~mdw / catacomb / blame
| Commit | Line | Data |
|---|---|---|
| 1a0c09c4 MW |
1 | /// -*- mode: asm; asm-comment-char: ?/ -*- |
| 2 | /// | |
| 3 | /// AESNI-based implementation of Rijndael | |
| 4 | /// | |
| 5 | /// (c) 2015 Straylight/Edgeware | |
| 6 | /// | |
| 7 | ||
| 8 | ///----- Licensing notice --------------------------------------------------- | |
| 9 | /// | |
| 10 | /// This file is part of Catacomb. | |
| 11 | /// | |
| 12 | /// Catacomb is free software; you can redistribute it and/or modify | |
| 13 | /// it under the terms of the GNU Library General Public License as | |
| 14 | /// published by the Free Software Foundation; either version 2 of the | |
| 15 | /// License, or (at your option) any later version. | |
| 16 | /// | |
| 17 | /// Catacomb is distributed in the hope that it will be useful, | |
| 18 | /// but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 19 | /// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 20 | /// GNU Library General Public License for more details. | |
| 21 | /// | |
| 22 | /// You should have received a copy of the GNU Library General Public | |
| 23 | /// License along with Catacomb; if not, write to the Free | |
| 24 | /// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, | |
| 25 | /// MA 02111-1307, USA. | |
| 26 | ||
| 27 | ///-------------------------------------------------------------------------- | |
| 28 | /// External definitions. | |
| 29 | ||
| 30 | #include "config.h" | |
| 31 | #include "asm-common.h" | |
| 32 | ||
| 33 | ///-------------------------------------------------------------------------- | |
| 34 | /// External definitions. | |
| 35 | ||
| 36 | .globl F(abort) | |
| 37 | .globl F(rijndael_rcon) | |
| 38 | ||
| 39 | ///-------------------------------------------------------------------------- | |
| 40 | /// Main code. | |
| 41 | ||
| 42 | .arch .aes | |
| 43 | .section .text | |
| 44 | ||
| 45 | /// The AESNI instructions implement a little-endian version of AES, but | |
| 46 | /// Catacomb's internal interface presents as big-endian so as to work better | |
| 47 | /// with things like GCM. We therefore maintain the round keys in | |
| 48 | /// little-endian form, and have to end-swap blocks in and out. | |
| 49 | /// | |
| 50 | /// For added amusement, the AESNI instructions don't implement the | |
| 51 | /// larger-block versions of Rijndael, so we have to end-swap the keys if | |
| 52 | /// we're preparing for one of those. | |
| 53 | ||
| 54 | // Useful constants. | |
| 55 | .equ maxrounds, 16 // maximum number of rounds | |
| 56 | .equ maxblksz, 32 // maximum block size, in bytes | |
| 57 | .equ kbufsz, maxblksz*(maxrounds + 1) // size of a key-schedule buffer | |
| 58 | ||
| 59 | // Context structure. | |
| 60 | .equ nr, 0 // number of rounds | |
| 61 | .equ w, nr + 4 // encryption key words | |
| 62 | .equ wi, w + kbufsz // decryption key words | |
| 63 | ||
| 64 | ///-------------------------------------------------------------------------- | |
| 65 | /// Key setup. | |
| 66 | ||
| 67 | FUNC(rijndael_setup_x86_aesni) | |
