// rijndael-simd.cpp - written and placed in the public domain by // Jeffrey Walton, Uri Blumenthal and Marcel Raad. // AES-NI code originally written by Wei Dai. // // This source file uses intrinsics and built-ins to gain access to // AES-NI, ARMv8a AES and Power8 AES instructions. A separate source // file is needed because additional CXXFLAGS are required to enable // the appropriate instructions sets in some build configurations. // // ARMv8a AES code based on CriticalBlue code from Johannes Schneiders, // Skip Hovsmith and Barry O'Rourke for the mbedTLS project. Stepping // mbedTLS under a debugger was helped for us to determine problems // with our subkey generation and scheduling. // // AltiVec and Power8 code based on http://github.com/noloader/AES-Intrinsics and // http://www.ibm.com/developerworks/library/se-power8-in-core-cryptography/ // For Power8 do not remove the casts, even when const-ness is cast away. It causes // a 0.3 to 0.6 cpb drop in performance. The IBM documentation absolutely sucks. // Thanks to Andy Polyakov, Paul R and Trudeaun for answering questions and filling // the gaps in the IBM documentation. // #include "pch.h" #include "config.h" #include "misc.h" #include "adv-simd.h" // We set CRYPTOPP_ARM_AES_AVAILABLE based on compiler version. // If the crypto is not available, then we have to disable it here. #if !(defined(__ARM_FEATURE_CRYPTO) || defined(_MSC_VER)) # undef CRYPTOPP_ARM_AES_AVAILABLE #endif // We set CRYPTOPP_POWER8_CRYPTO_AVAILABLE based on compiler version. // If the crypto is not available, then we have to disable it here. #if !(defined(__CRYPTO) || defined(_ARCH_PWR8) || defined(_ARCH_PWR9)) # undef CRYPTOPP_POWER8_CRYPTO_AVAILABLE # undef CRYPTOPP_POWER8_AES_AVAILABLE #endif #if (CRYPTOPP_AESNI_AVAILABLE) # include # include #endif #if (CRYPTOPP_ARM_AES_AVAILABLE) # include # if defined(CRYPTOPP_ARM_ACLE_AVAILABLE) # include # endif #endif #if defined(CRYPTOPP_POWER8_AES_AVAILABLE) # include "ppc-simd.h" #endif #ifdef CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY # include # include #endif #ifndef EXCEPTION_EXECUTE_HANDLER # define EXCEPTION_EXECUTE_HANDLER 1 #endif // Clang __m128i casts, http://bugs.llvm.org/show_bug.cgi?id=20670 #define M128_CAST(x) ((__m128i *)(void *)(x)) #define CONST_M128_CAST(x) ((const __m128i *)(const void *)(x)) NAMESPACE_BEGIN(CryptoPP) #ifdef CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY extern "C" { typedef void (*SigHandler)(int); static jmp_buf s_jmpSIGILL; static void SigIllHandler(int) { longjmp(s_jmpSIGILL, 1); } }; #endif // Not CRYPTOPP_MS_STYLE_INLINE_ASSEMBLY #if (CRYPTOPP_BOOL_ARM32 || CRYPTOPP_BOOL_ARM64) bool CPU_ProbeAES() { #if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES) return false; #elif (CRYPTOPP_ARM_AES_AVAILABLE) # if defined(CRYPTOPP_MS_STYLE_INLINE_ASSEMBLY) volatile bool result = true; __try { // AES encrypt and decrypt uint8x16_t data = vdupq_n_u8(0), key = vdupq_n_u8(0); uint8x16_t r1 = vaeseq_u8(data, key); uint8x16_t r2 = vaesdq_u8(data, key); r1 = vaesmcq_u8(r1); r2 = vaesimcq_u8(r2); result = !!