TO64(key + 0);
  469. t1 = U8TO64(key + 8);
  470. ctx->r[0] = ( t0 ) & 0xffc0fffffff;
  471. ctx->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff;
  472. ctx->r[2] = ((t1 >> 24) ) & 0x00ffffffc0f;
  473. /* h (accumulator) = 0 */
  474. ctx->h[0] = 0;
  475. ctx->h[1] = 0;
  476. ctx->h[2] = 0;
  477. /* save pad for later */
  478. ctx->pad[0] = U8TO64(key + 16);
  479. ctx->pad[1] = U8TO64(key + 24);
  480. ctx->leftover = 0;
  481. ctx->finished = 0;
  482. #else /* if not 64 bit then use 32 bit */
  483. /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
  484. ctx->r[0] = (U8TO32(key + 0) ) & 0x3ffffff;
  485. ctx->r[1] = (U8TO32(key + 3) >> 2) & 0x3ffff03;
  486. ctx->r[2] = (U8TO32(key + 6) >> 4) & 0x3ffc0ff;
  487. ctx->r[3] = (U8TO32(key + 9) >> 6) & 0x3f03fff;
  488. ctx->r[4] = (U8TO32(key + 12) >> 8) & 0x00fffff;
  489. /* h = 0 */
  490. ctx->h[0] = 0;
  491. ctx->h[1] = 0;
  492. ctx->h[2] = 0;
  493. ctx->h[3] = 0;
  494. ctx->h[4] = 0;
  495. /* save pad for later */
  496. ctx->pad[0] = U8TO32(key + 16);
  497. ctx->pad[1] = U8TO32(key + 20);
  498. ctx->pad[2] = U8TO32(key + 24);
  499. ctx->pad[3] = U8TO32(key + 28);
  500. ctx->leftover = 0;
  501. ctx->finished = 0;
  502. #endif
  503. return 0;
  504. }
  505. int wc_Poly1305Final(Poly1305* ctx, byte* mac)
  506. {
  507. #ifdef USE_INTEL_POLY1305_SPEEDUP
  508. #elif defined(POLY130564)
  509. word64 h0,h1,h2,c;
  510. word64 g0,g1,g2;
  511. word64 t0,t1;
  512. #else
  513. word32 h0,h1,h2,h3,h4,c;
  514. word32 g0,g1,g2,g3,g4;
  515. #ifdef WOLFSSL_W64_WRAPPER
  516. w64wrapper f;
  517. #else
  518. word64 f;
  519. #endif
  520. word32 mask;
  521. #endif
  522. if (ctx == NULL || mac == NULL)
  523. return BAD_FUNC_ARG;
  524. #ifdef USE_INTEL_POLY1305_SPEEDUP
  525. SAVE_VECTOR_REGISTERS(return _svr_ret;);
  526. #ifdef HAVE_INTEL_AVX2
  527. if (IS_INTEL_AVX2(intel_flags))
  528. poly1305_final_avx2(ctx, mac);
  529. else
  530. #endif
  531. poly1305_final_avx(ctx, mac);
  532. RESTORE_VECTOR_REGISTERS();
  533. #elif defined(POLY130564)
  534. /* process the remaining block */
  535. if (ctx->leftover) {
  536. size_t i = ctx->leftover;
  537. ctx->buffer[i] = 1;
  538. for (i = i + 1; i < POLY1305_BLOCK_SIZE; i++)
  539. ctx->buffer[i] = 0;
  540. ctx->finished = 1;
  541. poly1305_block(ctx, ctx->buffer);
  542. }
  543. /* fully carry h */
  544. h0 = ctx->h[0];
  545. h1 = ctx->h[1];
  546. h2 = ctx->h[2];
  547. c = (h1 >> 44); h1 &= 0xfffffffffff;
  548. h2 += c; c = (h2 >> 42); h2 &= 0x3ffffffffff;
  549. h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
  550. h1 += c; c = (h1 >> 44); h1 &= 0xfffffffffff;
  551. h2 += c; c = (h2 >> 42); h2 &= 0x3ffffffffff;
  552. h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
  553. h1 += c;
  554. /* compute h + -p */
  555. g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
  556. g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
  557. g2 = h2 + c - ((word64)1 << 42);
  558. /* select h if h < p, or h + -p if h >= p */
  559. c = (g2 >> ((sizeof(word64) * 8) - 1)) - 1;
  560. g0 &= c;
  561. g1 &= c;
  562. g2 &= c;
  563. c = ~c;
  564. h0 = (h0 & c) | g0;
  565. h1 = (h1 & c) | g1;
  566. h2 = (h2 & c) | g2;
  567. /* h = (h + pad) */
  568. t0 = ctx->pad[0];
  569. t1 = ctx->pad[1];
  570. h0 += (( t0 ) & 0xfffffffffff) ;
  571. c = (h0 >> 44); h0 &= 0xfffffffffff;
  572. h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff) + c;
  573. c = (h1 >> 44); h1 &= 0xfffffffffff;
  574. h2 += (((t1 >> 24) ) & 0x3ffffffffff) + c;
  575. h2 &= 0x3ffffffffff;
  576. /* mac = h % (2^128) */
  577. h0 = ((h0 ) | (h1 << 44));
  578. h1 = ((h1 >> 20) | (h2 << 24));
  579. U64TO8(mac + 0, h0);
  580. U64TO8(mac + 8, h1);
  581. /* zero out the state */
  582. ctx->h[0] = 0;
  583. ctx->h[1] = 0;
  584. ctx->h[2] = 0;
  585. ctx->r[0] = 0;
  586. ctx->r[1] = 0;
  587. ctx->r[2] = 0;
  588. ctx->pad[0] = 0;
  589. ctx->pad[1] = 0;
  590. #else /* if not 64 bit then use 32 bit */
  591. /* process the remaining block */
  592. if (ctx->leftover) {
  593. size_t i = ctx->leftover;
  594. ctx->buffer[i++] = 1;
  595. for (; i < POLY1305_BLOCK_SIZE; i++)
  596. ctx->buffer[i] = 0;
  597. ctx->finished = 1;
  598. poly1305_block(ctx, ctx->buffer);
  599. }
  600. /* fully carry h */
  601. h0 = ctx->h[0];
  602. h1 = ctx->h[1];
  603. h2 = ctx->h[2];
  604. h3 = ctx->h[3];
  605. h4 = ctx->h[4];
  606. c = h1 >> 26; h1 = h1 & 0x3ffffff;
  607. h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
  608. h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
  609. h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
  610. h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
  611. h1 += c;
  612. /* compute h + -p */
  613. g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
  614. g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
  615. g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
  616. g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
  617. g4 = h4 + c - ((word32)1 << 26);
  618. /* select h if h < p, or h + -p if h >= p */
  619. mask = ((word32)g4 >> ((sizeof(word32) * 8) - 1)) - 1;
  620. g0 &= mask;
  621. g1 &= mask;
  622. g2 &= mask;
  623. g3 &= mask;
  624. g4 &= mask;
  625. mask = ~mask;
  626. h0 = (h0 & mask) | g0;
  627. h1 = (h1 & mask) | g1;
  628. h2 = (h2 & mask) | g2;
  629. h3 = (h3 & mask) | g3;
  630. h4 = (h4 & mask) | g4;
  631. /* h = h % (2^128) */
  632. h0 = ((h0 ) | (h1 << 26)) & 0xffffffff;
  633. h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
  634. h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
  635. h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
  636. /* mac = (h + pad) % (2^128) */
  637. #ifdef WOLFSSL_W64_WRAPPER
  638. f = w64From32(0, h0);
  639. f = w64Add32(f, ctx->pad[0], NULL);
  640. h0 = w64GetLow32(f);
  641. f = w64ShiftRight(f, 32);
  642. f = w64Add32(f, h1, NULL);
  643. f = w64Add32(f, ctx->pad[1], NULL);
  644. h1 = w64GetLow32(f);
  645. f = w64ShiftRight(f, 32);
  646. f = w64Add32(f, h2, NULL);
  647. f = w64Add32(f, ctx->pad[2], NULL);
  648. h2 = w64GetLow32(f);
  649. f = w64ShiftRight(f, 32);
  650. f = w64Add32(f, h3, NULL);
  651. f = w64Add32(f, ctx->pad[3], NULL);
  652. h3 = w64GetLow32(f);
  653. #else
  654. f = (word64)h0 + ctx->pad[0] ; h0 = (word32)f;
  655. f = (word64)h1 + ctx->pad[1] + (f >> 32); h1 = (word32)f;
  656. f = (word64)h2 + ctx->pad[2] + (f >> 32); h2 = (word32)f;
  657. f = (word64)h3 + ctx->pad[3] + (f >> 32); h3 = (word32)f;
  658. #endif
  659. U32TO8(mac + 0, h0);
  660. U32TO8(mac + 4, h1);
  661. U32TO8(mac + 8, h2);
  662. U32TO8(mac + 12, h3);
  663. /* zero out the state */
  664. ctx->h[0] = 0;
  665. ctx->h[1] = 0;
  666. ctx->h[2] = 0;
  667. ctx->h[3] = 0;
  668. ctx->h[4] = 0;
  669. ctx->r[0] = 0;
  670. ctx->r[1] = 0;
  671. ctx->r[2] = 0;
  672. ctx->r[3] = 0;
  673. ctx->r[4] = 0;
  674. ctx->pad[0] = 0;
  675. ctx->pad[1] = 0;
