diff options
Diffstat (limited to 'src/libstrongswan/plugins/aesni/aesni_key.c')
| -rw-r--r-- | src/libstrongswan/plugins/aesni/aesni_key.c | 301 |
1 files changed, 301 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/aesni/aesni_key.c b/src/libstrongswan/plugins/aesni/aesni_key.c new file mode 100644 index 000000000..523266a30 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_key.c @@ -0,0 +1,301 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_key.h" + +/** + * Rounds used for each AES key size + */ +#define AES128_ROUNDS 10 +#define AES192_ROUNDS 12 +#define AES256_ROUNDS 14 + +typedef struct private_aesni_key_t private_aesni_key_t; + +/** + * Private data of an aesni_key_t object. + */ +struct private_aesni_key_t { + + /** + * Public aesni_key_t interface. + */ + aesni_key_t public; +}; + +/** + * Invert round encryption keys to get a decryption key schedule + */ +static void reverse_key(aesni_key_t *this) +{ + __m128i t[this->rounds + 1]; + int i; + + for (i = 0; i <= this->rounds; i++) + { + t[i] = this->schedule[i]; + } + this->schedule[this->rounds] = t[0]; + for (i = 1; i < this->rounds; i++) + { + this->schedule[this->rounds - i] = _mm_aesimc_si128(t[i]); + } + this->schedule[0] = t[this->rounds]; + + memwipe(t, sizeof(t)); +} + +/** + * Assist in creating a 128-bit round key + */ +static __m128i assist128(__m128i a, __m128i b) +{ + __m128i c; + + b = _mm_shuffle_epi32(b ,0xff); + c = _mm_slli_si128(a, 0x04); + a = _mm_xor_si128(a, c); + c = _mm_slli_si128(c, 0x04); + a = _mm_xor_si128(a, c); + c = _mm_slli_si128(c, 0x04); + a = _mm_xor_si128(a, c); + a = _mm_xor_si128(a, b); + + return a; +} + +/** + * Expand a 128-bit key to encryption round keys + */ +static void expand128(__m128i *key, __m128i *schedule) +{ + __m128i t; + + schedule[0] = t = _mm_loadu_si128(key); + schedule[1] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x01)); + schedule[2] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x02)); + schedule[3] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x04)); + schedule[4] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x08)); + schedule[5] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x10)); + schedule[6] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x20)); + schedule[7] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x40)); + schedule[8] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x80)); + schedule[9] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x1b)); + schedule[10] = assist128(t, _mm_aeskeygenassist_si128(t, 0x36)); +} + +/** + * Assist in creating a 192-bit round key + */ +static __m128i assist192(__m128i b, __m128i c, __m128i *a) +{ + __m128i t; + + b = _mm_shuffle_epi32(b, 0x55); + t = _mm_slli_si128(*a, 0x04); + *a = _mm_xor_si128(*a, t); + t = _mm_slli_si128(t, 0x04); + *a = _mm_xor_si128(*a, t); + t = _mm_slli_si128(t, 0x04); + *a = _mm_xor_si128(*a, t); + *a = _mm_xor_si128(*a, b); + b = _mm_shuffle_epi32(*a, 0xff); + t = _mm_slli_si128(c, 0x04); + t = _mm_xor_si128(c, t); + t = _mm_xor_si128(t, b); + + return t; +} + +/** + * return a[63:0] | b[63:0] << 64 + */ +static __m128i _mm_shuffle_i00(__m128i a, __m128i b) +{ + return (__m128i)_mm_shuffle_pd((__m128d)a, (__m128d)b, 0); +} + +/** + * return a[127:64] >> 64 | b[63:0] << 64 + */ +static __m128i _mm_shuffle_i01(__m128i a, __m128i b) +{ + return (__m128i)_mm_shuffle_pd((__m128d)a, (__m128d)b, 1); +} + +/** + * Expand a 192-bit encryption key to round keys + */ +static void expand192(__m128i *key, __m128i *schedule) +{ + __m128i t1, t2, t3; + + schedule[0] = t1 = _mm_loadu_si128(key); + t2 = t3 = _mm_loadu_si128(key + 1); + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x1), t2, &t1); + schedule[1] = _mm_shuffle_i00(t3, t1); + schedule[2] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128(t2, 0x2), t2, &t1); + schedule[3] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x4), t2, &t1); + schedule[4] = _mm_shuffle_i00(t3, t1); + schedule[5] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128(t2, 0x8), t2, &t1); + schedule[6] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128 (t2,0x10), t2, &t1); + schedule[7] = _mm_shuffle_i00(t3, t1); + schedule[8] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128 (t2,0x20), t2, &t1); + schedule[9] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x40), t2, &t1); + schedule[10] = _mm_shuffle_i00(t3, t1); + schedule[11] = _mm_shuffle_i01(t1, t2); + assist192(_mm_aeskeygenassist_si128(t2, 0x80), t2, &t1); + schedule[12] = t1; +} + +/** + * Assist in creating a 256-bit round key + */ +static __m128i assist256_1(__m128i a, __m128i b) +{ + __m128i x, y; + + b = _mm_shuffle_epi32(b, 0xff); + y = _mm_slli_si128(a, 0x04); + x = _mm_xor_si128(a, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128 (x, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + x = _mm_xor_si128(x, b); + + return x; +} + +/** + * Assist in creating a 256-bit round key + */ +static __m128i assist256_2(__m128i a, __m128i b) +{ + __m128i x, y, z; + + y = _mm_aeskeygenassist_si128(a, 0x00); + z = _mm_shuffle_epi32(y, 0xaa); + y = _mm_slli_si128(b, 0x04); + x = _mm_xor_si128(b, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + x = _mm_xor_si128(x, z); + + return x; +} + +/** + * Expand a 256-bit encryption key to round keys + */ +static void expand256(__m128i *key, __m128i *schedule) +{ + __m128i t1, t2; + + schedule[0] = t1 = _mm_loadu_si128(key); + schedule[1] = t2 = _mm_loadu_si128(key + 1); + + schedule[2] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x01)); + schedule[3] = t2 = assist256_2(t1, t2); + + schedule[4] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x02)); + schedule[5] = t2 = assist256_2(t1, t2); + + schedule[6] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x04)); + schedule[7] = t2 = assist256_2(t1, t2); + + schedule[8] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x08)); + schedule[9] = t2 = assist256_2(t1, t2); + + schedule[10] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x10)); + schedule[11] = t2 = assist256_2(t1, t2); + + schedule[12] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x20)); + schedule[13] = t2 = assist256_2(t1, t2); + + schedule[14] = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x40)); +} + +METHOD(aesni_key_t, destroy, void, + private_aesni_key_t *this) +{ + memwipe(this, sizeof(*this) + (this->public.rounds + 1) * AES_BLOCK_SIZE); + free_align(this); +} + +/** + * See header + */ +aesni_key_t *aesni_key_create(bool encrypt, chunk_t key) +{ + private_aesni_key_t *this; + int rounds; + + switch (key.len) + { + case 16: + rounds = AES128_ROUNDS; + break; + case 24: + rounds = AES192_ROUNDS; + break; + case 32: + rounds = AES256_ROUNDS; + break; + default: + return NULL; + } + + INIT_EXTRA_ALIGN(this, (rounds + 1) * AES_BLOCK_SIZE, sizeof(__m128i), + .public = { + .destroy = _destroy, + .rounds = rounds, + }, + ); + + switch (key.len) + { + case 16: + expand128((__m128i*)key.ptr, this->public.schedule); + break; + case 24: + expand192((__m128i*)key.ptr, this->public.schedule); + break; + case 32: + expand256((__m128i*)key.ptr, this->public.schedule); + break; + default: + break; + } + + if (!encrypt) + { + reverse_key(&this->public); + } + + return &this->public; +} |