forked from mirror/go-ethereum
Merge pull request #18390 from realdave/remove-sha3-pkg
vendor, crypto, swarm: switch over to upstream sha3 packagerelease/1.8
Péter Szilágyi
6 years ago
committed by
GitHub
commit
391d4cb9b5
@ -1,27 +0,0 @@ |
||||
Copyright (c) 2009 The Go Authors. All rights reserved. |
||||
|
||||
Redistribution and use in source and binary forms, with or without |
||||
modification, are permitted provided that the following conditions are |
||||
met: |
||||
|
||||
* Redistributions of source code must retain the above copyright |
||||
notice, this list of conditions and the following disclaimer. |
||||
* Redistributions in binary form must reproduce the above |
||||
copyright notice, this list of conditions and the following disclaimer |
||||
in the documentation and/or other materials provided with the |
||||
distribution. |
||||
* Neither the name of Google Inc. nor the names of its |
||||
contributors may be used to endorse or promote products derived from |
||||
this software without specific prior written permission. |
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
||||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||||
@ -1,22 +0,0 @@ |
||||
Additional IP Rights Grant (Patents) |
||||
|
||||
"This implementation" means the copyrightable works distributed by |
||||
Google as part of the Go project. |
||||
|
||||
Google hereby grants to You a perpetual, worldwide, non-exclusive, |
||||
no-charge, royalty-free, irrevocable (except as stated in this section) |
||||
patent license to make, have made, use, offer to sell, sell, import, |
||||
transfer and otherwise run, modify and propagate the contents of this |
||||
implementation of Go, where such license applies only to those patent |
||||
claims, both currently owned or controlled by Google and acquired in |
||||
the future, licensable by Google that are necessarily infringed by this |
||||
implementation of Go. This grant does not include claims that would be |
||||
infringed only as a consequence of further modification of this |
||||
implementation. If you or your agent or exclusive licensee institute or |
||||
order or agree to the institution of patent litigation against any |
||||
entity (including a cross-claim or counterclaim in a lawsuit) alleging |
||||
that this implementation of Go or any code incorporated within this |
||||
implementation of Go constitutes direct or contributory patent |
||||
infringement, or inducement of patent infringement, then any patent |
||||
rights granted to you under this License for this implementation of Go |
||||
shall terminate as of the date such litigation is filed. |
||||
@ -1,297 +0,0 @@ |
||||
// Copyright 2014 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sha3 |
||||
|
||||
// Tests include all the ShortMsgKATs provided by the Keccak team at
|
||||
// https://github.com/gvanas/KeccakCodePackage
|
||||
//
|
||||
// They only include the zero-bit case of the bitwise testvectors
|
||||
// published by NIST in the draft of FIPS-202.
|
||||
|
||||
import ( |
||||
"bytes" |
||||
"compress/flate" |
||||
"encoding/hex" |
||||
"encoding/json" |
||||
"hash" |
||||
"os" |
||||
"strings" |
||||
"testing" |
||||
) |
||||
|
||||
const ( |
||||
testString = "brekeccakkeccak koax koax" |
||||
katFilename = "testdata/keccakKats.json.deflate" |
||||
) |
||||
|
||||
// Internal-use instances of SHAKE used to test against KATs.
|
||||
func newHashShake128() hash.Hash { |
||||
return &state{rate: 168, dsbyte: 0x1f, outputLen: 512} |
||||
} |
||||
func newHashShake256() hash.Hash { |
||||
return &state{rate: 136, dsbyte: 0x1f, outputLen: 512} |
||||
} |
||||
|
||||
// testDigests contains functions returning hash.Hash instances
|
||||
// with output-length equal to the KAT length for both SHA-3 and
|
||||
// SHAKE instances.
|
||||
var testDigests = map[string]func() hash.Hash{ |
||||
"SHA3-224": New224, |
||||
"SHA3-256": New256, |
||||
"SHA3-384": New384, |
||||
"SHA3-512": New512, |
||||
"SHAKE128": newHashShake128, |
||||
"SHAKE256": newHashShake256, |
||||
} |
||||
|
||||
// testShakes contains functions that return ShakeHash instances for
|
||||
// testing the ShakeHash-specific interface.
|
||||
var testShakes = map[string]func() ShakeHash{ |
||||
"SHAKE128": NewShake128, |
||||
"SHAKE256": NewShake256, |
||||
} |
||||
|
||||
// structs used to marshal JSON test-cases.
|
||||
type KeccakKats struct { |
||||
Kats map[string][]struct { |
||||
Digest string `json:"digest"` |
||||
Length int64 `json:"length"` |
||||
Message string `json:"message"` |
||||
} |
||||
} |
||||
|
||||
func testUnalignedAndGeneric(t *testing.T, testf func(impl string)) { |
||||
xorInOrig, copyOutOrig := xorIn, copyOut |
||||
xorIn, copyOut = xorInGeneric, copyOutGeneric |
||||
testf("generic") |
||||
if xorImplementationUnaligned != "generic" { |
||||
xorIn, copyOut = xorInUnaligned, copyOutUnaligned |
||||
testf("unaligned") |
||||
} |
||||
xorIn, copyOut = xorInOrig, copyOutOrig |
||||
} |
||||
|
||||
// TestKeccakKats tests the SHA-3 and Shake implementations against all the
|
||||
// ShortMsgKATs from https://github.com/gvanas/KeccakCodePackage
|
||||
// (The testvectors are stored in keccakKats.json.deflate due to their length.)
|
||||
func TestKeccakKats(t *testing.T) { |
||||
testUnalignedAndGeneric(t, func(impl string) { |
||||
// Read the KATs.
|
||||
deflated, err := os.Open(katFilename) |
||||
if err != nil { |
||||
t.Errorf("error opening %s: %s", katFilename, err) |
||||
} |
||||
file := flate.NewReader(deflated) |
||||
dec := json.NewDecoder(file) |
||||
var katSet KeccakKats |
||||
err = dec.Decode(&katSet) |
||||
if err != nil { |
||||
t.Errorf("error decoding KATs: %s", err) |
||||
} |
||||
|
||||
// Do the KATs.
|
||||
for functionName, kats := range katSet.Kats { |
||||
d := testDigests[functionName]() |
||||
for _, kat := range kats { |
||||
d.Reset() |
||||
in, err := hex.DecodeString(kat.Message) |
||||
if err != nil { |
||||
t.Errorf("error decoding KAT: %s", err) |
||||
} |
||||
d.Write(in[:kat.Length/8]) |
||||
got := strings.ToUpper(hex.EncodeToString(d.Sum(nil))) |
||||
if got != kat.Digest { |
||||
t.Errorf("function=%s, implementation=%s, length=%d\nmessage:\n %s\ngot:\n %s\nwanted:\n %s", |
||||
functionName, impl, kat.Length, kat.Message, got, kat.Digest) |
||||
t.Logf("wanted %+v", kat) |
||||
t.FailNow() |
||||
} |
||||
continue |
||||
} |
||||
} |
||||
}) |
||||
} |
||||
|
||||
// TestUnalignedWrite tests that writing data in an arbitrary pattern with
|
||||
// small input buffers.
|
||||
func TestUnalignedWrite(t *testing.T) { |
||||
testUnalignedAndGeneric(t, func(impl string) { |
||||
buf := sequentialBytes(0x10000) |
||||
for alg, df := range testDigests { |
||||
d := df() |
||||
d.Reset() |
||||
d.Write(buf) |
||||
want := d.Sum(nil) |
||||
d.Reset() |
||||
for i := 0; i < len(buf); { |
||||
// Cycle through offsets which make a 137 byte sequence.
|
||||
// Because 137 is prime this sequence should exercise all corner cases.
|
||||
offsets := [17]int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 1} |
||||
for _, j := range offsets { |
||||
if v := len(buf) - i; v < j { |
||||
j = v |
||||
} |
||||
d.Write(buf[i : i+j]) |
||||
i += j |
||||
} |
||||
} |
||||
got := d.Sum(nil) |
||||
if !bytes.Equal(got, want) { |
||||
t.Errorf("Unaligned writes, implementation=%s, alg=%s\ngot %q, want %q", impl, alg, got, want) |
||||
} |
||||
} |
||||
}) |
||||
} |
||||
|
||||
// TestAppend checks that appending works when reallocation is necessary.
|
||||
func TestAppend(t *testing.T) { |
||||
testUnalignedAndGeneric(t, func(impl string) { |
||||
d := New224() |
||||
|
||||
for capacity := 2; capacity <= 66; capacity += 64 { |
||||
// The first time around the loop, Sum will have to reallocate.
|
||||
// The second time, it will not.
|
||||
buf := make([]byte, 2, capacity) |
||||
d.Reset() |
||||
d.Write([]byte{0xcc}) |
||||
buf = d.Sum(buf) |
||||
expected := "0000DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39" |
||||
if got := strings.ToUpper(hex.EncodeToString(buf)); got != expected { |
||||
t.Errorf("got %s, want %s", got, expected) |
||||
} |
||||
} |
||||
}) |
||||
} |
||||
|
||||
// TestAppendNoRealloc tests that appending works when no reallocation is necessary.
|
||||
func TestAppendNoRealloc(t *testing.T) { |
||||
testUnalignedAndGeneric(t, func(impl string) { |
||||
buf := make([]byte, 1, 200) |
||||
d := New224() |
||||
d.Write([]byte{0xcc}) |
||||
buf = d.Sum(buf) |
||||
expected := "00DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39" |
||||
if got := strings.ToUpper(hex.EncodeToString(buf)); got != expected { |
||||
t.Errorf("%s: got %s, want %s", impl, got, expected) |
||||
} |
||||
}) |
||||
} |
||||
|
||||
// TestSqueezing checks that squeezing the full output a single time produces
|
||||
// the same output as repeatedly squeezing the instance.
|
||||
func TestSqueezing(t *testing.T) { |
||||
testUnalignedAndGeneric(t, func(impl string) { |
||||
for functionName, newShakeHash := range testShakes { |
||||
d0 := newShakeHash() |
||||
d0.Write([]byte(testString)) |
||||
ref := make([]byte, 32) |
||||
d0.Read(ref) |
||||
|
||||
d1 := newShakeHash() |
||||
d1.Write([]byte(testString)) |
||||
var multiple []byte |
||||
for range ref { |
||||
one := make([]byte, 1) |
||||
d1.Read(one) |
||||
multiple = append(multiple, one...) |
||||
} |
||||
if !bytes.Equal(ref, multiple) { |
||||
t.Errorf("%s (%s): squeezing %d bytes one at a time failed", functionName, impl, len(ref)) |
||||
} |
||||
} |
||||
}) |
||||
} |
||||
|
||||
// sequentialBytes produces a buffer of size consecutive bytes 0x00, 0x01, ..., used for testing.
|
||||
func sequentialBytes(size int) []byte { |
||||
result := make([]byte, size) |
||||
for i := range result { |
||||
result[i] = byte(i) |
||||
} |
||||
return result |
||||
} |
||||
|
||||
// BenchmarkPermutationFunction measures the speed of the permutation function
|
||||
// with no input data.
|
||||
func BenchmarkPermutationFunction(b *testing.B) { |
||||
b.SetBytes(int64(200)) |
||||
var lanes [25]uint64 |
||||
for i := 0; i < b.N; i++ { |
||||
keccakF1600(&lanes) |
||||
} |
||||
} |
||||
|
||||
// benchmarkHash tests the speed to hash num buffers of buflen each.
|
||||
func benchmarkHash(b *testing.B, h hash.Hash, size, num int) { |
||||
b.StopTimer() |
||||
h.Reset() |
||||
data := sequentialBytes(size) |
||||
b.SetBytes(int64(size * num)) |
||||
b.StartTimer() |
||||
|
||||
var state []byte |
||||
for i := 0; i < b.N; i++ { |
||||
for j := 0; j < num; j++ { |
||||
h.Write(data) |
||||
} |
||||
state = h.Sum(state[:0]) |
||||
} |
||||
b.StopTimer() |
||||
h.Reset() |
||||
} |
||||
|
||||
// benchmarkShake is specialized to the Shake instances, which don't
|
||||
// require a copy on reading output.
|
||||
func benchmarkShake(b *testing.B, h ShakeHash, size, num int) { |
||||
b.StopTimer() |
||||
h.Reset() |
||||
data := sequentialBytes(size) |
||||
d := make([]byte, 32) |
||||
|
||||
b.SetBytes(int64(size * num)) |
||||
b.StartTimer() |
||||
|
||||
for i := 0; i < b.N; i++ { |
||||
h.Reset() |
||||
for j := 0; j < num; j++ { |
||||
h.Write(data) |
||||
} |
||||
h.Read(d) |
||||
} |
||||
} |
||||
|
||||
func BenchmarkSha3_512_MTU(b *testing.B) { benchmarkHash(b, New512(), 1350, 1) } |
||||
func BenchmarkSha3_384_MTU(b *testing.B) { benchmarkHash(b, New384(), 1350, 1) } |
||||
func BenchmarkSha3_256_MTU(b *testing.B) { benchmarkHash(b, New256(), 1350, 1) } |
||||
func BenchmarkSha3_224_MTU(b *testing.B) { benchmarkHash(b, New224(), 1350, 1) } |
||||
|
||||
func BenchmarkShake128_MTU(b *testing.B) { benchmarkShake(b, NewShake128(), 1350, 1) } |
||||
func BenchmarkShake256_MTU(b *testing.B) { benchmarkShake(b, NewShake256(), 1350, 1) } |
||||
func BenchmarkShake256_16x(b *testing.B) { benchmarkShake(b, NewShake256(), 16, 1024) } |
||||
func BenchmarkShake256_1MiB(b *testing.B) { benchmarkShake(b, NewShake256(), 1024, 1024) } |
||||
|
||||
func BenchmarkSha3_512_1MiB(b *testing.B) { benchmarkHash(b, New512(), 1024, 1024) } |
||||
|
||||
func Example_sum() { |
||||
buf := []byte("some data to hash") |
||||
// A hash needs to be 64 bytes long to have 256-bit collision resistance.
|
||||
h := make([]byte, 64) |
||||
// Compute a 64-byte hash of buf and put it in h.
|
||||
ShakeSum256(h, buf) |
||||
} |
||||
|
||||
func Example_mac() { |
||||
k := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long") |
||||
buf := []byte("and this is some data to authenticate") |
||||
// A MAC with 32 bytes of output has 256-bit security strength -- if you use at least a 32-byte-long key.
|
||||
h := make([]byte, 32) |
||||
d := NewShake256() |
||||
// Write the key into the hash.
|
||||
d.Write(k) |
||||
// Now write the data.
|
||||
d.Write(buf) |
||||
// Read 32 bytes of output from the hash into h.
|
||||
d.Read(h) |
||||
} |
||||
Binary file not shown.
File diff suppressed because one or more lines are too long
@ -0,0 +1,264 @@ |
||||
// Copyright 2016 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// Package ChaCha20 implements the core ChaCha20 function as specified
|
||||
// in https://tools.ietf.org/html/rfc7539#section-2.3.
|
||||
package chacha20 |
||||
|
||||
import ( |
||||
"crypto/cipher" |
||||
"encoding/binary" |
||||
|
||||
"golang.org/x/crypto/internal/subtle" |
||||
) |
||||
|
||||
// assert that *Cipher implements cipher.Stream
|
||||
var _ cipher.Stream = (*Cipher)(nil) |
||||
|
||||
// Cipher is a stateful instance of ChaCha20 using a particular key
|
||||
// and nonce. A *Cipher implements the cipher.Stream interface.
|
||||
type Cipher struct { |
||||
key [8]uint32 |
||||
counter uint32 // incremented after each block
|
||||
nonce [3]uint32 |
||||
buf [bufSize]byte // buffer for unused keystream bytes
|
||||
len int // number of unused keystream bytes at end of buf
|
||||
} |
||||
|
||||
// New creates a new ChaCha20 stream cipher with the given key and nonce.
|
||||
// The initial counter value is set to 0.
|
||||
func New(key [8]uint32, nonce [3]uint32) *Cipher { |
||||
return &Cipher{key: key, nonce: nonce} |
||||
} |
||||
|
||||
// ChaCha20 constants spelling "expand 32-byte k"
|
||||
const ( |
||||
j0 uint32 = 0x61707865 |
||||
j1 uint32 = 0x3320646e |
||||
j2 uint32 = 0x79622d32 |
||||
j3 uint32 = 0x6b206574 |
||||
) |
||||
|
||||
func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) { |
||||
a += b |
||||
d ^= a |
||||
d = (d << 16) | (d >> 16) |
||||
c += d |
||||
b ^= c |
||||
b = (b << 12) | (b >> 20) |
||||
a += b |
||||
d ^= a |
||||
d = (d << 8) | (d >> 24) |
||||
c += d |
||||
b ^= c |
||||
b = (b << 7) | (b >> 25) |
||||
return a, b, c, d |
||||
} |
||||
|
||||
// XORKeyStream XORs each byte in the given slice with a byte from the
|
||||
// cipher's key stream. Dst and src must overlap entirely or not at all.
|
||||
//
|
||||
// If len(dst) < len(src), XORKeyStream will panic. It is acceptable
|
||||
// to pass a dst bigger than src, and in that case, XORKeyStream will
|
||||
// only update dst[:len(src)] and will not touch the rest of dst.
|
||||
//
|
||||
// Multiple calls to XORKeyStream behave as if the concatenation of
|
||||
// the src buffers was passed in a single run. That is, Cipher
|
||||
// maintains state and does not reset at each XORKeyStream call.
