From 3567436865f64a733f21fbc6a7b786e374b13b69 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sat, 9 Sep 2023 20:20:54 +0200 Subject: [PATCH] Replace the aegis256 implementation with the libaegis implementation --- AUTHORS | 6 +- src/libsodium/Makefile.am | 15 +- .../crypto_aead/aegis256/aead_aegis256.c | 45 +-- .../crypto_aead/aegis256/aead_aegis256.h | 16 -- .../crypto_aead/aegis256/aegis256_aesni.c | 65 +++++ .../crypto_aead/aegis256/aegis256_aesni.h | 8 + .../crypto_aead/aegis256/aegis256_armcrypto.c | 67 +++++ .../crypto_aead/aegis256/aegis256_armcrypto.h | 8 + .../crypto_aead/aegis256/aegis256_common.h | 214 +++++++++++++++ .../crypto_aead/aegis256/aegis256_soft.c | 54 ++++ .../crypto_aead/aegis256/aegis256_soft.h | 8 + .../aegis256/aesni/aead_aegis256_aesni.c | 256 ------------------ .../aegis256/aesni/aead_aegis256_aesni.h | 6 - .../armcrypto/aead_aegis256_armcrypto.c | 256 ------------------ .../armcrypto/aead_aegis256_armcrypto.h | 6 - .../crypto_aead/aegis256/implementations.h | 17 ++ .../aegis256/soft/aead_aegis256_soft.c | 247 ----------------- .../aegis256/soft/aead_aegis256_soft.h | 7 - 18 files changed, 479 insertions(+), 822 deletions(-) delete mode 100644 src/libsodium/crypto_aead/aegis256/aead_aegis256.h create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_aesni.c create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_aesni.h create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.c create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.h create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_common.h create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_soft.c create mode 100644 src/libsodium/crypto_aead/aegis256/aegis256_soft.h delete mode 100644 src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.c delete mode 100644 src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.h delete mode 100644 src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c delete mode 100644 src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h create mode 100644 src/libsodium/crypto_aead/aegis256/implementations.h delete mode 100644 src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.c delete mode 100644 src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.h diff --git a/AUTHORS b/AUTHORS index c2f8294d..9dc5a61a 100644 --- a/AUTHORS +++ b/AUTHORS @@ -48,10 +48,8 @@ siphash Jean-Philippe Aumasson Implementors ============ -crypto_aead/aegis128l Hongjun Wu -crypto_aead/aegis256 Bart Preneel - Adrien Gallouet - Frank Denis +crypto_aead/aegis128l Frank Denis +crypto_aead/aegis256 crypto_aead/aes256gcm/aesni Frank Denis diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 0c13cfb8..6c0c6366 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -8,9 +8,10 @@ libsodium_la_SOURCES = \ crypto_aead/aegis128l/aegis128l_soft.h \ crypto_aead/aegis128l/implementations.h \ crypto_aead/aegis256/aead_aegis256.c \ - crypto_aead/aegis256/aead_aegis256.h \ - crypto_aead/aegis256/soft/aead_aegis256_soft.c \ - crypto_aead/aegis256/soft/aead_aegis256_soft.h \ + crypto_aead/aegis256/aegis256_common.h \ + crypto_aead/aegis256/aegis256_soft.c \ + crypto_aead/aegis256/aegis256_soft.h \ + crypto_aead/aegis256/implementations.h \ crypto_aead/aes256gcm/aead_aes256gcm.c \ crypto_aead/chacha20poly1305/aead_chacha20poly1305.c \ crypto_aead/xchacha20poly1305/aead_xchacha20poly1305.c \ @@ -235,8 +236,8 @@ libarmcrypto_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \ libarmcrypto_la_SOURCES = \ crypto_aead/aegis128l/aegis128l_armcrypto.c \ crypto_aead/aegis128l/aegis128l_armcrypto.h \ - crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c \ - crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h \ + crypto_aead/aegis256/aegis256_armcrypto.c \ + crypto_aead/aegis256/aegis256_armcrypto.h \ crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS) @@ -245,8 +246,8 @@ libaesni_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \ libaesni_la_SOURCES = \ crypto_aead/aegis128l/aegis128l_aesni.c \ crypto_aead/aegis128l/aegis128l_aesni.h \ - crypto_aead/aegis256/aesni/aead_aegis256_aesni.c \ - crypto_aead/aegis256/aesni/aead_aegis256_aesni.h \ + crypto_aead/aegis256/aegis256_aesni.c \ + crypto_aead/aegis256/aegis256_aesni.h \ crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c libsse2_la_LDFLAGS = $(libsodium_la_LDFLAGS) diff --git a/src/libsodium/crypto_aead/aegis256/aead_aegis256.c b/src/libsodium/crypto_aead/aegis256/aead_aegis256.c index 7bf5d8f5..1ddfff10 100644 --- a/src/libsodium/crypto_aead/aegis256/aead_aegis256.c +++ b/src/libsodium/crypto_aead/aegis256/aead_aegis256.c @@ -9,20 +9,17 @@ #include "randombytes.h" #include "runtime.h" -#include "aead_aegis256.h" - -#include "soft/aead_aegis256_soft.h" +#include "aegis256_soft.h" #if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) -#include "armcrypto/aead_aegis256_armcrypto.h" +#include "aegis256_armcrypto.h" #endif -#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H) -#include "aesni/aead_aegis256_aesni.h" +#if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H) +#include "aegis256_aesni.h" #endif -static const