| 68 | ||
| 69 | // Initial state. We have four arguments: | |
| 70 | // [esp + 20] is the context pointer | |
| 71 | // [esp + 24] is the block size, in 32-bit words (4, 6, or 8) | |
| 72 | // [esp + 28] points to the key material, unaligned | |
| 73 | // [esp + 32] is the size of the key, in words | |
| 74 | // The key size has already been checked for validity, and the number | |
| 75 | // of rounds has been computed. Our job is only to fill in the `w' | |
| 76 | // and `wi' vectors. | |
| 77 | ||
| 78 | push ebp | |
| 79 | push ebx | |
| 80 | push esi | |
| 81 | push edi | |
| 82 | ||
| 83 | // The initial round key material is taken directly from the input | |
| 84 | // key, so copy it over. | |
| 85 | mov ebp, [esp + 20] // context base pointer | |
| 86 | mov ebx, [esp + 32] // key size, in words | |
| 87 | mov ecx, ebx | |
| 88 | mov esi, [esp + 28] | |
| 89 | lea edi, [ebp + w] | |
| 90 | rep movsd | |
| 91 | ||
| 92 | // Find out other useful things. | |
| 93 | mov edx, [ebp + nr] // number of rounds | |
| 94 | add edx, 1 | |
| 95 | imul edx, [esp + 24] // total key size in words | |
| 96 | sub edx, ebx // offset by the key size | |
| 97 | ||
| 98 | // Find the round constants. | |
| 99 | ldgot ecx | |
| 100 | leaext ecx, rijndael_rcon, ecx | |
| 101 | ||
| 102 | // Prepare for the main loop. | |
| 103 | lea esi, [ebp + w] | |
| 104 | mov eax, [esi + 4*ebx - 4] // most recent key word | |
| 105 | lea edx, [esi + 4*edx] // limit, offset by one key expansion | |
| 106 | ||
| 107 | // Main key expansion loop. The first word of each key-length chunk | |
| 108 | // needs special treatment. | |
| 109 | // | |
| 110 | // This is rather tedious because the Intel `AESKEYGENASSIST' | |
| 111 | // instruction is very strangely shaped. Firstly, it wants to | |
| 112 | // operate on vast SSE registers, even though we're data-blocked from | |
| 113 | // doing more than operation at a time unless we're doing two key | |
| 114 | // schedules simultaneously -- and even then we can't do more than | |
| 115 | // two, because the instruction ignores two of its input words | |
| 116 | // entirely, and produces two different outputs for each of the other | |
| 117 | // two. And secondly it insists on taking the magic round constant | |
| 118 | // as an immediate, so it's kind of annoying if you're not | |
| 119 | // open-coding the whole thing. It's much easier to leave that as | |
| 120 | // zero and XOR in the round constant by hand. | |
| 121 | 9: movd xmm0, eax | |
| 122 | pshufd xmm0, xmm0, 0x39 | |
| 123 | aeskeygenassist xmm1, xmm0, 0 | |
| 124 | pshufd xmm1, xmm1, 0x93 | |
| 125 | movd eax, xmm1 | |
| 126 | xor eax, [esi] | |
| 127 | xor al, [ecx] | |
| 128 | inc ecx | |
| 129 | mov [esi + 4*ebx], eax | |
| 130 | add esi, 4 | |
| 131 | cmp esi, edx | |
| 132 | jae 8f | |
| 133 | ||
| 134 | // The next three words are simple... | |
| 135 | xor eax, [esi] | |
| 136 | mov [esi + 4*ebx], eax | |
| 137 | add esi, 4 | |
| 138 | cmp esi, edx | |
| 139 | jae 8f | |
| 140 | ||
| 141 | // (Word 2...) | |
