diff --git a/ChangeLog b/ChangeLog index ca7d0c1fce916769c9c06d0aea82bd0006f80925..965d894d26afcfab844c4db00a4a014e51ae7a0d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,98 @@ +2013-09-28 Niels Möller <nisse@lysator.liu.se> + + * Merge aes-reorg branch. Changes below, + dated 2013-05-17 - 2013-08-13. + +2013-08-13 Niels Möller <nisse@lysator.liu.se> + + * yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx. + * yarrow256.c: Adapted to use new aes256 interface. + +2013-08-07 Niels Möller <nisse@lysator.liu.se> + + * umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx. + * umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface. + * umac32.c (umac32_digest): Likewise. + * umac64.c (umac64_digest): Likewise. + * umac96.c (umac96_digest): Likewise. + * umac128.c (umac128_digest): Likewise. + +2013-06-25 Niels Möller <nisse@lysator.liu.se> + + * aes-meta.c: Deleted file. + + Analogous changes for new aes192 and aes256 interface. + + * aes.h (struct aes128_ctx): New aes128 declarations. + * aes-decrypt.c (aes128_decrypt): New function. + * aes-encrypt.c (aes128_encrypt): New function. + * aes128-meta.c: New file. + * aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and + function. + * aes128-set-decrypt-key.c (aes128_set_decrypt_key) + (aes128_invert_key): New file and functions. + * Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c, + aes128-set-decrypt-key.c and aes128-meta.c. + + * nettle-internal.c (nettle_unified_aes128): For testing the old + AES interface. + * testsuite/aes-test.c (test_cipher2): New function. + (test_main): Test both nettle_aes128 and nettle_unified_aes128. + +2013-05-22 Niels Möller <nisse@lysator.liu.se> + + * Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and + aes-set-key-internal.c. + + * aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants. + Similarly also for aes192 and aes256. + + * aes-internal.h: Declare new functions. + + * aes-set-key-internal.c (_aes_set_key): New file and funxtion + extracted from aes_set_encrypt_key. + * aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key. + + * aes-invert-internal.c (_aes_invert): New file and function, + extracted from aes_invert_key. + * aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert. + + * arm/v6/aes-encrypt-internal.asm: Adapted to new interface. + Unfortunately, 4% slowdown on Cortex-A9, for unknown reason. + * arm/v6/aes-decrypt-internal.asm: Likewise. + * arm/aes-encrypt-internal.asm: Adapted to new interface. + * arm/aes-decrypt-internal.asm: Likewise. + +2013-05-21 Niels Möller <nisse@lysator.liu.se> + + * sparc32/aes-encrypt-internal.asm: Adapted to new interface. + * sparc32/aes-decrypt-internal.asm: Likewise. + * sparc64/aes-encrypt-internal.asm: Likewise. + * sparc64/aes-decrypt-internal.asm: Likewise. + + * x86/aes-encrypt-internal.asm: Adapted to new interface. + * x86/aes-decrypt-internal.asm: Likewise. + +2013-05-20 Niels Möller <nisse@lysator.liu.se> + + * x86_64/aes-encrypt-internal.asm: Adapted to new interface. + * x86_64/aes-decrypt-internal.asm: Likewise. + +2013-05-17 Niels Möller <nisse@lysator.liu.se> + + * aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved + first in the structure. + * aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming. + * aes-set-decrypt-key.c (aes_invert_key): Likewise. + + * aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and + subkeys as separate arguments, not a struct aes_ctx *. Updated + callers. + * aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise. + * aes-internal.h: Updated prototypes. + + * Start of aes-reorg changes. + 2013-09-28 Niels Möller <nisse@lysator.liu.se> * md4.h (struct md4_ctx): Use single uint64_t variable for block diff --git a/Makefile.in b/Makefile.in index 3e03f0b32c97a78dcba0d21d6b658e3e5618374f..253ccec361e55dd70a6c6224a85e56c4ca7f7c5a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -64,7 +64,14 @@ all-here: $(TARGETS) $(DOCTARGETS) nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ - aes-set-encrypt-key.c aes-set-decrypt-key.c aes-meta.c \ + aes-invert-internal.c aes-set-key-internal.c \ + aes-set-encrypt-key.c aes-set-decrypt-key.c \ + aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ + aes128-meta.c \ + aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ + aes192-meta.c \ + aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ + aes256-meta.c \ arcfour.c arcfour-crypt.c arcfour-meta.c \ arctwo.c arctwo-meta.c gosthash94-meta.c \ base16-encode.c base16-decode.c base16-meta.c \ diff --git a/aes-decrypt-internal.c b/aes-decrypt-internal.c index af2891e9fc2582ebfd79465dba302cffae88e2e5..be73e680dd23a06e76b66be06b46f3ce028af093 100644 --- a/aes-decrypt-internal.c +++ b/aes-decrypt-internal.c @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2002 Niels Möller + * Copyright (C) 2002, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -33,7 +33,7 @@ #include "macros.h" void -_nettle_aes_decrypt(const struct aes_ctx *ctx, +_nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) @@ -42,22 +42,22 @@ _nettle_aes_decrypt(const struct aes_ctx *ctx, { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; - unsigned round; + unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ - w0 = LE_READ_UINT32(src) ^ ctx->keys[0]; - w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1]; - w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2]; - w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3]; + w0 = LE_READ_UINT32(src) ^ keys[0]; + w1 = LE_READ_UINT32(src + 4) ^ keys[1]; + w2 = LE_READ_UINT32(src + 8) ^ keys[2]; + w3 = LE_READ_UINT32(src + 12) ^ keys[3]; - for (round = 1; round < ctx->nrounds; round++) + for (i = 1; i < rounds; i++) { - t0 = AES_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]); - t1 = AES_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]); - t2 = AES_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]); - t3 = AES_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]); + t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]); + t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); + t2 = AES_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); + t3 = AES_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, @@ -70,14 +70,14 @@ _nettle_aes_decrypt(const struct aes_ctx *ctx, /* Final round */ - t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]); - t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]); - t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]); - t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]); + t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]); + t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); + t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); + t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); - LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 4, t1); + LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } diff --git a/aes-decrypt.c b/aes-decrypt.c index 96862e4787018b6807926c2c364a65d6b00f7c03..d0fefc4f363b1bc447e6dc09be4f406ad1cc1a43 100644 --- a/aes-decrypt.c +++ b/aes-decrypt.c @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2002 Niels Möller + * Copyright (C) 2002, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -342,6 +342,36 @@ aes_decrypt(const struct aes_ctx *ctx, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(ctx, &_aes_decrypt_table, + _aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table, + length, dst, src); +} + +void +aes128_decrypt(const struct aes128_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table, + length, dst, src); +} + +void +aes192_decrypt(const struct aes192_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table, + length, dst, src); +} + +void +aes256_decrypt(const struct aes256_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table, length, dst, src); } diff --git a/aes-encrypt-internal.c b/aes-encrypt-internal.c index cf9d82475328b96543e796fe9fcaeddc74595334..2f34f21e877219f596062442b16ebf89300cc35a 100644 --- a/aes-encrypt-internal.c +++ b/aes-encrypt-internal.c @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2002 Niels Möller + * Copyright (C) 2002, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -33,7 +33,7 @@ #include "macros.h" void -_nettle_aes_encrypt(const struct aes_ctx *ctx, +_nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) @@ -42,22 +42,22 @@ _nettle_aes_encrypt(const struct aes_ctx *ctx, { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; - unsigned round; + unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ - w0 = LE_READ_UINT32(src) ^ ctx->keys[0]; - w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1]; - w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2]; - w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3]; + w0 = LE_READ_UINT32(src) ^ keys[0]; + w1 = LE_READ_UINT32(src + 4) ^ keys[1]; + w2 = LE_READ_UINT32(src + 8) ^ keys[2]; + w3 = LE_READ_UINT32(src + 12) ^ keys[3]; - for (round = 1; round < ctx->nrounds; round++) + for (i = 1; i < rounds; i++) { - t0 = AES_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]); - t1 = AES_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]); - t2 = AES_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]); - t3 = AES_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]); + t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]); + t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); + t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); + t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, @@ -70,14 +70,14 @@ _nettle_aes_encrypt(const struct aes_ctx *ctx, /* Final round */ - t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]); - t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]); - t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]); - t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]); + t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]); + t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); + t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); + t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); - LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 