crypto_aead_aegis256_implementation *implementation = - &crypto_aead_aegis256_soft_implementation; +static const aegis256_implementation *implementation = &aegis256_soft_implementation; size_t crypto_aead_aegis256_keybytes(void) @@ -69,9 +66,6 @@ crypto_aead_aegis256_encrypt(unsigned char *c, unsigned long long *clen_p, const unsigned long long clen = 0ULL; int ret; - if (mlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) { - sodium_misuse(); - } ret = crypto_aead_aegis256_encrypt_detached(c, c + mlen, NULL, m, mlen, ad, adlen, nsec, npub, k); if (clen_p != NULL) { @@ -112,7 +106,17 @@ crypto_aead_aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k) { - return implementation->encrypt_detached(c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub, k); + const size_t maclen = crypto_aead_aegis256_ABYTES; + + if (maclen_p != NULL) { + *maclen_p = maclen; + } + if (mlen > crypto_aead_aegis256_MESSAGEBYTES_MAX || + adlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return implementation->encrypt_detached(c, mac, maclen, m, (size_t) mlen, ad, (size_t) adlen, + npub, k); } int @@ -121,24 +125,31 @@ crypto_aead_aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, con const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k) { - return implementation->decrypt_detached(m, nsec, c, clen, mac, ad, adlen, npub, k); + const size_t maclen = crypto_aead_aegis256_ABYTES; + + if (clen > crypto_aead_aegis256_MESSAGEBYTES_MAX || + adlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) { + return -1; + } + return implementation->decrypt_detached(m, c, (size_t) clen, mac, maclen, ad, (size_t) adlen, + npub, k); } int _crypto_aead_aegis256_pick_best_implementation(void) { - implementation = &crypto_aead_aegis256_soft_implementation; + implementation = &aegis256_soft_implementation; #if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) if (sodium_runtime_has_armcrypto()) { - implementation = &crypto_aead_aegis256_armcrypto_implementation; + implementation = &aegis256_armcrypto_implementation; return 0; } #endif -#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H) +#if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H) if (sodium_runtime_has_aesni() & sodium_runtime_has_avx()) { - implementation = &crypto_aead_aegis256_aesni_implementation; + implementation = &aegis256_aesni_implementation; return 0; } #endif diff --git a/src/libsodium/crypto_aead/aegis256/aead_aegis256.h b/src/libsodium/crypto_aead/aegis256/aead_aegis256.h deleted file mode 100644 index 9e7784b0..00000000 --- a/src/libsodium/crypto_aead/aegis256/aead_aegis256.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef aead_aegis256_H -#define aead_aegis256_H - -typedef struct crypto_aead_aegis256_implementation { - int (*encrypt_detached)(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, const unsigned char *npub, - const unsigned char *k); - int (*decrypt_detached)(unsigned char *m, unsigned char *nsec, const unsigned char *c, - unsigned long long clen, const unsigned char *mac, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, const unsigned char *k); -} crypto_aead_aegis256_implementation; - -#endif diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_aesni.c b/src/libsodium/crypto_aead/aegis256/aegis256_aesni.c new file mode 100644 index 00000000..96aa0036 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_aesni.c @@ -0,0 +1,65 @@ +#include +#include +#include +#include +#include + +#include "core.h" +#include "crypto_aead_aegis256.h" +#include "crypto_verify_16.h" +#include "crypto_verify_32.h" +#include "export.h" +#include "utils.h" + +#include "private/common.h" + +#if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H) + +#include "aegis256_aesni.h" + +#ifdef __clang__ +#pragma clang attribute push(__attribute__((target("aes,avx"))), apply_to = function) +#elif defined(__GNUC__) +#pragma GCC target("aes,avx") +#endif + +#include "private/sse2_64_32.h" +#include +#include + +#define AES_BLOCK_LENGTH 16 + +typedef __m128i aes_block_t; +#define AES_BLOCK_XOR(A, B) _mm_xor_si128((A), (B)) +#define AES_BLOCK_AND(A, B) _mm_and_si128((A), (B)) +#define AES_BLOCK_LOAD(A) _mm_loadu_si128((const aes_block_t *) (const void *) (A)) +#define AES_BLOCK_LOAD_64x2(A, B) _mm_set_epi64x((long long) (A), (long long) (B)) +#define AES_BLOCK_STORE(A, B) _mm_storeu_si128((aes_block_t *) (void *) (A), (B)) +#define AES_ENC(A, B) _mm_aesenc_si128((A), (B)) + +static inline void +aegis256_update(aes_block_t *const state, const aes_block_t d) +{ + aes_block_t tmp; + + tmp = state[5]; + state[5] = AES_ENC(state[4], state[5]); + state[4] = AES_ENC(state[3], state[4]); + state[3] = AES_ENC(state[2], state[3]); + state[2] = AES_ENC(state[1], state[2]); + state[1] = AES_ENC(state[0], state[1]); + state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d); +} + +#include "aegis256_common.h" + +struct aegis256_implementation aegis256_aesni_implementation = { SODIUM_C99(.encrypt_detached =) + encrypt_detached, + SODIUM_C99(.decrypt_detached =) + decrypt_detached }; + +#ifdef __clang__ +#pragma clang attribute pop +#endif + +#endif diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_aesni.h