aesni: Implement XCBC mode to provide a signer/prf
authorMartin Willi <martin@revosec.ch>
Fri, 27 Mar 2015 12:51:24 +0000 (13:51 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 15 Apr 2015 09:35:28 +0000 (11:35 +0200)
Compared to the xcbc plugin using AESNI-CBC as backend, this improves
performance of AES-XCBC by ~45%.

src/libstrongswan/plugins/aesni/Makefile.am
src/libstrongswan/plugins/aesni/aesni_plugin.c
src/libstrongswan/plugins/aesni/aesni_xcbc.c [new file with mode: 0644]
src/libstrongswan/plugins/aesni/aesni_xcbc.h [new file with mode: 0644]

index 5411131..e4f827b 100644 (file)
@@ -17,6 +17,7 @@ libstrongswan_aesni_la_SOURCES = \
        aesni_cbc.h aesni_cbc.c \
        aesni_ctr.h aesni_ctr.c \
        aesni_ccm.h aesni_ccm.c \
+       aesni_xcbc.h aesni_xcbc.c \
        aesni_plugin.h aesni_plugin.c
 
 libstrongswan_aesni_la_LDFLAGS = -module -avoid-version
index 764ecba..334db9c 100644 (file)
@@ -17,6 +17,7 @@
 #include "aesni_cbc.h"
 #include "aesni_ctr.h"
 #include "aesni_ccm.h"
+#include "aesni_xcbc.h"
 
 #include <stdio.h>
 
@@ -66,6 +67,10 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8,  32),
                        PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32),
                        PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32),
+               PLUGIN_REGISTER(PRF, aesni_xcbc_prf_create),
+                       PLUGIN_PROVIDE(PRF, PRF_AES128_XCBC),
+               PLUGIN_REGISTER(SIGNER, aesni_xcbc_signer_create),
+                       PLUGIN_PROVIDE(SIGNER, AUTH_AES_XCBC_96),
        };
 
