crypto/aesni/aesni_wrap.c

210409Skib/*-
247061Spjd * Copyright (C) 2008 Damien Miller <djm@mindrot.org>
210409Skib * Copyright (c) 2010 Konstantin Belousov <kib@FreeBSD.org>
226839Spjd * Copyright (c) 2010-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
255187Sjmg * Copyright 2012-2013 John-Mark Gurney <jmg@FreeBSD.org>
210409Skib * All rights reserved.
210409Skib *
210409Skib * Redistribution and use in source and binary forms, with or without
210409Skib * modification, are permitted provided that the following conditions
210409Skib * are met:
210409Skib * 1. Redistributions of source code must retain the above copyright
210409Skib *    notice, this list of conditions and the following disclaimer.
210409Skib * 2. Redistributions in binary form must reproduce the above copyright
210409Skib *    notice, this list of conditions and the following disclaimer in the
210409Skib *    documentation and/or other materials provided with the distribution.
210409Skib *
210409Skib * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
210409Skib * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
210409Skib * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
210409Skib * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
210409Skib * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
210409Skib * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
210409Skib * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
210409Skib * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
210409Skib * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
210409Skib * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
210409Skib * SUCH DAMAGE.
210409Skib */
210409Skib
210409Skib#include <sys/cdefs.h>
210409Skib__FBSDID("$FreeBSD: head/sys/crypto/aesni/aesni_wrap.c 267815 2014-06-24 06:55:49Z kib $");
255187Sjmg
210409Skib#include <sys/param.h>
210409Skib#include <sys/libkern.h>
210409Skib#include <sys/malloc.h>
210409Skib#include <sys/proc.h>
210409Skib#include <sys/systm.h>
210409Skib#include <crypto/aesni/aesni.h>
255187Sjmg
255187Sjmg#include "aesencdec.h"
210409Skib
210409SkibMALLOC_DECLARE(M_AESNI);
210409Skib
257757Sjmgstruct blocks8 {
257757Sjmg	__m128i	blk[8];
257757Sjmg} __packed;
257757Sjmg
210409Skibvoid
210409Skibaesni_encrypt_cbc(int rounds, const void *key_schedule, size_t len,
210409Skib    const uint8_t *from, uint8_t *to, const uint8_t iv[AES_BLOCK_LEN])
210409Skib{
255187Sjmg	__m128i tot, ivreg;
210409Skib	size_t i;
210409Skib
210409Skib	len /= AES_BLOCK_LEN;
255187Sjmg	ivreg = _mm_loadu_si128((const __m128i *)iv);
210409Skib	for (i = 0; i < len; i++) {
255187Sjmg		tot = aesni_enc(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from) ^ ivreg);
255187Sjmg		ivreg = tot;
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
210409Skibvoid
255187Sjmgaesni_decrypt_cbc(int rounds, const void *key_schedule, size_t len,
255187Sjmg    uint8_t *buf, const uint8_t iv[AES_BLOCK_LEN])
255187Sjmg{
255187Sjmg	__m128i blocks[8];
257757Sjmg	struct blocks8 *blks;
255187Sjmg	__m128i ivreg, nextiv;
255187Sjmg	size_t i, j, cnt;
255187Sjmg
255187Sjmg	ivreg = _mm_loadu_si128((const __m128i *)iv);
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (struct blocks8 *)buf;
257757Sjmg		aesni_dec8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], &blocks[0]);
255187Sjmg		for (j = 0; j < 8; j++) {
257757Sjmg			nextiv = blks->blk[j];
257757Sjmg			blks->blk[j] = blocks[j] ^ ivreg;
255187Sjmg			ivreg = nextiv;
255187Sjmg		}
255187Sjmg		buf += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
257757Sjmg		nextiv = _mm_loadu_si128((void *)buf);
257757Sjmg		_mm_storeu_si128((void *)buf,
257757Sjmg		    aesni_dec(rounds - 1, key_schedule, nextiv) ^ ivreg);
255187Sjmg		ivreg = nextiv;
255187Sjmg		buf += AES_BLOCK_LEN;
255187Sjmg	}
255187Sjmg}
255187Sjmg
255187Sjmgvoid
210409Skibaesni_encrypt_ecb(int rounds, const void *key_schedule, size_t len,
255187Sjmg    const uint8_t *from, uint8_t *to)
210409Skib{
255187Sjmg	__m128i tot;
257757Sjmg	__m128i tout[8];
257757Sjmg	struct blocks8 *top;
257757Sjmg	const struct blocks8 *blks;
