CoCalc -- aesni.c

GitHub Repository: godotengine/godot
Path: blob/master/thirdparty/mbedtls/library/aesni.c
⁹⁸⁹⁸ views
1
/*
2
 *  AES-NI support functions
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7

8
/*
9
 * [AES-WP] https://www.intel.com/content/www/us/en/developer/articles/tool/intel-advanced-encryption-standard-aes-instructions-set.html
10
 * [CLMUL-WP] https://www.intel.com/content/www/us/en/develop/download/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode.html
11
 */
12

13
#include "common.h"
14

15
#if defined(MBEDTLS_AESNI_C)
16

17
#include "aesni.h"
18

19
#include <string.h>
20

21
#if defined(MBEDTLS_AESNI_HAVE_CODE)
22

23
#if MBEDTLS_AESNI_HAVE_CODE == 2
24
#if defined(__GNUC__)
25
#include <cpuid.h>
26
#elif defined(_MSC_VER)
27
#include <intrin.h>
28
#else
29
#error "`__cpuid` required by MBEDTLS_AESNI_C is not supported by the compiler"
30
#endif
31
#include <immintrin.h>
32
#endif
33

34
#if defined(MBEDTLS_ARCH_IS_X86)
35
#if defined(MBEDTLS_COMPILER_IS_GCC)
36
#pragma GCC push_options
37
#pragma GCC target ("pclmul,sse2,aes")
38
#define MBEDTLS_POP_TARGET_PRAGMA
39
#elif defined(__clang__) && (__clang_major__ >= 5)
40
#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function)
41
#define MBEDTLS_POP_TARGET_PRAGMA
42
#endif
43
#endif
44

45
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
46
/*
47
 * AES-NI support detection routine
48
 */
49
int mbedtls_aesni_has_support(unsigned int what)
50
{
51
    /* To avoid a race condition, tell the compiler that the assignment
52
     * `done = 1` and the assignment to `c` may not be reordered.
53
     * https://github.com/Mbed-TLS/mbedtls/issues/9840
54
     *
55
     * Note that we may also be worried about memory access reordering,
56
     * but fortunately the x86 memory model is not too wild: stores
57
     * from the same thread are observed consistently by other threads.
58
     * (See example 8-1 in Sewell et al., "x86-TSO: A Rigorous and Usable
59
     * Programmer’s Model for x86 Multiprocessors", CACM, 2010,
60
     * https://www.cl.cam.ac.uk/~pes20/weakmemory/cacm.pdf)
61
     */
62
    static volatile int done = 0;
63
    static volatile unsigned int c = 0;
64

65
    if (!done) {
66
#if MBEDTLS_AESNI_HAVE_CODE == 2
67
        static int info[4] = { 0, 0, 0, 0 };
68
#if defined(_MSC_VER)
69
        __cpuid(info, 1);
70
#else
71
        __cpuid(1, info[0], info[1], info[2], info[3]);
72
#endif
73
        c = info[2];
74
#else /* AESNI using asm */
75
        asm ("movl  $1, %%eax   \n\t"
76
             "cpuid             \n\t"
77
             : "=c" (c)
78
             :
79
             : "eax", "ebx", "edx");
80
#endif /* MBEDTLS_AESNI_HAVE_CODE */
81
        done = 1;
82
    }
83

84
    return (c & what) != 0;
85
}
86
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
87

88
#if MBEDTLS_AESNI_HAVE_CODE == 2
89

90
/*
91
 * AES-NI AES-ECB block en(de)cryption
92
 */
93
int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
94
                            int mode,
95
                            const unsigned char input[16],
96
                            unsigned char output[16])
97
{
98
    const __m128i *rk = (const __m128i *) (ctx->buf + ctx->rk_offset);
99
    unsigned nr = ctx->nr; // Number of remaining rounds
100

101
    // Load round key 0
102
    __m128i state;
103
    memcpy(&state, input, 16);
104
    state = _mm_xor_si128(state, rk[0]);  // state ^= *rk;
105
    ++rk;
106
    --nr;
107

108
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
109
    if (mode == MBEDTLS_AES_DECRYPT) {
110
        while (nr != 0) {
111
            state = _mm_aesdec_si128(state, *rk);
112
            ++rk;
113
            --nr;
114
        }
115
        state = _mm_aesdeclast_si128(state, *rk);
116
    } else
117
#else
118
    (void) mode;
119
#endif
120
    {
121
        while (nr != 0) {
122
            state = _mm_aesenc_si128(state, *rk);
123
            ++rk;
124
            --nr;
125
        }
126
        state = _mm_aesenclast_si128(state, *rk);
127
    }
128

129
    memcpy(output, &state, 16);
130
    return 0;
131
}
132

133
/*
134
 * GCM multiplication: c = a times b in GF(2^128)
135
 * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
136
 */
137

