xref: /OK3568_Linux_fs/kernel/crypto/aegis128-core.c (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * The AEGIS-128 Authenticated-Encryption Algorithm
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6*4882a593Smuzhiyun  * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7*4882a593Smuzhiyun  */
8*4882a593Smuzhiyun 
9*4882a593Smuzhiyun #include <crypto/algapi.h>
10*4882a593Smuzhiyun #include <crypto/internal/aead.h>
11*4882a593Smuzhiyun #include <crypto/internal/simd.h>
12*4882a593Smuzhiyun #include <crypto/internal/skcipher.h>
13*4882a593Smuzhiyun #include <crypto/scatterwalk.h>
14*4882a593Smuzhiyun #include <linux/err.h>
15*4882a593Smuzhiyun #include <linux/init.h>
16*4882a593Smuzhiyun #include <linux/jump_label.h>
17*4882a593Smuzhiyun #include <linux/kernel.h>
18*4882a593Smuzhiyun #include <linux/module.h>
19*4882a593Smuzhiyun #include <linux/scatterlist.h>
20*4882a593Smuzhiyun 
21*4882a593Smuzhiyun #include <asm/simd.h>
22*4882a593Smuzhiyun 
23*4882a593Smuzhiyun #include "aegis.h"
24*4882a593Smuzhiyun 
/*
 * AEGIS-128 parameters. The sizes are byte counts; AEGIS128_STATE_BLOCKS
 * is the number of blocks in struct aegis_state.
 */
#define AEGIS128_KEY_SIZE 16		/* the only key length setkey accepts */
#define AEGIS128_NONCE_SIZE 16		/* advertised to the API as .ivsize */
#define AEGIS128_STATE_BLOCKS 5
#define AEGIS128_MIN_AUTH_SIZE 8	/* shortest tag setauthsize accepts */
#define AEGIS128_MAX_AUTH_SIZE 16	/* longest tag, also .maxauthsize */
30*4882a593Smuzhiyun 
/*
 * Running cipher state. It is derived from the key and nonce and lives on
 * the caller's stack for the duration of one encrypt/decrypt request.
 */
struct aegis_state {
	union aegis_block blocks[AEGIS128_STATE_BLOCKS];
};

/*
 * Per-transform context: just the raw key stored by setkey.
 * NOTE(review): this file registers no hook that clears the key; presumably
 * the crypto core zeroizes the context when the transform is freed - confirm.
 */
struct aegis_ctx {
	union aegis_block key;
};
38*4882a593Smuzhiyun 
/*
 * Off by default; module init switches it on when a SIMD implementation
 * reports itself available. __ro_after_init keeps it from changing later.
 */
static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_simd);

/*
 * The two constant blocks mixed into the initial state. Read as
 * little-endian bytes they are 00 01 01 02 03 05 08 0d 15 22 ..., i.e. the
 * Fibonacci sequence modulo 256, split across the two entries.
 */
static const union aegis_block crypto_aegis_const[2] = {
	[0] = { .words64 = {
		[0] = cpu_to_le64(U64_C(0x0d08050302010100)),
		[1] = cpu_to_le64(U64_C(0x6279e99059372215)),
	} },
	[1] = { .words64 = {
		[0] = cpu_to_le64(U64_C(0xf12fc26d55183ddb)),
		[1] = cpu_to_le64(U64_C(0xdd28b57342311120)),
	} },
};
51*4882a593Smuzhiyun 
/*
 * Decide whether the SIMD code path may be taken right now.
 *
 * Always false when CONFIG_CRYPTO_AEGIS128_SIMD is not set. Otherwise the
 * answer is crypto_simd_usable() once the have_simd static key has been
 * enabled, so it can differ from one call to the next.
 */
static bool aegis128_do_simd(void)
{
	bool use_simd = false;

#ifdef CONFIG_CRYPTO_AEGIS128_SIMD
	if (static_branch_likely(&have_simd))
		use_simd = crypto_simd_usable();
#endif
	return use_simd;
}
60*4882a593Smuzhiyun 
/*
 * SIMD backend, implemented outside this file. In this file these are only
 * reached behind aegis128_do_simd(), or behind IS_ENABLED() for the probe.
 */
bool crypto_aegis128_have_simd(void);

void crypto_aegis128_init_simd(struct aegis_state *state,
			       const union aegis_block *key,
			       const u8 *iv);

void crypto_aegis128_update_simd(struct aegis_state *state, const void *msg);

void crypto_aegis128_encrypt_chunk_simd(struct aegis_state *state, u8 *dst,
					const u8 *src, unsigned int size);

void crypto_aegis128_decrypt_chunk_simd(struct aegis_state *state, u8 *dst,
					const u8 *src, unsigned int size);

void crypto_aegis128_final_simd(struct aegis_state *state,
				union aegis_block *tag_xor,
				u64 assoclen, u64 cryptlen);
73*4882a593Smuzhiyun 
/*
 * Advance the state by one round without absorbing a message block.
 *
 * Each block i is replaced by crypto_aegis_aesenc(blocks[i - 1], blocks[i]),
 * with block 0 taking the previous last block as its input. The last block
 * is saved first because the downward loop overwrites it before block 0 is
 * computed. (crypto_aegis_aesenc() itself is defined in aegis.h.)
 */
static void crypto_aegis128_update(struct aegis_state *state)
{
	union aegis_block *blk = state->blocks;
	union aegis_block last = blk[AEGIS128_STATE_BLOCKS - 1];
	unsigned int idx = AEGIS128_STATE_BLOCKS - 1;

	while (idx > 0) {
		crypto_aegis_aesenc(&blk[idx], &blk[idx - 1], &blk[idx]);
		idx--;
	}
	crypto_aegis_aesenc(&blk[0], &last, &blk[0]);
}
85*4882a593Smuzhiyun 
/*
 * Absorb one block-typed message into the state.
 *
 * Uses the SIMD implementation when it is usable, otherwise runs the generic
 * round and XORs @msg into block 0. The "_a" variant takes @msg as a
 * union aegis_block pointer; callers use it for aligned or local blocks.
 */
static void crypto_aegis128_update_a(struct aegis_state *state,
				     const union aegis_block *msg)
{
	if (!aegis128_do_simd()) {
		crypto_aegis128_update(state);
		crypto_aegis_block_xor(&state->blocks[0], msg);
	} else {
		crypto_aegis128_update_simd(state, msg);
	}
}
97*4882a593Smuzhiyun 
/*
 * Absorb one message block given as a plain byte pointer.
 *
 * Same as crypto_aegis128_update_a(), but the generic path XORs the bytes in
 * with crypto_xor() instead of treating @msg as a union aegis_block; callers
 * use it when the source is not block-aligned.
 */
static void crypto_aegis128_update_u(struct aegis_state *state, const void *msg)
{
	if (!aegis128_do_simd()) {
		crypto_aegis128_update(state);
		crypto_xor(state->blocks[0].bytes, msg, AEGIS_BLOCK_SIZE);
	} else {
		crypto_aegis128_update_simd(state, msg);
	}
}
108*4882a593Smuzhiyun 
/*
 * Load the initial state from @key and the nonce @iv (generic path).
 *
 * @state: state to initialise; every block is overwritten.
 * @key:   the AEGIS-128 key block.
 * @iv:    AEGIS_BLOCK_SIZE bytes of nonce.
 *
 * The blocks start as key^iv, const[1], const[0], key^const[0] and
 * key^const[1]; then the key and key^iv are absorbed alternately, five
 * times each.
 *
 * NOTE(review): key_iv (key XOR nonce) is left on the stack on return; the
 * nonce is normally public, so this is key-equivalent residue.
 */
static void crypto_aegis128_init(struct aegis_state *state,
				 const union aegis_block *key,
				 const u8 *iv)
{
	union aegis_block key_iv = *key;
	union aegis_block *blk = state->blocks;
	unsigned int rounds_left = 5;

	crypto_xor(key_iv.bytes, iv, AEGIS_BLOCK_SIZE);

	blk[0] = key_iv;
	blk[1] = crypto_aegis_const[1];
	blk[2] = crypto_aegis_const[0];
	blk[3] = *key;
	blk[4] = *key;

	crypto_aegis_block_xor(&blk[3], &crypto_aegis_const[0]);
	crypto_aegis_block_xor(&blk[4], &crypto_aegis_const[1]);

	while (rounds_left--) {
		crypto_aegis128_update_a(state, key);
		crypto_aegis128_update_a(state, &key_iv);
	}
}
133*4882a593Smuzhiyun 
/*
 * Absorb the whole blocks of a run of associated data.
 *
 * Only complete AEGIS_BLOCK_SIZE blocks are consumed; a trailing remainder
 * of fewer bytes is left for the caller to buffer and pad. The aligned and
 * unaligned cases differ only in which update helper reads the source.
 */
static void crypto_aegis128_ad(struct aegis_state *state,
			       const u8 *src, unsigned int size)
{
	const union aegis_block *blk;

	if (!AEGIS_ALIGNED(src)) {
		for (; size >= AEGIS_BLOCK_SIZE;
		     size -= AEGIS_BLOCK_SIZE, src += AEGIS_BLOCK_SIZE)
			crypto_aegis128_update_u(state, src);
		return;
	}

	blk = (const union aegis_block *)src;
	for (; size >= AEGIS_BLOCK_SIZE; size -= AEGIS_BLOCK_SIZE)
		crypto_aegis128_update_a(state, blk++);
}
156*4882a593Smuzhiyun 
/*
 * Encrypt @size bytes from @src to @dst and absorb the plaintext.
 *
 * For every block the keystream is blocks[1] ^ blocks[4] ^
 * (blocks[2] & blocks[3]), taken before the state is updated. The state
 * absorbs the plaintext, and the ciphertext is stored only after that, so
 * the source block is fully read before the destination is written.
 *
 * A final partial block is zero-padded before it is absorbed, and only
 * @size bytes of output are written for it.
 */
static void crypto_aegis128_encrypt_chunk(struct aegis_state *state, u8 *dst,
					  const u8 *src, unsigned int size)
{
	union aegis_block ks;

	if (!AEGIS_ALIGNED(src) || !AEGIS_ALIGNED(dst)) {
		/* Byte-wise path for buffers that are not block-aligned. */
		for (; size >= AEGIS_BLOCK_SIZE; size -= AEGIS_BLOCK_SIZE,
		     src += AEGIS_BLOCK_SIZE, dst += AEGIS_BLOCK_SIZE) {
			ks = state->blocks[2];
			crypto_aegis_block_and(&ks, &state->blocks[3]);
			crypto_aegis_block_xor(&ks, &state->blocks[4]);
			crypto_aegis_block_xor(&ks, &state->blocks[1]);
			crypto_xor(ks.bytes, src, AEGIS_BLOCK_SIZE);

			crypto_aegis128_update_u(state, src);

			memcpy(dst, ks.bytes, AEGIS_BLOCK_SIZE);
		}
	} else {
		for (; size >= AEGIS_BLOCK_SIZE; size -= AEGIS_BLOCK_SIZE,
		     src += AEGIS_BLOCK_SIZE, dst += AEGIS_BLOCK_SIZE) {
			const union aegis_block *in =
					(const union aegis_block *)src;
			union aegis_block *out = (union aegis_block *)dst;

			ks = state->blocks[2];
			crypto_aegis_block_and(&ks, &state->blocks[3]);
			crypto_aegis_block_xor(&ks, &state->blocks[4]);
			crypto_aegis_block_xor(&ks, &state->blocks[1]);
			crypto_aegis_block_xor(&ks, in);

			crypto_aegis128_update_a(state, in);

			*out = ks;
		}
	}

	if (size > 0) {
		union aegis_block padded = {};

		memcpy(padded.bytes, src, size);

		ks = state->blocks[2];
		crypto_aegis_block_and(&ks, &state->blocks[3]);
		crypto_aegis_block_xor(&ks, &state->blocks[4]);
		crypto_aegis_block_xor(&ks, &state->blocks[1]);

		/* Absorb the zero-padded plaintext, then encrypt in place. */
		crypto_aegis128_update_a(state, &padded);

		crypto_aegis_block_xor(&padded, &ks);

		memcpy(dst, padded.bytes, size);
	}
}
217*4882a593Smuzhiyun 
/*
 * Decrypt @size bytes from @src to @dst and absorb the recovered plaintext.
 *
 * The keystream is computed as in the encrypt path. Here the state absorbs
 * the block after it has been XORed with the keystream, i.e. the plaintext,
 * not the ciphertext that was read.
 *
 * For a final partial block the bytes past @size are cleared again after
 * the XOR, so the state absorbs zero-padded plaintext, not keystream.
 *
 * The output is written here, before any tag has been checked; whether it
 * may be released is the caller's decision once the tag has been verified.
 */
static void crypto_aegis128_decrypt_chunk(struct aegis_state *state, u8 *dst,
					  const u8 *src, unsigned int size)
{
	union aegis_block pt;

	if (!AEGIS_ALIGNED(src) || !AEGIS_ALIGNED(dst)) {
		/* Byte-wise path for buffers that are not block-aligned. */
		for (; size >= AEGIS_BLOCK_SIZE; size -= AEGIS_BLOCK_SIZE,
		     src += AEGIS_BLOCK_SIZE, dst += AEGIS_BLOCK_SIZE) {
			pt = state->blocks[2];
			crypto_aegis_block_and(&pt, &state->blocks[3]);
			crypto_aegis_block_xor(&pt, &state->blocks[4]);
			crypto_aegis_block_xor(&pt, &state->blocks[1]);
			crypto_xor(pt.bytes, src, AEGIS_BLOCK_SIZE);

			crypto_aegis128_update_a(state, &pt);

			memcpy(dst, pt.bytes, AEGIS_BLOCK_SIZE);
		}
	} else {
		for (; size >= AEGIS_BLOCK_SIZE; size -= AEGIS_BLOCK_SIZE,
		     src += AEGIS_BLOCK_SIZE, dst += AEGIS_BLOCK_SIZE) {
			const union aegis_block *in =
					(const union aegis_block *)src;
			union aegis_block *out = (union aegis_block *)dst;

			pt = state->blocks[2];
			crypto_aegis_block_and(&pt, &state->blocks[3]);
			crypto_aegis_block_xor(&pt, &state->blocks[4]);
			crypto_aegis_block_xor(&pt, &state->blocks[1]);
			crypto_aegis_block_xor(&pt, in);

			crypto_aegis128_update_a(state, &pt);

			*out = pt;
		}
	}

	if (size > 0) {
		union aegis_block padded = {};

		memcpy(padded.bytes, src, size);

		pt = state->blocks[2];
		crypto_aegis_block_and(&pt, &state->blocks[3]);
		crypto_aegis_block_xor(&pt, &state->blocks[4]);
		crypto_aegis_block_xor(&pt, &state->blocks[1]);
		crypto_aegis_block_xor(&padded, &pt);

		/* The XOR left keystream in the padding bytes; clear them. */
		memset(padded.bytes + size, 0, AEGIS_BLOCK_SIZE - size);

		crypto_aegis128_update_a(state, &padded);

		memcpy(dst, padded.bytes, size);
	}
}
279*4882a593Smuzhiyun 
/*
 * Absorb @assoclen bytes of associated data from the scatterlist @sg_src.
 *
 * The data can arrive in pieces of any length, so bytes that do not yet
 * fill a block are collected in a local buffer and carried over to the
 * next piece. Whatever is still buffered at the end is zero-padded to a
 * full block and absorbed.
 */
static void crypto_aegis128_process_ad(struct aegis_state *state,
				       struct scatterlist *sg_src,
				       unsigned int assoclen)
{
	struct scatter_walk walk;
	union aegis_block buf;
	unsigned int buffered = 0;

	scatterwalk_start(&walk, sg_src);
	while (assoclen) {
		unsigned int span = scatterwalk_clamp(&walk, assoclen);
		unsigned int remain = span;
		void *vaddr = scatterwalk_map(&walk);
		const u8 *p = (const u8 *)vaddr;

		if (buffered + span >= AEGIS_BLOCK_SIZE) {
			unsigned int tail;

			if (buffered) {
				/* Complete the carried-over block first. */
				unsigned int need = AEGIS_BLOCK_SIZE - buffered;

				memcpy(buf.bytes + buffered, p, need);
				crypto_aegis128_update_a(state, &buf);
				buffered = 0;
				remain -= need;
				p += need;
			}

			/* Whole blocks go straight in; keep the tail. */
			crypto_aegis128_ad(state, p, remain);
			tail = remain & (AEGIS_BLOCK_SIZE - 1);
			p += remain - tail;
			remain = tail;
		}

		memcpy(buf.bytes + buffered, p, remain);
		buffered += remain;

		assoclen -= span;
		scatterwalk_unmap(vaddr);
		scatterwalk_advance(&walk, span);
		scatterwalk_done(&walk, 0, assoclen);
	}

	if (buffered) {
		memset(buf.bytes + buffered, 0, AEGIS_BLOCK_SIZE - buffered);
		crypto_aegis128_update_a(state, &buf);
	}
}
324*4882a593Smuzhiyun 
/*
 * Run @crypt over every span the skcipher walk produces.
 *
 * While more data is still to come, a span is rounded down to a multiple
 * of walk->stride and the leftover bytes are handed back to the walk.
 * Only the last span may therefore have an arbitrary length.
 *
 * @req is not used in the body.
 *
 * Return: the value of the last skcipher_walk_done() call, or 0 if the
 * walk had nothing to process.
 */
static __always_inline
int crypto_aegis128_process_crypt(struct aegis_state *state,
				  struct aead_request *req,
				  struct skcipher_walk *walk,
				  void (*crypt)(struct aegis_state *state,
					        u8 *dst, const u8 *src,
					        unsigned int size))
{
	unsigned int avail, take;
	int ret = 0;

	for (avail = walk->nbytes; avail; avail = walk->nbytes) {
		take = avail;
		if (take < walk->total)
			take = round_down(take, walk->stride);

		crypt(state, walk->dst.virt.addr, walk->src.virt.addr, take);

		ret = skcipher_walk_done(walk, walk->nbytes - take);
	}
	return ret;
}
347*4882a593Smuzhiyun 
/*
 * Finish the computation and XOR the tag into @tag_xor (generic path).
 *
 * @tag_xor:  block the tag is XORed into. In this file encryption passes a
 *            zeroed block and so receives the tag, while decryption passes
 *            the received tag and checks the result against zero.
 * @assoclen: associated data length in bytes.
 * @cryptlen: message length in bytes.
 *
 * Both lengths are converted to bit counts, stored little-endian, mixed
 * with state block 3 and absorbed seven times. The tag is the XOR of all
 * state blocks.
 */
static void crypto_aegis128_final(struct aegis_state *state,
				  union aegis_block *tag_xor,
				  u64 assoclen, u64 cryptlen)
{
	union aegis_block lens;
	unsigned int n;

	lens.words64[0] = cpu_to_le64(assoclen * 8);
	lens.words64[1] = cpu_to_le64(cryptlen * 8);

	crypto_aegis_block_xor(&lens, &state->blocks[3]);

	for (n = 7; n > 0; n--)
		crypto_aegis128_update_a(state, &lens);

	for (n = 0; n != AEGIS128_STATE_BLOCKS; n++)
		crypto_aegis_block_xor(tag_xor, &state->blocks[n]);
}
369*4882a593Smuzhiyun 
/*
 * Store the key in the transform context.
 *
 * Return: 0 on success, -EINVAL unless @keylen is exactly
 * AEGIS128_KEY_SIZE. The context is left untouched on error.
 */
static int crypto_aegis128_setkey(struct crypto_aead *aead, const u8 *key,
				  unsigned int keylen)
{
	struct aegis_ctx *ctx;

	if (keylen != AEGIS128_KEY_SIZE)
		return -EINVAL;

	ctx = crypto_aead_ctx(aead);
	memcpy(ctx->key.bytes, key, AEGIS128_KEY_SIZE);
	return 0;
}
381*4882a593Smuzhiyun 
/*
 * Validate a requested tag length; nothing is stored here.
 *
 * Return: 0 when @authsize lies within AEGIS128_MIN_AUTH_SIZE and
 * AEGIS128_MAX_AUTH_SIZE inclusive, -EINVAL otherwise. The lower bound
 * keeps callers from selecting very short, easily forged tags.
 */
static int crypto_aegis128_setauthsize(struct crypto_aead *tfm,
				       unsigned int authsize)
{
	const bool in_range = authsize >= AEGIS128_MIN_AUTH_SIZE &&
			      authsize <= AEGIS128_MAX_AUTH_SIZE;

	return in_range ? 0 : -EINVAL;
}
391*4882a593Smuzhiyun 
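/*
 * AEAD encrypt entry point.
 *
 * Initialises the state from the key and req->iv, absorbs req->assoclen
 * bytes of associated data from req->src, encrypts req->cryptlen bytes via
 * the skcipher walk, and writes the first authsize bytes of the tag to
 * req->dst directly after the ciphertext.
 *
 * Return: 0 on success, or the error reported by the skcipher walk. A walk
 * failure is returned instead of ignored: otherwise a tag would be emitted
 * and success reported for a message that was not fully encrypted.
 */
static int crypto_aegis128_encrypt(struct aead_request *req)
{
	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	union aegis_block tag = {};
	unsigned int authsize = crypto_aead_authsize(tfm);
	struct aegis_ctx *ctx = crypto_aead_ctx(tfm);
	unsigned int cryptlen = req->cryptlen;
	struct skcipher_walk walk;
	struct aegis_state state;
	int err;

	err = skcipher_walk_aead_encrypt(&walk, req, false);
	if (err)
		return err;

	if (aegis128_do_simd()) {
		crypto_aegis128_init_simd(&state, &ctx->key, req->iv);
		crypto_aegis128_process_ad(&state, req->src, req->assoclen);
		err = crypto_aegis128_process_crypt(&state, req, &walk,
					crypto_aegis128_encrypt_chunk_simd);
		if (err)
			return err;
		crypto_aegis128_final_simd(&state, &tag, req->assoclen,
					   cryptlen);
	} else {
		crypto_aegis128_init(&state, &ctx->key, req->iv);
		crypto_aegis128_process_ad(&state, req->src, req->assoclen);
		err = crypto_aegis128_process_crypt(&state, req, &walk,
					crypto_aegis128_encrypt_chunk);
		if (err)
			return err;
		crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen);
	}

	/* tag started out zeroed, so after the final step it is the tag. */
	scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen,
				 authsize, 1);
	return 0;
}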
422*4882a593Smuzhiyun 
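/* Zero @size bytes of output; @state and @src are ignored. */
static void crypto_aegis128_wipe_chunk(struct aegis_state *state, u8 *dst,
				       const u8 *src, unsigned int size)
{
	memzero_explicit(dst, size);
}

/*
 * AEAD decrypt entry point.
 *
 * Reads the authsize-byte tag that follows the ciphertext in req->src,
 * decrypts the remaining req->cryptlen - authsize bytes into req->dst, and
 * XORs the recomputed tag into the received one. The message is authentic
 * only if the first authsize bytes of the result are all zero; the
 * comparison uses crypto_memneq(), which is intended to be constant-time.
 *
 * The plaintext is written to req->dst before the tag can be checked. When
 * the check fails, the destination is walked a second time and zeroed, and
 * the tag block is cleared, so that neither unauthenticated plaintext nor
 * the XOR with the expected tag is handed back to the caller.
 *
 * NOTE(review): req->cryptlen >= authsize is assumed to be enforced by the
 * AEAD API before this is called - confirm. The return values of the walk
 * are not checked here; a walk that stops early presumably ends in a tag
 * mismatch and therefore in the wipe path.
 *
 * Return: 0 if the tag verifies, -EBADMSG otherwise.
 */
static int crypto_aegis128_decrypt(struct aead_request *req)
{
	static const u8 zeros[AEGIS128_MAX_AUTH_SIZE] = {};
	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	union aegis_block tag;
	unsigned int authsize = crypto_aead_authsize(tfm);
	unsigned int cryptlen = req->cryptlen - authsize;
	struct aegis_ctx *ctx = crypto_aead_ctx(tfm);
	struct skcipher_walk walk;
	struct aegis_state state;

	scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen,
				 authsize, 0);

	skcipher_walk_aead_decrypt(&walk, req, false);
	if (aegis128_do_simd()) {
		crypto_aegis128_init_simd(&state, &ctx->key, req->iv);
		crypto_aegis128_process_ad(&state, req->src, req->assoclen);
		crypto_aegis128_process_crypt(&state, req, &walk,
					      crypto_aegis128_decrypt_chunk_simd);
		crypto_aegis128_final_simd(&state, &tag, req->assoclen,
					   cryptlen);
	} else {
		crypto_aegis128_init(&state, &ctx->key, req->iv);
		crypto_aegis128_process_ad(&state, req->src, req->assoclen);
		crypto_aegis128_process_crypt(&state, req, &walk,
					      crypto_aegis128_decrypt_chunk);
		crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen);
	}

	if (unlikely(crypto_memneq(tag.bytes, zeros, authsize))) {
		/* Do not release plaintext that failed authentication. */
		skcipher_walk_aead_decrypt(&walk, req, false);
		crypto_aegis128_process_crypt(NULL, req, &walk,
					      crypto_aegis128_wipe_chunk);
		memzero_explicit(&tag, sizeof(tag));
		return -EBADMSG;
	}
	return 0;
}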
455*4882a593Smuzhiyun 
/*
 * AEAD algorithm descriptor registered by module init.
 *
 * cra_blocksize is 1, so requests may carry any message length, while
 * chunksize tells the walk that data is processed in AEGIS_BLOCK_SIZE
 * pieces. The driver name "aegis128-generic" is kept even though the SIMD
 * path may be used at run time.
 */
static struct aead_alg crypto_aegis128_alg = {
	.base = {
		.cra_name = "aegis128",
		.cra_driver_name = "aegis128-generic",
		.cra_priority = 100,

		.cra_blocksize = 1,
		.cra_alignmask = 0,
		.cra_ctxsize = sizeof(struct aegis_ctx),

		.cra_module = THIS_MODULE,
	},

	.ivsize = AEGIS128_NONCE_SIZE,
	.maxauthsize = AEGIS128_MAX_AUTH_SIZE,
	.chunksize = AEGIS_BLOCK_SIZE,

	.setkey = crypto_aegis128_setkey,
	.setauthsize = crypto_aegis128_setauthsize,
	.encrypt = crypto_aegis128_encrypt,
	.decrypt = crypto_aegis128_decrypt,
};
479*4882a593Smuzhiyun 
/*
 * Enable the SIMD static key if the SIMD code is built in and reports
 * itself available, then register the algorithm.
 *
 * Return: the result of crypto_register_aead().
 */
static int __init crypto_aegis128_module_init(void)
{
	if (IS_ENABLED(CONFIG_CRYPTO_AEGIS128_SIMD)) {
		if (crypto_aegis128_have_simd())
			static_branch_enable(&have_simd);
	}

	return crypto_register_aead(&crypto_aegis128_alg);
}
488*4882a593Smuzhiyun 
/* Unregister the algorithm that module init registered. */
static void __exit crypto_aegis128_module_exit(void)
{
	crypto_unregister_aead(&crypto_aegis128_alg);
}
493*4882a593Smuzhiyun 
/* Registered through subsys_initcall, not module_init. */
subsys_initcall(crypto_aegis128_module_init);
module_exit(crypto_aegis128_module_exit);

MODULE_DESCRIPTION("AEGIS-128 AEAD algorithm");
MODULE_AUTHOR("Ondrej Mosnacek <omosnacek@gmail.com>");
MODULE_LICENSE("GPL");
/* Aliases for both the algorithm name and the driver name. */
MODULE_ALIAS_CRYPTO("aegis128");
MODULE_ALIAS_CRYPTO("aegis128-generic");