| 142 | xor eax, [esi] | |
| 143 | mov [esi + 4*ebx], eax | |
| 144 | add esi, 4 | |
| 145 | cmp esi, edx | |
| 146 | jae 8f | |
| 147 | ||
| 148 | // (Word 3...) | |
| 149 | xor eax, [esi] | |
| 150 | mov [esi + 4*ebx], eax | |
| 151 | add esi, 4 | |
| 152 | cmp esi, edx | |
| 153 | jae 8f | |
| 154 | ||
| 155 | // Word 4. If the key is /more/ than 6 words long, then we must | |
| 156 | // apply a substitution here. | |
| 157 | cmp ebx, 5 | |
| 158 | jb 9b | |
| 159 | cmp ebx, 7 | |
| 160 | jb 0f | |
| 161 | movd xmm0, eax | |
| 162 | pshufd xmm0, xmm0, 0x93 | |
| 163 | aeskeygenassist xmm1, xmm0, 0 | |
| 164 | movd eax, xmm1 | |
| 165 | 0: xor eax, [esi] | |
| 166 | mov [esi + 4*ebx], eax | |
| 167 | add esi, 4 | |
| 168 | cmp esi, edx | |
| 169 | jae 8f | |
| 170 | ||
| 171 | // (Word 5...) | |
| 172 | cmp ebx, 6 | |
| 173 | jb 9b | |
| 174 | xor eax, [esi] | |
| 175 | mov [esi + 4*ebx], eax | |
| 176 | add esi, 4 | |
| 177 | cmp esi, edx | |
| 178 | jae 8f | |
| 179 | ||
| 180 | // (Word 6...) | |
| 181 | cmp ebx, 7 | |
| 182 | jb 9b | |
| 183 | xor eax, [esi] | |
| 184 | mov [esi + 4*ebx], eax | |
| 185 | add esi, 4 | |
| 186 | cmp esi, edx | |
| 187 | jae 8f | |
| 188 | ||
| 189 | // (Word 7...) | |
| 190 | cmp ebx, 8 | |
| 191 | jb 9b | |
| 192 | xor eax, [esi] | |
| 193 | mov [esi + 4*ebx], eax | |
| 194 | add esi, 4 | |
| 195 | cmp esi, edx | |
| 196 | jae 8f | |
| 197 | ||
| 198 | // Must be done by now. | |
| 199 | jmp 9b | |
| 200 | ||
| 201 | // Next job is to construct the decryption keys. The keys for the | |
| 202 | // first and last rounds don't need to be mangled, but the remaining | |
| 203 | // ones do -- and they all need to be reordered too. | |
| 204 | // | |
| 205 | // The plan of action, then, is to copy the final encryption round's | |
| 206 | // keys into place first, then to do each of the intermediate rounds | |
| 207 | // in reverse order, and finally do the first round. | |
| 208 | // | |
| 209 | // Do all of the heavy lifting with SSE registers. The order we're | |
| 210 | // doing this in means that it's OK if we read or write too much, and | |
| 211 | // there's easily enough buffer space for the over-enthusiastic reads | |
| 212 | // and writes because the context has space for 32-byte blocks, which | |
| 213 | // is our maximum and an exact fit for two SSE registers. | |
| 214 | 8: mov ecx, [ebp + nr] // number of rounds | |
| 215 | mov ebx, [esp + 24] // block size (in words) | |
| 216 | mov edx, ecx | |
| 217 | imul edx, ebx | |
| 218 | lea edi, [ebp + wi] | |
| 219 | lea esi, [ebp + 4*edx + w] // last round's keys | |
| 220 | shl ebx, 2 // block size (in bytes now) | |
| 221 | ||
| 222 | // Copy the last encryption round's keys. | |
| 223 | movdqu xmm0, [esi] | |
| 224 | movdqu [edi], xmm0 | |
| 225 | cmp ebx, 16 | |
| 226 | jbe 9f | |
| 227 | movdqu xmm0, [esi + 16] | |
| 228 | movdqu [edi + 16], xmm0 | |
| 229 | ||
| 230 | // Update the loop variables and stop if we've finished. | |
| 231 | 9: add edi, ebx | |
| 232 | sub esi, ebx | |
| 233 | sub ecx, 1 | |
| 234 | jbe 0f | |
| 235 | ||