255187Sjmg	size_t i, cnt;
210409Skib
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (const struct blocks8 *)from;
257757Sjmg		top = (struct blocks8 *)to;
257757Sjmg		aesni_enc8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], tout);
257757Sjmg		top->blk[0] = tout[0];
257757Sjmg		top->blk[1] = tout[1];
257757Sjmg		top->blk[2] = tout[2];
257757Sjmg		top->blk[3] = tout[3];
257757Sjmg		top->blk[4] = tout[4];
257757Sjmg		top->blk[5] = tout[5];
257757Sjmg		top->blk[6] = tout[6];
257757Sjmg		top->blk[7] = tout[7];
255187Sjmg		from += AES_BLOCK_LEN * 8;
255187Sjmg		to += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		tot = aesni_enc(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from));
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
210409Skibvoid
210409Skibaesni_decrypt_ecb(int rounds, const void *key_schedule, size_t len,
210409Skib    const uint8_t from[AES_BLOCK_LEN], uint8_t to[AES_BLOCK_LEN])
210409Skib{
255187Sjmg	__m128i tot;
257757Sjmg	__m128i tout[8];
257757Sjmg	const struct blocks8 *blks;
257757Sjmg	struct blocks8 *top;
255187Sjmg	size_t i, cnt;
210409Skib
255187Sjmg	cnt = len / AES_BLOCK_LEN / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
257757Sjmg		blks = (const struct blocks8 *)from;
257757Sjmg		top = (struct blocks8 *)to;
257757Sjmg		aesni_dec8(rounds - 1, key_schedule, blks->blk[0], blks->blk[1],
257757Sjmg		    blks->blk[2], blks->blk[3], blks->blk[4], blks->blk[5],
257757Sjmg		    blks->blk[6], blks->blk[7], tout);
257757Sjmg		top->blk[0] = tout[0];
257757Sjmg		top->blk[1] = tout[1];
257757Sjmg		top->blk[2] = tout[2];
257757Sjmg		top->blk[3] = tout[3];
257757Sjmg		top->blk[4] = tout[4];
257757Sjmg		top->blk[5] = tout[5];
257757Sjmg		top->blk[6] = tout[6];
257757Sjmg		top->blk[7] = tout[7];
255187Sjmg		from += AES_BLOCK_LEN * 8;
255187Sjmg		to += AES_BLOCK_LEN * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_BLOCK_LEN;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		tot = aesni_dec(rounds - 1, key_schedule,
255187Sjmg		    _mm_loadu_si128((const __m128i *)from));
255187Sjmg		_mm_storeu_si128((__m128i *)to, tot);
210409Skib		from += AES_BLOCK_LEN;
210409Skib		to += AES_BLOCK_LEN;
210409Skib	}
210409Skib}
210409Skib
213069Spjd#define	AES_XTS_BLOCKSIZE	16
213069Spjd#define	AES_XTS_IVSIZE		8
213069Spjd#define	AES_XTS_ALPHA		0x87	/* GF(2^128) generator polynomial */
213069Spjd
255187Sjmgstatic inline __m128i
255187Sjmgxts_crank_lfsr(__m128i inp)
255187Sjmg{
255187Sjmg	const __m128i alphamask = _mm_set_epi32(1, 1, 1, AES_XTS_ALPHA);
255187Sjmg	__m128i xtweak, ret;
255187Sjmg
255187Sjmg	/* set up xor mask */
255187Sjmg	xtweak = _mm_shuffle_epi32(inp, 0x93);
255187Sjmg	xtweak = _mm_srai_epi32(xtweak, 31);
255187Sjmg	xtweak &= alphamask;
255187Sjmg
255187Sjmg	/* next term */
255187Sjmg	ret = _mm_slli_epi32(inp, 1);
255187Sjmg	ret ^= xtweak;
255187Sjmg
255187Sjmg	return ret;
255187Sjmg}
255187Sjmg
213069Spjdstatic void
257757Sjmgaesni_crypt_xts_block(int rounds, const __m128i *key_schedule, __m128i *tweak,
257757Sjmg    const uint8_t *from, uint8_t *to, int do_encrypt)
213069Spjd{
255187Sjmg	__m128i block;
213069Spjd
257757Sjmg	block = _mm_loadu_si128((const __m128i *)from) ^ *tweak;
213069Spjd
213069Spjd	if (do_encrypt)
255187Sjmg		block = aesni_enc(rounds - 1, key_schedule, block);
213069Spjd	else
255187Sjmg		block = aesni_dec(rounds - 1, key_schedule, block);
213069Spjd
257757Sjmg	_mm_storeu_si128((__m128i *)to, block ^ *tweak);
213069Spjd
255187Sjmg	*tweak = xts_crank_lfsr(*tweak);
255187Sjmg}
226837Spjd
255187Sjmgstatic void
257757Sjmgaesni_crypt_xts_block8(int rounds, const __m128i *key_schedule, __m128i *tweak,
257757Sjmg    const uint8_t *from, uint8_t *to, int do_encrypt)
255187Sjmg{
255187Sjmg	__m128i tmptweak;
255187Sjmg	__m128i a, b, c, d, e, f, g, h;
255187Sjmg	__m128i tweaks[8];
255187Sjmg	__m128i tmp[8];
257757Sjmg	__m128i *top;
257757Sjmg	const __m128i *fromp;
255187Sjmg
255187Sjmg	tmptweak = *tweak;
255187Sjmg
255187Sjmg	/*
255187Sjmg	 * unroll the loop.  This lets gcc put values directly in the
255187Sjmg	 * register and saves memory accesses.
