[PATCH 4/5] block modes: move Galois shifts to block-internal.h

From: Dmitry Eremin-Solenikov dbaryshkov@gmail.com

Move Galois polynomial shifts to block-internal.h, simplifying common code. GCM is left unconverted for now, this will be fixed later.

Signed-off-by: Dmitry Eremin-Solenikov dbaryshkov@gmail.com --- Makefile.in | 2 +- block-internal.h | 76 +++++++++++++++++++++++++++++++++++++++++++++++ cmac-internal.h | 54 --------------------------------- cmac.c | 20 ++----------- cmac64.c | 21 ++----------- eax.c | 18 ++--------- gcm.c | 4 --- siv-cmac-aes128.c | 1 - siv-cmac-aes256.c | 1 - siv-cmac.c | 9 +++++- xts.c | 18 ++--------- 11 files changed, 94 insertions(+), 130 deletions(-) delete mode 100644 cmac-internal.h

diff --git a/Makefile.in b/Makefile.in index f6658c86341c..ae9c8a7563f9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -231,7 +231,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README desdata.stamp \ aes-internal.h block-internal.h \ - camellia-internal.h cmac-internal.h serpent-internal.h \ + camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ diff --git a/block-internal.h b/block-internal.h index 84839c872f63..8cc30f6f5a02 100644 --- a/block-internal.h +++ b/block-internal.h @@ -90,4 +90,80 @@ block8_xor_bytes (union nettle_block8 *r, memxor3 (r->b, x->b, bytes, 8); }

+#define LSHIFT_WORD(x) ((((x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ + (((x) & 0x8080808080808080) >> 15)) +#define RSHIFT_WORD(x) ((((x) & 0xfefefefefefefefe) >> 1) | \ + (((x) & 0x0001010101010101) << 15)) + +/* Galois multiplications by 2: + * functions differ in shifting right or left, big- or little- endianness + * and by defininy polynom. + * r == x is allowed. */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[0] >> 63; + dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); + dst->u64[1] = (src->u64[1] << 1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_be (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[0] & 0x80) >> 7; + dst->u64[0] = LSHIFT_WORD(src->u64[0]) | ((src->u64[1] & 0x80) << 49); + dst->u64[1] = LSHIFT_WORD(src->u64[1]) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64[1] & 0x80) >> 7; + dst->u64[1] = LSHIFT_WORD(src->u64[1]) | ((src->u64[0] & 0x80) << 49); + dst->u64[0] = LSHIFT_WORD(src->u64[0]) ^ ((poly << 56) & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block16_lshift_le (union nettle_block16 *dst, + const union nettle_block16 *src, + uint64_t poly) +{ + uint64_t carry = src->u64[1] >> 63; + dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); + dst->u64[0] = (src->u64[0] << 1) ^ (poly & -carry); +} +#endif /* !WORDS_BIGNDIAN */ + +#if WORDS_BIGENDIAN +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = src->u64 >> 63; + + dst->u64 = (src->u64 << 1) ^ (poly & -carry); +} +#else /* !WORDS_BIGENDIAN */ +static inline void +block8_lshift_be (union nettle_block8 *dst, + const union nettle_block8 *src, + uint64_t poly) +{ + uint64_t carry = (src->u64 & 0x80) >> 7; + + dst->u64 = LSHIFT_WORD(src->u64) ^ ((poly << 56) & -carry); +} +#endif /* !WORDS_BIGENDIAN */ + #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ diff --git a/cmac-internal.h b/cmac-internal.h deleted file mode 100644 index 80db7fcc58cd..000000000000 --- a/cmac-internal.h +++ /dev/null @@ -1,54 +0,0 @@ -/* cmac-internal.h - - CMAC mode internal functions - - Copyright (C) 2017 Red Hat, Inc. - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_CMAC_INTERNAL_H_INCLUDED -#define NETTLE_CMAC_INTERNAL_H_INCLUDED - -#include "cmac.h" - -#ifdef __cplusplus -extern "C" { -#endif - -#define _cmac128_block_mulx _nettle_cmac128_block_mulx - -void _cmac128_block_mulx(union nettle_block16 *out, - const union nettle_block16 *in); - -#ifdef __cplusplus -} -#endif - -#endif /* CMAC_INTERNAL_H_INCLUDED */ diff --git a/cmac.c b/cmac.c index 194324421c58..9b745daaaf1b 100644 --- a/cmac.c +++ b/cmac.c @@ -44,32 +44,16 @@

#include "memxor.h" #include "nettle-internal.h" -#include "cmac-internal.h" #include "block-internal.h" #include "macros.h"

/* shift one and XOR with 0x87. */ -#if WORDS_BIGENDIAN -void -_cmac128_block_mulx(union nettle_block16 *dst, - const union nettle_block16 *src) -{ - uint64_t carry = src->u64[0] >> 63; - dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); - dst->u64[1] = (src->u64[1] << 1) ^ (0x87 & -carry); -} -#else /* !WORDS_BIGENDIAN */ -#define LE_SHIFT(x) ((((x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ - (((x) & 0x8080808080808080) >> 15)) -void +static inline void _cmac128_block_mulx(union nettle_block16 *dst, const union nettle_block16 *src) { - uint64_t carry = (src->u64[0] & 0x80) >> 7; - dst->u64[0] = LE_SHIFT(src->u64[0]) | ((src->u64[1] & 0x80) << 49); - dst->u64[1] = LE_SHIFT(src->u64[1]) ^ (0x8700000000000000 & -carry); + block16_lshift_be(dst, src, 0x87); } -#endif /* !WORDS_BIGENDIAN */

void cmac128_set_key(struct cmac128_key *key, const void *cipher, diff --git a/cmac64.c b/cmac64.c index e7bb438580d6..c423a804145e 100644 --- a/cmac64.c +++ b/cmac64.c @@ -47,28 +47,13 @@ #include "block-internal.h" #include "macros.h"