138
static void gcm_clmul(const __m128i aa, const __m128i bb,
139
                      __m128i *cc, __m128i *dd)
140
{
141
    /*
142
     * Caryless multiplication dd:cc = aa * bb
143
     * using [CLMUL-WP] algorithm 1 (p. 12).
144
     */
145
    *cc = _mm_clmulepi64_si128(aa, bb, 0x00); // a0*b0 = c1:c0
146
    *dd = _mm_clmulepi64_si128(aa, bb, 0x11); // a1*b1 = d1:d0
147
    __m128i ee = _mm_clmulepi64_si128(aa, bb, 0x10); // a0*b1 = e1:e0
148
    __m128i ff = _mm_clmulepi64_si128(aa, bb, 0x01); // a1*b0 = f1:f0
149
    ff = _mm_xor_si128(ff, ee);                      // e1+f1:e0+f0
150
    ee = ff;                                         // e1+f1:e0+f0
151
    ff = _mm_srli_si128(ff, 8);                      // 0:e1+f1
152
    ee = _mm_slli_si128(ee, 8);                      // e0+f0:0
153
    *dd = _mm_xor_si128(*dd, ff);                    // d1:d0+e1+f1
154
    *cc = _mm_xor_si128(*cc, ee);                    // c1+e0+f0:c0
155
}
156

157
static void gcm_shift(__m128i *cc, __m128i *dd)
158
{
159
    /* [CMUCL-WP] Algorithm 5 Step 1: shift cc:dd one bit to the left,
160
     * taking advantage of [CLMUL-WP] eq 27 (p. 18). */
161
    //                                        // *cc = r1:r0
162
    //                                        // *dd = r3:r2
163
    __m128i cc_lo = _mm_slli_epi64(*cc, 1);   // r1<<1:r0<<1
164
    __m128i dd_lo = _mm_slli_epi64(*dd, 1);   // r3<<1:r2<<1
165
    __m128i cc_hi = _mm_srli_epi64(*cc, 63);  // r1>>63:r0>>63
166
    __m128i dd_hi = _mm_srli_epi64(*dd, 63);  // r3>>63:r2>>63
167
    __m128i xmm5 = _mm_srli_si128(cc_hi, 8);  // 0:r1>>63
168
    cc_hi = _mm_slli_si128(cc_hi, 8);         // r0>>63:0
169
    dd_hi = _mm_slli_si128(dd_hi, 8);         // 0:r1>>63
170

171
    *cc = _mm_or_si128(cc_lo, cc_hi);         // r1<<1|r0>>63:r0<<1
172
    *dd = _mm_or_si128(_mm_or_si128(dd_lo, dd_hi), xmm5); // r3<<1|r2>>62:r2<<1|r1>>63
173
}
174

175
static __m128i gcm_reduce(__m128i xx)
176
{
177
    //                                            // xx = x1:x0
178
    /* [CLMUL-WP] Algorithm 5 Step 2 */
179
    __m128i aa = _mm_slli_epi64(xx, 63);          // x1<<63:x0<<63 = stuff:a
180
    __m128i bb = _mm_slli_epi64(xx, 62);          // x1<<62:x0<<62 = stuff:b
181
    __m128i cc = _mm_slli_epi64(xx, 57);          // x1<<57:x0<<57 = stuff:c
182
    __m128i dd = _mm_slli_si128(_mm_xor_si128(_mm_xor_si128(aa, bb), cc), 8); // a+b+c:0
183
    return _mm_xor_si128(dd, xx);                 // x1+a+b+c:x0 = d:x0
184
}
185

186
static __m128i gcm_mix(__m128i dx)
187
{
188
    /* [CLMUL-WP] Algorithm 5 Steps 3 and 4 */
189
    __m128i ee = _mm_srli_epi64(dx, 1);           // e1:x0>>1 = e1:e0'
190
    __m128i ff = _mm_srli_epi64(dx, 2);           // f1:x0>>2 = f1:f0'
191
    __m128i gg = _mm_srli_epi64(dx, 7);           // g1:x0>>7 = g1:g0'
192

193
    // e0'+f0'+g0' is almost e0+f0+g0, except for some missing
194
    // bits carried from d. Now get those bits back in.
195
    __m128i eh = _mm_slli_epi64(dx, 63);          // d<<63:stuff
196
    __m128i fh = _mm_slli_epi64(dx, 62);          // d<<62:stuff
197
    __m128i gh = _mm_slli_epi64(dx, 57);          // d<<57:stuff
198
    __m128i hh = _mm_srli_si128(_mm_xor_si128(_mm_xor_si128(eh, fh), gh), 8); // 0:missing bits of d
199

200
    return _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(_mm_xor_si128(ee, ff), gg), hh), dx);
201
}
202

203
void mbedtls_aesni_gcm_mult(unsigned char c[16],
204
                            const unsigned char a[16],
205
                            const unsigned char b[16])
206
{
207
    __m128i aa = { 0 }, bb = { 0 }, cc, dd;
208

209
    /* The inputs are in big-endian order, so byte-reverse them */
210
    for (size_t i = 0; i < 16; i++) {
211
        ((uint8_t *) &aa)[i] = a[15 - i];
212
        ((uint8_t *) &bb)[i] = b[15 - i];
213
    }
214

215
    gcm_clmul(aa, bb, &cc, &dd);
216
    gcm_shift(&cc, &dd);
217
    /*
218
     * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
219
     * using [CLMUL-WP] algorithm 5 (p. 18).
220
     * Currently dd:cc holds x3:x2:x1:x0 (already shifted).
221
     */
222
    __m128i dx = gcm_reduce(cc);
223
    __m128i xh = gcm_mix(dx);
224
    cc = _mm_xor_si128(xh, dd); // x3+h1:x2+h0
225

226
    /* Now byte-reverse the outputs */
227
    for (size_t i = 0; i < 16; i++) {
228
        c[i] = ((uint8_t *) &cc)[15 - i];
229
    }
230

