author | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-10-01 03:50:58 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-10-02 14:37:53 +0200 |
commit | 30b08000fadb23358e48b382afa2097339ee9bba (patch) | |
tree | a7f4dfa99b0853156272b927860f1e54389ae14a /src | |
parent | crypto: use ZINC_ARCH macros (diff) | |
poly1305: document rationale for base 2^26->2^64/32 conversion
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/crypto/zinc/poly1305/poly1305-arm-glue.h | 11 | ||||
-rw-r--r-- | src/crypto/zinc/poly1305/poly1305-x86_64-glue.h | 9 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/crypto/zinc/poly1305/poly1305-arm-glue.h b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
index c694524..92aa226 100644
--- a/src/crypto/zinc/poly1305/poly1305-arm-glue.h
+++ b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
@@ -50,6 +50,17 @@ struct poly1305_arch_internal {
 };
 #endif
 
+/* The NEON code uses base 2^26, while the scalar code uses base 2^64 on 64-bit
+ * and base 2^32 on 32-bit. If we hit the unfortunate situation of using NEON
+ * and then having to go back to scalar -- because the user is silly and has
+ * called the update function from two separate contexts -- then we need to
+ * convert back to the original base before proceeding. The below function is
+ * written for 64-bit integers, and so we have to swap words at the end on
+ * big-endian 32-bit. It is possible to reason that the initial reduction below
+ * is sufficient given the implementation invariants. However, for an avoidance
+ * of doubt and because this is not performance critical, we do the full
+ * reduction anyway.
+ */
 static void convert_to_base2_64(void *ctx)
 {
 	struct poly1305_arch_internal *state = ctx;
diff --git a/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h b/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h
index b1248e8..585b579 100644
--- a/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h
+++ b/src/crypto/zinc/poly1305/poly1305-x86_64-glue.h
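Review bot: The new comment rests its correctness argument on "the implementation invariants" without naming them, so a reader of convert_to_base2_64 (whose body continues outside the hunk) cannot check either the claim that the initial reduction would already suffice or that the full reduction covers every state the NEON path can leave behind; the poly1305-x86_64-glue.h hunk has the same wording about the AVX path. I would state the precondition concretely, e.g. `* Precondition: h[] holds base 2^26 limbs as left by the NEON code, i.e. within` / `* the limb bounds that code maintains ([bound] — fill in from the NEON code); the` / `* full carry chain below stays correct even if those bounds are looser.` The trigger "the user is silly and has called the update function from two separate contexts" is also vague for a conversion whose result feeds the authenticator: naming the exact condition under which the scalar path takes over a SIMD-format state (presumably that the SIMD unit is not usable in the calling context — confirm against the caller) would make this function's contract auditable.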
@@ -67,6 +67,15 @@ struct poly1305_arch_internal {
 	struct { u32 r2, r1, r4, r3; } rn[9];
 };
 
+/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit
+ * the unfortunate situation of using AVX and then having to go back to scalar
+ * -- because the user is silly and has called the update function from two
+ * separate contexts -- then we need to convert back to the original base before
+ * proceeding. It is possible to reason that the initial reduction below is
+ * sufficient given the implementation invariants. However, for an avoidance of
+ * doubt and because this is not performance critical, we do the full reduction
+ * anyway.
+ */
 static void convert_to_base2_64(void *ctx)
 {
 	struct poly1305_arch_internal *state = ctx;