1 /* SPDX-License-Identifier: MIT
3  * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
22 #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
30         while (words--) {  in cpu_to_le32_array()
37         while (words--) {  in le32_to_cpu_array()
44 	return (word >> (shift & 31)) | (word << ((-shift) & 31));  in ror32()
53 	{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
54 	{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
55 	{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
56 	{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
57 	{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
58 	{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
59 	{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
60 	{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
61 	{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
62 	{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
67 	state->f[0] = -1;  in blake2s_set_lastblock()
73 	state->t[0] += inc;  in blake2s_increment_counter()
74 	state->t[1] += (state->t[0] < inc);  in blake2s_increment_counter()
84 		state->h[i] = blake2s_iv[i];  in blake2s_init_param()
85 	state->h[0] ^= param;  in blake2s_init_param()
91 	state->outlen = outlen;  in blake2s_init()
100 	state->outlen = outlen;  in blake2s_init_key()
111 	uint32_t v[16];  in blake2s_compress()  local
118 		memcpy(v, state->h, 32);  in blake2s_compress()
119 		v[ 8] = blake2s_iv[0];  in blake2s_compress()
120 		v[ 9] = blake2s_iv[1];  in blake2s_compress()
121 		v[10] = blake2s_iv[2];  in blake2s_compress()
122 		v[11] = blake2s_iv[3];  in blake2s_compress()
123 		v[12] = blake2s_iv[4] ^ state->t[0];  in blake2s_compress()
124 		v[13] = blake2s_iv[5] ^ state->t[1];  in blake2s_compress()
125 		v[14] = blake2s_iv[6] ^ state->f[0];  in blake2s_compress()
126 		v[15] = blake2s_iv[7] ^ state->f[1];  in blake2s_compress()
132 	b = ror32(b ^ c, 12); \  in blake2s_compress()
140 	G(r, 0, v[0], v[ 4], v[ 8], v[12]); \  in blake2s_compress()
141 	G(r, 1, v[1], v[ 5], v[ 9], v[13]); \  in blake2s_compress()
142 	G(r, 2, v[2], v[ 6], v[10], v[14]); \  in blake2s_compress()
143 	G(r, 3, v[3], v[ 7], v[11], v[15]); \  in blake2s_compress()
144 	G(r, 4, v[0], v[ 5], v[10], v[15]); \  in blake2s_compress()
145 	G(r, 5, v[1], v[ 6], v[11], v[12]); \  in blake2s_compress()
146 	G(r, 6, v[2], v[ 7], v[ 8], v[13]); \  in blake2s_compress()
147 	G(r, 7, v[3], v[ 4], v[ 9], v[14]); \  in blake2s_compress()
164 			state->h[i] ^= v[i] ^ v[i + 8];  in blake2s_compress()
167 		--nblocks;  in blake2s_compress()
173 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;  in blake2s_update()
178 		memcpy(state->buf + state->buflen, in, fill);  in blake2s_update()
179 		blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);  in blake2s_update()
180 		state->buflen = 0;  in blake2s_update()
182 		inlen -= fill;  in blake2s_update()
187 		blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);  in blake2s_update()
188 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);  in blake2s_update()
189 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);  in blake2s_update()
191 	memcpy(state->buf + state->buflen, in, inlen);  in blake2s_update()
192 	state->buflen += inlen;  in blake2s_update()
198 	memset(state->buf + state->buflen, 0,  in blake2s_final()
199 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */  in blake2s_final()
200 	blake2s_compress(state, state->buf, 1, state->buflen);  in blake2s_final()
201 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));  in blake2s_final()
202 	memcpy(out, state->h, state->outlen);  in blake2s_final()
227 	crp.crp_payload_length = m->m_pkthdr.len - POLY1305_HASH_LEN;  in chacha20poly1305_encrypt_mbuf()
244 	if (m->m_pkthdr.len < POLY1305_HASH_LEN)  in chacha20poly1305_decrypt_mbuf()
250 	crp.crp_payload_length = m->m_pkthdr.len - POLY1305_HASH_LEN;  in chacha20poly1305_decrypt_mbuf()
259 	m_adj(m, -POLY1305_HASH_LEN);  in chacha20poly1305_decrypt_mbuf()