From b4c9ab9a814edfb0d735a8c2e1f0c173847c0810 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Sun, 17 Nov 2013 11:43:06 +0100
Subject: Revert bytewise ghash implementation

The performance gain is negligible, and OpenSSL avoids a bytewise implementation to mitigate timing attacks.
This reverts commits d4916544299c28c4fb16da6d3306eea0a6d5d79f and 1b06460aa967e3afcfa6fc8d664874134ab6c739.
---
src/crypto/mac/ghash/CMakeLists.txt | 1 -
src/crypto/mac/ghash/builtin/ghash_builtin.c | 46 ++++-----
src/crypto/mac/ghash/tiny/CMakeLists.txt | 3 -
src/crypto/mac/ghash/tiny/ghash_tiny.c | 147 ---------------------------
4 files changed, 20 insertions(+), 177 deletions(-)
delete mode 100644 src/crypto/mac/ghash/tiny/CMakeLists.txt
delete mode 100644 src/crypto/mac/ghash/tiny/ghash_tiny.c
(limited to 'src')
diff --git a/src/crypto/mac/ghash/CMakeLists.txt b/src/crypto/mac/ghash/CMakeLists.txt
index 481e77f..7d44b8a 100644
--- a/src/crypto/mac/ghash/CMakeLists.txt
+++ b/src/crypto/mac/ghash/CMakeLists.txt
@@ -1,3 +1,2 @@
 fastd_mac(ghash)
 add_subdirectory(builtin)
-add_subdirectory(tiny)
diff --git a/src/crypto/mac/ghash/builtin/ghash_builtin.c b/src/crypto/mac/ghash/builtin/ghash_builtin.c
index 947dc34..34e118a 100644
--- a/src/crypto/mac/ghash/builtin/ghash_builtin.c
+++ b/src/crypto/mac/ghash/builtin/ghash_builtin.c
@@ -28,7 +28,7 @@ struct fastd_mac_state {
- fastd_block128_t H[16][256];
+ fastd_block128_t H[32][16];
 };
@@ -40,30 +40,22 @@ static inline uint8_t shr(fastd_block128_t *out, const fastd_block128_t *in, int
 uint8_t c = 0;
 for (i = 0; i < sizeof(fastd_block128_t); i++) {
+ uint8_t c2 = in->b[i] << (8-n);
 out->b[i] = (in->b[i] >> n) | c;
- c = in->b[i] << (8-n);
+ c = c2;
 }
 return (c >> (8-n));
 }
-static inline uint8_t shr8(fastd_block128_t *out, const fastd_block128_t *in) {
- size_t i;
-
- out->b[0] = 0;
-
- for (i = 1; i < sizeof(fastd_block128_t); i++)
- out->b[i] = in->b[i-1];
-
- return in->b[sizeof(fastd_block128_t)-1];
-}
-
 static inline void mulH_a(fastd_block128_t *x, const fastd_mac_state_t *cstate) {
 fastd_block128_t out = {};
 int i;
- for (i = 0; i < 16; i++)
- xor_a(&out, &cstate->H[i][x->b[i]]);
+ for (i = 0; i < 16; i++) {
+ xor_a(&out, &cstate->H[2*i][x->b[i]>>4]);
+ xor_a(&out, &cstate->H[2*i+1][x->b[i]&0xf]);
+ }
 *x = out;
 }
@@ -78,16 +70,16 @@ static size_t ghash_key_length(fastd_context_t *ctx UNUSED, const fastd_mac_cont
 }
 static fastd_mac_state_t* ghash_init_state(fastd_context_t *ctx UNUSED, const fastd_mac_context_t *mctx UNUSED, const uint8_t *key) {
- fastd_mac_state_t *state = calloc(1, sizeof(fastd_mac_state_t));
+ fastd_mac_state_t *state = malloc(sizeof(fastd_mac_state_t));
- fastd_block128_t Hbase[8];
- fastd_block128_t Rbase[8];
+ fastd_block128_t Hbase[4];
+ fastd_block128_t Rbase[4];
 memcpy(&Hbase[0], key, sizeof(fastd_block128_t));
 Rbase[0] = r;
 int i;
- for (i = 1; i < 8; i++) {
+ for (i = 1; i < 4; i++) {
 uint8_t carry = shr(&Hbase[i], &Hbase[i-1], 1);
 if (carry)
 xor_a(&Hbase[i], &r);
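Review bot: `mulH_a` still indexes `cstate->H` with values derived from the running tag (`x->b[i]>>4` and `x->b[i]&0xf`), so the revert narrows but does not close the cache-timing channel the commit message gives as its motivation: each row of `H` is 16 blocks (presumably 256 bytes) and spans several cache lines, so which line is touched still depends on secret data. I would say so above the loop so nobody reads the revert as making GHASH constant-time, e.g. `/* Not constant-time: the table index depends on the running tag; 4-bit tables only shrink the cache-timing leak, they do not remove it. */`. The reordering in `shr` (reading `c2` before writing `out->b[i]`) does make the shift correct when `out` aliases `in`, which none of the callers in this hunk rely on but is worth keeping.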
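Review bot: `ghash_init_state` goes back to a bare `malloc(sizeof(fastd_mac_state_t))` with no result check, and the first use of `state` is the `memset(state->H, 0, sizeof(state->H))` in the following hunk, which dereferences NULL when the allocation fails; the replaced `calloc` had the same gap, so this is not a regression, but the revert is the moment to close it. Adding `if (!state) return NULL;` directly after the allocation is the minimal fix, assuming callers of `.init_state` handle a NULL return, which I cannot confirm from here; a fatal-on-OOM wrapper would be the alternative if the project has one. The rest of the function lies outside this hunk.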
@@ -95,23 +87,25 @@ static fastd_mac_state_t* ghash_init_state(fastd_context_t *ctx UNUSED, const fa
 shr(&Rbase[i], &Rbase[i-1], 1);
 }
- fastd_block128_t R[256] = {};
+ fastd_block128_t R[16];
+ memset(state->H, 0, sizeof(state->H));
+ memset(R, 0, sizeof(R));
- for (i = 0; i < 256; i++) {
+ for (i = 0; i < 16; i++) {
 int j;
- for (j = 0; j < 8; j++) {
- if (i & (0x80 >> j)) {
+ for (j = 0; j < 4; j++) {
+ if (i & (8 >> j)) {
 xor_a(&state->H[0][i], &Hbase[j]);
 xor_a(&R[i], &Rbase[j]);
 }
 }
 }
- for (i = 1; i < 16; i++) {
+ for (i = 1; i < 32; i++) {
 int j;
- for (j = 0; j < 256; j++) {
- uint8_t carry = shr8(&state->H[i][j], &state->H[i-1][j]);
+ for (j = 0; j < 16; j++) {
+ uint8_t carry = shr(&state->H[i][j], &state->H[i-1][j], 4);
 xor_a(&state->H[i][j], &R[carry]);
 }
 }
diff --git a/src/crypto/mac/ghash/tiny/CMakeLists.txt b/src/crypto/mac/ghash/tiny/CMakeLists.txt
deleted file mode 100644
index d16d098..0000000
--- a/src/crypto/mac/ghash/tiny/CMakeLists.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-fastd_mac_impl(ghash tiny
- ghash_tiny.c
-)
diff --git a/src/crypto/mac/ghash/tiny/ghash_tiny.c b/src/crypto/mac/ghash/tiny/ghash_tiny.c
deleted file mode 100644
index f4a06b0..0000000
--- a/src/crypto/mac/ghash/tiny/ghash_tiny.c
+++ /dev/null
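Review bot: `Hbase` holds the hash key `H` and its three shifted copies, i.e. the secret that everything in `state->H` is expanded from, and nothing in this hunk (or, from what is visible, after it) clears it before the function returns, so key material stays on the stack. A plain `memset(Hbase, 0, sizeof(Hbase))` before the return is a dead store the compiler may elide, so this wants whatever secure-zeroing helper fastd uses, if it has one, or `explicit_bzero` / a volatile-pointer loop otherwise. On style, `fastd_block128_t R[16];` followed by `memset(R, 0, sizeof(R));` can simply be `fastd_block128_t R[16] = {0};`, matching how `mulH_a` initializes `out`. The `return state;` that ends the function is outside this hunk.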
@@ -1,147 +0,0 @@
-/*
- Copyright (c) 2012-2013, Matthias Schiffer
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
- #include "../../../../fastd.h"
-
- struct fastd_mac_state {
- fastd_block128_t H[32][16];
-};
-
- static const fastd_block128_t r = { .b = {0xe1} };
-
- static inline uint8_t shr(fastd_block128_t *out, const fastd_block128_t *in, int n) {
- size_t i;
- uint8_t c = 0;
-
- for (i = 0; i < sizeof(fastd_block128_t); i++) {
- uint8_t c2 = in->b[i] << (8-n);
- out->b[i] = (in->b[i] >> n) | c;
- c = c2;
- }
-
- return (c >> (8-n));
-}
-
-static inline void mulH_a(fastd_block128_t *x, const fastd_mac_state_t *cstate) {
- fastd_block128_t out = {};
-
- int i;
- for (i = 0; i < 16; i++) {
- xor_a(&out, &cstate->H[2*i][x->b[i]>>4]);
- xor_a(&out, &cstate->H[2*i+1][x->b[i]&0xf]);
- }
-
- *x = out;
-}
-
-
-static fastd_mac_context_t* ghash_initialize(fastd_context_t *ctx UNUSED) {
- return NULL;
-}
-
-static size_t ghash_key_length(fastd_context_t *ctx UNUSED, const fastd_mac_context_t *cctx UNUSED) {
- return sizeof(fastd_block128_t);
-}
-
-static fastd_mac_state_t* ghash_init_state(fastd_context_t *ctx UNUSED, const fastd_mac_context_t *mctx UNUSED, const uint8_t *key) {
- fastd_mac_state_t *state = malloc(sizeof(fastd_mac_state_t));
-
- fastd_block128_t Hbase[4];
- fastd_block128_t Rbase[4];
-
- memcpy(&Hbase[0], key, sizeof(fastd_block128_t));
- Rbase[0] = r;
-
- int i;
- for (i = 1; i < 4; i++) {
- uint8_t carry = shr(&Hbase[i], &Hbase[i-1], 1);
- if (carry)
- xor_a(&Hbase[i], &r);
-
- shr(&Rbase[i], &Rbase[i-1], 1);
- }
-
- fastd_block128_t R[16];
- memset(state->H, 0, sizeof(state->H));
- memset(R, 0, sizeof(R));
-
- for (i = 0; i < 16; i++) {
- int j;
- for (j = 0; j < 4; j++) {
- if (i & (8 >> j)) {
- xor_a(&state->H[0][i], &Hbase[j]);
- xor_a(&R[i], &Rbase[j]);
- }
- }
- }
-
- for (i = 1; i < 32; i++) {
- int j;
-
- for (j = 0; j < 16; j++) {
- uint8_t carry = shr(&state->H[i][j], &state->H[i-1][j], 4);
- xor_a(&state->H[i][j], &R[carry]);
- }
- }
-
- return state;
-}
-
-static bool ghash_hash(fastd_context_t *ctx UNUSED, const fastd_mac_state_t *state,
fastd_block128_t *out, const fastd_block128_t *in, size_t n_blocks) {
- memset(out, 0, sizeof(fastd_block128_t));
-
- size_t i;
- for (i = 0; i < n_blocks; i++) {
- xor_a(out, &in[i]);
- mulH_a(out, state);
- }
-
- return true;
-}
-
-static void ghash_free_state(fastd_context_t *ctx UNUSED, fastd_mac_state_t *state) {
- free(state);
-}
-
-static void ghash_free(fastd_context_t *ctx UNUSED, fastd_mac_context_t *mctx UNUSED) {
-}
-
-const fastd_mac_t fastd_mac_ghash_tiny = {
- .name = "tiny",
-
- .initialize = ghash_initialize,
-
- .key_length = ghash_key_length,
- .init_state = ghash_init_state,
-
- .hash = ghash_hash,
-
- .free_state = ghash_free_state,
- .free = ghash_free,
-};
-- cgit v1.2.3