  676. ctx->pad[2] = 0;
  677. ctx->pad[3] = 0;
  678. #endif
  679. return 0;
  680. }
  681. #endif /* !WOLFSSL_ARMASM && !WOLFSSL_RISCV_ASM */
  682. int wc_Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes)
  683. {
  684. size_t i;
  685. if (ctx == NULL || (m == NULL && bytes > 0))
  686. return BAD_FUNC_ARG;
  687. if (bytes == 0) {
  688. /* valid, but do nothing */
  689. return 0;
  690. }
  691. #ifdef CHACHA_AEAD_TEST
  692. word32 k;
  693. printf("Raw input to poly:\n");
  694. for (k = 0; k < bytes; k++) {
  695. printf("%02x", m[k]);
  696. if ((k+1) % 16 == 0)
  697. printf("\n");
  698. }
  699. printf("\n");
  700. #endif
  701. #ifdef USE_INTEL_POLY1305_SPEEDUP
  702. #ifdef HAVE_INTEL_AVX2
  703. if (IS_INTEL_AVX2(intel_flags)) {
  704. SAVE_VECTOR_REGISTERS(return _svr_ret;);
  705. /* handle leftover */
  706. if (ctx->leftover) {
  707. size_t want = sizeof(ctx->buffer) - ctx->leftover;
  708. if (want > bytes)
  709. want = bytes;
  710. for (i = 0; i < want; i++)
  711. ctx->buffer[ctx->leftover + i] = m[i];
  712. bytes -= (word32)want;
  713. m += want;
  714. ctx->leftover += want;
  715. if (ctx->leftover < sizeof(ctx->buffer)) {
  716. RESTORE_VECTOR_REGISTERS();
  717. return 0;
  718. }
  719. if (!ctx->started)
  720. poly1305_calc_powers_avx2(ctx);
  721. poly1305_blocks_avx2(ctx, ctx->buffer, sizeof(ctx->buffer));
  722. ctx->leftover = 0;
  723. }
  724. /* process full blocks */
  725. if (bytes >= sizeof(ctx->buffer)) {
  726. size_t want = bytes & ~(sizeof(ctx->buffer) - 1);
  727. if (!ctx->started)
  728. poly1305_calc_powers_avx2(ctx);
  729. poly1305_blocks_avx2(ctx, m, want);
  730. m += want;
  731. bytes -= (word32)want;
  732. }
  733. /* store leftover */
  734. if (bytes) {
  735. for (i = 0; i < bytes; i++)
  736. ctx->buffer[ctx->leftover + i] = m[i];
  737. ctx->leftover += bytes;
  738. }
  739. RESTORE_VECTOR_REGISTERS();
  740. }
  741. else
  742. #endif
  743. #endif
  744. {
  745. /* handle leftover */
  746. if (ctx->leftover) {
  747. size_t want = (POLY1305_BLOCK_SIZE - ctx->leftover);
  748. if (want > bytes)
  749. want = bytes;
  750. for (i = 0; i < want; i++)
  751. ctx->buffer[ctx->leftover + i] = m[i];
  752. bytes -= (word32)want;
  753. m += want;
  754. ctx->leftover += want;
  755. if (ctx->leftover < POLY1305_BLOCK_SIZE)
  756. return 0;
  757. poly1305_block(ctx, ctx->buffer);
  758. ctx->leftover = 0;
  759. }
  760. /* process full blocks */
  761. if (bytes >= POLY1305_BLOCK_SIZE) {
  762. size_t want = ((size_t)bytes & ~((size_t)POLY1305_BLOCK_SIZE - 1));
  763. #if !defined(WOLFSSL_ARMASM) && !defined(WOLFSSL_RISCV_ASM)
  764. int ret;
  765. ret = poly1305_blocks(ctx, m, want);
  766. if (ret != 0)
  767. return ret;
  768. #else
  769. poly1305_blocks(ctx, m, want);
  770. #endif
  771. m += want;
  772. bytes -= (word32)want;
  773. }
  774. /* store leftover */
  775. if (bytes) {
  776. for (i = 0; i < bytes; i++)
  777. ctx->buffer[ctx->leftover + i] = m[i];
  778. ctx->leftover += bytes;
  779. }
  780. }
  781. return 0;
  782. }
  783. /* Takes a Poly1305 struct that has a key loaded and pads the provided length
  784. ctx : Initialized Poly1305 struct to use
  785. lenToPad : Current number of bytes updated that needs padding to 16
  786. */
  787. int wc_Poly1305_Pad(Poly1305* ctx, word32 lenToPad)
  788. {
  789. int ret = 0;
  790. word32 paddingLen;
  791. byte padding[WC_POLY1305_PAD_SZ - 1];
  792. if (ctx == NULL) {
