From 85b2c0ce7fdf597d60d8c366e8f7de24f674fc5a Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Tue, 16 Dec 2008 08:39:21 +0000 Subject: [PATCH] 128-bit block cipher modes consolidation. As consolidated functions rely on indirect call to block functions, they are not as fast as non-consolidated routines. However, performance loss(*) is within measurement error and consolidation advantages are considered to outweigh it. (*) actually one can observe performance *improvement* on e.g. CBC benchmarks thanks to optimization, which also becomes shared among ciphers. --- crypto/modes/Makefile | 81 ++++++++++++++ crypto/modes/cbc128.c | 208 ++++++++++++++++++++++++++++++++++ crypto/modes/cfb128.c | 251 ++++++++++++++++++++++++++++++++++++++++++ crypto/modes/ctr128.c | 188 +++++++++++++++++++++++++++++++ crypto/modes/modes.h | 34 ++++++ crypto/modes/ofb128.c | 130 ++++++++++++++++++++++ 6 files changed, 892 insertions(+) create mode 100644 crypto/modes/Makefile create mode 100644 crypto/modes/cbc128.c create mode 100644 crypto/modes/cfb128.c create mode 100644 crypto/modes/ctr128.c create mode 100644 crypto/modes/modes.h create mode 100644 crypto/modes/ofb128.c diff --git a/crypto/modes/Makefile b/crypto/modes/Makefile new file mode 100644 index 0000000000..94a28b612d --- /dev/null +++ b/crypto/modes/Makefile @@ -0,0 +1,81 @@ +# +# OpenSSL/crypto/modes/Makefile +# + +DIR= modes +TOP= ../.. +CC= cc +INCLUDES= -I.. -I$(TOP) -I../../include +CFLAG=-g +MAKEFILE= Makefile +AR= ar r + +CFLAGS= $(INCLUDES) $(CFLAG) + +GENERAL=Makefile +TEST= +APPS= + +LIB=$(TOP)/libcrypto.a +LIBSRC= cbc128.c ctr128.c cfb128.c ofb128.c +LIBOBJ= cbc128.o ctr128.o cfb128.o ofb128.o + +SRC= $(LIBSRC) + +#EXHEADER= store.h str_compat.h +EXHEADER= modes.h +HEADER= $(EXHEADER) + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +links: + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) + @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) + +install: + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... + @headerlist="$(EXHEADER)"; for i in $$headerlist; \ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + +tags: + ctags $(SRC) + +tests: + +lint: + lint -DLINT $(INCLUDES) $(SRC)>fluff + +depend: + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +dclean: + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new + mv -f Makefile.new $(MAKEFILE) + +clean: + rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + +# DO NOT DELETE THIS LINE -- make depend depends on it. + +cbc128.o: cbc128.c modes.h +cfb128.o: cfb128.c modes.h +ctr128.o: ctr128.c modes.h +ofb128.o: modes.h ofb128.c diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c new file mode 100644 index 0000000000..af844b6ac4 --- /dev/null +++ b/crypto/modes/cbc128.c @@ -0,0 +1,208 @@ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ + +#include +#include + +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include + +#include "modes.h" + +#define STRICT_ALIGNMENT 1 +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ + defined(__s390__) || defined(__s390x__) +# undef STRICT_ALIGNMENT +# define STRICT_ALIGNMENT 0 +#endif + +void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], block_f block) +{ + size_t n; + const unsigned char *iv = ivec; + + assert(in && out && key && ivec); + +#if !defined(OPENSSL_SMALL_FOOTPRINT) + if (STRICT_ALIGNMENT && + ((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) { + while (len>=16) { + for(n=0; n<16; ++n) + out[n] = in[n] ^ iv[n]; + (*block)(out, out, key); + iv = out; + len -= 16; + in += 16; + out += 16; + } + } else { + while (len>=16) { + for(n=0; n<16; n+=sizeof(size_t)) + *(size_t*)(out+n) = + *(size_t*)(in+n) ^ *(size_t*)(iv+n); + (*block)(out, out, key); + iv = out; + len -= 16; + in += 16; + out += 16; + } + } +#endif + while (len) { + for(n=0; n<16 && n=16) { + (*block)(in, out, key); + for(n=0; n<16; ++n) + out[n] ^= iv[n]; + iv = in; + len -= 16; + in += 16; + out += 16; + } + } + else { + while (len>=16) { + (*block)(in, out, key); + for(n=0; n<16; n+=sizeof(size_t)) + *(size_t *)(out+n) ^= *(size_t *)(iv+n); + iv = in; + len -= 16; + in += 16; + out += 16; + } + } + memcpy(ivec,iv,16); + } else { + if (STRICT_ALIGNMENT && + ((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) { + unsigned char c; + while (len>=16) { + (*block)(in, tmp.c, key); + for(n=0; n<16; ++n) { + c = in[n]; + out[n] = tmp.c[n] ^ ivec[n]; + ivec[n] = c; + } + len -= 16; + in += 16; + out += 16; + } + } + else { + size_t c; + while (len>=16) { + (*block)(in, tmp.c, key); + for(n=0; n<16; n+=sizeof(size_t)) { + c = *(size_t *)(in+n); + *(size_t *)(out+n) = + *(size_t *)(tmp.c+n) ^ *(size_t *)(ivec+n); + *(size_t *)(ivec+n) = c; + } + len -= 16; + in += 16; + out += 16; + } + } + } +#endif + while (len) { + unsigned char c; + (*block)(in, tmp.c, key); + for(n=0; n<16 && n +#include + +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include + +#include "modes.h" + +#define STRICT_ALIGNMENT +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ + defined(__s390__) || defined(__s390x__) +# undef STRICT_ALIGNMENT +#endif + +/* The input and output encrypted as though 128bit cfb mode is being + * used. The extra state information to record how much of the + * 128bit block we have used is contained in *num; + */ +void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], int *num, + int enc, block_f block) +{ + unsigned int n; + size_t l = 0; + + assert(in && out && key && ivec && num); + + n = *num; + + if (enc) { +#if !defined(OPENSSL_SMALL_FOOTPRINT) + if (16%sizeof(size_t) == 0) do { /* always true actually */ + while (n && len) { + *(out++) = ivec[n] ^= *(in++); + --len; + n = (n+1) % 16; + } +#if defined(STRICT_ALIGNMENT) + if (((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) + break; +#endif + while (len>=16) { + (*block)(ivec, ivec, key); + for (n=0; n<16; n+=sizeof(size_t)) { + *(size_t*)(out+n) = + *(size_t*)(ivec+n) ^= *(size_t*)(in+n); + } + len -= 16; + out += 16; + in += 16; + } + n = 0; + if (len) { + (*block)(ivec, ivec, key); + while (len--) { + out[n] = ivec[n] ^= in[n]; + ++n; + } + } + *num = n; + return; + } while (0); + /* the rest would be commonly eliminated by x86* compiler */ +#endif + while (l=16) { + (*block)(ivec, ivec, key); + for (n=0; n<16; n+=sizeof(size_t)) { + size_t t = *(size_t*)(in+n); + *(size_t*)(out+n) = *(size_t*)(ivec+n) ^ t; + *(size_t*)(ivec+n) = t; + } + len -= 16; + out += 16; + in += 16; + } + n = 0; + if (len) { + (*block)(ivec, ivec, key); + while (len--) { + unsigned char c; + out[n] = ivec[n] ^ (c = in[n]); ivec[n] = c; + ++n; + } + } + *num = n; + return; + } while (0); + /* the rest would be commonly eliminated by x86* compiler */ +#endif + while (l128) return; + + /* fill in the first half of the new IV with the current IV */ + memcpy(ovec,ivec,16); + /* construct the new IV */ + (*block)(ivec,ivec,key); + num = (nbits+7)/8; + if (enc) /* encrypt the input */ + for(n=0 ; n < num ; ++n) + out[n] = (ovec[16+n] = in[n] ^ ivec[n]); + else /* decrypt the input */ + for(n=0 ; n < num ; ++n) + out[n] = (ovec[16+n] = in[n]) ^ ivec[n]; + /* shift ovec left... */ + rem = nbits%8; + num = nbits/8; + if(rem==0) + memcpy(ivec,ovec+num,16); + else + for(n=0 ; n < 16 ; ++n) + ivec[n] = ovec[n+num]<>(8-rem); + + /* it is not necessary to cleanse ovec, since the IV is not secret */ +} + +/* N.B. This expects the input to be packed, MS bit first */ +void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, + size_t bits, const void *key, + unsigned char ivec[16], int *num, + int enc, block_f block) +{ + size_t n; + unsigned char c[1],d[1]; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + memset(out,0,(bits+7)/8); + for(n=0 ; n> (n%8)); + } +} + +void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const void *key, + unsigned char ivec[16], int *num, + int enc, block_f block) +{ + size_t n; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + for(n=0 ; n +#include + +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include + +#include "modes.h" + +typedef unsigned int u32; +typedef unsigned char