kevin/libsodium
1
Fork 0
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-19 10:05:05 -07:00
Code Releases Wiki Activity

Replace the aegis256 implementation with the libaegis implementation

Browse Source
This commit is contained in:
Frank Denis 2023-09-09 20:20:54 +02:00
parent 2056215af5
commit 3567436865
18 changed files with 479 additions and 822 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
AUTHORS
View File

@ -48,10 +48,8 @@ siphash Jean-Philippe Aumasson
Implementors Implementors
============ ============
crypto_aead/aegis128l Hongjun Wu crypto_aead/aegis128l Frank Denis
crypto_aead/aegis256 Bart Preneel crypto_aead/aegis256
Adrien Gallouet
Frank Denis
crypto_aead/aes256gcm/aesni Frank Denis crypto_aead/aes256gcm/aesni Frank Denis

15
src/libsodium/Makefile.am
View File

@ -8,9 +8,10 @@ libsodium_la_SOURCES = \
crypto_aead/aegis128l/aegis128l_soft.h \ crypto_aead/aegis128l/aegis128l_soft.h \
crypto_aead/aegis128l/implementations.h \ crypto_aead/aegis128l/implementations.h \
crypto_aead/aegis256/aead_aegis256.c \ crypto_aead/aegis256/aead_aegis256.c \
crypto_aead/aegis256/aead_aegis256.h \ crypto_aead/aegis256/aegis256_common.h \
crypto_aead/aegis256/soft/aead_aegis256_soft.c \ crypto_aead/aegis256/aegis256_soft.c \
crypto_aead/aegis256/soft/aead_aegis256_soft.h \ crypto_aead/aegis256/aegis256_soft.h \
crypto_aead/aegis256/implementations.h \
crypto_aead/aes256gcm/aead_aes256gcm.c \ crypto_aead/aes256gcm/aead_aes256gcm.c \
crypto_aead/chacha20poly1305/aead_chacha20poly1305.c \ crypto_aead/chacha20poly1305/aead_chacha20poly1305.c \
crypto_aead/xchacha20poly1305/aead_xchacha20poly1305.c \ crypto_aead/xchacha20poly1305/aead_xchacha20poly1305.c \
@ -235,8 +236,8 @@ libarmcrypto_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
libarmcrypto_la_SOURCES = \ libarmcrypto_la_SOURCES = \
crypto_aead/aegis128l/aegis128l_armcrypto.c \ crypto_aead/aegis128l/aegis128l_armcrypto.c \
crypto_aead/aegis128l/aegis128l_armcrypto.h \ crypto_aead/aegis128l/aegis128l_armcrypto.h \
crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c \ crypto_aead/aegis256/aegis256_armcrypto.c \
crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h \ crypto_aead/aegis256/aegis256_armcrypto.h \
crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c
libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS) libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS)
@ -245,8 +246,8 @@ libaesni_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
libaesni_la_SOURCES = \ libaesni_la_SOURCES = \
crypto_aead/aegis128l/aegis128l_aesni.c \ crypto_aead/aegis128l/aegis128l_aesni.c \
crypto_aead/aegis128l/aegis128l_aesni.h \ crypto_aead/aegis128l/aegis128l_aesni.h \
crypto_aead/aegis256/aesni/aead_aegis256_aesni.c \ crypto_aead/aegis256/aegis256_aesni.c \
crypto_aead/aegis256/aesni/aead_aegis256_aesni.h \ crypto_aead/aegis256/aegis256_aesni.h \
crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
libsse2_la_LDFLAGS = $(libsodium_la_LDFLAGS) libsse2_la_LDFLAGS = $(libsodium_la_LDFLAGS)