| 236 | // Do another middle round's keys... | |
| 237 | movdqu xmm0, [esi] | |
| 238 | aesimc xmm0, xmm0 | |
| 239 | movdqu [edi], xmm0 | |
| 240 | cmp ebx, 16 | |
| 241 | jbe 9b | |
| 242 | movdqu xmm0, [esi + 16] | |
| 243 | aesimc xmm0, xmm0 | |
| 244 | movdqu [edi + 16], xmm0 | |
| 245 | jmp 9b | |
| 246 | ||
| 247 | // Finally do the first encryption round. | |
| 248 | 0: movdqu xmm0, [esi] | |
| 249 | movdqu [edi], xmm0 | |
| 250 | cmp ebx, 16 | |
| 251 | jbe 0f | |
| 252 | movdqu xmm0, [esi + 16] | |
| 253 | movdqu [edi + 16], xmm0 | |
| 254 | ||
| 255 | // If the block size is not exactly four words then we must end-swap | |
| 256 | // everything. We can use fancy SSE toys for this. | |
| 257 | 0: cmp ebx, 16 | |
| 258 | je 0f | |
| 259 | ||
| 260 | // Find the byte-reordering table. | |
| 261 | ldgot ecx | |
| 262 | movdqa xmm7, [INTADDR(endswap_tab, ecx)] | |
| 263 | ||
| 264 | // Calculate the number of subkey words again. (It's a good job | |
| 265 | // we've got a fast multiplier.) | |
| 266 | mov ecx, [ebp + nr] | |
| 267 | add ecx, 1 | |
| 268 | imul ecx, [esp + 24] // total keys in words | |
| 269 | ||
| 270 | // End-swap the encryption keys. | |
| 271 | mov eax, ecx | |
| 272 | lea esi, [ebp + w] | |
| 273 | call endswap_block | |
| 274 | ||
| 275 | // And the decryption keys. | |
| 276 | mov ecx, eax | |
| 277 | lea esi, [ebp + wi] | |
| 278 | call endswap_block | |
| 279 | ||
| 280 | // All done. | |
| 281 | 0: pop edi | |
| 282 | pop esi | |
| 283 | pop ebx | |
| 284 | pop ebp | |
| 285 | ret | |
| 286 | ||
| 287 | .align 16 | |
| 288 | endswap_block: | |
| 289 | // End-swap ECX words starting at ESI. The end-swapping table is | |
| 290 | // already loaded into XMM7; and it's OK to work in 16-byte chunks. | |
| 291 | movdqu xmm1, [esi] | |
| 292 | pshufb xmm1, xmm7 | |
| 293 | movdqu [esi], xmm1 | |
| 294 | add esi, 16 | |
| 295 | sub ecx, 4 | |
| 296 | ja endswap_block | |
| 297 | ret | |
| 298 | ||
| 299 | ENDFUNC | |
| 300 | ||
| 301 | ///-------------------------------------------------------------------------- | |
| 302 | /// Encrypting and decrypting blocks. | |
| 303 | ||
| 304 | FUNC(rijndael_eblk_x86_aesni) | |
| 305 | ||
| 306 | // On entry, we have: | |
| 307 | // [esp + 4] points to the context block | |
| 308 | // [esp + 8] points to the input data block | |
| 309 | // [esp + 12] points to the output buffer | |
| 310 | ||
| 311 | // Find the magic endianness-swapping table. | |
| 312 | ldgot ecx | |
| 313 | movdqa xmm7, [INTADDR(endswap_tab, ecx)] | |
| 314 | ||
| 315 | // Load the input block and end-swap it. Also, start loading the | |
| 316 | // keys. | |
| 317 | mov eax, [esp + 8] | |
| 318 | movdqu xmm0, [eax] | |
| 319 | pshufb xmm0, xmm7 | |
| 320 | mov eax, [esp + 4] | |
| 321 | lea edx, [eax + w] | |
| 322 | mov eax, [eax + nr] | |
| 323 | ||
| 324 | // Initial whitening. | |
| 325 | movdqu xmm1, [edx] | |
| 326 | add edx, 16 | |
| 327 | pxor xmm0, xmm1 | |
| 328 | ||
| 329 | // Dispatch to the correct code. | |
| 330 | cmp eax, 10 | |
| 331 | je er10 | |