231
    return;
232
}
233

234
/*
235
 * Compute decryption round keys from encryption round keys
236
 */
237
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
238
void mbedtls_aesni_inverse_key(unsigned char *invkey,
239
                               const unsigned char *fwdkey, int nr)
240
{
241
    __m128i *ik = (__m128i *) invkey;
242
    const __m128i *fk = (const __m128i *) fwdkey + nr;
243

244
    *ik = *fk;
245
    for (--fk, ++ik; fk > (const __m128i *) fwdkey; --fk, ++ik) {
246
        *ik = _mm_aesimc_si128(*fk);
247
    }
248
    *ik = *fk;
249
}
250
#endif
251

252
/*
253
 * Key expansion, 128-bit case
254
 */
255
static __m128i aesni_set_rk_128(__m128i state, __m128i xword)
256
{
257
    /*
258
     * Finish generating the next round key.
259
     *
260
     * On entry state is r3:r2:r1:r0 and xword is X:stuff:stuff:stuff
261
     * with X = rot( sub( r3 ) ) ^ RCON (obtained with AESKEYGENASSIST).
262
     *
263
     * On exit, xword is r7:r6:r5:r4
264
     * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
265
     * and this is returned, to be written to the round key buffer.
266
     */
267
    xword = _mm_shuffle_epi32(xword, 0xff);   // X:X:X:X
268
    xword = _mm_xor_si128(xword, state);      // X+r3:X+r2:X+r1:r4
269
    state = _mm_slli_si128(state, 4);         // r2:r1:r0:0
270
    xword = _mm_xor_si128(xword, state);      // X+r3+r2:X+r2+r1:r5:r4
271
    state = _mm_slli_si128(state, 4);         // r1:r0:0:0
272
    xword = _mm_xor_si128(xword, state);      // X+r3+r2+r1:r6:r5:r4
273
    state = _mm_slli_si128(state, 4);         // r0:0:0:0
274
    state = _mm_xor_si128(xword, state);      // r7:r6:r5:r4
275
    return state;
276
}
277

278
static void aesni_setkey_enc_128(unsigned char *rk_bytes,
279
                                 const unsigned char *key)
280
{
281
    __m128i *rk = (__m128i *) rk_bytes;
282

283
    memcpy(&rk[0], key, 16);
284
    rk[1] = aesni_set_rk_128(rk[0], _mm_aeskeygenassist_si128(rk[0], 0x01));
285
    rk[2] = aesni_set_rk_128(rk[1], _mm_aeskeygenassist_si128(rk[1], 0x02));
286
    rk[3] = aesni_set_rk_128(rk[2], _mm_aeskeygenassist_si128(rk[2], 0x04));
287
    rk[4] = aesni_set_rk_128(rk[3], _mm_aeskeygenassist_si128(rk[3], 0x08));
288
    rk[5] = aesni_set_rk_128(rk[4], _mm_aeskeygenassist_si128(rk[4], 0x10));
289
    rk[6] = aesni_set_rk_128(rk[5], _mm_aeskeygenassist_si128(rk[5], 0x20));
290
    rk[7] = aesni_set_rk_128(rk[6], _mm_aeskeygenassist_si128(rk[6], 0x40));
291
    rk[8] = aesni_set_rk_128(rk[7], _mm_aeskeygenassist_si128(rk[7], 0x80));
292
    rk[9] = aesni_set_rk_128(rk[8], _mm_aeskeygenassist_si128(rk[8], 0x1B));
293
    rk[10] = aesni_set_rk_128(rk[9], _mm_aeskeygenassist_si128(rk[9], 0x36));
294
}
295

296
/*
297
 * Key expansion, 192-bit case
298
 */
299
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
300
static void aesni_set_rk_192(__m128i *state0, __m128i *state1, __m128i xword,
301
                             unsigned char *rk)
302
{
303
    /*
304
     * Finish generating the next 6 quarter-keys.
305
     *
306
     * On entry state0 is r3:r2:r1:r0, state1 is stuff:stuff:r5:r4
307
     * and xword is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON
308
     * (obtained with AESKEYGENASSIST).
309
     *
310
     * On exit, state0 is r9:r8:r7:r6 and state1 is stuff:stuff:r11:r10
311
     * and those are written to the round key buffer.
312
     */
313
    xword = _mm_shuffle_epi32(xword, 0x55);   // X:X:X:X
314
    xword = _mm_xor_si128(xword, *state0);    // X+r3:X+r2:X+r1:X+r0
315
    *state0 = _mm_slli_si128(*state0, 4);     // r2:r1:r0:0
316
    xword = _mm_xor_si128(xword, *state0);    // X+r3+r2:X+r2+r1:X+r1+r0:X+r0
317
    *state0 = _mm_slli_si128(*state0, 4);     // r1:r0:0:0
318
    xword = _mm_xor_si128(xword, *state0);    // X+r3+r2+r1:X+r2+r1+r0:X+r1+r0:X+r0
319
    *state0 = _mm_slli_si128(*state0, 4);     // r0:0:0:0
320
    xword = _mm_xor_si128(xword, *state0);    // X+r3+r2+r1+r0:X+r2+r1+r0:X+r1+r0:X+r0
321
    *state0 = xword;                          // = r9:r8:r7:r6
322