45
src/libsodium/crypto_aead/aegis256/aead_aegis256.c
View File

@ -9,20 +9,17 @@
#include "randombytes.h" #include "randombytes.h"
#include "runtime.h" #include "runtime.h"
#include "aead_aegis256.h" #include "aegis256_soft.h"
#include "soft/aead_aegis256_soft.h"
#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) #if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN)
#include "armcrypto/aead_aegis256_armcrypto.h" #include "aegis256_armcrypto.h"
#endif #endif
#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H) #if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H)
#include "aesni/aead_aegis256_aesni.h" #include "aegis256_aesni.h"
#endif #endif
static const crypto_aead_aegis256_implementation *implementation = static const aegis256_implementation *implementation = &aegis256_soft_implementation;
&crypto_aead_aegis256_soft_implementation;
size_t size_t
crypto_aead_aegis256_keybytes(void) crypto_aead_aegis256_keybytes(void)
@ -69,9 +66,6 @@ crypto_aead_aegis256_encrypt(unsigned char *c, unsigned long long *clen_p, const
unsigned long long clen = 0ULL; unsigned long long clen = 0ULL;
int ret; int ret;
if (mlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) {
sodium_misuse();
}
ret = ret =
crypto_aead_aegis256_encrypt_detached(c, c + mlen, NULL, m, mlen, ad, adlen, nsec, npub, k); crypto_aead_aegis256_encrypt_detached(c, c + mlen, NULL, m, mlen, ad, adlen, nsec, npub, k);
if (clen_p != NULL) { if (clen_p != NULL) {
@ -112,7 +106,17 @@ crypto_aead_aegis256_encrypt_detached(unsigned char *c, unsigned char *mac,
unsigned long long adlen, const unsigned char *nsec, unsigned long long adlen, const unsigned char *nsec,
const unsigned char *npub, const unsigned char *k) const unsigned char *npub, const unsigned char *k)
{ {
return implementation->encrypt_detached(c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub, k); const size_t maclen = crypto_aead_aegis256_ABYTES;
if (maclen_p != NULL) {
*maclen_p = maclen;
}
if (mlen > crypto_aead_aegis256_MESSAGEBYTES_MAX ||
adlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) {
sodium_misuse();
}
return implementation->encrypt_detached(c, mac, maclen, m, (size_t) mlen, ad, (size_t) adlen,
npub, k);
} }
int int
@ -121,24 +125,31 @@ crypto_aead_aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, con
const unsigned char *ad, unsigned long long adlen, const unsigned char *ad, unsigned long long adlen,
const unsigned char *npub, const unsigned char *k) const unsigned char *npub, const unsigned char *k)
{ {
return implementation->decrypt_detached(m, nsec, c, clen, mac, ad, adlen, npub, k); const size_t maclen = crypto_aead_aegis256_ABYTES;
if (clen > crypto_aead_aegis256_MESSAGEBYTES_MAX ||
adlen > crypto_aead_aegis256_MESSAGEBYTES_MAX) {
return -1;
}
return implementation->decrypt_detached(m, c, (size_t) clen, mac, maclen, ad, (size_t) adlen,
npub, k);
} }
int int
_crypto_aead_aegis256_pick_best_implementation(void) _crypto_aead_aegis256_pick_best_implementation(void)
{ {
implementation = &crypto_aead_aegis256_soft_implementation; implementation = &aegis256_soft_implementation;
#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN) #if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN)
if (sodium_runtime_has_armcrypto()) { if (sodium_runtime_has_armcrypto()) {
implementation = &crypto_aead_aegis256_armcrypto_implementation; implementation = &aegis256_armcrypto_implementation;
return 0; return 0;
} }
#endif #endif
#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H) #if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H)
if (sodium_runtime_has_aesni() & sodium_runtime_has_avx()) { if (sodium_runtime_has_aesni() & sodium_runtime_has_avx()) {
implementation = &crypto_aead_aegis256_aesni_implementation; implementation = &aegis256_aesni_implementation;
return 0; return 0;
} }
#endif #endif

16
src/libsodium/crypto_aead/aegis256/aead_aegis256.h
View File

@ -1,16 +0,0 @@
#ifndef aead_aegis256_H
#define aead_aegis256_H
typedef struct crypto_aead_aegis256_implementation {
int (*encrypt_detached)(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p,
const unsigned char *m, unsigned long long mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *nsec, const unsigned char *npub,
const unsigned char *k);
int (*decrypt_detached)(unsigned char *m, unsigned char *nsec, const unsigned char *c,
unsigned long long clen, const unsigned char *mac,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *npub, const unsigned char *k);
} crypto_aead_aegis256_implementation;
#endif

65
src/libsodium/crypto_aead/aegis256/aegis256_aesni.c Normal file
View File

@ -0,0 +1,65 @@
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "crypto_verify_32.h"
#include "export.h"
#include "utils.h"
#include "private/common.h"
#if defined(HAVE_AVXINTRIN_H) && defined(HAVE_WMMINTRIN_H)
#include "aegis256_aesni.h"
#ifdef __clang__
#pragma clang attribute push(__attribute__((target("aes,avx"))), apply_to = function)
#elif defined(__GNUC__)
#pragma GCC target("aes,avx")
#endif
#include "private/sse2_64_32.h"
#include <immintrin.h>
#include <wmmintrin.h>
#define AES_BLOCK_LENGTH 16
typedef __m128i aes_block_t;
#define AES_BLOCK_XOR(A, B) _mm_xor_si128((A), (B))
#define AES_BLOCK_AND(A, B) _mm_and_si128((A), (B))
#define AES_BLOCK_LOAD(A) _mm_loadu_si128((const aes_block_t *) (const void *) (A))
#define AES_BLOCK_LOAD_64x2(A, B) _mm_set_epi64x((long long) (A), (long long) (B))
#define AES_BLOCK_STORE(A, B) _mm_storeu_si128((aes_block_t *) (void *) (A), (B))
#define AES_ENC(A, B) _mm_aesenc_si128((A), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t d)
{
aes_block_t tmp;
tmp = state[5];
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d);
}
#include "aegis256_common.h"
struct aegis256_implementation aegis256_aesni_implementation = { SODIUM_C99(.encrypt_detached =)
encrypt_detached,
SODIUM_C99(.decrypt_detached =)
decrypt_detached };
#ifdef __clang__
#pragma clang attribute pop
#endif
#endif

