1 /**********************************************************************
2 Copyright(c) 2011-2016 Intel Corporation All rights reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions
6 are met:
7 * Redistributions of source code must retain the above copyright
8 notice, this list of conditions and the following disclaimer.
9 * Redistributions in binary form must reproduce the above copyright
10 notice, this list of conditions and the following disclaimer in
11 the documentation and/or other materials provided with the
12 distribution.
13 * Neither the name of Intel Corporation nor the names of its
14 contributors may be used to endorse or promote products derived
15 from this software without specific prior written permission.
16
17 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
20 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
21 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
23 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 **********************************************************************/
29
30 /**
31 * @file aes_gcm.h
32 * @brief AES GCM encryption/decryption function prototypes.
33 *
34 * At build time there is an option to use non-temporal loads and stores
35 * selected by defining the compile time option NT_LDST. The use of this option
36 * places the following restriction on the gcm encryption functions:
37 *
38 * - The plaintext and ciphertext buffers must be aligned on a 16 byte boundary.
39 *
40 * - When using the streaming API, all partial input buffers must be a multiple
41 * of 16 bytes long except for the last input buffer.
42 *
43 * - In-place encryption/decryption is not recommended.
44 *
45 */
46
47 /*
48 ; References:
49 ; This code was derived and highly optimized from the code described in paper:
50 ; Vinodh Gopal et. al. Optimized Galois-Counter-Mode Implementation on Intel Architecture Processors. August, 2010
51 ;
52 ; For the shift-based reductions used in this code, we used the method described in paper:
53 ; Shay Gueron, Michael E. Kounavis. Intel Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode. January, 2010.
54 ;
55 ;
56 ;
57 ; Assumptions: Support for SSE4.1 or greater, AVX or AVX2
58 ;
59 ;
60 ; iv:
61 ; 0 1 2 3
62 ; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
63 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
64 ; | Salt (From the SA) |
65 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ; | Initialization Vector |
67 ; | (This is the sequence number from IPSec header) |
68 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ; | 0x1 |
70 ; +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ;
72 ; TLen:
73 ; from the definition of the spec, TLen can only be 8, 12 or 16 bytes.
74 ;
75 */
76 #ifndef _AES_GCM_h
77 #define _AES_GCM_h
78
79 #include <stdint.h>
80
81 #ifdef __cplusplus
82 extern "C" {
83 #endif
84
/* Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8.
 * 16 is the full-strength GCM tag; the shorter values trade forgery
 * resistance for space and should be a deliberate choice. */
#define MAX_TAG_LEN (16)
//
// IV data is limited to 16 bytes. The last DWORD (4 bytes) must be 0x1
// (the bytes 00 00 00 01, see GCM_IV_END_MARK), so only the first
// GCM_IV_DATA_LEN bytes of the 16-byte j0 block are caller-supplied
// salt/nonce material. That 12-byte value must never repeat under one key.
//
#define GCM_IV_LEN (16)
#define GCM_IV_DATA_LEN (12)
// NOTE(review): this expansion ends in a ';', so it can only be used as the
// tail of a complete initializer (`uint8_t mark[4] = GCM_IV_END_MARK`).
// Writing a second ';' after it, or using it inside a larger expression,
// leaves a stray empty declaration. Kept as-is for compatibility with
// existing callers.
#define GCM_IV_END_MARK {0x00, 0x00, 0x00, 0x01};
// Byte offset of the 0x00000001 terminator inside the 16-byte IV block.
#define GCM_IV_END_START (12)

// Largest AAD length exercised by the test suite; presumably not an API
// limit of the functions below — confirm before relying on it either way.
#define LONGEST_TESTED_AAD_LENGTH (2* 1024)

// Key lengths of 128 and 256 supported (raw key bytes passed to *_pre()).
#define GCM_128_KEY_LEN (16)
#define GCM_256_KEY_LEN (32)

#define GCM_BLOCK_LEN 16
#define GCM_ENC_KEY_LEN 16
#define GCM_KEY_SETS (15) /*exp key + 14 exp round keys*/
/** @brief holds intermediate key data needed to improve performance
 *
 * gcm_data holds internal key information used by gcm128 and gcm256.
 *
 * The first group of fields is filled by aesni_gcm128_pre()/aesni_gcm256_pre()
 * from the raw key: the expanded AES round keys and the powers H^1..H^8 of the
 * GHASH key, pre-shifted (<<1 mod poly) and, in the *_k copies, pre-folded for
 * Karatsuba multiplication. The second group is per-message state written by
 * the init/update/finalize functions.
 *
 * NOTE(review): everything up to and including the *_k fields is
 * key-equivalent material. Once the key is retired, clear the structure with a
 * wipe the compiler cannot elide (explicit_bzero/memset_s rather than plain
 * memset before free). Because the per-message fields live inline, one
 * instance describes one in-flight message; do not interleave two messages
 * through the same instance.
 */
struct gcm_data {
	uint8_t expanded_keys[GCM_ENC_KEY_LEN * GCM_KEY_SETS];
	uint8_t shifted_hkey_1[GCM_ENC_KEY_LEN];	// store HashKey <<1 mod poly here
	uint8_t shifted_hkey_2[GCM_ENC_KEY_LEN];	// store HashKey^2 <<1 mod poly here
	uint8_t shifted_hkey_3[GCM_ENC_KEY_LEN];	// store HashKey^3 <<1 mod poly here
	uint8_t shifted_hkey_4[GCM_ENC_KEY_LEN];	// store HashKey^4 <<1 mod poly here
	uint8_t shifted_hkey_5[GCM_ENC_KEY_LEN];	// store HashKey^5 <<1 mod poly here
	uint8_t shifted_hkey_6[GCM_ENC_KEY_LEN];	// store HashKey^6 <<1 mod poly here
	uint8_t shifted_hkey_7[GCM_ENC_KEY_LEN];	// store HashKey^7 <<1 mod poly here
	uint8_t shifted_hkey_8[GCM_ENC_KEY_LEN];	// store HashKey^8 <<1 mod poly here
	// Karatsuba helpers: XOR of the high and low 64 bits of the matching
	// shifted_hkey_N above, so the multiply needs one fewer CLMUL per block.
	uint8_t shifted_hkey_1_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_2_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^2 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_3_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^3 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_4_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^4 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_5_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^5 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_6_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^6 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_7_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^7 <<1 mod poly here (for Karatsuba purposes)
	uint8_t shifted_hkey_8_k[GCM_ENC_KEY_LEN];	// store XOR of High 64 bits and Low 64 bits of HashKey^8 <<1 mod poly here (for Karatsuba purposes)
	// init, update and finalize context data (per message, not per key)
	uint8_t aad_hash[GCM_BLOCK_LEN];	// running GHASH value
	uint64_t aad_length;	// total AAD bytes seen, needed for the length block
	uint64_t in_length;	// total plaintext/ciphertext bytes seen so far
	uint8_t partial_block_enc_key[GCM_BLOCK_LEN];	// keystream left over from a non-16-byte-multiple update
	uint8_t orig_IV[GCM_BLOCK_LEN];	// j0, kept for the final tag encryption
	uint8_t current_counter[GCM_BLOCK_LEN];	// counter block for the next update call
	uint64_t partial_block_length;	// bytes of partial_block_enc_key still unused
};
135
/**
 * @brief GCM-AES Encryption using 128 bit keys
 *
 * Single-call form: encrypts the whole message and emits the tag in one step.
 * No key is passed here; my_ctx_data must already hold the expanded key
 * produced by aesni_gcm128_pre().
 *
 * NOTE(review): the caller owns IV uniqueness. GCM gives no confidentiality
 * or integrity guarantee once a j0 value is reused under the same key, and
 * nothing in this API detects reuse. Prefer auth_tag_len of 16.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_enc(struct gcm_data *my_ctx_data,
		      uint8_t *out,	//!< Ciphertext output. Encrypt in-place is allowed.
		      uint8_t const *in,	//!< Plaintext input
		      uint64_t plaintext_len,	//!< Length of data in Bytes for encryption.
		      uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		      uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		      uint64_t aad_len,	//!< Length of AAD.
		      uint8_t *auth_tag,	//!< Authenticated Tag output.
		      uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes (must be a multiple of 4 bytes). Valid values are 16 (most likely), 12 or 8.
    );
152
153
/**
 * @brief GCM-AES Decryption using 128 bit keys
 *
 * Single-call form. The tag computed over the ciphertext and AAD is written
 * to auth_tag; this function does not compare it against anything. The
 * caller must compare it with the tag that accompanied the message using a
 * constant-time comparison and discard the plaintext on any mismatch.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_dec(struct gcm_data *my_ctx_data,
		      uint8_t *out,	//!< Plaintext output. Decrypt in-place is allowed.
		      uint8_t const *in,	//!< Ciphertext input
		      uint64_t plaintext_len,	//!< Length of data in Bytes for decryption.
		      uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		      uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		      uint64_t aad_len,	//!< Length of AAD.
		      uint8_t *auth_tag,	//!< Authenticated Tag output (computed, not verified).
		      uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes (must be a multiple of 4 bytes). Valid values are 16 (most likely), 12 or 8.
    );
170
/**
 * @brief start a AES-128-GCM Encryption message
 *
 * First step of the streaming API (init -> *_update ... -> *_finalize), used
 * for both encryption and decryption. All AAD is consumed here, so it must be
 * available before any payload is processed. my_ctx_data must already hold the
 * expanded key from aesni_gcm128_pre().
 *
 * NOTE(review): iv must be unique per key for every message started; reuse
 * breaks GCM completely and is not detected by this API.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_init(struct gcm_data *my_ctx_data,
		       uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		       uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		       uint64_t aad_len	//!< Length of AAD.
    );
182
/**
 * @brief encrypt a block of a AES-128-GCM Encryption message
 *
 * May be called repeatedly between aesni_gcm128_init() and
 * aesni_gcm128_enc_finalize(); the context carries the counter and any
 * partial-block keystream between calls. When the library is built with
 * NT_LDST (see the file header) every buffer except the last must be a
 * multiple of 16 bytes and 16-byte aligned.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_enc_update(struct gcm_data *my_ctx_data,
			     uint8_t *out,	//!< Ciphertext output. Encrypt in-place is allowed.
			     const uint8_t *in,	//!< Plaintext input
			     uint64_t plaintext_len	//!< Length of data in Bytes for encryption.
    );
194
/**
 * @brief decrypt a block of a AES-128-GCM Encryption message
 *
 * Streaming counterpart of aesni_gcm128_enc_update(). The plaintext written
 * here has not been authenticated yet: the tag only becomes available from
 * aesni_gcm128_dec_finalize(). Nothing should act on the output until that
 * tag has been compared (constant-time) with the received one.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_dec_update(struct gcm_data *my_ctx_data,
			     uint8_t *out,	//!< Plaintext output. Decrypt in-place is allowed.
			     const uint8_t *in,	//!< Ciphertext input
			     uint64_t plaintext_len	//!< Length of data in Bytes for decryption.
    );
206
/**
 * @brief End encryption of a AES-128-GCM Encryption message
 *
 * Flushes any buffered partial block and writes the authentication tag for
 * everything passed to aesni_gcm128_init() and aesni_gcm128_enc_update().
 * A new message requires a fresh aesni_gcm128_init() with a fresh iv.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_enc_finalize(struct gcm_data *my_ctx_data,
			       uint8_t *auth_tag,	//!< Authenticated Tag output.
			       uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8.
    );
217
/**
 * @brief End decryption of a AES-128-GCM Encryption message
 *
 * Writes the tag computed over the received AAD and ciphertext. It is an
 * output, not a check: the caller must compare it with the transmitted tag
 * using a constant-time comparison and reject the whole message (including
 * plaintext already produced by aesni_gcm128_dec_update()) on mismatch.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm128_dec_finalize(struct gcm_data *my_ctx_data,
			       uint8_t *auth_tag,	//!< Authenticated Tag output (computed, not verified).
			       uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8.
    );
228
/**
 * @brief pre-processes key data
 *
 * Prefills the gcm data with key values for each round and the initial sub hash key for tag encoding
 *
 * @param key   Raw AES-128 key. The prototype carries no length, so the
 *              caller must supply exactly GCM_128_KEY_LEN (16) bytes.
 * @param gdata Context to fill; afterwards it holds key-equivalent material
 *              and should be wiped (not plain memset) when retired.
 *
 * NOTE(review): key is not const-qualified; presumably it is only read —
 * confirm against the implementation before passing read-only storage.
 */
void aesni_gcm128_pre(uint8_t *key, struct gcm_data *gdata);
236
/**
 * @brief GCM-AES Encryption using 256 bit keys
 *
 * Single-call form: encrypts the whole message and emits the tag in one step.
 * No key is passed here; my_ctx_data must already hold the expanded key
 * produced by aesni_gcm256_pre().
 *
 * NOTE(review): the caller owns IV uniqueness. GCM gives no confidentiality
 * or integrity guarantee once a j0 value is reused under the same key, and
 * nothing in this API detects reuse. Prefer auth_tag_len of 16.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_enc(struct gcm_data *my_ctx_data,
		      uint8_t *out,	//!< Ciphertext output. Encrypt in-place is allowed.
		      uint8_t const *in,	//!< Plaintext input
		      uint64_t plaintext_len,	//!< Length of data in Bytes for encryption.
		      uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		      uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		      uint64_t aad_len,	//!< Length of AAD.
		      uint8_t *auth_tag,	//!< Authenticated Tag output.
		      uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes (must be a multiple of 4 bytes). Valid values are 16 (most likely), 12 or 8.