4, t1); + LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } diff --git a/aes-encrypt.c b/aes-encrypt.c index f28ac3197c2a9b7983eb7f379e1749e8f1ef191b..8d55ca18d32103878f139e13ad96c8e39c6dbae7 100644 --- a/aes-encrypt.c +++ b/aes-encrypt.c @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2002 Niels Möller + * Copyright (C) 2002, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -40,6 +40,36 @@ aes_encrypt(const struct aes_ctx *ctx, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(ctx, &_aes_encrypt_table, + _aes_encrypt(ctx->rounds, ctx->keys, &_aes_encrypt_table, + length, dst, src); +} + +void +aes128_encrypt(const struct aes128_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_encrypt(_AES128_ROUNDS, ctx->keys, &_aes_encrypt_table, + length, dst, src); +} + +void +aes192_encrypt(const struct aes192_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_encrypt(_AES192_ROUNDS, ctx->keys, &_aes_encrypt_table, + length, dst, src); +} + +void +aes256_encrypt(const struct aes256_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % AES_BLOCK_SIZE) ); + _aes_encrypt(_AES256_ROUNDS, ctx->keys, &_aes_encrypt_table, length, dst, src); } diff --git a/aes-internal.h b/aes-internal.h index e361bde93e5bc1d7f6c58456aecbd6b20de41157..9f2b8cd79ab7c027d7fe7967f484c7c6377afa68 100644 --- a/aes-internal.h +++ b/aes-internal.h @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2001 Niels Möller + * Copyright (C) 2001, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -29,6 +29,8 @@ #include "aes.h" /* Name mangling */ +#define _aes_set_key _nettle_aes_set_key +#define _aes_invert _nettle_aes_invert #define _aes_encrypt _nettle_aes_encrypt #define _aes_decrypt _nettle_aes_decrypt #define _aes_encrypt_table _nettle_aes_encrypt_table @@ -51,13 +53,20 @@ struct aes_table }; void -_aes_encrypt(const struct aes_ctx *ctx, +_aes_set_key(unsigned nr, unsigned nk, + uint32_t *subkeys, const uint8_t *key); + +void +_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); + +void +_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); void -_aes_decrypt(const struct aes_ctx *ctx, +_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); diff --git a/aes-invert-internal.c b/aes-invert-internal.c new file mode 100644 index 0000000000000000000000000000000000000000..0ee4a38ebab7cdb4e7f9d96d4c8c2296d39b9975 --- /dev/null +++ b/aes-invert-internal.c @@ -0,0 +1,156 @@ +/* aes-invert-internal.c + * + * Inverse key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2000, 2001, 2002, Rafael R. Sevilla, Niels Möller + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Originally written by Rafael R. Sevilla <dido@pacific.net.ph> */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "aes-internal.h" + +#include "macros.h" + +/* NOTE: We don't include rotated versions of the table. */ +static const uint32_t mtable[0x100] = +{ + 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, + 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, + 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, + 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, + 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, + 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, + 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, + 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, + 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, + 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, + 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, + 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, + 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, + 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, + 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, + 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, + 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, + 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, + 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, + 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, + 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, + 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, + 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, + 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, + 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, + 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, + 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, + 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, + 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, + 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, + 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, + 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, + 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, + 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, + 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, + 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, + 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, + 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, + 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, + 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, + 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, + 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, + 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, + 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, + 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, + 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, + 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, + 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, + 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, + 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, + 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, + 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, + 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, + 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, + 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, + 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, + 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, + 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, + 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, + 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, + 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, + 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, + 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, + 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, +}; + +#define MIX_COLUMN(T, key) do { \ + uint32_t _k, _nk, _t; \ + _k = (key); \ + _nk = T[_k & 0xff]; \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(8, _t); \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(16, _t); \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(24, _t); \ + (key) = _nk; \ + } while(0) + + +#define SWAP(a, b) \ +do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) + +void +_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) +{ + unsigned i; + + /* Reverse the order of subkeys, in groups of 4. */ + /* FIXME: Instead of reordering the subkeys, change the access order + of aes_decrypt, since it's a separate function anyway? */ + if (src == dst) + { + unsigned j, k; + + for (i = 0, j = rounds * 4; + i < j; + i += 4, j -= 4) + for (k = 0; k<4; k++) + SWAP(dst[i+k], dst[j+k]); + } + else + { + unsigned k; + + for (i = 0; i <= rounds * 4; i += 4) + for (k = 0; k < 4; k++) + dst[i+k] = src[rounds * 4 - i + k]; + } + + /* Transform all subkeys but the first and last. */ + for (i = 4; i < 4 * rounds; i++) + MIX_COLUMN (mtable, dst[i]); +} diff --git a/aes-set-decrypt-key.c b/aes-set-decrypt-key.c index 04e4c992087b303278a911b0739c5f68e6eae6a1..84a644bac7d391e5aef948cab511ac92742139e3 100644 --- a/aes-set-decrypt-key.c +++ b/aes-set-decrypt-key.c @@ -6,6 +6,7 @@ /* nettle, low-level cryptographics library * * Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller + * Copyright (C) 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -31,132 +32,12 @@ #include "aes-internal.h" -#include "macros.h" - -/* NOTE: We don't include rotated versions of the table. */ -static const uint32_t mtable[0x100] = -{ - 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, - 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, - 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, - 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, - 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, - 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, - 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, - 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, - 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, - 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, - 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, - 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, - 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, - 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, - 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, - 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, - 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, - 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, - 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, - 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, - 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, - 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, - 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, - 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, - 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, - 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, - 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, - 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, - 