8
src/libsodium/crypto_aead/aegis256/aegis256_aesni.h Normal file
View File

@ -0,0 +1,8 @@
#ifndef aegis256_aesni_H
#define aegis256_aesni_H
#include "implementations.h"
extern struct aegis256_implementation aegis256_aesni_implementation;
#endif

67
src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.c Normal file
View File

@ -0,0 +1,67 @@
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "crypto_verify_32.h"
#include "export.h"
#include "utils.h"
#include "private/common.h"
#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN)
#include "aegis256_armcrypto.h"
#ifdef __clang__
#pragma clang attribute push(__attribute__((target("neon,crypto,aes"))), apply_to = function)
#elif defined(__GNUC__)
#pragma GCC target("neon,crypto,aes")
#endif
#ifndef __ARM_FEATURE_AES
#define __ARM_FEATURE_AES 1
#endif
#include <arm_neon.h>
#define AES_BLOCK_LENGTH 16
typedef uint8x16_t aes_block_t;
#define AES_BLOCK_XOR(A, B) veorq_u8((A), (B))
#define AES_BLOCK_AND(A, B) vandq_u8((A), (B))
#define AES_BLOCK_LOAD(A) vld1q_u8(A)
#define AES_BLOCK_LOAD_64x2(A, B) vreinterpretq_u8_u64(vsetq_lane_u64((A), vmovq_n_u64(B), 1))
#define AES_BLOCK_STORE(A, B) vst1q_u8((A), (B))
#define AES_ENC(A, B) veorq_u8(vaesmcq_u8(vaeseq_u8((A), vmovq_n_u8(0))), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t d)
{
aes_block_t tmp;
tmp = state[5];
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d);
}
#include "aegis256_common.h"
struct aegis256_implementation aegis256_armcrypto_implementation = { SODIUM_C99(.encrypt_detached =)
encrypt_detached,
SODIUM_C99(.decrypt_detached =)
decrypt_detached };
#ifdef __clang__
#pragma clang attribute pop
#endif
#endif

8
src/libsodium/crypto_aead/aegis256/aegis256_armcrypto.h Normal file
View File

@ -0,0 +1,8 @@
#ifndef aegis256_armcrypto_H
#define aegis256_armcrypto_H
#include "implementations.h"
extern struct aegis256_implementation aegis256_armcrypto_implementation;
#endif

