gcm128.c: API modification and readability improvements,
authorAndy Polyakov <appro@openssl.org>
Fri, 9 Jul 2010 14:10:51 +0000 (14:10 +0000)
committerAndy Polyakov <appro@openssl.org>
Fri, 9 Jul 2010 14:10:51 +0000 (14:10 +0000)
add ghash benchmark to apps/speed.c.

apps/speed.c
crypto/modes/gcm128.c
crypto/modes/modes.h

index 85673ff..af86cee 100644 (file)
 #ifndef OPENSSL_NO_ECDH
 #include <openssl/ecdh.h>
 #endif
+#include <openssl/modes.h>
 
 #ifndef HAVE_FORK
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
@@ -214,7 +215,7 @@ static void print_result(int alg,int run_no,int count,double time_used);
 static int do_multi(int multi);
 #endif
 
-#define ALGOR_NUM      29
+#define ALGOR_NUM      30
 #define SIZE_NUM       5
 #define RSA_NUM                4
 #define DSA_NUM                3
@@ -229,7 +230,7 @@ static const char *names[ALGOR_NUM]={
   "aes-128 cbc","aes-192 cbc","aes-256 cbc",
   "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
   "evp","sha256","sha512","whirlpool",
-  "aes-128 ige","aes-192 ige","aes-256 ige"};
+  "aes-128 ige","aes-192 ige","aes-256 ige","ghash" };
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 #ifndef OPENSSL_NO_RSA
@@ -479,6 +480,7 @@ int MAIN(int argc, char **argv)
 #define D_IGE_128_AES   26
 #define D_IGE_192_AES   27
 #define D_IGE_256_AES   28
+#define D_GHASH         29
        double d=0.0;
        long c[ALGOR_NUM][SIZE_NUM];
 #define        R_DSA_512       0
@@ -904,6 +906,10 @@ int MAIN(int argc, char **argv)
                        doit[D_CBC_192_AES]=1;
                        doit[D_CBC_256_AES]=1;
                        }
+               else if (strcmp(*argv,"ghash") == 0)
+                       {
+                       doit[D_GHASH]=1;
+                       }
                else
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
@@ -1273,6 +1279,7 @@ int MAIN(int argc, char **argv)
        c[D_IGE_128_AES][0]=count;
        c[D_IGE_192_AES][0]=count;
        c[D_IGE_256_AES][0]=count;
+       c[D_GHASH][0]=count;
 
        for (i=1; i<SIZE_NUM; i++)
                {
@@ -1566,7 +1573,11 @@ int MAIN(int argc, char **argv)
                        print_message(names[D_SHA1],c[D_SHA1][j],lengths[j]);
                        Time_F(START);
                        for (count=0,run=1; COND(c[D_SHA1][j]); count++)
+#if 0
                                EVP_Digest(buf,(unsigned long)lengths[j],&(sha[0]),NULL,EVP_sha1(),NULL);
+#else
+                               SHA1(buf,lengths[j],sha);
+#endif
                        d=Time_F(STOP);
                        print_result(D_SHA1,j,count,d);
                        }
@@ -1763,7 +1774,22 @@ int MAIN(int argc, char **argv)
                        print_result(D_IGE_256_AES,j,count,d);
                        }
                }
+       if (doit[D_GHASH])
+               {
+               GCM128_CONTEXT *ctx = CRYPTO_gcm128_new(&aes_ks1,(block128_f)AES_encrypt);
+               CRYPTO_gcm128_setiv (ctx,"0123456789ab",12);
 
+               for (j=0; j<SIZE_NUM; j++)
+                       {
+                       print_message(names[D_GHASH],c[D_GHASH][j],lengths[j]);
+                       Time_F(START);
+                       for (count=0,run=1; COND(c[D_GHASH][j]); count++)
+                               CRYPTO_gcm128_aad(ctx,buf,lengths[j]);
+                       d=Time_F(STOP);
+                       print_result(D_GHASH,j,count,d);
+                       }
+               CRYPTO_gcm128_release(ctx);
+               }
 
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
index 8b1880c..6f1eb6d 100644 (file)
@@ -47,6 +47,7 @@
  * ====================================================================
  */
 
+#include "crypto.h"
 #include "modes_lcl.h"
 #include <string.h>
 
@@ -458,8 +459,8 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
     /*
      * Extra 256+16 bytes per-key plus 512 bytes shared tables
      * [should] give ~50% improvement... One could have PACK()-ed
-     * the rem_8bit even here, but priority is to minimize memory
-     * usage...
+     * the rem_8bit even here, but the priority is to minimize
+     * cache footprint...
      */ 
     u128 Hshr4[16];    /* Htable shifted right by 4 bits */
     u8   Hshl4[16];    /* Htable shifted left  by 4 bits */
@@ -496,7 +497,6 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
        0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
        0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
        0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE };
-
     /*
      * This pre-processing phase slows down procedure by approximately
      * same time as it makes each loop spin faster. In other words
@@ -512,24 +512,7 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
     }
 
