/src/gnutls/lib/accelerated/x86/aes-gcm-x86-ssse3.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) 2011-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2018 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | /* |
25 | | * The following code is an implementation of the AES-128-GCM cipher |
26 | | */ |
27 | | |
28 | | #include "errors.h" |
29 | | #include "gnutls_int.h" |
30 | | |
31 | | #ifdef HAVE_LIBNETTLE |
32 | | |
33 | | #include <gnutls/crypto.h> |
34 | | #include "errors.h" |
35 | | #include "aes-x86.h" |
36 | | #include "x86-common.h" |
37 | | #include <byteswap.h> |
38 | | #include <nettle/gcm.h> |
39 | | #include <nettle/version.h> |
40 | | #include <assert.h> |
41 | | |
42 | | /* GCM mode |
43 | | * It is used when the CPU doesn't include the PCLMUL instructions. |
44 | | */ |
45 | | struct gcm_x86_aes_ctx { |
46 | | struct GCM_CTX(AES_KEY) inner; |
47 | | size_t rekey_counter; |
48 | | }; |
49 | | |
50 | | static void x86_aes_encrypt(const void *_ctx, size_t length, uint8_t *dst, |
51 | | const uint8_t *src) |
52 | 0 | { |
53 | 0 | AES_KEY *ctx = (void *)_ctx; |
54 | 0 | unsigned i; |
55 | 0 | unsigned blocks = (length + 15) / 16; |
56 | |
|
57 | 0 | assert(blocks * 16 == length); |
58 | |
|
59 | 0 | for (i = 0; i < blocks; i++) { |
60 | 0 | vpaes_encrypt(src, dst, ctx); |
61 | 0 | dst += 16; |
62 | 0 | src += 16; |
63 | 0 | } |
64 | 0 | } |
65 | | |
66 | | static void x86_aes_128_set_encrypt_key(void *_ctx, const uint8_t *key) |
67 | 0 | { |
68 | 0 | AES_KEY *ctx = _ctx; |
69 | |
|
70 | 0 | vpaes_set_encrypt_key(key, 16 * 8, ctx); |
71 | 0 | } |
72 | | |
73 | | static void x86_aes_192_set_encrypt_key(void *_ctx, const uint8_t *key) |
74 | 0 | { |
75 | 0 | AES_KEY *ctx = _ctx; |
76 | |
|
77 | 0 | vpaes_set_encrypt_key(key, 24 * 8, ctx); |
78 | 0 | } |
79 | | |
80 | | static void x86_aes_256_set_encrypt_key(void *_ctx, const uint8_t *key) |
81 | 0 | { |
82 | 0 | AES_KEY *ctx = _ctx; |
83 | |
|
84 | 0 | vpaes_set_encrypt_key(key, 32 * 8, ctx); |
85 | 0 | } |
86 | | |
87 | | static int aes_gcm_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, |
88 | | int enc) |
89 | 0 | { |
90 | | /* we use key size to distinguish */ |
91 | 0 | if (algorithm != GNUTLS_CIPHER_AES_128_GCM && |
92 | 0 | algorithm != GNUTLS_CIPHER_AES_192_GCM && |
93 | 0 | algorithm != GNUTLS_CIPHER_AES_256_GCM) |
94 | 0 | return GNUTLS_E_INVALID_REQUEST; |
95 | | |
96 | 0 | *_ctx = gnutls_calloc(1, sizeof(struct gcm_x86_aes_ctx)); |
97 | 0 | if (*_ctx == NULL) { |
98 | 0 | gnutls_assert(); |
99 | 0 | return GNUTLS_E_MEMORY_ERROR; |
100 | 0 | } |
101 | | |
102 | 0 | return 0; |
103 | 0 | } |
104 | | |
105 | | static int aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize) |
106 | 0 | { |
107 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
108 | |
|
109 | 0 | if (keysize == 16) { |
110 | 0 | GCM_SET_KEY(&ctx->inner, x86_aes_128_set_encrypt_key, |
111 | 0 | x86_aes_encrypt, key); |
112 | 0 | } else if (keysize == 24) { |
113 | 0 | GCM_SET_KEY(&ctx->inner, x86_aes_192_set_encrypt_key, |
114 | 0 | x86_aes_encrypt, key); |
115 | 0 | } else if (keysize == 32) { |
116 | 0 | GCM_SET_KEY(&ctx->inner, x86_aes_256_set_encrypt_key, |