| 332 | jb bogus | |
| 333 | cmp eax, 14 | |
| 334 | je er14 | |
| 335 | ja bogus | |
| 336 | cmp eax, 12 | |
| 337 | je er12 | |
| 338 | jb er11 | |
| 339 | jmp er13 | |
| 340 | ||
| 341 | .align 2 | |
| 342 | ||
| 343 | // 14 rounds... | |
| 344 | er14: movdqu xmm1, [edx] | |
| 345 | add edx, 16 | |
| 346 | aesenc xmm0, xmm1 | |
| 347 | ||
| 348 | // 13 rounds... | |
| 349 | er13: movdqu xmm1, [edx] | |
| 350 | add edx, 16 | |
| 351 | aesenc xmm0, xmm1 | |
| 352 | ||
| 353 | // 12 rounds... | |
| 354 | er12: movdqu xmm1, [edx] | |
| 355 | add edx, 16 | |
| 356 | aesenc xmm0, xmm1 | |
| 357 | ||
| 358 | // 11 rounds... | |
| 359 | er11: movdqu xmm1, [edx] | |
| 360 | add edx, 16 | |
| 361 | aesenc xmm0, xmm1 | |
| 362 | ||
| 363 | // 10 rounds... | |
| 364 | er10: movdqu xmm1, [edx] | |
| 365 | aesenc xmm0, xmm1 | |
| 366 | ||
| 367 | // 9 rounds... | |
| 368 | movdqu xmm1, [edx + 16] | |
| 369 | aesenc xmm0, xmm1 | |
| 370 | ||
| 371 | // 8 rounds... | |
| 372 | movdqu xmm1, [edx + 32] | |
| 373 | aesenc xmm0, xmm1 | |
| 374 | ||
| 375 | // 7 rounds... | |
| 376 | movdqu xmm1, [edx + 48] | |
| 377 | aesenc xmm0, xmm1 | |
| 378 | ||
| 379 | // 6 rounds... | |
| 380 | movdqu xmm1, [edx + 64] | |
| 381 | aesenc xmm0, xmm1 | |
| 382 | ||
| 383 | // 5 rounds... | |
| 384 | movdqu xmm1, [edx + 80] | |
| 385 | aesenc xmm0, xmm1 | |
| 386 | ||
| 387 | // 4 rounds... | |
| 388 | movdqu xmm1, [edx + 96] | |
| 389 | aesenc xmm0, xmm1 | |
| 390 | ||
| 391 | // 3 rounds... | |
| 392 | movdqu xmm1, [edx + 112] | |
| 393 | aesenc xmm0, xmm1 | |
| 394 | ||
| 395 | // 2 rounds... | |
| 396 | movdqu xmm1, [edx + 128] | |
| 397 | aesenc xmm0, xmm1 | |
| 398 | ||
| 399 | // Final round... | |
| 400 | movdqu xmm1, [edx + 144] | |
| 401 | aesenclast xmm0, xmm1 | |
| 402 | ||
| 403 | // Unpermute the ciphertext block and store it. | |
| 404 | pshufb xmm0, xmm7 | |
| 405 | mov eax, [esp + 12] | |
| 406 | movdqu [eax], xmm0 | |
| 407 | ||
| 408 | // And we're done. | |
| 409 | ret | |
| 410 | ||
| 411 | ENDFUNC | |
| 412 | ||
| 413 | FUNC(rijndael_dblk_x86_aesni) | |
| 414 | ||
| 415 | // On entry, we have: | |
| 416 | // [esp + 4] points to the context block | |
| 417 | // [esp + 8] points to the input data block | |
| 418 | // [esp + 12] points to the output buffer | |
| 419 | ||
| 420 | // Find the magic endianness-swapping table. | |
| 421 | ldgot ecx | |
| 422 | movdqa xmm7, [INTADDR(endswap_tab, ecx)] | |
| 423 | ||
| 424 | // Load the input block and end-swap it. Also, start loading the | |
| 425 | // keys. | |
| 426 | mov eax, [esp + 8] | |
| 427 | movdqu xmm0, [eax] | |
| 428 | pshufb xmm0, xmm7 | |
| 429 | mov eax, [esp + 4] | |
| 430 | lea edx, [eax + wi] | |
| 431 | mov eax, [eax + nr] | |
| 432 | ||
| 433 | // Initial whitening. | |
| 434 | movdqu xmm1, [edx] | |
| 435 | add edx, 16 | |
| 436 | pxor xmm0, xmm1 | |
| 437 | ||
| 438 | // Dispatch to the correct code. | |
| 439 | cmp eax, 10 | |
| 440 | je dr10 | |
| 441 | jb bogus | |
| 442 | cmp eax, 14 | |
| 443 | je dr14 | |
| 444 | ja bogus | |
| 445 | cmp eax, 12 | |
| 446 | je dr12 | |
| 447 | jb dr11 | |
| 448 | jmp dr13 | |
| 449 | ||
| 450 | .align 2 | |
| 451 | ||
| 452 | // 14 rounds... | |
| 453 | dr14: movdqu xmm1, [edx] | |
| 454 | add edx, 16 | |
| 455 | aesdec xmm0, xmm1 | |
| 456 | ||
| 457 | // 13 rounds... | |
| 458 | dr13: movdqu xmm1, [edx] | |
| 459 | add edx, 16 | |
| 460 | aesdec xmm0, xmm1 | |
| 461 | ||
| 462 | // 12 rounds... | |
| 463 | dr12: movdqu xmm1, [edx] | |
| 464 | add edx, 16 | |
| 465 | aesdec xmm0, xmm1 | |
| 466 | ||
| 467 | // 11 rounds... | |
| 468 | dr11: movdqu xmm1, [edx] | |
| 469 | add edx, 16 | |
| 470 | aesdec xmm0, xmm1 | |
| 471 | ||
| 472 | // 10 rounds... | |
| 473 | dr10: movdqu xmm1, [edx] | |
| 474 | aesdec xmm0, xmm1 | |
| 475 | ||
| 476 | // 9 rounds... | |
| 477 | movdqu xmm1, [edx + 16] | |
| 478 | aesdec xmm0, xmm1 | |
| 479 | ||
| 480 | // 8 rounds... | |
| 481 | movdqu xmm1, [edx + 32] | |
| 482 | aesdec xmm0, xmm1 | |
| 483 | ||
| 484 | // 7 rounds... | |
| 485 | movdqu xmm1, [edx + 48] | |
| 486 | aesdec xmm0, xmm1 | |
| 487 | ||
| 488 | // 6 rounds... | |
| 489 | movdqu xmm1, [edx + 64] | |
| 490 | aesdec xmm0, xmm1 | |
| 491 | ||
| 492 | // 5 rounds... | |
| 493 | movdqu xmm1, [edx + 80] | |
| 494 | aesdec xmm0, xmm1 | |
| 495 | ||
| 496 | // 4 rounds... | |
| 497 | movdqu xmm1, [edx + 96] | |
| 498 | aesdec xmm0, xmm1 | |
| 499 | ||
| 500 | // 3 rounds... | |
| 501 | movdqu xmm1, [edx + 112] | |
| 502 | aesdec xmm0, xmm1 | |
| 503 | ||
| 504 | // 2 rounds... | |
| 505 | movdqu xmm1, [edx + 128] | |
| 506 | aesdec xmm0, xmm1 | |
| 507 | ||
| 508 | // Final round... | |
| 509 | movdqu xmm1, [edx + 144] | |
| 510 | aesdeclast xmm0, xmm1 | |
| 511 | ||
| 512 | // Unpermute the ciphertext block and store it. | |
| 513 | pshufb xmm0, xmm7 | |
| 514 | mov eax, [esp + 12] | |
| 515 | movdqu [eax], xmm0 | |
| 516 | ||
| 517 | // And we're done. | |
| 518 | ret | |
| 519 | ||
| 520 | ENDFUNC | |
| 521 | ||
| 522 | ///-------------------------------------------------------------------------- | |
| 523 | /// Random utilities. | |
| 524 | ||
| 525 | .align 16 | |
| 526 | // Abort the process because of a programming error. Indirecting | |
| 527 | // through this point serves several purposes: (a) by CALLing, rather | |
| 528 | // than branching to, `abort', we can save the return address, which | |
| 529 | // might at least provide a hint as to what went wrong; (b) we don't | |
| 530 | // have conditional CALLs (and they'd be big anyway); and (c) we can | |
| 531 | // write a HLT here as a backstop against `abort' being mad. | |
| 532 | bogus: callext F(abort) | |
| 533 | 0: hlt | |
| 534 | jmp 0b | |
| 535 | ||
| 536 | gotaux ecx | |
| 537 | ||
| 538 | ///-------------------------------------------------------------------------- | |
| 539 | /// Data tables. | |
| 540 | ||
| 541 | .align 16 | |
| 542 | endswap_tab: | |
| 543 | .byte 3, 2, 1, 0 | |
| 544 | .byte 7, 6, 5, 4 | |
| 545 | .byte 11, 10, 9, 8 | |
| 546 | .byte 15, 14, 13, 12 | |
| 547 | ||
| 548 | ///----- That's all, folks -------------------------------------------------- |