  793. return BAD_FUNC_ARG;
  794. }
  795. if (lenToPad == 0) {
  796. return 0; /* nothing needs to be done */
  797. }
  798. XMEMSET(padding, 0, sizeof(padding));
  799. /* Pad length to 16 bytes */
  800. paddingLen = (-(int)lenToPad) & (WC_POLY1305_PAD_SZ - 1);
  801. if ((paddingLen > 0) && (paddingLen < WC_POLY1305_PAD_SZ)) {
  802. ret = wc_Poly1305Update(ctx, padding, paddingLen);
  803. }
  804. return ret;
  805. }
  806. /* Takes a Poly1305 struct that has a key loaded and adds the AEAD length
  807. encoding in 64-bit little endian
  808. aadSz : Size of the additional authentication data
  809. dataSz : Size of the plaintext or ciphertext
  810. */
  811. int wc_Poly1305_EncodeSizes(Poly1305* ctx, word32 aadSz, word32 dataSz)
  812. {
  813. int ret;
  814. byte little64[16]; /* sizeof(word64) * 2 */
  815. if (ctx == NULL) {
  816. return BAD_FUNC_ARG;
  817. }
  818. XMEMSET(little64, 0, sizeof(little64));
  819. /* size of additional data and input data as little endian 64 bit types */
  820. u32tole64(aadSz, little64);
  821. u32tole64(dataSz, little64 + 8);
  822. ret = wc_Poly1305Update(ctx, little64, sizeof(little64));
  823. return ret;
  824. }
  825. #ifdef WORD64_AVAILABLE
  826. int wc_Poly1305_EncodeSizes64(Poly1305* ctx, word64 aadSz, word64 dataSz)
  827. {
  828. int ret;
  829. word64 little64[2];
  830. if (ctx == NULL) {
  831. return BAD_FUNC_ARG;
  832. }
  833. #ifdef BIG_ENDIAN_ORDER
  834. little64[0] = ByteReverseWord64(aadSz);
  835. little64[1] = ByteReverseWord64(dataSz);
  836. #else
  837. little64[0] = aadSz;
  838. little64[1] = dataSz;
  839. #endif
  840. ret = wc_Poly1305Update(ctx, (byte *)little64, sizeof(little64));
  841. return ret;
  842. }
  843. #endif
  844. /* Takes in an initialized Poly1305 struct that has a key loaded and creates
  845. a MAC (tag) using recent TLS AEAD padding scheme.
  846. ctx : Initialized Poly1305 struct to use
  847. additional : Additional data to use
  848. addSz : Size of additional buffer
  849. input : Input buffer to create tag from
  850. sz : Size of input buffer
  851. tag : Buffer to hold created tag
  852. tagSz : Size of input tag buffer (must be at least
  853. WC_POLY1305_MAC_SZ(16))
  854. */
  855. int wc_Poly1305_MAC(Poly1305* ctx, const byte* additional, word32 addSz,
  856. const byte* input, word32 sz, byte* tag, word32 tagSz)
  857. {
  858. int ret;
  859. /* sanity check on arguments */
  860. if (ctx == NULL || input == NULL || tag == NULL ||
  861. tagSz < WC_POLY1305_MAC_SZ) {
  862. return BAD_FUNC_ARG;
  863. }
  864. /* additional allowed to be 0 */
  865. if (addSz > 0) {
  866. if (additional == NULL)
  867. return BAD_FUNC_ARG;
  868. /* additional data plus padding */
  869. if ((ret = wc_Poly1305Update(ctx, additional, addSz)) != 0) {
  870. return ret;
  871. }
  872. /* pad additional data */
  873. if ((ret = wc_Poly1305_Pad(ctx, addSz)) != 0) {
  874. return ret;
  875. }
  876. }
  877. /* input plus padding */
  878. if ((ret = wc_Poly1305Update(ctx, input, sz)) != 0) {
  879. return ret;
  880. }
  881. /* pad input data */
  882. if ((ret = wc_Poly1305_Pad(ctx, sz)) != 0) {
  883. return ret;
  884. }
  885. /* encode size of AAD and input data as little endian 64 bit types */
  886. if ((ret = wc_Poly1305_EncodeSizes(ctx, addSz, sz)) != 0) {
  887. return ret;
  888. }
  889. /* Finalize the auth tag */
  890. ret = wc_Poly1305Final(ctx, tag);
  891. return ret;
  892. }
  893. #endif /* HAVE_POLY1305 */