117 | 0 | x86_aes_encrypt, key); |
118 | 0 | } else |
119 | 0 | return GNUTLS_E_INVALID_REQUEST; |
120 | | |
121 | 0 | ctx->rekey_counter = 0; |
122 | 0 | return 0; |
123 | 0 | } |
124 | | |
125 | | static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size) |
126 | 0 | { |
127 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
128 | |
|
129 | 0 | if (iv_size != GCM_BLOCK_SIZE - 4) |
130 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
131 | | |
132 | 0 | GCM_SET_IV(&ctx->inner, iv_size, iv); |
133 | |
|
134 | 0 | ctx->rekey_counter = 0; |
135 | 0 | return 0; |
136 | 0 | } |
137 | | |
138 | | static int aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size, |
139 | | void *dst, size_t length) |
140 | 0 | { |
141 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
142 | 0 | int ret; |
143 | |
|
144 | 0 | if (unlikely(length < src_size)) |
145 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
146 | | |
147 | 0 | ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size); |
148 | 0 | if (ret < 0) { |
149 | 0 | return gnutls_assert_val(ret); |
150 | 0 | } |
151 | | |
152 | 0 | GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); |
153 | |
|
154 | 0 | return 0; |
155 | 0 | } |
156 | | |
157 | | static int aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size, |
158 | | void *dst, size_t dst_size) |
159 | 0 | { |
160 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
161 | |
|
162 | 0 | if (unlikely(dst_size < src_size)) |
163 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
164 | | |
165 | 0 | GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src); |
166 | 0 | return 0; |
167 | 0 | } |
168 | | |
169 | | static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size) |
170 | 0 | { |
171 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
172 | |
|
173 | 0 | GCM_UPDATE(&ctx->inner, src_size, src); |
174 | |
|
175 | 0 | return 0; |
176 | 0 | } |
177 | | |
178 | | static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize) |
179 | 0 | { |
180 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
181 | 0 | uint8_t buffer[GCM_DIGEST_SIZE]; |
182 | |
|
183 | | #if NETTLE_VERSION_MAJOR >= 4 |
184 | | GCM_DIGEST(&ctx->inner, x86_aes_encrypt, buffer); |
185 | | #else |
186 | 0 | GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, buffer); |
187 | 0 | #endif |
188 | 0 | memcpy(tag, buffer, tagsize); |
189 | 0 | } |
190 | | |
191 | | static void aes_gcm_deinit(void *_ctx) |
192 | 0 | { |
193 | 0 | struct gcm_x86_aes_ctx *ctx = _ctx; |
194 | |
|
195 | 0 | zeroize_key(ctx, sizeof(*ctx)); |
196 | | gnutls_free(ctx); |
197 | 0 | } |
198 | | |
199 | | #include "aes-gcm-aead.h" |
200 | | |
201 | | const gnutls_crypto_cipher_st _gnutls_aes_gcm_x86_ssse3 = { |
202 | | .init = aes_gcm_cipher_init, |
203 | | .setkey = aes_gcm_cipher_setkey, |
204 | | .setiv = aes_gcm_setiv, |
205 | | .aead_encrypt = aes_gcm_aead_encrypt, |
206 | | .aead_decrypt = aes_gcm_aead_decrypt, |
207 | | .encrypt = aes_gcm_encrypt, |
208 | | .decrypt = aes_gcm_decrypt, |
209 | | .deinit = aes_gcm_deinit, |
210 | | .tag = aes_gcm_tag, |
211 | | .auth = aes_gcm_auth, |
212 | | }; |
213 | | |
214 | | #endif |