Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AES-GCM ARM asm: fixes from GCM changes #6582

Merged
merged 1 commit into from
Jul 7, 2023
Merged

AES-GCM ARM asm: fixes from GCM changes #6582

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 24 additions & 24 deletions wolfcrypt/src/port/arm/armv8-aes.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4220,7 +4220,7 @@ int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
* on ARMv8". Shifting left to account for bit reflection is based on
* "Carry-Less Multiplication and Its Usage for Computing the GCM mode"
*/
static void GMULT(byte* X, byte* Y)
void GMULT(byte* X, byte* Y)
{
__asm__ __volatile__ (
"VLD1.32 {q0}, [%[x]] \n"
Expand Down Expand Up @@ -4279,13 +4279,13 @@ static void GMULT(byte* X, byte* Y)
}


void GHASH(Aes* aes, const byte* a, word32 aSz,
const byte* c, word32 cSz, byte* s, word32 sSz)
void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz,
byte* s, word32 sSz)
{
byte x[AES_BLOCK_SIZE];
byte scratch[AES_BLOCK_SIZE];
word32 blocks, partial;
byte* h = aes->gcm.H;
byte* h = gcm->H;

XMEMSET(x, 0, AES_BLOCK_SIZE);

Expand Down Expand Up @@ -5967,15 +5967,15 @@ static WC_INLINE void RIGHTSHIFTX(byte* x)
x[0] ^= borrow;
}

static void GenerateM0(Aes* aes)
void GenerateM0(Gcm* gcm)
{
int i;
byte (*m)[AES_BLOCK_SIZE] = aes->M0;
byte (*m)[AES_BLOCK_SIZE] = gcm->M0;

/* 0 times -> 0x0 */
XMEMSET(m[0x0], 0, AES_BLOCK_SIZE);
/* 1 times -> 0x8 */
XMEMCPY(m[0x8], aes->gcm.H, AES_BLOCK_SIZE);
XMEMCPY(m[0x8], gcm->H, AES_BLOCK_SIZE);
/* 2 times -> 0x4 */
XMEMCPY(m[0x4], m[0x8], AES_BLOCK_SIZE);
RIGHTSHIFTX(m[0x4]);
Expand Down Expand Up @@ -6015,7 +6015,7 @@ static void GenerateM0(Aes* aes)
xorbuf (m[0xf], m[0x7], AES_BLOCK_SIZE);

for (i = 0; i < 16; i++) {
word32* m32 = (word32*)aes->M0[i];
word32* m32 = (word32*)gcm->M0[i];
m32[0] = ByteReverseWord32(m32[0]);
m32[1] = ByteReverseWord32(m32[1]);
m32[2] = ByteReverseWord32(m32[2]);
Expand All @@ -6042,7 +6042,7 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
if (ret == 0) {
AES_ECB_encrypt(iv, aes->gcm.H, AES_BLOCK_SIZE,
(const unsigned char*)aes->key, aes->rounds);
GenerateM0(aes);
GenerateM0(&aes->gcm);
}

return ret;
Expand Down Expand Up @@ -6094,13 +6094,13 @@ static void gcm_ghash_arm32(Aes* aes, const byte* a, word32 aSz, const byte* c,
blocks = aSz / AES_BLOCK_SIZE;
partial = aSz % AES_BLOCK_SIZE;
if (blocks > 0) {
GCM_gmult_len(x, aes->M0, a, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, a, blocks * AES_BLOCK_SIZE);
a += blocks * AES_BLOCK_SIZE;
}
if (partial != 0) {
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, a, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
}
}

Expand All @@ -6109,20 +6109,20 @@ static void gcm_ghash_arm32(Aes* aes, const byte* a, word32 aSz, const byte* c,
blocks = cSz / AES_BLOCK_SIZE;
partial = cSz % AES_BLOCK_SIZE;
if (blocks > 0) {
GCM_gmult_len(x, aes->M0, c, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, c, blocks * AES_BLOCK_SIZE);
c += blocks * AES_BLOCK_SIZE;
}
if (partial != 0) {
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, c, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
}
}

/* Hash in the lengths of A and C in bits */
FlattenSzInBits(&scratch[0], aSz);
FlattenSzInBits(&scratch[8], cSz);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);

/* Copy the result into s. */
XMEMCPY(s, x, sSz);
Expand Down Expand Up @@ -6173,13 +6173,13 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
blocks = authInSz / AES_BLOCK_SIZE;
partial = authInSz % AES_BLOCK_SIZE;
if (blocks > 0) {
GCM_gmult_len(x, aes->M0, authIn, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, authIn, blocks * AES_BLOCK_SIZE);
authIn += blocks * AES_BLOCK_SIZE;
}
if (partial != 0) {
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, authIn, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
}
}

Expand All @@ -6189,7 +6189,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
if (blocks > 0) {
AES_GCM_encrypt(in, out, blocks * AES_BLOCK_SIZE,
(const unsigned char*)aes->key, aes->rounds, counter);
GCM_gmult_len(x, aes->M0, out, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, out, blocks * AES_BLOCK_SIZE);
in += blocks * AES_BLOCK_SIZE;
out += blocks * AES_BLOCK_SIZE;
}
Expand All @@ -6202,14 +6202,14 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,

XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, out, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
}

/* Hash in the lengths of A and C in bits */
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
FlattenSzInBits(&scratch[0], authInSz);
FlattenSzInBits(&scratch[8], sz);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
if (authTagSz > AES_BLOCK_SIZE) {
XMEMCPY(authTag, x, AES_BLOCK_SIZE);
}
Expand Down Expand Up @@ -6261,21 +6261,21 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
blocks = authInSz / AES_BLOCK_SIZE;
partial = authInSz % AES_BLOCK_SIZE;
if (blocks > 0) {
GCM_gmult_len(x, aes->M0, authIn, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, authIn, blocks * AES_BLOCK_SIZE);
authIn += blocks * AES_BLOCK_SIZE;
}
if (partial != 0) {
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, authIn, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
}
}

blocks = sz / AES_BLOCK_SIZE;
partial = sz % AES_BLOCK_SIZE;
/* do as many blocks as possible */
if (blocks > 0) {
GCM_gmult_len(x, aes->M0, in, blocks * AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, in, blocks * AES_BLOCK_SIZE);

AES_GCM_encrypt(in, out, blocks * AES_BLOCK_SIZE,
(const unsigned char*)aes->key, aes->rounds, counter);
Expand All @@ -6285,7 +6285,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
if (partial != 0) {
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
XMEMCPY(scratch, in, partial);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);

AES_GCM_encrypt(in, scratch, AES_BLOCK_SIZE,
(const unsigned char*)aes->key, aes->rounds, counter);
Expand All @@ -6295,7 +6295,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
XMEMSET(scratch, 0, AES_BLOCK_SIZE);
FlattenSzInBits(&scratch[0], authInSz);
FlattenSzInBits(&scratch[8], sz);
GCM_gmult_len(x, aes->M0, scratch, AES_BLOCK_SIZE);
GCM_gmult_len(x, aes->gcm.M0, scratch, AES_BLOCK_SIZE);
AES_ECB_encrypt(initialCounter, scratch, AES_BLOCK_SIZE,
(const unsigned char*)aes->key, aes->rounds);
xorbuf(x, scratch, authTagSz);
Expand Down