1 // SPDX-License-Identifier: GPL-2.0-only
5  * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
12  * Code based on crypto/ghash-generic.c
15  * modulus for finite field multiplication which makes hardware accelerated
16  * implementations on little-endian machines faster. POLYVAL is used in the
17  * kernel to implement HCTR2, but was originally specified for AES-GCM-SIV
21  * Length-preserving encryption with HCTR2:
23  * AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption:
33  * field by computing x*REVERSE(a), where REVERSE reverses the byte-ordering of
35  * POLYVAL field by computing REVERSE(x^{-1}*a). For more information, see:
36  * https://datatracker.ietf.org/doc/html/rfc8452#appendix-A
42  * and is not constant time. For practical use, a hardware accelerated
81  * subroutine.  This function is used as a fallback for hardware accelerated
84  * Note: This function is not used for polyval-generic, instead we use the 4k
102  * as a fallback for hardware accelerated implementations when simd registers
105  * Note: This function is not used for polyval-generic, instead we use the 4k
111 	while (nblocks--) {  in polyval_update_non4k()
126 		return -EINVAL;  in polyval_setkey()
128 	gf128mul_free_4k(ctx->gf128);  in polyval_setkey()
134 	ctx->gf128 = gf128mul_init_4k_lle(&k);  in polyval_setkey()
137 	if (!ctx->gf128)  in polyval_setkey()
138 		return -ENOMEM;  in polyval_setkey()
156 	const struct polyval_tfm_ctx *ctx = crypto_shash_ctx(desc->tfm);  in polyval_update()
161 	if (dctx->bytes) {  in polyval_update()
162 		n = min(srclen, dctx->bytes);  in polyval_update()
163 		pos = dctx->buffer + dctx->bytes - 1;  in polyval_update()
165 		dctx->bytes -= n;  in polyval_update()
166 		srclen -= n;  in polyval_update()
168 		while (n--)  in polyval_update()
169 			*pos-- ^= *src++;  in polyval_update()
171 		if (!dctx->bytes)  in polyval_update()
172 			gf128mul_4k_lle(&dctx->buffer128, ctx->gf128);  in polyval_update()
177 		crypto_xor(dctx->buffer, tmp, POLYVAL_BLOCK_SIZE);  in polyval_update()
178 		gf128mul_4k_lle(&dctx->buffer128, ctx->gf128);  in polyval_update()
180 		srclen -= POLYVAL_BLOCK_SIZE;  in polyval_update()
184 		dctx->bytes = POLYVAL_BLOCK_SIZE - srclen;  in polyval_update()
185 		pos = dctx->buffer + POLYVAL_BLOCK_SIZE - 1;  in polyval_update()
186 		while (srclen--)  in polyval_update()
187 			*pos-- ^= *src++;  in polyval_update()
196 	const struct polyval_tfm_ctx *ctx = crypto_shash_ctx(desc->tfm);  in polyval_final()
198 	if (dctx->bytes)  in polyval_final()
199 		gf128mul_4k_lle(&dctx->buffer128, ctx->gf128);  in polyval_final()
200 	copy_and_reverse(dst, dctx->buffer);  in polyval_final()
208 	gf128mul_free_4k(ctx->gf128);  in polyval_exit_tfm()
220 		.cra_driver_name	= "polyval-generic",
245 MODULE_ALIAS_CRYPTO("polyval-generic");