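Lines Matching +full:key +full:- +full:2
(Search-result excerpt: only the matching lines are shown. Each is prefixed with its line number in the source file and, where applicable, followed by the name of the enclosing function. Gaps in the numbering are lines that did not match, so no function below is shown in full.)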
1 // SPDX-License-Identifier: GPL-2.0
3 * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
15 * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over
16 * Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte
17 * chunks of the input with the NH hash function [2], reducing the input length
19 * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial
20 * evaluation by itself would suffice to achieve the ε-∆U property; NH is used
25 * [1] Adiantum: length-preserving encryption for entry-level processors
27 * [2] UMAC: Fast and Secure Message Authentication
29 * [3] The Poly1305-AES message-authentication code
30 * (https://cr.yp.to/mac/poly1305-20050329.pdf)
42 static void nh_generic(const u32 *key, const u8 *message, size_t message_len, in nh_generic() argument
47 BUILD_BUG_ON(NH_PAIR_STRIDE != 2); in nh_generic()
56 sums[0] += (u64)(u32)(m0 + key[ 0]) * (u32)(m2 + key[ 2]); in nh_generic()
57 sums[1] += (u64)(u32)(m0 + key[ 4]) * (u32)(m2 + key[ 6]); in nh_generic()
58 sums[2] += (u64)(u32)(m0 + key[ 8]) * (u32)(m2 + key[10]); in nh_generic()
59 sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]); in nh_generic()
60 sums[0] += (u64)(u32)(m1 + key[ 1]) * (u32)(m3 + key[ 3]); in nh_generic()
61 sums[1] += (u64)(u32)(m1 + key[ 5]) * (u32)(m3 + key[ 7]); in nh_generic()
62 sums[2] += (u64)(u32)(m1 + key[ 9]) * (u32)(m3 + key[11]); in nh_generic()
63 sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]); in nh_generic()
64 key += NH_MESSAGE_UNIT / sizeof(key[0]); in nh_generic()
66 message_len -= NH_MESSAGE_UNIT; in nh_generic()
71 hash[2] = cpu_to_le64(sums[2]); in nh_generic()
77 const struct nhpoly1305_key *key) in process_nh_hash_value() argument
81 poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash, in process_nh_hash_value()
86 * Feed the next portion of the source data, as a whole number of 16-byte
93 const struct nhpoly1305_key *key, in nhpoly1305_units() argument
99 if (state->nh_remaining == 0) { in nhpoly1305_units()
102 nh_fn(key->nh_key, src, bytes, state->nh_hash); in nhpoly1305_units()
103 state->nh_remaining = NH_MESSAGE_BYTES - bytes; in nhpoly1305_units()
110 pos = NH_MESSAGE_BYTES - state->nh_remaining; in nhpoly1305_units()
111 bytes = min(srclen, state->nh_remaining); in nhpoly1305_units()
112 nh_fn(&key->nh_key[pos / 4], src, bytes, tmp_hash); in nhpoly1305_units()
114 le64_add_cpu(&state->nh_hash[i], in nhpoly1305_units()
116 state->nh_remaining -= bytes; in nhpoly1305_units()
118 if (state->nh_remaining == 0) in nhpoly1305_units()
119 process_nh_hash_value(state, key); in nhpoly1305_units()
121 srclen -= bytes; in nhpoly1305_units()
126 const u8 *key, unsigned int keylen) in crypto_nhpoly1305_setkey() argument
132 return -EINVAL; in crypto_nhpoly1305_setkey()
134 poly1305_core_setkey(&ctx->poly_key, key); in crypto_nhpoly1305_setkey()
135 key += POLY1305_BLOCK_SIZE; in crypto_nhpoly1305_setkey()
138 ctx->nh_key[i] = get_unaligned_le32(key + i * sizeof(u32)); in crypto_nhpoly1305_setkey()
148 poly1305_core_init(&state->poly_state); in crypto_nhpoly1305_init()
149 state->buflen = 0; in crypto_nhpoly1305_init()
150 state->nh_remaining = 0; in crypto_nhpoly1305_init()
160 const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm); in crypto_nhpoly1305_update_helper() local
163 if (state->buflen) { in crypto_nhpoly1305_update_helper()
164 bytes = min(srclen, (int)NH_MESSAGE_UNIT - state->buflen); in crypto_nhpoly1305_update_helper()
165 memcpy(&state->buffer[state->buflen], src, bytes); in crypto_nhpoly1305_update_helper()
166 state->buflen += bytes; in crypto_nhpoly1305_update_helper()
167 if (state->buflen < NH_MESSAGE_UNIT) in crypto_nhpoly1305_update_helper()
169 nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, in crypto_nhpoly1305_update_helper()
171 state->buflen = 0; in crypto_nhpoly1305_update_helper()
173 srclen -= bytes; in crypto_nhpoly1305_update_helper()
178 nhpoly1305_units(state, key, src, bytes, nh_fn); in crypto_nhpoly1305_update_helper()
180 srclen -= bytes; in crypto_nhpoly1305_update_helper()
184 memcpy(state->buffer, src, srclen); in crypto_nhpoly1305_update_helper()
185 state->buflen = srclen; in crypto_nhpoly1305_update_helper()
201 const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm); in crypto_nhpoly1305_final_helper() local
203 if (state->buflen) { in crypto_nhpoly1305_final_helper()
204 memset(&state->buffer[state->buflen], 0, in crypto_nhpoly1305_final_helper()
205 NH_MESSAGE_UNIT - state->buflen); in crypto_nhpoly1305_final_helper()
206 nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, in crypto_nhpoly1305_final_helper()
210 if (state->nh_remaining) in crypto_nhpoly1305_final_helper()
211 process_nh_hash_value(state, key); in crypto_nhpoly1305_final_helper()
213 poly1305_core_emit(&state->poly_state, NULL, dst); in crypto_nhpoly1305_final_helper()
226 .base.cra_driver_name = "nhpoly1305-generic",
251 MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function");
255 MODULE_ALIAS_CRYPTO("nhpoly1305-generic");