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, - 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, - 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, - 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, - 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, - 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, - 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, - 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, - 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, - 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, - 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, - 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, - 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, - 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, - 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, - 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, - 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, - 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, - 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, - 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, - 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, - 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, - 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, - 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, - 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, - 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, - 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, - 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, - 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, - 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, - 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, - 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, - 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, - 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, - 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, - 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, -}; - -#define MIX_COLUMN(T, key) do { \ - uint32_t _k, _nk, _t; \ - _k = (key); \ - _nk = T[_k & 0xff]; \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(8, _t); \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(16, _t); \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(24, _t); \ - (key) = _nk; \ - } while(0) - - -#define SWAP(a, b) \ -do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) - void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) { - unsigned nrounds; - unsigned i; - - nrounds = src->nrounds; - - /* Reverse the order of subkeys, in groups of 4. */ - /* FIXME: Instead of reordering the subkeys, change the access order - of aes_decrypt, since it's a separate function anyway? */ - if (src == dst) - { - unsigned j, k; - - for (i = 0, j = nrounds * 4; - i < j; - i += 4, j -= 4) - for (k = 0; k<4; k++) - SWAP(dst->keys[i+k], dst->keys[j+k]); - } - else - { - unsigned k; - - dst->nrounds = nrounds; - for (i = 0; i <= nrounds * 4; i += 4) - for (k = 0; k < 4; k++) - dst->keys[i+k] = src->keys[nrounds * 4 - i + k]; - } - - /* Transform all subkeys but the first and last. */ - for (i = 4; i < 4 * nrounds; i++) - MIX_COLUMN (mtable, dst->keys[i]); + _aes_invert (src->rounds, dst->keys, src->keys); + dst->rounds = src->rounds; } void diff --git a/aes-set-encrypt-key.c b/aes-set-encrypt-key.c index 04f53270f38c8cef3ab54f63da0bcb6ae67601fd..a3f20a13d9d557f788ae03955554e30200c616c6 100644 --- a/aes-set-encrypt-key.c +++ b/aes-set-encrypt-key.c @@ -6,6 +6,7 @@ /* nettle, low-level cryptographics library * * Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller + * Copyright (C) 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -32,50 +33,28 @@ #include <assert.h> #include "aes-internal.h" -#include "macros.h" void aes_set_encrypt_key(struct aes_ctx *ctx, size_t keysize, const uint8_t *key) { - static const uint8_t rcon[10] = { - 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, - }; - unsigned nk, nr, i, lastkey; - uint32_t temp; - const uint8_t *rp; + unsigned nk, nr; assert(keysize >= AES_MIN_KEY_SIZE); assert(keysize <= AES_MAX_KEY_SIZE); /* Truncate keysizes to the valid key sizes provided by Rijndael */ - if (keysize == 32) { + if (keysize == AES256_KEY_SIZE) { nk = 8; - nr = 14; - } else if (keysize >= 24) { + nr = _AES256_ROUNDS; + } else if (keysize >= AES192_KEY_SIZE) { nk = 6; - nr = 12; + nr = _AES192_ROUNDS; } else { /* must be 16 or more */ nk = 4; - nr = 10; + nr = _AES128_ROUNDS; } - lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); - ctx->nrounds = nr; - - for (i=0, rp = rcon; i<nk; i++) - ctx->keys[i] = LE_READ_UINT32(key + i*4); - - for (i=nk; i<lastkey; i++) - { - temp = ctx->keys[i-1]; - if (i % nk == 0) - temp = SUBBYTE(ROTL32(24, temp), aes_sbox) ^ *rp++; - - else if (nk > 6 && (i%nk) == 4) - temp = SUBBYTE(temp, aes_sbox); - - ctx->keys[i] = ctx->keys[i-nk] ^ temp; - } + ctx->rounds = nr; + _aes_set_key (nr, nk, ctx->keys, key); } - diff --git a/aes-set-key-internal.c b/aes-set-key-internal.c new file mode 100644 index 0000000000000000000000000000000000000000..710cabc9a003602752c839afcb22f8f21ca7af6f --- /dev/null +++ b/aes-set-key-internal.c @@ -0,0 +1,63 @@ +/* aes-set-key-internal.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Originally written by Rafael R. Sevilla <dido@pacific.net.ph> */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "aes-internal.h" +#include "macros.h" + +void +_aes_set_key(unsigned nr, unsigned nk, + uint32_t *subkeys, const uint8_t *key) +{ + static const uint8_t rcon[10] = { + 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, + }; + const uint8_t *rp; + unsigned lastkey, i; + uint32_t t; + + lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); + + for (i=0, rp = rcon; i<nk; i++) + subkeys[i] = LE_READ_UINT32(key + i*4); + + for (i=nk; i<lastkey; i++) + { + t = subkeys[i-1]; + if (i % nk == 0) + t = SUBBYTE(ROTL32(24, t), aes_sbox) ^ *rp++; + + else if (nk > 6 && (i%nk) == 4) + t = SUBBYTE(t, aes_sbox); + + subkeys[i] = subkeys[i-nk] ^ t; + } +} diff --git a/aes.h b/aes.h index b3bb965912b9e65070c4cfc20e4a7d8f824f69fc..0982aa698212b8afb7a6c3a40e9caa1b86eb223f 100644 --- a/aes.h +++ b/aes.h @@ -5,7 +5,7 @@ /* nettle, low-level cryptographics library * - * Copyright (C) 2001 Niels Möller + * Copyright (C) 2001, 2013 Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -38,23 +38,44 @@ extern "C" { #define aes_invert_key nettle_aes_invert_key #define aes_encrypt nettle_aes_encrypt #define aes_decrypt nettle_aes_decrypt +#define aes128_set_encrypt_key nettle_aes128set_encrypt_key +#define aes128_set_decrypt_key nettle_aes128set_decrypt_key +#define aes128_invert_key nettle_aes128invert_key +#define aes128_encrypt nettle_aes128encrypt +#define aes128_decrypt nettle_aes128decrypt +#define aes192_set_encrypt_key nettle_aes192set_encrypt_key +#define aes192_set_decrypt_key nettle_aes192set_decrypt_key +#define aes192_invert_key nettle_aes192invert_key +#define aes192_encrypt nettle_aes192encrypt +#define aes192_decrypt nettle_aes192decrypt +#define aes256_set_encrypt_key nettle_aes256_set_encrypt_key +#define aes256_set_decrypt_key nettle_aes256_set_decrypt_key +#define aes256_invert_key nettle_aes256_invert_key +#define aes256_encrypt nettle_aes256_encrypt +#define aes256_decrypt nettle_aes256_decrypt #define AES_BLOCK_SIZE 16 +#define AES128_KEY_SIZE 16 +#define AES192_KEY_SIZE 24 +#define AES256_KEY_SIZE 32 +#define _AES128_ROUNDS 10 +#define _AES192_ROUNDS 12 +#define _AES256_ROUNDS 14 + /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ -#define AES_MIN_KEY_SIZE 16 -#define AES_MAX_KEY_SIZE 32 +#define AES_MIN_KEY_SIZE AES128_KEY_SIZE +#define AES_MAX_KEY_SIZE AES256_KEY_SIZE + +/* Older nettle-2.7 interface */ #define AES_KEY_SIZE 32 -/* FIXME: Change to put nrounds first, to make it possible to use a - truncated ctx struct, with less subkeys, for the shorter key - sizes? */ struct aes_ctx { - uint32_t keys[60]; /* maximum size of key schedule */ - unsigned nrounds; /* number of rounds to use for our key size */ + unsigned rounds; /* number of rounds to use for our key size */ + uint32_t keys[4*(_AES256_ROUNDS + 1)]; /* maximum size of key schedule */ }; void @@ -78,6 +99,69 @@ aes_decrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); +struct aes128_ctx +{ + uint32_t keys[4 * (_AES128_ROUNDS + 1)]; +}; + +void +aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key); +void +aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key); +void +aes128_invert_key(struct aes128_ctx *dst, + const struct aes128_ctx *src); +void +aes128_encrypt(const struct aes128_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); +void +aes128_decrypt(const struct aes128_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); + +struct aes192_ctx +{ + uint32_t keys[4 * (_AES192_ROUNDS + 1)]; +}; + +void +aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key); +void +aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key); +void +aes192_invert_key(struct aes192_ctx *dst, + const struct aes192_ctx *src); +void +aes192_encrypt(const struct aes192_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); +void +aes192_decrypt(const struct aes192_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); + +struct aes256_ctx +{ + uint32_t keys[4 * (_AES256_ROUNDS + 1)]; +}; + +void +aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key); +void +aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key); +void +aes256_invert_key(struct aes256_ctx *dst, + const struct aes256_ctx *src); +void +aes256_encrypt(const struct aes256_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); +void +aes256_decrypt(const struct aes256_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src); + #ifdef __cplusplus } #endif diff --git a/aes128-meta.c b/aes128-meta.c new file mode 100644 index 0000000000000000000000000000000000000000..c3068990392ae4744f0a87e7913daea329f96859 --- /dev/null +++ b/aes128-meta.c @@ -0,0 +1,57 @@ +/* aes128-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "aes.h" + +static nettle_set_key_func aes128_set_encrypt_key_wrapper; +static nettle_set_key_func aes128_set_decrypt_key_wrapper; + +static void +aes128_set_encrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES128_KEY_SIZE); + aes128_set_encrypt_key (ctx, key); +} + +static void +aes128_set_decrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES128_KEY_SIZE); + aes128_set_decrypt_key (ctx, key); +} + +const struct nettle_cipher nettle_aes128 = + { "aes128", sizeof(struct aes128_ctx), + AES_BLOCK_SIZE, AES128_KEY_SIZE, + aes128_set_encrypt_key_wrapper, + aes128_set_decrypt_key_wrapper, + (nettle_crypt_func *) aes128_encrypt, + (nettle_crypt_func *) aes128_decrypt + }; diff --git a/aes128-set-decrypt-key.c b/aes128-set-decrypt-key.c new file mode 100644 index 0000000000000000000000000000000000000000..ee3425693a036798d6a39ad86105982b4db1001a --- /dev/null +++ b/aes128-set-decrypt-key.c @@ -0,0 +1,46 @@ +/* aes128-set-decrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes-internal.h" +#include "macros.h" + +void +aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) +{ + _aes_invert (_AES128_ROUNDS, dst->keys, src->keys); +} + +void +aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) +{ + aes128_set_encrypt_key (ctx, key); + aes128_invert_key (ctx, ctx); +} diff --git a/aes-meta.c b/aes128-set-encrypt-key.c similarity index 73% rename from aes-meta.c rename to aes128-set-encrypt-key.c index 7b9af273ed2086661e5a93db5172064e1e10f1ff..e9413cb70e4bb9fac8380548c7b69e1e4ca9c5b3 100644 --- a/aes-meta.c +++ b/aes128-set-encrypt-key.c @@ -1,8 +1,11 @@ -/* aes-meta.c */ +/* aes128-set-encrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ /* nettle, low-level cryptographics library * - * Copyright (C) 2002 Niels Möller + * Copyright (C) 2013, Niels Möller * * The nettle library is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -24,15 +27,12 @@ # include "config.h" #endif -#include "nettle-meta.h" - -#include "aes.h" - -const struct nettle_cipher nettle_aes128 -= _NETTLE_CIPHER_SEP(aes, AES, 128); +#include <assert.h> -const struct nettle_cipher nettle_aes192 -= _NETTLE_CIPHER_SEP(aes, AES, 192); +#include "aes-internal.h" -const struct nettle_cipher nettle_aes256 -= _NETTLE_CIPHER_SEP(aes, AES, 256); +void +aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) +{ + _aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); +} diff --git a/aes192-meta.c b/aes192-meta.c new file mode 100644 index 0000000000000000000000000000000000000000..0ee0c1aa2974ffff4fcf6e4a67a4fd1b964dc3e7 --- /dev/null +++ b/aes192-meta.c @@ -0,0 +1,57 @@ +/* aes192-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "aes.h" + +static nettle_set_key_func aes192_set_encrypt_key_wrapper; +static nettle_set_key_func aes192_set_decrypt_key_wrapper; + +static void +aes192_set_encrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES192_KEY_SIZE); + aes192_set_encrypt_key (ctx, key); +} + +static void +aes192_set_decrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES192_KEY_SIZE); + aes192_set_decrypt_key (ctx, key); +} + +const struct nettle_cipher nettle_aes192 = + { "aes192", sizeof(struct aes192_ctx), + AES_BLOCK_SIZE, AES192_KEY_SIZE, + aes192_set_encrypt_key_wrapper, + aes192_set_decrypt_key_wrapper, + (nettle_crypt_func *) aes192_encrypt, + (nettle_crypt_func *) aes192_decrypt + }; diff --git a/aes192-set-decrypt-key.c b/aes192-set-decrypt-key.c new file mode 100644 index 0000000000000000000000000000000000000000..496bee69429af02d6eca1fd5d643908f31e3471d --- /dev/null +++ b/aes192-set-decrypt-key.c @@ -0,0 +1,46 @@ +/* aes192-set-decrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes-internal.h" +#include "macros.h" + +void +aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) +{ + _aes_invert (_AES192_ROUNDS, dst->keys, src->keys); +} + +void +aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) +{ + aes192_set_encrypt_key (ctx, key); + aes192_invert_key (ctx, ctx); +} diff --git a/aes192-set-encrypt-key.c b/aes192-set-encrypt-key.c new file mode 100644 index 0000000000000000000000000000000000000000..53bf36787b1ba4f9d57e147c5ee256c97a7b9ca8 --- /dev/null +++ b/aes192-set-encrypt-key.c @@ -0,0 +1,38 @@ +/* aes192-set-encrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes-internal.h" + +void +aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) +{ + _aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); +} diff --git a/aes256-meta.c b/aes256-meta.c new file mode 100644 index 0000000000000000000000000000000000000000..197441e0ed529f492c4be692e325a87c8c0bae18 --- /dev/null +++ b/aes256-meta.c @@ -0,0 +1,57 @@ +/* aes256-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "nettle-meta.h" + +#include "aes.h" + +static nettle_set_key_func aes256_set_encrypt_key_wrapper; +static nettle_set_key_func aes256_set_decrypt_key_wrapper; + +static void +aes256_set_encrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES256_KEY_SIZE); + aes256_set_encrypt_key (ctx, key); +} + +static void +aes256_set_decrypt_key_wrapper (void *ctx, size_t length, const uint8_t *key) +{ + assert (length == AES256_KEY_SIZE); + aes256_set_decrypt_key (ctx, key); +} + +const struct nettle_cipher nettle_aes256 = + { "aes256", sizeof(struct aes256_ctx), + AES_BLOCK_SIZE, AES256_KEY_SIZE, + aes256_set_encrypt_key_wrapper, + aes256_set_decrypt_key_wrapper, + (nettle_crypt_func *) aes256_encrypt, + (nettle_crypt_func *) aes256_decrypt + }; diff --git a/aes256-set-decrypt-key.c b/aes256-set-decrypt-key.c new file mode 100644 index 0000000000000000000000000000000000000000..60b70e294bb54b9816fb1a062a4b0c226dfc2753 --- /dev/null +++ b/aes256-set-decrypt-key.c @@ -0,0 +1,46 @@ +/* aes256-set-decrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes-internal.h" +#include "macros.h" + +void +aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) +{ + _aes_invert (_AES256_ROUNDS, dst->keys, src->keys); +} + +void +aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) +{ + aes256_set_encrypt_key (ctx, key); + aes256_invert_key (ctx, ctx); +} diff --git a/aes256-set-encrypt-key.c b/aes256-set-encrypt-key.c new file mode 100644 index 0000000000000000000000000000000000000000..9e11ff123e64a1e22c480beb880341192387d949 --- /dev/null +++ b/aes256-set-encrypt-key.c @@ -0,0 +1,38 @@ +/* aes256-set-encrypt-key.c + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include <assert.h> + +#include "aes-internal.h" + +void +aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) +{ + _aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); +} diff --git a/arm/aes-decrypt-internal.asm b/arm/aes-decrypt-internal.asm index 37abf1ec8ffd4f8f9fb064808603a6a0c9e70795..947178720101b9cdcfdf675df011ef7613295928 100644 --- a/arm/aes-decrypt-internal.asm +++ b/arm/aes-decrypt-internal.asm @@ -19,26 +19,32 @@ C MA 02111-1301, USA. include_src(<arm/aes.m4>) -C define(<CTX>, <r0>) -define(<TABLE>, <r1>) -define(<LENGTH>, <r2>) -define(<DST>, <r3>) -define(<SRC>, <r12>) - +define(<PARAM_ROUNDS>, <r0>) +define(<PARAM_KEYS>, <r1>) +define(<TABLE>, <r2>) +define(<PARAM_LENGTH>, <r3>) +C On stack: DST, SRC + define(<W0>, <r4>) define(<W1>, <r5>) define(<W2>, <r6>) define(<W3>, <r7>) define(<T0>, <r8>) -define(<KEY>, <r10>) -define(<ROUND>, <r11>) +define(<COUNT>, <r10>) +define(<KEY>, <r11>) -define(<X0>, <r2>) C Overlaps LENGTH, SRC, DST +define(<MASK>, <r0>) C Overlaps inputs, except TABLE +define(<X0>, <r1>) define(<X1>, <r3>) define(<X2>, <r12>) define(<X3>, <r14>) C lr -define(<MASK>, <r0>) C Overlaps CTX input -define(<CTX>, <[sp]>) + +define(<FRAME_ROUNDS>, <[sp]>) +define(<FRAME_KEYS>, <[sp, #+4]>) +define(<FRAME_LENGTH>, <[sp, #+8]>) +C 8 saved registers +define(<FRAME_DST>, <[sp, #+44]>) +define(<FRAME_SRC>, <[sp, #+48]>) define(<AES_DECRYPT_ROUND>, < @@ -103,29 +109,30 @@ define(<AES_DECRYPT_ROUND>, < .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) - teq LENGTH, #0 + teq PARAM_LENGTH, #0 beq .Lend - ldr SRC, [sp] - push {r0, r4,r5,r6,r7,r8,r10,r11,lr} + push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: - ldr KEY, CTX - ldr ROUND, [KEY, #+AES_NROUNDS] - AES_LOAD(SRC,KEY,W0) - AES_LOAD(SRC,KEY,W1) - AES_LOAD(SRC,KEY,W2) - AES_LOAD(SRC,KEY,W3) - - push {LENGTH, DST, SRC} + ldr X0, FRAME_SRC C Use X0 as SRC pointer + ldm sp, {COUNT, KEY} + + AES_LOAD(X0,KEY,W0) + AES_LOAD(X0,KEY,W1) + AES_LOAD(X0,KEY,W2) + AES_LOAD(X0,KEY,W3) + + str X0, FRAME_SRC + add TABLE, TABLE, #AES_TABLE0 b .Lentry @@ -135,31 +142,35 @@ PROLOGUE(_nettle_aes_decrypt) AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs ROUND, ROUND,#2 + subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop - lsr ROUND, MASK, #2 C Put the needed mask in the unused ROUND register + lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round - AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, ROUND) - AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, ROUND) - AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, ROUND) - AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, ROUND) + AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, COUNT) + AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, COUNT) + AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, COUNT) + AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, COUNT) - pop {LENGTH, DST, SRC} - - AES_STORE(DST,W0) - AES_STORE(DST,W1) - AES_STORE(DST,W2) - AES_STORE(DST,W3) + ldr X0, FRAME_DST + ldr X1, FRAME_LENGTH + + AES_STORE(X0,W0) + AES_STORE(X0,W1) + AES_STORE(X0,W2) + AES_STORE(X0,W3) + + subs X1, X1, #16 + str X0, FRAME_DST + str X1, FRAME_LENGTH - subs LENGTH, LENGTH, #16 bhi .Lblock_loop - add sp, sp, #4 C Drop saved r0 + add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/arm/aes-encrypt-internal.asm b/arm/aes-encrypt-internal.asm index eb2f1489dae6a2f2377948e816eda07711f07561..0d396185be3a722463ee2accf16ca2acd95d7108 100644 --- a/arm/aes-encrypt-internal.asm +++ b/arm/aes-encrypt-internal.asm @@ -19,32 +19,38 @@ C MA 02111-1301, USA. include_src(<arm/aes.m4>) -C Benchmarked at at 725, 930, 990 cycles/block on cortex A9, +C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. -C define(<CTX>, <r0>) -define(<TABLE>, <r1>) -define(<LENGTH>, <r2>) -define(<DST>, <r3>) -define(<SRC>, <r12>) - +define(<PARAM_ROUNDS>, <r0>) +define(<PARAM_KEYS>, <r1>) +define(<TABLE>, <r2>) +define(<PARAM_LENGTH>, <r3>) +C On stack: DST, SRC + define(<W0>, <r4>) define(<W1>, <r5>) define(<W2>, <r6>) define(<W3>, <r7>) define(<T0>, <r8>) -define(<KEY>, <r10>) -define(<ROUND>, <r11>) +define(<COUNT>, <r10>) +define(<KEY>, <r11>) -define(<X0>, <r2>) C Overlaps LENGTH, SRC, DST +define(<MASK>, <r0>) C Overlaps inputs, except TABLE +define(<X0>, <r1>) define(<X1>, <r3>) define(<X2>, <r12>) define(<X3>, <r14>) C lr -define(<MASK>, <r0>) C Overlaps CTX input -define(<CTX>, <[sp]>) + +define(<FRAME_ROUNDS>, <[sp]>) +define(<FRAME_KEYS>, <[sp, #+4]>) +define(<FRAME_LENGTH>, <[sp, #+8]>) +C 8 saved registers +define(<FRAME_DST>, <[sp, #+44]>) +define(<FRAME_SRC>, <[sp, #+48]>) C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) @@ -112,29 +118,30 @@ define(<AES_ENCRYPT_ROUND>, < .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) - teq LENGTH, #0 + teq PARAM_LENGTH, #0 beq .Lend - ldr SRC, [sp] - push {r0, r4,r5,r6,r7,r8,r10,r11,lr} + push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: - ldr KEY, CTX - ldr ROUND, [KEY, #+AES_NROUNDS] - AES_LOAD(SRC,KEY,W0) - AES_LOAD(SRC,KEY,W1) - AES_LOAD(SRC,KEY,W2) - AES_LOAD(SRC,KEY,W3) - - push {LENGTH, DST, SRC} + ldr X0, FRAME_SRC C Use X0 as SRC pointer + ldm sp, {COUNT, KEY} + + AES_LOAD(X0,KEY,W0) + AES_LOAD(X0,KEY,W1) + AES_LOAD(X0,KEY,W2) + AES_LOAD(X0,KEY,W3) + + str X0, FRAME_SRC + add TABLE, TABLE, #AES_TABLE0 b .Lentry @@ -144,31 +151,35 @@ PROLOGUE(_nettle_aes_encrypt) AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs ROUND, ROUND,#2 + subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop - lsr ROUND, MASK, #2 C Put the needed mask in the unused ROUND register + lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round - AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, ROUND) - AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, ROUND) - AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, ROUND) - AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, ROUND) + AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, COUNT) + AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, COUNT) + AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, COUNT) + AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, COUNT) - pop {LENGTH, DST, SRC} - - AES_STORE(DST,W0) - AES_STORE(DST,W1) - AES_STORE(DST,W2) - AES_STORE(DST,W3) + ldr X0, FRAME_DST + ldr X1, FRAME_LENGTH + + AES_STORE(X0,W0) + AES_STORE(X0,W1) + AES_STORE(X0,W2) + AES_STORE(X0,W3) + + subs X1, X1, #16 + str X0, FRAME_DST + str X1, FRAME_LENGTH - subs LENGTH, LENGTH, #16 bhi .Lblock_loop - add sp, sp, #4 C Drop saved r0 + add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/arm/v6/aes-decrypt-internal.asm b/arm/v6/aes-decrypt-internal.asm index f550506ddb3d4a10737ef32507715f7c0a0c15df..f9f0b7ad8e05daead1c0a39038da474822c269fe 100644 --- a/arm/v6/aes-decrypt-internal.asm +++ b/arm/v6/aes-decrypt-internal.asm @@ -19,25 +19,33 @@ C MA 02111-1301, USA. include_src(<arm/aes.m4>) -define(<CTX>, <r0>) -define(<TABLE>, <r1>) -define(<LENGTH>, <r2>) -define(<DST>, <r3>) -define(<SRC>, <r12>) +define(<PARAM_ROUNDS>, <r0>) +define(<PARAM_KEYS>, <r1>) +define(<TABLE>, <r2>) +define(<LENGTH>, <r3>) +C On stack: DST, SRC define(<W0>, <r4>) define(<W1>, <r5>) define(<W2>, <r6>) define(<W3>, <r7>) define(<T0>, <r8>) -define(<KEY>, <r10>) -define(<ROUND>, <r11>) +define(<COUNT>, <r10>) +define(<KEY>, <r11>) -define(<X0>, <r2>) C Overlaps LENGTH, SRC, DST -define(<X1>, <r3>) +define(<X0>, <r0>) C Overlaps PARAM_ROUNDS and PARAM_KEYS +define(<X1>, <r1>) define(<X2>, <r12>) define(<X3>, <r14>) C lr +define(<FRAME_ROUNDS>>, <[sp]>) +define(<FRAME_KEYS>, <[sp, #+4]>) +C 8 saved registers +define(<FRAME_DST>, <[sp, #+40]>) +define(<FRAME_SRC>, <[sp, #+44]>) + +define(<SRC>, <%r12>) C Overlap registers used in inner loop. +define(<DST>, <COUNT>) C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(<AES_DECRYPT_ROUND>, < @@ -102,7 +110,7 @@ define(<AES_DECRYPT_ROUND>, < .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -111,22 +119,23 @@ define(<AES_DECRYPT_ROUND>, < PROLOGUE(_nettle_aes_decrypt) teq LENGTH, #0 beq .Lend - ldr SRC, [sp] - push {r4,r5,r6,r7,r8,r10,r11,lr} - nop C For some mysterious reason, taking out this nop - C slows this function down by 10(!) % on Cortex-A9. + ldr SRC, [sp, #+4] + + push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} + ALIGN(16) .Lblock_loop: - mov KEY, CTX + ldm sp, {COUNT, KEY} + + add TABLE, TABLE, #AES_TABLE0 + AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) - push {LENGTH, DST, SRC} - ldr ROUND, [CTX, #+AES_NROUNDS] - add TABLE, TABLE, #AES_TABLE0 + str SRC, FRAME_SRC b .Lentry ALIGN(16) @@ -135,29 +144,34 @@ PROLOGUE(_nettle_aes_decrypt) AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs ROUND, ROUND,#2 + subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 + C Final round + ldr DST, FRAME_DST + AES_FINAL_ROUND_V6(X0, X3, X2, X1, KEY, W0) AES_FINAL_ROUND_V6(X1, X0, X3, X2, KEY, W1) AES_FINAL_ROUND_V6(X2, X1, X0, X3, KEY, W2) AES_FINAL_ROUND_V6(X3, X2, X1, X0, KEY, W3) - pop {LENGTH, DST, SRC} + ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) + str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop + add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/arm/v6/aes-encrypt-internal.asm b/arm/v6/aes-encrypt-internal.asm index 3cf13072c29aeaa8e7d8a32ce6241aacc1c364d2..3c817de18d27e70421652cc52e1670ba8b2ab079 100644 --- a/arm/v6/aes-encrypt-internal.asm +++ b/arm/v6/aes-encrypt-internal.asm @@ -19,31 +19,39 @@ C MA 02111-1301, USA. include_src(<arm/aes.m4>) -C Benchmarked at at 680, 818, 929 cycles/block on cortex A9, +C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. -define(<CTX>, <r0>) -define(<TABLE>, <r1>) -define(<LENGTH>, <r2>) -define(<DST>, <r3>) -define(<SRC>, <r12>) +define(<PARAM_ROUNDS>, <r0>) +define(<PARAM_KEYS>, <r1>) +define(<TABLE>, <r2>) +define(<LENGTH>, <r3>) +C On stack: DST, SRC define(<W0>, <r4>) define(<W1>, <r5>) define(<W2>, <r6>) define(<W3>, <r7>) define(<T0>, <r8>) -define(<KEY>, <r10>) -define(<ROUND>, <r11>) +define(<COUNT>, <r10>) +define(<KEY>, <r11>) -define(<X0>, <r2>) C Overlaps LENGTH, SRC, DST -define(<X1>, <r3>) +define(<X0>, <r0>) C Overlaps PARAM_ROUNDS and PARAM_KEYS +define(<X1>, <r1>) define(<X2>, <r12>) define(<X3>, <r14>) C lr +define(<FRAME_ROUNDS>>, <[sp]>) +define(<FRAME_KEYS>, <[sp, #+4]>) +C 8 saved registers +define(<FRAME_DST>, <[sp, #+40]>) +define(<FRAME_SRC>, <[sp, #+44]>) + +define(<SRC>, <%r12>) C Overlap registers used in inner loop. +define(<DST>, <COUNT>) C 53 instr. C It's tempting to use eor with rotation, but that's slower. @@ -110,7 +118,7 @@ define(<AES_ENCRYPT_ROUND>, < .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -119,20 +127,23 @@ define(<AES_ENCRYPT_ROUND>, < PROLOGUE(_nettle_aes_encrypt) teq LENGTH, #0 beq .Lend - ldr SRC, [sp] - push {r4,r5,r6,r7,r8,r10,r11,lr} + ldr SRC, [sp, #+4] + + push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} + ALIGN(16) .Lblock_loop: - mov KEY, CTX + ldm sp, {COUNT, KEY} + + add TABLE, TABLE, #AES_TABLE0 + AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) - push {LENGTH, DST, SRC} - ldr ROUND, [CTX, #+AES_NROUNDS] - add TABLE, TABLE, #AES_TABLE0 + str SRC, FRAME_SRC b .Lentry ALIGN(16) @@ -141,29 +152,34 @@ PROLOGUE(_nettle_aes_encrypt) AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs ROUND, ROUND,#2 + subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 + C Final round + ldr DST, FRAME_DST + AES_FINAL_ROUND_V6(X0, X1, X2, X3, KEY, W0) AES_FINAL_ROUND_V6(X1, X2, X3, X0, KEY, W1) AES_FINAL_ROUND_V6(X2, X3, X0, X1, KEY, W2) AES_FINAL_ROUND_V6(X3, X0, X1, X2, KEY, W3) - pop {LENGTH, DST, SRC} + ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) + str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop + add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/nettle-internal.c b/nettle-internal.c index 5cd582884d0c9355a5e1fdbd803d06cb9565b6c9..8308df69f1a99090996377ea82a984357e49c553 100644 --- a/nettle-internal.c +++ b/nettle-internal.c @@ -112,3 +112,13 @@ const struct nettle_aead nettle_gcm_aes192 = _NETTLE_AEAD(gcm, GCM, aes, 192); const struct nettle_aead nettle_gcm_aes256 = _NETTLE_AEAD(gcm, GCM, aes, 256); + +/* Old, unified, interface */ +const struct nettle_cipher nettle_unified_aes128 += _NETTLE_CIPHER_SEP(aes, AES, 128); + +const struct nettle_cipher nettle_unified_aes192 += _NETTLE_CIPHER_SEP(aes, AES, 192); + +const struct nettle_cipher nettle_unified_aes256 += _NETTLE_CIPHER_SEP(aes, AES, 256); diff --git a/nettle-internal.h b/nettle-internal.h index e094064f6f32c6daf7f33324b288d96f1b0cf6e3..09881ce9b607228d03ab393645a60085c08a1ba0 100644 --- a/nettle-internal.h +++ b/nettle-internal.h @@ -64,6 +64,10 @@ extern const struct nettle_cipher nettle_blowfish128; extern const struct nettle_cipher nettle_salsa20; extern const struct nettle_cipher nettle_salsa20r12; +extern const struct nettle_cipher nettle_unified_aes128; +extern const struct nettle_cipher nettle_unified_aes192; +extern const struct nettle_cipher nettle_unified_aes256; + /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ extern const struct nettle_cipher nettle_openssl_aes128; diff --git a/sparc32/aes-decrypt-internal.asm b/sparc32/aes-decrypt-internal.asm index cbcf43c56e4f03d5d1526a25ce20f4393f8e3e8a..eac60ed56c5b387fbfddb53bf2fe138899e0a0d6 100644 --- a/sparc32/aes-decrypt-internal.asm +++ b/sparc32/aes-decrypt-internal.asm @@ -1,6 +1,6 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2002, 2005 Niels Möller +C Copyright (C) 2002, 2005, 2013 Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -20,11 +20,12 @@ C MA 02111-1301, USA. include_src(<sparc32/aes.m4>) C Arguments -define(<CTX>, <%i0>) -define(<T>, <%i1>) -define(<LENGTH>,<%i2>) -define(<DST>, <%i3>) -define(<SRC>, <%i4>) +define(<ROUNDS>,<%i0>) +define(<KEYS>, <%i1>) +define(<T>, <%i2>) +define(<LENGTH>,<%i3>) +define(<DST>, <%i4>) +define(<SRC>, <%i5>) C AES state, two copies for unrolling @@ -40,7 +41,7 @@ define(<X3>, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(<KEY>, <%o4>) -define(<ROUND>, <%o5>) +define(<COUNT>, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -53,7 +54,7 @@ define(<FRAME_SIZE>, 104) .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -74,22 +75,23 @@ PROLOGUE(_nettle_aes_decrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 + C Must be even, and includes the final round + srl ROUNDS, 1, ROUNDS + C Last two rounds handled specially + sub ROUNDS, 1, ROUNDS + .Lblock_loop: C Read src, and add initial subkey - add CTX, AES_KEYS, KEY + mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - C Must be even, and includes the final round - ld [AES_NROUNDS + CTX], ROUND + mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY - srl ROUND, 1, ROUND - C Last two rounds handled specially - sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -104,7 +106,7 @@ PROLOGUE(_nettle_aes_decrypt) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) - subcc ROUND, 1, ROUND + subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY diff --git a/sparc32/aes-encrypt-internal.asm b/sparc32/aes-encrypt-internal.asm index 490886fa029678b15f77e7686e8b87e9d624da85..fe99fa6cf3c2a19b500d5c79fc7a83127cd776e8 100644 --- a/sparc32/aes-encrypt-internal.asm +++ b/sparc32/aes-encrypt-internal.asm @@ -1,6 +1,6 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2002, 2005 Niels Möller +C Copyright (C) 2002, 2005, 2013 Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -20,11 +20,12 @@ C MA 02111-1301, USA. include_src(<sparc32/aes.m4>) C Arguments -define(<CTX>, <%i0>) -define(<T>, <%i1>) -define(<LENGTH>,<%i2>) -define(<DST>, <%i3>) -define(<SRC>, <%i4>) +define(<ROUNDS>,<%i0>) +define(<KEYS>, <%i1>) +define(<T>, <%i2>) +define(<LENGTH>,<%i3>) +define(<DST>, <%i4>) +define(<SRC>, <%i5>) C AES state, two copies for unrolling @@ -40,7 +41,7 @@ define(<X3>, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(<KEY>, <%o4>) -define(<ROUND>, <%o5>) +define(<COUNT>, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -58,7 +59,7 @@ define(<FRAME_SIZE>, 104) .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -79,22 +80,23 @@ PROLOGUE(_nettle_aes_encrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 + C Must be even, and includes the final round + srl ROUNDS, 1, ROUNDS + C Last two rounds handled specially + sub ROUNDS, 1, ROUNDS + .Lblock_loop: C Read src, and add initial subkey - add CTX, AES_KEYS, KEY + mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - C Must be even, and includes the final round - ld [AES_NROUNDS + CTX], ROUND + mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY - srl ROUND, 1, ROUND - C Last two rounds handled specially - sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -109,7 +111,7 @@ PROLOGUE(_nettle_aes_encrypt) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) - subcc ROUND, 1, ROUND + subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY diff --git a/sparc64/aes-decrypt-internal.asm b/sparc64/aes-decrypt-internal.asm index 4f70c32c95fb19f39da9267464af34691094bee5..c5269c6762d8c580c4f2ea9d29c8a705155da9d1 100644 --- a/sparc64/aes-decrypt-internal.asm +++ b/sparc64/aes-decrypt-internal.asm @@ -1,6 +1,6 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2002, 2005 Niels Möller +C Copyright (C) 2002, 2005, 2013 Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -23,14 +23,15 @@ C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. -include_src(sparc32/aes.m4) +include_src(<sparc32/aes.m4>) C Arguments -define(<CTX>, <%i0>) -define(<T>, <%i1>) -define(<LENGTH>,<%i2>) -define(<DST>, <%i3>) -define(<SRC>, <%i4>) +define(<ROUNDS>,<%i0>) +define(<KEYS>, <%i1>) +define(<T>, <%i2>) +define(<LENGTH>,<%i3>) +define(<DST>, <%i4>) +define(<SRC>, <%i5>) C AES state, two copies for unrolling @@ -46,7 +47,7 @@ define(<X3>, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(<KEY>, <%o4>) -define(<ROUND>, <%o5>) +define(<COUNT>, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -59,7 +60,7 @@ define(<FRAME_SIZE>, 192) .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -80,22 +81,23 @@ PROLOGUE(_nettle_aes_decrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 + C Must be even, and includes the final round + srl ROUNDS, 1, ROUNDS + C Last two rounds handled specially + sub ROUNDS, 1, ROUNDS + .Lblock_loop: C Read src, and add initial subkey - add CTX, AES_KEYS, KEY + mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - C Must be even, and includes the final round - ld [AES_NROUNDS + CTX], ROUND + mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY - srl ROUND, 1, ROUND - C Last two rounds handled specially - sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -110,7 +112,7 @@ PROLOGUE(_nettle_aes_decrypt) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) - subcc ROUND, 1, ROUND + subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY diff --git a/sparc64/aes-encrypt-internal.asm b/sparc64/aes-encrypt-internal.asm index f24157555720da6c6fccec3bc8fc746e8515c74e..7d1631600867c2080aa14ca36e27a4755b5b6417 100644 --- a/sparc64/aes-encrypt-internal.asm +++ b/sparc64/aes-encrypt-internal.asm @@ -1,6 +1,6 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2002, 2005 Niels Möller +C Copyright (C) 2002, 2005, 2013 Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -23,14 +23,15 @@ C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. -include_src(sparc32/aes.m4) +include_src(<sparc32/aes.m4>) C Arguments -define(<CTX>, <%i0>) -define(<T>, <%i1>) -define(<LENGTH>,<%i2>) -define(<DST>, <%i3>) -define(<SRC>, <%i4>) +define(<ROUNDS>,<%i0>) +define(<KEYS>, <%i1>) +define(<T>, <%i2>) +define(<LENGTH>,<%i3>) +define(<DST>, <%i4>) +define(<SRC>, <%i5>) C AES state, two copies for unrolling @@ -46,10 +47,10 @@ define(<X3>, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(<KEY>, <%o4>) -define(<ROUND>, <%o5>) +define(<COUNT>, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 - + C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field @@ -59,7 +60,7 @@ define(<FRAME_SIZE>, 192) .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -80,22 +81,23 @@ PROLOGUE(_nettle_aes_encrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 + C Must be even, and includes the final round + srl ROUNDS, 1, ROUNDS + C Last two rounds handled specially + sub ROUNDS, 1, ROUNDS + .Lblock_loop: C Read src, and add initial subkey - add CTX, AES_KEYS, KEY + mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - C Must be even, and includes the final round - ld [AES_NROUNDS + CTX], ROUND + mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY - srl ROUND, 1, ROUND - C Last two rounds handled specially - sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -110,7 +112,7 @@ PROLOGUE(_nettle_aes_encrypt) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) - subcc ROUND, 1, ROUND + subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY diff --git a/testsuite/aes-test.c b/testsuite/aes-test.c index 62936d1b74c3612da06d4e6300a20106d73c7d49..964114e3c84b0c221921b94d86e39cb75f8a4103 100644 --- a/testsuite/aes-test.c +++ b/testsuite/aes-test.c @@ -1,5 +1,6 @@ #include "testutils.h" #include "aes.h" +#include "nettle-internal.h" static void test_invert(const struct tstring *key, @@ -45,58 +46,69 @@ test_invert(const struct tstring *key, free (data); } +static void +test_cipher2(const struct nettle_cipher *c1, + const struct nettle_cipher *c2, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext) +{ + test_cipher (c1, key, cleartext, ciphertext); + test_cipher (c2, key, cleartext, ciphertext); +} + void test_main(void) { + /* Test both the new interface and the older unified interface. */ + /* 128 bit keys */ - test_cipher(&nettle_aes128, - SHEX("0001020305060708 0A0B0C0D0F101112"), - SHEX("506812A45F08C889 B97F5980038B8359"), - SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); + test_cipher2(&nettle_aes128, &nettle_unified_aes128, + SHEX("0001020305060708 0A0B0C0D0F101112"), + SHEX("506812A45F08C889 B97F5980038B8359"), + SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); - test_cipher(&nettle_aes128, - SHEX("14151617191A1B1C 1E1F202123242526"), - SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), - SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); - - test_cipher(&nettle_aes128, - SHEX("28292A2B2D2E2F30 323334353738393A"), - SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), - SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); + test_cipher2(&nettle_aes128, &nettle_unified_aes128, + SHEX("14151617191A1B1C 1E1F202123242526"), + SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), + SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); + + test_cipher2(&nettle_aes128, &nettle_unified_aes128, + SHEX("28292A2B2D2E2F30 323334353738393A"), + SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), + SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); - test_cipher(&nettle_aes128, - SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), - SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), - SHEX("CE52AF650D088CA5 59425223F4D32694")); + test_cipher2(&nettle_aes128, &nettle_unified_aes128, + SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), + SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), + SHEX("CE52AF650D088CA5 59425223F4D32694")); /* 192 bit keys */ - - test_cipher(&nettle_aes192, - SHEX("0001020305060708 0A0B0C0D0F101112" - "14151617191A1B1C"), - SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), - SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); + test_cipher2(&nettle_aes192, &nettle_unified_aes192, + SHEX("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C"), + SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), + SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); /* 256 bit keys */ - - test_cipher(&nettle_aes256, - SHEX("0001020305060708 0A0B0C0D0F101112" - "14151617191A1B1C 1E1F202123242526"), - SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), - SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); + test_cipher2(&nettle_aes256, &nettle_unified_aes256, + SHEX("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C 1E1F202123242526"), + SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), + SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); /* This test case has been problematic with the CBC test case */ - test_cipher(&nettle_aes256, - SHEX("8d ae 93 ff fc 78 c9 44" - "2a bd 0c 1e 68 bc a6 c7" - "05 c7 84 e3 5a a9 11 8b" - "d3 16 aa 54 9b 44 08 9e"), - SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), - /* In the cbc test, I once got the bad value - * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ - SHEX("1f 94 fc 85 f2 36 21 06" - "4a ea e3 c9 cc 38 01 0e")); + test_cipher2(&nettle_aes256, &nettle_unified_aes256, + SHEX("8d ae 93 ff fc 78 c9 44" + "2a bd 0c 1e 68 bc a6 c7" + "05 c7 84 e3 5a a9 11 8b" + "d3 16 aa 54 9b 44 08 9e"), + SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), + /* In the cbc test, I once got the bad value + * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ + SHEX("1f 94 fc 85 f2 36 21 06" + "4a ea e3 c9 cc 38 01 0e")); /* From draft NIST spec on AES modes. * @@ -104,42 +116,42 @@ test_main(void) * F.1.1 ECB-AES128-Encrypt */ - test_cipher(&nettle_aes128, - SHEX("2b7e151628aed2a6abf7158809cf4f3c"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - "30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("3ad77bb40d7a3660a89ecaf32466ef97" - "f5d3d58503b9699de785895a96fdbaaf" - "43b1cd7f598ece23881b00e3ed030688" - "7b0c785e27e8ad3f8223207104725dd4")); + test_cipher2(&nettle_aes128, &nettle_unified_aes128, + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("3ad77bb40d7a3660a89ecaf32466ef97" + "f5d3d58503b9699de785895a96fdbaaf" + "43b1cd7f598ece23881b00e3ed030688" + "7b0c785e27e8ad3f8223207104725dd4")); /* F.1.3 ECB-AES192-Encrypt */ - test_cipher(&nettle_aes192, - SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - "30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("bd334f1d6e45f25ff712a214571fa5cc" - "974104846d0ad3ad7734ecb3ecee4eef" - "ef7afd2270e2e60adce0ba2face6444e" - "9a4b41ba738d6c72fb16691603c18e0e")); + test_cipher2(&nettle_aes192, &nettle_unified_aes192, + SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("bd334f1d6e45f25ff712a214571fa5cc" + "974104846d0ad3ad7734ecb3ecee4eef" + "ef7afd2270e2e60adce0ba2face6444e" + "9a4b41ba738d6c72fb16691603c18e0e")); /* F.1.5 ECB-AES256-Encrypt */ - test_cipher(&nettle_aes256, - SHEX("603deb1015ca71be2b73aef0857d7781" - "1f352c073b6108d72d9810a30914dff4"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - "30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" - "591ccb10d410ed26dc5ba74a31362870" - "b6ed21b99ca6f4f9f153e7b1beafed1d" - "23304b7a39f9f3ff067d8d8f9e24ecc7")); + test_cipher2(&nettle_aes256, &nettle_unified_aes256, + SHEX("603deb1015ca71be2b73aef0857d7781" + "1f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" + "591ccb10d410ed26dc5ba74a31362870" + "b6ed21b99ca6f4f9f153e7b1beafed1d" + "23304b7a39f9f3ff067d8d8f9e24ecc7")); /* Test aes_invert_key with src != dst */ test_invert(SHEX("0001020305060708 0A0B0C0D0F101112"), diff --git a/umac-set-key.c b/umac-set-key.c index 03057a460f8d9e075fd6ad041e98723bb35a3571..63a1a7e3ffa034acf5226b967e35e36f403442dc 100644 --- a/umac-set-key.c +++ b/umac-set-key.c @@ -32,7 +32,7 @@ #include "macros.h" static void -umac_kdf (struct aes_ctx *aes, unsigned index, unsigned length, uint8_t *dst) +umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) { uint8_t block[AES_BLOCK_SIZE]; uint64_t count; @@ -41,12 +41,12 @@ umac_kdf (struct aes_ctx *aes, unsigned index, unsigned length, uint8_t *dst) length -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE, count++) { WRITE_UINT64 (block + 8, count); - aes_encrypt (aes, AES_BLOCK_SIZE, dst, block); + aes128_encrypt (aes, AES_BLOCK_SIZE, dst, block); } if (length > 0) { WRITE_UINT64 (block + 8, count); - aes_encrypt (aes, AES_BLOCK_SIZE, block, block); + aes128_encrypt (aes, AES_BLOCK_SIZE, block, block); memcpy (dst, block, length); } } @@ -71,12 +71,12 @@ umac_kdf (struct aes_ctx *aes, unsigned index, unsigned length, uint8_t *dst) void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, - struct aes_ctx *aes, const uint8_t *key, unsigned n) + struct aes128_ctx *aes, const uint8_t *key, unsigned n) { unsigned size; uint8_t buffer[UMAC_KEY_SIZE]; - aes_set_encrypt_key (aes, UMAC_KEY_SIZE, key); + aes128_set_encrypt_key (aes, key); size = UMAC_DATA_SIZE / 4 + 4*(n-1); umac_kdf (aes, 1, size * sizeof(uint32_t), (uint8_t *) l1_key); @@ -94,5 +94,5 @@ _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2); umac_kdf (aes, 0, UMAC_KEY_SIZE, buffer); - aes_set_encrypt_key (aes, UMAC_KEY_SIZE, buffer); + aes128_set_encrypt_key (aes, buffer); } diff --git a/umac.h b/umac.h index b6cec8aa656f7997c1511311c12d7981c7c1428e..ab66d9a7300b98cfb9e5dd5ff0dd5d88c92843be 100644 --- a/umac.h +++ b/umac.h @@ -61,7 +61,7 @@ extern "C" { #include "nettle-types.h" #include "aes.h" -#define UMAC_KEY_SIZE 16 +#define UMAC_KEY_SIZE AES128_KEY_SIZE #define UMAC32_DIGEST_SIZE 4 #define UMAC64_DIGEST_SIZE 8 #define UMAC96_DIGEST_SIZE 12 @@ -76,7 +76,7 @@ extern "C" { uint64_t l3_key1[8*(n)]; \ uint32_t l3_key2[(n)]; \ /* AES cipher for encrypting the nonce */ \ - struct aes_ctx pdf_key; \ + struct aes128_ctx pdf_key; \ /* The l2_state consists of 2*n uint64_t, for poly64 \ and poly128 hashing, followed by n additional \ uint64_t used as an input buffer. */ \ @@ -192,7 +192,7 @@ umac128_digest (struct umac128_ctx *ctx, void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, - struct aes_ctx *pad, const uint8_t *key, unsigned n); + struct aes128_ctx *pad, const uint8_t *key, unsigned n); uint64_t _umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg); diff --git a/umac128.c b/umac128.c index 3ce0c05ed8fd6d58cb7375e11416e2fbddacf147..56d15d759e4a3f79e58b01ca77e841e1d7d9a549 100644 --- a/umac128.c +++ b/umac128.c @@ -103,8 +103,8 @@ umac128_digest (struct umac128_ctx *ctx, } assert (ctx->count > 0); - aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) tag, ctx->nonce); + aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); diff --git a/umac32.c b/umac32.c index c266a4166dc6ac43aec9e1effed723f5cfa9d358..8d6eb7dccd320c321552f4d2c5406e88554f3b96 100644 --- a/umac32.c +++ b/umac32.c @@ -100,8 +100,8 @@ umac32_digest (struct umac32_ctx *ctx, assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { - aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) ctx->pad_cache, ctx->nonce); + aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } diff --git a/umac64.c b/umac64.c index 133f2783588ba84e3aa8deb16c7ea017522bf707..01b9dc81525935e94494304b15fc29fb59c64f7e 100644 --- a/umac64.c +++ b/umac64.c @@ -103,8 +103,8 @@ umac64_digest (struct umac64_ctx *ctx, assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { - aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) ctx->pad_cache, ctx->nonce); + aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache + 2*(ctx->nonce_low & 1); diff --git a/umac96.c b/umac96.c index 3c7905a9a4df9c52e95fac5e81632f43ac119f71..0dc51418db08e1c1316dbef818bc0069a8171936 100644 --- a/umac96.c +++ b/umac96.c @@ -101,8 +101,8 @@ umac96_digest (struct umac96_ctx *ctx, } assert (ctx->count > 0); - aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) tag, ctx->nonce); + aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); diff --git a/x86/aes-decrypt-internal.asm b/x86/aes-decrypt-internal.asm index 6220c11d3eb5fac2a4602f3bdc9f7ab4a7453fee..61339e2f5a40fd7f28d356a14a0a563f7e6aad69 100644 --- a/x86/aes-decrypt-internal.asm +++ b/x86/aes-decrypt-internal.asm @@ -1,6 +1,7 @@ C nettle, low-level cryptographics library C C Copyright (C) 2001, 2002, 2005 Rafael R. Sevilla, Niels Möller +C Copyright (C) 2013, Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -32,11 +33,12 @@ define(<T>,<%ebp>) define(<TMP>,<%edi>) define(<KEY>,<%esi>) -define(<FRAME_CTX>, <40(%esp)>) -define(<FRAME_TABLE>, <44(%esp)>) -define(<FRAME_LENGTH>, <48(%esp)>) -define(<FRAME_DST>, <52(%esp)>) -define(<FRAME_SRC>, <56(%esp)>) +define(<PARAM_ROUNDS>, <40(%esp)>) +define(<PARAM_KEYS>, <44(%esp)>) +define(<PARAM_TABLE>, <48(%esp)>) +define(<PARAM_LENGTH>, <52(%esp)>) +define(<PARAM_DST>, <56(%esp)>) +define(<PARAM_SRC>, <60(%esp)>) define(<FRAME_KEY>, <16(%esp)>) define(<FRAME_COUNT>, <12(%esp)>) @@ -55,7 +57,7 @@ C %edi is a temporary, often used as an accumulator. .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -70,24 +72,21 @@ PROLOGUE(_nettle_aes_decrypt) subl $20, %esp C loop counter and save area for the key pointer - movl FRAME_LENGTH, %ebp + movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend - shrl $4, FRAME_LENGTH - + shrl $4, PARAM_LENGTH + subl $1, PARAM_ROUNDS .Lblock_loop: - movl FRAME_CTX,KEY C address of context struct ctx + movl PARAM_KEYS, KEY C address of subkeys - movl FRAME_SRC,TMP C address of plaintext + movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) - addl $16, FRAME_SRC C Increment src pointer - movl FRAME_TABLE, T - - C get number of rounds to do from ctx struct - movl AES_NROUNDS (KEY),TMP - subl $1,TMP + addl $16, PARAM_SRC C Increment src pointer + movl PARAM_TABLE, T + movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT @@ -140,18 +139,18 @@ PROLOGUE(_nettle_aes_decrypt) C Inverse S-box substitution mov $3,TMP .Lsubst: - AES_SUBST_BYTE(SA,SB,SC,SD,T, KEY) + AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store decrypted data - movl FRAME_DST,TMP + movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) - addl $16, FRAME_DST C Increment destination pointer - decl FRAME_LENGTH + addl $16, PARAM_DST C Increment destination pointer + decl PARAM_LENGTH jnz .Lblock_loop diff --git a/x86/aes-encrypt-internal.asm b/x86/aes-encrypt-internal.asm index 86985ec62c569d3701c9b6c00cda29873cbd31f1..6ddda58dcef5983555615daa6ff05a6a029dfb9c 100644 --- a/x86/aes-encrypt-internal.asm +++ b/x86/aes-encrypt-internal.asm @@ -1,6 +1,7 @@ C nettle, low-level cryptographics library C C Copyright (C) 2001, 2002, 2005 Rafael R. Sevilla, Niels Möller +C Copyright (C) 2013, Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -32,11 +33,12 @@ define(<T>,<%ebp>) define(<TMP>,<%edi>) define(<KEY>,<%esi>) -define(<FRAME_CTX>, <40(%esp)>) -define(<FRAME_TABLE>, <44(%esp)>) -define(<FRAME_LENGTH>, <48(%esp)>) -define(<FRAME_DST>, <52(%esp)>) -define(<FRAME_SRC>, <56(%esp)>) +define(<PARAM_ROUNDS>, <40(%esp)>) +define(<PARAM_KEYS>, <44(%esp)>) +define(<PARAM_TABLE>, <48(%esp)>) +define(<PARAM_LENGTH>, <52(%esp)>) +define(<PARAM_DST>, <56(%esp)>) +define(<PARAM_SRC>, <60(%esp)>) define(<FRAME_KEY>, <16(%esp)>) define(<FRAME_COUNT>, <12(%esp)>) @@ -55,7 +57,7 @@ C %edi is a temporary, often used as an accumulator. .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) @@ -70,24 +72,21 @@ PROLOGUE(_nettle_aes_encrypt) subl $20, %esp C loop counter and save area for the key pointer - movl FRAME_LENGTH, %ebp + movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend - shrl $4, FRAME_LENGTH - + shrl $4, PARAM_LENGTH + subl $1, PARAM_ROUNDS .Lblock_loop: - movl FRAME_CTX,KEY C address of context struct ctx + movl PARAM_KEYS, KEY C address of subkeys - movl FRAME_SRC,TMP C address of plaintext + movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) - addl $16, FRAME_SRC C Increment src pointer - movl FRAME_TABLE, T - - C get number of rounds to do from ctx struct - movl AES_NROUNDS (KEY),TMP - subl $1,TMP + addl $16, PARAM_SRC C Increment src pointer + movl PARAM_TABLE, T + movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT @@ -146,12 +145,12 @@ PROLOGUE(_nettle_aes_encrypt) jnz .Lsubst C Add last subkey, and store encrypted data - movl FRAME_DST,TMP + movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) - addl $16, FRAME_DST C Increment destination pointer - decl FRAME_LENGTH + addl $16, PARAM_DST C Increment destination pointer + decl PARAM_LENGTH jnz .Lblock_loop diff --git a/x86_64/aes-decrypt-internal.asm b/x86_64/aes-decrypt-internal.asm index 606b7c89e559dd69e1006e2001093d1665ea2476..f3451deb7ade185d4f3b0172bdac78f0e2468e67 100644 --- a/x86_64/aes-decrypt-internal.asm +++ b/x86_64/aes-decrypt-internal.asm @@ -1,7 +1,8 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2001, 2002, 2005, 2008 Rafael R. Sevilla, Niels Möller -C +C Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller +C Copyright (C) 2008, 2013 Niels Möller +C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by C the Free Software Foundation; either version 2.1 of the License, or (at your @@ -31,16 +32,17 @@ define(<TA>,<%r10d>) define(<TB>,<%r11d>) define(<TC>,<%r12d>) -define(<CTX>, <%rdi>) -define(<TABLE>, <%rsi>) -define(<PARAM_LENGTH>,<%rdx>) -define(<PARAM_DST>, <%rcx>) -define(<SRC>, <%r8>) +C Input argument +define(<ROUNDS>, <%rdi>) +define(<KEYS>, <%rsi>) +define(<PARAM_TABLE>, <%rdx>) +define(<PARAM_LENGTH>,<%rcx>) +define(<DST>, <%r8>) +define(<SRC>, <%r9>) -define(<DST>, <%r9>) -define(<KEY>,<%r14>) -define(<COUNT>, <%r15d>) -define(<BLOCK_COUNT>, <%r13>) +define(<TABLE>, <%r13>) +define(<LENGTH>,<%r14>) +define(<KEY>, <%r15>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. @@ -48,14 +50,14 @@ define(<TMP>,<%rbp>) .file "aes-decrypt-internal.asm" - C _aes_decrypt(struct aes_context *ctx, + C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) - W64_ENTRY(5, 0) + W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend @@ -67,20 +69,21 @@ PROLOGUE(_nettle_aes_decrypt) push %r14 push %r15 - mov PARAM_DST, DST - mov PARAM_LENGTH, BLOCK_COUNT - shr $4, BLOCK_COUNT + subl $1, XREG(ROUNDS) + push ROUNDS C Rounds at (%rsp) + + mov PARAM_TABLE, TABLE + mov PARAM_LENGTH, LENGTH + shr $4, LENGTH .Lblock_loop: - mov CTX,KEY + mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer - C get number of rounds to do from ctx struct - movl AES_NROUNDS (CTX), COUNT - subl $1, COUNT + movl (%rsp), XREG(ROUNDS) - add $16,KEY C point to next key + add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP) @@ -97,8 +100,8 @@ PROLOGUE(_nettle_aes_decrypt) xorl 8(KEY),SC xorl 12(KEY),SD - add $16,KEY C point to next key - decl COUNT + add $16, KEY C point to next key + decl XREG(ROUNDS) jnz .Lround_loop C last round @@ -108,28 +111,29 @@ PROLOGUE(_nettle_aes_decrypt) AES_FINAL_ROUND(SD,SC,SB,SA, TABLE, SD, TMP) C Inverse S-box substitution - mov $3, COUNT + mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) - decl COUNT + decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store decrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST - dec BLOCK_COUNT + dec LENGTH jnz .Lblock_loop - pop %r15 + lea 8(%rsp), %rsp C Drop ROUNDS + pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: - W64_EXIT(5, 0) + W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_decrypt) diff --git a/x86_64/aes-encrypt-internal.asm b/x86_64/aes-encrypt-internal.asm index e1003c69941710e6e6c621f1867784fefaca8e54..27b031b57a7b92bd32f5cad0187ba1a40ae06fcc 100644 --- a/x86_64/aes-encrypt-internal.asm +++ b/x86_64/aes-encrypt-internal.asm @@ -1,6 +1,7 @@ C nettle, low-level cryptographics library C -C Copyright (C) 2001, 2002, 2005, 2008 Rafael R. Sevilla, Niels Möller +C Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller +C Copyright (C) 2008, 2013 Niels Möller C C The nettle library is free software; you can redistribute it and/or modify C it under the terms of the GNU Lesser General Public License as published by @@ -31,16 +32,17 @@ define(<TA>,<%r10d>) define(<TB>,<%r11d>) define(<TC>,<%r12d>) -define(<CTX>, <%rdi>) -define(<TABLE>, <%rsi>) -define(<PARAM_LENGTH>,<%rdx>) -define(<PARAM_DST>, <%rcx>) -define(<SRC>, <%r8>) +C Input argument +define(<ROUNDS>, <%rdi>) +define(<KEYS>, <%rsi>) +define(<PARAM_TABLE>, <%rdx>) +define(<PARAM_LENGTH>,<%rcx>) +define(<DST>, <%r8>) +define(<SRC>, <%r9>) -define(<DST>, <%r9>) -define(<KEY>,<%r14>) -define(<COUNT>, <%r15d>) -define(<BLOCK_COUNT>, <%r13>) +define(<TABLE>, <%r13>) +define(<LENGTH>,<%r14>) +define(<KEY>, <%r15>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. @@ -48,14 +50,14 @@ define(<TMP>,<%rbp>) .file "aes-encrypt-internal.asm" - C _aes_encrypt(struct aes_context *ctx, + C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) - W64_ENTRY(5, 0) + W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend @@ -67,20 +69,21 @@ PROLOGUE(_nettle_aes_encrypt) push %r14 push %r15 - mov PARAM_DST, DST - mov PARAM_LENGTH, BLOCK_COUNT - shr $4, BLOCK_COUNT + subl $1, XREG(ROUNDS) + push ROUNDS C Rounds at (%rsp) + + mov PARAM_TABLE, TABLE + mov PARAM_LENGTH, LENGTH + shr $4, LENGTH .Lblock_loop: - mov CTX,KEY + mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer - C get number of rounds to do from ctx struct - movl AES_NROUNDS (CTX), COUNT - subl $1, COUNT + movl (%rsp), XREG(ROUNDS) - add $16,KEY C point to next key + add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SB,SC,SD, TA, TMP) @@ -97,8 +100,8 @@ PROLOGUE(_nettle_aes_encrypt) xorl 8(KEY),SC xorl 12(KEY),SD - add $16,KEY C point to next key - decl COUNT + add $16, KEY C point to next key + decl XREG(ROUNDS) jnz .Lround_loop C last round @@ -108,28 +111,29 @@ PROLOGUE(_nettle_aes_encrypt) AES_FINAL_ROUND(SD,SA,SB,SC, TABLE, SD, TMP) C S-box substitution - mov $3, COUNT + mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) - decl COUNT + decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store encrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST - dec BLOCK_COUNT + dec LENGTH jnz .Lblock_loop - pop %r15 + lea 8(%rsp), %rsp C Drop ROUNDS + pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: - W64_EXIT(5, 0) + W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_encrypt) diff --git a/yarrow.h b/yarrow.h index fc6ccf9cbbb2668846f0d1b64880c8bd2823fda9..d54122df950c31726472ede3a5b2b7a6c3bd2667 100644 --- a/yarrow.h +++ b/yarrow.h @@ -72,7 +72,7 @@ struct yarrow256_ctx int seeded; /* The current key and counter block */ - struct aes_ctx key; + struct aes256_ctx key; uint8_t counter[AES_BLOCK_SIZE]; /* The entropy sources */ diff --git a/yarrow256.c b/yarrow256.c index 800e4fd658f516a7d40a905a54b35ff57a14a24c..270a36d91510b495608f9c02dfadc24295467c4e 100644 --- a/yarrow256.c +++ b/yarrow256.c @@ -118,7 +118,7 @@ yarrow_generate_block(struct yarrow256_ctx *ctx, { unsigned i; - aes_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); + aes256_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); /* Increment counter, treating it as a big-endian number. This is * machine independent, and follows appendix B of the NIST @@ -190,12 +190,12 @@ yarrow256_fast_reseed(struct yarrow256_ctx *ctx) /* Iterate */ yarrow_iterate(digest); - aes_set_encrypt_key(&ctx->key, sizeof(digest), digest); + aes256_set_encrypt_key(&ctx->key, digest); ctx->seeded = 1; /* Derive new counter value */ memset(ctx->counter, 0, sizeof(ctx->counter)); - aes_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); + aes256_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); /* Reset estimates. */ for (i = 0; i<ctx->nsources; i++) @@ -305,13 +305,13 @@ yarrow256_update(struct yarrow256_ctx *ctx, static void yarrow_gate(struct yarrow256_ctx *ctx) { - uint8_t key[AES_MAX_KEY_SIZE]; + uint8_t key[AES256_KEY_SIZE]; unsigned i; for (i = 0; i < sizeof(key); i+= AES_BLOCK_SIZE) yarrow_generate_block(ctx, key + i); - aes_set_encrypt_key(&ctx->key, sizeof(key), key); + aes256_set_encrypt_key(&ctx->key, key); } void