u8; + +# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3])) +# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); } + +#define STRICT_ALIGNMENT +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ + defined(__s390__) || defined(__s390x__) +# undef STRICT_ALIGNMENT +#endif + +/* NOTE: the IV/counter CTR mode is big-endian. The code itself + * is endian-neutral. */ + +/* increment counter (128-bit int) by 1 */ +static void ctr128_inc(unsigned char *counter) { + u32 c,n=16; + + do { + n -= 4; + c = GETU32(counter+n); + ++c; c &= 0xFFFFFFFF; + PUTU32(counter + n, c); + if (c) return; + } while (n); +} + +#if !defined(OPENSSL_SMALL_FOORPRINT) +static void ctr128_inc_aligned(unsigned char *counter) { + size_t *data,c,n; + const union { long one; char little; } is_endian = {1}; + + if (is_endian.little) { + ctr128_inc(counter); + return; + } + + data = (size_t *)counter; + n = 16/sizeof(size_t); + do { + --n; + c = data[n]; + ++c; + data[n] = c; + if (c) return; + } while (n); +} +#endif + +/* The input encrypted as though 128bit counter mode is being + * used. The extra state information to record how much of the + * 128bit block we have used is contained in *num, and the + * encrypted counter is kept in ecount_buf. Both *num and + * ecount_buf must be initialised with zeros before the first + * call to CRYPTO_ctr128_encrypt(). + * + * This algorithm assumes that the counter is in the x lower bits + * of the IV (ivec), and that the application has full control over + * overflow and the rest of the IV. This implementation takes NO + * responsability for checking that the counter doesn't overflow + * into the rest of the IV when incremented. + */ +void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], unsigned char ecount_buf[16], + unsigned int *num, block_f block) +{ + unsigned int n; + size_t l=0; + + assert(in && out && key && ecount_buf && num); + assert(*num < 16); + + n = *num; + +#if !defined(OPENSSL_SMALL_FOOTPRINT) + if (16%sizeof(size_t) == 0) do { /* always true actually */ + while (n && len) { + *(out++) = *(in++) ^ ecount_buf[n]; + --len; + n = (n+1) % 16; + } + +#if defined(STRICT_ALIGNMENT) + if (((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) + break; +#endif + while (len>=16) { + (*block)(ivec, ecount_buf, key); + ctr128_inc_aligned(ivec); + for (n=0; n<16; n+=sizeof(size_t)) + *(size_t *)(out+n) = + *(size_t *)(in+n) ^ *(size_t *)(ecount_buf+n); + len -= 16; + out += 16; + in += 16; + } + n = 0; + if (len) { + (*block)(ivec, ecount_buf, key); + ctr128_inc_aligned(ivec); + while (len--) { + out[n] = in[n] ^ ecount_buf[n]; + ++n; + } + } + *num = n; + return; + } while(0); + /* the rest would be commonly eliminated by x86* compiler */ +#endif + while (l +#include + +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include + +#include "modes.h" + +#define STRICT_ALIGNMENT +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ + defined(__s390__) || defined(__s390x__) +# undef STRICT_ALIGNMENT +#endif + +/* The input and output encrypted as though 128bit ofb mode is being + * used. The extra state information to record how much of the + * 128bit block we have used is contained in *num; + */ +void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], int *num, + block_f block) +{ + unsigned int n; + size_t l=0; + + assert(in && out && key && ivec && num); + + n = *num; + +#if !defined(OPENSSL_SMALL_FOOTPRINT) + if (16%sizeof(size_t) == 0) do { /* always true actually */ + while (n && len) { + *(out++) = *(in++) ^ ivec[n]; + --len; + n = (n+1) % 16; + } +#if defined(STRICT_ALIGNMENT) + if (((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) + break; +#endif + while (len>=16) { + (*block)(ivec, ivec, key); + for (n=0; n<16; n+=sizeof(size_t)) + *(size_t*)(out+n) = + *(size_t*)(in+n) ^ *(size_t*)(ivec+n); + len -= 16; + out += 16; + in += 16; + } + n = 0; + if (len) { + (*block)(ivec, ivec, key); + while (len--) { + out[n] = in[n] ^ ivec[n]; + ++n; + } + } + *num = n; + return; + } while(0); + /* the rest would be commonly eliminated by x86* compiler */ +#endif + while (l