    );
253
254
/**
 * @brief GCM-AES Decryption using 256 bit keys
 *
 * Single-call form. The tag computed over the ciphertext and AAD is written
 * to auth_tag; this function does not compare it against anything. The
 * caller must compare it with the tag that accompanied the message using a
 * constant-time comparison and discard the plaintext on any mismatch.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_dec(struct gcm_data *my_ctx_data,
		      uint8_t *out,	//!< Plaintext output. Decrypt in-place is allowed.
		      uint8_t const *in,	//!< Ciphertext input
		      uint64_t plaintext_len,	//!< Length of data in Bytes for decryption.
		      uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		      uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		      uint64_t aad_len,	//!< Length of AAD.
		      uint8_t *auth_tag,	//!< Authenticated Tag output (computed, not verified).
		      uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes (must be a multiple of 4 bytes). Valid values are 16 (most likely), 12 or 8.
    );
271
/**
 * @brief start a AES-256-GCM Encryption message
 *
 * First step of the streaming API (init -> *_update ... -> *_finalize), used
 * for both encryption and decryption. All AAD is consumed here, so it must be
 * available before any payload is processed. my_ctx_data must already hold the
 * expanded key from aesni_gcm256_pre().
 *
 * NOTE(review): iv must be unique per key for every message started; reuse
 * breaks GCM completely and is not detected by this API.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_init(struct gcm_data *my_ctx_data,
		       uint8_t *iv,	//!< Pre-counter block j0: 4 byte salt (from Security Association) concatenated with 8 byte Initialization Vector (from IPSec ESP Payload) concatenated with 0x00000001. 16-byte pointer.
		       uint8_t const *aad,	//!< Additional Authentication Data (AAD).
		       uint64_t aad_len	//!< Length of AAD.
    );
283
/**
 * @brief encrypt a block of a AES-256-GCM Encryption message
 *
 * May be called repeatedly between aesni_gcm256_init() and
 * aesni_gcm256_enc_finalize(); the context carries the counter and any
 * partial-block keystream between calls. When the library is built with
 * NT_LDST (see the file header) every buffer except the last must be a
 * multiple of 16 bytes and 16-byte aligned.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_enc_update(struct gcm_data *my_ctx_data,
			     uint8_t *out,	//!< Ciphertext output. Encrypt in-place is allowed.
			     const uint8_t *in,	//!< Plaintext input
			     uint64_t plaintext_len	//!< Length of data in Bytes for encryption.
    );
295
/**
 * @brief decrypt a block of a AES-256-GCM Encryption message
 *
 * Streaming counterpart of aesni_gcm256_enc_update(). The plaintext written
 * here has not been authenticated yet: the tag only becomes available from
 * aesni_gcm256_dec_finalize(). Nothing should act on the output until that
 * tag has been compared (constant-time) with the received one.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_dec_update(struct gcm_data *my_ctx_data,
			     uint8_t *out,	//!< Plaintext output. Decrypt in-place is allowed.
			     const uint8_t *in,	//!< Ciphertext input
			     uint64_t plaintext_len	//!< Length of data in Bytes for decryption.
    );
307
/**
 * @brief End encryption of a AES-256-GCM Encryption message
 *
 * Flushes any buffered partial block and writes the authentication tag for
 * everything passed to aesni_gcm256_init() and aesni_gcm256_enc_update().
 * A new message requires a fresh aesni_gcm256_init() with a fresh iv.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_enc_finalize(struct gcm_data *my_ctx_data,
			       uint8_t *auth_tag,	//!< Authenticated Tag output.
			       uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8.
    );
318
/**
 * @brief End decryption of a AES-256-GCM Encryption message
 *
 * Writes the tag computed over the received AAD and ciphertext. It is an
 * output, not a check: the caller must compare it with the transmitted tag
 * using a constant-time comparison and reject the whole message (including
 * plaintext already produced by aesni_gcm256_dec_update()) on mismatch.
 *
 * @requires SSE4.1 and AESNI
 *
 */
void aesni_gcm256_dec_finalize(struct gcm_data *my_ctx_data,
			       uint8_t *auth_tag,	//!< Authenticated Tag output (computed, not verified).
			       uint64_t auth_tag_len	//!< Authenticated Tag Length in bytes. Valid values are 16 (most likely), 12 or 8.
    );
329
/**
 * @brief pre-processes key data
 *
 * Prefills the gcm data with key values for each round and the initial sub hash key for tag encoding
 *
 * @param key   Raw AES-256 key. The prototype carries no length, so the
 *              caller must supply exactly GCM_256_KEY_LEN (32) bytes.
 * @param gdata Context to fill; afterwards it holds key-equivalent material
 *              and should be wiped (not plain memset) when retired.
 *
 * NOTE(review): key is not const-qualified; presumably it is only read —
 * confirm against the implementation before passing read-only storage.
 */
void aesni_gcm256_pre(uint8_t *key, struct gcm_data *gdata);
336
337 #ifdef __cplusplus
338 }
339 #endif //__cplusplus
340 #endif //ifndef _AES_GCM_h