     do {
-       nlo  = ((const u8 *)Xi)[15];
-       nlo ^= inp[15];
-       nhi  = nlo>>4;
-       nlo &= 0xf;
-
-       Z.hi = Htable[nlo].hi;
-       Z.lo = Htable[nlo].lo;
-
-       rem = (size_t)Z.lo&0xff;
-
-       Z.lo = (Z.hi<<56)|(Z.lo>>8);
-       Z.hi = (Z.hi>>8);
-
-       Z.hi ^= Hshr4[nhi].hi;
-       Z.lo ^= Hshr4[nhi].lo;
-       Z.hi ^= (u64)rem_8bit[rem^Hshl4[nhi]]<<48;
-
-       for (cnt=14; cnt>0; --cnt) {
+       for (Z.lo=0, Z.hi=0, cnt=15; cnt; --cnt) {
                nlo  = ((const u8 *)Xi)[cnt];
                nlo ^= inp[cnt];
                nhi  = nlo>>4;
@@ -733,7 +716,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 #if    TABLE_BITS==8
        gcm_init_8bit(ctx->Htable,ctx->H.u);
 #elif  TABLE_BITS==4
-# if   defined(GHASH_ASM_IAX)
+# if   defined(GHASH_ASM_IAX)                  /* both x86 and x86_64 */
        if (OPENSSL_ia32cap_P[1]&(1<<1)) {
                gcm_init_clmul(ctx->Htable,ctx->H.u);
                ctx->gmult = gcm_gmult_clmul;
@@ -741,7 +724,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
                return;
        }
        gcm_init_4bit(ctx->Htable,ctx->H.u);
-#  if  defined(GHASH_ASM_X86)
+#  if  defined(GHASH_ASM_X86)                  /* x86 only */
        if (OPENSSL_ia32cap_P[0]&(1<<23)) {
                ctx->gmult = gcm_gmult_4bit_mmx;
                ctx->ghash = gcm_ghash_4bit_mmx;
@@ -1109,7 +1092,8 @@ void CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
        ctx->res = n;
 }
 
-void CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx)
+int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
+                       size_t len)
 {
        const union { long one; char little; } is_endian = {1};
        u64 alen = ctx->len.u[0]<<3;
@@ -1139,6 +1123,29 @@ void CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx)
 
        ctx->Xi.u[0] ^= ctx->EK0.u[0];
        ctx->Xi.u[1] ^= ctx->EK0.u[1];
+
+       if (tag && len<=sizeof(ctx->Xi))
+               return memcmp(ctx->Xi.c,tag,len);
+       else
+               return -1;
+}
+
+GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
+{
+       GCM128_CONTEXT *ret;
+
+       if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT))))
+               CRYPTO_gcm128_init(ret,key,block);
+
+       return ret;
+}
+
+void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
+{
+       if (ctx) {
+               OPENSSL_cleanse(ctx,sizeof(*ctx));
+               OPENSSL_free(ctx);
+       }
 }
 
 #if defined(SELFTEST)
@@ -1365,15 +1372,15 @@ static const u8 IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
        CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n));          \
        if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n));    \
        if (P##n) CRYPTO_gcm128_encrypt(&ctx,P##n,out,sizeof(out));     \
-       CRYPTO_gcm128_finish(&ctx);                             \
-       if (memcmp(ctx.Xi.c,T##n,16) || (C##n && memcmp(out,C##n,sizeof(out)))) \
+       if (CRYPTO_gcm128_finish(&ctx,T##n,16) ||               \
+           (C##n && memcmp(out,C##n,sizeof(out))))             \
                ret++, printf ("encrypt test#%d failed.\n",n);\
        CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n));          \
        if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n));    \
        if (C##n) CRYPTO_gcm128_decrypt(&ctx,C##n,out,sizeof(out));     \
-       CRYPTO_gcm128_finish(&ctx);                             \
-       if (memcmp(ctx.Xi.c,T##n,16) || (P##n && memcmp(out,P##n,sizeof(out)))) \
-               ret++, printf ("decrypt test#%d failed.\n",n);\
+       if (CRYPTO_gcm128_finish(&ctx,T##n,16) ||               \
+           (P##n && memcmp(out,P##n,sizeof(out))))             \
+               ret++, printf ("decrypt test#%d failed.\n",n);  \
        } while(0)
 
 int main()
index 10ce576..1087646 100644 (file)
@@ -82,15 +82,17 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 
 typedef struct gcm128_context GCM128_CONTEXT;
 
-void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block);
+GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block);
 void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv,
-                        size_t len);
+                       size_t len);
 void CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad,
-                      size_t len);
+                       size_t len);
 void CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
-                          const unsigned char *in, unsigned char *out,
-                          size_t len);
+                       const unsigned char *in, unsigned char *out,
+                       size_t len);
 void CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
-                          const unsigned char *in, unsigned char *out,
-                          size_t len);
-void CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx);
+                       const unsigned char *in, unsigned char *out,
+                       size_t len);
+int  CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
+                       size_t len);
+void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx);