Merge branch 'aesni-xts' into 'master'

accelerated: use AES-NI for AES-XTS when available

See merge request gnutls/gnutls!1244

5 files changed, 194 insertions, 1 deletions

diff --git a/lib/accelerated/x86/Makefile.am b/lib/accelerated/x86/Makefile.am
index 9ee9d0ac2e..58698af300 100644
--- a/lib/accelerated/x86/Makefile.am
+++ b/lib/accelerated/x86/Makefile.am
@@ -39,7 +39,7 @@ noinst_LTLIBRARIES = libx86.la
 
 libx86_la_SOURCES = x86-common.c aes-x86.h x86-common.h sha-x86-ssse3.c sha-x86.h hmac-x86-ssse3.c \
 	aes-gcm-x86-ssse3.c aes-gcm-x86-aesni.c aes-cbc-x86-ssse3.c aes-cbc-x86-aesni.c aes-gcm-aead.h \
-	aes-ccm-x86-aesni.c
+	aes-ccm-x86-aesni.c aes-xts-x86-aesni.c
 
 if ENABLE_PADLOCK
 libx86_la_SOURCES += sha-padlock.c hmac-padlock.c aes-padlock.c aes-gcm-padlock.c \
diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h
index 92f54a6a90..023b5f7be6 100644
--- a/lib/accelerated/x86/aes-x86.h
+++ b/lib/accelerated/x86/aes-x86.h
@@ -45,6 +45,14 @@ size_t aesni_gcm_encrypt(const void *inp, void *out, size_t len,
 size_t aesni_gcm_decrypt(const void *inp, void *out, size_t len,
 	const AES_KEY *key, const unsigned char iv[16], uint64_t* Xi);
 
+void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
+		       size_t len, const AES_KEY * key, const AES_KEY * key2,
+		       const unsigned char iv[16]);
+
+void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
+		       size_t len, const AES_KEY * key, const AES_KEY * key2,
+		       const unsigned char iv[16]);
+
 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);  
 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
 void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
@@ -56,6 +64,7 @@ extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_pclmul;
 extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_pclmul_avx;
 extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_x86_aesni;
 extern const gnutls_crypto_cipher_st _gnutls_aes_ccm_x86_aesni;
+extern const gnutls_crypto_cipher_st _gnutls_aes_xts_x86_aesni;
 extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_x86_ssse3;
 
 extern const gnutls_crypto_cipher_st _gnutls_aes_ssse3;
diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c
new file mode 100644
index 0000000000..3371d0812d
--- /dev/null
+++ b/lib/accelerated/x86/aes-xts-x86-aesni.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2011-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2020 Red Hat, Inc.
+ *
+ * Authors: Nikos Mavrogiannopoulos, Anderson Toshiyuki Sasaki
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+/*
+ * The following code wraps the CRYPTOGAMS implementation of the AES-XTS cipher
+ * using Intel's AES instruction set.
+ */
+
+#include "errors.h"
+#include "gnutls_int.h"
+#include "fips.h"
+#include <gnutls/crypto.h>
+#include <aes-x86.h>
+#include <x86-common.h>
+
+struct x86_aes_xts_ctx {
+	AES_KEY block_key;
+	AES_KEY tweak_key;
+	uint8_t iv[16];
+	int enc;
+};
+
+static int
+x86_aes_xts_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx,
+					int enc)
+{
+	if (algorithm != GNUTLS_CIPHER_AES_128_XTS &&
+		algorithm != GNUTLS_CIPHER_AES_256_XTS)
+		return GNUTLS_E_INVALID_REQUEST;
+
+	*_ctx = gnutls_calloc(1, sizeof(struct x86_aes_xts_ctx));
+	if (*_ctx == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+
+	((struct x86_aes_xts_ctx *) (*_ctx))->enc = enc;
+
+	return 0;
+}
+
+static int
+x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
+{
+	struct x86_aes_xts_ctx *ctx = _ctx;
+	int ret;
+	size_t keybits;
+	const uint8_t *key = userkey;
+
+	if ((keysize != 32) && (keysize != 64))
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+	/* Check key block according to FIPS-140-2 IG A.9 */
+	if (_gnutls_fips_mode_enabled()){
+		if (safe_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
+			_gnutls_switch_lib_state(LIB_STATE_ERROR);
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+	}
+
+	/* Size in bits of each half for block and tweak (=keysize * 8 / 2) */
+	keybits = keysize * 4;
+
+	if (ctx->enc)
+		ret =
+		    aesni_set_encrypt_key(key, keybits,
+					  ALIGN16(&ctx->block_key));
+	else
+		ret =
+		    aesni_set_decrypt_key(key, keybits,
+					  ALIGN16(&ctx->block_key));
+
+	if (ret != 0)
+		return gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
+
+	ret =
+	    aesni_set_encrypt_key(key + (keysize / 2), keybits,
+					  ALIGN16(&ctx->tweak_key));
+	if (ret != 0)
+		return gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
+
+	return 0;
+}
+
+static int x86_aes_xts_setiv(void *_ctx, const void *iv, size_t iv_size)
+{
+	struct x86_aes_xts_ctx *ctx = _ctx;
+
+	if (iv_size != 16)
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+	memcpy(ctx->iv, iv, 16);
+	return 0;
+}
+
+static int
+x86_aes_xts_encrypt(void *_ctx, const void *src, size_t src_size,
+	    void *dst, size_t dst_size)
+{
+	struct x86_aes_xts_ctx *ctx = _ctx;
+
+	if (src_size < 16)
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+	aesni_xts_encrypt(src, dst, src_size, ALIGN16(&ctx->block_key),
+			  ALIGN16(&ctx->tweak_key), ctx->iv);
+	return 0;
+}
+
+static int
+x86_aes_xts_decrypt(void *_ctx, const void *src, size_t src_size,
+	    void *dst, size_t dst_size)
+{
+	struct x86_aes_xts_ctx *ctx = _ctx;
+
+	if (src_size < 16)
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+	aesni_xts_decrypt(src, dst, src_size, ALIGN16(&ctx->block_key),
+			  ALIGN16(&ctx->tweak_key), ctx->iv);
+	return 0;
+}
+
+static void x86_aes_xts_deinit(void *_ctx)
+{
+	struct x86_aes_xts_ctx *ctx = _ctx;
+
+	zeroize_temp_key(ctx, sizeof(*ctx));
+	gnutls_free(ctx);
+}
+
+const gnutls_crypto_cipher_st _gnutls_aes_xts_x86_aesni = {
+	.init = x86_aes_xts_cipher_init,
+	.setkey = x86_aes_xts_cipher_setkey,
+	.setiv = x86_aes_xts_setiv,
+	.encrypt = x86_aes_xts_encrypt,
+	.decrypt = x86_aes_xts_decrypt,
+	.deinit = x86_aes_xts_deinit,
+};
+
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index 516d6776c5..459397c118 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -723,6 +723,22 @@ void register_x86_intel_crypto(unsigned capabilities)
 			gnutls_assert();
 		}
 
+		ret =
+		    gnutls_crypto_single_cipher_register
+		    (GNUTLS_CIPHER_AES_128_XTS, 80,
+		     &_gnutls_aes_xts_x86_aesni, 0);
+		if (ret < 0) {
+			gnutls_assert();
+		}
+
+		ret =
+		    gnutls_crypto_single_cipher_register
+		    (GNUTLS_CIPHER_AES_256_XTS, 80,
+		     &_gnutls_aes_xts_x86_aesni, 0);
+		if (ret < 0) {
+			gnutls_assert();
+		}
+
 #ifdef ASM_X86_64
 		if (check_pclmul()) {
 			/* register GCM ciphers */
diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c
index 26d2c63c22..03e1d45fef 100644
--- a/src/benchmark-cipher.c
+++ b/src/benchmark-cipher.c
@@ -153,6 +153,12 @@ static void cipher_bench(int algo, int size, int aead)
 		return;
 	memset(_key, 0xf0, keysize);
 
+	/* For AES-XTS, the block and tweak key must be different */
+	if (algo == GNUTLS_CIPHER_AES_128_XTS ||
+		algo == GNUTLS_CIPHER_AES_256_XTS) {
+		memset((uint8_t *)_key + (keysize / 2), 0x0f, (keysize / 2));
+	}
+
 	_iv = malloc(ivsize);
 	if (_iv == NULL) {
 		free(_key);
@@ -303,6 +309,8 @@ void benchmark_cipher(int debug_level)
 	printf("\nChecking ciphers, payload size: %u\n", size * 1024);
 	cipher_bench(GNUTLS_CIPHER_3DES_CBC, size, 0);
 	cipher_bench(GNUTLS_CIPHER_AES_128_CBC, size, 0);
+	cipher_bench(GNUTLS_CIPHER_AES_128_XTS, size, 0);
+	cipher_bench(GNUTLS_CIPHER_AES_256_XTS, size, 0);
 	cipher_bench(GNUTLS_CIPHER_SALSA20_256, size, 0);
 	cipher_bench(GNUTLS_CIPHER_NULL, size, 1);
 #ifdef ENABLE_GOST