214
src/libsodium/crypto_aead/aegis256/aegis256_common.h Normal file
View File

@ -0,0 +1,214 @@
#define RATE 16
static void
aegis256_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const state)
{
static CRYPTO_ALIGN(AES_BLOCK_LENGTH)
const uint8_t c0_[AES_BLOCK_LENGTH] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d,
0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 };
static CRYPTO_ALIGN(AES_BLOCK_LENGTH)
const uint8_t c1_[AES_BLOCK_LENGTH] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1,
0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd };
const aes_block_t c0 = AES_BLOCK_LOAD(c0_);
const aes_block_t c1 = AES_BLOCK_LOAD(c1_);
const aes_block_t k0 = AES_BLOCK_LOAD(key);
const aes_block_t k1 = AES_BLOCK_LOAD(key + AES_BLOCK_LENGTH);
const aes_block_t n0 = AES_BLOCK_LOAD(nonce);
const aes_block_t n1 = AES_BLOCK_LOAD(nonce + AES_BLOCK_LENGTH);
const aes_block_t k0_n0 = AES_BLOCK_XOR(k0, n0);
const aes_block_t k1_n1 = AES_BLOCK_XOR(k1, n1);
int i;
state[0] = k0_n0;
state[1] = k1_n1;
state[2] = c1;
state[3] = c0;
state[4] = AES_BLOCK_XOR(k0, c0);
state[5] = AES_BLOCK_XOR(k1, c1);
for (i = 0; i < 4; i++) {
aegis256_update(state, k0);
aegis256_update(state, k1);
aegis256_update(state, k0_n0);
aegis256_update(state, k1_n1);
}
}
static void
aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state)
{
aes_block_t tmp;
int i;
tmp = AES_BLOCK_LOAD_64x2(((uint64_t) mlen) << 3, ((uint64_t) adlen) << 3);
tmp = AES_BLOCK_XOR(tmp, state[3]);
for (i = 0; i < 7; i++) {
aegis256_update(state, tmp);
}
if (maclen == 16) {
tmp = AES_BLOCK_XOR(state[5], state[4]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2]));
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0]));
AES_BLOCK_STORE(mac, tmp);
} else if (maclen == 32) {
tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[2], state[1]), state[0]);
AES_BLOCK_STORE(mac, tmp);
tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[5], state[4]), state[3]);
AES_BLOCK_STORE(mac + 16, tmp);
} else {
memset(mac, 0, maclen);
}
}
static inline void
aegis256_absorb(const uint8_t *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
aegis256_update(state, msg);
}
static void
aegis256_enc(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state)
{
aes_block_t msg;
aes_block_t tmp;
msg = AES_BLOCK_LOAD(src);
tmp = AES_BLOCK_XOR(msg, state[5]);
tmp = AES_BLOCK_XOR(tmp, state[4]);
tmp = AES_BLOCK_XOR(tmp, state[1]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, tmp);
aegis256_update(state, msg);
}
static void
aegis256_dec(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
msg = AES_BLOCK_XOR(msg, state[5]);
msg = AES_BLOCK_XOR(msg, state[4]);
msg = AES_BLOCK_XOR(msg, state[1]);
msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, msg);
aegis256_update(state, msg);
}
static void
aegis256_declast(uint8_t *const dst, const uint8_t *const src, size_t len, aes_block_t *const state)
{
uint8_t pad[RATE];
aes_block_t msg;
memset(pad, 0, sizeof pad);
memcpy(pad, src, len);
msg = AES_BLOCK_LOAD(pad);
msg = AES_BLOCK_XOR(msg, state[5]);
msg = AES_BLOCK_XOR(msg, state[4]);
msg = AES_BLOCK_XOR(msg, state[1]);
msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(pad, msg);
memset(pad + len, 0, sizeof pad - len);
memcpy(dst, pad, len);
msg = AES_BLOCK_LOAD(pad);
aegis256_update(state, msg);
}
static int
encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen,
const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(RATE) uint8_t src[RATE];
CRYPTO_ALIGN(RATE) uint8_t dst[RATE];
size_t i;
aegis256_init(k, npub, state);
for (i = 0; i + RATE <= adlen; i += RATE) {
aegis256_absorb(ad + i, state);
}
if (adlen % RATE) {
memset(src, 0, RATE);
memcpy(src, ad + i, adlen % RATE);
aegis256_absorb(src, state);
}
for (i = 0; i + RATE <= mlen; i += RATE) {
aegis256_enc(c + i, m + i, state);
}
if (mlen % RATE) {
memset(src, 0, RATE);
memcpy(src, m + i, mlen % RATE);
aegis256_enc(dst, src, state);
memcpy(c + i, dst, mlen % RATE);
}
aegis256_mac(mac, maclen, adlen, mlen, state);
return 0;
}
static int
decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac, size_t maclen,
const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(RATE) uint8_t src[RATE];
CRYPTO_ALIGN(RATE) uint8_t dst[RATE];
CRYPTO_ALIGN(16) uint8_t computed_mac[32];
const size_t mlen = clen;
size_t i;
int ret;
aegis256_init(k, npub, state);
for (i = 0; i + RATE <= adlen; i += RATE) {
aegis256_absorb(ad + i, state);
}
if (adlen % RATE) {
memset(src, 0, RATE);
memcpy(src, ad + i, adlen % RATE);
aegis256_absorb(src, state);
}
if (m != NULL) {
for (i = 0; i + RATE <= mlen; i += RATE) {
aegis256_dec(m + i, c + i, state);
}
} else {
for (i = 0; i + RATE <= mlen; i += RATE) {
aegis256_dec(dst, c + i, state);
}
}
if (mlen % RATE) {
if (m != NULL) {
aegis256_declast(m + i, c + i, mlen % RATE, state);
} else {
aegis256_declast(dst, c + i, mlen % RATE, state);
}
}
COMPILER_ASSERT(sizeof computed_mac >= 32);
aegis256_mac(computed_mac, maclen, adlen, mlen, state);
ret = -1;
if (maclen == 16) {
ret = crypto_verify_16(computed_mac, mac);
} else if (maclen == 32) {
ret = crypto_verify_32(computed_mac, mac);
}
if (ret != 0 && m != NULL) {
memset(m, 0, mlen);
}
return ret;
}