255187Sjmg	 */
257757Sjmg	fromp = (const __m128i *)from;
255187Sjmg#define PREPINP(v, pos) 					\
255187Sjmg		do {						\
255187Sjmg			tweaks[(pos)] = tmptweak;		\
257757Sjmg			(v) = _mm_loadu_si128(&fromp[pos]) ^	\
257757Sjmg			    tmptweak;				\
255187Sjmg			tmptweak = xts_crank_lfsr(tmptweak);	\
255187Sjmg		} while (0)
255187Sjmg	PREPINP(a, 0);
255187Sjmg	PREPINP(b, 1);
255187Sjmg	PREPINP(c, 2);
255187Sjmg	PREPINP(d, 3);
255187Sjmg	PREPINP(e, 4);
255187Sjmg	PREPINP(f, 5);
255187Sjmg	PREPINP(g, 6);
255187Sjmg	PREPINP(h, 7);
255187Sjmg	*tweak = tmptweak;
255187Sjmg
255187Sjmg	if (do_encrypt)
255187Sjmg		aesni_enc8(rounds - 1, key_schedule, a, b, c, d, e, f, g, h,
255187Sjmg		    tmp);
255187Sjmg	else
255187Sjmg		aesni_dec8(rounds - 1, key_schedule, a, b, c, d, e, f, g, h,
255187Sjmg		    tmp);
255187Sjmg
257757Sjmg	top = (__m128i *)to;
257757Sjmg	_mm_storeu_si128(&top[0], tmp[0] ^ tweaks[0]);
257757Sjmg	_mm_storeu_si128(&top[1], tmp[1] ^ tweaks[1]);
257757Sjmg	_mm_storeu_si128(&top[2], tmp[2] ^ tweaks[2]);
257757Sjmg	_mm_storeu_si128(&top[3], tmp[3] ^ tweaks[3]);
257757Sjmg	_mm_storeu_si128(&top[4], tmp[4] ^ tweaks[4]);
257757Sjmg	_mm_storeu_si128(&top[5], tmp[5] ^ tweaks[5]);
257757Sjmg	_mm_storeu_si128(&top[6], tmp[6] ^ tweaks[6]);
257757Sjmg	_mm_storeu_si128(&top[7], tmp[7] ^ tweaks[7]);
213069Spjd}
213069Spjd
213069Spjdstatic void
257757Sjmgaesni_crypt_xts(int rounds, const __m128i *data_schedule,
257757Sjmg    const __m128i *tweak_schedule, size_t len, const uint8_t *from,
257757Sjmg    uint8_t *to, const uint8_t iv[AES_BLOCK_LEN], int do_encrypt)
213069Spjd{
255187Sjmg	__m128i tweakreg;
255187Sjmg	uint8_t tweak[AES_XTS_BLOCKSIZE] __aligned(16);
255187Sjmg	size_t i, cnt;
213069Spjd
213069Spjd	/*
213069Spjd	 * Prepare tweak as E_k2(IV). IV is specified as LE representation
213069Spjd	 * of a 64-bit block number which we allow to be passed in directly.
213069Spjd	 */
226837Spjd#if BYTE_ORDER == LITTLE_ENDIAN
226837Spjd	bcopy(iv, tweak, AES_XTS_IVSIZE);
213069Spjd	/* Last 64 bits of IV are always zero. */
213069Spjd	bzero(tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
226837Spjd#else
226837Spjd#error Only LITTLE_ENDIAN architectures are supported.