b/src/libsodium/crypto_aead/aegis256/aegis256_aesni.h new file mode 100644 index 00000000..21f4d819 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_aesni.h @@ -0,0 +1,8 @@ +#ifndef aegis256_aesni_H +#define aegis256_aesni_H + +#include "implementations.h" + +extern struct aegis256_implementation aegis256_aesni_implementation; + +#endif \ No newline at end of file diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.c b/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.c new file mode 100644 index 00000000..62974ae2 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.c @@ -0,0 +1,67 @@ +#include +#include +#include +#include +#include + +#include "core.h" +#include "crypto_aead_aegis256.h" +#include "crypto_verify_16.h" +#include "crypto_verify_32.h" +#include "export.h" +#include "utils.h" + +#include "private/common.h" + +#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) + +#include "aegis256_armcrypto.h" + +#ifdef __clang__ +#pragma clang attribute push(__attribute__((target("neon,crypto,aes"))), apply_to = function) +#elif defined(__GNUC__) +#pragma GCC target("neon,crypto,aes") +#endif + +#ifndef __ARM_FEATURE_AES +#define __ARM_FEATURE_AES 1 +#endif + +#include + +#define AES_BLOCK_LENGTH 16 + +typedef uint8x16_t aes_block_t; +#define AES_BLOCK_XOR(A, B) veorq_u8((A), (B)) +#define AES_BLOCK_AND(A, B) vandq_u8((A), (B)) +#define AES_BLOCK_LOAD(A) vld1q_u8(A) +#define AES_BLOCK_LOAD_64x2(A, B) vreinterpretq_u8_u64(vsetq_lane_u64((A), vmovq_n_u64(B), 1)) +#define AES_BLOCK_STORE(A, B) vst1q_u8((A), (B)) +#define AES_ENC(A, B) veorq_u8(vaesmcq_u8(vaeseq_u8((A), vmovq_n_u8(0))), (B)) + +static inline void +aegis256_update(aes_block_t *const state, const aes_block_t d) +{ + aes_block_t tmp; + + tmp = state[5]; + state[5] = AES_ENC(state[4], state[5]); + state[4] = AES_ENC(state[3], state[4]); + state[3] = AES_ENC(state[2], state[3]); + state[2] = AES_ENC(state[1], state[2]); + state[1] = AES_ENC(state[0], state[1]); + state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d); +} + +#include "aegis256_common.h" + +struct aegis256_implementation aegis256_armcrypto_implementation = { SODIUM_C99(.encrypt_detached =) + encrypt_detached, + SODIUM_C99(.decrypt_detached =) + decrypt_detached }; + +#ifdef __clang__ +#pragma clang attribute pop +#endif + +#endif diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.h b/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.h new file mode 100644 index 00000000..a9bd4ad3 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.h @@ -0,0 +1,8 @@ +#ifndef aegis256_armcrypto_H +#define aegis256_armcrypto_H + +#include "implementations.h" + +extern struct aegis256_implementation aegis256_armcrypto_implementation; + +#endif \ No newline at end of file diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_common.h b/src/libsodium/crypto_aead/aegis256/aegis256_common.h new file mode 100644 index 00000000..5a486f2c --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_common.h @@ -0,0 +1,214 @@ +#define RATE 16 + +static void +aegis256_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const state) +{ + static CRYPTO_ALIGN(AES_BLOCK_LENGTH) + const uint8_t c0_[AES_BLOCK_LENGTH] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, + 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }; + static CRYPTO_ALIGN(AES_BLOCK_LENGTH) + const uint8_t c1_[AES_BLOCK_LENGTH] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, + 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }; + + const aes_block_t c0 = AES_BLOCK_LOAD(c0_); + const aes_block_t c1 = AES_BLOCK_LOAD(c1_); + const aes_block_t k0 = AES_BLOCK_LOAD(key); + const aes_block_t k1 = AES_BLOCK_LOAD(key + AES_BLOCK_LENGTH); + const aes_block_t n0 = AES_BLOCK_LOAD(nonce); + const aes_block_t n1 = AES_BLOCK_LOAD(nonce + AES_BLOCK_LENGTH); + const aes_block_t k0_n0 = AES_BLOCK_XOR(k0, n0); + const aes_block_t k1_n1 = AES_BLOCK_XOR(k1, n1); + int i; + + state[0] = k0_n0; + state[1] = k1_n1; + state[2] = c1; + state[3] = c0; + state[4] = AES_BLOCK_XOR(k0, c0); + state[5] = AES_BLOCK_XOR(k1, c1); + for (i = 0; i < 4; i++) { + aegis256_update(state, k0); + aegis256_update(state, k1); + aegis256_update(state, k0_n0); + aegis256_update(state, k1_n1); + } +} + +static void +aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state) +{ + aes_block_t tmp; + int i; + + tmp = AES_BLOCK_LOAD_64x2(((uint64_t) mlen) << 3, ((uint64_t) adlen) << 3); + tmp = AES_BLOCK_XOR(tmp, state[3]); + + for (i = 0; i < 7; i++) { + aegis256_update(state, tmp); + } + + if (maclen == 16) { + tmp = AES_BLOCK_XOR(state[5], state[4]); + tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2])); + tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0])); + AES_BLOCK_STORE(mac, tmp); + } else if (maclen == 32) { + tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[2], state[1]), state[0]); + AES_BLOCK_STORE(mac, tmp); + tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[5], state[4]), state[3]); + AES_BLOCK_STORE(mac + 16, tmp); + } else { + memset(mac, 0, maclen); + } +} + +static inline void +aegis256_absorb(const uint8_t *const src, aes_block_t *const state) +{ + aes_block_t msg; + + msg = AES_BLOCK_LOAD(src); + aegis256_update(state, msg); +} + +static void +aegis256_enc(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state) +{ + aes_block_t msg; + aes_block_t tmp; + + msg = AES_BLOCK_LOAD(src); + tmp = AES_BLOCK_XOR(msg, state[5]); + tmp = AES_BLOCK_XOR(tmp, state[4]); + tmp = AES_BLOCK_XOR(tmp, state[1]); + tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3])); + AES_BLOCK_STORE(dst, tmp); + + aegis256_update(state, msg); +} + +static void +aegis256_dec(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state) +{ + aes_block_t msg; + + msg = AES_BLOCK_LOAD(src); + msg = AES_BLOCK_XOR(msg, state[5]); + msg = AES_BLOCK_XOR(msg, state[4]); + msg = AES_BLOCK_XOR(msg, state[1]); + msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); + AES_BLOCK_STORE(dst, msg); + + aegis256_update(state, msg); +} + +static void +aegis256_declast(uint8_t *const dst, const uint8_t *const src, size_t len, aes_block_t *const state) +{ + uint8_t pad[RATE]; + aes_block_t msg; + + memset(pad, 0, sizeof pad); + memcpy(pad, src, len); + + msg = AES_BLOCK_LOAD(pad); + msg = AES_BLOCK_XOR(msg, state[5]); + msg = AES_BLOCK_XOR(msg, state[4]); + msg = AES_BLOCK_XOR(msg, state[1]); + msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); + AES_BLOCK_STORE(pad, msg); + + memset(pad + len, 0, sizeof pad - len); + memcpy(dst, pad, len); + + msg = AES_BLOCK_LOAD(pad); + + aegis256_update(state, msg); +} + +static int +encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen, + const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k) +{ + aes_block_t state[6]; + CRYPTO_ALIGN(RATE) uint8_t src[RATE]; + CRYPTO_ALIGN(RATE) uint8_t dst[RATE]; + size_t i; + + aegis256_init(k, npub, state); + + for (i = 0; i + RATE <= adlen; i += RATE) { + aegis256_absorb(ad + i, state); + } + if (adlen % RATE) { + memset(src, 0, RATE); + memcpy(src, ad + i, adlen % RATE); + aegis256_absorb(src, state); + } + for (i = 0; i + RATE <= mlen; i += RATE) { + aegis256_enc(c + i, m + i, state); + } + if (mlen % RATE) { + memset(src, 0, RATE); + memcpy(src, m + i, mlen % RATE); + aegis256_enc(dst, src, state); + memcpy(c + i, dst, mlen % RATE); + } + + aegis256_mac(mac, maclen, adlen, mlen, state); + + return 0; +} + +static int +decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac, size_t maclen, + const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k) +{ + aes_block_t state[6]; + CRYPTO_ALIGN(RATE) uint8_t src[RATE]; + CRYPTO_ALIGN(RATE) uint8_t dst[RATE]; + CRYPTO_ALIGN(16) uint8_t computed_mac[32]; + const size_t mlen = clen; + size_t i; + int ret; + + aegis256_init(k, npub, state); + + for (i = 0; i + RATE <= adlen; i += RATE) { + aegis256_absorb(ad + i, state); + } + if (adlen % RATE) { + memset(src, 0, RATE); + memcpy(src, ad + i, adlen % RATE); + aegis256_absorb(src, state); + } + if (m != NULL) { + for (i = 0; i + RATE <= mlen; i += RATE) { + aegis256_dec(m + i, c + i, state); + } + } else { + for (i = 0; i + RATE <= mlen; i += RATE) { + aegis256_dec(dst, c + i, state); + } + } + if (mlen % RATE) { + if (m != NULL) { + aegis256_declast(m + i, c + i, mlen % RATE, state); + } else { + aegis256_declast(dst, c + i, mlen % RATE, state); + } + } + + COMPILER_ASSERT(sizeof computed_mac >= 32); + aegis256_mac(computed_mac, maclen, adlen, mlen, state); + ret = -1; + if (maclen == 16) { + ret = crypto_verify_16(computed_mac, mac); + } else if (maclen == 32) { + ret = crypto_verify_32(computed_mac, mac); + } + if (ret != 0 && m != NULL) { + memset(m, 0, mlen); + } + return ret; +} diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_soft.c b/src/libsodium/crypto_aead/aegis256/aegis256_soft.c new file mode 100644 index 00000000..38024d17 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_soft.c @@ -0,0 +1,54 @@ +#include +#include +#include +#include +#include + +#include "core.h" +#include "crypto_aead_aegis256.h" +#include "crypto_verify_16.h" +#include "crypto_verify_32.h" +#include "export.h" +#include "utils.h" + +#include "private/common.h" + +#include "crypto_aead_aegis256.h" +#include "private/softaes.h" + +#if 1 + +#include "aegis256_soft.h" + +#define AES_BLOCK_LENGTH 16 + +typedef SoftAesBlock aes_block_t; +#define AES_BLOCK_XOR(A, B) softaes_block_xor((A), (B)) +#define AES_BLOCK_AND(A, B) softaes_block_and((A), (B)) +#define AES_BLOCK_LOAD(A) softaes_block_load(A) +#define AES_BLOCK_LOAD_64x2(A, B) softaes_block_load64x2((A), (B)) +#define AES_BLOCK_STORE(A, B) softaes_block_store((A), (B)) +#define AES_ENC(A, B) softaes_block_encrypt((A), (B)) + +static inline void +aegis256_update(aes_block_t *const state, const aes_block_t d) +{ + aes_block_t tmp; + + tmp = state[5]; + state[5] = AES_ENC(state[4], state[5]); + state[4] = AES_ENC(state[3], state[4]); + state[3] = AES_ENC(state[2], state[3]); + state[2] = AES_ENC(state[1], state[2]); + state[1] = AES_ENC(state[0], state[1]); + state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d); +} + +#include "aegis256_common.h" + +struct aegis256_implementation aegis256_soft_implementation = { SODIUM_C99(.encrypt_detached =) + encrypt_detached, + SODIUM_C99(.decrypt_detached =) + decrypt_detached }; + +#endif \ No newline at end of file diff --git a/src/libsodium/crypto_aead/aegis256/aegis256_soft.h b/src/libsodium/crypto_aead/aegis256/aegis256_soft.h new file mode 100644 index 00000000..c20198de --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/aegis256_soft.h @@ -0,0 +1,8 @@ +#ifndef aegis256_soft_H +#define aegis256_soft_H + +#include "implementations.h" + +extern struct aegis256_implementation aegis256_soft_implementation; + +#endif \ No newline at end of file diff --git a/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.c b/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.c deleted file mode 100644 index 2ae23f17..00000000 --- a/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.c +++ /dev/null @@ -1,256 +0,0 @@ -#include -#include -#include -#include - -#include "core.h" -#include "crypto_aead_aegis256.h" -#include "crypto_verify_16.h" -#include "export.h" -#include "randombytes.h" -#include "runtime.h" -#include "utils.h" - -#include "private/common.h" - -#include "aead_aegis256_aesni.h" - -#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H) - -#ifdef __GNUC__ -#pragma GCC target("avx,aes") -#endif - -#include "private/sse2_64_32.h" -#include -#include - -typedef __m128i aes_block_t; -#define AES_BLOCK_XOR(A, B) _mm_xor_si128((A), (B)) -#define AES_BLOCK_AND(A, B) _mm_and_si128((A), (B)) -#define AES_BLOCK_LOAD(A) _mm_loadu_si128((const aes_block_t *) (const void *) (A)) -#define AES_BLOCK_LOAD_64x2(A, B) _mm_set_epi64x((A), (B)) -#define AES_BLOCK_STORE(A, B) _mm_storeu_si128((aes_block_t *) (void *) (A), (B)) -#define AES_ENC(A, B) _mm_aesenc_si128((A), (B)) - -static inline void -aegis256_update(aes_block_t *const state, const aes_block_t data) -{ - aes_block_t tmp; - - tmp = AES_ENC(state[5], state[0]); - state[5] = AES_ENC(state[4], state[5]); - state[4] = AES_ENC(state[3], state[4]); - state[3] = AES_ENC(state[2], state[3]); - state[2] = AES_ENC(state[1], state[2]); - state[1] = AES_ENC(state[0], state[1]); - state[0] = AES_BLOCK_XOR(tmp, data); -} - -static void -aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state) -{ - static CRYPTO_ALIGN(16) - const uint8_t c0_[] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, - 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }; - static CRYPTO_ALIGN(16) - const uint8_t c1_[] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, - 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }; - const aes_block_t c0 = AES_BLOCK_LOAD(c0_); - const aes_block_t c1 = AES_BLOCK_LOAD(c1_); - aes_block_t k1, k2; - aes_block_t kxn1, kxn2; - int i; - - k1 = AES_BLOCK_LOAD(&key[0]); - k2 = AES_BLOCK_LOAD(&key[16]); - kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0])); - kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16])); - - state[0] = kxn1; - state[1] = kxn2; - state[2] = c0; - state[3] = c1; - state[4] = AES_BLOCK_XOR(k1, c1); - state[5] = AES_BLOCK_XOR(k2, c0); - - for (i = 0; i < 4; i++) { - aegis256_update(state, k1); - aegis256_update(state, k2); - aegis256_update(state, kxn1); - aegis256_update(state, kxn2); - } -} - -static void -aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen, - aes_block_t *const state) -{ - aes_block_t tmp; - int i; - - tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3); - tmp = AES_BLOCK_XOR(tmp, state[3]); - - for (i = 0; i < 7; i++) { - aegis256_update(state, tmp); - } - - tmp = AES_BLOCK_XOR(state[5], state[4]); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2])); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0])); - - AES_BLOCK_STORE(mac, tmp); -} - -static inline void -aegis256_absorb(const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - aegis256_update(state, msg); -} - -static void -aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - aes_block_t tmp; - - msg = AES_BLOCK_LOAD(src); - tmp = AES_BLOCK_XOR(msg, state[5]); - tmp = AES_BLOCK_XOR(tmp, state[4]); - tmp = AES_BLOCK_XOR(tmp, state[1]); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, tmp); - - aegis256_update(state, msg); -} - -static void -aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - msg = AES_BLOCK_XOR(msg, state[5]); - msg = AES_BLOCK_XOR(msg, state[4]); - msg = AES_BLOCK_XOR(msg, state[1]); - msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, msg); - - aegis256_update(state, msg); -} - -static int -aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, - const unsigned char *m, unsigned long long mlen, const unsigned char *ad, - unsigned long long adlen, const unsigned char *nsec, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - unsigned long long i; - - (void) nsec; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_enc(c + i, m + i, state); - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, m + i, mlen & 0xf); - aegis256_enc(dst, src, state); - memcpy(c + i, dst, mlen & 0xf); - } - - aegis256_mac(mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - - if (maclen_p != NULL) { - *maclen_p = 16ULL; - } - return 0; -} - -static int -aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c, - unsigned