54
src/libsodium/crypto_aead/aegis256/aegis256_soft.c Normal file
View File

@ -0,0 +1,54 @@
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "crypto_verify_32.h"
#include "export.h"
#include "utils.h"
#include "private/common.h"
#include "crypto_aead_aegis256.h"
#include "private/softaes.h"
#if 1
#include "aegis256_soft.h"
#define AES_BLOCK_LENGTH 16
typedef SoftAesBlock aes_block_t;
#define AES_BLOCK_XOR(A, B) softaes_block_xor((A), (B))
#define AES_BLOCK_AND(A, B) softaes_block_and((A), (B))
#define AES_BLOCK_LOAD(A) softaes_block_load(A)
#define AES_BLOCK_LOAD_64x2(A, B) softaes_block_load64x2((A), (B))
#define AES_BLOCK_STORE(A, B) softaes_block_store((A), (B))
#define AES_ENC(A, B) softaes_block_encrypt((A), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t d)
{
aes_block_t tmp;
tmp = state[5];
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = AES_BLOCK_XOR(AES_ENC(tmp, state[0]), d);
}
#include "aegis256_common.h"
struct aegis256_implementation aegis256_soft_implementation = { SODIUM_C99(.encrypt_detached =)
encrypt_detached,
SODIUM_C99(.decrypt_detached =)
decrypt_detached };
#endif

8
src/libsodium/crypto_aead/aegis256/aegis256_soft.h Normal file
View File

@ -0,0 +1,8 @@
#ifndef aegis256_soft_H
#define aegis256_soft_H
#include "implementations.h"
extern struct aegis256_implementation aegis256_soft_implementation;
#endif

256
src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.c
View File

@ -1,256 +0,0 @@
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "export.h"
#include "randombytes.h"
#include "runtime.h"
#include "utils.h"
#include "private/common.h"
#include "aead_aegis256_aesni.h"
#if defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H)
#ifdef __GNUC__
#pragma GCC target("avx,aes")
#endif
#include "private/sse2_64_32.h"
#include <tmmintrin.h>
#include <wmmintrin.h>
typedef __m128i aes_block_t;
#define AES_BLOCK_XOR(A, B) _mm_xor_si128((A), (B))
#define AES_BLOCK_AND(A, B) _mm_and_si128((A), (B))
#define AES_BLOCK_LOAD(A) _mm_loadu_si128((const aes_block_t *) (const void *) (A))
#define AES_BLOCK_LOAD_64x2(A, B) _mm_set_epi64x((A), (B))
#define AES_BLOCK_STORE(A, B) _mm_storeu_si128((aes_block_t *) (void *) (A), (B))
#define AES_ENC(A, B) _mm_aesenc_si128((A), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t data)
{
aes_block_t tmp;
tmp = AES_ENC(state[5], state[0]);
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = AES_BLOCK_XOR(tmp, data);
}
static void
aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state)
{
static CRYPTO_ALIGN(16)
const uint8_t c0_[] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1,
0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd };
static CRYPTO_ALIGN(16)
const uint8_t c1_[] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d,
0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 };
const aes_block_t c0 = AES_BLOCK_LOAD(c0_);
const aes_block_t c1 = AES_BLOCK_LOAD(c1_);
aes_block_t k1, k2;
aes_block_t kxn1, kxn2;
int i;
k1 = AES_BLOCK_LOAD(&key[0]);
k2 = AES_BLOCK_LOAD(&key[16]);
kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0]));
kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16]));
state[0] = kxn1;
state[1] = kxn2;
state[2] = c0;
state[3] = c1;
state[4] = AES_BLOCK_XOR(k1, c1);
state[5] = AES_BLOCK_XOR(k2, c0);
for (i = 0; i < 4; i++) {
aegis256_update(state, k1);
aegis256_update(state, k2);
aegis256_update(state, kxn1);
aegis256_update(state, kxn2);
}
}
static void
aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen,
aes_block_t *const state)
{
aes_block_t tmp;
int i;
tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3);
tmp = AES_BLOCK_XOR(tmp, state[3]);
for (i = 0; i < 7; i++) {
aegis256_update(state, tmp);
}
tmp = AES_BLOCK_XOR(state[5], state[4]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2]));
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0]));
AES_BLOCK_STORE(mac, tmp);
}
static inline void
aegis256_absorb(const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
aegis256_update(state, msg);
}
static void
aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
aes_block_t tmp;
msg = AES_BLOCK_LOAD(src);
tmp = AES_BLOCK_XOR(msg, state[5]);
tmp = AES_BLOCK_XOR(tmp, state[4]);
tmp = AES_BLOCK_XOR(tmp, state[1]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, tmp);
aegis256_update(state, msg);
}
static void
aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
msg = AES_BLOCK_XOR(msg, state[5]);
msg = AES_BLOCK_XOR(msg, state[4]);
msg = AES_BLOCK_XOR(msg, state[1]);
msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, msg);
aegis256_update(state, msg);
}
static int
aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p,
const unsigned char *m, unsigned long long mlen, const unsigned char *ad,
unsigned long long adlen, const unsigned char *nsec,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
unsigned long long i;
(void) nsec;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_enc(c + i, m + i, state);
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, m + i, mlen & 0xf);
aegis256_enc(dst, src, state);
memcpy(c + i, dst, mlen & 0xf);
}
aegis256_mac(mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
if (maclen_p != NULL) {
*maclen_p = 16ULL;
}
return 0;
}
static int
aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c,
unsigned long long clen, const unsigned char *mac,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
CRYPTO_ALIGN(16) unsigned char computed_mac[16];
unsigned long long i;
unsigned long long mlen;
int ret;
(void) nsec;
mlen = clen;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
if (m != NULL) {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(m + i, c + i, state);
}
} else {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(dst, c + i, state);
}
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, c + i, mlen & 0xf);
aegis256_dec(dst, src, state);
if (m != NULL) {
memcpy(m + i, dst, mlen & 0xf);
}
memset(dst, 0, mlen & 0xf);
state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst));
}
aegis256_mac(computed_mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
ret = crypto_verify_16(computed_mac, mac);
sodium_memzero(computed_mac, sizeof computed_mac);
if (m == NULL) {
return ret;
}
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
return 0;
}
struct crypto_aead_aegis256_implementation crypto_aead_aegis256_aesni_implementation = {
SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached,
SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached
};
#endif