|
||||
func (s *Cipher) XORKeyStream(dst, src []byte) { |
||||
if len(dst) < len(src) { |
||||
panic("chacha20: output smaller than input") |
||||
} |
||||
if subtle.InexactOverlap(dst[:len(src)], src) { |
||||
panic("chacha20: invalid buffer overlap") |
||||
} |
||||
|
||||
// xor src with buffered keystream first
|
||||
if s.len != 0 { |
||||
buf := s.buf[len(s.buf)-s.len:] |
||||
if len(src) < len(buf) { |
||||
buf = buf[:len(src)] |
||||
} |
||||
td, ts := dst[:len(buf)], src[:len(buf)] // BCE hint
|
||||
for i, b := range buf { |
||||
td[i] = ts[i] ^ b |
||||
} |
||||
s.len -= len(buf) |
||||
if s.len != 0 { |
||||
return |
||||
} |
||||
s.buf = [len(s.buf)]byte{} // zero the empty buffer
|
||||
src = src[len(buf):] |
||||
dst = dst[len(buf):] |
||||
} |
||||
|
||||
if len(src) == 0 { |
||||
return |
||||
} |
||||
if haveAsm { |
||||
if uint64(len(src))+uint64(s.counter)*64 > (1<<38)-64 { |
||||
panic("chacha20: counter overflow") |
||||
} |
||||
s.xorKeyStreamAsm(dst, src) |
||||
return |
||||
} |
||||
|
||||
// set up a 64-byte buffer to pad out the final block if needed
|
||||
// (hoisted out of the main loop to avoid spills)
|
||||
rem := len(src) % 64 // length of final block
|
||||
fin := len(src) - rem // index of final block
|
||||
if rem > 0 { |
||||
copy(s.buf[len(s.buf)-64:], src[fin:]) |
||||
} |
||||
|
||||
// pre-calculate most of the first round
|
||||
s1, s5, s9, s13 := quarterRound(j1, s.key[1], s.key[5], s.nonce[0]) |
||||
s2, s6, s10, s14 := quarterRound(j2, s.key[2], s.key[6], s.nonce[1]) |
||||
s3, s7, s11, s15 := quarterRound(j3, s.key[3], s.key[7], s.nonce[2]) |
||||
|
||||
n := len(src) |
||||
src, dst = src[:n:n], dst[:n:n] // BCE hint
|
||||
for i := 0; i < n; i += 64 { |
||||
// calculate the remainder of the first round
|
||||
s0, s4, s8, s12 := quarterRound(j0, s.key[0], s.key[4], s.counter) |
||||
|
||||
// execute the second round
|
||||
x0, x5, x10, x15 := quarterRound(s0, s5, s10, s15) |
||||
x1, x6, x11, x12 := quarterRound(s1, s6, s11, s12) |
||||
x2, x7, x8, x13 := quarterRound(s2, s7, s8, s13) |
||||
x3, x4, x9, x14 := quarterRound(s3, s4, s9, s14) |
||||
|
||||
// execute the remaining 18 rounds
|
||||
for i := 0; i < 9; i++ { |
||||
x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12) |
||||
x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13) |
||||
x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14) |
||||
x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15) |
||||
|
||||
x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15) |
||||
x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12) |
||||
x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13) |
||||
x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14) |
||||
} |
||||
|
||||
x0 += j0 |
||||
x1 += j1 |
||||
x2 += j2 |
||||
x3 += j3 |
||||
|
||||
x4 += s.key[0] |
||||
x5 += s.key[1] |
||||
x6 += s.key[2] |
||||
x7 += s.key[3] |
||||
x8 += s.key[4] |
||||
x9 += s.key[5] |
||||
x10 += s.key[6] |
||||
x11 += s.key[7] |
||||
|
||||
x12 += s.counter |
||||
x13 += s.nonce[0] |
||||
x14 += s.nonce[1] |
||||
x15 += s.nonce[2] |
||||
|
||||
// increment the counter
|
||||
s.counter += 1 |
||||
if s.counter == 0 { |
||||
panic("chacha20: counter overflow") |
||||
} |
||||
|
||||
// pad to 64 bytes if needed
|
||||
in, out := src[i:], dst[i:] |
||||
if i == fin { |
||||
// src[fin:] has already been copied into s.buf before
|
||||
// the main loop
|
||||
in, out = s.buf[len(s.buf)-64:], s.buf[len(s.buf)-64:] |
||||
} |
||||
in, out = in[:64], out[:64] // BCE hint
|
||||
|
||||
// XOR the key stream with the source and write out the result
|
||||
xor(out[0:], in[0:], x0) |
||||
xor(out[4:], in[4:], x1) |
||||
xor(out[8:], in[8:], x2) |
||||
xor(out[12:], in[12:], x3) |
||||
xor(out[16:], in[16:], x4) |
||||
xor(out[20:], in[20:], x5) |
||||
xor(out[24:], in[24:], x6) |
||||
xor(out[28:], in[28:], x7) |
||||
xor(out[32:], in[32:], x8) |
||||
xor(out[36:], in[36:], x9) |
||||
xor(out[40:], in[40:], x10) |
||||
xor(out[44:], in[44:], x11) |
||||
xor(out[48:], in[48:], x12) |
||||
xor(out[52:], in[52:], x13) |
||||
xor(out[56:], in[56:], x14) |
||||
xor(out[60:], in[60:], x15) |
||||
} |
||||
// copy any trailing bytes out of the buffer and into dst
|
||||
if rem != 0 { |
||||
s.len = 64 - rem |
||||
copy(dst[fin:], s.buf[len(s.buf)-64:]) |
||||
} |
||||
} |
||||
|
||||
// Advance discards bytes in the key stream until the next 64 byte block
|
||||
// boundary is reached and updates the counter accordingly. If the key
|
||||
// stream is already at a block boundary no bytes will be discarded and
|
||||
// the counter will be unchanged.
|
||||
func (s *Cipher) Advance() { |
||||
s.len -= s.len % 64 |
||||
if s.len == 0 { |
||||
s.buf = [len(s.buf)]byte{} |
||||
} |
||||
} |
||||
|
||||
// XORKeyStream crypts bytes from in to out using the given key and counters.
|
||||
// In and out must overlap entirely or not at all. Counter contains the raw
|
||||
// ChaCha20 counter bytes (i.e. block counter followed by nonce).
|
||||
func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) { |
||||
s := Cipher{ |
||||
key: [8]uint32{ |
||||
binary.LittleEndian.Uint32(key[0:4]), |
||||
binary.LittleEndian.Uint32(key[4:8]), |
||||
binary.LittleEndian.Uint32(key[8:12]), |
||||
binary.LittleEndian.Uint32(key[12:16]), |
||||
binary.LittleEndian.Uint32(key[16:20]), |
||||
binary.LittleEndian.Uint32(key[20:24]), |
||||
binary.LittleEndian.Uint32(key[24:28]), |
||||
binary.LittleEndian.Uint32(key[28:32]), |
||||
}, |
||||
nonce: [3]uint32{ |
||||
binary.LittleEndian.Uint32(counter[4:8]), |
||||
binary.LittleEndian.Uint32(counter[8:12]), |
||||
binary.LittleEndian.Uint32(counter[12:16]), |
||||
}, |
||||
counter: binary.LittleEndian.Uint32(counter[0:4]), |
||||
} |
||||
s.XORKeyStream(out, in) |
||||
} |
||||
|
||||
// HChaCha20 uses the ChaCha20 core to generate a derived key from a key and a
|
||||
// nonce. It should only be used as part of the XChaCha20 construction.
|
||||
func HChaCha20(key *[8]uint32, nonce *[4]uint32) [8]uint32 { |
||||
x0, x1, x2, x3 := j0, j1, j2, j3 |
||||
x4, x5, x6, x7 := key[0], key[1], key[2], key[3] |
||||
x8, x9, x10, x11 := key[4], key[5], key[6], key[7] |
||||
x12, x13, x14, x15 := nonce[0], nonce[1], nonce[2], nonce[3] |
||||
|
||||
for i := 0; i < 10; i++ { |
||||
x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12) |
||||
x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13) |
||||
x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14) |
||||
x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15) |
||||
|
||||
x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15) |
||||
x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12) |
||||
x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13) |
||||
x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14) |
||||
} |
||||
|
||||
var out [8]uint32 |
||||
out[0], out[1], out[2], out[3] = x0, x1, x2, x3 |
||||
out[4], out[5], out[6], out[7] = x12, x13, x14, x15 |
||||
return out |
||||
} |
||||
@ -0,0 +1,16 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build !s390x gccgo appengine
|
||||
|
||||
package chacha20 |
||||
|
||||
const ( |
||||
bufSize = 64 |
||||
haveAsm = false |
||||
) |
||||
|
||||
func (*Cipher) xorKeyStreamAsm(dst, src []byte) { |
||||
panic("not implemented") |
||||
} |
||||
@ -0,0 +1,30 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build s390x,!gccgo,!appengine
|
||||
|
||||
package chacha20 |
||||
|
||||
var haveAsm = hasVectorFacility() |
||||
|
||||
const bufSize = 256 |
||||
|
||||
// hasVectorFacility reports whether the machine supports the vector
|
||||
// facility (vx).
|
||||
// Implementation in asm_s390x.s.
|
||||
func hasVectorFacility() bool |
||||
|
||||
// xorKeyStreamVX is an assembly implementation of XORKeyStream. It must only
|
||||
// be called when the vector facility is available.
|
||||
// Implementation in asm_s390x.s.
|
||||
//go:noescape
|
||||
func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32, buf *[256]byte, len *int) |
||||
|
||||
func (c *Cipher) xorKeyStreamAsm(dst, src []byte) { |
||||
xorKeyStreamVX(dst, src, &c.key, &c.nonce, &c.counter, &c.buf, &c.len) |
||||
} |
||||
|
||||
// EXRL targets, DO NOT CALL!
|
||||
func mvcSrcToBuf() |
||||
func mvcBufToDst() |
||||
@ -0,0 +1,283 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
// +build s390x,!gccgo,!appengine |
||||
|
||||
#include "go_asm.h" |
||||
#include "textflag.h" |
||||
|
||||
// This is an implementation of the ChaCha20 encryption algorithm as |
||||
// specified in RFC 7539. It uses vector instructions to compute |
||||
// 4 keystream blocks in parallel (256 bytes) which are then XORed |
||||
// with the bytes in the input slice. |
||||
|
||||
GLOBL ·constants<>(SB), RODATA|NOPTR, $32 |
||||
// BSWAP: swap bytes in each 4-byte element |
||||
DATA ·constants<>+0x00(SB)/4, $0x03020100 |
||||
DATA ·constants<>+0x04(SB)/4, $0x07060504 |
||||
DATA ·constants<>+0x08(SB)/4, $0x0b0a0908 |
||||
DATA ·constants<>+0x0c(SB)/4, $0x0f0e0d0c |
||||
// J0: [j0, j1, j2, j3] |
||||
DATA ·constants<>+0x10(SB)/4, $0x61707865 |
||||
DATA ·constants<>+0x14(SB)/4, $0x3320646e |
||||
DATA ·constants<>+0x18(SB)/4, $0x79622d32 |
||||
DATA ·constants<>+0x1c(SB)/4, $0x6b206574 |
||||
|
||||
// EXRL targets: |
||||
TEXT ·mvcSrcToBuf(SB), NOFRAME|NOSPLIT, $0 |
||||
MVC $1, (R1), (R8) |
||||
RET |
||||
|
||||
TEXT ·mvcBufToDst(SB), NOFRAME|NOSPLIT, $0 |
||||
MVC $1, (R8), (R9) |
||||
RET |
||||
|
||||
#define BSWAP V5 |
||||
#define J0 V6 |
||||
#define KEY0 V7 |
||||
#define KEY1 V8 |
||||
#define NONCE V9 |
||||
#define CTR V10 |
||||
#define M0 V11 |
||||
#define M1 V12 |
||||
#define M2 V13 |
||||
#define M3 V14 |
||||
#define INC V15 |
||||
#define X0 V16 |
||||
#define X1 V17 |
||||
#define X2 V18 |
||||
#define X3 V19 |
||||
#define X4 V20 |
||||
#define X5 V21 |
||||
#define X6 V22 |
||||
#define X7 V23 |
||||
#define X8 V24 |
||||
#define X9 V25 |
||||
#define X10 V26 |
||||
#define X11 V27 |
||||
#define X12 V28 |
||||
#define X13 V29 |
||||
#define X14 V30 |
||||
#define X15 V31 |
||||
|
||||
#define NUM_ROUNDS 20 |
||||
|
||||
#define ROUND4(a0, a1, a2, a3, b0, b1, b2, b3, c0, c1, c2, c3, d0, d1, d2, d3) \ |
||||
VAF a1, a0, a0 \ |
||||
VAF b1, b0, b0 \ |
||||
VAF c1, c0, c0 \ |
||||
VAF d1, d0, d0 \ |
||||
VX a0, a2, a2 \ |
||||
VX b0, b2, b2 \ |
||||
VX c0, c2, c2 \ |
||||
VX d0, d2, d2 \ |
||||
VERLLF $16, a2, a2 \ |
||||
VERLLF $16, b2, b2 \ |
||||
VERLLF $16, c2, c2 \ |
||||
VERLLF $16, d2, d2 \ |
||||
VAF a2, a3, a3 \ |
||||
VAF b2, b3, b3 \ |
||||
VAF c2, c3, c3 \ |
||||
VAF d2, d3, d3 \ |
||||
VX a3, a1, a1 \ |
||||
VX b3, b1, b1 \ |
||||
VX c3, c1, c1 \ |
||||
VX d3, d1, d1 \ |
||||
VERLLF $12, a1, a1 \ |
||||
VERLLF $12, b1, b1 \ |
||||
VERLLF $12, c1, c1 \ |
||||
VERLLF $12, d1, d1 \ |
||||
VAF a1, a0, a0 \ |
||||
VAF b1, b0, b0 \ |
||||
VAF c1, c0, c0 \ |
||||
VAF d1, d0, d0 \ |
||||
VX a0, a2, a2 \ |
||||
VX b0, b2, b2 \ |
||||
VX c0, c2, c2 \ |
||||
VX d0, d2, d2 \ |
||||
VERLLF $8, a2, a2 \ |
||||
VERLLF $8, b2, b2 \ |
||||
VERLLF $8, c2, c2 \ |
||||
VERLLF $8, d2, d2 \ |
||||
VAF a2, a3, a3 \ |
||||
VAF b2, b3, b3 \ |
||||
VAF c2, c3, c3 \ |
||||
VAF d2, d3, d3 \ |
||||
VX a3, a1, a1 \ |
||||
VX b3, b1, b1 \ |
||||
VX c3, c1, c1 \ |
||||
VX d3, d1, d1 \ |
||||
VERLLF $7, a1, a1 \ |
||||
VERLLF $7, b1, b1 \ |
||||
VERLLF $7, c1, c1 \ |
||||
VERLLF $7, d1, d1 |
||||
|
||||
#define PERMUTE(mask, v0, v1, v2, v3) \ |
||||
VPERM v0, v0, mask, v0 \ |
||||
VPERM v1, v1, mask, v1 \ |
||||
VPERM v2, v2, mask, v2 \ |
||||
VPERM v3, v3, mask, v3 |
||||
|
||||
#define ADDV(x, v0, v1, v2, v3) \ |
||||
VAF x, v0, v0 \ |
||||
VAF x, v1, v1 \ |
||||
VAF x, v2, v2 \ |
||||
VAF x, v3, v3 |
||||
|
||||
#define XORV(off, dst, src, v0, v1, v2, v3) \ |
||||
VLM off(src), M0, M3 \ |
||||
PERMUTE(BSWAP, v0, v1, v2, v3) \ |
||||
VX v0, M0, M0 \ |
||||
VX v1, M1, M1 \ |
||||
VX v2, M2, M2 \ |
||||
VX v3, M3, M3 \ |
||||
VSTM M0, M3, off(dst) |
||||
|
||||
#define SHUFFLE(a, b, c, d, t, u, v, w) \ |
||||
VMRHF a, c, t \ // t = {a[0], c[0], a[1], c[1]} |
||||
VMRHF b, d, u \ // u = {b[0], d[0], b[1], d[1]} |
||||
VMRLF a, c, v \ // v = {a[2], c[2], a[3], c[3]} |
||||
VMRLF b, d, w \ // w = {b[2], d[2], b[3], d[3]} |
||||
VMRHF t, u, a \ // a = {a[0], b[0], c[0], d[0]} |
||||
VMRLF t, u, b \ // b = {a[1], b[1], c[1], d[1]} |
||||
VMRHF v, w, c \ // c = {a[2], b[2], c[2], d[2]} |
||||
VMRLF v, w, d // d = {a[3], b[3], c[3], d[3]} |
||||
|
||||
// func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32, buf *[256]byte, len *int) |
||||
TEXT ·xorKeyStreamVX(SB), NOSPLIT, $0 |
||||
MOVD $·constants<>(SB), R1 |
||||
MOVD dst+0(FP), R2 // R2=&dst[0] |
||||
LMG src+24(FP), R3, R4 // R3=&src[0] R4=len(src) |
||||
MOVD key+48(FP), R5 // R5=key |
||||
MOVD nonce+56(FP), R6 // R6=nonce |
||||
MOVD counter+64(FP), R7 // R7=counter |
||||
MOVD buf+72(FP), R8 // R8=buf |
||||
MOVD len+80(FP), R9 // R9=len |
||||
|
||||
// load BSWAP and J0 |
||||
VLM (R1), BSWAP, J0 |
||||
|
||||
// set up tail buffer |
||||
ADD $-1, R4, R12 |
||||
MOVBZ R12, R12 |
||||
CMPUBEQ R12, $255, aligned |
||||
MOVD R4, R1 |
||||
AND $~255, R1 |
||||
MOVD $(R3)(R1*1), R1 |
||||
EXRL $·mvcSrcToBuf(SB), R12 |
||||
MOVD $255, R0 |
||||
SUB R12, R0 |
||||
MOVD R0, (R9) // update len |
||||
|
||||
aligned: |
||||
// setup |
||||
MOVD $95, R0 |
||||
VLM (R5), KEY0, KEY1 |
||||
VLL R0, (R6), NONCE |
||||
VZERO M0 |
||||
VLEIB $7, $32, M0 |
||||
VSRLB M0, NONCE, NONCE |
||||
|
||||
// initialize counter values |
||||
VLREPF (R7), CTR |
||||
VZERO INC |
||||
VLEIF $1, $1, INC |
||||
VLEIF $2, $2, INC |
||||
VLEIF $3, $3, INC |
||||
VAF INC, CTR, CTR |
||||
VREPIF $4, INC |
||||
|
||||
chacha: |
||||
VREPF $0, J0, X0 |
||||
VREPF $1, J0, X1 |
||||
VREPF $2, J0, X2 |
||||
VREPF $3, J0, X3 |
||||
VREPF $0, KEY0, X4 |
||||
VREPF $1, KEY0, X5 |
||||
VREPF $2, KEY0, X6 |
||||
VREPF $3, KEY0, X7 |
||||
VREPF $0, KEY1, X8 |
||||
VREPF $1, KEY1, X9 |
||||
VREPF $2, KEY1, X10 |
||||
VREPF $3, KEY1, X11 |
||||
VLR CTR, X12 |
||||
VREPF $1, NONCE, X13 |
||||
VREPF $2, NONCE, X14 |
||||
VREPF $3, NONCE, X15 |
||||
|
||||
MOVD $(NUM_ROUNDS/2), R1 |
||||
|
||||
loop: |
||||
ROUND4(X0, X4, X12, X8, X1, X5, X13, X9, X2, X6, X14, X10, X3, X7, X15, X11) |
||||
ROUND4(X0, X5, X15, X10, X1, X6, X12, X11, X2, X7, X13, X8, X3, X4, X14, X9) |
||||
|
||||
ADD $-1, R1 |
||||
BNE loop |
||||
|
||||
// decrement length |
||||
ADD $-256, R4 |
||||
BLT tail |
||||
|
||||
continue: |
||||
// rearrange vectors |
||||
SHUFFLE(X0, X1, X2, X3, M0, M1, M2, M3) |
||||
ADDV(J0, X0, X1, X2, X3) |
||||
SHUFFLE(X4, X5, X6, X7, M0, M1, M2, M3) |
||||
ADDV(KEY0, X4, X5, X6, X7) |
||||
SHUFFLE(X8, X9, X10, X11, M0, M1, M2, M3) |
||||
ADDV(KEY1, X8, X9, X10, X11) |
||||
VAF CTR, X12, X12 |
||||
SHUFFLE(X12, X13, X14, X15, M0, M1, M2, M3) |
||||
ADDV(NONCE, X12, X13, X14, X15) |
||||
|
||||
// increment counters |
||||
VAF INC, CTR, CTR |
||||
|
||||
// xor keystream with plaintext |
||||
XORV(0*64, R2, R3, X0, X4, X8, X12) |
||||
XORV(1*64, R2, R3, X1, X5, X9, X13) |
||||
XORV(2*64, R2, R3, X2, X6, X10, X14) |
||||
XORV(3*64, R2, R3, X3, X7, X11, X15) |
||||
|
||||
// increment pointers |
||||
MOVD $256(R2), R2 |
||||
MOVD $256(R3), R3 |
||||
|
||||
CMPBNE R4, $0, chacha |
||||
CMPUBEQ R12, $255, return |
||||
EXRL $·mvcBufToDst(SB), R12 // len was updated during setup |
||||
|
||||
return: |
||||
VSTEF $0, CTR, (R7) |
||||
RET |
||||
|
||||
tail: |
||||
MOVD R2, R9 |
||||
MOVD R8, R2 |
||||
MOVD R8, R3 |
||||
MOVD $0, R4 |
||||
JMP continue |
||||
|
||||
// func hasVectorFacility() bool |
||||
TEXT ·hasVectorFacility(SB), NOSPLIT, $24-1 |
||||
MOVD $x-24(SP), R1 |
||||
XC $24, 0(R1), 0(R1) // clear the storage |
||||
MOVD $2, R0 // R0 is the number of double words stored -1 |
||||
WORD $0xB2B01000 // STFLE 0(R1) |
||||
XOR R0, R0 // reset the value of R0 |
||||
MOVBZ z-8(SP), R1 |
||||
AND $0x40, R1 |
||||
BEQ novector |
||||
|
||||
vectorinstalled: |
||||
// check if the vector instruction has been enabled |
||||
VLEIB $0, $0xF, V16 |
||||
VLGVB $0, V16, R1 |
||||
CMPBNE R1, $0xF, novector |
||||
MOVB $1, ret+0(FP) // have vx |
||||
RET |
||||
|
||||
novector: |
||||
MOVB $0, ret+0(FP) // no vx |
||||
RET |
||||
@ -0,0 +1,43 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found src the LICENSE file.
