Commit 0d75de7e authored by Franziskus Kiefer

Bug 1357670 - AES-NI for all platforms that support it, r=ttaubert,mt

With this patch we use AES-NI whenever possible. The compile time flag USE_HW_AES
does NOT disable this new code. NSS_DISABLE_HW_AES can be used as runtime
flag to disable AES-NI and fall back to the software implementation.

Differential Revision: https://nss-review.dev.mozaws.net/D323

--HG--
extra : rebase_source : 40035bcd45711652feeef0b75b7326b8a371da80
extra : histedit_source : 552b54f8bf0bc5eb94092294313422a484490b52%2Cb18d7d5fd2c1b22e15e4ed5b57387a9d7780ccf0
parent 521fc92b
......@@ -137,16 +137,15 @@ class GHashTest : public ::testing::TestWithParam<ghash_kat_value> {
// Hash additional_data, cipher_text.
gcmHash_Reset(&ghashCtx,
const_cast<const unsigned char *>(additional_data.data()),
additional_data.size(), 16);
additional_data.size());
gcmHash_Update(&ghashCtx,
const_cast<const unsigned char *>(cipher_text.data()),
cipher_text.size(), 16);
cipher_text.size());
// Finalise (hash in the length).
uint8_t result_bytes[16];
unsigned int out_len;
ASSERT_EQ(SECSuccess,
gcmHash_Final(&ghashCtx, result_bytes, &out_len, 16, 16));
ASSERT_EQ(SECSuccess, gcmHash_Final(&ghashCtx, result_bytes, &out_len, 16));
ASSERT_EQ(16U, out_len);
EXPECT_EQ(expected, std::vector<uint8_t>(result_bytes, result_bytes + 16));
}
......
......@@ -22,8 +22,9 @@
#include "rijndael.h"
struct AESKeyWrapContextStr {
unsigned char iv[AES_KEY_WRAP_IV_BYTES];
AESContext aescx;
unsigned char iv[AES_KEY_WRAP_IV_BYTES];
void *mem; /* Pointer to beginning of allocated memory. */
};
/******************************************/
......@@ -34,8 +35,14 @@ struct AESKeyWrapContextStr {
AESKeyWrapContext *
AESKeyWrap_AllocateContext(void)
{
AESKeyWrapContext *cx = PORT_New(AESKeyWrapContext);
return cx;
/* aligned_alloc is C11 so we have to do it the old way. */
AESKeyWrapContext *ctx = PORT_ZAlloc(sizeof(AESKeyWrapContext) + 15);
if (ctx == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
ctx->mem = ctx;
return (AESKeyWrapContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F);
}
SECStatus
......@@ -77,7 +84,7 @@ AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv,
return NULL; /* error is already set */
rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0);
if (rv != SECSuccess) {
PORT_Free(cx);
PORT_Free(cx->mem);
cx = NULL; /* error should already be set */
}
return cx;
......@@ -94,8 +101,9 @@ AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
if (cx) {
AES_DestroyContext(&cx->aescx, PR_FALSE);
/* memset(cx, 0, sizeof *cx); */
if (freeit)
PORT_Free(cx);
if (freeit) {
PORT_Free(cx->mem);
}
}
}
......
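Review bot: `ctx->mem = ctx;` in AESKeyWrap_AllocateContext stores the back-pointer through the unaligned allocation, but the function returns the rounded-up address, so the `cx->mem` that AESKeyWrap_CreateContext (`PORT_Free(cx->mem)`) and AESKeyWrap_DestroyContext read later lives at a different location: for a misalignment of 8 or more bytes it is the zero left by PORT_ZAlloc and the context leaks, and for a smaller misalignment it partially overlaps the written pointer and PORT_Free is handed a corrupted address. Write the field through the aligned object instead: `AESKeyWrapContext *aligned = (AESKeyWrapContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F); aligned->mem = ctx; return aligned;`. Allocators that already return 16-byte-aligned blocks make both pointers coincide, which would hide the bug in testing on one platform and not another. The bodies of AESKeyWrap_CreateContext and AESKeyWrap_DestroyContext begin outside their hunks.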
......@@ -801,8 +801,7 @@ SEED_Decrypt(SEEDContext *cx, unsigned char *output,
** Create a new AES context suitable for AES encryption/decryption.
** "key" raw key data
** "keylen" the number of bytes of key data (16, 24, or 32)
** "blocklen" is the blocksize to use (16, 24, or 32)
** XXX currently only blocksize==16 has been tested!
** "blocklen" is the blocksize to use. NOTE: only 16 is supported!
*/
extern AESContext *
AES_CreateContext(const unsigned char *key, const unsigned char *iv,
......
......@@ -51,6 +51,18 @@ SEC_END_PROTOS
#define HAVE_NO_SANITIZE_ATTR 0
#endif
/* Alignment helpers. */
#if defined(_WINDOWS) && defined(NSS_X86_OR_X64)
#define pre_align __declspec(align(16))
#define post_align
#elif defined(NSS_X86_OR_X64)
#define pre_align
#define post_align __attribute__((aligned(16)))
#else
#define pre_align
#define post_align
#endif
#if defined(HAVE_UNALIGNED_ACCESS) && HAVE_NO_SANITIZE_ATTR
#define NO_SANITIZE_ALIGNMENT __attribute__((no_sanitize("alignment")))
#else
......
......@@ -19,30 +19,30 @@
SECStatus
CTR_InitContext(CTRContext *ctr, void *context, freeblCipherFunc cipher,
const unsigned char *param, unsigned int blocksize)
const unsigned char *param)
{
const CK_AES_CTR_PARAMS *ctrParams = (const CK_AES_CTR_PARAMS *)param;
if (ctrParams->ulCounterBits == 0 ||
ctrParams->ulCounterBits > blocksize * PR_BITS_PER_BYTE) {
ctrParams->ulCounterBits > AES_BLOCK_SIZE * PR_BITS_PER_BYTE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* Invariant: 0 < ctr->bufPtr <= blocksize */
/* Invariant: 0 < ctr->bufPtr <= AES_BLOCK_SIZE */
ctr->checkWrap = PR_FALSE;
ctr->bufPtr = blocksize; /* no unused data in the buffer */
ctr->bufPtr = AES_BLOCK_SIZE; /* no unused data in the buffer */
ctr->cipher = cipher;
ctr->context = context;
ctr->counterBits = ctrParams->ulCounterBits;
if (blocksize > sizeof(ctr->counter) ||
blocksize > sizeof(ctrParams->cb)) {
if (AES_BLOCK_SIZE > sizeof(ctr->counter) ||
AES_BLOCK_SIZE > sizeof(ctrParams->cb)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
PORT_Memcpy(ctr->counter, ctrParams->cb, blocksize);
PORT_Memcpy(ctr->counter, ctrParams->cb, AES_BLOCK_SIZE);
if (ctr->counterBits < 64) {
PORT_Memcpy(ctr->counterFirst, ctr->counter, blocksize);
PORT_Memcpy(ctr->counterFirst, ctr->counter, AES_BLOCK_SIZE);
ctr->checkWrap = PR_TRUE;
}
return SECSuccess;
......@@ -50,7 +50,7 @@ CTR_InitContext(CTRContext *ctr, void *context, freeblCipherFunc cipher,
CTRContext *
CTR_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *param, unsigned int blocksize)
const unsigned char *param)
{
CTRContext *ctr;
SECStatus rv;
......@@ -60,7 +60,7 @@ CTR_CreateContext(void *context, freeblCipherFunc cipher,
if (ctr == NULL) {
return NULL;
}
rv = CTR_InitContext(ctr, context, cipher, param, blocksize);
rv = CTR_InitContext(ctr, context, cipher, param);
if (rv != SECSuccess) {
CTR_DestroyContext(ctr, PR_TRUE);
ctr = NULL;
......
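Review bot: The test `if (AES_BLOCK_SIZE > sizeof(ctr->counter) || AES_BLOCK_SIZE > sizeof(ctrParams->cb))` in CTR_InitContext now compares nothing but compile-time constants, so it is either dead code or a layout mismatch that the build should reject rather than a runtime SEC_ERROR_LIBRARY_FAILURE. A `PR_STATIC_ASSERT(AES_BLOCK_SIZE <= sizeof(((CTRContext *)0)->counter));` next to the struct definition (and the same for `cb`) would state the requirement once and let the runtime branch go. The ulCounterBits bound and the bufPtr invariant comment read correctly with AES_BLOCK_SIZE substituted. CTR_InitContext's closing brace is outside the hunk; the other two hunks in this file only drop the parameter.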
......@@ -23,8 +23,7 @@ struct CTRContextStr {
typedef struct CTRContextStr CTRContext;
SECStatus CTR_InitContext(CTRContext *ctr, void *context,
freeblCipherFunc cipher, const unsigned char *param,
unsigned int blocksize);
freeblCipherFunc cipher, const unsigned char *param);
/*
* The context argument is the inner cipher context to use with cipher. The
......@@ -34,7 +33,7 @@ SECStatus CTR_InitContext(CTRContext *ctr, void *context,
* The cipher argument is a block cipher in the ECB encrypt mode.
*/
CTRContext *CTR_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *param, unsigned int blocksize);
const unsigned char *param);
void CTR_DestroyContext(CTRContext *ctr, PRBool freeit);
......
......@@ -20,19 +20,15 @@ struct CTSContextStr {
CTSContext *
CTS_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *iv, unsigned int blocksize)
const unsigned char *iv)
{
CTSContext *cts;
if (blocksize > MAX_BLOCK_SIZE) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
cts = PORT_ZNew(CTSContext);
if (cts == NULL) {
return NULL;
}
PORT_Memcpy(cts->iv, iv, blocksize);
PORT_Memcpy(cts->iv, iv, MAX_BLOCK_SIZE);
cts->cipher = cipher;
cts->context = context;
return cts;
......
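Review bot: `PORT_Memcpy(cts->iv, iv, MAX_BLOCK_SIZE)` in CTS_CreateContext now reads MAX_BLOCK_SIZE bytes from the caller's iv buffer unconditionally, where the removed code copied only `blocksize` bytes; unless MAX_BLOCK_SIZE equals the AES block size (its definition is not visible here), a caller passing a 16-byte IV is over-read. The sibling change in ctr.c uses AES_BLOCK_SIZE for the same purpose, so `PORT_Memcpy(cts->iv, iv, AES_BLOCK_SIZE);` — or a `PR_STATIC_ASSERT(MAX_BLOCK_SIZE == AES_BLOCK_SIZE);` beside the struct — would pin the contract, and the prototype comment in cts.h should say how many bytes `iv` must provide now that no length accompanies it. CTS_CreateContext's closing brace lies outside the hunk.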
......@@ -17,7 +17,7 @@ typedef struct CTSContextStr CTSContext;
* The cipher argument is a block cipher in the CBC mode.
*/
CTSContext *CTS_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *iv, unsigned int blocksize);
const unsigned char *iv);
void CTS_DestroyContext(CTSContext *cts, PRBool freeit);
......
......@@ -28,7 +28,7 @@ typedef struct GCMContextStr GCMContext;
* The cipher argument is a block cipher in the ECB encrypt mode.
*/
GCMContext *GCM_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *params, unsigned int blocksize);
const unsigned char *params);
void GCM_DestroyContext(GCMContext *gcm, PRBool freeit);
SECStatus GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
......@@ -40,21 +40,10 @@ SECStatus GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
unsigned int blocksize);
/* These functions are here only so we can test them */
#if defined(_WINDOWS) && defined(NSS_X86_OR_X64)
#define pre_align __declspec(align(16))
#define post_align
#elif defined(NSS_X86_OR_X64)
#define pre_align
#define post_align __attribute__((aligned(16)))
#else
#define pre_align
#define post_align
#endif
#define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */
typedef struct gcmHashContextStr gcmHashContext;
typedef SECStatus (*ghash_t)(gcmHashContext *, const unsigned char *,
unsigned int, unsigned int);
unsigned int);
pre_align struct gcmHashContextStr {
#ifdef NSS_X86_OR_X64
__m128i x, h;
......@@ -70,14 +59,13 @@ pre_align struct gcmHashContextStr {
} post_align;
SECStatus gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf,
unsigned int len, unsigned int blocksize);
unsigned int len);
SECStatus gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
PRBool sw);
SECStatus gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD,
unsigned int AADLen, unsigned int blocksize);
unsigned int AADLen);
SECStatus gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
unsigned int blocksize);
unsigned int *outlen, unsigned int maxout);
SEC_END_PROTOS
......
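Review bot: `pre_align struct gcmHashContextStr` at the end of the hunk still uses the alignment macros whose definitions this hunk removes from gcm.h, so the header now compiles only if blapii.h (where the commit re-homes them) is included by gcm.h or before it in every translation unit — the include list is outside the hunk, so that is an inference to confirm. A one-line comment above the struct, `/* pre_align/post_align are defined in blapii.h; the x86 variant holds __m128i and needs 16-byte alignment. */`, would record the dependency. The struct body and the prototypes after it continue beyond the hunk.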
......@@ -91,8 +91,6 @@ LOCAL bail
movdqu [rsp + 1*16], xmm7
movdqu [rsp + 2*16], xmm8
lea ctx, [48+ctx]
loop8:
cmp inputLen, 8*16
jb loop1
......@@ -555,9 +553,7 @@ LOCAL bail
movdqu [rsp + 1*16], xmm7
movdqu [rsp + 2*16], xmm8
lea ctx, [48+ctx]
movdqu xmm0, [-32+ctx]
movdqu xmm0, [256+ctx]
movdqu xmm2, [0*16 + ctx]
movdqu xmm3, [1*16 + ctx]
......@@ -597,7 +593,7 @@ loop1:
jmp loop1
bail:
movdqu [-32+ctx], xmm0
movdqu [256+ctx], xmm0
xor rax, rax
......@@ -625,8 +621,6 @@ LOCAL bail
movdqu [rsp + 1*16], xmm7
movdqu [rsp + 2*16], xmm8
lea ctx, [48+ctx]
loop8:
cmp inputLen, 8*16
jb dec1
......@@ -657,7 +651,7 @@ loop8:
ENDM
aes_dec_last_rnd rnds
movdqu xmm8, [-32 + ctx]
movdqu xmm8, [256 + ctx]
pxor xmm0, xmm8
movdqu xmm8, [0*16 + input]
pxor xmm1, xmm8
......@@ -683,7 +677,7 @@ loop8:
movdqu [5*16 + output], xmm5
movdqu [6*16 + output], xmm6
movdqu [7*16 + output], xmm7
movdqu [-32 + ctx], xmm8
movdqu [256 + ctx], xmm8
lea input, [8*16 + input]
lea output, [8*16 + output]
......@@ -691,7 +685,7 @@ loop8:
jmp loop8
dec1:
movdqu xmm3, [-32 + ctx]
movdqu xmm3, [256 + ctx]
loop1:
cmp inputLen, 1*16
......@@ -721,7 +715,7 @@ loop1:
jmp loop1
bail:
movdqu [-32 + ctx], xmm3
movdqu [256 + ctx], xmm3
xor rax, rax
movdqu xmm6, [rsp + 0*16]
......@@ -773,7 +767,6 @@ LOCAL bail
mov ctrCtx, ctx
mov ctx, [8+ctrCtx]
lea ctx, [48+ctx]
sub rsp, 3*16
movdqu [rsp + 0*16], xmm6
......
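Review bot: The AESContext field offsets are written as bare literals at every site — `[256+ctx]` for the IV throughout this file, `[252+ctx]` and `[244+KS]` in the x86 MASM files and `[244 + KS]` in intel-gcm-x64-masm.asm — while the old `lea ctx, [48+ctx]` is simply deleted, so nothing in the assembly ties these numbers to the struct in rijndael.h whose comment says they are mirrored here. A single equate per file near the top (for example an `AES_IV_OFFSET EQU 256`, named as you prefer, with a comment pointing at struct AESContextStr) used at each site would give the next layout change one place to edit, as intel-aes.s already attempts with IV_OFFSET. The same applies to the x86 MASM section and both GCM MASM sections below. Every hunk here is cut mid-procedure, so the prologues that load ctx are outside view.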
......@@ -87,8 +87,6 @@ LOCAL bail
mov input, [esp + 2*4 + 4*4]
mov inputLen, [esp + 2*4 + 5*4]
lea ctx, [44+ctx]
loop7:
cmp inputLen, 7*16
jb loop1
......@@ -557,9 +555,7 @@ LOCAL bail
mov input, [esp + 2*4 + 4*4]
mov inputLen, [esp + 2*4 + 5*4]
lea ctx, [44+ctx]
movdqu xmm0, [-32+ctx]
movdqu xmm0, [252+ctx]
movdqu xmm2, [0*16 + ctx]
movdqu xmm3, [1*16 + ctx]
......@@ -597,7 +593,7 @@ loop1:
jmp loop1
bail:
movdqu [-32+ctx], xmm0
movdqu [252+ctx], xmm0
xor eax, eax
pop inputLen
......@@ -619,8 +615,6 @@ LOCAL bail
mov input, [esp + 2*4 + 4*4]
mov inputLen, [esp + 2*4 + 5*4]
lea ctx, [44+ctx]
loop7:
cmp inputLen, 7*16
jb dec1
......@@ -649,7 +643,7 @@ loop7:
ENDM
aes_dec_last_rnd rnds
movdqu xmm7, [-32 + ctx]
movdqu xmm7, [252 + ctx]
pxor xmm0, xmm7
movdqu xmm7, [0*16 + input]
pxor xmm1, xmm7
......@@ -672,7 +666,7 @@ loop7:
movdqu [4*16 + output], xmm4
movdqu [5*16 + output], xmm5
movdqu [6*16 + output], xmm6
movdqu [-32 + ctx], xmm7
movdqu [252 + ctx], xmm7
lea input, [7*16 + input]
lea output, [7*16 + output]
......@@ -680,7 +674,7 @@ loop7:
jmp loop7
dec1:
movdqu xmm3, [-32 + ctx]
movdqu xmm3, [252 + ctx]
loop1:
cmp inputLen, 1*16
......@@ -710,7 +704,7 @@ loop1:
jmp loop1
bail:
movdqu [-32 + ctx], xmm3
movdqu [252 + ctx], xmm3
xor eax, eax
pop inputLen
ret
......@@ -769,7 +763,6 @@ LOCAL bail
mov inputLen, [esp + 4*5 + 5*4]
mov ctx, [4+ctrCtx]
lea ctx, [44+ctx]
mov ebp, esp
sub esp, 7*16
......
......@@ -4,8 +4,7 @@
.text
#define IV_OFFSET 16
#define EXPANDED_KEY_OFFSET 48
#define IV_OFFSET 256
/*
* Warning: the length values used in this module are "unsigned int"
......@@ -144,9 +143,6 @@ key_expansion128:
.globl intel_aes_encrypt_ecb_128
.align 16
intel_aes_encrypt_ecb_128:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 160(%rdi), %xmm12
xor %eax, %eax
......@@ -328,9 +324,6 @@ intel_aes_encrypt_ecb_128:
.globl intel_aes_decrypt_ecb_128
.align 16
intel_aes_decrypt_ecb_128:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 160(%rdi), %xmm12
xorl %eax, %eax
......@@ -516,9 +509,7 @@ intel_aes_encrypt_cbc_128:
je 2f
// leaq IV_OFFSET(%rdi), %rdx
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0
movdqu (%rdi), %xmm2
......@@ -575,9 +566,7 @@ intel_aes_encrypt_cbc_128:
.align 16
intel_aes_decrypt_cbc_128:
// leaq IV_OFFSET(%rdi), %rdx
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0 /* iv */
movdqu (%rdi), %xmm2 /* first key block */
......@@ -902,9 +891,6 @@ key_expansion192:
.globl intel_aes_encrypt_ecb_192
.align 16
intel_aes_encrypt_ecb_192:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 192(%rdi), %xmm14
xorl %eax, %eax
......@@ -1109,9 +1095,6 @@ intel_aes_encrypt_ecb_192:
.globl intel_aes_decrypt_ecb_192
.align 16
intel_aes_decrypt_ecb_192:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 192(%rdi), %xmm14
xorl %eax, %eax
......@@ -1320,9 +1303,7 @@ intel_aes_encrypt_cbc_192:
je 2f
// leaq IV_OFFSET(%rdi), %rdx
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0
movdqu (%rdi), %xmm2
......@@ -1382,8 +1363,8 @@ intel_aes_encrypt_cbc_192:
.globl intel_aes_decrypt_cbc_192
.align 16
intel_aes_decrypt_cbc_192:
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
// leaq IV_OFFSET(%rdi), %rdx
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0
movdqu (%rdi), %xmm2
......@@ -1738,9 +1719,6 @@ key_expansion256:
.globl intel_aes_encrypt_ecb_256
.align 16
intel_aes_encrypt_ecb_256:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 224(%rdi), %xmm15
xorl %eax, %eax
......@@ -1970,9 +1948,6 @@ intel_aes_encrypt_ecb_256:
.globl intel_aes_decrypt_ecb_256
.align 16
intel_aes_decrypt_ecb_256:
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 48(%rdi), %rdi
movdqu (%rdi), %xmm2
movdqu 224(%rdi), %xmm15
xorl %eax, %eax
......@@ -2206,9 +2181,7 @@ intel_aes_encrypt_cbc_256:
je 2f
// leaq IV_OFFSET(%rdi), %rdx
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0
movdqu (%rdi), %xmm8
......@@ -2274,9 +2247,7 @@ intel_aes_encrypt_cbc_256:
.align 16
intel_aes_decrypt_cbc_256:
// leaq IV_OFFSET(%rdi), %rdx
// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
leaq 16(%rdi), %rdx
leaq 48(%rdi), %rdi
leaq 256(%rdi), %rdx
movdqu (%rdx), %xmm0
movdqu (%rdi), %xmm2
......
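Review bot: `#define IV_OFFSET 256` is introduced at the top of intel-aes.s but none of the rewritten sites use it — each writes `leaq 256(%rdi), %rdx` and keeps a commented-out `// leaq IV_OFFSET(%rdi), %rdx` beside it, and intel_aes_decrypt_cbc_192 newly gains that comment. Using the macro, `leaq IV_OFFSET(%rdi), %rdx`, and deleting the commented-out lines would make the define meaningful and leave one place to touch when the struct moves; a note by the define, `/* offsetof(struct AESContextStr, iv) on x86-64; keep in sync with rijndael.h */`, would name the source of truth. The ECB entry points now use %rdi directly as the key schedule, consistent with keySchedule being the first member of the union in rijndael.h. All hunks are cut mid-function.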
......@@ -41,8 +41,7 @@ struct intel_AES_GCMContextStr {
intel_AES_GCMContext *
intel_AES_GCM_CreateContext(void *context,
freeblCipherFunc cipher,
const unsigned char *params,
unsigned int blocksize)
const unsigned char *params)
{
intel_AES_GCMContext *gcm = NULL;
AESContext *aes = (AESContext *)context;
......@@ -59,10 +58,6 @@ intel_AES_GCM_CreateContext(void *context,
unsigned int j;
SECStatus rv;
if (blocksize != AES_BLOCK_SIZE) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
gcm = PORT_ZNew(intel_AES_GCMContext);
if (gcm == NULL) {
......
......@@ -496,8 +496,8 @@ LbeginENC:
vmovdqu CTR0, XMMWORD PTR[16*16 + 2*16 + Gctx]
vmovdqu BSWAPMASK, XMMWORD PTR[Lbswap_mask]
mov KS, [16*16 + 3*16 + Gctx]
mov NR, [4 + KS]
lea KS, [48 + KS]
mov NR, [244 + KS]
lea KS, [KS]
vpshufb CTR0, CTR0, BSWAPMASK
......@@ -994,8 +994,7 @@ LbeginDEC:
vmovdqu CTR0, XMMWORD PTR[16*16 + 2*16 + Gctx]
vmovdqu BSWAPMASK, XMMWORD PTR[Lbswap_mask]
mov KS, [16*16 + 3*16 + Gctx]
mov NR, [4 + KS]
lea KS, [48 + KS]
mov NR, [244 + KS]
vpshufb CTR0, CTR0, BSWAPMASK
......
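Review bot: `lea KS, [KS]` at the end of the LbeginENC hunk is a no-op left over from the removed `lea KS, [48 + KS]`, and the LbeginDEC hunk drops the instruction entirely, so the two paths should match — delete the line. `mov NR, [244 + KS]` reads AESContext->Nr by a bare offset; a comment like the `# AESContext->Nr` line that intel-gcm.s adds, or a named equate, would keep it traceable to rijndael.h. Both hunks are inside procedures whose bodies extend beyond the view.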
......@@ -390,7 +390,7 @@ Htbl textequ <edx>
Gctx textequ <edx>
len textequ <DWORD PTR[ebp + 5*4 + 3*4]>
KS textequ <esi>
NR textequ <DWORD PTR[-40 + KS]>
NR textequ <DWORD PTR[244+KS]>
aluCTR textequ <ebx>
aluTMP textequ <edi>
......@@ -463,7 +463,6 @@ LbeginENC:
mov Gctx, [ebp + 5*4 + 2*4]
mov KS, [16*16 + 3*16 + Gctx]
lea KS, [44 + KS]
mov aluCTR, [16*16 + 2*16 + 3*4 + Gctx]
bswap aluCTR
......@@ -931,7 +930,6 @@ LbeginDEC:
mov Gctx, [ebp + 5*4 + 2*4]
mov KS, [16*16 + 3*16 + Gctx]
lea KS, [44 + KS]
mov aluCTR, [16*16 + 2*16 + 3*4 + Gctx]
bswap aluCTR
......
......@@ -27,7 +27,7 @@
typedef struct intel_AES_GCMContextStr intel_AES_GCMContext;
intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *params, unsigned int blocksize);
const unsigned char *params);
void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit);
......
......@@ -467,8 +467,8 @@ intel_aes_gcmENC:
vmovdqu 288(Gctx), CTR
vmovdqu 272(Gctx), T
mov 304(Gctx), KS
mov 4(KS), NR
lea 48(KS), KS
# AESContext->Nr
mov 244(KS), NR
vpshufb .Lbswap_mask(%rip), CTR, CTR
vpshufb .Lbswap_mask(%rip), T, T
......@@ -1001,8 +1001,8 @@ intel_aes_gcmDEC:
vmovdqu 288(Gctx), CTR
vmovdqu 272(Gctx), T
mov 304(Gctx), KS
mov 4(KS), NR
lea 48(KS), KS
# AESContext->Nr
mov 244(KS), NR
vpshufb .Lbswap_mask(%rip), CTR, CTR
vpshufb .Lbswap_mask(%rip), T, T
......
......@@ -6,13 +6,15 @@
#define _RIJNDAEL_H_ 1
#include "blapii.h"
#include <stdint.h>
#define RIJNDAEL_MIN_BLOCKSIZE 16 /* bytes */
#define RIJNDAEL_MAX_BLOCKSIZE 32 /* bytes */
#ifdef NSS_X86_OR_X64
#include <wmmintrin.h> /* aes-ni */
#endif
typedef SECStatus AESBlockFunc(AESContext *cx,
unsigned char *output,
const unsigned char *input);
typedef void AESBlockFunc(AESContext *cx,
unsigned char *output,
const unsigned char *input);
/* RIJNDAEL_NUM_ROUNDS
*
......@@ -23,24 +25,18 @@ typedef SECStatus AESBlockFunc(AESContext *cx,
#define RIJNDAEL_NUM_ROUNDS(Nk, Nb) \
(PR_MAX(Nk, Nb) + 6)
/* RIJNDAEL_MAX_STATE_SIZE
*
* Maximum number of bytes in the state (spec includes up to 256-bit block
* size)
*/
#define RIJNDAEL_MAX_STATE_SIZE 32
/*
* This magic number is (Nb_max * (Nr_max + 1))
* where Nb_max is the maximum block size in 32-bit words,
* Nr_max is the maximum number of rounds, which is Nb_max + 6
*/
#define RIJNDAEL_MAX_EXP_KEY_SIZE (8 * 15)
#define RIJNDAEL_MAX_EXP_KEY_SIZE (4 * 15)
/* AESContextStr
*
* Values which maintain the state for Rijndael encryption/decryption.
*
* keySchedule - 128-bit registers for the key-schedule
* iv - initialization vector for CBC mode
* Nb - the number of bytes in a block, specified by user
* Nr - the number of rounds, specified by a table
......@@ -51,17 +47,23 @@ typedef SECStatus AESBlockFunc(AESContext *cx,
* isBlock - is the mode of operation a block cipher or a stream cipher?
*/
struct AESContextStr {
/* NOTE: Offsets to members in this struct are hardcoded in assembly.
* Don't change the struct without updating intel-aes.s and intel-gcm.s. */
union {
#if defined(NSS_X86_OR_X64)
__m128i keySchedule[15];
#endif
PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE];
};
unsigned int Nb;
unsigned int Nr;
freeblCipherFunc worker;
/* NOTE: The offsets of iv and expandedKey are hardcoded in intel-aes.s.
* Don't add new members before them without updating intel-aes.s. */
unsigned char iv[RIJNDAEL_MAX_BLOCKSIZE];
PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE];
unsigned char iv[AES_BLOCK_SIZE];
freeblDestroyFunc destroy;
void *worker_cx;
PRBool isBlock;
int mode;
void *mem; /* Start of the allocated memory to free. */
};
#endif /* _RIJNDAEL_H_ */