1 // SPDX-License-Identifier: GPL-2.0 OR MIT
3  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
5  * This is based in part on Andrew Moon's poly1305-donna, which is in the
13 void poly1305_core_setkey(struct poly1305_core_key *key,  in poly1305_core_setkey()  argument
17 	key->key.r[0] = (get_unaligned_le32(&raw_key[0])) & 0x3ffffff;  in poly1305_core_setkey()
18 	key->key.r[1] = (get_unaligned_le32(&raw_key[3]) >> 2) & 0x3ffff03;  in poly1305_core_setkey()
19 	key->key.r[2] = (get_unaligned_le32(&raw_key[6]) >> 4) & 0x3ffc0ff;  in poly1305_core_setkey()
20 	key->key.r[3] = (get_unaligned_le32(&raw_key[9]) >> 6) & 0x3f03fff;  in poly1305_core_setkey()
21 	key->key.r[4] = (get_unaligned_le32(&raw_key[12]) >> 8) & 0x00fffff;  in poly1305_core_setkey()
24 	key->precomputed_s.r[0] = key->key.r[1] * 5;  in poly1305_core_setkey()
25 	key->precomputed_s.r[1] = key->key.r[2] * 5;  in poly1305_core_setkey()
26 	key->precomputed_s.r[2] = key->key.r[3] * 5;  in poly1305_core_setkey()
27 	key->precomputed_s.r[3] = key->key.r[4] * 5;  in poly1305_core_setkey()
32 			  const struct poly1305_core_key *key, const void *src,  in poly1305_core_blocks()  argument
47 	r0 = key->key.r[0];  in poly1305_core_blocks()
48 	r1 = key->key.r[1];  in poly1305_core_blocks()
49 	r2 = key->key.r[2];  in poly1305_core_blocks()
50 	r3 = key->key.r[3];  in poly1305_core_blocks()
51 	r4 = key->key.r[4];  in poly1305_core_blocks()
53 	s1 = key->precomputed_s.r[0];  in poly1305_core_blocks()
54 	s2 = key->precomputed_s.r[1];  in poly1305_core_blocks()
55 	s3 = key->precomputed_s.r[2];  in poly1305_core_blocks()
56 	s4 = key->precomputed_s.r[3];  in poly1305_core_blocks()
58 	h0 = state->h[0];  in poly1305_core_blocks()
59 	h1 = state->h[1];  in poly1305_core_blocks()
60 	h2 = state->h[2];  in poly1305_core_blocks()
61 	h3 = state->h[3];  in poly1305_core_blocks()
62 	h4 = state->h[4];  in poly1305_core_blocks()
67 		h1 += (get_unaligned_le32(&input[3]) >> 2) & 0x3ffffff;  in poly1305_core_blocks()
110 	} while (--nblocks);  in poly1305_core_blocks()
112 	state->h[0] = h0;  in poly1305_core_blocks()
113 	state->h[1] = h1;  in poly1305_core_blocks()
114 	state->h[2] = h2;  in poly1305_core_blocks()
115 	state->h[3] = h3;  in poly1305_core_blocks()
116 	state->h[4] = h4;  in poly1305_core_blocks()
130 	h0 = state->h[0];  in poly1305_core_emit()
131 	h1 = state->h[1];  in poly1305_core_emit()
132 	h2 = state->h[2];  in poly1305_core_emit()
133 	h3 = state->h[3];  in poly1305_core_emit()
134 	h4 = state->h[4];  in poly1305_core_emit()
152 	/* compute h + -p */  in poly1305_core_emit()
165 	g4 = h4 + c - (1UL << 26);  in poly1305_core_emit()
167 	/* select h if h < p, or h + -p if h >= p */  in poly1305_core_emit()
168 	mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1;  in poly1305_core_emit()
182 	/* h = h % (2^128) */  in poly1305_core_emit()
189 		/* mac = (h + nonce) % (2^128) */  in poly1305_core_emit()
194 		f = (u64)h2 + nonce[2] + (f >> 32);  in poly1305_core_emit()