/*
 *------------------------------------------------------------------
 * Copyright (c) 2019 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *------------------------------------------------------------------
 */

#include <vlib/vlib.h>
#include <vnet/plugin/plugin.h>
#include <vnet/crypto/crypto.h>
#include <crypto_native/crypto_native.h>
#include <crypto_native/aes.h>
#include <crypto_native/ghash.h>

#if __GNUC__ > 4 && !__clang__ && CLIB_DEBUG == 0
#pragma GCC optimize ("O3")
#endif

#define NUM_HI 8

typedef struct
{
  /* pre-calculated hash key values */
  const u8x16 Hi[NUM_HI];
  /* extracted AES key */
  const u8x16 Ke[15];
} aes_gcm_key_data_t;

typedef struct
{
  u32 counter;
  u32x4 Y;
} aes_gcm_counter_t;

static const u32x4 ctr_inv_1 = { 0, 0, 0, 1 << 24 };
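
/* load n 16-byte blocks from inv into d; a non-zero n_bytes means the
   last block is partial and is loaded with a byte-granular partial load */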
static_always_inline void
aes_gcm_load (u8x16 * d, u8x16u * inv, int n, int n_bytes)
{
  for (int i = 0; i < n - 1; i++)
    d[i] = inv[i];
  d[n - 1] = n_bytes ? aes_load_partial (inv + n - 1, n_bytes) : inv[n - 1];
}
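
/* store n 16-byte blocks from d to outv; a non-zero n_bytes means the
   last block is partial */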
static_always_inline void
aes_gcm_store (u8x16 * d, u8x16u * outv, int n, int n_bytes)
{
  for (int i = 0; i < n - 1; i++)
    outv[i] = d[i];
  if (n_bytes)
    aes_store_partial (outv + n - 1, d[n - 1], n_bytes);
  else
    outv[n - 1] = d[n - 1];
}
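
/* AES round 0 for the next n_blocks counter blocks - XOR the round 0 key
   into the counter blocks and advance the counter; the fast path only
   increments the last (big-endian) counter byte, the slow path rewrites
   the whole counter word once that byte is close to wrapping */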
static_always_inline void
aes_gcm_enc_first_round (u8x16 * r, aes_gcm_counter_t * ctr, u8x16 k,
                         int n_blocks)
{
  if (PREDICT_TRUE ((u8) ctr->counter < (256 - 2 * n_blocks)))
    {
      for (int i = 0; i < n_blocks; i++)
        {
          r[i] = k ^ (u8x16) ctr->Y;
          ctr->Y += ctr_inv_1;
        }
      ctr->counter += n_blocks;
    }
  else
    {
      for (int i = 0; i < n_blocks; i++)
        {
          r[i] = k ^ (u8x16) ctr->Y;
          ctr->counter++;
          ctr->Y[3] = clib_host_to_net_u32 (ctr->counter + 1);
        }
    }
}
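
/* one AES encryption round with round key k applied to n_blocks states */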
static_always_inline void
aes_gcm_enc_round (u8x16 * r, u8x16 k, int n_blocks)
{
  for (int i = 0; i < n_blocks; i++)
    r[i] = aes_enc_round (r[i], k);
}
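
/* remaining AES rounds plus the final round; the resulting keystream is
   XORed into the data blocks held in d */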
static_always_inline void
aes_gcm_enc_last_round (u8x16 * r, u8x16 * d, u8x16 const *k,
                        int rounds, int n_blocks)
{

  /* additional rounds for AES-192 and AES-256 */
  for (int i = 10; i < rounds; i++)
    aes_gcm_enc_round (r, k[i], n_blocks);

  for (int i = 0; i < n_blocks; i++)
    d[i] ^= aes_enc_last_round (r[i], k[rounds]);
}
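
/* GHASH n_blocks blocks from in into T, using the pre-computed powers of H
   so all products are folded before a single reduction */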
static_always_inline u8x16
aes_gcm_ghash_blocks (u8x16 T, aes_gcm_key_data_t * kd,
                      u8x16u * in, int n_blocks)
{
  ghash_data_t _gd, *gd = &_gd;
  u8x16 *Hi = (u8x16 *) kd->Hi + NUM_HI - n_blocks;
  ghash_mul_first (gd, u8x16_reflect (in[0]) ^ T, Hi[0]);
  for (int i = 1; i < n_blocks; i++)
    ghash_mul_next (gd, u8x16_reflect ((in[i])), Hi[i]);
  ghash_reduce (gd);
  ghash_reduce2 (gd);
  return ghash_final (gd);
}
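
/* GHASH an arbitrary-length buffer (used for the AAD) in groups of
   8/4/2/1 blocks plus an optional partial block at the end */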
static_always_inline u8x16
aes_gcm_ghash (u8x16 T, aes_gcm_key_data_t * kd, u8x16u * in, u32 n_left)
{
  while (n_left >= 128)
    {
      T = aes_gcm_ghash_blocks (T, kd, in, 8);
      n_left -= 128;
      in += 8;
    }

  if (n_left >= 64)
    {
      T = aes_gcm_ghash_blocks (T, kd, in, 4);
      n_left -= 64;
      in += 4;
    }

  if (n_left >= 32)
    {
      T = aes_gcm_ghash_blocks (T, kd, in, 2);
      n_left -= 32;
      in += 2;
    }

  if (n_left >= 16)
    {
      T = aes_gcm_ghash_blocks (T, kd, in, 1);
      n_left -= 16;
      in += 1;
    }

  if (n_left)
    {
      u8x16 r = aes_load_partial (in, n_left);
      T = ghash_mul (u8x16_reflect (r) ^ T, kd->Hi[NUM_HI - 1]);
    }
  return T;
}
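
/* encrypt or decrypt up to 4 blocks while interleaving GHASH with the AES
   rounds; for encryption GHASH runs over the ciphertext produced by the
   previous call (still in d), for decryption over the blocks loaded here */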
static_always_inline u8x16
aes_gcm_calc (u8x16 T, aes_gcm_key_data_t * kd, u8x16 * d,
              aes_gcm_counter_t * ctr, u8x16u * inv, u8x16u * outv,
              int rounds, int n, int last_block_bytes, int with_ghash,
              int is_encrypt)
{
  u8x16 r[n];
  ghash_data_t _gd = { }, *gd = &_gd;
  const u8x16 *rk = (u8x16 *) kd->Ke;
  int ghash_blocks = is_encrypt ? 4 : n, gc = 1;
  u8x16 *Hi = (u8x16 *) kd->Hi + NUM_HI - ghash_blocks;

  clib_prefetch_load (inv + 4);

  /* AES rounds 0 and 1 */
  aes_gcm_enc_first_round (r, ctr, rk[0], n);
  aes_gcm_enc_round (r, rk[1], n);

  /* load data - decrypt round */
  if (is_encrypt == 0)
    aes_gcm_load (d, inv, n, last_block_bytes);

  /* GHASH multiply block 1 */
  if (with_ghash)
    ghash_mul_first (gd, u8x16_reflect (d[0]) ^ T, Hi[0]);

  /* AES rounds 2 and 3 */
  aes_gcm_enc_round (r, rk[2], n);
  aes_gcm_enc_round (r, rk[3], n);

  /* GHASH multiply block 2 */
  if (with_ghash && gc++ < ghash_blocks)
    ghash_mul_next (gd, u8x16_reflect (d[1]), Hi[1]);

  /* AES rounds 4 and 5 */
  aes_gcm_enc_round (r, rk[4], n);
  aes_gcm_enc_round (r, rk[5], n);

  /* GHASH multiply block 3 */
  if (with_ghash && gc++ < ghash_blocks)
    ghash_mul_next (gd, u8x16_reflect (d[2]), Hi[2]);

  /* AES rounds 6 and 7 */
  aes_gcm_enc_round (r, rk[6], n);
  aes_gcm_enc_round (r, rk[7], n);

  /* GHASH multiply block 4 */
  if (with_ghash && gc++ < ghash_blocks)
    ghash_mul_next (gd, u8x16_reflect (d[3]), Hi[3]);

  /* AES rounds 8 and 9 */
  aes_gcm_enc_round (r, rk[8], n);
  aes_gcm_enc_round (r, rk[9], n);

  /* GHASH reduce 1st step */
  if (with_ghash)
    ghash_reduce (gd);

  /* load data - encrypt round */
  if (is_encrypt)
    aes_gcm_load (d, inv, n, last_block_bytes);

  /* GHASH reduce 2nd step */
  if (with_ghash)
    ghash_reduce2 (gd);

  /* AES last round(s) */
  aes_gcm_enc_last_round (r, d, rk, rounds, n);

  /* store data */
  aes_gcm_store (d, outv, n, last_block_bytes);

  /* GHASH final step */
  if (with_ghash)
    T = ghash_final (gd);

  return T;
}
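
/* process 8 blocks per call - two interleaved 4-block batches sharing a
   single 8-block GHASH reduction */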
static_always_inline u8x16
aes_gcm_calc_double (u8x16 T, aes_gcm_key_data_t * kd, u8x16 * d,
                     aes_gcm_counter_t * ctr, u8x16u * inv, u8x16u * outv,
                     int rounds, int is_encrypt)
{
  u8x16 r[4];
  ghash_data_t _gd, *gd = &_gd;
  const u8x16 *rk = (u8x16 *) kd->Ke;
  u8x16 *Hi = (u8x16 *) kd->Hi + NUM_HI - 8;

  /* AES rounds 0 and 1 */
  aes_gcm_enc_first_round (r, ctr, rk[0], 4);
  aes_gcm_enc_round (r, rk[1], 4);

  /* load 4 blocks of data - decrypt round */
  if (is_encrypt == 0)
    aes_gcm_load (d, inv, 4, 0);

  /* GHASH multiply block 0 */
  ghash_mul_first (gd, u8x16_reflect (d[0]) ^ T, Hi[0]);

  /* AES rounds 2 and 3 */
  aes_gcm_enc_round (r, rk[2], 4);
  aes_gcm_enc_round (r, rk[3], 4);

  /* GHASH multiply block 1 */
  ghash_mul_next (gd, u8x16_reflect (d[1]), Hi[1]);

  /* AES rounds 4 and 5 */
  aes_gcm_enc_round (r, rk[4], 4);
  aes_gcm_enc_round (r, rk[5], 4);

  /* GHASH multiply block 2 */
  ghash_mul_next (gd, u8x16_reflect (d[2]), Hi[2]);

  /* AES rounds 6 and 7 */
  aes_gcm_enc_round (r, rk[6], 4);
  aes_gcm_enc_round (r, rk[7], 4);

  /* GHASH multiply block 3 */
  ghash_mul_next (gd, u8x16_reflect (d[3]), Hi[3]);

  /* AES rounds 8 and 9 */
  aes_gcm_enc_round (r, rk[8], 4);
  aes_gcm_enc_round (r, rk[9], 4);

  /* load 4 blocks of data - encrypt round */
  if (is_encrypt)
    aes_gcm_load (d, inv, 4, 0);

  /* AES last round(s) */
  aes_gcm_enc_last_round (r, d, rk, rounds, 4);

  /* store 4 blocks of data */
  aes_gcm_store (d, outv, 4, 0);

  /* load next 4 blocks of data - decrypt round */
  if (is_encrypt == 0)
    aes_gcm_load (d, inv + 4, 4, 0);

  /* GHASH multiply block 4 */
  ghash_mul_next (gd, u8x16_reflect (d[0]), Hi[4]);

  /* AES rounds 0, 1 and 2 */
  aes_gcm_enc_first_round (r, ctr, rk[0], 4);
  aes_gcm_enc_round (r, rk[1], 4);
  aes_gcm_enc_round (r, rk[2], 4);

  /* GHASH multiply block 5 */
  ghash_mul_next (gd, u8x16_reflect (d[1]), Hi[5]);

  /* AES rounds 3 and 4 */
  aes_gcm_enc_round (r, rk[3], 4);
  aes_gcm_enc_round (r, rk[4], 4);

  /* GHASH multiply block 6 */
  ghash_mul_next (gd, u8x16_reflect (d[2]), Hi[6]);

  /* AES rounds 5 and 6 */
  aes_gcm_enc_round (r, rk[5], 4);
  aes_gcm_enc_round (r, rk[6], 4);

  /* GHASH multiply block 7 */
  ghash_mul_next (gd, u8x16_reflect (d[3]), Hi[7]);

  /* AES rounds 7 and 8 */
  aes_gcm_enc_round (r, rk[7], 4);
  aes_gcm_enc_round (r, rk[8], 4);

  /* GHASH reduce 1st step */
  ghash_reduce (gd);

  /* AES round 9 */
  aes_gcm_enc_round (r, rk[9], 4);

  /* load data - encrypt round */
  if (is_encrypt)
    aes_gcm_load (d, inv + 4, 4, 0);

  /* GHASH reduce 2nd step */
  ghash_reduce2 (gd);

  /* AES last round(s) */
  aes_gcm_enc_last_round (r, d, rk, rounds, 4);

  /* store data */
  aes_gcm_store (d, outv + 4, 4, 0);

  /* GHASH final step */
  return ghash_final (gd);
}
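
/* fold the last n_blocks of ciphertext held in d into the tag; a partial
   final block is masked down to n_bytes first */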
static_always_inline u8x16
aes_gcm_ghash_last (u8x16 T, aes_gcm_key_data_t * kd, u8x16 * d,
                    int n_blocks, int n_bytes)
{
  ghash_data_t _gd, *gd = &_gd;
  u8x16 *Hi = (u8x16 *) kd->Hi + NUM_HI - n_blocks;

  if (n_bytes)
    d[n_blocks - 1] = aes_byte_mask (d[n_blocks - 1], n_bytes);

  ghash_mul_first (gd, u8x16_reflect (d[0]) ^ T, Hi[0]);
  if (n_blocks > 1)
    ghash_mul_next (gd, u8x16_reflect (d[1]), Hi[1]);
  if (n_blocks > 2)
    ghash_mul_next (gd, u8x16_reflect (d[2]), Hi[2]);
  if (n_blocks > 3)
    ghash_mul_next (gd, u8x16_reflect (d[3]), Hi[3]);
  ghash_reduce (gd);
  ghash_reduce2 (gd);
  return ghash_final (gd);
}
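
/* encrypt n_left bytes and return the updated GHASH state; buffers shorter
   than 64 bytes are handled separately, longer ones go through an initial
   4-block round, a 128-byte main loop and the trailing blocks */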
static_always_inline u8x16
aes_gcm_enc (u8x16 T, aes_gcm_key_data_t * kd, aes_gcm_counter_t * ctr,
             u8x16u * inv, u8x16u * outv, u32 n_left, int rounds)
{
  u8x16 d[4];

  if (n_left == 0)
    return T;

  if (n_left < 64)
    {
      if (n_left > 48)
        {
          n_left &= 0x0f;
          aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, n_left,
                        /* with_ghash */ 0, /* is_encrypt */ 1);
          return aes_gcm_ghash_last (T, kd, d, 4, n_left);
        }
      else if (n_left > 32)
        {
          n_left &= 0x0f;
          aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 3, n_left,
                        /* with_ghash */ 0, /* is_encrypt */ 1);
          return aes_gcm_ghash_last (T, kd, d, 3, n_left);
        }
      else if (n_left > 16)
        {
          n_left &= 0x0f;
          aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 2, n_left,
                        /* with_ghash */ 0, /* is_encrypt */ 1);
          return aes_gcm_ghash_last (T, kd, d, 2, n_left);
        }
      else
        {
          aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 1, n_left,
                        /* with_ghash */ 0, /* is_encrypt */ 1);
          return aes_gcm_ghash_last (T, kd, d, 1, n_left);
        }
    }

  aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, 0,
                /* with_ghash */ 0, /* is_encrypt */ 1);

  /* next */
  n_left -= 64;
  outv += 4;
  inv += 4;

  while (n_left >= 128)
    {
      T = aes_gcm_calc_double (T, kd, d, ctr, inv, outv, rounds,
                               /* is_encrypt */ 1);

      /* next */
      n_left -= 128;
      outv += 8;
      inv += 8;
    }

  if (n_left >= 64)
    {
      T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, 0,
                        /* with_ghash */ 1, /* is_encrypt */ 1);

      /* next */
      n_left -= 64;
      outv += 4;
      inv += 4;
    }

  if (n_left == 0)
    return aes_gcm_ghash_last (T, kd, d, 4, 0);

  if (n_left > 48)
    {
      n_left &= 0x0f;
      T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, n_left,
                        /* with_ghash */ 1, /* is_encrypt */ 1);
      return aes_gcm_ghash_last (T, kd, d, 4, n_left);
    }

  if (n_left > 32)
    {
      n_left &= 0x0f;
      T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 3, n_left,
                        /* with_ghash */ 1, /* is_encrypt */ 1);
      return aes_gcm_ghash_last (T, kd, d, 3, n_left);
    }

  if (n_left > 16)
    {
      n_left &= 0x0f;
      T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 2, n_left,
                        /* with_ghash */ 1, /* is_encrypt */ 1);
      return aes_gcm_ghash_last (T, kd, d, 2, n_left);
    }

  n_left &= 0x0f;
  T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 1, n_left,
                    /* with_ghash */ 1, /* is_encrypt */ 1);
  return aes_gcm_ghash_last (T, kd, d, 1, n_left);
}
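
/* decrypt n_left bytes; unlike encryption, GHASH here always runs over the
   ciphertext blocks loaded in the same call */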
static_always_inline u8x16
aes_gcm_dec (u8x16 T, aes_gcm_key_data_t * kd, aes_gcm_counter_t * ctr,
             u8x16u * inv, u8x16u * outv, u32 n_left, int rounds)
{
  u8x16 d[4];

  while (n_left >= 128)
    {
      T = aes_gcm_calc_double (T, kd, d, ctr, inv, outv, rounds,
                               /* is_encrypt */ 0);

      /* next */
      n_left -= 128;
      outv += 8;
      inv += 8;
    }

  if (n_left >= 64)
    {
      T = aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, 0, 1, 0);

      /* next */
      n_left -= 64;
      outv += 4;
      inv += 4;
    }

  if (n_left == 0)
    return T;

  if (n_left > 48)
    return aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 4, n_left - 48,
                         /* with_ghash */ 1, /* is_encrypt */ 0);

  if (n_left > 32)
    return aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 3, n_left - 32,
                         /* with_ghash */ 1, /* is_encrypt */ 0);

  if (n_left > 16)
    return aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 2, n_left - 16,
                         /* with_ghash */ 1, /* is_encrypt */ 0);

  return aes_gcm_calc (T, kd, d, ctr, inv, outv, rounds, 1, n_left,
                       /* with_ghash */ 1, /* is_encrypt */ 0);
}
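
/* full AES-GCM operation: GHASH the AAD, run counter mode over the payload,
   then fold the length block and E(Y0) into the final tag; returns 0 only
   when tag verification fails on decrypt */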
static_always_inline int
aes_gcm (u8x16u * in, u8x16u * out, u8x16u * addt, u8x16u * iv, u8x16u * tag,
         u32 data_bytes, u32 aad_bytes, u8 tag_len, aes_gcm_key_data_t * kd,
         int aes_rounds, int is_encrypt)
{
  int i;
  u8x16 r, T = { };
  u32x4 Y0;
  ghash_data_t _gd, *gd = &_gd;
  aes_gcm_counter_t _ctr, *ctr = &_ctr;

  clib_prefetch_load (iv);
  clib_prefetch_load (in);
  clib_prefetch_load (in + 4);

  /* calculate ghash for AAD - optimized for ipsec common cases */
  if (aad_bytes == 8)
    T = aes_gcm_ghash (T, kd, addt, 8);
  else if (aad_bytes == 12)
    T = aes_gcm_ghash (T, kd, addt, 12);
  else
    T = aes_gcm_ghash (T, kd, addt, aad_bytes);

  /* initialize counter */
  ctr->counter = 1;
  Y0 = (u32x4) aes_load_partial (iv, 12) + ctr_inv_1;
  ctr->Y = Y0 + ctr_inv_1;

  /* ghash and encrypt/decrypt */
  if (is_encrypt)
    T = aes_gcm_enc (T, kd, ctr, in, out, data_bytes, aes_rounds);
  else
    T = aes_gcm_dec (T, kd, ctr, in, out, data_bytes, aes_rounds);

  clib_prefetch_load (tag);

  /* Finalize ghash - data bytes and aad bytes converted to bits */
  r = (u8x16) ((u64x2) {data_bytes, aad_bytes} << 3);

  /* interleaved computation of final ghash and E(Y0, k) */
  ghash_mul_first (gd, r ^ T, kd->Hi[NUM_HI - 1]);
  r = kd->Ke[0] ^ (u8x16) Y0;
  for (i = 1; i < 5; i += 1)
    r = aes_enc_round (r, kd->Ke[i]);
  ghash_reduce (gd);
  ghash_reduce2 (gd);
  for (; i < 9; i += 1)
    r = aes_enc_round (r, kd->Ke[i]);
  T = ghash_final (gd);
  for (; i < aes_rounds; i += 1)
    r = aes_enc_round (r, kd->Ke[i]);
  r = aes_enc_last_round (r, kd->Ke[aes_rounds]);
  T = u8x16_reflect (T) ^ r;

  /* tag_len 16 -> 0 */
  tag_len &= 0xf;

  if (is_encrypt)
    {
      /* store tag */
      if (tag_len)
        aes_store_partial (tag, T, tag_len);
      else
        tag[0] = T;
    }
  else
    {
      /* check tag */
      u16 tag_mask = tag_len ? (1 << tag_len) - 1 : 0xffff;
      if ((u8x16_msb_mask (tag[0] == T) & tag_mask) != tag_mask)
        return 0;
    }
  return 1;
}
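
/* op handler for a batch of encrypt ops; key data is expected to have been
   expanded already by the key handler below */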
static_always_inline u32
aes_ops_enc_aes_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
                     u32 n_ops, aes_key_size_t ks)
{
  crypto_native_main_t *cm = &crypto_native_main;
  vnet_crypto_op_t *op = ops[0];
  aes_gcm_key_data_t *kd;
  u32 n_left = n_ops;

next:
  kd = (aes_gcm_key_data_t *) cm->key_data[op->key_index];
  aes_gcm ((u8x16u *) op->src, (u8x16u *) op->dst, (u8x16u *) op->aad,
           (u8x16u *) op->iv, (u8x16u *) op->tag, op->len, op->aad_len,
           op->tag_len, kd, AES_KEY_ROUNDS (ks), /* is_encrypt */ 1);
  op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;

  if (--n_left)
    {
      op += 1;
      goto next;
    }

  return n_ops;
}
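
/* op handler for a batch of decrypt ops; ops that fail tag verification are
   marked FAIL_BAD_HMAC and excluded from the returned count */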
static_always_inline u32
aes_ops_dec_aes_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops,
                     aes_key_size_t ks)
{
  crypto_native_main_t *cm = &crypto_native_main;
  vnet_crypto_op_t *op = ops[0];
  aes_gcm_key_data_t *kd;
  u32 n_left = n_ops;
  int rv;

next:
  kd = (aes_gcm_key_data_t *) cm->key_data[op->key_index];
  rv = aes_gcm ((u8x16u *) op->src, (u8x16u *) op->dst, (u8x16u *) op->aad,
                (u8x16u *) op->iv, (u8x16u *) op->tag, op->len,
                op->aad_len, op->tag_len, kd, AES_KEY_ROUNDS (ks),
                /* is_encrypt */ 0);

  if (rv)
    {
      op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
    }
  else
    {
      op->status = VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC;
      n_ops--;
    }

  if (--n_left)
    {
      op += 1;
      goto next;
    }

  return n_ops;
}
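
/* per-key setup: expand the AES key and pre-compute the NUM_HI powers of
   the hash key H used by the multi-block GHASH */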
static_always_inline void *
aes_gcm_key_exp (vnet_crypto_key_t * key, aes_key_size_t ks)
{
  aes_gcm_key_data_t *kd;
  u8x16 H;

  kd = clib_mem_alloc_aligned (sizeof (*kd), CLIB_CACHE_LINE_BYTES);

  /* expand AES key */
  aes_key_expand ((u8x16 *) kd->Ke, key->data, ks);

  /* pre-calculate H */
  H = aes_encrypt_block (u8x16_splat (0), kd->Ke, ks);
  H = u8x16_reflect (H);
  ghash_precompute (H, (u8x16 *) kd->Hi, NUM_HI);
  return kd;
}

#define foreach_aes_gcm_handler_type _(128) _(192) _(256)

#define _(x) \
static u32 aes_ops_dec_aes_gcm_##x \
(vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops) \
{ return aes_ops_dec_aes_gcm (vm, ops, n_ops, AES_KEY_##x); } \
static u32 aes_ops_enc_aes_gcm_##x \
(vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops) \
{ return aes_ops_enc_aes_gcm (vm, ops, n_ops, AES_KEY_##x); } \
static void * aes_gcm_key_exp_##x (vnet_crypto_key_t *key) \
{ return aes_gcm_key_exp (key, AES_KEY_##x); }

foreach_aes_gcm_handler_type;
#undef _

clib_error_t *
#ifdef __VAES__
crypto_native_aes_gcm_init_vaes (vlib_main_t * vm)
#elif __AVX512F__
crypto_native_aes_gcm_init_avx512 (vlib_main_t * vm)
#elif __AVX2__
crypto_native_aes_gcm_init_avx2 (vlib_main_t * vm)
#elif __aarch64__
crypto_native_aes_gcm_init_neon (vlib_main_t * vm)
#else
crypto_native_aes_gcm_init_sse42 (vlib_main_t * vm)
#endif
{
  crypto_native_main_t *cm = &crypto_native_main;

#define _(x) \
  vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
                                    VNET_CRYPTO_OP_AES_##x##_GCM_ENC, \
                                    aes_ops_enc_aes_gcm_##x); \
  vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
                                    VNET_CRYPTO_OP_AES_##x##_GCM_DEC, \
                                    aes_ops_dec_aes_gcm_##x); \
  cm->key_fn[VNET_CRYPTO_ALG_AES_##x##_GCM] = aes_gcm_key_exp_##x;
  foreach_aes_gcm_handler_type;
#undef _
  return 0;
}

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */