author | Nicolas Boichat <drinkcat@chromium.org> | 2018-07-05 11:40:25 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-09-20 21:29:57 -0700 |
commit | e4db954045988241642e0d7d8817a43c79c2163f (patch) | |
tree | 81b5dacb05b25aab2d2f5e86154ad8f7b387c90d /third_party | |
parent | 11ef0269e90eba657bdb3e7c2ce2d9508d6221e1 (diff) | |
aes: Adapt AES code to build for EC
Update header, C code, and tweak the assembly for ARMv7-M.
Rename aes_nohw_* functions to AES_* to avoid the need for a
separate wrapper.
Also add a test with FIPS-197 test vectors, and speed test.
BRANCH=none
BUG=b:111160949
TEST=make run-aes -j
TEST=make BOARD=nocturne_fp test-aes -j
flash_fp_mcu aes.bin
runtest => pass
(C implementation speed: 11977 us for 1000 iterations)
(ASM implementation speed: 5815 us for 1000 iterations)
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Change-Id: I2048aae73decccb893bc1724b2617b0b902dd992
Reviewed-on: https://chromium-review.googlesource.com/1120340
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/boringssl/common/aes.c | 87 | ||||
-rw-r--r-- | third_party/boringssl/core/cortex-m/aes.S | 11 | ||||
-rw-r--r-- | third_party/boringssl/include/aes.h | 173 |
3 files changed, 84 insertions, 187 deletions
diff --git a/third_party/boringssl/common/aes.c b/third_party/boringssl/common/aes.c index f654cb1e73..aa213eb907 100644 --- a/third_party/boringssl/common/aes.c +++ b/third_party/boringssl/common/aes.c @@ -46,18 +46,17 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ -#include <openssl/aes.h> - -#include <assert.h> - -#include <openssl/cpu.h> - -#include "internal.h" -#include "../modes/internal.h" +#include "aes.h" +#include "common.h" +#include "endian.h" +static inline uint32_t GETU32(const void *in) { + return be32toh(*(uint32_t *)in); +} -#if defined(OPENSSL_NO_ASM) || \ - (!defined(OPENSSL_X86) && !defined(OPENSSL_X86_64) && !defined(OPENSSL_ARM)) +static inline void PUTU32(void *out, uint32_t v) { + *(uint32_t *)out = htobe32(v); +} // Te0[x] = S [x].[02, 01, 01, 03]; // Te1[x] = S [x].[03, 02, 01, 01]; @@ -534,8 +533,8 @@ static const uint32_t rcon[] = { // for 128-bit blocks, Rijndael never uses more than 10 rcon values }; -static int aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey) { +int aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits, + AES_KEY *aeskey) { uint32_t *rk; int i = 0; uint32_t temp; @@ -630,8 +629,8 @@ static int aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits, return 0; } -static int aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey) { +int aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits, + AES_KEY *aeskey) { uint32_t *rk; int i, j, status; uint32_t temp; @@ -679,13 +678,12 @@ static int aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits, return 0; } -static void aes_nohw_encrypt(const uint8_t *in, uint8_t *out, - const AES_KEY *key) { +void aes_nohw_encrypt(const uint8_t *in, uint8_t *out, + const AES_KEY *key) { const uint32_t *rk; uint32_t s0, s1, s2, s3, t0, t1, t2, t3; int r; - assert(in && out && key); rk = key->rd_key; // map byte array block to cipher state 
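Review bot: The new `GETU32`/`PUTU32` helpers in the first aes.c hunk dereference `in`/`out` through a `uint32_t *` cast, but the callers pass `uint8_t` block buffers with no alignment guarantee (`PUTU32(out + 12, s3)` is visible later in the diff). That is undefined behaviour under C's alignment and aliasing rules, and the cast in `GETU32` also drops `const`. On a core or compiler output that does not tolerate unaligned word access it may fault or load the wrong bytes of plaintext or ciphertext. Copying through a local with `memcpy` keeps the byte-order conversion and lets the compiler choose a safe access; this assumes `memcpy` is declared by one of the headers already included, which the hunk does not show.

```c
static inline uint32_t GETU32(const void *in) {
  uint32_t v;
  memcpy(&v, in, sizeof(v));  /* no alignment or aliasing assumption */
  return be32toh(v);
}

static inline void PUTU32(void *out, uint32_t v) {
  v = htobe32(v);
  memcpy(out, &v, sizeof(v));
}
```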
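Review bot: Dropping `assert(in && out && key);` from `aes_nohw_encrypt` (and from `aes_nohw_decrypt` in the next hunk) leaves two functions that now have external linkage with no argument check before `rk = key->rd_key`. On a target without memory protection a NULL `key` would probably not trap, so the block would be processed with whatever sits at that address as round keys instead of failing loudly. If the tree has its own assertion macro, keeping the check in that form, e.g. `ASSERT(in && out && key);`, preserves the original guard; otherwise a comment such as `/* in, out and key must be non-NULL; key must come from a successful aes_nohw_set_*_key() call */` at least documents the contract. Both function bodies continue outside their hunks.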
@@ -741,13 +739,12 @@ static void aes_nohw_encrypt(const uint8_t *in, uint8_t *out, PUTU32(out + 12, s3); } -static void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, - const AES_KEY *key) { +void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, + const AES_KEY *key) { const uint32_t *rk; uint32_t s0, s1, s2, s3, t0, t1, t2, t3; int r; - assert(in && out && key); rk = key->rd_key; // map byte array block to cipher state 
@@ -807,53 +804,3 @@ static void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, ((uint32_t)Td4[(t0) & 0xff]) ^ rk[3]; PUTU32(out + 12, s3); } - -#else // NO_ASM || (!X86 && !X86_64 && !ARM) - -// If not implemented in C, these functions will be provided by assembly code. -void aes_nohw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); -void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); -int aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey); -int aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey); - -#endif - -// Be aware that on x86(-64), the |aes_nohw_*| functions are incompatible with -// the aes_hw_* functions. The latter set |AES_KEY.rounds| to one less than the -// true value, which breaks the former. Therefore the two functions cannot mix. -// Also, on Aarch64, the plain-C code, above, is incompatible with the -// |aes_hw_*| functions. - -void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { - if (hwaes_capable()) { - aes_hw_encrypt(in, out, key); - } else { - aes_nohw_encrypt(in, out, key); - } -} - -void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { - if (hwaes_capable()) { - aes_hw_decrypt(in, out, key); - } else { - aes_nohw_decrypt(in, out, key); - } -} - -int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { - if (hwaes_capable()) { - return aes_hw_set_encrypt_key(key, bits, aeskey); - } else { - return aes_nohw_set_encrypt_key(key, bits, aeskey); - } -} - -int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { - if (hwaes_capable()) { - return aes_hw_set_decrypt_key(key, bits, aeskey); - } else { - return aes_nohw_set_decrypt_key(key, bits, aeskey); - } -} diff --git a/third_party/boringssl/core/cortex-m/aes.S b/third_party/boringssl/core/cortex-m/aes.S index 434df2e2a1..fe34ef2e46 100644 --- a/third_party/boringssl/core/cortex-m/aes.S 
+++ b/third_party/boringssl/core/cortex-m/aes.S @@ -38,16 +38,7 @@ @ Profiler-assisted and platform-specific optimization resulted in 16% @ improvement on Cortex A8 core and ~21.5 cycles per byte. -#ifndef __KERNEL__ -# include <openssl/arm_arch.h> -#else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ -#endif - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. (ARMv8 AES -@ instructions are in aesv8-armx.pl.) -.arch armv7-a +#define __ARM_ARCH__ 7 .text #if defined(__thumb2__) && !defined(__APPLE__) diff --git a/third_party/boringssl/include/aes.h b/third_party/boringssl/include/aes.h index 115658542f..6418a350eb 100644 --- a/third_party/boringssl/include/aes.h +++ b/third_party/boringssl/include/aes.h 
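Review bot: `#define __ARM_ARCH__ 7` is now unconditional and carries no comment, so nothing in this file stops it from being assembled for a core that is not ARMv7-M, and the removed `.arch` directive is not replaced. A short guard ahead of the define makes the assumption explicit, for example `#if !defined(__ARM_ARCH_7M__) && !defined(__ARM_ARCH_7EM__)` / `#error "aes.S expects an ARMv7-M core"` / `#endif`, or at minimum a comment `@ EC build: ARMv7-M only, architecture fixed here instead of via arm_arch.h`. Whether the build system already restricts this file to such boards is not visible in the diff.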
@@ -46,125 +46,84 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ -#ifndef OPENSSL_HEADER_AES_H -#define OPENSSL_HEADER_AES_H - -#include <openssl/base.h> - -#if defined(__cplusplus) -extern "C" { -#endif - - -// Raw AES functions. +#ifndef __CROS_EC_AES_H +#define __CROS_EC_AES_H +#include <stdint.h> #define AES_ENCRYPT 1 #define AES_DECRYPT 0 -// AES_MAXNR is the maximum number of AES rounds. +/* AES_MAXNR is the maximum number of AES rounds. */ #define AES_MAXNR 14 #define AES_BLOCK_SIZE 16 -// aes_key_st should be an opaque type, but EVP requires that the size be -// known. +/* + * aes_key_st should be an opaque type, but EVP requires that the size be + * known. + */ struct aes_key_st { uint32_t rd_key[4 * (AES_MAXNR + 1)]; unsigned rounds; }; typedef struct aes_key_st AES_KEY; -// AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key, -// |key|. -// -// WARNING: unlike other OpenSSL functions, this returns zero on success and a -// negative number on error. -OPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey); - -// AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key, -// |key|. -// -// WARNING: unlike other OpenSSL functions, this returns zero on success and a -// negative number on error. -OPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits, - AES_KEY *aeskey); - -// AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in| -// and |out| pointers may overlap. -OPENSSL_EXPORT void AES_encrypt(const uint8_t *in, uint8_t *out, - const AES_KEY *key); - -// AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in| -// and |out| pointers may overlap. -OPENSSL_EXPORT void AES_decrypt(const uint8_t *in, uint8_t *out, - const AES_KEY *key); - - -// Block cipher modes. 
- -// AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) |len| -// bytes from |in| to |out|. The |num| parameter must be set to zero on the -// first call and |ivec| will be incremented. -OPENSSL_EXPORT void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, - size_t len, const AES_KEY *key, - uint8_t ivec[AES_BLOCK_SIZE], - uint8_t ecount_buf[AES_BLOCK_SIZE], - unsigned int *num); - -// AES_ecb_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) a single, -// 16 byte block from |in| to |out|. -OPENSSL_EXPORT void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, - const AES_KEY *key, const int enc); - -// AES_cbc_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len| -// bytes from |in| to |out|. The length must be a multiple of the block size. -OPENSSL_EXPORT void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const AES_KEY *key, uint8_t *ivec, - const int enc); - -// AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) |len| -// bytes from |in| to |out|. The |num| parameter must be set to zero on the -// first call. -OPENSSL_EXPORT void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, - size_t len, const AES_KEY *key, - uint8_t *ivec, int *num); - -// AES_cfb128_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len| -// bytes from |in| to |out|. The |num| parameter must be set to zero on the -// first call. -OPENSSL_EXPORT void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, - size_t len, const AES_KEY *key, - uint8_t *ivec, int *num, int enc); - - -// AES key wrap. -// -// These functions implement AES Key Wrap mode, as defined in RFC 3394. They -// should never be used except to interoperate with existing systems that use -// this mode. - -// AES_wrap_key performs AES key wrap on |in| which must be a multiple of 8 -// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV. -// |key| must have been configured for encryption. 
On success, it writes -// |in_len| + 8 bytes to |out| and returns |in_len| + 8. Otherwise, it returns -// -1. -OPENSSL_EXPORT int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, - uint8_t *out, const uint8_t *in, size_t in_len); - -// AES_unwrap_key performs AES key unwrap on |in| which must be a multiple of 8 -// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV. -// |key| must have been configured for decryption. On success, it writes -// |in_len| - 8 bytes to |out| and returns |in_len| - 8. Otherwise, it returns -// -1. -OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, - uint8_t *out, const uint8_t *in, - size_t in_len); - - -#if defined(__cplusplus) -} // extern C -#endif - -#endif // OPENSSL_HEADER_AES_H +/* + * These functions are provided by either common/aes.c, or assembly code, + * and should not be called directly. + */ +void aes_nohw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); +void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); +int aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits, + AES_KEY *aeskey); +int aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits, + AES_KEY *aeskey); + +/** + * AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key, + * |key|. + * + * WARNING: unlike other OpenSSL functions, this returns zero on success and a + * negative number on error. + */ +static inline int AES_set_encrypt_key(const uint8_t *key, unsigned int bits, + AES_KEY *aeskey) +{ + return aes_nohw_set_encrypt_key(key, bits, aeskey); +} + +/** + * AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key, + * |key|. + * + * WARNING: unlike other OpenSSL functions, this returns zero on success and a + * negative number on error. 
+ */ +static inline int AES_set_decrypt_key(const uint8_t *key, unsigned int bits, + AES_KEY *aeskey) +{ + return aes_nohw_set_decrypt_key(key, bits, aeskey); +} + +/** + * AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in| + * and |out| pointers may overlap. + */ +static inline void AES_encrypt(const uint8_t *in, uint8_t *out, + const AES_KEY *key) +{ + aes_nohw_encrypt(in, out, key); +} + +/** + * AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in| + * and |out| pointers may overlap. + */ +static inline void AES_decrypt(const uint8_t *in, uint8_t *out, + const AES_KEY *key) +{ + aes_nohw_decrypt(in, out, key); +} + +#endif /* __CROS_EC_AES_H */ |
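Review bot: The doc comments on `AES_encrypt` and `AES_decrypt` do not say that, with the mode functions removed from this header, these are the only entry points and each call processes one raw 16-byte block with no chaining or authentication. A sentence in each comment, such as `Raw single-block primitive: callers must supply the mode of operation and integrity protection themselves.`, would keep users from treating it as a complete encryption API. The retained struct comment still refers to EVP, which this header no longer pulls in, so it is worth rewording. The C implementation in aes.c indexes lookup tables with state bytes (`Td4[(t0) & 0xff]`), so a hedged remark that timing may depend on the platform's memory system would also fit here; the target's cache behaviour is not shown in the diff.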