long long clen, const unsigned char *mac, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - CRYPTO_ALIGN(16) unsigned char computed_mac[16]; - unsigned long long i; - unsigned long long mlen; - int ret; - - (void) nsec; - mlen = clen; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - if (m != NULL) { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(m + i, c + i, state); - } - } else { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(dst, c + i, state); - } - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, c + i, mlen & 0xf); - aegis256_dec(dst, src, state); - if (m != NULL) { - memcpy(m + i, dst, mlen & 0xf); - } - memset(dst, 0, mlen & 0xf); - state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst)); - } - - aegis256_mac(computed_mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - ret = crypto_verify_16(computed_mac, mac); - sodium_memzero(computed_mac, sizeof computed_mac); - if (m == NULL) { - return ret; - } - if (ret != 0) { - memset(m, 0, mlen); - return -1; - } - return 0; -} - -struct crypto_aead_aegis256_implementation crypto_aead_aegis256_aesni_implementation = { - SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached, - SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached -}; - -#endif diff --git a/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.h b/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.h deleted file mode 100644 index c5c11c8b..00000000 --- a/src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.h +++ /dev/null @@ -1,6 +0,0 @@ -#include - -#include "../aead_aegis256.h" -#include "crypto_aead_aegis256.h" - -extern struct crypto_aead_aegis256_implementation crypto_aead_aegis256_aesni_implementation; diff --git a/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c b/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c deleted file mode 100644 index 359c5fc9..00000000 --- a/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c +++ /dev/null @@ -1,256 +0,0 @@ -#include -#include -#include -#include - -#include "core.h" -#include "crypto_aead_aegis256.h" -#include "crypto_verify_16.h" -#include "export.h" -#include "randombytes.h" -#include "runtime.h" -#include "utils.h" - -#include "private/common.h" - -#include "aead_aegis256_armcrypto.h" - -#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) - -#ifndef __ARM_FEATURE_AES -#define __ARM_FEATURE_AES 1 -#endif - -#include - -typedef uint8x16_t aes_block_t; -#define AES_BLOCK_XOR(A, B) veorq_u8((A), (B)) -#define AES_BLOCK_AND(A, B) vandq_u8((A), (B)) -#define AES_BLOCK_LOAD(A) vld1q_u8(A) -#define AES_BLOCK_LOAD_64x2(A, B) vreinterpretq_u8_u64(vsetq_lane_u64((A), vmovq_n_u64(B), 1)) -#define AES_BLOCK_STORE(A, B) vst1q_u8((A), (B)) -#define AES_ENC(A, B) veorq_u8(vaesmcq_u8(vaeseq_u8((A), vmovq_n_u8(0))), (B)) - -static inline void -aegis256_update(aes_block_t *const state, const aes_block_t data) -{ - aes_block_t tmp; - - tmp = AES_BLOCK_XOR(AES_ENC(state[5], state[0]), data); - state[5] = AES_ENC(state[4], state[5]); - state[4] = AES_ENC(state[3], state[4]); - state[3] = AES_ENC(state[2], state[3]); - state[2] = AES_ENC(state[1], state[2]); - state[1] = AES_ENC(state[0], state[1]); - state[0] = tmp; -} - -static void -aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state) -{ - static CRYPTO_ALIGN(16) const unsigned char c0_[] = { - 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, - 0x73, 0xb5, 0x28, 0xdd - }; - static CRYPTO_ALIGN(16) const unsigned char c1_[] = { - 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, - 0x90, 0xe9, 0x79, 0x62 - }; - const aes_block_t c0 = AES_BLOCK_LOAD(c0_); - const aes_block_t c1 = AES_BLOCK_LOAD(c1_); - aes_block_t k1, k2; - aes_block_t kxn1, kxn2; - int i; - - k1 = AES_BLOCK_LOAD(&key[0]); - k2 = AES_BLOCK_LOAD(&key[16]); - kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0])); - kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16])); - - state[0] = kxn1; - state[1] = kxn2; - state[2] = c0; - state[3] = c1; - state[4] = AES_BLOCK_XOR(k1, c1); - state[5] = AES_BLOCK_XOR(k2, c0); - - for (i = 0; i < 4; i++) { - aegis256_update(state, k1); - aegis256_update(state, k2); - aegis256_update(state, kxn1); - aegis256_update(state, kxn2); - } -} - -static void -aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen, - aes_block_t *const state) -{ - aes_block_t tmp; - int i; - - tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3); - tmp = AES_BLOCK_XOR(tmp, state[3]); - - for (i = 0; i < 7; i++) { - aegis256_update(state, tmp); - } - - tmp = AES_BLOCK_XOR(state[5], state[4]); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2])); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0])); - - AES_BLOCK_STORE(mac, tmp); -} - -static inline void -aegis256_absorb(const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - aegis256_update(state, msg); -} - -static void -aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - aes_block_t tmp; - - msg = AES_BLOCK_LOAD(src); - tmp = AES_BLOCK_XOR(msg, state[5]); - tmp = AES_BLOCK_XOR(tmp, state[4]); - tmp = AES_BLOCK_XOR(tmp, state[1]); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, tmp); - - aegis256_update(state, msg); -} - -static