6
src/libsodium/crypto_aead/aegis256/aesni/aead_aegis256_aesni.h
View File

@ -1,6 +0,0 @@
#include <stdint.h>
#include "../aead_aegis256.h"
#include "crypto_aead_aegis256.h"
extern struct crypto_aead_aegis256_implementation crypto_aead_aegis256_aesni_implementation;

256
src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.c
View File

@ -1,256 +0,0 @@
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "export.h"
#include "randombytes.h"
#include "runtime.h"
#include "utils.h"
#include "private/common.h"
#include "aead_aegis256_armcrypto.h"
#if defined(HAVE_ARMCRYPTO) && defined(NATIVE_LITTLE_ENDIAN)
#ifndef __ARM_FEATURE_AES
#define __ARM_FEATURE_AES 1
#endif
#include <arm_neon.h>
typedef uint8x16_t aes_block_t;
#define AES_BLOCK_XOR(A, B) veorq_u8((A), (B))
#define AES_BLOCK_AND(A, B) vandq_u8((A), (B))
#define AES_BLOCK_LOAD(A) vld1q_u8(A)
#define AES_BLOCK_LOAD_64x2(A, B) vreinterpretq_u8_u64(vsetq_lane_u64((A), vmovq_n_u64(B), 1))
#define AES_BLOCK_STORE(A, B) vst1q_u8((A), (B))
#define AES_ENC(A, B) veorq_u8(vaesmcq_u8(vaeseq_u8((A), vmovq_n_u8(0))), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t data)
{
aes_block_t tmp;
tmp = AES_BLOCK_XOR(AES_ENC(state[5], state[0]), data);
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = tmp;
}
static void
aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state)
{
static CRYPTO_ALIGN(16) const unsigned char c0_[] = {
0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42,
0x73, 0xb5, 0x28, 0xdd
};
static CRYPTO_ALIGN(16) const unsigned char c1_[] = {
0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59,
0x90, 0xe9, 0x79, 0x62
};
const aes_block_t c0 = AES_BLOCK_LOAD(c0_);
const aes_block_t c1 = AES_BLOCK_LOAD(c1_);
aes_block_t k1, k2;
aes_block_t kxn1, kxn2;
int i;
k1 = AES_BLOCK_LOAD(&key[0]);
k2 = AES_BLOCK_LOAD(&key[16]);
kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0]));
kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16]));
state[0] = kxn1;
state[1] = kxn2;
state[2] = c0;
state[3] = c1;
state[4] = AES_BLOCK_XOR(k1, c1);
state[5] = AES_BLOCK_XOR(k2, c0);
for (i = 0; i < 4; i++) {
aegis256_update(state, k1);
aegis256_update(state, k2);
aegis256_update(state, kxn1);
aegis256_update(state, kxn2);
}
}
static void
aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen,
aes_block_t *const state)
{
aes_block_t tmp;
int i;
tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3);
tmp = AES_BLOCK_XOR(tmp, state[3]);
for (i = 0; i < 7; i++) {
aegis256_update(state, tmp);
}
tmp = AES_BLOCK_XOR(state[5], state[4]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2]));
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0]));
AES_BLOCK_STORE(mac, tmp);
}
static inline void
aegis256_absorb(const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
aegis256_update(state, msg);
}
static void
aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
aes_block_t tmp;
msg = AES_BLOCK_LOAD(src);
tmp = AES_BLOCK_XOR(msg, state[5]);
tmp = AES_BLOCK_XOR(tmp, state[4]);
tmp = AES_BLOCK_XOR(tmp, state[1]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, tmp);
aegis256_update(state, msg);
}
static void
aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
msg = AES_BLOCK_XOR(msg, state[5]);
msg = AES_BLOCK_XOR(msg, state[4]);
msg = AES_BLOCK_XOR(msg, state[1]);
msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, msg);
aegis256_update(state, msg);
}
static int
aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p,
const unsigned char *m, unsigned long long mlen, const unsigned char *ad,
unsigned long long adlen, const unsigned char *nsec,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
unsigned long long i;
(void) nsec;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_enc(c + i, m + i, state);
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, m + i, mlen & 0xf);
aegis256_enc(dst, src, state);
memcpy(c + i, dst, mlen & 0xf);
}
aegis256_mac(mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
if (maclen_p != NULL) {
*maclen_p = 16ULL;
}
return 0;
}
static int
aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c,
unsigned long long clen, const unsigned char *mac,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
CRYPTO_ALIGN(16) unsigned char computed_mac[16];
unsigned long long i;
unsigned long long mlen;
int ret;
(void) nsec;
mlen = clen;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
if (m != NULL) {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(m + i, c + i, state);
}
} else {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(dst, c + i, state);
}
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, c + i, mlen & 0xf);
aegis256_dec(dst, src, state);
if (m != NULL) {
memcpy(m + i, dst, mlen & 0xf);
}
memset(dst, 0, mlen & 0xf);
state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst));
}
aegis256_mac(computed_mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
ret = crypto_verify_16(computed_mac, mac);
sodium_memzero(computed_mac, sizeof computed_mac);
if (m == NULL) {
return ret;
}
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
return 0;
}
struct crypto_aead_aegis256_implementation crypto_aead_aegis256_armcrypto_implementation = {
SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached,
SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached
};
#endif