323
    xword = _mm_shuffle_epi32(xword, 0xff);   // r9:r9:r9:r9
324
    xword = _mm_xor_si128(xword, *state1);    // stuff:stuff:r9+r5:r9+r4
325
    *state1 = _mm_slli_si128(*state1, 4);     // stuff:stuff:r4:0
326
    xword = _mm_xor_si128(xword, *state1);    // stuff:stuff:r9+r5+r4:r9+r4
327
    *state1 = xword;                          // = stuff:stuff:r11:r10
328

329
    /* Store state0 and the low half of state1 into rk, which is conceptually
330
     * an array of 24-byte elements. Since 24 is not a multiple of 16,
331
     * rk is not necessarily aligned so just `*rk = *state0` doesn't work. */
332
    memcpy(rk, state0, 16);
333
    memcpy(rk + 16, state1, 8);
334
}
335

336
static void aesni_setkey_enc_192(unsigned char *rk,
337
                                 const unsigned char *key)
338
{
339
    /* First round: use original key */
340
    memcpy(rk, key, 24);
341
    /* aes.c guarantees that rk is aligned on a 16-byte boundary. */
342
    __m128i state0 = ((__m128i *) rk)[0];
343
    __m128i state1 = _mm_loadl_epi64(((__m128i *) rk) + 1);
344

345
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x01), rk + 24 * 1);
346
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x02), rk + 24 * 2);
347
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x04), rk + 24 * 3);
348
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x08), rk + 24 * 4);
349
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x10), rk + 24 * 5);
350
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x20), rk + 24 * 6);
351
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x40), rk + 24 * 7);
352
    aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x80), rk + 24 * 8);
353
}
354
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
355

356
/*
357
 * Key expansion, 256-bit case
358
 */
359
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
360
static void aesni_set_rk_256(__m128i state0, __m128i state1, __m128i xword,
361
                             __m128i *rk0, __m128i *rk1)
362
{
363
    /*
364
     * Finish generating the next two round keys.
365
     *
366
     * On entry state0 is r3:r2:r1:r0, state1 is r7:r6:r5:r4 and
367
     * xword is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
368
     * (obtained with AESKEYGENASSIST).
369
     *
370
     * On exit, *rk0 is r11:r10:r9:r8 and *rk1 is r15:r14:r13:r12
371
     */
372
    xword = _mm_shuffle_epi32(xword, 0xff);
373
    xword = _mm_xor_si128(xword, state0);
374
    state0 = _mm_slli_si128(state0, 4);
375
    xword = _mm_xor_si128(xword, state0);
376
    state0 = _mm_slli_si128(state0, 4);
377
    xword = _mm_xor_si128(xword, state0);
378
    state0 = _mm_slli_si128(state0, 4);
379
    state0 = _mm_xor_si128(state0, xword);
380
    *rk0 = state0;
381

382
    /* Set xword to stuff:Y:stuff:stuff with Y = subword( r11 )
383
     * and proceed to generate next round key from there */
384
    xword = _mm_aeskeygenassist_si128(state0, 0x00);
385
    xword = _mm_shuffle_epi32(xword, 0xaa);
386
    xword = _mm_xor_si128(xword, state1);
387
    state1 = _mm_slli_si128(state1, 4);
388
    xword = _mm_xor_si128(xword, state1);
389
    state1 = _mm_slli_si128(state1, 4);
390
    xword = _mm_xor_si128(xword, state1);
391
    state1 = _mm_slli_si128(state1, 4);
392
    state1 = _mm_xor_si128(state1, xword);
393
    *rk1 = state1;
394
}
395

396
static void aesni_setkey_enc_256(unsigned char *rk_bytes,
397
                                 const unsigned char *key)
398
{
399
    __m128i *rk = (__m128i *) rk_bytes;
400

401
    memcpy(&rk[0], key, 16);
402
    memcpy(&rk[1], key + 16, 16);
403

404
    /*
405
     * Main "loop" - Generating one more key than necessary,
406
     * see definition of mbedtls_aes_context.buf
407
     */
408
    aesni_set_rk_256(rk[0], rk[1], _mm_aeskeygenassist_si128(rk[1], 0x01), &rk[2], &rk[3]);
409
    aesni_set_rk_256(rk[2], rk[3], _mm_aeskeygenassist_si128(rk[3], 0x02), &rk[4], &rk[5]);
410
    aesni_set_rk_256(rk[4], rk[5], _mm_aeskeygenassist_si128(rk[5], 0x04), &rk[6], &rk[7]);
411
    aesni_set_rk_256(rk[6], rk[7], _mm_aeskeygenassist_si128(rk[7], 0x08), &rk[8], &rk[9]);
412
    aesni_set_rk_256(rk[8], rk[9], _mm_aeskeygenassist_si128(rk[9], 0x10), &rk[10], &rk[11]);
413
    aesni_set_rk_256(rk[10], rk[11], _mm_aeskeygenassist_si128(rk[11], 0x20), &rk[12], &rk[13]);
414
    aesni_set_rk_256(rk[12], rk[13], _mm_aeskeygenassist_si128(rk[13], 0x40), &rk[14], &rk[15]);
415
}
416
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
417

418
#if defined(MBEDTLS_POP_TARGET_PRAGMA)
419
#if defined(__clang__)
420
#pragma clang attribute pop
421
#elif defined(__GNUC__)
422
#pragma GCC pop_options
423
#endif
424
#undef MBEDTLS_POP_TARGET_PRAGMA
425
#endif
426

427
#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
428

429
#if defined(__has_feature)
430
#if __has_feature(memory_sanitizer)
431
#warning \
432
    "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
433
#endif
434
#endif
435

436
/*
437
 * Binutils needs to be at least 2.19 to support AES-NI instructions.
438
 * Unfortunately, a lot of users have a lower version now (2014-04).
439
 * Emit bytecode directly in order to support "old" version of gas.
440
 *
441
 * Opcodes from the Intel architecture reference manual, vol. 3.
442
 * We always use registers, so we don't need prefixes for memory operands.
443
 * Operand macros are in gas order (src, dst) as opposed to Intel order
444
 * (dst, src) in order to blend better into the surrounding assembly code.
445
 */
446
#define AESDEC(regs)      ".byte 0x66,0x0F,0x38,0xDE," regs "\n\t"
447
#define AESDECLAST(regs)  ".byte 0x66,0x0F,0x38,0xDF," regs "\n\t"
448
#define AESENC(regs)      ".byte 0x66,0x0F,0x38,0xDC," regs "\n\t"
449
#define AESENCLAST(regs)  ".byte 0x66,0x0F,0x38,0xDD," regs "\n\t"
450
#define AESIMC(regs)      ".byte 0x66,0x0F,0x38,0xDB," regs "\n\t"
451
#define AESKEYGENA(regs, imm)  ".byte 0x66,0x0F,0x3A,0xDF," regs "," imm "\n\t"
452
#define PCLMULQDQ(regs, imm)   ".byte 0x66,0x0F,0x3A,0x44," regs "," imm "\n\t"
453

454
#define xmm0_xmm0   "0xC0"
455
#define xmm0_xmm1   "0xC8"
456
#define xmm0_xmm2   "0xD0"
457
#define xmm0_xmm3   "0xD8"
458
#define xmm0_xmm4   "0xE0"
459
#define xmm1_xmm0   "0xC1"
460
#define xmm1_xmm2   "0xD1"
461

462
/*
463
 * AES-NI AES-ECB block en(de)cryption
464
 */
465
int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
466
                            int mode,
467
                            const unsigned char input[16],
468
                            unsigned char output[16])
469
{
470
    asm ("movdqu    (%3), %%xmm0    \n\t" // load input
471
         "movdqu    (%1), %%xmm1    \n\t" // load round key 0
472
         "pxor      %%xmm1, %%xmm0  \n\t" // round 0
473
         "add       $16, %1         \n\t" // point to next round key
474
         "subl      $1, %0          \n\t" // normal rounds = nr - 1
475
         "test      %2, %2          \n\t" // mode?
476
         "jz        2f              \n\t" // 0 = decrypt
477

478
         "1:                        \n\t" // encryption loop
479
         "movdqu    (%1), %%xmm1    \n\t" // load round key
480
         AESENC(xmm1_xmm0)                // do round
481
         "add       $16, %1         \n\t" // point to next round key
482
         "subl      $1, %0          \n\t" // loop
483
         "jnz       1b              \n\t"
484
         "movdqu    (%1), %%xmm1    \n\t" // load round key
485
         AESENCLAST(xmm1_xmm0)            // last round
486
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
487
         "jmp       3f              \n\t"
488

489
         "2:                        \n\t" // decryption loop
490
         "movdqu    (%1), %%xmm1    \n\t"
491
         AESDEC(xmm1_xmm0)                // do round
492
         "add       $16, %1         \n\t"
493
         "subl      $1, %0          \n\t"
494
         "jnz       2b              \n\t"
495
         "movdqu    (%1), %%xmm1    \n\t" // load round key
496
         AESDECLAST(xmm1_xmm0)            // last round
497
#endif
498

499
         "3:                        \n\t"
500
         "movdqu    %%xmm0, (%4)    \n\t" // export output
501
         :
502
         : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
503
         : "memory", "cc", "xmm0", "xmm1", "0", "1");
504

505

506
    return 0;
507
}
508

509
/*
510
 * GCM multiplication: c = a times b in GF(2^128)
511
 * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
512
 */
513
void mbedtls_aesni_gcm_mult(unsigned char c[16],
514
                            const unsigned char a[16],
515
                            const unsigned char b[16])
516
{
517
    unsigned char aa[16], bb[16], cc[16];
518
    size_t i;
519

520
    /* The inputs are in big-endian order, so byte-reverse them */
521
    for (i = 0; i < 16; i++) {
522
        aa[i] = a[15 - i];
523
        bb[i] = b[15 - i];
524
    }
525

526
    asm ("movdqu (%0), %%xmm0               \n\t" // a1:a0
527
         "movdqu (%1), %%xmm1               \n\t" // b1:b0
528

529
         /*
530
          * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
531
          * using [CLMUL-WP] algorithm 1 (p. 12).
532
          */
533
         "movdqa %%xmm1, %%xmm2             \n\t" // copy of b1:b0
534
         "movdqa %%xmm1, %%xmm3             \n\t" // same
535
         "movdqa %%xmm1, %%xmm4             \n\t" // same
536
         PCLMULQDQ(xmm0_xmm1, "0x00")             // a0*b0 = c1:c0
537
         PCLMULQDQ(xmm0_xmm2, "0x11")             // a1*b1 = d1:d0
538
         PCLMULQDQ(xmm0_xmm3, "0x10")             // a0*b1 = e1:e0
539
         PCLMULQDQ(xmm0_xmm4, "0x01")             // a1*b0 = f1:f0
540
         "pxor %%xmm3, %%xmm4               \n\t" // e1+f1:e0+f0
541
         "movdqa %%xmm4, %%xmm3             \n\t" // same
542
         "psrldq $8, %%xmm4                 \n\t" // 0:e1+f1
543
         "pslldq $8, %%xmm3                 \n\t" // e0+f0:0
544
         "pxor %%xmm4, %%xmm2               \n\t" // d1:d0+e1+f1
545
         "pxor %%xmm3, %%xmm1               \n\t" // c1+e0+f1:c0
546

