Implement AES in different modes of operation, using AES-NI and

nss/lib/freebl/intel-gcm-wrap.c

Index: nss/lib/freebl/intel-gcm-wrap.c
diff --git a/nss/lib/freebl/intel-gcm-wrap.c b/nss/lib/freebl/intel-gcm-wrap.c
new file mode 100644
index 0000000000000000000000000000000000000000..d49592f71b89a4b05de53cda90cad3d9d9dfde70
--- /dev/null
+++ b/nss/lib/freebl/intel-gcm-wrap.c
@@ -0,0 +1,232 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* Copyright(c) 2013, Intel Corp. */
+
+/* Wrapper functions for Intel optimized implementation of AES-GCM */
+
+#ifdef USE_HW_AES
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "blapii.h"
+#include "blapit.h"
+#include "gcm.h"
+#include "ctr.h"
+#include "secerr.h"
+#include "prtypes.h"
+#include "pkcs11t.h"
+
+#include <limits.h>
+
+#include "intel-gcm.h"
+#include "rijndael.h"
+
+#include <emmintrin.h>
+#include <tmmintrin.h>
+
+
+struct intel_AES_GCMContextStr{
+    unsigned char Htbl[16*AES_BLOCK_SIZE];
+    unsigned char X0[AES_BLOCK_SIZE];
+    unsigned char T[AES_BLOCK_SIZE];
+    unsigned char CTR[AES_BLOCK_SIZE];
+    AESContext *aes_context;
+    unsigned long tagBits;
+    unsigned long Alen;
+    unsigned long Mlen;
+};
+
+intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, 
+               freeblCipherFunc cipher,
+               const unsigned char *params, 
+               unsigned int blocksize)
+{
+    intel_AES_GCMContext *gcm = NULL;
+    AESContext *aes = (AESContext*)context;
+    const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
+    unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */
+    
+    int IV_whole_len = gcmParams->ulIvLen&(~0xf);

[Ryan Sleevi, 2014/04/23 19:53:34]

type conversion warning - ulIvLen is ulong, but this is an int. I can't help but
feel nervous about this.

[wtc, 2014/04/24 01:04:10]

I will fix this in the NSS upstream.

+    int IV_remainder_len = gcmParams->ulIvLen&0xf;
+    int AAD_whole_len = gcmParams->ulAADLen&(~0xf);
+    int AAD_remainder_len = gcmParams->ulAADLen&0xf;

[Ryan Sleevi, 2014/04/23 19:53:34]

spaces between operators for readability?

[wtc, 2014/04/24 01:04:10]

I will fix these in the NSS upstream.

+    
+    __m128i BSWAP_MASK = _mm_setr_epi8(15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0);
+    __m128i ONE = _mm_set_epi32(0,0,0,1);
+    unsigned int j;
+    SECStatus rv;
+
+    if (blocksize != AES_BLOCK_SIZE) {
+      PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+      return NULL;
+    }
+    gcm = PORT_ZNew(intel_AES_GCMContext);
+    
+    if (gcm == NULL) {
+        return NULL;
+    }
+    /* initialize context fields */
+    gcm->aes_context = aes;
+    gcm->tagBits = gcmParams->ulTagBits;
+    gcm->Alen = 0;
+    gcm->Mlen = 0;
+    /* first prepare H and its derivatives for ghash */
+    intel_aes_gcmINIT(gcm->Htbl, (unsigned char*)aes->expandedKey, aes->Nr);
+    /* Initial TAG value is zero*/
+    _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
+    _mm_storeu_si128((__m128i*)gcm->X0, _mm_setzero_si128());
+    /* Init the counter */

[Ryan Sleevi, 2014/04/23 19:53:34]

line breaks for readability between these logical steps? (line 71, 76, 78, 81,
87)

[wtc, 2014/04/24 01:04:10]

I will fix these in the NSS upstream.

+    if(gcmParams->ulIvLen == 12) {
+        _mm_storeu_si128((__m128i*)gcm->CTR, _mm_setr_epi32(((unsigned int*)gcmParams->pIv)[0], ((unsigned int*)gcmParams->pIv)[1], ((unsigned int*)gcmParams->pIv)[2], 0x01000000));

[Ryan Sleevi, 2014/04/23 19:53:34]

Undefined aliasing behaviour (the "unsigned int*" derefing into the byte array)

[wtc, 2014/04/24 01:04:10]

Acknowledged. Any suggestion on how to fix this? I guess I can use three
memcpy() calls to convert the bytes to ints.

+    } else {
+        /* If IV size is not 96 bits, then the initial counter value is GHASH of the IV */
+        intel_aes_gcmAAD(gcm->Htbl, gcmParams->pIv, IV_whole_len, gcm->T);
+        /* Partial block */
+        if(IV_remainder_len) {
+            PORT_Memset(buff, 0, AES_BLOCK_SIZE);
+            PORT_Memcpy(buff, gcmParams->pIv + IV_whole_len, IV_remainder_len);
+            intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
+         }
+         
+         intel_aes_gcmTAG
+         (

[Ryan Sleevi, 2014/04/23 19:53:34]

NSS style (eg: libpkix) has tended to keep the opening paren on the end of the
line (line 94)

This wrapping is inconsistent with the wrapping on line 83)

[wtc, 2014/04/24 01:04:10]

I will fix this in the NSS upstream.

