From: Martin Willi Date: Fri, 27 Mar 2015 12:51:24 +0000 (+0100) Subject: aesni: Implement XCBC mode to provide a signer/prf X-Git-Tag: 5.3.1dr1~17^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d187f87112c0c9ee6a9206e60c39ba2cbaa3ade;p=thirdparty%2Fstrongswan.git aesni: Implement XCBC mode to provide a signer/prf Compared to the xcbc plugin using AESNI-CBC as backend, this improves performance of AES-XCBC by ~45%. --- diff --git a/src/libstrongswan/plugins/aesni/Makefile.am b/src/libstrongswan/plugins/aesni/Makefile.am index 5411131b47..e4f827bc17 100644 --- a/src/libstrongswan/plugins/aesni/Makefile.am +++ b/src/libstrongswan/plugins/aesni/Makefile.am @@ -17,6 +17,7 @@ libstrongswan_aesni_la_SOURCES = \ aesni_cbc.h aesni_cbc.c \ aesni_ctr.h aesni_ctr.c \ aesni_ccm.h aesni_ccm.c \ + aesni_xcbc.h aesni_xcbc.c \ aesni_plugin.h aesni_plugin.c libstrongswan_aesni_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/aesni/aesni_plugin.c b/src/libstrongswan/plugins/aesni/aesni_plugin.c index 764ecba18b..334db9c9a4 100644 --- a/src/libstrongswan/plugins/aesni/aesni_plugin.c +++ b/src/libstrongswan/plugins/aesni/aesni_plugin.c @@ -17,6 +17,7 @@ #include "aesni_cbc.h" #include "aesni_ctr.h" #include "aesni_ccm.h" +#include "aesni_xcbc.h" #include @@ -66,6 +67,10 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 32), PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32), PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32), + PLUGIN_REGISTER(PRF, aesni_xcbc_prf_create), + PLUGIN_PROVIDE(PRF, PRF_AES128_XCBC), + PLUGIN_REGISTER(SIGNER, aesni_xcbc_signer_create), + PLUGIN_PROVIDE(SIGNER, AUTH_AES_XCBC_96), }; *features = f; diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.c b/src/libstrongswan/plugins/aesni/aesni_xcbc.c new file mode 100644 index 0000000000..13bc2cc3ff --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_xcbc.c @@ -0,0 +1,378 @@ +/* + * Copyright (C) 2008-2015 Martin Willi + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_xcbc.h" +#include "aesni_key.h" + +#include +#include + +typedef struct private_aesni_mac_t private_aesni_mac_t; + +/** + * Private data of a mac_t object. + */ +struct private_aesni_mac_t { + + /** + * Public mac_t interface. + */ + mac_t public; + + /** + * Key schedule for K1 + */ + aesni_key_t *k1; + + /** + * k2 + */ + __m128i k2; + + /** + * k3 + */ + __m128i k3; + + /** + * E + */ + __m128i e; + + /** + * remaining, unprocessed bytes in append mode + */ + u_char rem[AES_BLOCK_SIZE]; + + /** + * number of bytes used in remaining + */ + int rem_size; + + /** + * TRUE if we have zero bytes to xcbc in final() + */ + bool zero; +}; + +METHOD(mac_t, get_mac, bool, + private_aesni_mac_t *this, chunk_t data, u_int8_t *out) +{ + __m128i k0, k1, k2, k3, k4, k5, k6, k7, k8, k9, k10; + __m128i e, *bi; + u_int blocks, rem, i; + + if (!this->k1) + { + return FALSE; + } + + k0 = this->k1->schedule[0]; + k1 = this->k1->schedule[1]; + k2 = this->k1->schedule[2]; + k3 = this->k1->schedule[3]; + k4 = this->k1->schedule[4]; + k5 = this->k1->schedule[5]; + k6 = this->k1->schedule[6]; + k7 = this->k1->schedule[7]; + k8 = this->k1->schedule[8]; + k9 = this->k1->schedule[9]; + k10 = this->k1->schedule[10]; + + e = this->e; + + if (data.len) + { + this->zero = FALSE; + } + + if (this->rem_size + data.len > AES_BLOCK_SIZE) + { + /* (3) For each block M[i], where i = 1 ... n-1: + * XOR M[i] with E[i-1], then encrypt the result with Key K1, + * yielding E[i]. + */ + + /* append data to remaining bytes, process block M[1] */ + memcpy(this->rem + this->rem_size, data.ptr, + AES_BLOCK_SIZE - this->rem_size); + data = chunk_skip(data, AES_BLOCK_SIZE - this->rem_size); + + e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem)); + + e = _mm_xor_si128(e, k0); + e = _mm_aesenc_si128(e, k1); + e = _mm_aesenc_si128(e, k2); + e = _mm_aesenc_si128(e, k3); + e = _mm_aesenc_si128(e, k4); + e = _mm_aesenc_si128(e, k5); + e = _mm_aesenc_si128(e, k6); + e = _mm_aesenc_si128(e, k7); + e = _mm_aesenc_si128(e, k8); + e = _mm_aesenc_si128(e, k9); + e = _mm_aesenclast_si128(e, k10); + + bi = (__m128i*)data.ptr; + rem = data.len % AES_BLOCK_SIZE; + blocks = data.len / AES_BLOCK_SIZE; + if (!rem && blocks) + { /* don't do last block */ + rem = AES_BLOCK_SIZE; + blocks--; + } + + /* process blocks M[2] ... M[n-1] */ + for (i = 0; i < blocks; i++) + { + e = _mm_xor_si128(e, _mm_loadu_si128(bi + i)); + + e = _mm_xor_si128(e, k0); + e = _mm_aesenc_si128(e, k1); + e = _mm_aesenc_si128(e, k2); + e = _mm_aesenc_si128(e, k3); + e = _mm_aesenc_si128(e, k4); + e = _mm_aesenc_si128(e, k5); + e = _mm_aesenc_si128(e, k6); + e = _mm_aesenc_si128(e, k7); + e = _mm_aesenc_si128(e, k8); + e = _mm_aesenc_si128(e, k9); + e = _mm_aesenclast_si128(e, k10); + } + + /* store remaining bytes of block M[n] */ + memcpy(this->rem, data.ptr + data.len - rem, rem); + this->rem_size = rem; + } + else + { + /* no complete block, just copy into remaining */ + memcpy(this->rem + this->rem_size, data.ptr, data.len); + this->rem_size += data.len; + } + + if (out) + { + /* (4) For block M[n]: */ + if (this->rem_size == AES_BLOCK_SIZE && !this->zero) + { + /* a) If the blocksize of M[n] is 128 bits: + * XOR M[n] with E[n-1] and Key K2, then encrypt the result with + * Key K1, yielding E[n]. + */ + e = _mm_xor_si128(e, this->k2); + } + else + { + /* b) If the blocksize of M[n] is less than 128 bits: + * + * i) Pad M[n] with a single "1" bit, followed by the number of + * "0" bits (possibly none) required to increase M[n]'s + * blocksize to 128 bits. + */ + if (this->rem_size < AES_BLOCK_SIZE) + { + memset(this->rem + this->rem_size, 0, + AES_BLOCK_SIZE - this->rem_size); + this->rem[this->rem_size] = 0x80; + } + /* ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result + * with Key K1, yielding E[n]. + */ + e = _mm_xor_si128(e, this->k3); + } + e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem)); + + e = _mm_xor_si128(e, k0); + e = _mm_aesenc_si128(e, k1); + e = _mm_aesenc_si128(e, k2); + e = _mm_aesenc_si128(e, k3); + e = _mm_aesenc_si128(e, k4); + e = _mm_aesenc_si128(e, k5); + e = _mm_aesenc_si128(e, k6); + e = _mm_aesenc_si128(e, k7); + e = _mm_aesenc_si128(e, k8); + e = _mm_aesenc_si128(e, k9); + e = _mm_aesenclast_si128(e, k10); + _mm_storeu_si128((__m128i*)out, e); + + /* (2) Define E[0] = 0x00000000000000000000000000000000 */ + e = _mm_setzero_si128(); + this->rem_size = 0; + this->zero = TRUE; + } + this->e = e; + return TRUE; +} + +METHOD(mac_t, get_mac_size, size_t, + private_aesni_mac_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(mac_t, set_key, bool, + private_aesni_mac_t *this, chunk_t key) +{ + __m128i t1, t2, t3; + u_char k1[AES_BLOCK_SIZE]; + u_int round; + chunk_t k; + + /* reset state */ + this->e = _mm_setzero_si128(); + this->rem_size = 0; + this->zero = TRUE; + + /* Create RFC4434 variable keys if required */ + if (key.len == AES_BLOCK_SIZE) + { + k = key; + } + else if (key.len < AES_BLOCK_SIZE) + { /* pad short keys */ + k = chunk_alloca(AES_BLOCK_SIZE); + memset(k.ptr, 0, k.len); + memcpy(k.ptr, key.ptr, key.len); + } + else + { /* shorten key using XCBC */ + k = chunk_alloca(AES_BLOCK_SIZE); + memset(k.ptr, 0, k.len); + if (!set_key(this, k) || !get_mac(this, key, k.ptr)) + { + return FALSE; + } + } + + /* + * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret + * key K, as follows: + * K1 = 0x01010101010101010101010101010101 encrypted with Key K + * K2 = 0x02020202020202020202020202020202 encrypted with Key K + * K3 = 0x03030303030303030303030303030303 encrypted with Key K + */ + + DESTROY_IF(this->k1); + this->k1 = aesni_key_create(TRUE, k); + if (!this->k1) + { + return FALSE; + } + + t1 = _mm_set1_epi8(0x01); + t2 = _mm_set1_epi8(0x02); + t3 = _mm_set1_epi8(0x03); + + t1 = _mm_xor_si128(t1, this->k1->schedule[0]); + t2 = _mm_xor_si128(t2, this->k1->schedule[0]); + t3 = _mm_xor_si128(t3, this->k1->schedule[0]); + + for (round = 1; round < this->k1->rounds; round++) + { + t1 = _mm_aesenc_si128(t1, this->k1->schedule[round]); + t2 = _mm_aesenc_si128(t2, this->k1->schedule[round]); + t3 = _mm_aesenc_si128(t3, this->k1->schedule[round]); + } + + t1 = _mm_aesenclast_si128(t1, this->k1->schedule[this->k1->rounds]); + t2 = _mm_aesenclast_si128(t2, this->k1->schedule[this->k1->rounds]); + t3 = _mm_aesenclast_si128(t3, this->k1->schedule[this->k1->rounds]); + + _mm_storeu_si128((__m128i*)k1, t1); + this->k2 = t2; + this->k3 = t3; + + this->k1->destroy(this->k1); + this->k1 = aesni_key_create(TRUE, chunk_from_thing(k1)); + + memwipe(k1, AES_BLOCK_SIZE); + return this->k1 != NULL; +} + +METHOD(mac_t, destroy, void, + private_aesni_mac_t *this) +{ + DESTROY_IF(this->k1); + memwipe(&this->k2, sizeof(this->k2)); + memwipe(&this->k3, sizeof(this->k3)); + free(this); +} + +/* + * Described in header + */ +mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size) +{ + private_aesni_mac_t *this; + + INIT(this, + .public = { + .get_mac = _get_mac, + .get_mac_size = _get_mac_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + return &this->public; +} + +/* + * Described in header. + */ +prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo) +{ + mac_t *xcbc; + + switch (algo) + { + case PRF_AES128_XCBC: + xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16); + break; + default: + return NULL; + } + if (xcbc) + { + return mac_prf_create(xcbc); + } + return NULL; +} + +/* + * Described in header + */ +signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo) +{ + size_t trunc; + mac_t *xcbc; + + switch (algo) + { + case AUTH_AES_XCBC_96: + xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16); + trunc = 12; + break; + default: + return NULL; + } + if (xcbc) + { + return mac_signer_create(xcbc, trunc); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.h b/src/libstrongswan/plugins/aesni/aesni_xcbc.h new file mode 100644 index 0000000000..53f559feb8 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_xcbc.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_xcbc aesni_xcbc + * @{ @ingroup aesni + */ + +#ifndef AESNI_XCBC_H_ +#define AESNI_XCBC_H_ + +#include +#include +#include + +/** + * Create a generic mac_t object using AESNI XCBC + * + * @param algo underlying encryption algorithm + * @param key_size size of encryption key, in bytes + */ +mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size); + +/** + * Creates a new prf_t object based AESNI XCBC. + * + * @param algo algorithm to implement + * @return prf_t object, NULL if not supported + */ +prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo); + +/** + * Creates a new signer_t object based on AESNI XCBC. + * + * @param algo algorithm to implement + * @return signer_t, NULL if not supported + */ +signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo); + +#endif /** AESNI_XCBC_H_ @}*/