|
||||
|
||||
package chacha20 |
||||
|
||||
import ( |
||||
"runtime" |
||||
) |
||||
|
||||
// Platforms that have fast unaligned 32-bit little endian accesses.
|
||||
const unaligned = runtime.GOARCH == "386" || |
||||
runtime.GOARCH == "amd64" || |
||||
runtime.GOARCH == "arm64" || |
||||
runtime.GOARCH == "ppc64le" || |
||||
runtime.GOARCH == "s390x" |
||||
|
||||
// xor reads a little endian uint32 from src, XORs it with u and
|
||||
// places the result in little endian byte order in dst.
|
||||
func xor(dst, src []byte, u uint32) { |
||||
_, _ = src[3], dst[3] // eliminate bounds checks
|
||||
if unaligned { |
||||
// The compiler should optimize this code into
|
||||
// 32-bit unaligned little endian loads and stores.
|
||||
// TODO: delete once the compiler does a reliably
|
||||
// good job with the generic code below.
|
||||
// See issue #25111 for more details.
|
||||
v := uint32(src[0]) |
||||
v |= uint32(src[1]) << 8 |
||||
v |= uint32(src[2]) << 16 |
||||
v |= uint32(src[3]) << 24 |
||||
v ^= u |
||||
dst[0] = byte(v) |
||||
dst[1] = byte(v >> 8) |
||||
dst[2] = byte(v >> 16) |
||||
dst[3] = byte(v >> 24) |
||||
} else { |
||||
dst[0] = src[0] ^ byte(u) |
||||
dst[1] = src[1] ^ byte(u>>8) |
||||
dst[2] = src[2] ^ byte(u>>16) |
||||
dst[3] = src[3] ^ byte(u>>24) |
||||
} |
||||
} |
||||
@ -0,0 +1,32 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build !appengine
|
||||
|
||||
// Package subtle implements functions that are often useful in cryptographic
|
||||
// code but require careful thought to use correctly.
|
||||
package subtle // import "golang.org/x/crypto/internal/subtle"
|
||||
|
||||
import "unsafe" |
||||
|
||||
// AnyOverlap reports whether x and y share memory at any (not necessarily
|
||||
// corresponding) index. The memory beyond the slice length is ignored.
|
||||
func AnyOverlap(x, y []byte) bool { |
||||
return len(x) > 0 && len(y) > 0 && |
||||
uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && |
||||
uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) |
||||
} |
||||
|
||||
// InexactOverlap reports whether x and y share memory at any non-corresponding
|
||||
// index. The memory beyond the slice length is ignored. Note that x and y can
|
||||
// have different lengths and still not have any inexact overlap.
|
||||
//
|
||||
// InexactOverlap can be used to implement the requirements of the crypto/cipher
|
||||
// AEAD, Block, BlockMode and Stream interfaces.
|
||||
func InexactOverlap(x, y []byte) bool { |
||||
if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { |
||||
return false |
||||
} |
||||
return AnyOverlap(x, y) |
||||
} |
||||
@ -0,0 +1,35 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build appengine
|
||||
|
||||
// Package subtle implements functions that are often useful in cryptographic
|
||||
// code but require careful thought to use correctly.
|
||||
package subtle // import "golang.org/x/crypto/internal/subtle"
|
||||
|
||||
// This is the Google App Engine standard variant based on reflect
|
||||
// because the unsafe package and cgo are disallowed.
|
||||
|
||||
import "reflect" |
||||
|
||||
// AnyOverlap reports whether x and y share memory at any (not necessarily
|
||||
// corresponding) index. The memory beyond the slice length is ignored.
|
||||
func AnyOverlap(x, y []byte) bool { |
||||
return len(x) > 0 && len(y) > 0 && |
||||
reflect.ValueOf(&x[0]).Pointer() <= reflect.ValueOf(&y[len(y)-1]).Pointer() && |
||||
reflect.ValueOf(&y[0]).Pointer() <= reflect.ValueOf(&x[len(x)-1]).Pointer() |
||||
} |
||||
|
||||
// InexactOverlap reports whether x and y share memory at any non-corresponding
|
||||
// index. The memory beyond the slice length is ignored. Note that x and y can
|
||||
// have different lengths and still not have any inexact overlap.
|
||||
//
|
||||
// InexactOverlap can be used to implement the requirements of the crypto/cipher
|
||||
// AEAD, Block, BlockMode and Stream interfaces.
|
||||
func InexactOverlap(x, y []byte) bool { |
||||
if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { |
||||
return false |
||||
} |
||||
return AnyOverlap(x, y) |
||||
} |
||||
@ -0,0 +1,33 @@ |
||||
// Copyright 2012 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
/* |
||||
Package poly1305 implements Poly1305 one-time message authentication code as |
||||
specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
|
||||
|
||||
Poly1305 is a fast, one-time authentication function. It is infeasible for an |
||||
attacker to generate an authenticator for a message without the key. However, a |
||||
key must only be used for a single message. Authenticating two different |
||||
messages with the same key allows an attacker to forge authenticators for other |
||||
messages with the same key. |
||||
|
||||
Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was |
||||
used with a fixed key in order to generate one-time keys from an nonce. |
||||
However, in this package AES isn't used and the one-time key is specified |
||||
directly. |
||||
*/ |
||||
package poly1305 // import "golang.org/x/crypto/poly1305"
|
||||
|
||||
import "crypto/subtle" |
||||
|
||||
// TagSize is the size, in bytes, of a poly1305 authenticator.
|
||||
const TagSize = 16 |
||||
|
||||
// Verify returns true if mac is a valid authenticator for m with the given
|
||||
// key.
|
||||
func Verify(mac *[16]byte, m []byte, key *[32]byte) bool { |
||||
var tmp [16]byte |
||||
Sum(&tmp, m, key) |
||||
return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1 |
||||
} |
||||
@ -0,0 +1,22 @@ |
||||
// Copyright 2012 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build amd64,!gccgo,!appengine
|
||||
|
||||
package poly1305 |
||||
|
||||
// This function is implemented in sum_amd64.s
|
||||
//go:noescape
|
||||
func poly1305(out *[16]byte, m *byte, mlen uint64, key *[32]byte) |
||||
|
||||
// Sum generates an authenticator for m using a one-time key and puts the
|
||||
// 16-byte result into out. Authenticating two different messages with the same
|
||||
// key allows an attacker to forge messages at will.
|
||||
func Sum(out *[16]byte, m []byte, key *[32]byte) { |
||||
var mPtr *byte |
||||
if len(m) > 0 { |
||||
mPtr = &m[0] |
||||
} |
||||
poly1305(out, mPtr, uint64(len(m)), key) |
||||
} |
||||
@ -0,0 +1,125 @@ |
||||
// Copyright 2012 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
// +build amd64,!gccgo,!appengine |
||||
|
||||
#include "textflag.h" |
||||
|
||||
#define POLY1305_ADD(msg, h0, h1, h2) \ |
||||
ADDQ 0(msg), h0; \
|
||||
ADCQ 8(msg), h1; \
|
||||
ADCQ $1, h2; \
|
||||
LEAQ 16(msg), msg |
||||
|
||||
#define POLY1305_MUL(h0, h1, h2, r0, r1, t0, t1, t2, t3) \ |
||||
MOVQ r0, AX; \
|
||||
MULQ h0; \
|
||||
MOVQ AX, t0; \
|
||||
MOVQ DX, t1; \
|
||||
MOVQ r0, AX; \
|
||||
MULQ h1; \
|
||||
ADDQ AX, t1; \
|
||||
ADCQ $0, DX; \
|
||||
MOVQ r0, t2; \
|
||||
IMULQ h2, t2; \
|
||||
ADDQ DX, t2; \
|
||||
\ |
||||
MOVQ r1, AX; \
|
||||
MULQ h0; \
|
||||
ADDQ AX, t1; \
|
||||
ADCQ $0, DX; \
|
||||
MOVQ DX, h0; \
|
||||
MOVQ r1, t3; \
|
||||
IMULQ h2, t3; \
|
||||
MOVQ r1, AX; \
|
||||
MULQ h1; \
|
||||
ADDQ AX, t2; \
|
||||
ADCQ DX, t3; \
|
||||
ADDQ h0, t2; \
|
||||
ADCQ $0, t3; \
|
||||
\ |
||||
MOVQ t0, h0; \
|
||||
MOVQ t1, h1; \
|
||||
MOVQ t2, h2; \
|
||||
ANDQ $3, h2; \
|
||||
MOVQ t2, t0; \
|
||||
ANDQ $0xFFFFFFFFFFFFFFFC, t0; \
|
||||
ADDQ t0, h0; \
|
||||
ADCQ t3, h1; \
|
||||
ADCQ $0, h2; \
|
||||
SHRQ $2, t3, t2; \
|
||||
SHRQ $2, t3; \
|
||||
ADDQ t2, h0; \
|
||||
ADCQ t3, h1; \
|
||||
ADCQ $0, h2 |
||||
|
||||
DATA ·poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF |
||||
DATA ·poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC |
||||
GLOBL ·poly1305Mask<>(SB), RODATA, $16 |
||||
|
||||
// func poly1305(out *[16]byte, m *byte, mlen uint64, key *[32]key) |
||||
TEXT ·poly1305(SB), $0-32 |
||||
MOVQ out+0(FP), DI |
||||
MOVQ m+8(FP), SI |
||||
MOVQ mlen+16(FP), R15 |
||||
MOVQ key+24(FP), AX |
||||
|
||||
MOVQ 0(AX), R11 |
||||
MOVQ 8(AX), R12 |
||||
ANDQ ·poly1305Mask<>(SB), R11 // r0 |
||||
ANDQ ·poly1305Mask<>+8(SB), R12 // r1 |
||||
XORQ R8, R8 // h0 |
||||
XORQ R9, R9 // h1 |
||||
XORQ R10, R10 // h2 |
||||
|
||||
CMPQ R15, $16 |
||||
JB bytes_between_0_and_15 |
||||
|
||||
loop: |
||||
POLY1305_ADD(SI, R8, R9, R10) |
||||
|
||||
multiply: |
||||
POLY1305_MUL(R8, R9, R10, R11, R12, BX, CX, R13, R14) |
||||
SUBQ $16, R15 |
||||
CMPQ R15, $16 |
||||
JAE loop |
||||
|
||||
bytes_between_0_and_15: |
||||
TESTQ R15, R15 |
||||
JZ done |
||||
MOVQ $1, BX |
||||
XORQ CX, CX |
||||
XORQ R13, R13 |
||||
ADDQ R15, SI |
||||
|
||||
flush_buffer: |
||||
SHLQ $8, BX, CX |
||||
SHLQ $8, BX |
||||
MOVB -1(SI), R13 |
||||
XORQ R13, BX |
||||
DECQ SI |
||||
DECQ R15 |
||||
JNZ flush_buffer |
||||
|
||||
ADDQ BX, R8 |
||||
ADCQ CX, R9 |
||||
ADCQ $0, R10 |
||||
MOVQ $16, R15 |
||||
JMP multiply |
||||
|
||||
done: |
||||
MOVQ R8, AX |
||||
MOVQ R9, BX |
||||
SUBQ $0xFFFFFFFFFFFFFFFB, AX |
||||
SBBQ $0xFFFFFFFFFFFFFFFF, BX |
||||
SBBQ $3, R10 |
||||
CMOVQCS R8, AX |
||||
CMOVQCS R9, BX |
||||
MOVQ key+24(FP), R8 |
||||
ADDQ 16(R8), AX |
||||
ADCQ 24(R8), BX |
||||
|
||||
MOVQ AX, 0(DI) |
||||
MOVQ BX, 8(DI) |
||||
RET |
||||
@ -0,0 +1,22 @@ |
||||
// Copyright 2015 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build arm,!gccgo,!appengine,!nacl
|
||||
|
||||
package poly1305 |
||||
|
||||
// This function is implemented in sum_arm.s
|
||||
//go:noescape
|
||||
func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]byte) |
||||
|
||||
// Sum generates an authenticator for m using a one-time key and puts the
|
||||
// 16-byte result into out. Authenticating two different messages with the same
|
||||
// key allows an attacker to forge messages at will.
|
||||
func Sum(out *[16]byte, m []byte, key *[32]byte) { |
||||
var mPtr *byte |
||||
if len(m) > 0 { |
||||
mPtr = &m[0] |
||||
} |
||||
poly1305_auth_armv6(out, mPtr, uint32(len(m)), key) |
||||
} |
||||
@ -0,0 +1,427 @@ |
||||
// Copyright 2015 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
// +build arm,!gccgo,!appengine,!nacl |
||||
|
||||
#include "textflag.h" |
||||
|
||||
// This code was translated into a form compatible with 5a from the public |
||||
// domain source by Andrew Moon: github.com/floodyberry/poly1305-opt/blob/master/app/extensions/poly1305. |
||||
|
||||
DATA ·poly1305_init_constants_armv6<>+0x00(SB)/4, $0x3ffffff |
||||
DATA ·poly1305_init_constants_armv6<>+0x04(SB)/4, $0x3ffff03 |
||||
DATA ·poly1305_init_constants_armv6<>+0x08(SB)/4, $0x3ffc0ff |
||||
DATA ·poly1305_init_constants_armv6<>+0x0c(SB)/4, $0x3f03fff |
||||
DATA ·poly1305_init_constants_armv6<>+0x10(SB)/4, $0x00fffff |
||||
GLOBL ·poly1305_init_constants_armv6<>(SB), 8, $20 |
||||
|
||||
// Warning: the linker may use R11 to synthesize certain instructions. Please |
||||
// take care and verify that no synthetic instructions use it. |
||||
|
||||
TEXT poly1305_init_ext_armv6<>(SB), NOSPLIT, $0 |
||||
// Needs 16 bytes of stack and 64 bytes of space pointed to by R0. (It |
||||
// might look like it's only 60 bytes of space but the final four bytes |
||||
// will be written by another function.) We need to skip over four |
||||
// bytes of stack because that's saving the value of 'g'. |
||||
ADD $4, R13, R8 |
||||
MOVM.IB [R4-R7], (R8) |
||||
MOVM.IA.W (R1), [R2-R5] |
||||
MOVW $·poly1305_init_constants_armv6<>(SB), R7 |
||||
MOVW R2, R8 |
||||
MOVW R2>>26, R9 |
||||
MOVW R3>>20, g |
||||
MOVW R4>>14, R11 |
||||
MOVW R5>>8, R12 |
||||
ORR R3<<6, R9, R9 |
||||
ORR R4<<12, g, g |
||||
ORR R5<<18, R11, R11 |
||||
MOVM.IA (R7), [R2-R6] |
||||
AND R8, R2, R2 |
||||
AND R9, R3, R3 |
||||
AND g, R4, R4 |
||||
AND R11, R5, R5 |
||||
AND R12, R6, R6 |
||||
MOVM.IA.W [R2-R6], (R0) |
||||
EOR R2, R2, R2 |
||||
EOR R3, R3, R3 |
||||
EOR R4, R4, R4 |
||||
EOR R5, R5, R5 |
||||
EOR R6, R6, R6 |
||||
MOVM.IA.W [R2-R6], (R0) |
||||
MOVM.IA.W (R1), [R2-R5] |
||||
MOVM.IA [R2-R6], (R0) |
||||
ADD $20, R13, R0 |
||||
MOVM.DA (R0), [R4-R7] |
||||
RET |
||||
|
||||
#define MOVW_UNALIGNED(Rsrc, Rdst, Rtmp, offset) \ |
||||
MOVBU (offset+0)(Rsrc), Rtmp; \
|
||||
MOVBU Rtmp, (offset+0)(Rdst); \
|
||||
MOVBU (offset+1)(Rsrc), Rtmp; \
|
||||
MOVBU Rtmp, (offset+1)(Rdst); \
|
||||
MOVBU (offset+2)(Rsrc), Rtmp; \
|
||||
MOVBU Rtmp, (offset+2)(Rdst); \
|
||||
MOVBU (offset+3)(Rsrc), Rtmp; \
|
||||
MOVBU Rtmp, (offset+3)(Rdst) |
||||
|
||||
TEXT poly1305_blocks_armv6<>(SB), NOSPLIT, $0 |
||||
// Needs 24 bytes of stack for saved registers and then 88 bytes of |
||||
// scratch space after that. We assume that 24 bytes at (R13) have |
||||
// already been used: four bytes for the link register saved in the |
||||
// prelude of poly1305_auth_armv6, four bytes for saving the value of g |
||||
// in that function and 16 bytes of scratch space used around |
||||
// poly1305_finish_ext_armv6_skip1. |
||||
ADD $24, R13, R12 |
||||
MOVM.IB [R4-R8, R14], (R12) |
||||
MOVW R0, 88(R13) |
||||
MOVW R1, 92(R13) |
||||
MOVW R2, 96(R13) |
||||
MOVW R1, R14 |
||||
MOVW R2, R12 |
||||
MOVW 56(R0), R8 |
||||
WORD $0xe1180008 // TST R8, R8 not working see issue 5921 |
||||
EOR R6, R6, R6 |
||||
MOVW.EQ $(1<<24), R6 |
||||
MOVW R6, 84(R13) |
||||
ADD $116, R13, g |
||||
MOVM.IA (R0), [R0-R9] |
||||
MOVM.IA [R0-R4], (g) |
||||
CMP $16, R12 |
||||
BLO poly1305_blocks_armv6_done |
||||
|
||||
poly1305_blocks_armv6_mainloop: |
||||
WORD $0xe31e0003 // TST R14, #3 not working see issue 5921 |
||||
BEQ poly1305_blocks_armv6_mainloop_aligned |
||||
ADD $100, R13, g |
||||
MOVW_UNALIGNED(R14, g, R0, 0) |
||||
MOVW_UNALIGNED(R14, g, R0, 4) |
||||
MOVW_UNALIGNED(R14, g, R0, 8) |
||||
MOVW_UNALIGNED(R14, g, R0, 12) |
||||
MOVM.IA (g), [R0-R3] |
||||
ADD $16, R14 |
||||
B poly1305_blocks_armv6_mainloop_loaded |
||||
|
||||
poly1305_blocks_armv6_mainloop_aligned: |
||||
MOVM.IA.W (R14), [R0-R3] |
||||
|
||||
poly1305_blocks_armv6_mainloop_loaded: |
||||
MOVW R0>>26, g |
||||
MOVW R1>>20, R11 |
||||
MOVW R2>>14, R12 |
||||
MOVW R14, 92(R13) |
||||
MOVW R3>>8, R4 |
||||
ORR R1<<6, g, g |
||||
ORR R2<<12, R11, R11 |
||||
ORR R3<<18, R12, R12 |
||||
BIC $0xfc000000, R0, R0 |
||||
BIC $0xfc000000, g, g |
||||
MOVW 84(R13), R3 |
||||
BIC $0xfc000000, R11, R11 |
||||
BIC $0xfc000000, R12, R12 |
||||
ADD R0, R5, R5 |
||||
ADD g, R6, R6 |
||||
ORR R3, R4, R4 |
||||
ADD R11, R7, R7 |
||||
ADD $116, R13, R14 |
||||
ADD R12, R8, R8 |
||||
ADD R4, R9, R9 |
||||
MOVM.IA (R14), [R0-R4] |
||||
MULLU R4, R5, (R11, g) |
||||
MULLU R3, R5, (R14, R12) |
||||
MULALU R3, R6, (R11, g) |
||||
MULALU R2, R6, (R14, R12) |
||||
MULALU R2, R7, (R11, g) |
||||
MULALU R1, R7, (R14, R12) |
||||