        *features = f;
diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.c b/src/libstrongswan/plugins/aesni/aesni_xcbc.c
new file mode 100644 (file)
index 0000000..13bc2cc
--- /dev/null
@@ -0,0 +1,378 @@
+/*
+ * Copyright (C) 2008-2015 Martin Willi
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "aesni_xcbc.h"
+#include "aesni_key.h"
+
+#include <crypto/prfs/mac_prf.h>
+#include <crypto/signers/mac_signer.h>
+
+typedef struct private_aesni_mac_t private_aesni_mac_t;
+
+/**
+ * Private data of a mac_t object.
+ */
+struct private_aesni_mac_t {
+
+       /**
+        * Public mac_t interface.
+        */
+       mac_t public;
+
+       /**
+        * Key schedule for K1
+        */
+       aesni_key_t *k1;
+
+       /**
+        * k2
+        */
+       __m128i k2;
+
+       /**
+        * k3
+        */
+       __m128i k3;
+
+       /**
+        * E
+        */
+       __m128i e;
+
+       /**
+        * remaining, unprocessed bytes in append mode
+        */
+       u_char rem[AES_BLOCK_SIZE];
+
+       /**
+        * number of bytes used in remaining
+        */
+       int rem_size;
+
+       /**
+        * TRUE if we have zero bytes to xcbc in final()
+        */
+       bool zero;
+};
+
+METHOD(mac_t, get_mac, bool,
+       private_aesni_mac_t *this, chunk_t data, u_int8_t *out)
+{
+       __m128i k0, k1, k2, k3, k4, k5, k6, k7, k8, k9, k10;
+       __m128i e, *bi;
+       u_int blocks, rem, i;
+
+       if (!this->k1)
+       {
+               return FALSE;
+       }
+
+       k0 = this->k1->schedule[0];
+       k1 = this->k1->schedule[1];
+       k2 = this->k1->schedule[2];
+       k3 = this->k1->schedule[3];
+       k4 = this->k1->schedule[4];
+       k5 = this->k1->schedule[5];
+       k6 = this->k1->schedule[6];
+       k7 = this->k1->schedule[7];
+       k8 = this->k1->schedule[8];
+       k9 = this->k1->schedule[9];
+       k10 = this->k1->schedule[10];
+
+       e = this->e;
+
+       if (data.len)
+       {
+               this->zero = FALSE;
+       }
+
+       if (this->rem_size + data.len > AES_BLOCK_SIZE)
+       {
+               /* (3) For each block M[i], where i = 1 ... n-1:
+                *     XOR M[i] with E[i-1], then encrypt the result with Key K1,
+                *     yielding E[i].
+                */
+
+               /* append data to remaining bytes, process block M[1] */
+               memcpy(this->rem + this->rem_size, data.ptr,
+                          AES_BLOCK_SIZE - this->rem_size);
+               data = chunk_skip(data, AES_BLOCK_SIZE - this->rem_size);
+
+               e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem));
+
+               e = _mm_xor_si128(e, k0);
+               e = _mm_aesenc_si128(e, k1);
+               e = _mm_aesenc_si128(e, k2);
+               e = _mm_aesenc_si128(e, k3);
+               e = _mm_aesenc_si128(e, k4);
+               e = _mm_aesenc_si128(e, k5);
+               e = _mm_aesenc_si128(e, k6);
+               e = _mm_aesenc_si128(e, k7);
+               e = _mm_aesenc_si128(e, k8);
+               e = _mm_aesenc_si128(e, k9);
+               e = _mm_aesenclast_si128(e, k10);
+
+               bi = (__m128i*)data.ptr;
+               rem = data.len % AES_BLOCK_SIZE;
+               blocks = data.len / AES_BLOCK_SIZE;
+               if (!rem && blocks)
+               {       /* don't do last block */
+                       rem = AES_BLOCK_SIZE;
+                       blocks--;
+               }
+
+               /* process blocks M[2] ... M[n-1] */
+               for (i = 0; i < blocks; i++)
+               {
+                       e = _mm_xor_si128(e, _mm_loadu_si128(bi + i));
+
+                       e = _mm_xor_si128(e, k0);
+                       e = _mm_aesenc_si128(e, k1);
+                       e = _mm_aesenc_si128(e, k2);
+                       e = _mm_aesenc_si128(e, k3);
+                       e = _mm_aesenc_si128(e, k4);
+                       e = _mm_aesenc_si128(e, k5);
+                       e = _mm_aesenc_si128(e, k6);
+                       e = _mm_aesenc_si128(e, k7);
+                       e = _mm_aesenc_si128(e, k8);
+                       e = _mm_aesenc_si128(e, k9);
+                       e = _mm_aesenclast_si128(e, k10);
+               }
+
+               /* store remaining bytes of block M[n] */
+               memcpy(this->rem, data.ptr + data.len - rem, rem);
+               this->rem_size = rem;
+       }
+       else
+       {
+               /* no complete block, just copy into remaining */
+               memcpy(this->rem + this->rem_size, data.ptr, data.len);
+               this->rem_size += data.len;
+       }
+
+       if (out)
+       {
+               /* (4) For block M[n]: */
+               if (this->rem_size == AES_BLOCK_SIZE && !this->zero)
+               {
+                       /* a) If the blocksize of M[n] is 128 bits:
+                        *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
+                        *    Key K1, yielding E[n].
+                        */
+                       e = _mm_xor_si128(e, this->k2);
+               }
+               else
+               {
+                       /* b) If the blocksize of M[n] is less than 128 bits:
+                        *
+                        *  i) Pad M[n] with a single "1" bit, followed by the number of
+                        *     "0" bits (possibly none) required to increase M[n]'s
+                        *     blocksize to 128 bits.
+                        */
+                       if (this->rem_size < AES_BLOCK_SIZE)
+                       {
+                               memset(this->rem + this->rem_size, 0,
+                                          AES_BLOCK_SIZE - this->rem_size);
+                               this->rem[this->rem_size] = 0x80;
+                       }
+                       /*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
+                        *      with Key K1, yielding E[n].
+                        */
+                       e = _mm_xor_si128(e, this->k3);
+               }
+               e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem));
+