547
         /*
548
          * Now shift the result one bit to the left,
549
          * taking advantage of [CLMUL-WP] eq 27 (p. 18)
550
          */
551
         "movdqa %%xmm1, %%xmm3             \n\t" // r1:r0
552
         "movdqa %%xmm2, %%xmm4             \n\t" // r3:r2
553
         "psllq $1, %%xmm1                  \n\t" // r1<<1:r0<<1
554
         "psllq $1, %%xmm2                  \n\t" // r3<<1:r2<<1
555
         "psrlq $63, %%xmm3                 \n\t" // r1>>63:r0>>63
556
         "psrlq $63, %%xmm4                 \n\t" // r3>>63:r2>>63
557
         "movdqa %%xmm3, %%xmm5             \n\t" // r1>>63:r0>>63
558
         "pslldq $8, %%xmm3                 \n\t" // r0>>63:0
559
         "pslldq $8, %%xmm4                 \n\t" // r2>>63:0
560
         "psrldq $8, %%xmm5                 \n\t" // 0:r1>>63
561
         "por %%xmm3, %%xmm1                \n\t" // r1<<1|r0>>63:r0<<1
562
         "por %%xmm4, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1
563
         "por %%xmm5, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
564

565
         /*
566
          * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
567
          * using [CLMUL-WP] algorithm 5 (p. 18).
568
          * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
569
          */
570
         /* Step 2 (1) */
571
         "movdqa %%xmm1, %%xmm3             \n\t" // x1:x0
572
         "movdqa %%xmm1, %%xmm4             \n\t" // same
573
         "movdqa %%xmm1, %%xmm5             \n\t" // same
574
         "psllq $63, %%xmm3                 \n\t" // x1<<63:x0<<63 = stuff:a
575
         "psllq $62, %%xmm4                 \n\t" // x1<<62:x0<<62 = stuff:b
576
         "psllq $57, %%xmm5                 \n\t" // x1<<57:x0<<57 = stuff:c
577

578
         /* Step 2 (2) */
579
         "pxor %%xmm4, %%xmm3               \n\t" // stuff:a+b
580
         "pxor %%xmm5, %%xmm3               \n\t" // stuff:a+b+c
581
         "pslldq $8, %%xmm3                 \n\t" // a+b+c:0
582
         "pxor %%xmm3, %%xmm1               \n\t" // x1+a+b+c:x0 = d:x0
583

584
         /* Steps 3 and 4 */
585
         "movdqa %%xmm1,%%xmm0              \n\t" // d:x0
586
         "movdqa %%xmm1,%%xmm4              \n\t" // same
587
         "movdqa %%xmm1,%%xmm5              \n\t" // same
588
         "psrlq $1, %%xmm0                  \n\t" // e1:x0>>1 = e1:e0'
589
         "psrlq $2, %%xmm4                  \n\t" // f1:x0>>2 = f1:f0'
590
         "psrlq $7, %%xmm5                  \n\t" // g1:x0>>7 = g1:g0'
591
         "pxor %%xmm4, %%xmm0               \n\t" // e1+f1:e0'+f0'
592
         "pxor %%xmm5, %%xmm0               \n\t" // e1+f1+g1:e0'+f0'+g0'
593
         // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
594
         // bits carried from d. Now get those\t bits back in.
595
         "movdqa %%xmm1,%%xmm3              \n\t" // d:x0
596
         "movdqa %%xmm1,%%xmm4              \n\t" // same
597
         "movdqa %%xmm1,%%xmm5              \n\t" // same
598
         "psllq $63, %%xmm3                 \n\t" // d<<63:stuff
599
         "psllq $62, %%xmm4                 \n\t" // d<<62:stuff
600
         "psllq $57, %%xmm5                 \n\t" // d<<57:stuff
601
         "pxor %%xmm4, %%xmm3               \n\t" // d<<63+d<<62:stuff
602
         "pxor %%xmm5, %%xmm3               \n\t" // missing bits of d:stuff
603
         "psrldq $8, %%xmm3                 \n\t" // 0:missing bits of d
604
         "pxor %%xmm3, %%xmm0               \n\t" // e1+f1+g1:e0+f0+g0
605
         "pxor %%xmm1, %%xmm0               \n\t" // h1:h0
606
         "pxor %%xmm2, %%xmm0               \n\t" // x3+h1:x2+h0
607

608
         "movdqu %%xmm0, (%2)               \n\t" // done
609
         :
610
         : "r" (aa), "r" (bb), "r" (cc)
611
         : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5");
612

613
    /* Now byte-reverse the outputs */
614
    for (i = 0; i < 16; i++) {
615
        c[i] = cc[15 - i];
616
    }
617