(vgetq_lane_u8(r1,0) | vgetq_lane_u8(r2,7)); } __except (EXCEPTION_EXECUTE_HANDLER) { return false; } return result; # else // longjmp and clobber warnings. Volatile is required. // http://github.com/weidai11/cryptopp/issues/24 and http://stackoverflow.com/q/7721854 volatile bool result = true; volatile SigHandler oldHandler = signal(SIGILL, SigIllHandler); if (oldHandler == SIG_ERR) return false; volatile sigset_t oldMask; if (sigprocmask(0, NULLPTR, (sigset_t*)&oldMask)) return false; if (setjmp(s_jmpSIGILL)) result = false; else { uint8x16_t data = vdupq_n_u8(0), key = vdupq_n_u8(0); uint8x16_t r1 = vaeseq_u8(data, key); uint8x16_t r2 = vaesdq_u8(data, key); r1 = vaesmcq_u8(r1); r2 = vaesimcq_u8(r2); // Hack... GCC optimizes away the code and returns true result = !!(vgetq_lane_u8(r1,0) | vgetq_lane_u8(r2,7)); } sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR); signal(SIGILL, oldHandler); return result; # endif #else return false; #endif // CRYPTOPP_ARM_AES_AVAILABLE } #endif // ARM32 or ARM64 // ***************************** ARMv8 ***************************** // #if (CRYPTOPP_ARM_AES_AVAILABLE) ANONYMOUS_NAMESPACE_BEGIN static inline void ARMV8_Enc_Block(uint64x2_t &data, const word32 *subkeys, unsigned int rounds) { CRYPTOPP_ASSERT(subkeys); const byte *keys = reinterpret_cast(subkeys); uint8x16_t block = vreinterpretq_u8_u64(data); // AES single round encryption block = vaeseq_u8(block, vld1q_u8(keys+0*16)); // AES mix columns block = vaesmcq_u8(block); for (unsigned int i=1; i(subkeys); uint8x16_t block0 = vreinterpretq_u8_u64(data0); uint8x16_t block1 = vreinterpretq_u8_u64(data1); uint8x16_t block2 = vreinterpretq_u8_u64(data2); uint8x16_t block3 = vreinterpretq_u8_u64(data3); uint8x16_t block4 = vreinterpretq_u8_u64(data4); uint8x16_t block5 = vreinterpretq_u8_u64(data5); uint8x16_t key; for (unsigned int i=0; i(subkeys); uint8x16_t block = vreinterpretq_u8_u64(data); // AES single round decryption block = vaesdq_u8(block, vld1q_u8(keys+0*16)); // AES inverse mix columns block = vaesimcq_u8(block); for (unsigned int i=1; i(subkeys); uint8x16_t block0 = vreinterpretq_u8_u64(data0); uint8x16_t block1 = vreinterpretq_u8_u64(data1); uint8x16_t block2 = vreinterpretq_u8_u64(data2); uint8x16_t block3 = vreinterpretq_u8_u64(data3); uint8x16_t block4 = vreinterpretq_u8_u64(data4); uint8x16_t block5 = vreinterpretq_u8_u64(data5); uint8x16_t key; for (unsigned int i=0; i(subkeys); block = _mm_xor_si128(block, skeys[0]); for (unsigned int i=1; i(subkeys); __m128i rk = skeys[0]; block0 = _mm_xor_si128(block0, rk); block1 = _mm_xor_si128(block1, rk); block2 = _mm_xor_si128(block2, rk); block3 = _mm_xor_si128(block3, rk); for (unsigned int i=1; i(subkeys); block = _mm_xor_si128(block, skeys[0]); for (unsigned int i=1; i(subkeys); __m128i rk = skeys[0]; block0 = _mm_xor_si128(block0, rk); block1 = _mm_xor_si128(block1, rk); block2 = _mm_xor_si128(block2, rk); block3 = _mm_xor_si128(block3, rk); for (unsigned int i=1; i(r0, r1); /* line 2 */ r3 = VectorEncryptLast(r3, r4); /* line 3 */ r1 = VectorXor(r1, r6); /* line 4 */ r6 = VectorShiftLeft<12>(r0, r1); /* line 5 */ r1 = VectorXor(r1, r6); /* line 6 */ r6 = VectorShiftLeft<12>(r0, r1); /* line 7 */ r1 = VectorXor(r1, r6); /* line 8 */ // Caller handles r4 (rcon) addition // r4 = VectorAdd(r4, r4); /* line 9 */ // r1 is ready for next round r1 = VectorXor(r1, r3); /* line 10 */ return r1; } static inline uint8_t* IncrementPointerAndStore(const uint8x16_p& r, uint8_t* p) { VectorStore(r, (p += 16)); return p; } static inline void POWER8_Enc_Block(uint32x4_p &block, const word32 *subkeys, unsigned int rounds) { CRYPTOPP_ASSERT(IsAlignedOn(subkeys, 16)); const byte *keys = reinterpret_cast(subkeys); uint32x4_p k = VectorLoadKey(keys); block = VectorXor(block, k); for (size_t i=1; i(subkeys); uint32x4_p k = VectorLoadKey(keys); block0 = VectorXor(block0, k); block1 = VectorXor(block1, k); block2 = VectorXor(block2, k); block3 = VectorXor(block3, k); block4 = VectorXor(block4, k); block5 = VectorXor(block5, k); for (size_t i=1; i(subkeys); uint32x4_p k = VectorLoadKey(rounds*16, keys); block = VectorXor(block, k); for (size_t i=rounds-1; i>1; i-=2) { block = VectorDecrypt(block, VectorLoadKey( i*16, keys)); block = VectorDecrypt(block, VectorLoadKey((i-1)*16, keys)); } block = VectorDecrypt(block, VectorLoadKey(16, keys)); block = VectorDecryptLast(block, VectorLoadKey(0, keys)); } static inline void POWER8_Dec_6_Blocks(uint32x4_p &block0, uint32x4_p &block1, uint32x4_p &block2, uint32x4_p &block3, uint32x4_p &block4, uint32x4_p &block5, const word32 *subkeys, unsigned int rounds) { CRYPTOPP_ASSERT(IsAlignedOn(subkeys, 16)); const byte *keys = reinterpret_cast(subkeys); uint32x4_p k = VectorLoadKey(rounds*16, keys); block0 = VectorXor(block0, k); block1 = VectorXor(block1, k); block2 = VectorXor(block2, k); block3 = VectorXor(block3, k); block4 = VectorXor(block4, k); block5 = VectorXor(block5, k); for (size_t i=rounds-1; i>0; --i) { k = VectorLoadKey(i*16, keys); block0 = VectorDecrypt(block0, k); block1 = VectorDecrypt(block1, k); block2 = VectorDecrypt(block2, k); block3 = VectorDecrypt(block3, k); block4 = VectorDecrypt(block4, k); block5 = VectorDecrypt(block5, k); } k = VectorLoadKey(0, keys); block0 = VectorDecryptLast(block0, k); block1 = VectorDecryptLast(block1, k); block2 = VectorDecryptLast(block2, k); block3 = VectorDecryptLast(block3, k); block4 = VectorDecryptLast(block4, k); block5 = VectorDecryptLast(block5, k); } ANONYMOUS_NAMESPACE_END // We still need rcon and Se to fallback to C/C++ for AES-192 and AES-256. // The IBM docs on AES sucks. Intel's docs on AESNI puts IBM to shame. void Rijndael_UncheckedSetKey_POWER8(const byte* userKey, size_t keyLen, word32* rk, const word32* rc, const byte* Se) { const size_t rounds = keyLen / 4 + 6; if (keyLen == 16) { std::memcpy(rk, userKey, keyLen); uint8_t* skptr = (uint8_t*)rk; uint8x16_p r1 = (uint8x16_p)VectorLoadKey(skptr); uint8x16_p r4 = (uint8x16_p)VectorLoadKey(s_rcon[0]); uint8x16_p r5 = (uint8x16_p)VectorLoadKey(s_mask); #if defined(CRYPTOPP_LITTLE_ENDIAN) // Only the user key requires byte reversing. // The subkeys are stored in proper endianess. ReverseByteArrayLE(skptr); #endif for (unsigned int i=0; i