+               e = _mm_xor_si128(e, k0);
+               e = _mm_aesenc_si128(e, k1);
+               e = _mm_aesenc_si128(e, k2);
+               e = _mm_aesenc_si128(e, k3);
+               e = _mm_aesenc_si128(e, k4);
+               e = _mm_aesenc_si128(e, k5);
+               e = _mm_aesenc_si128(e, k6);
+               e = _mm_aesenc_si128(e, k7);
+               e = _mm_aesenc_si128(e, k8);
+               e = _mm_aesenc_si128(e, k9);
+               e = _mm_aesenclast_si128(e, k10);
+               _mm_storeu_si128((__m128i*)out, e);
+
+               /* (2) Define E[0] = 0x00000000000000000000000000000000 */
+               e = _mm_setzero_si128();
+               this->rem_size = 0;
+               this->zero = TRUE;
+       }
+       this->e = e;
+       return TRUE;
+}
+
+METHOD(mac_t, get_mac_size, size_t,
+       private_aesni_mac_t *this)
+{
+       return AES_BLOCK_SIZE;
+}
+
+METHOD(mac_t, set_key, bool,
+       private_aesni_mac_t *this, chunk_t key)
+{
+       __m128i t1, t2, t3;
+       u_char k1[AES_BLOCK_SIZE];
+       u_int round;
+       chunk_t k;
+
+       /* reset state */
+       this->e = _mm_setzero_si128();
+       this->rem_size = 0;
+       this->zero = TRUE;
+
+       /* Create RFC4434 variable keys if required */
+       if (key.len == AES_BLOCK_SIZE)
+       {
+               k = key;
+       }
+       else if (key.len < AES_BLOCK_SIZE)
+       {       /* pad short keys */
+               k = chunk_alloca(AES_BLOCK_SIZE);
+               memset(k.ptr, 0, k.len);
+               memcpy(k.ptr, key.ptr, key.len);
+       }
+       else
+       {       /* shorten key using XCBC */
+               k = chunk_alloca(AES_BLOCK_SIZE);
+               memset(k.ptr, 0, k.len);
+               if (!set_key(this, k) || !get_mac(this, key, k.ptr))
+               {
+                       return FALSE;
+               }
+       }
+
+       /*
+        * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
+        *     key K, as follows:
+        *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
+        *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
+        *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
+        */
+
+       DESTROY_IF(this->k1);
+       this->k1 = aesni_key_create(TRUE, k);
+       if (!this->k1)
+       {
+               return FALSE;
+       }
+
+       t1 = _mm_set1_epi8(0x01);
+       t2 = _mm_set1_epi8(0x02);
+       t3 = _mm_set1_epi8(0x03);
+
+       t1 = _mm_xor_si128(t1, this->k1->schedule[0]);
+       t2 = _mm_xor_si128(t2, this->k1->schedule[0]);
+       t3 = _mm_xor_si128(t3, this->k1->schedule[0]);
+
+       for (round = 1; round < this->k1->rounds; round++)
+       {
+               t1 = _mm_aesenc_si128(t1, this->k1->schedule[round]);
+               t2 = _mm_aesenc_si128(t2, this->k1->schedule[round]);
+               t3 = _mm_aesenc_si128(t3, this->k1->schedule[round]);
+       }
+
+       t1 = _mm_aesenclast_si128(t1, this->k1->schedule[this->k1->rounds]);
+       t2 = _mm_aesenclast_si128(t2, this->k1->schedule[this->k1->rounds]);
+       t3 = _mm_aesenclast_si128(t3, this->k1->schedule[this->k1->rounds]);
+
+       _mm_storeu_si128((__m128i*)k1, t1);
+       this->k2 = t2;
+       this->k3 = t3;
+
+       this->k1->destroy(this->k1);
+       this->k1 = aesni_key_create(TRUE, chunk_from_thing(k1));
+
+       memwipe(k1, AES_BLOCK_SIZE);
+       return this->k1 != NULL;
+}
+
+METHOD(mac_t, destroy, void,
+       private_aesni_mac_t *this)
+{
+       DESTROY_IF(this->k1);
+       memwipe(&this->k2, sizeof(this->k2));
+       memwipe(&this->k3, sizeof(this->k3));
+       free(this);
+}
+
+/*
+ * Described in header
+ */
+mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size)
+{
+       private_aesni_mac_t *this;
+
+       INIT(this,
+               .public = {
+                       .get_mac = _get_mac,
+                       .get_mac_size = _get_mac_size,
+                       .set_key = _set_key,
+                       .destroy = _destroy,
+               },
+       );
+
+       return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo)
+{
+       mac_t *xcbc;
+
+       switch (algo)
+       {
+               case PRF_AES128_XCBC:
+                       xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16);
+                       break;
+               default:
+                       return NULL;
+       }
+       if (xcbc)
+       {
+               return mac_prf_create(xcbc);
+       }
+       return NULL;
+}
+
+/*
+ * Described in header
+ */
+signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo)
+{
+       size_t trunc;
+       mac_t *xcbc;
+
+       switch (algo)
+       {
+               case AUTH_AES_XCBC_96:
+                       xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16);
+                       trunc = 12;
+                       break;
+               default:
+                       return NULL;
+       }
+       if (xcbc)
+       {
+               return mac_signer_create(xcbc, trunc);
+       }
+       return NULL;
+}
diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.h b/src/libstrongswan/plugins/aesni/aesni_xcbc.h
new file mode 100644 (file)
index 0000000..53f559f
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aesni_xcbc aesni_xcbc
+ * @{ @ingroup aesni
+ */
+
+#ifndef AESNI_XCBC_H_
+#define AESNI_XCBC_H_
+
+#include <crypto/mac.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * Create a generic mac_t object using AESNI XCBC
+ *
+ * @param algo         underlying encryption algorithm
+ * @param key_size     size of encryption key, in bytes
+ */
+mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size);
+
+/**
+ * Creates a new prf_t object based AESNI XCBC.
+ *
+ * @param algo         algorithm to implement
+ * @return                     prf_t object, NULL if not supported
+ */
+prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo);
+
+/**
+ * Creates a new signer_t object based on AESNI XCBC.
+ *
+ * @param algo         algorithm to implement
+ * @return                     signer_t, NULL if not supported
+ */
+signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo);
+
+#endif /** AESNI_XCBC_H_ @}*/