void -aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - msg = AES_BLOCK_XOR(msg, state[5]); - msg = AES_BLOCK_XOR(msg, state[4]); - msg = AES_BLOCK_XOR(msg, state[1]); - msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, msg); - - aegis256_update(state, msg); -} - -static int -aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, - const unsigned char *m, unsigned long long mlen, const unsigned char *ad, - unsigned long long adlen, const unsigned char *nsec, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - unsigned long long i; - - (void) nsec; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_enc(c + i, m + i, state); - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, m + i, mlen & 0xf); - aegis256_enc(dst, src, state); - memcpy(c + i, dst, mlen & 0xf); - } - - aegis256_mac(mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - - if (maclen_p != NULL) { - *maclen_p = 16ULL; - } - return 0; -} - -static int -aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c, - unsigned long long clen, const unsigned char *mac, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - CRYPTO_ALIGN(16) unsigned char computed_mac[16]; - unsigned long long i; - unsigned long long mlen; - int ret; - - (void) nsec; - mlen = clen; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - if (m != NULL) { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(m + i, c + i, state); - } - } else { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(dst, c + i, state); - } - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, c + i, mlen & 0xf); - aegis256_dec(dst, src, state); - if (m != NULL) { - memcpy(m + i, dst, mlen & 0xf); - } - memset(dst, 0, mlen & 0xf); - state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst)); - } - - aegis256_mac(computed_mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - ret = crypto_verify_16(computed_mac, mac); - sodium_memzero(computed_mac, sizeof computed_mac); - if (m == NULL) { - return ret; - } - if (ret != 0) { - memset(m, 0, mlen); - return -1; - } - return 0; -} - -struct crypto_aead_aegis256_implementation crypto_aead_aegis256_armcrypto_implementation = { - SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached, - SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached -}; - -#endif diff --git a/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h b/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h deleted file mode 100644 index 83b49a5f..00000000 --- a/src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h +++ /dev/null @@ -1,6 +0,0 @@ -#include - -#include "../aead_aegis256.h" -#include "crypto_aead_aegis256.h" - -extern struct crypto_aead_aegis256_implementation crypto_aead_aegis256_armcrypto_implementation; diff --git a/src/libsodium/crypto_aead/aegis256/implementations.h b/src/libsodium/crypto_aead/aegis256/implementations.h new file mode 100644 index 00000000..9efbf387 --- /dev/null +++ b/src/libsodium/crypto_aead/aegis256/implementations.h @@ -0,0 +1,17 @@ +#ifndef aegis256_implementations_H +#define aegis256_implementations_H + +#include +#include + +#include "crypto_aead_aegis256.h" + +typedef struct aegis256_implementation { + int (*encrypt_detached)(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen, + const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k); + int (*decrypt_detached)(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac, + size_t maclen, const uint8_t *ad, size_t adlen, const uint8_t *npub, + const uint8_t *k); +} aegis256_implementation; + +#endif diff --git a/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.c b/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.c deleted file mode 100644 index 48c0b123..00000000 --- a/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.c +++ /dev/null @@ -1,247 +0,0 @@ -#include -#include -#include -#include - -#include "core.h" -#include "crypto_aead_aegis256.h" -#include "crypto_verify_16.h" -#include "export.h" -#include "randombytes.h" -#include "runtime.h" -#include "utils.h" - -#include "private/common.h" -#include "private/softaes.h" - -#include "aead_aegis256_soft.h" - -typedef SoftAesBlock aes_block_t; -#define AES_BLOCK_XOR(A, B) softaes_block_xor((A), (B)) -#define AES_BLOCK_AND(A, B) softaes_block_and((A), (B)) -#define AES_BLOCK_LOAD(A) softaes_block_load(A) -#define AES_BLOCK_LOAD_64x2(A, B) softaes_block_load64x2((A), (B)) -#define AES_BLOCK_STORE(A, B) softaes_block_store((A), (B)) -#define AES_ENC(A, B) softaes_block_encrypt((A), (B)) - -static inline void -aegis256_update(aes_block_t *const state, const aes_block_t data) -{ - aes_block_t tmp; - - tmp = AES_ENC(state[5], state[0]); - state[5] = AES_ENC(state[4], state[5]); - state[4] = AES_ENC(state[3], state[4]); - state[3] = AES_ENC(state[2], state[3]); - state[2] = AES_ENC(state[1], state[2]); - state[1] = AES_ENC(state[0], state[1]); - state[0] = AES_BLOCK_XOR(tmp, data); -} - -static void -aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state) -{ - static CRYPTO_ALIGN(16) - const unsigned char c0_[] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, - 