/src/gnutls/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) 2011-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2018 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | /* |
25 | | * The following code is an implementation of the AES-GCM cipher |
26 | | * using Intel's AES-NI, PCLMULQDQ and AVX instruction sets. |
27 | | */ |
28 | | |
29 | | #include "errors.h" |
30 | | #include "gnutls_int.h" |
31 | | #include <gnutls/crypto.h> |
33 | | #include "aes-x86.h" |
34 | | #include "x86-common.h" |
35 | | #include <nettle/memxor.h> |
36 | | #include <byteswap.h> |
37 | | |
38 | 0 | #define GCM_BLOCK_SIZE 16 |
39 | | |
40 | | /* GCM mode with PCLMUL and AVX optimization */ |
41 | | |
42 | | typedef struct { |
43 | | uint64_t hi, lo; |
44 | | } u128; |
45 | | |
46 | | /* This is the gcm128 structure used in openssl. It |
47 | | * is compatible with the included assembly code. |
48 | | */ |
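| | /* Field roles (cf. NIST SP 800-38D): Yi is the current counter |
| |  * block, EKi the encrypted counter, EK0 = E(K, J0) used to mask |
| |  * the final tag, len the AAD/ciphertext byte counts, Xi the |
| |  * running GHASH state, H the hash subkey E(K, 0^128), and |
| |  * Htable the precomputed multiples of H consumed by the AVX |
| |  * GHASH routines below. |
| |  */ |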
49 | | struct gcm128_context { |
50 | | union { |
51 | | uint64_t u[2]; |
52 | | uint32_t d[4]; |
53 | | uint8_t c[16]; |
54 | | size_t t[16 / sizeof(size_t)]; |
55 | | } Yi, EKi, EK0, len, Xi, H; |
56 | | u128 Htable[16]; |
57 | | }; |
58 | | |
59 | | struct aes_gcm_ctx { |
60 | | AES_KEY expanded_key; |
61 | | struct gcm128_context gcm; |
62 | | unsigned finished; |
63 | | unsigned auth_finished; |
64 | | size_t rekey_counter; |
65 | | }; |
66 | | |
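| | /* Assembly GHASH primitives (OpenSSL's ghash-x86_64 code): |
| |  * gcm_init_avx expands H into Htable, gcm_ghash_avx folds whole |
| |  * 16-byte blocks into Xi, and gcm_gmult_avx performs a single |
| |  * Xi <- Xi * H multiplication. |
| |  */ |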
67 | | void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]); |
68 | | void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in, |
69 | | size_t len); |
70 | | void gcm_gmult_avx(uint64_t Xi[2], const u128 Htable[16]); |
71 | | |
72 | | static void aes_gcm_deinit(void *_ctx) |
73 | 0 | { |
74 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
75 | |
76 | 0 | zeroize_temp_key(ctx, sizeof(*ctx)); |
77 | 0 | gnutls_free(ctx); |
78 | 0 | } |
79 | | |
80 | | static int aes_gcm_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, |
81 | | int enc) |
82 | 0 | { |
83 | | /* we use the key size to distinguish the AES-GCM variants, so no algorithm state is stored */ |
84 | 0 | if (algorithm != GNUTLS_CIPHER_AES_128_GCM && |
85 | 0 | algorithm != GNUTLS_CIPHER_AES_192_GCM && |
86 | 0 | algorithm != GNUTLS_CIPHER_AES_256_GCM) |
87 | 0 | return GNUTLS_E_INVALID_REQUEST; |
88 | | |
89 | 0 | *_ctx = gnutls_calloc(1, sizeof(struct aes_gcm_ctx)); |
90 | 0 | if (*_ctx == NULL) { |
91 | 0 | gnutls_assert(); |
92 | 0 | return GNUTLS_E_MEMORY_ERROR; |
93 | 0 | } |
94 | | |
95 | 0 | return 0; |
96 | 0 | } |
97 | | |
98 | | static int aes_gcm_cipher_setkey(void *_ctx, const void *userkey, |
99 | | size_t keysize) |
100 | 0 | { |
101 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
102 | 0 | int ret; |
103 | |
104 | 0 | CHECK_AES_KEYSIZE(keysize); |
105 | | |
106 | 0 | ret = aesni_set_encrypt_key(userkey, keysize * 8, |
107 | 0 | ALIGN16(&ctx->expanded_key)); |
108 | 0 | if (ret != 0) |
109 | 0 | return gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED); |
110 | | |
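| | /* Derive the GHASH subkey H = E(K, 0^128): H.c is all zero in |
| |  * the freshly calloc'ed context and is encrypted in place; the |
| |  * byte swaps below put H in the word order the PCLMUL assembly |
| |  * expects before Htable is precomputed. |
| |  */ |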
111 | 0 | aesni_ecb_encrypt(ctx->gcm.H.c, ctx->gcm.H.c, GCM_BLOCK_SIZE, |
112 | 0 | ALIGN16(&ctx->expanded_key), 1); |
113 | |
114 | 0 | ctx->gcm.H.u[0] = bswap_64(ctx->gcm.H.u[0]); |
115 | 0 | ctx->gcm.H.u[1] = bswap_64(ctx->gcm.H.u[1]); |
116 | |
117 | 0 | gcm_init_avx(ctx->gcm.Htable, ctx->gcm.H.u); |
118 | |
119 | 0 | ctx->rekey_counter = 0; |
120 | 0 | return 0; |
121 | 0 | } |
122 | | |
123 | | static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) |
124 | 0 | { |
125 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
126 | |
127 | 0 | if (iv_size != GCM_BLOCK_SIZE - 4) |
128 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
129 | | |
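| | /* Only the 96-bit nonce path of SP 800-38D is supported: the |
| |  * initial counter block is J0 = IV || 0x00000001. EK0 = E(K, J0) |
| |  * is saved to mask the tag, and the counter is then set to 2 |
| |  * for the first block of payload. |
| |  */ |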
130 | 0 | memset(ctx->gcm.Xi.c, 0, sizeof(ctx->gcm.Xi.c)); |
131 | 0 | memset(ctx->gcm.len.c, 0, sizeof(ctx->gcm.len.c)); |
132 | |
133 | 0 | memcpy(ctx->gcm.Yi.c, iv, GCM_BLOCK_SIZE - 4); |
134 | 0 | ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 4] = 0; |
135 | 0 | ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 3] = 0; |
136 | 0 | ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 2] = 0; |
137 | 0 | ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 1; |
138 | |
139 | 0 | aesni_ecb_encrypt(ctx->gcm.Yi.c, ctx->gcm.EK0.c, GCM_BLOCK_SIZE, |
140 | 0 | ALIGN16(&ctx->expanded_key), 1); |
141 | 0 | ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2; |
142 | 0 | ctx->finished = 0; |
143 | 0 | ctx->auth_finished = 0; |
144 | 0 | ctx->rekey_counter = 0; |
145 | 0 | return 0; |
146 | 0 | } |
147 | | |
148 | | static void gcm_ghash(struct aes_gcm_ctx *ctx, const uint8_t *src, |
149 | | size_t src_size) |
150 | 0 | { |
151 | 0 | size_t rest = src_size % GCM_BLOCK_SIZE; |
152 | 0 | size_t aligned_size = src_size - rest; |
153 | |
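| | /* Whole blocks go through the assembly; a ragged tail is |
| |  * implicitly zero-padded by XORing it into Xi and doing one |
| |  * extra GHASH multiplication. |
| |  */ |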
154 | 0 | if (aligned_size > 0) |
155 | 0 | gcm_ghash_avx(ctx->gcm.Xi.u, ctx->gcm.Htable, src, |
156 | 0 | aligned_size); |
157 | |
158 | 0 | if (rest > 0) { |
159 | 0 | memxor(ctx->gcm.Xi.c, src + aligned_size, rest); |
160 | 0 | gcm_gmult_avx(ctx->gcm.Xi.u, ctx->gcm.Htable); |
161 | 0 | } |
162 | 0 | } |
163 | | |
164 | | static inline void ctr_encrypt_last(struct aes_gcm_ctx *ctx, const uint8_t *src, |
165 | | uint8_t *dst, size_t pos, size_t length) |
166 | 0 | { |
167 | 0 | uint8_t tmp[GCM_BLOCK_SIZE]; |
168 | 0 | uint8_t out[GCM_BLOCK_SIZE]; |
169 | |
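| | /* Stage the partial block in a full 16-byte buffer so the CTR |
| |  * assembly processes exactly one block; only 'length' bytes of |
| |  * the output are copied back. |
| |  */ |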
170 | 0 | memcpy(tmp, &src[pos], length); |
171 | 0 | aesni_ctr32_encrypt_blocks(tmp, out, 1, ALIGN16(&ctx->expanded_key), |
172 | 0 | ctx->gcm.Yi.c); |
173 | |
174 | 0 | memcpy(&dst[pos], out, length); |
175 | 0 | } |
176 | | |
177 | | static int aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, |
178 | | void *dst, size_t length) |
179 | 0 | { |
180 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
181 | 0 | int blocks = src_size / GCM_BLOCK_SIZE; |
182 | 0 | int exp_blocks = blocks * GCM_BLOCK_SIZE; |
183 | 0 | int rest = src_size - (exp_blocks); |
184 | 0 | uint32_t counter; |
185 | 0 | int ret; |
186 | |
187 | 0 | if (unlikely(ctx->finished)) |
188 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
189 | | |
190 | 0 | if (unlikely(length < src_size)) |
191 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
192 | | |
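| | /* Enforce the per-key limit on encrypted data before any |
| |  * counter space is consumed. |
| |  */ |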
193 | 0 | ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); |
194 | 0 | if (ret < 0) { |
195 | 0 | return gnutls_assert_val(ret); |
196 | 0 | } |
197 | | |
198 | 0 | if (blocks > 0) { |
199 | 0 | aesni_ctr32_encrypt_blocks(src, dst, blocks, |
200 | 0 | ALIGN16(&ctx->expanded_key), |
201 | 0 | ctx->gcm.Yi.c); |
202 | |
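| | /* The assembly advances only its private copy of the counter; |
| |  * account for the consumed blocks in the big-endian counter |
| |  * word at Yi[12..15]. |
| |  */ |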
203 | 0 | counter = _gnutls_read_uint32(ctx->gcm.Yi.c + 12); |
204 | 0 | counter += blocks; |
205 | 0 | _gnutls_write_uint32(counter, ctx->gcm.Yi.c + 12); |
206 | 0 | } |
207 | |
208 | 0 | if (rest > 0) { /* last incomplete block */ |
209 | 0 | ctr_encrypt_last(ctx, src, dst, exp_blocks, rest); |
210 | 0 | ctx->finished = 1; |
211 | 0 | } |
212 | |
213 | 0 | gcm_ghash(ctx, dst, src_size); |
214 | 0 | ctx->gcm.len.u[1] += src_size; |
215 | |
216 | 0 | return 0; |
217 | 0 | } |
218 | | |
219 | | static int aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size, |
220 | | void *dst, size_t dst_size) |
221 | 0 | { |
222 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
223 | 0 | int blocks = src_size / GCM_BLOCK_SIZE; |
224 | 0 | int exp_blocks = blocks * GCM_BLOCK_SIZE; |
225 | 0 | int rest = src_size - (exp_blocks); |
226 | 0 | uint32_t counter; |
227 | |
228 | 0 | if (unlikely(ctx->finished)) |
229 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
230 | | |
231 | 0 | if (unlikely(dst_size < src_size)) |
232 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
233 | | |
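| | /* When decrypting, GHASH is computed over the ciphertext (the |
| |  * input) before it is decrypted below. |
| |  */ |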
234 | 0 | gcm_ghash(ctx, src, src_size); |
235 | 0 | ctx->gcm.len.u[1] += src_size; |
236 | |
237 | 0 | if (blocks > 0) { |
238 | 0 | aesni_ctr32_encrypt_blocks(src, dst, blocks, |
239 | 0 | ALIGN16(&ctx->expanded_key), |
240 | 0 | ctx->gcm.Yi.c); |
241 | |
242 | 0 | counter = _gnutls_read_uint32(ctx->gcm.Yi.c + 12); |
243 | 0 | counter += blocks; |
244 | 0 | _gnutls_write_uint32(counter, ctx->gcm.Yi.c + 12); |
245 | 0 | } |
246 | |
247 | 0 | if (rest > 0) { /* last incomplete block */ |
248 | 0 | ctr_encrypt_last(ctx, src, dst, exp_blocks, rest); |
249 | 0 | ctx->finished = 1; |
250 | 0 | } |
251 | |
252 | 0 | return 0; |
253 | 0 | } |
254 | | |
255 | | static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) |
256 | 0 | { |
257 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
258 | |
259 | 0 | if (unlikely(ctx->auth_finished)) |
260 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
261 | | |
262 | 0 | gcm_ghash(ctx, src, src_size); |
263 | 0 | ctx->gcm.len.u[0] += src_size; |
264 | |
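| | /* GHASH implicitly zero-pads a partial block, so once a |
| |  * non-multiple of 16 bytes has been absorbed no further AAD |
| |  * may be added. |
| |  */ |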
265 | 0 | if (src_size % GCM_BLOCK_SIZE != 0) |
266 | 0 | ctx->auth_finished = 1; |
267 | |
268 | 0 | return 0; |
269 | 0 | } |
270 | | |
271 | | static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) |
272 | 0 | { |
273 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
274 | 0 | uint8_t buffer[GCM_BLOCK_SIZE]; |
275 | 0 | uint64_t alen, clen; |
276 | |
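| | /* Finish GHASH with the lengths block [len(A)]_64 || [len(C)]_64 |
| |  * (in bits), then mask the result with EK0 = E(K, J0). |
| |  */ |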
277 | 0 | alen = ctx->gcm.len.u[0] * 8; |
278 | 0 | clen = ctx->gcm.len.u[1] * 8; |
279 | |
280 | 0 | _gnutls_write_uint64(alen, buffer); |
281 | 0 | _gnutls_write_uint64(clen, &buffer[8]); |
282 | |
283 | 0 | gcm_ghash_avx(ctx->gcm.Xi.u, ctx->gcm.Htable, buffer, GCM_BLOCK_SIZE); |
284 | |
285 | 0 | ctx->gcm.Xi.u[0] ^= ctx->gcm.EK0.u[0]; |
286 | 0 | ctx->gcm.Xi.u[1] ^= ctx->gcm.EK0.u[1]; |
287 | |
288 | 0 | memcpy(tag, ctx->gcm.Xi.c, MIN(GCM_BLOCK_SIZE, tagsize)); |
289 | 0 | } |
290 | | |
291 | | #ifdef ASM_X86_64 |
292 | | /* requires AVX */ |
293 | | static int aesni_gcm_aead_encrypt(void *_ctx, const void *nonce, |
294 | | size_t nonce_size, const void *auth, |
295 | | size_t auth_size, size_t tag_size, |
296 | | const void *plain, size_t plain_size, |
297 | | void *encr, size_t encr_size) |
298 | 0 | { |
299 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
300 | 0 | size_t s = 0; |
301 | 0 | int ret; |
302 | |
303 | 0 | if (encr_size < plain_size + tag_size) |
304 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
305 | | |
306 | 0 | ret = aes_gcm_setiv(ctx, nonce, nonce_size); |
307 | 0 | if (ret < 0) { |
308 | 0 | return gnutls_assert_val(ret); |
309 | 0 | } |
310 | | |
311 | | /* Always succeeds in this call sequence. */ |
312 | 0 | (void)aes_gcm_auth(ctx, auth, auth_size); |
313 | |
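| | /* The stitched AES-CTR/GHASH assembly works in 6-block (96-byte) |
| |  * units and returns the number of bytes it consumed; any |
| |  * remainder falls through to the block-at-a-time path below. |
| |  */ |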
314 | 0 | if (plain_size >= 96) { |
315 | 0 | s = aesni_gcm_encrypt(plain, encr, plain_size, |
316 | 0 | ALIGN16(&ctx->expanded_key), |
317 | 0 | ctx->gcm.Yi.c, ctx->gcm.Xi.u); |
318 | 0 | ctx->gcm.len.u[1] += s; |
319 | 0 | } |
320 | |
321 | 0 | if ((plain_size - s) > 0) |
322 | 0 | aes_gcm_encrypt(ctx, ((uint8_t *)plain) + s, plain_size - s, |
323 | 0 | ((uint8_t *)encr) + s, encr_size - s); |
324 | |
325 | 0 | aes_gcm_tag(ctx, ((uint8_t *)encr) + plain_size, tag_size); |
326 | |
327 | 0 | return 0; |
328 | 0 | } |
329 | | |
330 | | static int aesni_gcm_aead_decrypt(void *_ctx, const void *nonce, |
331 | | size_t nonce_size, const void *auth, |
332 | | size_t auth_size, size_t tag_size, |
333 | | const void *encr, size_t encr_size, |
334 | | void *plain, size_t plain_size) |
335 | 0 | { |
336 | 0 | struct aes_gcm_ctx *ctx = _ctx; |
337 | 0 | uint8_t tag[MAX_HASH_SIZE]; |
338 | 0 | size_t s = 0; |
339 | 0 | int ret; |
340 | |
341 | 0 | if (unlikely(encr_size < tag_size)) |
342 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
343 | | |
344 | 0 | if (unlikely(plain_size < encr_size - tag_size)) |
345 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
346 | | |
347 | 0 | ret = aes_gcm_setiv(ctx, nonce, nonce_size); |
348 | 0 | if (ret < 0) { |
349 | 0 | return gnutls_assert_val(ret); |
350 | 0 | } |
351 | | |
352 | | /* Always succeeds in this call sequence. */ |
353 | 0 | (void)aes_gcm_auth(ctx, auth, auth_size); |
354 | |
355 | 0 | encr_size -= tag_size; |
356 | |
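| | /* Same 96-byte threshold as the encrypt path. */ |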
357 | 0 | if (encr_size >= 96) { |
358 | 0 | s = aesni_gcm_decrypt(encr, plain, encr_size, |
359 | 0 | ALIGN16(&ctx->expanded_key), |
360 | 0 | ctx->gcm.Yi.c, ctx->gcm.Xi.u); |
361 | 0 | ctx->gcm.len.u[1] += s; |
362 | 0 | } |
363 | |
364 | 0 | if ((encr_size - s) > 0) { |
365 | 0 | aes_gcm_decrypt(ctx, ((uint8_t *)encr) + s, encr_size - s, |
366 | 0 | ((uint8_t *)plain) + s, plain_size - s); |
367 | 0 | } |
368 | |
369 | 0 | aes_gcm_tag(ctx, tag, tag_size); |
370 | |
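| | /* Compare the computed tag against the trailing tag bytes in |
| |  * constant time. |
| |  */ |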
371 | 0 | if (gnutls_memcmp(((uint8_t *)encr) + encr_size, tag, tag_size) != 0) |
372 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
373 | | |
374 | 0 | return 0; |
375 | 0 | } |
376 | | #else |
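| | /* Without the x86-64 stitched assembly, the generic AEAD |
| |  * wrappers from aes-gcm-aead.h (built on the encrypt/auth/tag |
| |  * primitives above) are used instead. |
| |  */ |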
377 | | #define aesni_gcm_aead_decrypt aes_gcm_aead_decrypt |
378 | | #define aesni_gcm_aead_encrypt aes_gcm_aead_encrypt |
379 | | #include "aes-gcm-aead.h" |
380 | | #endif |
381 | | |
382 | | const gnutls_crypto_cipher_st _gnutls_aes_gcm_pclmul_avx = { |
383 | | .init = aes_gcm_cipher_init, |
384 | | .setkey = aes_gcm_cipher_setkey, |
385 | | .setiv = aes_gcm_setiv, |
386 | | .aead_encrypt = aesni_gcm_aead_encrypt, |
387 | | .aead_decrypt = aesni_gcm_aead_decrypt, |
388 | | .encrypt = aes_gcm_encrypt, |
389 | | .decrypt = aes_gcm_decrypt, |
390 | | .deinit = aes_gcm_deinit, |
391 | | .tag = aes_gcm_tag, |
392 | | .auth = aes_gcm_auth, |
393 | | }; |