linux/crypto/aegis.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * AEGIS common definitions
 *
 * Copyright (c) 2018 Ondrej Mosnacek <omosnacek@gmail.com>
 * Copyright (c) 2018 Red Hat, Inc. All rights reserved.
 */

#ifndef _CRYPTO_AEGIS_H
#define _CRYPTO_AEGIS_H

#include <crypto/aes.h>
#include <linux/types.h>

#define AEGIS_BLOCK_SIZE 16

union aegis_block {
	__le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)];
	__le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)];
	u8 bytes[AEGIS_BLOCK_SIZE];
};

#define AEGIS_BLOCK_ALIGN (__alignof__(union aegis_block))
#define AEGIS_ALIGNED(p) IS_ALIGNED((uintptr_t)p, AEGIS_BLOCK_ALIGN)

static const union aegis_block crypto_aegis_const[2] = {
	{ .words64 = {
		cpu_to_le64(U64_C(0x0d08050302010100)),
		cpu_to_le64(U64_C(0x6279e99059372215)),
	} },
	{ .words64 = {
		cpu_to_le64(U64_C(0xf12fc26d55183ddb)),
		cpu_to_le64(U64_C(0xdd28b57342311120)),
	} },
};

static void crypto_aegis_block_xor(union aegis_block *dst,
				   const union aegis_block *src)
{
	dst->words64[0] ^= src->words64[0];
	dst->words64[1] ^= src->words64[1];
}

static void crypto_aegis_block_and(union aegis_block *dst,
				   const union aegis_block *src)
{
	dst->words64[0] &= src->words64[0];
	dst->words64[1] &= src->words64[1];
}

static void crypto_aegis_aesenc(union aegis_block *dst,
				const union aegis_block *src,
				const union aegis_block *key)
{
	const u8  *s  = src->bytes;
	const u32 *t0 = crypto_ft_tab[0];
	const u32 *t1 = crypto_ft_tab[1];
	const u32 *t2 = crypto_ft_tab[2];
	const u32 *t3 = crypto_ft_tab[3];
	u32 d0, d1, d2, d3;

	d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]];
	d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]];
	d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]];
	d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]];

	dst->words32[0] = cpu_to_le32(d0) ^ key->words32[0];
	dst->words32[1] = cpu_to_le32(d1) ^ key->words32[1];
	dst->words32[2] = cpu_to_le32(d2) ^ key->words32[2];
	dst->words32[3] = cpu_to_le32(d3) ^ key->words32[3];
}

#endif /* _CRYPTO_AEGIS_H */
crypto: aegis - Cleanup license mess Precise and non-ambiguous license information is important. The recently added aegis header file has a SPDX license identifier, which is nice, but at the same time it has a contradictionary license boiler plate text. SPDX-License-Identifier: GPL-2.0 versus * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at your option) * any later version Oh well. As the other aegis related files are licensed under the GPL v2 or later, it's assumed that the boiler plate code is correct, but the SPDX license identifier is wrong. Fix the SPDX identifier and remove the boiler plate as it is redundant. Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Ondrej Mosnacek <omosnacek@gmail.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Acked-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2019-01-18 02:14:18 +03:00			`/* SPDX-License-Identifier: GPL-2.0-or-later */`
crypto: aegis - Add generic AEGIS AEAD implementations This patch adds the generic implementation of the AEGIS family of AEAD algorithms (AEGIS-128, AEGIS-128L, and AEGIS-256). The original authors of AEGIS are Hongjun Wu and Bart Preneel. At the time of writing, AEGIS is one of the finalists in CAESAR, an open competition intended to select a portfolio of alternatives to the problematic AES-GCM: https://competitions.cr.yp.to/caesar-submissions.html https://competitions.cr.yp.to/round3/aegisv11.pdf Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-05-11 15:12:49 +03:00			`/*`
			`* AEGIS common definitions`
			`*`
			`* Copyright (c) 2018 Ondrej Mosnacek <omosnacek@gmail.com>`
			`* Copyright (c) 2018 Red Hat, Inc. All rights reserved.`
			`*/`

			`#ifndef _CRYPTO_AEGIS_H`
			`#define _CRYPTO_AEGIS_H`

			`#include <crypto/aes.h>`
			`#include <linux/types.h>`

			`#define AEGIS_BLOCK_SIZE 16`

			`union aegis_block {`
			`__le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)];`
crypto: aegis/generic - fix for big endian systems Use the correct __le32 annotation and accessors to perform the single round of AES encryption performed inside the AEGIS transform. Otherwise, tcrypt reports: alg: aead: Test 1 failed on encryption for aegis128-generic 00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e alg: aead: Test 1 failed on encryption for aegis128l-generic 00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28 alg: aead: Test 1 failed on encryption for aegis256-generic 00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations") Cc: <stable@vger.kernel.org> # v4.18+ Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-10-01 11:36:38 +03:00			`__le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)];`
crypto: aegis - Add generic AEGIS AEAD implementations This patch adds the generic implementation of the AEGIS family of AEAD algorithms (AEGIS-128, AEGIS-128L, and AEGIS-256). The original authors of AEGIS are Hongjun Wu and Bart Preneel. At the time of writing, AEGIS is one of the finalists in CAESAR, an open competition intended to select a portfolio of alternatives to the problematic AES-GCM: https://competitions.cr.yp.to/caesar-submissions.html https://competitions.cr.yp.to/round3/aegisv11.pdf Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-05-11 15:12:49 +03:00			`u8 bytes[AEGIS_BLOCK_SIZE];`
			`};`

