gcm128.c: API modification and readability improvements,

add ghash benchmark to apps/speed.c.
author: Andy Polyakov <appro@openssl.org> 2010-07-09 14:10:51 +0000
committer: Andy Polyakov <appro@openssl.org> 2010-07-09 14:10:51 +0000
commit: 6acb4ff3893c2f4f9aca81798b6abec379370df0 (patch)
tree: 604d651c57e595305dde99368665d17ba53d5b75 /crypto/modes/gcm128.c
parent: 874a3757aff5ede013a825eea4b82a3e8ba96d34 (diff)
download: openssl-6acb4ff3893c2f4f9aca81798b6abec379370df0.tar.gz
1 files changed, 36 insertions, 29 deletions
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 8b1880cf5d..6f1eb6d484 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -47,6 +47,7 @@
  * ====================================================================
  */
 
+#include "crypto.h"
 #include "modes_lcl.h"
 #include <string.h>
 
@@ -458,8 +459,8 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
     /*
      * Extra 256+16 bytes per-key plus 512 bytes shared tables
      * [should] give ~50% improvement... One could have PACK()-ed
-     * the rem_8bit even here, but priority is to minimize memory
-     * usage...
+     * the rem_8bit even here, but the priority is to minimize
+     * cache footprint...
      */ 
     u128 Hshr4[16];	/* Htable shifted right by 4 bits */
     u8   Hshl4[16];	/* Htable shifted left  by 4 bits */
@@ -496,7 +497,6 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
 	0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
 	0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
 	0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE };
-
     /*
      * This pre-processing phase slows down procedure by approximately
      * same time as it makes each loop spin faster. In other words
@@ -512,24 +512,7 @@ static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
     }
 
     do {
-	nlo  = ((const u8 *)Xi)[15];
-	nlo ^= inp[15];
-	nhi  = nlo>>4;
-	nlo &= 0xf;
-
-	Z.hi = Htable[nlo].hi;
-	Z.lo = Htable[nlo].lo;
-
-	rem = (size_t)Z.lo&0xff;
-
-	Z.lo = (Z.hi<<56)|(Z.lo>>8);
-	Z.hi = (Z.hi>>8);
-
-	Z.hi ^= Hshr4[nhi].hi;
-	Z.lo ^= Hshr4[nhi].lo;
-	Z.hi ^= (u64)rem_8bit[rem^Hshl4[nhi]]<<48;
-
-	for (cnt=14; cnt>0; --cnt) {
+	for (Z.lo=0, Z.hi=0, cnt=15; cnt; --cnt) {
 		nlo  = ((const u8 *)Xi)[cnt];
 		nlo ^= inp[cnt];
 		nhi  = nlo>>4;
@@ -733,7 +716,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 #if	TABLE_BITS==8
 	gcm_init_8bit(ctx->Htable,ctx->H.u);
 #elif	TABLE_BITS==4
-# if	defined(GHASH_ASM_IAX)
+# if	defined(GHASH_ASM_IAX)			/* both x86 and x86_64 */
 	if (OPENSSL_ia32cap_P[1]&(1<<1)) {
 		gcm_init_clmul(ctx->Htable,ctx->H.u);
 		ctx->gmult = gcm_gmult_clmul;
@@ -741,7 +724,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 		return;
 	}
 	gcm_init_4bit(ctx->Htable,ctx->H.u);
-#  if	defined(GHASH_ASM_X86)
+#  if	defined(GHASH_ASM_X86)			/* x86 only */
 	if (OPENSSL_ia32cap_P[0]&(1<<23)) {
 		ctx->gmult = gcm_gmult_4bit_mmx;
 		ctx->ghash = gcm_ghash_4bit_mmx;
@@ -1109,7 +1092,8 @@ void CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 	ctx->res = n;
 }
 
-void CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx)
+int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
+			size_t len)
 {
 	const union { long one; char little; } is_endian = {1};
 	u64 alen = ctx->len.u[0]<<3;
@@ -1139,6 +1123,29 @@ void CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx)
 
 	ctx->Xi.u[0] ^= ctx->EK0.u[0];
 	ctx->Xi.u[1] ^= ctx->EK0.u[1];
+
+	if (tag && len<=sizeof(ctx->Xi))
+		return memcmp(ctx->Xi.c,tag,len);
+	else
+		return -1;
+}
+
+GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
+{
+	GCM128_CONTEXT *ret;
+
+	if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT))))
+		CRYPTO_gcm128_init(ret,key,block);
+
+	return ret;
+}
+
+void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
+{
+	if (ctx) {
+		OPENSSL_cleanse(ctx,sizeof(*ctx));
+		OPENSSL_free(ctx);
+	}
 }
 
 #if defined(SELFTEST)
@@ -1365,15 +1372,15 @@ static const u8	IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
 	CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n));		\
 	if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n));	\
 	if (P##n) CRYPTO_gcm128_encrypt(&ctx,P##n,out,sizeof(out));	\
-	CRYPTO_gcm128_finish(&ctx);				\
-	if (memcmp(ctx.Xi.c,T##n,16) || (C##n && memcmp(out,C##n,sizeof(out))))	\
+	if (CRYPTO_gcm128_finish(&ctx,T##n,16) ||		\
+	    (C##n && memcmp(out,C##n,sizeof(out))))		\
 		ret++, printf ("encrypt test#%d failed.\n",n);\
 	CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n));		\
 	if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n));	\
 	if (C##n) CRYPTO_gcm128_decrypt(&ctx,C##n,out,sizeof(out));	\
-	CRYPTO_gcm128_finish(&ctx);				\
-	if (memcmp(ctx.Xi.c,T##n,16) || (P##n && memcmp(out,P##n,sizeof(out))))	\
-		ret++, printf ("decrypt test#%d failed.\n",n);\
+	if (CRYPTO_gcm128_finish(&ctx,T##n,16) ||		\
+	    (P##n && memcmp(out,P##n,sizeof(out))))		\
+		ret++, printf ("decrypt test#%d failed.\n",n);	\
 	} while(0)
 
 int main()
author	Andy Polyakov <appro@openssl.org>	2010-07-09 14:10:51 +0000
committer	Andy Polyakov <appro@openssl.org>	2010-07-09 14:10:51 +0000
commit	6acb4ff3893c2f4f9aca81798b6abec379370df0 (patch)
tree	604d651c57e595305dde99368665d17ba53d5b75 /crypto/modes/gcm128.c
parent	874a3757aff5ede013a825eea4b82a3e8ba96d34 (diff)
download	openssl-6acb4ff3893c2f4f9aca81798b6abec379370df0.tar.gz