+            gcm->Htbl,
+            gcm->T,
+            gcmParams->ulIvLen,
+            0,
+            gcm->X0,
+            gcm->CTR
+         );

[Ryan Sleevi, 2014/04/23 19:53:34]

indent off by one from lines 92 through 102

[wtc, 2014/04/24 01:04:10]

I will fix this in the NSS upstream.

+        /* TAG should be zero again */
+        _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
+    }
+    /* Encrypt the initial counter, will be used to encrypt the GHASH value, in the end */
+    rv = (*cipher)(context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Promote the counter by 1 */
+    _mm_storeu_si128((__m128i*)gcm->CTR, _mm_shuffle_epi8(_mm_add_epi32(ONE, _mm_shuffle_epi8(_mm_loadu_si128((__m128i*)gcm->CTR), BSWAP_MASK)), BSWAP_MASK));
+
+/*     Now hash AAD - it would actually make sense to seperate the context creation from the AAD, 
+ *     because that would allow to reuse the H, which only changes when the AES key changes, 
+ *     and not every package, like the IV and AAD */
+    intel_aes_gcmAAD(gcm->Htbl, gcmParams->pAAD, AAD_whole_len, gcm->T);
+    if(AAD_remainder_len) {
+        PORT_Memset(buff, 0, AES_BLOCK_SIZE);
+        PORT_Memcpy(buff, gcmParams->pAAD + AAD_whole_len, AAD_remainder_len);
+        intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
+    }
+    gcm->Alen += gcmParams->ulAADLen;
+    return gcm;
+    
+    loser:
+    if (gcm) {
+        PORT_Free(gcm);
+    }
+    return NULL;
+}
+
+void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
+{
+    if (freeit) {
+        PORT_Free(gcm);
+    }
+}
+
+SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm, 
+            unsigned char *outbuf,

[Ryan Sleevi, 2014/04/23 19:53:34]

indent style

[wtc, 2014/04/24 01:04:10]

Done.

+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    int j;
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
+    if (UINT_MAX - inlen < tagBytes) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    if (maxout < inlen + tagBytes) {
+        *outlen = inlen + tagBytes;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    intel_aes_gcmENC(
+        inbuf,
+        outbuf,
+        gcm,
+        inlen);
+
+    gcm->Mlen += inlen;
+      
+    intel_aes_gcmTAG(
+        gcm->Htbl,
+        gcm->T,
+        gcm->Mlen,
+        gcm->Alen,
+        gcm->X0,
+        T);

[Ryan Sleevi, 2014/04/23 19:53:34]

Inconsistent wrapping behaviour here and on line 161 when compared with lines 94
and 83/112

[wtc, 2014/04/24 01:04:10]

In the NSS upstream, I will change line 94 to match the style used here. I will
wrap line 83 in a better way, but leave line 112 alone. I don't know how to wrap
line 112 in a readable way :-)

+
+    *outlen = inlen + tagBytes;
+
+    for(j=0; j<tagBytes; j++)
+    {

[Ryan Sleevi, 2014/04/23 19:53:34]

inconsistent brace style compared with lines 155, 151

[wtc, 2014/04/24 01:04:10]

I will fix this in the NSS upstream.

+        outbuf[inlen+j] = T[j];
+    }
+    return SECSuccess;
+}
+
+SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, 
+            unsigned char *outbuf,

[Ryan Sleevi, 2014/04/23 19:53:34]

indent

[wtc, 2014/04/24 01:04:10]

Done.

+			unsigned int *outlen, unsigned int maxout,
+			const unsigned char *inbuf, unsigned int inlen,
+			unsigned int blocksize)
+{
+    unsigned int tagBytes;
+    unsigned char T[AES_BLOCK_SIZE];
+    const unsigned char *intag;
+
+    tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
+ 
+    /* get the authentication block */
+    if (inlen < tagBytes) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    inlen -= tagBytes;
+    intag = inbuf + inlen;
+
+    intel_aes_gcmDEC(
+         inbuf,
+         outbuf,
+         gcm,
+         inlen);
+
+    gcm->Mlen += inlen;
+    intel_aes_gcmTAG(
+         gcm->Htbl,
+         gcm->T,
+         gcm->Mlen,
+         gcm->Alen,
+         gcm->X0,
+         T);
+
+    if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) {
+        /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;

[Ryan Sleevi, 2014/04/23 19:53:34]

You should set *outlen to zero here - you still leave the decrypted data in
outbuf, so a misbehaving application (that doesn't check the return value) could
end up using the decrypted data even though the tag check failed, and things
would Just Work

[wtc, 2014/04/24 01:04:10]

Done.

+    }
+    *outlen = inlen;
+
+    return SECSuccess;
+}
+
+#endif