226837Spjd#endif
255187Sjmg	tweakreg = _mm_loadu_si128((__m128i *)&tweak[0]);
255187Sjmg	tweakreg = aesni_enc(rounds - 1, tweak_schedule, tweakreg);
213069Spjd
255187Sjmg	cnt = len / AES_XTS_BLOCKSIZE / 8;
255187Sjmg	for (i = 0; i < cnt; i++) {
255187Sjmg		aesni_crypt_xts_block8(rounds, data_schedule, &tweakreg,
257757Sjmg		    from, to, do_encrypt);
255187Sjmg		from += AES_XTS_BLOCKSIZE * 8;
255187Sjmg		to += AES_XTS_BLOCKSIZE * 8;
255187Sjmg	}
255187Sjmg	i *= 8;
255187Sjmg	cnt = len / AES_XTS_BLOCKSIZE;
255187Sjmg	for (; i < cnt; i++) {
255187Sjmg		aesni_crypt_xts_block(rounds, data_schedule, &tweakreg,
257757Sjmg		    from, to, do_encrypt);
213069Spjd		from += AES_XTS_BLOCKSIZE;
213069Spjd		to += AES_XTS_BLOCKSIZE;
213069Spjd	}
213069Spjd}
213069Spjd
255187Sjmgvoid
213069Spjdaesni_encrypt_xts(int rounds, const void *data_schedule,
213069Spjd    const void *tweak_schedule, size_t len, const uint8_t *from, uint8_t *to,
213069Spjd    const uint8_t iv[AES_BLOCK_LEN])
213069Spjd{
213069Spjd
213069Spjd	aesni_crypt_xts(rounds, data_schedule, tweak_schedule, len, from, to,
213069Spjd	    iv, 1);
213069Spjd}
213069Spjd
255187Sjmgvoid
213069Spjdaesni_decrypt_xts(int rounds, const void *data_schedule,
213069Spjd    const void *tweak_schedule, size_t len, const uint8_t *from, uint8_t *to,
213069Spjd    const uint8_t iv[AES_BLOCK_LEN])
213069Spjd{
213069Spjd
213069Spjd	aesni_crypt_xts(rounds, data_schedule, tweak_schedule, len, from, to,
213069Spjd	    iv, 0);
213069Spjd}
213069Spjd
267815Skibint
213066Spjdaesni_cipher_setup_common(struct aesni_session *ses, const uint8_t *key,
213066Spjd    int keylen)
210409Skib{
210409Skib
213069Spjd	switch (ses->algo) {
213069Spjd	case CRYPTO_AES_CBC:
213069Spjd		switch (keylen) {
213069Spjd		case 128:
213069Spjd			ses->rounds = AES128_ROUNDS;
213069Spjd			break;
213069Spjd		case 192:
213069Spjd			ses->rounds = AES192_ROUNDS;
213069Spjd			break;
213069Spjd		case 256:
213069Spjd			ses->rounds = AES256_ROUNDS;
213069Spjd			break;
213069Spjd		default:
213069Spjd			return (EINVAL);
213069Spjd		}
210409Skib		break;
213069Spjd	case CRYPTO_AES_XTS:
213069Spjd		switch (keylen) {
213069Spjd		case 256:
213069Spjd			ses->rounds = AES128_ROUNDS;
213069Spjd			break;
213069Spjd		case 512:
213069Spjd			ses->rounds = AES256_ROUNDS;
213069Spjd			break;
213069Spjd		default:
213069Spjd			return (EINVAL);
213069Spjd		}
210409Skib		break;
210409Skib	default:
210409Skib		return (EINVAL);
210409Skib	}
213069Spjd
213066Spjd	aesni_set_enckey(key, ses->enc_schedule, ses->rounds);
213066Spjd	aesni_set_deckey(ses->enc_schedule, ses->dec_schedule, ses->rounds);
213166Spjd	if (ses->algo == CRYPTO_AES_CBC)
213069Spjd		arc4rand(ses->iv, sizeof(ses->iv), 0);
213069Spjd	else /* if (ses->algo == CRYPTO_AES_XTS) */ {
213069Spjd		aesni_set_enckey(key + keylen / 16, ses->xts_schedule,
213069Spjd		    ses->rounds);
213069Spjd	}
210409Skib
213066Spjd	return (0);
210409Skib}