ADD R4<<2, R4, R4 |
||||
ADD R3<<2, R3, R3 |
||||
MULALU R1, R8, (R11, g) |
||||
MULALU R0, R8, (R14, R12) |
||||
MULALU R0, R9, (R11, g) |
||||
MULALU R4, R9, (R14, R12) |
||||
MOVW g, 76(R13) |
||||
MOVW R11, 80(R13) |
||||
MOVW R12, 68(R13) |
||||
MOVW R14, 72(R13) |
||||
MULLU R2, R5, (R11, g) |
||||
MULLU R1, R5, (R14, R12) |
||||
MULALU R1, R6, (R11, g) |
||||
MULALU R0, R6, (R14, R12) |
||||
MULALU R0, R7, (R11, g) |
||||
MULALU R4, R7, (R14, R12) |
||||
ADD R2<<2, R2, R2 |
||||
ADD R1<<2, R1, R1 |
||||
MULALU R4, R8, (R11, g) |
||||
MULALU R3, R8, (R14, R12) |
||||
MULALU R3, R9, (R11, g) |
||||
MULALU R2, R9, (R14, R12) |
||||
MOVW g, 60(R13) |
||||
MOVW R11, 64(R13) |
||||
MOVW R12, 52(R13) |
||||
MOVW R14, 56(R13) |
||||
MULLU R0, R5, (R11, g) |
||||
MULALU R4, R6, (R11, g) |
||||
MULALU R3, R7, (R11, g) |
||||
MULALU R2, R8, (R11, g) |
||||
MULALU R1, R9, (R11, g) |
||||
ADD $52, R13, R0 |
||||
MOVM.IA (R0), [R0-R7] |
||||
MOVW g>>26, R12 |
||||
MOVW R4>>26, R14 |
||||
ORR R11<<6, R12, R12 |
||||
ORR R5<<6, R14, R14 |
||||
BIC $0xfc000000, g, g |
||||
BIC $0xfc000000, R4, R4 |
||||
ADD.S R12, R0, R0 |
||||
ADC $0, R1, R1 |
||||
ADD.S R14, R6, R6 |
||||
ADC $0, R7, R7 |
||||
MOVW R0>>26, R12 |
||||
MOVW R6>>26, R14 |
||||
ORR R1<<6, R12, R12 |
||||
ORR R7<<6, R14, R14 |
||||
BIC $0xfc000000, R0, R0 |
||||
BIC $0xfc000000, R6, R6 |
||||
ADD R14<<2, R14, R14 |
||||
ADD.S R12, R2, R2 |
||||
ADC $0, R3, R3 |
||||
ADD R14, g, g |
||||
MOVW R2>>26, R12 |
||||
MOVW g>>26, R14 |
||||
ORR R3<<6, R12, R12 |
||||
BIC $0xfc000000, g, R5 |
||||
BIC $0xfc000000, R2, R7 |
||||
ADD R12, R4, R4 |
||||
ADD R14, R0, R0 |
||||
MOVW R4>>26, R12 |
||||
BIC $0xfc000000, R4, R8 |
||||
ADD R12, R6, R9 |
||||
MOVW 96(R13), R12 |
||||
MOVW 92(R13), R14 |
||||
MOVW R0, R6 |
||||
CMP $32, R12 |
||||
SUB $16, R12, R12 |
||||
MOVW R12, 96(R13) |
||||
BHS poly1305_blocks_armv6_mainloop |
||||
|
||||
poly1305_blocks_armv6_done: |
||||
MOVW 88(R13), R12 |
||||
MOVW R5, 20(R12) |
||||
MOVW R6, 24(R12) |
||||
MOVW R7, 28(R12) |
||||
MOVW R8, 32(R12) |
||||
MOVW R9, 36(R12) |
||||
ADD $48, R13, R0 |
||||
MOVM.DA (R0), [R4-R8, R14] |
||||
RET |
||||
|
||||
#define MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp) \ |
||||
MOVBU.P 1(Rsrc), Rtmp; \
|
||||
MOVBU.P Rtmp, 1(Rdst); \
|
||||
MOVBU.P 1(Rsrc), Rtmp; \
|
||||
MOVBU.P Rtmp, 1(Rdst) |
||||
|
||||
#define MOVWP_UNALIGNED(Rsrc, Rdst, Rtmp) \ |
||||
MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp); \
|
||||
MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp) |
||||
|
||||
// func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]key) |
||||
TEXT ·poly1305_auth_armv6(SB), $196-16 |
||||
// The value 196, just above, is the sum of 64 (the size of the context |
||||
// structure) and 132 (the amount of stack needed). |
||||
// |
||||
// At this point, the stack pointer (R13) has been moved down. It |
||||
// points to the saved link register and there's 196 bytes of free |
||||
// space above it. |
||||
// |
||||
// The stack for this function looks like: |
||||
// |
||||
// +--------------------- |
||||
// | |
||||
// | 64 bytes of context structure |
||||
// | |
||||
// +--------------------- |
||||
// | |
||||
// | 112 bytes for poly1305_blocks_armv6 |
||||
// | |
||||
// +--------------------- |
||||
// | 16 bytes of final block, constructed at |
||||
// | poly1305_finish_ext_armv6_skip8 |
||||
// +--------------------- |
||||
// | four bytes of saved 'g' |
||||
// +--------------------- |
||||
// | lr, saved by prelude <- R13 points here |
||||
// +--------------------- |
||||
MOVW g, 4(R13) |
||||
|
||||
MOVW out+0(FP), R4 |
||||
MOVW m+4(FP), R5 |
||||
MOVW mlen+8(FP), R6 |
||||
MOVW key+12(FP), R7 |
||||
|
||||
ADD $136, R13, R0 // 136 = 4 + 4 + 16 + 112 |
||||
MOVW R7, R1 |
||||
|
||||
// poly1305_init_ext_armv6 will write to the stack from R13+4, but |
||||
// that's ok because none of the other values have been written yet. |
||||
BL poly1305_init_ext_armv6<>(SB) |
||||
BIC.S $15, R6, R2 |
||||
BEQ poly1305_auth_armv6_noblocks |
||||
ADD $136, R13, R0 |
||||
MOVW R5, R1 |
||||
ADD R2, R5, R5 |
||||
SUB R2, R6, R6 |
||||
BL poly1305_blocks_armv6<>(SB) |
||||
|
||||
poly1305_auth_armv6_noblocks: |
||||
ADD $136, R13, R0 |
||||
MOVW R5, R1 |
||||
MOVW R6, R2 |
||||
MOVW R4, R3 |
||||
|
||||
MOVW R0, R5 |
||||
MOVW R1, R6 |
||||
MOVW R2, R7 |
||||
MOVW R3, R8 |
||||
AND.S R2, R2, R2 |
||||
BEQ poly1305_finish_ext_armv6_noremaining |
||||
EOR R0, R0 |
||||
ADD $8, R13, R9 // 8 = offset to 16 byte scratch space |
||||
MOVW R0, (R9) |
||||
MOVW R0, 4(R9) |
||||
MOVW R0, 8(R9) |
||||
MOVW R0, 12(R9) |
||||
WORD $0xe3110003 // TST R1, #3 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_aligned |
||||
WORD $0xe3120008 // TST R2, #8 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip8 |
||||
MOVWP_UNALIGNED(R1, R9, g) |
||||
MOVWP_UNALIGNED(R1, R9, g) |
||||
|
||||
poly1305_finish_ext_armv6_skip8: |
||||
WORD $0xe3120004 // TST $4, R2 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip4 |
||||
MOVWP_UNALIGNED(R1, R9, g) |
||||
|
||||
poly1305_finish_ext_armv6_skip4: |
||||
WORD $0xe3120002 // TST $2, R2 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip2 |
||||
MOVHUP_UNALIGNED(R1, R9, g) |
||||
B poly1305_finish_ext_armv6_skip2 |
||||
|
||||
poly1305_finish_ext_armv6_aligned: |
||||
WORD $0xe3120008 // TST R2, #8 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip8_aligned |
||||
MOVM.IA.W (R1), [g-R11] |
||||
MOVM.IA.W [g-R11], (R9) |
||||
|
||||
poly1305_finish_ext_armv6_skip8_aligned: |
||||
WORD $0xe3120004 // TST $4, R2 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip4_aligned |
||||
MOVW.P 4(R1), g |
||||
MOVW.P g, 4(R9) |
||||
|
||||
poly1305_finish_ext_armv6_skip4_aligned: |
||||
WORD $0xe3120002 // TST $2, R2 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip2 |
||||
MOVHU.P 2(R1), g |
||||
MOVH.P g, 2(R9) |
||||
|
||||
poly1305_finish_ext_armv6_skip2: |
||||
WORD $0xe3120001 // TST $1, R2 not working see issue 5921 |
||||
BEQ poly1305_finish_ext_armv6_skip1 |
||||
MOVBU.P 1(R1), g |
||||
MOVBU.P g, 1(R9) |
||||
|
||||
poly1305_finish_ext_armv6_skip1: |
||||
MOVW $1, R11 |
||||
MOVBU R11, 0(R9) |
||||
MOVW R11, 56(R5) |
||||
MOVW R5, R0 |
||||
ADD $8, R13, R1 |
||||
MOVW $16, R2 |
||||
BL poly1305_blocks_armv6<>(SB) |
||||
|
||||
poly1305_finish_ext_armv6_noremaining: |
||||
MOVW 20(R5), R0 |
||||
MOVW 24(R5), R1 |
||||
MOVW 28(R5), R2 |
||||
MOVW 32(R5), R3 |
||||
MOVW 36(R5), R4 |
||||
MOVW R4>>26, R12 |
||||
BIC $0xfc000000, R4, R4 |
||||
ADD R12<<2, R12, R12 |
||||
ADD R12, R0, R0 |
||||
MOVW R0>>26, R12 |
||||
BIC $0xfc000000, R0, R0 |
||||
ADD R12, R1, R1 |
||||
MOVW R1>>26, R12 |
||||
BIC $0xfc000000, R1, R1 |
||||
ADD R12, R2, R2 |
||||
MOVW R2>>26, R12 |
||||
BIC $0xfc000000, R2, R2 |
||||
ADD R12, R3, R3 |
||||
MOVW R3>>26, R12 |
||||
BIC $0xfc000000, R3, R3 |
||||
ADD R12, R4, R4 |
||||
ADD $5, R0, R6 |
||||
MOVW R6>>26, R12 |
||||
BIC $0xfc000000, R6, R6 |
||||
ADD R12, R1, R7 |
||||
MOVW R7>>26, R12 |
||||
BIC $0xfc000000, R7, R7 |
||||
ADD R12, R2, g |
||||
MOVW g>>26, R12 |
||||
BIC $0xfc000000, g, g |
||||
ADD R12, R3, R11 |
||||
MOVW $-(1<<26), R12 |
||||
ADD R11>>26, R12, R12 |
||||
BIC $0xfc000000, R11, R11 |
||||
ADD R12, R4, R9 |
||||
MOVW R9>>31, R12 |
||||
SUB $1, R12 |
||||
AND R12, R6, R6 |
||||
AND R12, R7, R7 |
||||
AND R12, g, g |
||||
AND R12, R11, R11 |
||||
AND R12, R9, R9 |
||||
MVN R12, R12 |
||||
AND R12, R0, R0 |
||||
AND R12, R1, R1 |
||||
AND R12, R2, R2 |
||||
AND R12, R3, R3 |
||||
AND R12, R4, R4 |
||||
ORR R6, R0, R0 |
||||
ORR R7, R1, R1 |
||||
ORR g, R2, R2 |
||||
ORR R11, R3, R3 |
||||
ORR R9, R4, R4 |
||||
ORR R1<<26, R0, R0 |
||||
MOVW R1>>6, R1 |
||||
ORR R2<<20, R1, R1 |
||||
MOVW R2>>12, R2 |
||||
ORR R3<<14, R2, R2 |
||||
MOVW R3>>18, R3 |
||||
ORR R4<<8, R3, R3 |
||||
MOVW 40(R5), R6 |
||||
MOVW 44(R5), R7 |
||||
MOVW 48(R5), g |
||||
MOVW 52(R5), R11 |
||||
ADD.S R6, R0, R0 |
||||
ADC.S R7, R1, R1 |
||||
ADC.S g, R2, R2 |
||||
ADC.S R11, R3, R3 |
||||
MOVM.IA [R0-R3], (R8) |
||||
MOVW R5, R12 |
||||
EOR R0, R0, R0 |
||||
EOR R1, R1, R1 |
||||
EOR R2, R2, R2 |
||||
EOR R3, R3, R3 |
||||
EOR R4, R4, R4 |
||||
EOR R5, R5, R5 |
||||
EOR R6, R6, R6 |
||||
EOR R7, R7, R7 |
||||
MOVM.IA.W [R0-R7], (R12) |
||||
MOVM.IA [R0-R7], (R12) |
||||
MOVW 4(R13), g |
||||
RET |
||||
@ -0,0 +1,14 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build s390x,!go1.11 !arm,!amd64,!s390x gccgo appengine nacl
|
||||
|
||||
package poly1305 |
||||
|
||||
// Sum generates an authenticator for msg using a one-time key and puts the
|
||||
// 16-byte result into out. Authenticating two different messages with the same
|
||||
// key allows an attacker to forge messages at will.
|
||||
func Sum(out *[TagSize]byte, msg []byte, key *[32]byte) { |
||||
sumGeneric(out, msg, key) |
||||
} |
||||
@ -0,0 +1,139 @@ |
||||
// Copyright 2012 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package poly1305 |
||||
|
||||
import "encoding/binary" |
||||
|
||||
// sumGeneric generates an authenticator for msg using a one-time key and
|
||||
// puts the 16-byte result into out. This is the generic implementation of
|
||||
// Sum and should be called if no assembly implementation is available.
|
||||
func sumGeneric(out *[TagSize]byte, msg []byte, key *[32]byte) { |
||||
var ( |
||||
h0, h1, h2, h3, h4 uint32 // the hash accumulators
|
||||
r0, r1, r2, r3, r4 uint64 // the r part of the key
|
||||
) |
||||
|
||||
r0 = uint64(binary.LittleEndian.Uint32(key[0:]) & 0x3ffffff) |
||||
r1 = uint64((binary.LittleEndian.Uint32(key[3:]) >> 2) & 0x3ffff03) |
||||
r2 = uint64((binary.LittleEndian.Uint32(key[6:]) >> 4) & 0x3ffc0ff) |
||||
r3 = uint64((binary.LittleEndian.Uint32(key[9:]) >> 6) & 0x3f03fff) |
||||
r4 = uint64((binary.LittleEndian.Uint32(key[12:]) >> 8) & 0x00fffff) |
||||
|
||||
R1, R2, R3, R4 := r1*5, r2*5, r3*5, r4*5 |
||||
|
||||
for len(msg) >= TagSize { |
||||
// h += msg
|
||||
h0 += binary.LittleEndian.Uint32(msg[0:]) & 0x3ffffff |
||||
h1 += (binary.LittleEndian.Uint32(msg[3:]) >> 2) & 0x3ffffff |
||||
h2 += (binary.LittleEndian.Uint32(msg[6:]) >> 4) & 0x3ffffff |
||||
h3 += (binary.LittleEndian.Uint32(msg[9:]) >> 6) & 0x3ffffff |
||||
h4 += (binary.LittleEndian.Uint32(msg[12:]) >> 8) | (1 << 24) |
||||
|
||||
// h *= r
|
||||
d0 := (uint64(h0) * r0) + (uint64(h1) * R4) + (uint64(h2) * R3) + (uint64(h3) * R2) + (uint64(h4) * R1) |
||||
d1 := (d0 >> 26) + (uint64(h0) * r1) + (uint64(h1) * r0) + (uint64(h2) * R4) + (uint64(h3) * R3) + (uint64(h4) * R2) |
||||
d2 := (d1 >> 26) + (uint64(h0) * r2) + (uint64(h1) * r1) + (uint64(h2) * r0) + (uint64(h3) * R4) + (uint64(h4) * R3) |
||||
d3 := (d2 >> 26) + (uint64(h0) * r3) + (uint64(h1) * r2) + (uint64(h2) * r1) + (uint64(h3) * r0) + (uint64(h4) * R4) |
||||
d4 := (d3 >> 26) + (uint64(h0) * r4) + (uint64(h1) * r3) + (uint64(h2) * r2) + (uint64(h3) * r1) + (uint64(h4) * r0) |
||||
|
||||
// h %= p
|
||||
h0 = uint32(d0) & 0x3ffffff |
||||
h1 = uint32(d1) & 0x3ffffff |
||||
h2 = uint32(d2) & 0x3ffffff |
||||
h3 = uint32(d3) & 0x3ffffff |
||||
h4 = uint32(d4) & 0x3ffffff |
||||
|
||||
h0 += uint32(d4>>26) * 5 |
||||
h1 += h0 >> 26 |
||||
h0 = h0 & 0x3ffffff |
||||
|
||||
msg = msg[TagSize:] |
||||
} |
||||
|
||||
if len(msg) > 0 { |
||||
var block [TagSize]byte |
||||
off := copy(block[:], msg) |
||||
block[off] = 0x01 |
||||
|
||||
// h += msg
|
||||
h0 += binary.LittleEndian.Uint32(block[0:]) & 0x3ffffff |
||||
h1 += (binary.LittleEndian.Uint32(block[3:]) >> 2) & 0x3ffffff |
||||
h2 += (binary.LittleEndian.Uint32(block[6:]) >> 4) & 0x3ffffff |
||||
h3 += (binary.LittleEndian.Uint32(block[9:]) >> 6) & 0x3ffffff |
||||
h4 += (binary.LittleEndian.Uint32(block[12:]) >> 8) |
||||
|
||||
// h *= r
|
||||
d0 := (uint64(h0) * r0) + (uint64(h1) * R4) + (uint64(h2) * R3) + (uint64(h3) * R2) + (uint64(h4) * R1) |
||||
d1 := (d0 >> 26) + (uint64(h0) * r1) + (uint64(h1) * r0) + (uint64(h2) * R4) + (uint64(h3) * R3) + (uint64(h4) * R2) |
||||
d2 := (d1 >> 26) + (uint64(h0) * r2) + (uint64(h1) * r1) + (uint64(h2) * r0) + (uint64(h3) * R4) + (uint64(h4) * R3) |
||||
d3 := (d2 >> 26) + (uint64(h0) * r3) + (uint64(h1) * r2) + (uint64(h2) * r1) + (uint64(h3) * r0) + (uint64(h4) * R4) |
||||
d4 := (d3 >> 26) + (uint64(h0) * r4) + (uint64(h1) * r3) + (uint64(h2) * r2) + (uint64(h3) * r1) + (uint64(h4) * r0) |
||||
|
||||
// h %= p
|
||||
h0 = uint32(d0) & 0x3ffffff |
||||
h1 = uint32(d1) & 0x3ffffff |
||||
h2 = uint32(d2) & 0x3ffffff |
||||
h3 = uint32(d3) & 0x3ffffff |
||||
h4 = uint32(d4) & 0x3ffffff |
||||
|
||||
h0 += uint32(d4>>26) * 5 |
||||
h1 += h0 >> 26 |
||||
h0 = h0 & 0x3ffffff |
||||
} |
||||
|
||||
// h %= p reduction
|
||||
h2 += h1 >> 26 |
||||
h1 &= 0x3ffffff |
||||
h3 += h2 >> 26 |
||||
h2 &= 0x3ffffff |
||||
h4 += h3 >> 26 |
||||
h3 &= 0x3ffffff |
||||
h0 += 5 * (h4 >> 26) |
||||
h4 &= 0x3ffffff |
||||
h1 += h0 >> 26 |
||||
h0 &= 0x3ffffff |
||||
|
||||
// h - p
|
||||
t0 := h0 + 5 |
||||
t1 := h1 + (t0 >> 26) |
||||
t2 := h2 + (t1 >> 26) |
||||
t3 := h3 + (t2 >> 26) |
||||
t4 := h4 + (t3 >> 26) - (1 << 26) |
||||
t0 &= 0x3ffffff |
||||
t1 &= 0x3ffffff |
||||
t2 &= 0x3ffffff |
||||
t3 &= 0x3ffffff |
||||
|
||||
// select h if h < p else h - p
|
||||
t_mask := (t4 >> 31) - 1 |
||||
h_mask := ^t_mask |
||||
h0 = (h0 & h_mask) | (t0 & t_mask) |
||||
h1 = (h1 & h_mask) | (t1 & t_mask) |
||||
h2 = (h2 & h_mask) | (t2 & t_mask) |
||||
h3 = (h3 & h_mask) | (t3 & t_mask) |
||||
h4 = (h4 & h_mask) | (t4 & t_mask) |
||||
|
||||
// h %= 2^128
|
||||
h0 |= h1 << 26 |
||||
h1 = ((h1 >> 6) | (h2 << 20)) |
||||
h2 = ((h2 >> 12) | (h3 << 14)) |
||||
h3 = ((h3 >> 18) | (h4 << 8)) |
||||
|
||||
// s: the s part of the key
|
||||
// tag = (h + s) % (2^128)
|
||||
t := uint64(h0) + uint64(binary.LittleEndian.Uint32(key[16:])) |
||||
h0 = uint32(t) |
||||
t = uint64(h1) + uint64(binary.LittleEndian.Uint32(key[20:])) + (t >> 32) |
||||
h1 = uint32(t) |
||||
t = uint64(h2) + uint64(binary.LittleEndian.Uint32(key[24:])) + (t >> 32) |
||||
h2 = uint32(t) |
||||
t = uint64(h3) + uint64(binary.LittleEndian.Uint32(key[28:])) + (t >> 32) |
||||
h3 = uint32(t) |
||||
|
||||
binary.LittleEndian.PutUint32(out[0:], h0) |
||||
binary.LittleEndian.PutUint32(out[4:], h1) |
||||
binary.LittleEndian.PutUint32(out[8:], h2) |
||||
binary.LittleEndian.PutUint32(out[12:], h3) |
||||
} |
||||
@ -0,0 +1,49 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build s390x,go1.11,!gccgo,!appengine
|
||||
|
||||
package poly1305 |
||||
|
||||
// hasVectorFacility reports whether the machine supports
|
||||
// the vector facility (vx).