618
    return;
619
}
620

621
/*
622
 * Compute decryption round keys from encryption round keys
623
 */
624
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
625
void mbedtls_aesni_inverse_key(unsigned char *invkey,
626
                               const unsigned char *fwdkey, int nr)
627
{
628
    unsigned char *ik = invkey;
629
    const unsigned char *fk = fwdkey + 16 * nr;
630

631
    memcpy(ik, fk, 16);
632

633
    for (fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16) {
634
        asm ("movdqu (%0), %%xmm0       \n\t"
635
             AESIMC(xmm0_xmm0)
636
             "movdqu %%xmm0, (%1)       \n\t"
637
             :
638
             : "r" (fk), "r" (ik)
639
             : "memory", "xmm0");
640
    }
641

642
    memcpy(ik, fk, 16);
643
}
644
#endif
645

646
/*
647
 * Key expansion, 128-bit case
648
 */
649
static void aesni_setkey_enc_128(unsigned char *rk,
650
                                 const unsigned char *key)
651
{
652
    asm ("movdqu (%1), %%xmm0               \n\t" // copy the original key
653
         "movdqu %%xmm0, (%0)               \n\t" // as round key 0
654
         "jmp 2f                            \n\t" // skip auxiliary routine
655

656
         /*
657
          * Finish generating the next round key.
658
          *
659
          * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
660
          * with X = rot( sub( r3 ) ) ^ RCON.
661
          *
662
          * On exit, xmm0 is r7:r6:r5:r4
663
          * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
664
          * and those are written to the round key buffer.
665
          */
666
         "1:                                \n\t"
667
         "pshufd $0xff, %%xmm1, %%xmm1      \n\t" // X:X:X:X
668
         "pxor %%xmm0, %%xmm1               \n\t" // X+r3:X+r2:X+r1:r4
669
         "pslldq $4, %%xmm0                 \n\t" // r2:r1:r0:0
670
         "pxor %%xmm0, %%xmm1               \n\t" // X+r3+r2:X+r2+r1:r5:r4
671
         "pslldq $4, %%xmm0                 \n\t" // etc
672
         "pxor %%xmm0, %%xmm1               \n\t"
673
         "pslldq $4, %%xmm0                 \n\t"
674
         "pxor %%xmm1, %%xmm0               \n\t" // update xmm0 for next time!
675
         "add $16, %0                       \n\t" // point to next round key
676
         "movdqu %%xmm0, (%0)               \n\t" // write it
677
         "ret                               \n\t"
678

679
         /* Main "loop" */
680
         "2:                                \n\t"
681
         AESKEYGENA(xmm0_xmm1, "0x01")      "call 1b \n\t"
682
         AESKEYGENA(xmm0_xmm1, "0x02")      "call 1b \n\t"
683
         AESKEYGENA(xmm0_xmm1, "0x04")      "call 1b \n\t"
684
         AESKEYGENA(xmm0_xmm1, "0x08")      "call 1b \n\t"
685
         AESKEYGENA(xmm0_xmm1, "0x10")      "call 1b \n\t"
686
         AESKEYGENA(xmm0_xmm1, "0x20")      "call 1b \n\t"
687
         AESKEYGENA(xmm0_xmm1, "0x40")      "call 1b \n\t"
688
         AESKEYGENA(xmm0_xmm1, "0x80")      "call 1b \n\t"
689
         AESKEYGENA(xmm0_xmm1, "0x1B")      "call 1b \n\t"
690
         AESKEYGENA(xmm0_xmm1, "0x36")      "call 1b \n\t"
691
         :
692
         : "r" (rk), "r" (key)
693
         : "memory", "cc", "xmm0", "xmm1", "0");
694
}
695

696
/*
697
 * Key expansion, 192-bit case
698
 */
699
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
700
static void aesni_setkey_enc_192(unsigned char *rk,
701
                                 const unsigned char *key)
702
{
703
    asm ("movdqu (%1), %%xmm0   \n\t" // copy original round key
704
         "movdqu %%xmm0, (%0)   \n\t"
705
         "add $16, %0           \n\t"
706
         "movq 16(%1), %%xmm1   \n\t"
707
         "movq %%xmm1, (%0)     \n\t"
708
         "add $8, %0            \n\t"
709
         "jmp 2f                \n\t" // skip auxiliary routine
710

711
         /*
712
          * Finish generating the next 6 quarter-keys.
713
          *
714
          * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
715
          * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
716
          *
717
          * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
718
          * and those are written to the round key buffer.
719
          */
720
         "1:                            \n\t"
721
         "pshufd $0x55, %%xmm2, %%xmm2  \n\t" // X:X:X:X
722
         "pxor %%xmm0, %%xmm2           \n\t" // X+r3:X+r2:X+r1:r4
723
         "pslldq $4, %%xmm0             \n\t" // etc
724
         "pxor %%xmm0, %%xmm2           \n\t"
725
         "pslldq $4, %%xmm0             \n\t"
726
         "pxor %%xmm0, %%xmm2           \n\t"
727
         "pslldq $4, %%xmm0             \n\t"
728
         "pxor %%xmm2, %%xmm0           \n\t" // update xmm0 = r9:r8:r7:r6
729
         "movdqu %%xmm0, (%0)           \n\t"
730
         "add $16, %0                   \n\t"
731
         "pshufd $0xff, %%xmm0, %%xmm2  \n\t" // r9:r9:r9:r9
732
         "pxor %%xmm1, %%xmm2           \n\t" // stuff:stuff:r9+r5:r10
733
         "pslldq $4, %%xmm1             \n\t" // r2:r1:r0:0
734
         "pxor %%xmm2, %%xmm1           \n\t" // xmm1 = stuff:stuff:r11:r10
735
         "movq %%xmm1, (%0)             \n\t"
736
         "add $8, %0                    \n\t"
737
         "ret                           \n\t"
738