6
src/libsodium/crypto_aead/aegis256/armcrypto/aead_aegis256_armcrypto.h
View File

@ -1,6 +0,0 @@
#include <stdint.h>
#include "../aead_aegis256.h"
#include "crypto_aead_aegis256.h"
extern struct crypto_aead_aegis256_implementation crypto_aead_aegis256_armcrypto_implementation;

17
src/libsodium/crypto_aead/aegis256/implementations.h Normal file
View File

@ -0,0 +1,17 @@
#ifndef aegis256_implementations_H
#define aegis256_implementations_H
#include <stddef.h>
#include <stdint.h>
#include "crypto_aead_aegis256.h"
typedef struct aegis256_implementation {
int (*encrypt_detached)(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen,
const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k);
int (*decrypt_detached)(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac,
size_t maclen, const uint8_t *ad, size_t adlen, const uint8_t *npub,
const uint8_t *k);
} aegis256_implementation;
#endif

247
src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.c
View File

@ -1,247 +0,0 @@
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "core.h"
#include "crypto_aead_aegis256.h"
#include "crypto_verify_16.h"
#include "export.h"
#include "randombytes.h"
#include "runtime.h"
#include "utils.h"
#include "private/common.h"
#include "private/softaes.h"
#include "aead_aegis256_soft.h"
typedef SoftAesBlock aes_block_t;
#define AES_BLOCK_XOR(A, B) softaes_block_xor((A), (B))
#define AES_BLOCK_AND(A, B) softaes_block_and((A), (B))
#define AES_BLOCK_LOAD(A) softaes_block_load(A)
#define AES_BLOCK_LOAD_64x2(A, B) softaes_block_load64x2((A), (B))
#define AES_BLOCK_STORE(A, B) softaes_block_store((A), (B))
#define AES_ENC(A, B) softaes_block_encrypt((A), (B))
static inline void
aegis256_update(aes_block_t *const state, const aes_block_t data)
{
aes_block_t tmp;
tmp = AES_ENC(state[5], state[0]);
state[5] = AES_ENC(state[4], state[5]);
state[4] = AES_ENC(state[3], state[4]);
state[3] = AES_ENC(state[2], state[3]);
state[2] = AES_ENC(state[1], state[2]);
state[1] = AES_ENC(state[0], state[1]);
state[0] = AES_BLOCK_XOR(tmp, data);
}
static void
aegis256_init(const unsigned char *key, const unsigned char *nonce, aes_block_t *const state)
{
static CRYPTO_ALIGN(16)
const unsigned char c0_[] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1,
0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd };
static CRYPTO_ALIGN(16)
const unsigned char c1_[] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d,
0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 };
const aes_block_t c0 = AES_BLOCK_LOAD(c0_);
const aes_block_t c1 = AES_BLOCK_LOAD(c1_);
aes_block_t k1, k2;
aes_block_t kxn1, kxn2;
int i;
k1 = AES_BLOCK_LOAD(&key[0]);
k2 = AES_BLOCK_LOAD(&key[16]);
kxn1 = AES_BLOCK_XOR(k1, AES_BLOCK_LOAD(&nonce[0]));
kxn2 = AES_BLOCK_XOR(k2, AES_BLOCK_LOAD(&nonce[16]));
state[0] = kxn1;
state[1] = kxn2;
state[2] = c0;
state[3] = c1;
state[4] = AES_BLOCK_XOR(k1, c1);
state[5] = AES_BLOCK_XOR(k2, c0);
for (i = 0; i < 4; i++) {
aegis256_update(state, k1);
aegis256_update(state, k2);
aegis256_update(state, kxn1);
aegis256_update(state, kxn2);
}
}
static void
aegis256_mac(unsigned char *mac, unsigned long long adlen, unsigned long long mlen,
aes_block_t *const state)
{
aes_block_t tmp;
int i;
tmp = AES_BLOCK_LOAD_64x2(mlen << 3, adlen << 3);
tmp = AES_BLOCK_XOR(tmp, state[3]);
for (i = 0; i < 7; i++) {
aegis256_update(state, tmp);
}
tmp = AES_BLOCK_XOR(state[5], state[4]);
tmp = AES_BLOCK_XOR(tmp, state[3]);
tmp = AES_BLOCK_XOR(tmp, state[2]);