|
||||
func hasVectorFacility() bool |
||||
|
||||
// hasVMSLFacility reports whether the machine supports
|
||||
// Vector Multiply Sum Logical (VMSL).
|
||||
func hasVMSLFacility() bool |
||||
|
||||
var hasVX = hasVectorFacility() |
||||
var hasVMSL = hasVMSLFacility() |
||||
|
||||
// poly1305vx is an assembly implementation of Poly1305 that uses vector
|
||||
// instructions. It must only be called if the vector facility (vx) is
|
||||
// available.
|
||||
//go:noescape
|
||||
func poly1305vx(out *[16]byte, m *byte, mlen uint64, key *[32]byte) |
||||
|
||||
// poly1305vmsl is an assembly implementation of Poly1305 that uses vector
|
||||
// instructions, including VMSL. It must only be called if the vector facility (vx) is
|
||||
// available and if VMSL is supported.
|
||||
//go:noescape
|
||||
func poly1305vmsl(out *[16]byte, m *byte, mlen uint64, key *[32]byte) |
||||
|
||||
// Sum generates an authenticator for m using a one-time key and puts the
|
||||
// 16-byte result into out. Authenticating two different messages with the same
|
||||
// key allows an attacker to forge messages at will.
|
||||
func Sum(out *[16]byte, m []byte, key *[32]byte) { |
||||
if hasVX { |
||||
var mPtr *byte |
||||
if len(m) > 0 { |
||||
mPtr = &m[0] |
||||
} |
||||
if hasVMSL && len(m) > 256 { |
||||
poly1305vmsl(out, mPtr, uint64(len(m)), key) |
||||
} else { |
||||
poly1305vx(out, mPtr, uint64(len(m)), key) |
||||
} |
||||
} else { |
||||
sumGeneric(out, m, key) |
||||
} |
||||
} |
||||
@ -0,0 +1,400 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
// +build s390x,go1.11,!gccgo,!appengine |
||||
|
||||
#include "textflag.h" |
||||
|
||||
// Implementation of Poly1305 using the vector facility (vx). |
||||
|
||||
// constants |
||||
#define MOD26 V0 |
||||
#define EX0 V1 |
||||
#define EX1 V2 |
||||
#define EX2 V3 |
||||
|
||||
// temporaries |
||||
#define T_0 V4 |
||||
#define T_1 V5 |
||||
#define T_2 V6 |
||||
#define T_3 V7 |
||||
#define T_4 V8 |
||||
|
||||
// key (r) |
||||
#define R_0 V9 |
||||
#define R_1 V10 |
||||
#define R_2 V11 |
||||
#define R_3 V12 |
||||
#define R_4 V13 |
||||
#define R5_1 V14 |
||||
#define R5_2 V15 |
||||
#define R5_3 V16 |
||||
#define R5_4 V17 |
||||
#define RSAVE_0 R5 |
||||
#define RSAVE_1 R6 |
||||
#define RSAVE_2 R7 |
||||
#define RSAVE_3 R8 |
||||
#define RSAVE_4 R9 |
||||
#define R5SAVE_1 V28 |
||||
#define R5SAVE_2 V29 |
||||
#define R5SAVE_3 V30 |
||||
#define R5SAVE_4 V31 |
||||
|
||||
// message block |
||||
#define F_0 V18 |
||||
#define F_1 V19 |
||||
#define F_2 V20 |
||||
#define F_3 V21 |
||||
#define F_4 V22 |
||||
|
||||
// accumulator |
||||
#define H_0 V23 |
||||
#define H_1 V24 |
||||
#define H_2 V25 |
||||
#define H_3 V26 |
||||
#define H_4 V27 |
||||
|
||||
GLOBL ·keyMask<>(SB), RODATA, $16 |
||||
DATA ·keyMask<>+0(SB)/8, $0xffffff0ffcffff0f |
||||
DATA ·keyMask<>+8(SB)/8, $0xfcffff0ffcffff0f |
||||
|
||||
GLOBL ·bswapMask<>(SB), RODATA, $16 |
||||
DATA ·bswapMask<>+0(SB)/8, $0x0f0e0d0c0b0a0908 |
||||
DATA ·bswapMask<>+8(SB)/8, $0x0706050403020100 |
||||
|
||||
GLOBL ·constants<>(SB), RODATA, $64 |
||||
// MOD26 |
||||
DATA ·constants<>+0(SB)/8, $0x3ffffff |
||||
DATA ·constants<>+8(SB)/8, $0x3ffffff |
||||
// EX0 |
||||
DATA ·constants<>+16(SB)/8, $0x0006050403020100 |
||||
DATA ·constants<>+24(SB)/8, $0x1016151413121110 |
||||
// EX1 |
||||
DATA ·constants<>+32(SB)/8, $0x060c0b0a09080706 |
||||
DATA ·constants<>+40(SB)/8, $0x161c1b1a19181716 |
||||
// EX2 |
||||
DATA ·constants<>+48(SB)/8, $0x0d0d0d0d0d0f0e0d |
||||
DATA ·constants<>+56(SB)/8, $0x1d1d1d1d1d1f1e1d |
||||
|
||||
// h = (f*g) % (2**130-5) [partial reduction] |
||||
#define MULTIPLY(f0, f1, f2, f3, f4, g0, g1, g2, g3, g4, g51, g52, g53, g54, h0, h1, h2, h3, h4) \ |
||||
VMLOF f0, g0, h0 \ |
||||
VMLOF f0, g1, h1 \ |
||||
VMLOF f0, g2, h2 \ |
||||
VMLOF f0, g3, h3 \ |
||||
VMLOF f0, g4, h4 \ |
||||
VMLOF f1, g54, T_0 \ |
||||
VMLOF f1, g0, T_1 \ |
||||
VMLOF f1, g1, T_2 \ |
||||
VMLOF f1, g2, T_3 \ |
||||
VMLOF f1, g3, T_4 \ |
||||
VMALOF f2, g53, h0, h0 \ |
||||
VMALOF f2, g54, h1, h1 \ |
||||
VMALOF f2, g0, h2, h2 \ |
||||
VMALOF f2, g1, h3, h3 \ |
||||
VMALOF f2, g2, h4, h4 \ |
||||
VMALOF f3, g52, T_0, T_0 \ |
||||
VMALOF f3, g53, T_1, T_1 \ |
||||
VMALOF f3, g54, T_2, T_2 \ |
||||
VMALOF f3, g0, T_3, T_3 \ |
||||
VMALOF f3, g1, T_4, T_4 \ |
||||
VMALOF f4, g51, h0, h0 \ |
||||
VMALOF f4, g52, h1, h1 \ |
||||
VMALOF f4, g53, h2, h2 \ |
||||
VMALOF f4, g54, h3, h3 \ |
||||
VMALOF f4, g0, h4, h4 \ |
||||
VAG T_0, h0, h0 \ |
||||
VAG T_1, h1, h1 \ |
||||
VAG T_2, h2, h2 \ |
||||
VAG T_3, h3, h3 \ |
||||
VAG T_4, h4, h4 |
||||
|
||||
// carry h0->h1 h3->h4, h1->h2 h4->h0, h0->h1 h2->h3, h3->h4 |
||||
#define REDUCE(h0, h1, h2, h3, h4) \ |
||||
VESRLG $26, h0, T_0 \ |
||||
VESRLG $26, h3, T_1 \ |
||||
VN MOD26, h0, h0 \ |
||||
VN MOD26, h3, h3 \ |
||||
VAG T_0, h1, h1 \ |
||||
VAG T_1, h4, h4 \ |
||||
VESRLG $26, h1, T_2 \ |
||||
VESRLG $26, h4, T_3 \ |
||||
VN MOD26, h1, h1 \ |
||||
VN MOD26, h4, h4 \ |
||||
VESLG $2, T_3, T_4 \ |
||||
VAG T_3, T_4, T_4 \ |
||||
VAG T_2, h2, h2 \ |
||||
VAG T_4, h0, h0 \ |
||||
VESRLG $26, h2, T_0 \ |
||||
VESRLG $26, h0, T_1 \ |
||||
VN MOD26, h2, h2 \ |
||||
VN MOD26, h0, h0 \ |
||||
VAG T_0, h3, h3 \ |
||||
VAG T_1, h1, h1 \ |
||||
VESRLG $26, h3, T_2 \ |
||||
VN MOD26, h3, h3 \ |
||||
VAG T_2, h4, h4 |
||||
|
||||
// expand in0 into d[0] and in1 into d[1] |
||||
#define EXPAND(in0, in1, d0, d1, d2, d3, d4) \ |
||||
VGBM $0x0707, d1 \ // d1=tmp |
||||
VPERM in0, in1, EX2, d4 \ |
||||
VPERM in0, in1, EX0, d0 \ |
||||
VPERM in0, in1, EX1, d2 \ |
||||
VN d1, d4, d4 \ |
||||
VESRLG $26, d0, d1 \ |
||||
VESRLG $30, d2, d3 \ |
||||
VESRLG $4, d2, d2 \ |
||||
VN MOD26, d0, d0 \ |
||||
VN MOD26, d1, d1 \ |
||||
VN MOD26, d2, d2 \ |
||||
VN MOD26, d3, d3 |
||||
|
||||
// pack h4:h0 into h1:h0 (no carry) |
||||
#define PACK(h0, h1, h2, h3, h4) \ |
||||
VESLG $26, h1, h1 \ |
||||
VESLG $26, h3, h3 \ |
||||
VO h0, h1, h0 \ |
||||
VO h2, h3, h2 \ |
||||
VESLG $4, h2, h2 \ |
||||
VLEIB $7, $48, h1 \ |
||||
VSLB h1, h2, h2 \ |
||||
VO h0, h2, h0 \ |
||||
VLEIB $7, $104, h1 \ |
||||
VSLB h1, h4, h3 \ |
||||
VO h3, h0, h0 \ |
||||
VLEIB $7, $24, h1 \ |
||||
VSRLB h1, h4, h1 |
||||
|
||||
// if h > 2**130-5 then h -= 2**130-5 |
||||
#define MOD(h0, h1, t0, t1, t2) \ |
||||
VZERO t0 \ |
||||
VLEIG $1, $5, t0 \ |
||||
VACCQ h0, t0, t1 \ |
||||
VAQ h0, t0, t0 \ |
||||
VONE t2 \ |
||||
VLEIG $1, $-4, t2 \ |
||||
VAQ t2, t1, t1 \ |
||||
VACCQ h1, t1, t1 \ |
||||
VONE t2 \ |
||||
VAQ t2, t1, t1 \ |
||||
VN h0, t1, t2 \ |
||||
VNC t0, t1, t1 \ |
||||
VO t1, t2, h0 |
||||
|
||||
// func poly1305vx(out *[16]byte, m *byte, mlen uint64, key *[32]key) |
||||
TEXT ·poly1305vx(SB), $0-32 |
||||
// This code processes up to 2 blocks (32 bytes) per iteration |
||||
// using the algorithm described in: |
||||
// NEON crypto, Daniel J. Bernstein & Peter Schwabe |
||||
// https://cryptojedi.org/papers/neoncrypto-20120320.pdf |
||||
LMG out+0(FP), R1, R4 // R1=out, R2=m, R3=mlen, R4=key |
||||
|
||||
// load MOD26, EX0, EX1 and EX2 |
||||
MOVD $·constants<>(SB), R5 |
||||
VLM (R5), MOD26, EX2 |
||||
|
||||
// setup r |
||||
VL (R4), T_0 |
||||
MOVD $·keyMask<>(SB), R6 |
||||
VL (R6), T_1 |
||||
VN T_0, T_1, T_0 |
||||
EXPAND(T_0, T_0, R_0, R_1, R_2, R_3, R_4) |
||||
|
||||
// setup r*5 |
||||
VLEIG $0, $5, T_0 |
||||
VLEIG $1, $5, T_0 |
||||
|
||||
// store r (for final block) |
||||
VMLOF T_0, R_1, R5SAVE_1 |
||||
VMLOF T_0, R_2, R5SAVE_2 |
||||
VMLOF T_0, R_3, R5SAVE_3 |
||||
VMLOF T_0, R_4, R5SAVE_4 |
||||
VLGVG $0, R_0, RSAVE_0 |
||||
VLGVG $0, R_1, RSAVE_1 |
||||
VLGVG $0, R_2, RSAVE_2 |
||||
VLGVG $0, R_3, RSAVE_3 |
||||
VLGVG $0, R_4, RSAVE_4 |
||||
|
||||
// skip r**2 calculation |
||||
CMPBLE R3, $16, skip |
||||
|
||||
// calculate r**2 |
||||
MULTIPLY(R_0, R_1, R_2, R_3, R_4, R_0, R_1, R_2, R_3, R_4, R5SAVE_1, R5SAVE_2, R5SAVE_3, R5SAVE_4, H_0, H_1, H_2, H_3, H_4) |
||||
REDUCE(H_0, H_1, H_2, H_3, H_4) |
||||
VLEIG $0, $5, T_0 |
||||
VLEIG $1, $5, T_0 |
||||
VMLOF T_0, H_1, R5_1 |
||||
VMLOF T_0, H_2, R5_2 |
||||
VMLOF T_0, H_3, R5_3 |
||||
VMLOF T_0, H_4, R5_4 |
||||
VLR H_0, R_0 |
||||
VLR H_1, R_1 |
||||
VLR H_2, R_2 |
||||
VLR H_3, R_3 |
||||
VLR H_4, R_4 |
||||
|
||||
// initialize h |
||||
VZERO H_0 |
||||
VZERO H_1 |
||||
VZERO H_2 |
||||
VZERO H_3 |
||||
VZERO H_4 |
||||
|
||||
loop: |
||||
CMPBLE R3, $32, b2 |
||||
VLM (R2), T_0, T_1 |
||||
SUB $32, R3 |
||||
MOVD $32(R2), R2 |
||||
EXPAND(T_0, T_1, F_0, F_1, F_2, F_3, F_4) |
||||
VLEIB $4, $1, F_4 |
||||
VLEIB $12, $1, F_4 |
||||
|
||||
multiply: |
||||
VAG H_0, F_0, F_0 |
||||
VAG H_1, F_1, F_1 |
||||
VAG H_2, F_2, F_2 |
||||
VAG H_3, F_3, F_3 |
||||
VAG H_4, F_4, F_4 |
||||
MULTIPLY(F_0, F_1, F_2, F_3, F_4, R_0, R_1, R_2, R_3, R_4, R5_1, R5_2, R5_3, R5_4, H_0, H_1, H_2, H_3, H_4) |
||||
REDUCE(H_0, H_1, H_2, H_3, H_4) |
||||
CMPBNE R3, $0, loop |
||||
|
||||
finish: |
||||
// sum vectors |
||||
VZERO T_0 |
||||
VSUMQG H_0, T_0, H_0 |
||||
VSUMQG H_1, T_0, H_1 |
||||
VSUMQG H_2, T_0, H_2 |
||||
VSUMQG H_3, T_0, H_3 |
||||
VSUMQG H_4, T_0, H_4 |
||||
|
||||
// h may be >= 2*(2**130-5) so we need to reduce it again |
||||
REDUCE(H_0, H_1, H_2, H_3, H_4) |
||||
|
||||
// carry h1->h4 |
||||
VESRLG $26, H_1, T_1 |
||||
VN MOD26, H_1, H_1 |
||||
VAQ T_1, H_2, H_2 |
||||
VESRLG $26, H_2, T_2 |
||||
VN MOD26, H_2, H_2 |
||||
VAQ T_2, H_3, H_3 |
||||
VESRLG $26, H_3, T_3 |
||||
VN MOD26, H_3, H_3 |
||||
VAQ T_3, H_4, H_4 |
||||
|
||||
// h is now < 2*(2**130-5) |
||||
// pack h into h1 (hi) and h0 (lo) |
||||
PACK(H_0, H_1, H_2, H_3, H_4) |
||||
|
||||
// if h > 2**130-5 then h -= 2**130-5 |
||||
MOD(H_0, H_1, T_0, T_1, T_2) |
||||
|
||||
// h += s |
||||
MOVD $·bswapMask<>(SB), R5 |
||||
VL (R5), T_1 |
||||
VL 16(R4), T_0 |
||||
VPERM T_0, T_0, T_1, T_0 // reverse bytes (to big) |
||||
VAQ T_0, H_0, H_0 |
||||
VPERM H_0, H_0, T_1, H_0 // reverse bytes (to little) |
||||
VST H_0, (R1) |
||||
|
||||
RET |
||||
|
||||
b2: |
||||
CMPBLE R3, $16, b1 |
||||
|
||||
// 2 blocks remaining |
||||
SUB $17, R3 |
||||
VL (R2), T_0 |
||||
VLL R3, 16(R2), T_1 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, T_1 |
||||
EXPAND(T_0, T_1, F_0, F_1, F_2, F_3, F_4) |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $12, $1, F_4 |
||||
VLEIB $4, $1, F_4 |
||||
|
||||
// setup [r²,r] |
||||
VLVGG $1, RSAVE_0, R_0 |
||||
VLVGG $1, RSAVE_1, R_1 |
||||
VLVGG $1, RSAVE_2, R_2 |
||||
VLVGG $1, RSAVE_3, R_3 |
||||
VLVGG $1, RSAVE_4, R_4 |
||||
VPDI $0, R5_1, R5SAVE_1, R5_1 |
||||
VPDI $0, R5_2, R5SAVE_2, R5_2 |
||||
VPDI $0, R5_3, R5SAVE_3, R5_3 |
||||
VPDI $0, R5_4, R5SAVE_4, R5_4 |
||||
|
||||
MOVD $0, R3 |
||||
BR multiply |
||||
|
||||
skip: |
||||
VZERO H_0 |
||||
VZERO H_1 |
||||
VZERO H_2 |
||||
VZERO H_3 |
||||
VZERO H_4 |
||||
|
||||
CMPBEQ R3, $0, finish |
||||
|
||||
b1: |
||||
// 1 block remaining |
||||
SUB $1, R3 |
||||
VLL R3, (R2), T_0 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, T_0 |
||||
VZERO T_1 |
||||
EXPAND(T_0, T_1, F_0, F_1, F_2, F_3, F_4) |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $4, $1, F_4 |
||||
VLEIG $1, $1, R_0 |
||||
VZERO R_1 |
||||
VZERO R_2 |
||||
VZERO R_3 |
||||
VZERO R_4 |
||||
VZERO R5_1 |
||||
VZERO R5_2 |
||||
VZERO R5_3 |
||||
VZERO R5_4 |
||||
|
||||
// setup [r, 1] |
||||
VLVGG $0, RSAVE_0, R_0 |
||||
VLVGG $0, RSAVE_1, R_1 |
||||
VLVGG $0, RSAVE_2, R_2 |
||||
VLVGG $0, RSAVE_3, R_3 |
||||
VLVGG $0, RSAVE_4, R_4 |
||||
VPDI $0, R5SAVE_1, R5_1, R5_1 |
||||
VPDI $0, R5SAVE_2, R5_2, R5_2 |
||||
VPDI $0, R5SAVE_3, R5_3, R5_3 |
||||
VPDI $0, R5SAVE_4, R5_4, R5_4 |
||||
|
||||
MOVD $0, R3 |
||||
BR multiply |
||||
|
||||
TEXT ·hasVectorFacility(SB), NOSPLIT, $24-1 |
||||
MOVD $x-24(SP), R1 |
||||
XC $24, 0(R1), 0(R1) // clear the storage |
||||
MOVD $2, R0 // R0 is the number of double words stored -1 |
||||
WORD $0xB2B01000 // STFLE 0(R1) |
||||
XOR R0, R0 // reset the value of R0 |
||||
MOVBZ z-8(SP), R1 |
||||
AND $0x40, R1 |
||||
BEQ novector |
||||
|
||||
vectorinstalled: |
||||
// check if the vector instruction has been enabled |
||||
VLEIB $0, $0xF, V16 |
||||
VLGVB $0, V16, R1 |
||||
CMPBNE R1, $0xF, novector |
||||
MOVB $1, ret+0(FP) // have vx |
||||
RET |
||||
|
||||
novector: |
||||
MOVB $0, ret+0(FP) // no vx |
||||
RET |
||||
@ -0,0 +1,931 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
// +build s390x,go1.11,!gccgo,!appengine |
||||
|
||||
#include "textflag.h" |
||||
|
||||
// Implementation of Poly1305 using the vector facility (vx) and the VMSL instruction. |
||||
|
||||
// constants |
||||
#define EX0 V1 |
||||
#define EX1 V2 |
||||
#define EX2 V3 |
||||
|
||||
// temporaries |
||||
#define T_0 V4 |
||||
#define T_1 V5 |
||||
#define T_2 V6 |
||||
#define T_3 V7 |
||||
#define T_4 V8 |
||||
#define T_5 V9 |
||||
#define T_6 V10 |
||||
#define T_7 V11 |
||||
#define T_8 V12 |
||||
#define T_9 V13 |
||||
#define T_10 V14 |
||||
|
||||
// r**2 & r**4 |
||||
#define R_0 V15 |
||||
#define R_1 V16 |
||||
#define R_2 V17 |
||||
#define R5_1 V18 |
||||
#define R5_2 V19 |
||||
// key (r) |
||||
#define RSAVE_0 R7 |
||||
#define RSAVE_1 R8 |
||||
#define RSAVE_2 R9 |
||||
#define R5SAVE_1 R10 |
||||
#define R5SAVE_2 R11 |
||||
|
||||
// message block |
||||
#define M0 V20 |
||||
#define M1 V21 |