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }; - static CRYPTO_ALIGN(16) - const unsigned char c1_[] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, - 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }; - const aes_block_t c0 = AES_BLOCK_LOAD(c0_); - const aes_block_t c1 = AES_BLOCK_LOAD(c1_); - aes_block_t k1, k2; - aes_block_t kxn1, kxn2; - int i; - - k1 = AES_BLOCK_LOAD(&key[0]); - k2 = AES_BLOCK_LOAD(&key[16]); - kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0])); - kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16])); - - state[0] = kxn1; - state[1] = kxn2; - state[2] = c0; - state[3] = c1; - state[4] = AES_BLOCK_XOR(k1, c1); - state[5] = AES_BLOCK_XOR(k2, c0); - - for (i = 0; i < 4; i++) { - aegis256_update(state, k1); - aegis256_update(state, k2); - aegis256_update(state, kxn1); - aegis256_update(state, kxn2); - } -} - -static void -aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen, - aes_block_t *const state) -{ - aes_block_t tmp; - int i; - - tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3); - tmp = AES_BLOCK_XOR(tmp, state[3]); - - for (i = 0; i < 7; i++) { - aegis256_update(state, tmp); - } - - tmp = AES_BLOCK_XOR(state[5], state[4]); - tmp = AES_BLOCK_XOR(tmp, state[3]); - tmp = AES_BLOCK_XOR(tmp, state[2]); - tmp = AES_BLOCK_XOR(tmp, state[1]); - tmp = AES_BLOCK_XOR(tmp, state[0]); - - AES_BLOCK_STORE(mac, tmp); -} - -static inline void -aegis256_absorb(const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - aegis256_update(state, msg); -} - -static void -aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - aes_block_t tmp; - - msg = AES_BLOCK_LOAD(src); - tmp = AES_BLOCK_XOR(msg, state[5]); - tmp = AES_BLOCK_XOR(tmp, state[4]); - tmp = AES_BLOCK_XOR(tmp, state[1]); - tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, tmp); - - aegis256_update(state, msg); -} - -static void -aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state) -{ - aes_block_t msg; - - msg = AES_BLOCK_LOAD(src); - msg = AES_BLOCK_XOR(msg, state[5]); - msg = AES_BLOCK_XOR(msg, state[4]); - msg = AES_BLOCK_XOR(msg, state[1]); - msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); - AES_BLOCK_STORE(dst, msg); - - aegis256_update(state, msg); -} - -static int -aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, - const unsigned char *m, unsigned long long mlen, const unsigned char *ad, - unsigned long long adlen, const unsigned char *nsec, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - unsigned long long i; - - (void) nsec; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_enc(c + i, m + i, state); - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, m + i, mlen & 0xf); - aegis256_enc(dst, src, state); - memcpy(c + i, dst, mlen & 0xf); - } - - aegis256_mac(mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - - if (maclen_p != NULL) { - *maclen_p = 16ULL; - } - return 0; -} - -static int -aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c, - unsigned long long clen, const unsigned char *mac, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, const unsigned char *k) -{ - aes_block_t state[6]; - CRYPTO_ALIGN(16) unsigned char src[16]; - CRYPTO_ALIGN(16) unsigned char dst[16]; - CRYPTO_ALIGN(16) unsigned char computed_mac[16]; - unsigned long long i; - unsigned long long mlen; - int ret; - - (void) nsec; - mlen = clen; - aegis256_init(k, npub, state); - - for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) { - aegis256_absorb(ad + i, state); - } - if (adlen & 0xf) { - memset(src, 0, 16); - memcpy(src, ad + i, adlen & 0xf); - aegis256_absorb(src, state); - } - if (m != NULL) { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(m + i, c + i, state); - } - } else { - for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) { - aegis256_dec(dst, c + i, state); - } - } - if (mlen & 0xf) { - memset(src, 0, 16); - memcpy(src, c + i, mlen & 0xf); - aegis256_dec(dst, src, state); - if (m != NULL) { - memcpy(m + i, dst, mlen & 0xf); - } - memset(dst, 0, mlen & 0xf); - state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst)); - } - - aegis256_mac(computed_mac, adlen, mlen, state); - sodium_memzero(state, sizeof state); - sodium_memzero(src, sizeof src); - sodium_memzero(dst, sizeof dst); - ret = crypto_verify_16(computed_mac, mac); - sodium_memzero(computed_mac, sizeof computed_mac); - if (m == NULL) { - return ret; - } - if (ret != 0) { - memset(m, 0, mlen); - return -1; - } - return 0; -} - -struct crypto_aead_aegis256_implementation crypto_aead_aegis256_soft_implementation = { - SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached, - SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached -}; diff --git a/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.h b/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.h deleted file mode 100644 index 8de350a5..00000000 --- a/src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.h +++ /dev/null @@ -1,7 +0,0 @@ -#include - -#include "../aead_aegis256.h" -#include "crypto_aead_aegis256.h" - -extern struct crypto_aead_aegis256_implementation - crypto_aead_aegis256_soft_implementation;