739
         "2:                            \n\t"
740
         AESKEYGENA(xmm1_xmm2, "0x01")  "call 1b \n\t"
741
         AESKEYGENA(xmm1_xmm2, "0x02")  "call 1b \n\t"
742
         AESKEYGENA(xmm1_xmm2, "0x04")  "call 1b \n\t"
743
         AESKEYGENA(xmm1_xmm2, "0x08")  "call 1b \n\t"
744
         AESKEYGENA(xmm1_xmm2, "0x10")  "call 1b \n\t"
745
         AESKEYGENA(xmm1_xmm2, "0x20")  "call 1b \n\t"
746
         AESKEYGENA(xmm1_xmm2, "0x40")  "call 1b \n\t"
747
         AESKEYGENA(xmm1_xmm2, "0x80")  "call 1b \n\t"
748

749
         :
750
         : "r" (rk), "r" (key)
751
         : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
752
}
753
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
754

755
/*
756
 * Key expansion, 256-bit case
757
 */
758
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
759
static void aesni_setkey_enc_256(unsigned char *rk,
760
                                 const unsigned char *key)
761
{
762
    asm ("movdqu (%1), %%xmm0           \n\t"
763
         "movdqu %%xmm0, (%0)           \n\t"
764
         "add $16, %0                   \n\t"
765
         "movdqu 16(%1), %%xmm1         \n\t"
766
         "movdqu %%xmm1, (%0)           \n\t"
767
         "jmp 2f                        \n\t" // skip auxiliary routine
768

769
         /*
770
          * Finish generating the next two round keys.
771
          *
772
          * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
773
          * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
774
          *
775
          * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
776
          * and those have been written to the output buffer.
777
          */
778
         "1:                                \n\t"
779
         "pshufd $0xff, %%xmm2, %%xmm2      \n\t"
780
         "pxor %%xmm0, %%xmm2               \n\t"
781
         "pslldq $4, %%xmm0                 \n\t"
782
         "pxor %%xmm0, %%xmm2               \n\t"
783
         "pslldq $4, %%xmm0                 \n\t"
784
         "pxor %%xmm0, %%xmm2               \n\t"
785
         "pslldq $4, %%xmm0                 \n\t"
786
         "pxor %%xmm2, %%xmm0               \n\t"
787
         "add $16, %0                       \n\t"
788
         "movdqu %%xmm0, (%0)               \n\t"
789

790
         /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
791
          * and proceed to generate next round key from there */
792
         AESKEYGENA(xmm0_xmm2, "0x00")
793
         "pshufd $0xaa, %%xmm2, %%xmm2      \n\t"
794
         "pxor %%xmm1, %%xmm2               \n\t"
795
         "pslldq $4, %%xmm1                 \n\t"
796
         "pxor %%xmm1, %%xmm2               \n\t"
797
         "pslldq $4, %%xmm1                 \n\t"
798
         "pxor %%xmm1, %%xmm2               \n\t"
799
         "pslldq $4, %%xmm1                 \n\t"
800
         "pxor %%xmm2, %%xmm1               \n\t"
801
         "add $16, %0                       \n\t"
802
         "movdqu %%xmm1, (%0)               \n\t"
803
         "ret                               \n\t"
804

805
         /*
806
          * Main "loop" - Generating one more key than necessary,
807
          * see definition of mbedtls_aes_context.buf
808
          */
809
         "2:                                \n\t"
810
         AESKEYGENA(xmm1_xmm2, "0x01")      "call 1b \n\t"
811
         AESKEYGENA(xmm1_xmm2, "0x02")      "call 1b \n\t"
812
         AESKEYGENA(xmm1_xmm2, "0x04")      "call 1b \n\t"
813
         AESKEYGENA(xmm1_xmm2, "0x08")      "call 1b \n\t"
814
         AESKEYGENA(xmm1_xmm2, "0x10")      "call 1b \n\t"
815
         AESKEYGENA(xmm1_xmm2, "0x20")      "call 1b \n\t"
816
         AESKEYGENA(xmm1_xmm2, "0x40")      "call 1b \n\t"
817
         :
818
         : "r" (rk), "r" (key)
819
         : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
820
}
821
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
822

823
#endif  /* MBEDTLS_AESNI_HAVE_CODE */
824

825
/*
826
 * Key expansion, wrapper
827
 */
828
int mbedtls_aesni_setkey_enc(unsigned char *rk,
829
                             const unsigned char *key,
830
                             size_t bits)
831
{
832
    switch (bits) {
833
        case 128: aesni_setkey_enc_128(rk, key); break;
834
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
835
        case 192: aesni_setkey_enc_192(rk, key); break;
836
        case 256: aesni_setkey_enc_256(rk, key); break;
837
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
838
        default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
839
    }
840

841
    return 0;
842
}
843

844
#endif /* MBEDTLS_AESNI_HAVE_CODE */
845

846
#endif /* MBEDTLS_AESNI_C */
847

848
Product

Resources

Company