||||
#define M2 V22 |
||||
#define M3 V23 |
||||
#define M4 V24 |
||||
#define M5 V25 |
||||
|
||||
// accumulator |
||||
#define H0_0 V26 |
||||
#define H1_0 V27 |
||||
#define H2_0 V28 |
||||
#define H0_1 V29 |
||||
#define H1_1 V30 |
||||
#define H2_1 V31 |
||||
|
||||
GLOBL ·keyMask<>(SB), RODATA, $16 |
||||
DATA ·keyMask<>+0(SB)/8, $0xffffff0ffcffff0f |
||||
DATA ·keyMask<>+8(SB)/8, $0xfcffff0ffcffff0f |
||||
|
||||
GLOBL ·bswapMask<>(SB), RODATA, $16 |
||||
DATA ·bswapMask<>+0(SB)/8, $0x0f0e0d0c0b0a0908 |
||||
DATA ·bswapMask<>+8(SB)/8, $0x0706050403020100 |
||||
|
||||
GLOBL ·constants<>(SB), RODATA, $48 |
||||
// EX0 |
||||
DATA ·constants<>+0(SB)/8, $0x18191a1b1c1d1e1f |
||||
DATA ·constants<>+8(SB)/8, $0x0000050403020100 |
||||
// EX1 |
||||
DATA ·constants<>+16(SB)/8, $0x18191a1b1c1d1e1f |
||||
DATA ·constants<>+24(SB)/8, $0x00000a0908070605 |
||||
// EX2 |
||||
DATA ·constants<>+32(SB)/8, $0x18191a1b1c1d1e1f |
||||
DATA ·constants<>+40(SB)/8, $0x0000000f0e0d0c0b |
||||
|
||||
GLOBL ·c<>(SB), RODATA, $48 |
||||
// EX0 |
||||
DATA ·c<>+0(SB)/8, $0x0000050403020100 |
||||
DATA ·c<>+8(SB)/8, $0x0000151413121110 |
||||
// EX1 |
||||
DATA ·c<>+16(SB)/8, $0x00000a0908070605 |
||||
DATA ·c<>+24(SB)/8, $0x00001a1918171615 |
||||
// EX2 |
||||
DATA ·c<>+32(SB)/8, $0x0000000f0e0d0c0b |
||||
DATA ·c<>+40(SB)/8, $0x0000001f1e1d1c1b |
||||
|
||||
GLOBL ·reduce<>(SB), RODATA, $32 |
||||
// 44 bit |
||||
DATA ·reduce<>+0(SB)/8, $0x0 |
||||
DATA ·reduce<>+8(SB)/8, $0xfffffffffff |
||||
// 42 bit |
||||
DATA ·reduce<>+16(SB)/8, $0x0 |
||||
DATA ·reduce<>+24(SB)/8, $0x3ffffffffff |
||||
|
||||
// h = (f*g) % (2**130-5) [partial reduction] |
||||
// uses T_0...T_9 temporary registers |
||||
// input: m02_0, m02_1, m02_2, m13_0, m13_1, m13_2, r_0, r_1, r_2, r5_1, r5_2, m4_0, m4_1, m4_2, m5_0, m5_1, m5_2 |
||||
// temp: t0, t1, t2, t3, t4, t5, t6, t7, t8, t9 |
||||
// output: m02_0, m02_1, m02_2, m13_0, m13_1, m13_2 |
||||
#define MULTIPLY(m02_0, m02_1, m02_2, m13_0, m13_1, m13_2, r_0, r_1, r_2, r5_1, r5_2, m4_0, m4_1, m4_2, m5_0, m5_1, m5_2, t0, t1, t2, t3, t4, t5, t6, t7, t8, t9) \ |
||||
\ // Eliminate the dependency for the last 2 VMSLs |
||||
VMSLG m02_0, r_2, m4_2, m4_2 \ |
||||
VMSLG m13_0, r_2, m5_2, m5_2 \ // 8 VMSLs pipelined |
||||
VMSLG m02_0, r_0, m4_0, m4_0 \ |
||||
VMSLG m02_1, r5_2, V0, T_0 \ |
||||
VMSLG m02_0, r_1, m4_1, m4_1 \ |
||||
VMSLG m02_1, r_0, V0, T_1 \ |
||||
VMSLG m02_1, r_1, V0, T_2 \ |
||||
VMSLG m02_2, r5_1, V0, T_3 \ |
||||
VMSLG m02_2, r5_2, V0, T_4 \ |
||||
VMSLG m13_0, r_0, m5_0, m5_0 \ |
||||
VMSLG m13_1, r5_2, V0, T_5 \ |
||||
VMSLG m13_0, r_1, m5_1, m5_1 \ |
||||
VMSLG m13_1, r_0, V0, T_6 \ |
||||
VMSLG m13_1, r_1, V0, T_7 \ |
||||
VMSLG m13_2, r5_1, V0, T_8 \ |
||||
VMSLG m13_2, r5_2, V0, T_9 \ |
||||
VMSLG m02_2, r_0, m4_2, m4_2 \ |
||||
VMSLG m13_2, r_0, m5_2, m5_2 \ |
||||
VAQ m4_0, T_0, m02_0 \ |
||||
VAQ m4_1, T_1, m02_1 \ |
||||
VAQ m5_0, T_5, m13_0 \ |
||||
VAQ m5_1, T_6, m13_1 \ |
||||
VAQ m02_0, T_3, m02_0 \ |
||||
VAQ m02_1, T_4, m02_1 \ |
||||
VAQ m13_0, T_8, m13_0 \ |
||||
VAQ m13_1, T_9, m13_1 \ |
||||
VAQ m4_2, T_2, m02_2 \ |
||||
VAQ m5_2, T_7, m13_2 \ |
||||
|
||||
// SQUARE uses three limbs of r and r_2*5 to output square of r |
||||
// uses T_1, T_5 and T_7 temporary registers |
||||
// input: r_0, r_1, r_2, r5_2 |
||||
// temp: TEMP0, TEMP1, TEMP2 |
||||
// output: p0, p1, p2 |
||||
#define SQUARE(r_0, r_1, r_2, r5_2, p0, p1, p2, TEMP0, TEMP1, TEMP2) \ |
||||
VMSLG r_0, r_0, p0, p0 \ |
||||
VMSLG r_1, r5_2, V0, TEMP0 \ |
||||
VMSLG r_2, r5_2, p1, p1 \ |
||||
VMSLG r_0, r_1, V0, TEMP1 \ |
||||
VMSLG r_1, r_1, p2, p2 \ |
||||
VMSLG r_0, r_2, V0, TEMP2 \ |
||||
VAQ TEMP0, p0, p0 \ |
||||
VAQ TEMP1, p1, p1 \ |
||||
VAQ TEMP2, p2, p2 \ |
||||
VAQ TEMP0, p0, p0 \ |
||||
VAQ TEMP1, p1, p1 \ |
||||
VAQ TEMP2, p2, p2 \ |
||||
|
||||
// carry h0->h1->h2->h0 || h3->h4->h5->h3 |
||||
// uses T_2, T_4, T_5, T_7, T_8, T_9 |
||||
// t6, t7, t8, t9, t10, t11 |
||||
// input: h0, h1, h2, h3, h4, h5 |
||||
// temp: t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11 |
||||
// output: h0, h1, h2, h3, h4, h5 |
||||
#define REDUCE(h0, h1, h2, h3, h4, h5, t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11) \ |
||||
VLM (R12), t6, t7 \ // 44 and 42 bit clear mask |
||||
VLEIB $7, $0x28, t10 \ // 5 byte shift mask |
||||
VREPIB $4, t8 \ // 4 bit shift mask |
||||
VREPIB $2, t11 \ // 2 bit shift mask |
||||
VSRLB t10, h0, t0 \ // h0 byte shift |
||||
VSRLB t10, h1, t1 \ // h1 byte shift |
||||
VSRLB t10, h2, t2 \ // h2 byte shift |
||||
VSRLB t10, h3, t3 \ // h3 byte shift |
||||
VSRLB t10, h4, t4 \ // h4 byte shift |
||||
VSRLB t10, h5, t5 \ // h5 byte shift |
||||
VSRL t8, t0, t0 \ // h0 bit shift |
||||
VSRL t8, t1, t1 \ // h2 bit shift |
||||
VSRL t11, t2, t2 \ // h2 bit shift |
||||
VSRL t8, t3, t3 \ // h3 bit shift |
||||
VSRL t8, t4, t4 \ // h4 bit shift |
||||
VESLG $2, t2, t9 \ // h2 carry x5 |
||||
VSRL t11, t5, t5 \ // h5 bit shift |
||||
VN t6, h0, h0 \ // h0 clear carry |
||||
VAQ t2, t9, t2 \ // h2 carry x5 |
||||
VESLG $2, t5, t9 \ // h5 carry x5 |
||||
VN t6, h1, h1 \ // h1 clear carry |
||||
VN t7, h2, h2 \ // h2 clear carry |
||||
VAQ t5, t9, t5 \ // h5 carry x5 |
||||
VN t6, h3, h3 \ // h3 clear carry |
||||
VN t6, h4, h4 \ // h4 clear carry |
||||
VN t7, h5, h5 \ // h5 clear carry |
||||
VAQ t0, h1, h1 \ // h0->h1 |
||||
VAQ t3, h4, h4 \ // h3->h4 |
||||
VAQ t1, h2, h2 \ // h1->h2 |
||||
VAQ t4, h5, h5 \ // h4->h5 |
||||
VAQ t2, h0, h0 \ // h2->h0 |
||||
VAQ t5, h3, h3 \ // h5->h3 |
||||
VREPG $1, t6, t6 \ // 44 and 42 bit masks across both halves |
||||
VREPG $1, t7, t7 \ |
||||
VSLDB $8, h0, h0, h0 \ // set up [h0/1/2, h3/4/5] |
||||
VSLDB $8, h1, h1, h1 \ |
||||
VSLDB $8, h2, h2, h2 \ |
||||
VO h0, h3, h3 \ |
||||
VO h1, h4, h4 \ |
||||
VO h2, h5, h5 \ |
||||
VESRLG $44, h3, t0 \ // 44 bit shift right |
||||
VESRLG $44, h4, t1 \ |
||||
VESRLG $42, h5, t2 \ |
||||
VN t6, h3, h3 \ // clear carry bits |
||||
VN t6, h4, h4 \ |
||||
VN t7, h5, h5 \ |
||||
VESLG $2, t2, t9 \ // multiply carry by 5 |
||||
VAQ t9, t2, t2 \ |
||||
VAQ t0, h4, h4 \ |
||||
VAQ t1, h5, h5 \ |
||||
VAQ t2, h3, h3 \ |
||||
|
||||
// carry h0->h1->h2->h0 |
||||
// input: h0, h1, h2 |
||||
// temp: t0, t1, t2, t3, t4, t5, t6, t7, t8 |
||||
// output: h0, h1, h2 |
||||
#define REDUCE2(h0, h1, h2, t0, t1, t2, t3, t4, t5, t6, t7, t8) \ |
||||
VLEIB $7, $0x28, t3 \ // 5 byte shift mask |
||||
VREPIB $4, t4 \ // 4 bit shift mask |
||||
VREPIB $2, t7 \ // 2 bit shift mask |
||||
VGBM $0x003F, t5 \ // mask to clear carry bits |
||||
VSRLB t3, h0, t0 \ |
||||
VSRLB t3, h1, t1 \ |
||||
VSRLB t3, h2, t2 \ |
||||
VESRLG $4, t5, t5 \ // 44 bit clear mask |
||||
VSRL t4, t0, t0 \ |
||||
VSRL t4, t1, t1 \ |
||||
VSRL t7, t2, t2 \ |
||||
VESRLG $2, t5, t6 \ // 42 bit clear mask |
||||
VESLG $2, t2, t8 \ |
||||
VAQ t8, t2, t2 \ |
||||
VN t5, h0, h0 \ |
||||
VN t5, h1, h1 \ |
||||
VN t6, h2, h2 \ |
||||
VAQ t0, h1, h1 \ |
||||
VAQ t1, h2, h2 \ |
||||
VAQ t2, h0, h0 \ |
||||
VSRLB t3, h0, t0 \ |
||||
VSRLB t3, h1, t1 \ |
||||
VSRLB t3, h2, t2 \ |
||||
VSRL t4, t0, t0 \ |
||||
VSRL t4, t1, t1 \ |
||||
VSRL t7, t2, t2 \ |
||||
VN t5, h0, h0 \ |
||||
VN t5, h1, h1 \ |
||||
VESLG $2, t2, t8 \ |
||||
VN t6, h2, h2 \ |
||||
VAQ t0, h1, h1 \ |
||||
VAQ t8, t2, t2 \ |
||||
VAQ t1, h2, h2 \ |
||||
VAQ t2, h0, h0 \ |
||||
|
||||
// expands two message blocks into the lower halfs of the d registers |
||||
// moves the contents of the d registers into upper halfs |
||||
// input: in1, in2, d0, d1, d2, d3, d4, d5 |
||||
// temp: TEMP0, TEMP1, TEMP2, TEMP3 |
||||
// output: d0, d1, d2, d3, d4, d5 |
||||
#define EXPACC(in1, in2, d0, d1, d2, d3, d4, d5, TEMP0, TEMP1, TEMP2, TEMP3) \ |
||||
VGBM $0xff3f, TEMP0 \ |
||||
VGBM $0xff1f, TEMP1 \ |
||||
VESLG $4, d1, TEMP2 \ |
||||
VESLG $4, d4, TEMP3 \ |
||||
VESRLG $4, TEMP0, TEMP0 \ |
||||
VPERM in1, d0, EX0, d0 \ |
||||
VPERM in2, d3, EX0, d3 \ |
||||
VPERM in1, d2, EX2, d2 \ |
||||
VPERM in2, d5, EX2, d5 \ |
||||
VPERM in1, TEMP2, EX1, d1 \ |
||||
VPERM in2, TEMP3, EX1, d4 \ |
||||
VN TEMP0, d0, d0 \ |
||||
VN TEMP0, d3, d3 \ |
||||
VESRLG $4, d1, d1 \ |
||||
VESRLG $4, d4, d4 \ |
||||
VN TEMP1, d2, d2 \ |
||||
VN TEMP1, d5, d5 \ |
||||
VN TEMP0, d1, d1 \ |
||||
VN TEMP0, d4, d4 \ |
||||
|
||||
// expands one message block into the lower halfs of the d registers |
||||
// moves the contents of the d registers into upper halfs |
||||
// input: in, d0, d1, d2 |
||||
// temp: TEMP0, TEMP1, TEMP2 |
||||
// output: d0, d1, d2 |
||||
#define EXPACC2(in, d0, d1, d2, TEMP0, TEMP1, TEMP2) \ |
||||
VGBM $0xff3f, TEMP0 \ |
||||
VESLG $4, d1, TEMP2 \ |
||||
VGBM $0xff1f, TEMP1 \ |
||||
VPERM in, d0, EX0, d0 \ |
||||
VESRLG $4, TEMP0, TEMP0 \ |
||||
VPERM in, d2, EX2, d2 \ |
||||
VPERM in, TEMP2, EX1, d1 \ |
||||
VN TEMP0, d0, d0 \ |
||||
VN TEMP1, d2, d2 \ |
||||
VESRLG $4, d1, d1 \ |
||||
VN TEMP0, d1, d1 \ |
||||
|
||||
// pack h2:h0 into h1:h0 (no carry) |
||||
// input: h0, h1, h2 |
||||
// output: h0, h1, h2 |
||||
#define PACK(h0, h1, h2) \ |
||||
VMRLG h1, h2, h2 \ // copy h1 to upper half h2 |
||||
VESLG $44, h1, h1 \ // shift limb 1 44 bits, leaving 20 |
||||
VO h0, h1, h0 \ // combine h0 with 20 bits from limb 1 |
||||
VESRLG $20, h2, h1 \ // put top 24 bits of limb 1 into h1 |
||||
VLEIG $1, $0, h1 \ // clear h2 stuff from lower half of h1 |
||||
VO h0, h1, h0 \ // h0 now has 88 bits (limb 0 and 1) |
||||
VLEIG $0, $0, h2 \ // clear upper half of h2 |
||||
VESRLG $40, h2, h1 \ // h1 now has upper two bits of result |
||||
VLEIB $7, $88, h1 \ // for byte shift (11 bytes) |
||||
VSLB h1, h2, h2 \ // shift h2 11 bytes to the left |
||||
VO h0, h2, h0 \ // combine h0 with 20 bits from limb 1 |
||||
VLEIG $0, $0, h1 \ // clear upper half of h1 |
||||
|
||||
// if h > 2**130-5 then h -= 2**130-5 |
||||
// input: h0, h1 |
||||
// temp: t0, t1, t2 |
||||
// output: h0 |
||||
#define MOD(h0, h1, t0, t1, t2) \ |
||||
VZERO t0 \ |
||||
VLEIG $1, $5, t0 \ |
||||
VACCQ h0, t0, t1 \ |
||||
VAQ h0, t0, t0 \ |
||||
VONE t2 \ |
||||
VLEIG $1, $-4, t2 \ |
||||
VAQ t2, t1, t1 \ |
||||
VACCQ h1, t1, t1 \ |
||||
VONE t2 \ |
||||
VAQ t2, t1, t1 \ |
||||
VN h0, t1, t2 \ |
||||
VNC t0, t1, t1 \ |
||||
VO t1, t2, h0 \ |
||||
|
||||
// func poly1305vmsl(out *[16]byte, m *byte, mlen uint64, key *[32]key) |
||||
TEXT ·poly1305vmsl(SB), $0-32 |
||||
// This code processes 6 + up to 4 blocks (32 bytes) per iteration |
||||
// using the algorithm described in: |
||||
// NEON crypto, Daniel J. Bernstein & Peter Schwabe |
||||
// https://cryptojedi.org/papers/neoncrypto-20120320.pdf |
||||
// And as moddified for VMSL as described in |
||||
// Accelerating Poly1305 Cryptographic Message Authentication on the z14 |
||||
// O'Farrell et al, CASCON 2017, p48-55 |
||||
// https://ibm.ent.box.com/s/jf9gedj0e9d2vjctfyh186shaztavnht |
||||
|
||||
LMG out+0(FP), R1, R4 // R1=out, R2=m, R3=mlen, R4=key |
||||
VZERO V0 // c |
||||
|
||||
// load EX0, EX1 and EX2 |
||||
MOVD $·constants<>(SB), R5 |
||||
VLM (R5), EX0, EX2 // c |
||||
|
||||
// setup r |
||||
VL (R4), T_0 |
||||
MOVD $·keyMask<>(SB), R6 |
||||
VL (R6), T_1 |
||||
VN T_0, T_1, T_0 |
||||
VZERO T_2 // limbs for r |
||||
VZERO T_3 |
||||
VZERO T_4 |
||||
EXPACC2(T_0, T_2, T_3, T_4, T_1, T_5, T_7) |
||||
|
||||
// T_2, T_3, T_4: [0, r] |
||||
|
||||
// setup r*20 |
||||
VLEIG $0, $0, T_0 |
||||
VLEIG $1, $20, T_0 // T_0: [0, 20] |
||||
VZERO T_5 |
||||
VZERO T_6 |
||||
VMSLG T_0, T_3, T_5, T_5 |
||||
VMSLG T_0, T_4, T_6, T_6 |
||||
|
||||
// store r for final block in GR |
||||
VLGVG $1, T_2, RSAVE_0 // c |
||||
VLGVG $1, T_3, RSAVE_1 // c |
||||
VLGVG $1, T_4, RSAVE_2 // c |
||||
VLGVG $1, T_5, R5SAVE_1 // c |
||||
VLGVG $1, T_6, R5SAVE_2 // c |
||||
|
||||
// initialize h |
||||
VZERO H0_0 |
||||
VZERO H1_0 |
||||
VZERO H2_0 |
||||
VZERO H0_1 |
||||
VZERO H1_1 |
||||
VZERO H2_1 |
||||
|
||||
// initialize pointer for reduce constants |
||||
MOVD $·reduce<>(SB), R12 |
||||
|
||||
// calculate r**2 and 20*(r**2) |
||||
VZERO R_0 |
||||
VZERO R_1 |
||||
VZERO R_2 |
||||
SQUARE(T_2, T_3, T_4, T_6, R_0, R_1, R_2, T_1, T_5, T_7) |
||||
REDUCE2(R_0, R_1, R_2, M0, M1, M2, M3, M4, R5_1, R5_2, M5, T_1) |
||||
VZERO R5_1 |
||||
VZERO R5_2 |
||||
VMSLG T_0, R_1, R5_1, R5_1 |
||||
VMSLG T_0, R_2, R5_2, R5_2 |
||||
|
||||
// skip r**4 calculation if 3 blocks or less |
||||
CMPBLE R3, $48, b4 |
||||
|
||||
// calculate r**4 and 20*(r**4) |
||||
VZERO T_8 |
||||
VZERO T_9 |
||||
VZERO T_10 |
||||
SQUARE(R_0, R_1, R_2, R5_2, T_8, T_9, T_10, T_1, T_5, T_7) |
||||
REDUCE2(T_8, T_9, T_10, M0, M1, M2, M3, M4, T_2, T_3, M5, T_1) |
||||
VZERO T_2 |
||||
VZERO T_3 |
||||
VMSLG T_0, T_9, T_2, T_2 |
||||
VMSLG T_0, T_10, T_3, T_3 |
||||
|
||||
// put r**2 to the right and r**4 to the left of R_0, R_1, R_2 |
||||
VSLDB $8, T_8, T_8, T_8 |
||||
VSLDB $8, T_9, T_9, T_9 |
||||
VSLDB $8, T_10, T_10, T_10 |
||||
VSLDB $8, T_2, T_2, T_2 |
||||
VSLDB $8, T_3, T_3, T_3 |
||||
|
||||
VO T_8, R_0, R_0 |
||||
VO T_9, R_1, R_1 |
||||
VO T_10, R_2, R_2 |
||||
VO T_2, R5_1, R5_1 |
||||
VO T_3, R5_2, R5_2 |
||||
|
||||
CMPBLE R3, $80, load // less than or equal to 5 blocks in message |
||||
|
||||
// 6(or 5+1) blocks |
||||
SUB $81, R3 |
||||
VLM (R2), M0, M4 |
||||
