Page MenuHomeFreeBSD
Differential D28501 Diff 83541 sys/crypto/armv8/armv8_crypto_wrap.c

Changeset View

Standalone View

View Options

sys/crypto/armv8/armv8_crypto_wrap.c

Show First 20 LinesShow All 257 Lines▼ Show 20 Linesarmv8_aes_encrypt_gcm(AES_key_t *aes_key, size_t len,
/* EK0 for a final GMAC round */ /* EK0 for a final GMAC round */
aes_v8_encrypt(aes_counter, EK0.c, aes_key); aes_v8_encrypt(aes_counter, EK0.c, aes_key);
/* GCM starts with 2 as counter, 1 is used for final xor of tag. */ /* GCM starts with 2 as counter, 1 is used for final xor of tag. */
aes_counter[AES_BLOCK_LEN - 1] = 2; aes_counter[AES_BLOCK_LEN - 1] = 2;
memset(Xi.c, 0, sizeof(Xi.c)); memset(Xi.c, 0, sizeof(Xi.c));
trailer = authdatalen % AES_BLOCK_LEN;
if (authdatalen - trailer > 0) {
gcm_ghash_v8(Xi.u, Htable, authdata, authdatalen - trailer);
authdata += authdatalen - trailer;
}
if (trailer > 0 || authdatalen == 0) {
memset(block, 0, sizeof(block)); memset(block, 0, sizeof(block));
memcpy(block, authdata, min(authdatalen, sizeof(block))); memcpy(block, authdata, trailer);
gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN);
}
from64 = (const uint64_t*)from; from64 = (const uint64_t*)from;
to64 = (uint64_t*)to; to64 = (uint64_t*)to;
trailer = len % AES_BLOCK_LEN; trailer = len % AES_BLOCK_LEN;
for (i = 0; i < (len - trailer); i += AES_BLOCK_LEN) { for (i = 0; i < (len - trailer); i += AES_BLOCK_LEN) {
aes_v8_encrypt(aes_counter, EKi.c, aes_key); aes_v8_encrypt(aes_counter, EKi.c, aes_key);
AES_INC_COUNTER(aes_counter); AES_INC_COUNTER(aes_counter);
to64[0] = from64[0] ^ EKi.u[0]; to64[0] = from64[0] ^ EKi.u[0];
to64[1] = from64[1] ^ EKi.u[1]; to64[1] = from64[1] ^ EKi.u[1];
gcm_ghash_v8(Xi.u, Htable, (uint8_t*)to64, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, (uint8_t*)to64, AES_BLOCK_LEN);
to64 += 2; to64 += 2;
from64 += 2; from64 += 2;
} }
to += (len - trailer); to += (len - trailer);
from += (len - trailer); from += (len - trailer);
if (trailer) { if (trailer) {
aes_v8_encrypt(aes_counter, EKi.c, aes_key); aes_v8_encrypt(aes_counter, EKi.c, aes_key);
AES_INC_COUNTER(aes_counter); AES_INC_COUNTER(aes_counter);
memset(block, 0, sizeof(block));
for (i = 0; i < trailer; i++) { for (i = 0; i < trailer; i++) {
block[i] = to[i] = from[i] ^ EKi.c[i % AES_BLOCK_LEN]; block[i] = to[i] = from[i] ^ EKi.c[i];
} }
for (; i < AES_BLOCK_LEN; i++)
block[i] = 0;
gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN);
} }
/* Lengths block */ /* Lengths block */
lenblock.u[0] = lenblock.u[1] = 0; lenblock.u[0] = lenblock.u[1] = 0;
lenblock.d[1] = htobe32(authdatalen * 8); lenblock.d[1] = htobe32(authdatalen * 8);
lenblock.d[3] = htobe32(len * 8); lenblock.d[3] = htobe32(len * 8);
gcm_ghash_v8(Xi.u, Htable, lenblock.c, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, lenblock.c, AES_BLOCK_LEN);
Show All 32 Linesarmv8_aes_decrypt_gcm(AES_key_t *aes_key, size_t len,
/* Setup the counter */ /* Setup the counter */
aes_counter[AES_BLOCK_LEN - 1] = 1; aes_counter[AES_BLOCK_LEN - 1] = 1;
/* EK0 for a final GMAC round */ /* EK0 for a final GMAC round */
aes_v8_encrypt(aes_counter, EK0.c, aes_key); aes_v8_encrypt(aes_counter, EK0.c, aes_key);
memset(Xi.c, 0, sizeof(Xi.c)); memset(Xi.c, 0, sizeof(Xi.c));
trailer = authdatalen % AES_BLOCK_LEN;
if (authdatalen - trailer > 0) {
gcm_ghash_v8(Xi.u, Htable, authdata, authdatalen - trailer);
authdata += authdatalen - trailer;
}
if (trailer > 0 || authdatalen == 0) {
memset(block, 0, sizeof(block)); memset(block, 0, sizeof(block));
memcpy(block, authdata, min(authdatalen, sizeof(block))); memcpy(block, authdata, trailer);
gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN);
}
trailer = len % AES_BLOCK_LEN; trailer = len % AES_BLOCK_LEN;
if (len - trailer > 0)
gcm_ghash_v8(Xi.u, Htable, from, len - trailer); gcm_ghash_v8(Xi.u, Htable, from, len - trailer);
if (trailer > 0) {
if (trailer) { memset(block, 0, sizeof(block));
for (i = 0; i < trailer; i++) memcpy(block, from + len - trailer, trailer);
block[i] = from[len - trailer + i];
for (; i < AES_BLOCK_LEN; i++)
block[i] = 0;
gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, block, AES_BLOCK_LEN);
} }
/* Lengths block */ /* Lengths block */
lenblock.u[0] = lenblock.u[1] = 0; lenblock.u[0] = lenblock.u[1] = 0;
lenblock.d[1] = htobe32(authdatalen * 8); lenblock.d[1] = htobe32(authdatalen * 8);
lenblock.d[3] = htobe32(len * 8); lenblock.d[3] = htobe32(len * 8);
gcm_ghash_v8(Xi.u, Htable, lenblock.c, AES_BLOCK_LEN); gcm_ghash_v8(Xi.u, Htable, lenblock.c, AES_BLOCK_LEN);
Show All 22 Linesarmv8_aes_decrypt_gcm(AES_key_t *aes_key, size_t len,
to += (len - trailer); to += (len - trailer);
from += (len - trailer); from += (len - trailer);
if (trailer) { if (trailer) {
aes_v8_encrypt(aes_counter, EKi.c, aes_key); aes_v8_encrypt(aes_counter, EKi.c, aes_key);
AES_INC_COUNTER(aes_counter); AES_INC_COUNTER(aes_counter);
for (i = 0; i < trailer; i++) for (i = 0; i < trailer; i++)
to[i] = from[i] ^ EKi.c[i % AES_BLOCK_LEN]; to[i] = from[i] ^ EKi.c[i];
} }
out: out:
explicit_bzero(aes_counter, sizeof(aes_counter)); explicit_bzero(aes_counter, sizeof(aes_counter));
explicit_bzero(Xi.c, sizeof(Xi.c)); explicit_bzero(Xi.c, sizeof(Xi.c));
explicit_bzero(EK0.c, sizeof(EK0.c)); explicit_bzero(EK0.c, sizeof(EK0.c));
explicit_bzero(EKi.c, sizeof(EKi.c)); explicit_bzero(EKi.c, sizeof(EKi.c));
explicit_bzero(lenblock.c, sizeof(lenblock.c)); explicit_bzero(lenblock.c, sizeof(lenblock.c));
return (error); return (error);
} }