tmp = AES_BLOCK_XOR(tmp, state[1]);
tmp = AES_BLOCK_XOR(tmp, state[0]);
AES_BLOCK_STORE(mac, tmp);
}
static inline void
aegis256_absorb(const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
aegis256_update(state, msg);
}
static void
aegis256_enc(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
aes_block_t tmp;
msg = AES_BLOCK_LOAD(src);
tmp = AES_BLOCK_XOR(msg, state[5]);
tmp = AES_BLOCK_XOR(tmp, state[4]);
tmp = AES_BLOCK_XOR(tmp, state[1]);
tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, tmp);
aegis256_update(state, msg);
}
static void
aegis256_dec(unsigned char *const dst, const unsigned char *const src, aes_block_t *const state)
{
aes_block_t msg;
msg = AES_BLOCK_LOAD(src);
msg = AES_BLOCK_XOR(msg, state[5]);
msg = AES_BLOCK_XOR(msg, state[4]);
msg = AES_BLOCK_XOR(msg, state[1]);
msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3]));
AES_BLOCK_STORE(dst, msg);
aegis256_update(state, msg);
}
static int
aegis256_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p,
const unsigned char *m, unsigned long long mlen, const unsigned char *ad,
unsigned long long adlen, const unsigned char *nsec,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
unsigned long long i;
(void) nsec;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_enc(c + i, m + i, state);
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, m + i, mlen & 0xf);
aegis256_enc(dst, src, state);
memcpy(c + i, dst, mlen & 0xf);
}
aegis256_mac(mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
if (maclen_p != NULL) {
*maclen_p = 16ULL;
}
return 0;
}
static int
aegis256_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c,
unsigned long long clen, const unsigned char *mac,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *npub, const unsigned char *k)
{
aes_block_t state[6];
CRYPTO_ALIGN(16) unsigned char src[16];
CRYPTO_ALIGN(16) unsigned char dst[16];
CRYPTO_ALIGN(16) unsigned char computed_mac[16];
unsigned long long i;
unsigned long long mlen;
int ret;
(void) nsec;
mlen = clen;
aegis256_init(k, npub, state);
for (i = 0ULL; i + 16ULL <= adlen; i += 16ULL) {
aegis256_absorb(ad + i, state);
}
if (adlen & 0xf) {
memset(src, 0, 16);
memcpy(src, ad + i, adlen & 0xf);
aegis256_absorb(src, state);
}
if (m != NULL) {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(m + i, c + i, state);
}
} else {
for (i = 0ULL; i + 16ULL <= mlen; i += 16ULL) {
aegis256_dec(dst, c + i, state);
}
}
if (mlen & 0xf) {
memset(src, 0, 16);
memcpy(src, c + i, mlen & 0xf);
aegis256_dec(dst, src, state);
if (m != NULL) {
memcpy(m + i, dst, mlen & 0xf);
}
memset(dst, 0, mlen & 0xf);
state[0] = AES_BLOCK_XOR(state[0], AES_BLOCK_LOAD(dst));
}
aegis256_mac(computed_mac, adlen, mlen, state);
sodium_memzero(state, sizeof state);
sodium_memzero(src, sizeof src);
sodium_memzero(dst, sizeof dst);
ret = crypto_verify_16(computed_mac, mac);
sodium_memzero(computed_mac, sizeof computed_mac);
if (m == NULL) {
return ret;
}
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
return 0;
}
struct crypto_aead_aegis256_implementation crypto_aead_aegis256_soft_implementation = {
SODIUM_C99(.encrypt_detached =) aegis256_encrypt_detached,
SODIUM_C99(.decrypt_detached =) aegis256_decrypt_detached
};

7
src/libsodium/crypto_aead/aegis256/soft/aead_aegis256_soft.h
View File

@ -1,7 +0,0 @@
#include <stdint.h>
#include "../aead_aegis256.h"
#include "crypto_aead_aegis256.h"
extern struct crypto_aead_aegis256_implementation
crypto_aead_aegis256_soft_implementation;