VLL R3, 80(R2), M5 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBGE R3, $16, 2(PC) |
||||
VLVGB R3, R0, M5 |
||||
MOVD $96(R2), R2 |
||||
EXPACC(M0, M1, H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_0, T_1, T_2, T_3) |
||||
EXPACC(M2, M3, H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_0, T_1, T_2, T_3) |
||||
VLEIB $2, $1, H2_0 |
||||
VLEIB $2, $1, H2_1 |
||||
VLEIB $10, $1, H2_0 |
||||
VLEIB $10, $1, H2_1 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO T_4 |
||||
VZERO T_10 |
||||
EXPACC(M4, M5, M0, M1, M2, M3, T_4, T_10, T_0, T_1, T_2, T_3) |
||||
VLR T_4, M4 |
||||
VLEIB $10, $1, M2 |
||||
CMPBLT R3, $16, 2(PC) |
||||
VLEIB $10, $1, T_10 |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, T_10, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, M2, M3, M4, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
VMRHG V0, H0_1, H0_0 |
||||
VMRHG V0, H1_1, H1_0 |
||||
VMRHG V0, H2_1, H2_0 |
||||
VMRLG V0, H0_1, H0_1 |
||||
VMRLG V0, H1_1, H1_1 |
||||
VMRLG V0, H2_1, H2_1 |
||||
|
||||
SUB $16, R3 |
||||
CMPBLE R3, $0, square |
||||
|
||||
load: |
||||
// load EX0, EX1 and EX2 |
||||
MOVD $·c<>(SB), R5 |
||||
VLM (R5), EX0, EX2 |
||||
|
||||
loop: |
||||
CMPBLE R3, $64, add // b4 // last 4 or less blocks left |
||||
|
||||
// next 4 full blocks |
||||
VLM (R2), M2, M5 |
||||
SUB $64, R3 |
||||
MOVD $64(R2), R2 |
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, T_0, T_1, T_3, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
|
||||
// expacc in-lined to create [m2, m3] limbs |
||||
VGBM $0x3f3f, T_0 // 44 bit clear mask |
||||
VGBM $0x1f1f, T_1 // 40 bit clear mask |
||||
VPERM M2, M3, EX0, T_3 |
||||
VESRLG $4, T_0, T_0 // 44 bit clear mask ready |
||||
VPERM M2, M3, EX1, T_4 |
||||
VPERM M2, M3, EX2, T_5 |
||||
VN T_0, T_3, T_3 |
||||
VESRLG $4, T_4, T_4 |
||||
VN T_1, T_5, T_5 |
||||
VN T_0, T_4, T_4 |
||||
VMRHG H0_1, T_3, H0_0 |
||||
VMRHG H1_1, T_4, H1_0 |
||||
VMRHG H2_1, T_5, H2_0 |
||||
VMRLG H0_1, T_3, H0_1 |
||||
VMRLG H1_1, T_4, H1_1 |
||||
VMRLG H2_1, T_5, H2_1 |
||||
VLEIB $10, $1, H2_0 |
||||
VLEIB $10, $1, H2_1 |
||||
VPERM M4, M5, EX0, T_3 |
||||
VPERM M4, M5, EX1, T_4 |
||||
VPERM M4, M5, EX2, T_5 |
||||
VN T_0, T_3, T_3 |
||||
VESRLG $4, T_4, T_4 |
||||
VN T_1, T_5, T_5 |
||||
VN T_0, T_4, T_4 |
||||
VMRHG V0, T_3, M0 |
||||
VMRHG V0, T_4, M1 |
||||
VMRHG V0, T_5, M2 |
||||
VMRLG V0, T_3, M3 |
||||
VMRLG V0, T_4, M4 |
||||
VMRLG V0, T_5, M5 |
||||
VLEIB $10, $1, M2 |
||||
VLEIB $10, $1, M5 |
||||
|
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
CMPBNE R3, $0, loop |
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, M3, M4, M5, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
VMRHG V0, H0_1, H0_0 |
||||
VMRHG V0, H1_1, H1_0 |
||||
VMRHG V0, H2_1, H2_0 |
||||
VMRLG V0, H0_1, H0_1 |
||||
VMRLG V0, H1_1, H1_1 |
||||
VMRLG V0, H2_1, H2_1 |
||||
|
||||
// load EX0, EX1, EX2 |
||||
MOVD $·constants<>(SB), R5 |
||||
VLM (R5), EX0, EX2 |
||||
|
||||
// sum vectors |
||||
VAQ H0_0, H0_1, H0_0 |
||||
VAQ H1_0, H1_1, H1_0 |
||||
VAQ H2_0, H2_1, H2_0 |
||||
|
||||
// h may be >= 2*(2**130-5) so we need to reduce it again |
||||
// M0...M4 are used as temps here |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, T_9, T_10, H0_1, M5) |
||||
|
||||
next: // carry h1->h2 |
||||
VLEIB $7, $0x28, T_1 |
||||
VREPIB $4, T_2 |
||||
VGBM $0x003F, T_3 |
||||
VESRLG $4, T_3 |
||||
|
||||
// byte shift |
||||
VSRLB T_1, H1_0, T_4 |
||||
|
||||
// bit shift |
||||
VSRL T_2, T_4, T_4 |
||||
|
||||
// clear h1 carry bits |
||||
VN T_3, H1_0, H1_0 |
||||
|
||||
// add carry |
||||
VAQ T_4, H2_0, H2_0 |
||||
|
||||
// h is now < 2*(2**130-5) |
||||
// pack h into h1 (hi) and h0 (lo) |
||||
PACK(H0_0, H1_0, H2_0) |
||||
|
||||
// if h > 2**130-5 then h -= 2**130-5 |
||||
MOD(H0_0, H1_0, T_0, T_1, T_2) |
||||
|
||||
// h += s |
||||
MOVD $·bswapMask<>(SB), R5 |
||||
VL (R5), T_1 |
||||
VL 16(R4), T_0 |
||||
VPERM T_0, T_0, T_1, T_0 // reverse bytes (to big) |
||||
VAQ T_0, H0_0, H0_0 |
||||
VPERM H0_0, H0_0, T_1, H0_0 // reverse bytes (to little) |
||||
VST H0_0, (R1) |
||||
RET |
||||
|
||||
add: |
||||
// load EX0, EX1, EX2 |
||||
MOVD $·constants<>(SB), R5 |
||||
VLM (R5), EX0, EX2 |
||||
|
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, M3, M4, M5, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
VMRHG V0, H0_1, H0_0 |
||||
VMRHG V0, H1_1, H1_0 |
||||
VMRHG V0, H2_1, H2_0 |
||||
VMRLG V0, H0_1, H0_1 |
||||
VMRLG V0, H1_1, H1_1 |
||||
VMRLG V0, H2_1, H2_1 |
||||
CMPBLE R3, $64, b4 |
||||
|
||||
b4: |
||||
CMPBLE R3, $48, b3 // 3 blocks or less |
||||
|
||||
// 4(3+1) blocks remaining |
||||
SUB $49, R3 |
||||
VLM (R2), M0, M2 |
||||
VLL R3, 48(R2), M3 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, M3 |
||||
MOVD $64(R2), R2 |
||||
EXPACC(M0, M1, H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_0, T_1, T_2, T_3) |
||||
VLEIB $10, $1, H2_0 |
||||
VLEIB $10, $1, H2_1 |
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
VZERO T_4 |
||||
VZERO T_10 |
||||
EXPACC(M2, M3, M0, M1, M4, M5, T_4, T_10, T_0, T_1, T_2, T_3) |
||||
VLR T_4, M2 |
||||
VLEIB $10, $1, M4 |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $10, $1, T_10 |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M4, M5, M2, T_10, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, M3, M4, M5, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
VMRHG V0, H0_1, H0_0 |
||||
VMRHG V0, H1_1, H1_0 |
||||
VMRHG V0, H2_1, H2_0 |
||||
VMRLG V0, H0_1, H0_1 |
||||
VMRLG V0, H1_1, H1_1 |
||||
VMRLG V0, H2_1, H2_1 |
||||
SUB $16, R3 |
||||
CMPBLE R3, $0, square // this condition must always hold true! |
||||
|
||||
b3: |
||||
CMPBLE R3, $32, b2 |
||||
|
||||
// 3 blocks remaining |
||||
|
||||
// setup [r²,r] |
||||
VSLDB $8, R_0, R_0, R_0 |
||||
VSLDB $8, R_1, R_1, R_1 |
||||
VSLDB $8, R_2, R_2, R_2 |
||||
VSLDB $8, R5_1, R5_1, R5_1 |
||||
VSLDB $8, R5_2, R5_2, R5_2 |
||||
|
||||
VLVGG $1, RSAVE_0, R_0 |
||||
VLVGG $1, RSAVE_1, R_1 |
||||
VLVGG $1, RSAVE_2, R_2 |
||||
VLVGG $1, R5SAVE_1, R5_1 |
||||
VLVGG $1, R5SAVE_2, R5_2 |
||||
|
||||
// setup [h0, h1] |
||||
VSLDB $8, H0_0, H0_0, H0_0 |
||||
VSLDB $8, H1_0, H1_0, H1_0 |
||||
VSLDB $8, H2_0, H2_0, H2_0 |
||||
VO H0_1, H0_0, H0_0 |
||||
VO H1_1, H1_0, H1_0 |
||||
VO H2_1, H2_0, H2_0 |
||||
VZERO H0_1 |
||||
VZERO H1_1 |
||||
VZERO H2_1 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
|
||||
// H*[r**2, r] |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, H0_1, H1_1, T_10, M5) |
||||
|
||||
SUB $33, R3 |
||||
VLM (R2), M0, M1 |
||||
VLL R3, 32(R2), M2 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, M2 |
||||
|
||||
// H += m0 |
||||
VZERO T_1 |
||||
VZERO T_2 |
||||
VZERO T_3 |
||||
EXPACC2(M0, T_1, T_2, T_3, T_4, T_5, T_6) |
||||
VLEIB $10, $1, T_3 |
||||
VAG H0_0, T_1, H0_0 |
||||
VAG H1_0, T_2, H1_0 |
||||
VAG H2_0, T_3, H2_0 |
||||
|
||||
VZERO M0 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
VZERO T_10 |
||||
|
||||
// (H+m0)*r |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M3, M4, M5, V0, T_10, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M3, M4, M5, T_10, H0_1, H1_1, H2_1, T_9) |
||||
|
||||
// H += m1 |
||||
VZERO V0 |
||||
VZERO T_1 |
||||
VZERO T_2 |
||||
VZERO T_3 |
||||
EXPACC2(M1, T_1, T_2, T_3, T_4, T_5, T_6) |
||||
VLEIB $10, $1, T_3 |
||||
VAQ H0_0, T_1, H0_0 |
||||
VAQ H1_0, T_2, H1_0 |
||||
VAQ H2_0, T_3, H2_0 |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M3, M4, M5, T_9, H0_1, H1_1, H2_1, T_10) |
||||
|
||||
// [H, m2] * [r**2, r] |
||||
EXPACC2(M2, H0_0, H1_0, H2_0, T_1, T_2, T_3) |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $10, $1, H2_0 |
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, H0_1, H1_1, M5, T_10) |
||||
SUB $16, R3 |
||||
CMPBLE R3, $0, next // this condition must always hold true! |
||||
|
||||
b2: |
||||
CMPBLE R3, $16, b1 |
||||
|
||||
// 2 blocks remaining |
||||
|
||||
// setup [r²,r] |
||||
VSLDB $8, R_0, R_0, R_0 |
||||
VSLDB $8, R_1, R_1, R_1 |
||||
VSLDB $8, R_2, R_2, R_2 |
||||
VSLDB $8, R5_1, R5_1, R5_1 |
||||
VSLDB $8, R5_2, R5_2, R5_2 |
||||
|
||||
VLVGG $1, RSAVE_0, R_0 |
||||
VLVGG $1, RSAVE_1, R_1 |
||||
VLVGG $1, RSAVE_2, R_2 |
||||
VLVGG $1, R5SAVE_1, R5_1 |
||||
VLVGG $1, R5SAVE_2, R5_2 |
||||
|
||||
// setup [h0, h1] |
||||
VSLDB $8, H0_0, H0_0, H0_0 |
||||
VSLDB $8, H1_0, H1_0, H1_0 |
||||
VSLDB $8, H2_0, H2_0, H2_0 |
||||
VO H0_1, H0_0, H0_0 |
||||
VO H1_1, H1_0, H1_0 |
||||
VO H2_1, H2_0, H2_0 |
||||
VZERO H0_1 |
||||
VZERO H1_1 |
||||
VZERO H2_1 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
|
||||
// H*[r**2, r] |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, T_10, M0, M1, M2, M3, M4, T_4, T_5, T_2, T_7, T_8, T_9) |
||||
VMRHG V0, H0_1, H0_0 |
||||
VMRHG V0, H1_1, H1_0 |
||||
VMRHG V0, H2_1, H2_0 |
||||
VMRLG V0, H0_1, H0_1 |
||||
VMRLG V0, H1_1, H1_1 |
||||
VMRLG V0, H2_1, H2_1 |
||||
|
||||
// move h to the left and 0s at the right |
||||
VSLDB $8, H0_0, H0_0, H0_0 |
||||
VSLDB $8, H1_0, H1_0, H1_0 |
||||
VSLDB $8, H2_0, H2_0, H2_0 |
||||
|
||||
// get message blocks and append 1 to start |
||||
SUB $17, R3 |
||||
VL (R2), M0 |
||||
VLL R3, 16(R2), M1 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, M1 |
||||
VZERO T_6 |
||||
VZERO T_7 |
||||
VZERO T_8 |
||||
EXPACC2(M0, T_6, T_7, T_8, T_1, T_2, T_3) |
||||
EXPACC2(M1, T_6, T_7, T_8, T_1, T_2, T_3) |
||||
VLEIB $2, $1, T_8 |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $10, $1, T_8 |
||||
|
||||
// add [m0, m1] to h |
||||
VAG H0_0, T_6, H0_0 |
||||
VAG H1_0, T_7, H1_0 |
||||
VAG H2_0, T_8, H2_0 |
||||
|
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
VZERO T_10 |
||||
VZERO M0 |
||||
|
||||
// at this point R_0 .. R5_2 look like [r**2, r] |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M2, M3, M4, M5, T_10, M0, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M2, M3, M4, M5, T_9, H0_1, H1_1, H2_1, T_10) |
||||
SUB $16, R3, R3 |
||||
CMPBLE R3, $0, next |
||||
|
||||
b1: |
||||
CMPBLE R3, $0, next |
||||
|
||||
// 1 block remaining |
||||
|
||||
// setup [r²,r] |
||||
VSLDB $8, R_0, R_0, R_0 |
||||
VSLDB $8, R_1, R_1, R_1 |
||||
VSLDB $8, R_2, R_2, R_2 |
||||
VSLDB $8, R5_1, R5_1, R5_1 |
||||
VSLDB $8, R5_2, R5_2, R5_2 |
||||
|
||||
VLVGG $1, RSAVE_0, R_0 |
||||
VLVGG $1, RSAVE_1, R_1 |
||||
VLVGG $1, RSAVE_2, R_2 |
||||
VLVGG $1, R5SAVE_1, R5_1 |
||||
VLVGG $1, R5SAVE_2, R5_2 |
||||
|
||||
// setup [h0, h1] |
||||
VSLDB $8, H0_0, H0_0, H0_0 |
||||
VSLDB $8, H1_0, H1_0, H1_0 |
||||
VSLDB $8, H2_0, H2_0, H2_0 |
||||
VO H0_1, H0_0, H0_0 |
||||
VO H1_1, H1_0, H1_0 |
||||
VO H2_1, H2_0, H2_0 |
||||
VZERO H0_1 |
||||
VZERO H1_1 |
||||
VZERO H2_1 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
|
||||
// H*[r**2, r] |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, T_9, T_10, H0_1, M5) |
||||
|
||||
// set up [0, m0] limbs |
||||
SUB $1, R3 |
||||
VLL R3, (R2), M0 |
||||
ADD $1, R3 |
||||
MOVBZ $1, R0 |
||||
CMPBEQ R3, $16, 2(PC) |
||||
VLVGB R3, R0, M0 |
||||
VZERO T_1 |
||||
VZERO T_2 |
||||
VZERO T_3 |
||||
EXPACC2(M0, T_1, T_2, T_3, T_4, T_5, T_6)// limbs: [0, m] |
||||
CMPBNE R3, $16, 2(PC) |
||||
VLEIB $10, $1, T_3 |
||||
|
||||
// h+m0 |
||||
VAQ H0_0, T_1, H0_0 |
||||
VAQ H1_0, T_2, H1_0 |
||||
VAQ H2_0, T_3, H2_0 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, T_9, T_10, H0_1, M5) |
||||
|
||||
BR next |
||||
|
||||
square: |
||||
// setup [r²,r] |
||||
VSLDB $8, R_0, R_0, R_0 |
||||
VSLDB $8, R_1, R_1, R_1 |
||||
VSLDB $8, R_2, R_2, R_2 |
||||
VSLDB $8, R5_1, R5_1, R5_1 |
||||
VSLDB $8, R5_2, R5_2, R5_2 |
||||
|
||||
VLVGG $1, RSAVE_0, R_0 |
||||
VLVGG $1, RSAVE_1, R_1 |
||||
VLVGG $1, RSAVE_2, R_2 |
||||
VLVGG $1, R5SAVE_1, R5_1 |
||||
VLVGG $1, R5SAVE_2, R5_2 |
||||
|
||||
// setup [h0, h1] |
||||
VSLDB $8, H0_0, H0_0, H0_0 |
||||
VSLDB $8, H1_0, H1_0, H1_0 |
||||
VSLDB $8, H2_0, H2_0, H2_0 |
||||
VO H0_1, H0_0, H0_0 |
||||
VO H1_1, H1_0, H1_0 |
||||
VO H2_1, H2_0, H2_0 |
||||
VZERO H0_1 |
||||
VZERO H1_1 |
||||
VZERO H2_1 |
||||
|
||||
VZERO M0 |
||||
VZERO M1 |
||||
VZERO M2 |
||||
VZERO M3 |
||||
VZERO M4 |
||||
VZERO M5 |
||||
|
||||
// (h0*r**2) + (h1*r) |
||||
MULTIPLY(H0_0, H1_0, H2_0, H0_1, H1_1, H2_1, R_0, R_1, R_2, R5_1, R5_2, M0, M1, M2, M3, M4, M5, T_0, T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9) |
||||
REDUCE2(H0_0, H1_0, H2_0, M0, M1, M2, M3, M4, T_9, T_10, H0_1, M5) |
||||
BR next |
||||
|
||||
TEXT ·hasVMSLFacility(SB), NOSPLIT, $24-1 |
||||
MOVD $x-24(SP), R1 |
||||
XC $24, 0(R1), 0(R1) // clear the storage |
||||
MOVD $2, R0 // R0 is the number of double words stored -1 |
||||
WORD $0xB2B01000 // STFLE 0(R1) |
||||
XOR R0, R0 // reset the value of R0 |
||||
MOVBZ z-8(SP), R1 |
||||
AND $0x01, R1 |
||||
BEQ novmsl |
||||
|
||||
vectorinstalled: |
||||
// check if the vector instruction has been enabled |
||||
VLEIB $0, $0xF, V16 |
||||
VLGVB $0, V16, R1 |
||||
CMPBNE R1, $0xF, novmsl |
||||
MOVB $1, ret+0(FP) // have vx |
||||
RET |
||||
|
||||
novmsl: |
||||
MOVB $0, ret+0(FP) // no vx |
||||
RET |
||||
@ -0,0 +1,27 @@ |
||||
// Copyright 2017 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//+build gccgo appengine !s390x
|
||||
|
||||
package sha3 |
||||
|
||||
import ( |
||||
"hash" |
||||
) |
||||
|
||||
// new224Asm returns an assembly implementation of SHA3-224 if available,
|
||||
// otherwise it returns nil.