			`#define AEGIS_BLOCK_ALIGN (__alignof__(union aegis_block))`
			`#define AEGIS_ALIGNED(p) IS_ALIGNED((uintptr_t)p, AEGIS_BLOCK_ALIGN)`

			`static const union aegis_block crypto_aegis_const[2] = {`
			`{ .words64 = {`
			`cpu_to_le64(U64_C(0x0d08050302010100)),`
			`cpu_to_le64(U64_C(0x6279e99059372215)),`
			`} },`
			`{ .words64 = {`
			`cpu_to_le64(U64_C(0xf12fc26d55183ddb)),`
			`cpu_to_le64(U64_C(0xdd28b57342311120)),`
			`} },`
			`};`

			`static void crypto_aegis_block_xor(union aegis_block *dst,`
			`const union aegis_block *src)`
			`{`
			`dst->words64[0] ^= src->words64[0];`
			`dst->words64[1] ^= src->words64[1];`
			`}`

			`static void crypto_aegis_block_and(union aegis_block *dst,`
			`const union aegis_block *src)`
			`{`
			`dst->words64[0] &= src->words64[0];`
			`dst->words64[1] &= src->words64[1];`
			`}`

			`static void crypto_aegis_aesenc(union aegis_block *dst,`
			`const union aegis_block *src,`
			`const union aegis_block *key)`
			`{`
			`const u8 *s = src->bytes;`
			`const u32 *t0 = crypto_ft_tab[0];`
			`const u32 *t1 = crypto_ft_tab[1];`
			`const u32 *t2 = crypto_ft_tab[2];`
			`const u32 *t3 = crypto_ft_tab[3];`
			`u32 d0, d1, d2, d3;`

crypto: aegis/generic - fix for big endian systems Use the correct __le32 annotation and accessors to perform the single round of AES encryption performed inside the AEGIS transform. Otherwise, tcrypt reports: alg: aead: Test 1 failed on encryption for aegis128-generic 00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e alg: aead: Test 1 failed on encryption for aegis128l-generic 00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28 alg: aead: Test 1 failed on encryption for aegis256-generic 00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations") Cc: <stable@vger.kernel.org> # v4.18+ Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-10-01 11:36:38 +03:00			`d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]];`
			`d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]];`
			`d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]];`
			`d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]];`
crypto: aegis - Add generic AEGIS AEAD implementations This patch adds the generic implementation of the AEGIS family of AEAD algorithms (AEGIS-128, AEGIS-128L, and AEGIS-256). The original authors of AEGIS are Hongjun Wu and Bart Preneel. At the time of writing, AEGIS is one of the finalists in CAESAR, an open competition intended to select a portfolio of alternatives to the problematic AES-GCM: https://competitions.cr.yp.to/caesar-submissions.html https://competitions.cr.yp.to/round3/aegisv11.pdf Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-05-11 15:12:49 +03:00
crypto: aegis/generic - fix for big endian systems Use the correct __le32 annotation and accessors to perform the single round of AES encryption performed inside the AEGIS transform. Otherwise, tcrypt reports: alg: aead: Test 1 failed on encryption for aegis128-generic 00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e alg: aead: Test 1 failed on encryption for aegis128l-generic 00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28 alg: aead: Test 1 failed on encryption for aegis256-generic 00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations") Cc: <stable@vger.kernel.org> # v4.18+ Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-10-01 11:36:38 +03:00			`dst->words32[0] = cpu_to_le32(d0) ^ key->words32[0];`
			`dst->words32[1] = cpu_to_le32(d1) ^ key->words32[1];`
			`dst->words32[2] = cpu_to_le32(d2) ^ key->words32[2];`
			`dst->words32[3] = cpu_to_le32(d3) ^ key->words32[3];`
crypto: aegis - Add generic AEGIS AEAD implementations This patch adds the generic implementation of the AEGIS family of AEAD algorithms (AEGIS-128, AEGIS-128L, and AEGIS-256). The original authors of AEGIS are Hongjun Wu and Bart Preneel. At the time of writing, AEGIS is one of the finalists in CAESAR, an open competition intended to select a portfolio of alternatives to the problematic AES-GCM: https://competitions.cr.yp.to/caesar-submissions.html https://competitions.cr.yp.to/round3/aegisv11.pdf Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2018-05-11 15:12:49 +03:00			`}`

			`#endif /* _CRYPTO_AEGIS_H */`