|
||||
func new224Asm() hash.Hash { return nil } |
||||
|
||||
// new256Asm returns an assembly implementation of SHA3-256 if available,
|
||||
// otherwise it returns nil.
|
||||
func new256Asm() hash.Hash { return nil } |
||||
|
||||
// new384Asm returns an assembly implementation of SHA3-384 if available,
|
||||
// otherwise it returns nil.
|
||||
func new384Asm() hash.Hash { return nil } |
||||
|
||||
// new512Asm returns an assembly implementation of SHA3-512 if available,
|
||||
// otherwise it returns nil.
|
||||
func new512Asm() hash.Hash { return nil } |
||||
2
crypto/sha3/keccakf_amd64.go → vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
generated
vendored
2
crypto/sha3/keccakf_amd64.go → vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
generated
vendored
@ -0,0 +1,289 @@ |
||||
// Copyright 2017 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//+build !gccgo,!appengine
|
||||
|
||||
package sha3 |
||||
|
||||
// This file contains code for using the 'compute intermediate
|
||||
// message digest' (KIMD) and 'compute last message digest' (KLMD)
|
||||
// instructions to compute SHA-3 and SHAKE hashes on IBM Z.
|
||||
|
||||
import ( |
||||
"hash" |
||||
) |
||||
|
||||
// codes represent 7-bit KIMD/KLMD function codes as defined in
|
||||
// the Principles of Operation.
|
||||
type code uint64 |
||||
|
||||
const ( |
||||
// function codes for KIMD/KLMD
|
||||
sha3_224 code = 32 |
||||
sha3_256 = 33 |
||||
sha3_384 = 34 |
||||
sha3_512 = 35 |
||||
shake_128 = 36 |
||||
shake_256 = 37 |
||||
nopad = 0x100 |
||||
) |
||||
|
||||
// hasMSA6 reports whether the machine supports the SHA-3 and SHAKE function
|
||||
// codes, as defined in message-security-assist extension 6.
|
||||
func hasMSA6() bool |
||||
|
||||
// hasAsm caches the result of hasMSA6 (which might be expensive to call).
|
||||
var hasAsm = hasMSA6() |
||||
|
||||
// kimd is a wrapper for the 'compute intermediate message digest' instruction.
|
||||
// src must be a multiple of the rate for the given function code.
|
||||
//go:noescape
|
||||
func kimd(function code, chain *[200]byte, src []byte) |
||||
|
||||
// klmd is a wrapper for the 'compute last message digest' instruction.
|
||||
// src padding is handled by the instruction.
|
||||
//go:noescape
|
||||
func klmd(function code, chain *[200]byte, dst, src []byte) |
||||
|
||||
type asmState struct { |
||||
a [200]byte // 1600 bit state
|
||||
buf []byte // care must be taken to ensure cap(buf) is a multiple of rate
|
||||
rate int // equivalent to block size
|
||||
storage [3072]byte // underlying storage for buf
|
||||
outputLen int // output length if fixed, 0 if not
|
||||
function code // KIMD/KLMD function code
|
||||
state spongeDirection // whether the sponge is absorbing or squeezing
|
||||
} |
||||
|
||||
func newAsmState(function code) *asmState { |
||||
var s asmState |
||||
s.function = function |
||||
switch function { |
||||
case sha3_224: |
||||
s.rate = 144 |
||||
s.outputLen = 28 |
||||
case sha3_256: |
||||
s.rate = 136 |
||||
s.outputLen = 32 |
||||
case sha3_384: |
||||
s.rate = 104 |
||||
s.outputLen = 48 |
||||
case sha3_512: |
||||
s.rate = 72 |
||||
s.outputLen = 64 |
||||
case shake_128: |
||||
s.rate = 168 |
||||
case shake_256: |
||||
s.rate = 136 |
||||
default: |
||||
panic("sha3: unrecognized function code") |
||||
} |
||||
|
||||
// limit s.buf size to a multiple of s.rate
|
||||
s.resetBuf() |
||||
return &s |
||||
} |
||||
|
||||
func (s *asmState) clone() *asmState { |
||||
c := *s |
||||
c.buf = c.storage[:len(s.buf):cap(s.buf)] |
||||
return &c |
||||
} |
||||
|
||||
// copyIntoBuf copies b into buf. It will panic if there is not enough space to
|
||||
// store all of b.
|
||||
func (s *asmState) copyIntoBuf(b []byte) { |
||||
bufLen := len(s.buf) |
||||
s.buf = s.buf[:len(s.buf)+len(b)] |
||||
copy(s.buf[bufLen:], b) |
||||
} |
||||
|
||||
// resetBuf points buf at storage, sets the length to 0 and sets cap to be a
|
||||
// multiple of the rate.
|
||||
func (s *asmState) resetBuf() { |
||||
max := (cap(s.storage) / s.rate) * s.rate |
||||
s.buf = s.storage[:0:max] |
||||
} |
||||
|
||||
// Write (via the embedded io.Writer interface) adds more data to the running hash.
|
||||
// It never returns an error.
|
||||
func (s *asmState) Write(b []byte) (int, error) { |
||||
if s.state != spongeAbsorbing { |
||||
panic("sha3: write to sponge after read") |
||||
} |
||||
length := len(b) |
||||
for len(b) > 0 { |
||||
if len(s.buf) == 0 && len(b) >= cap(s.buf) { |
||||
// Hash the data directly and push any remaining bytes
|
||||
// into the buffer.
|
||||
remainder := len(s.buf) % s.rate |
||||
kimd(s.function, &s.a, b[:len(b)-remainder]) |
||||
if remainder != 0 { |
||||
s.copyIntoBuf(b[len(b)-remainder:]) |
||||
} |
||||
return length, nil |
||||
} |
||||
|
||||
if len(s.buf) == cap(s.buf) { |
||||
// flush the buffer
|
||||
kimd(s.function, &s.a, s.buf) |
||||
s.buf = s.buf[:0] |
||||
} |
||||
|
||||
// copy as much as we can into the buffer
|
||||
n := len(b) |
||||
if len(b) > cap(s.buf)-len(s.buf) { |
||||
n = cap(s.buf) - len(s.buf) |
||||
} |
||||
s.copyIntoBuf(b[:n]) |
||||
b = b[n:] |
||||
} |
||||
return length, nil |
||||
} |
||||
|
||||
// Read squeezes an arbitrary number of bytes from the sponge.
|
||||
func (s *asmState) Read(out []byte) (n int, err error) { |
||||
n = len(out) |
||||
|
||||
// need to pad if we were absorbing
|
||||
if s.state == spongeAbsorbing { |
||||
s.state = spongeSqueezing |
||||
|
||||
// write hash directly into out if possible
|
||||
if len(out)%s.rate == 0 { |
||||
klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
|
||||
s.buf = s.buf[:0] |
||||
return |
||||
} |
||||
|
||||
// write hash into buffer
|
||||
max := cap(s.buf) |
||||
if max > len(out) { |
||||
max = (len(out)/s.rate)*s.rate + s.rate |
||||
} |
||||
klmd(s.function, &s.a, s.buf[:max], s.buf) |
||||
s.buf = s.buf[:max] |
||||
} |
||||
|
||||
for len(out) > 0 { |
||||
// flush the buffer
|
||||
if len(s.buf) != 0 { |
||||
c := copy(out, s.buf) |
||||
out = out[c:] |
||||
s.buf = s.buf[c:] |
||||
continue |
||||
} |
||||
|
||||
// write hash directly into out if possible
|
||||
if len(out)%s.rate == 0 { |
||||
klmd(s.function|nopad, &s.a, out, nil) |
||||
return |
||||
} |
||||
|
||||
// write hash into buffer
|
||||
s.resetBuf() |
||||
if cap(s.buf) > len(out) { |
||||
s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate] |
||||
} |
||||
klmd(s.function|nopad, &s.a, s.buf, nil) |
||||
} |
||||
return |
||||
} |
||||
|
||||
// Sum appends the current hash to b and returns the resulting slice.
|
||||
// It does not change the underlying hash state.
|
||||
func (s *asmState) Sum(b []byte) []byte { |
||||
if s.outputLen == 0 { |
||||
panic("sha3: cannot call Sum on SHAKE functions") |
||||
} |
||||
|
||||
// Copy the state to preserve the original.
|
||||
a := s.a |
||||
|
||||
// Hash the buffer. Note that we don't clear it because we
|
||||
// aren't updating the state.
|
||||
klmd(s.function, &a, nil, s.buf) |
||||
return append(b, a[:s.outputLen]...) |
||||
} |
||||
|
||||
// Reset resets the Hash to its initial state.
|
||||
func (s *asmState) Reset() { |
||||
for i := range s.a { |
||||
s.a[i] = 0 |
||||
} |
||||
s.resetBuf() |
||||
s.state = spongeAbsorbing |
||||
} |
||||
|
||||
// Size returns the number of bytes Sum will return.
|
||||
func (s *asmState) Size() int { |
||||
return s.outputLen |
||||
} |
||||
|
||||
// BlockSize returns the hash's underlying block size.
|
||||
// The Write method must be able to accept any amount
|
||||
// of data, but it may operate more efficiently if all writes
|
||||
// are a multiple of the block size.
|
||||
func (s *asmState) BlockSize() int { |
||||
return s.rate |
||||
} |
||||
|
||||
// Clone returns a copy of the ShakeHash in its current state.
|
||||
func (s *asmState) Clone() ShakeHash { |
||||
return s.clone() |
||||
} |
||||
|
||||
// new224Asm returns an assembly implementation of SHA3-224 if available,
|
||||
// otherwise it returns nil.
|
||||
func new224Asm() hash.Hash { |
||||
if hasAsm { |
||||
return newAsmState(sha3_224) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// new256Asm returns an assembly implementation of SHA3-256 if available,
|
||||
// otherwise it returns nil.
|
||||
func new256Asm() hash.Hash { |
||||
if hasAsm { |
||||
return newAsmState(sha3_256) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// new384Asm returns an assembly implementation of SHA3-384 if available,
|
||||
// otherwise it returns nil.
|
||||
func new384Asm() hash.Hash { |
||||
if hasAsm { |
||||
return newAsmState(sha3_384) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// new512Asm returns an assembly implementation of SHA3-512 if available,
|
||||
// otherwise it returns nil.
|
||||
func new512Asm() hash.Hash { |
||||
if hasAsm { |
||||
return newAsmState(sha3_512) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// newShake128Asm returns an assembly implementation of SHAKE-128 if available,
|
||||
// otherwise it returns nil.
|
||||
func newShake128Asm() ShakeHash { |
||||
if hasAsm { |
||||
return newAsmState(shake_128) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// newShake256Asm returns an assembly implementation of SHAKE-256 if available,
|
||||
// otherwise it returns nil.
|
||||
func newShake256Asm() ShakeHash { |
||||
if hasAsm { |
||||
return newAsmState(shake_256) |
||||
} |
||||
return nil |
||||
} |
||||
@ -0,0 +1,49 @@ |
||||
// Copyright 2017 The Go Authors. All rights reserved. |
||||
// Use of this source code is governed by a BSD-style |
||||
// license that can be found in the LICENSE file. |
||||
|
||||
//+build !gccgo,!appengine |
||||
|
||||
#include "textflag.h" |
||||
|
||||
TEXT ·hasMSA6(SB), NOSPLIT, $16-1 |
||||
MOVD $0, R0 // KIMD-Query function code |
||||
MOVD $tmp-16(SP), R1 // parameter block |
||||
XC $16, (R1), (R1) // clear the parameter block |
||||
WORD $0xB93E0002 // KIMD --, -- |
||||
WORD $0x91FC1004 // TM 4(R1), 0xFC (test bits [32-37]) |
||||
BVS yes |
||||
|
||||
no: |
||||
MOVB $0, ret+0(FP) |
||||
RET |
||||
|
||||
yes: |
||||
MOVB $1, ret+0(FP) |
||||
RET |
||||
|
||||
// func kimd(function code, params *[200]byte, src []byte) |
||||
TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40 |
||||
MOVD function+0(FP), R0 |
||||
MOVD params+8(FP), R1 |
||||
LMG src+16(FP), R2, R3 // R2=base, R3=len |
||||
|
||||
continue: |
||||
WORD $0xB93E0002 // KIMD --, R2 |
||||
BVS continue // continue if interrupted |
||||
MOVD $0, R0 // reset R0 for pre-go1.8 compilers |
||||
RET |
||||
|
||||
// func klmd(function code, params *[200]byte, dst, src []byte) |
||||
TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64 |
||||
// TODO: SHAKE support |
||||
MOVD function+0(FP), R0 |
||||
MOVD params+8(FP), R1 |
||||
LMG dst+16(FP), R2, R3 // R2=base, R3=len |
||||
LMG src+40(FP), R4, R5 // R4=base, R5=len |
||||
|
||||
continue: |
||||
WORD $0xB93F0024 // KLMD R2, R4 |
||||
BVS continue // continue if interrupted |
||||
MOVD $0, R0 // reset R0 for pre-go1.8 compilers |
||||
RET |
||||
@ -0,0 +1,19 @@ |
||||
// Copyright 2017 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//+build gccgo appengine !s390x
|
||||
|
||||
package sha3 |
||||
|
||||
// newShake128Asm returns an assembly implementation of SHAKE-128 if available,
|
||||
// otherwise it returns nil.
|
||||
func newShake128Asm() ShakeHash { |
||||
return nil |
||||
} |
||||
|
||||
// newShake256Asm returns an assembly implementation of SHAKE-256 if available,
|
||||
// otherwise it returns nil.
|
||||
func newShake256Asm() ShakeHash { |
||||
return nil |
||||
} |
||||
0
crypto/sha3/xor_unaligned.go → vendor/golang.org/x/crypto/sha3/xor_unaligned.go
generated
vendored
0
crypto/sha3/xor_unaligned.go → vendor/golang.org/x/crypto/sha3/xor_unaligned.go
generated
vendored
@ -0,0 +1,12 @@ |
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build aix
|
||||
|
||||
package terminal |
||||
|
||||
import "golang.org/x/sys/unix" |
||||
|
||||
const ioctlReadTermios = unix.TCGETS |
||||
const ioctlWriteTermios = unix.TCSETS |
||||
Loading…
Reference in new issue