-/* shift one and XOR with 0x87. */ -#if WORDS_BIGENDIAN -static void +/* shift one and XOR with 0x1b. */ +static inline void _cmac64_block_mulx(union nettle_block8 *dst, const union nettle_block8 *src) { - uint64_t carry = src->u64 >> 63; - - dst->u64 = (src->u64 << 1) ^ (0x1b & -carry); -} -#else /* !WORDS_BIGENDIAN */ -#define LE_SHIFT(x) ((((x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ - (((x) & 0x8080808080808080) >> 15)) -static void -_cmac64_block_mulx(union nettle_block8 *dst, - const union nettle_block8 *src) -{ - uint64_t carry = (src->u64 & 0x80) >> 7; - - dst->u64 = LE_SHIFT(src->u64) ^ (0x1b00000000000000 & -carry); + block8_lshift_be(dst, src, 0x1b); } -#endif /* !WORDS_BIGENDIAN */

void cmac64_set_key(struct cmac64_key *key, const void *cipher, diff --git a/eax.c b/eax.c index 63f3ff82fe65..24f5b4f592fe 100644 --- a/eax.c +++ b/eax.c @@ -82,27 +82,13 @@ omac_final (union nettle_block16 *state, const struct eax_key *key, f (cipher, EAX_BLOCK_SIZE, state->b, state->b); }

-/* Allows r == a */ -static void -gf2_double (uint8_t *r, const uint8_t *a) -{ - unsigned high = - (a[0] >> 7); - unsigned i; - /* Shift left */ - for (i = 0; i < EAX_BLOCK_SIZE - 1; i++) - r[i] = (a[i] << 1) + (a[i+1] >> 7); - - /* Wrap around for x^{128} = x^7 + x^2 + x + 1 */ - r[EAX_BLOCK_SIZE - 1] = (a[EAX_BLOCK_SIZE - 1] << 1) ^ (high & 0x87); -} - void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b); - gf2_double (key->pad_block.b, key->pad_block.b); - gf2_double (key->pad_partial.b, key->pad_block.b); + block16_lshift_be (&key->pad_block, &key->pad_block, 0x87); + block16_lshift_be (&key->pad_partial, &key->pad_block, 0x87); block16_xor (&key->pad_partial, &key->pad_block); }

diff --git a/gcm.c b/gcm.c index c550c5d810ef..17c889e67553 100644 --- a/gcm.c +++ b/gcm.c @@ -71,13 +71,9 @@ gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); r->u64[0] = (x->u64[0] >> 1) ^ (mask & ((uint64_t) GHASH_POLYNOMIAL << 56)); #else /* ! WORDS_BIGENDIAN */ -#define RSHIFT_WORD(x) \ - ((((x) & 0xfefefefefefefefeUL) >> 1) \ - | (((x) & 0x0001010101010101UL) << 15)) mask = - ((x->u64[1] >> 56) & 1); r->u64[1] = RSHIFT_WORD(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); r->u64[0] = RSHIFT_WORD(x->u64[0]) ^ (mask & GHASH_POLYNOMIAL); -# undef RSHIFT_WORD #endif /* ! WORDS_BIGENDIAN */ }

diff --git a/siv-cmac-aes128.c b/siv-cmac-aes128.c index 82ac16e91992..fd2e23a4513e 100644 --- a/siv-cmac-aes128.c +++ b/siv-cmac-aes128.c @@ -44,7 +44,6 @@ #include "ctr.h" #include "memxor.h" #include "memops.h" -#include "cmac-internal.h"

void siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) diff --git a/siv-cmac-aes256.c b/siv-cmac-aes256.c index 9401bbf119c5..eda7f1c27a55 100644 --- a/siv-cmac-aes256.c +++ b/siv-cmac-aes256.c @@ -44,7 +44,6 @@ #include "ctr.h" #include "memxor.h" #include "memops.h" -#include "cmac-internal.h"

void siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key) diff --git a/siv-cmac.c b/siv-cmac.c index 42f740cddf5d..c0c8fff900dd 100644 --- a/siv-cmac.c +++ b/siv-cmac.c @@ -44,10 +44,17 @@ #include "ctr.h" #include "memxor.h" #include "memops.h" -#include "cmac-internal.h" #include "nettle-internal.h" #include "block-internal.h"

+/* shift one and XOR with 0x87. */ +static inline void +_cmac128_block_mulx(union nettle_block16 *dst, + const union nettle_block16 *src) +{ + block16_lshift_be(dst, src, 0x87); +} + /* This is an implementation of S2V for the AEAD case where * vectors if zero, are considered as S empty components */ static void diff --git a/xts.c b/xts.c index 6730b3ad76ff..8f565751cac1 100644 --- a/xts.c +++ b/xts.c @@ -44,31 +44,17 @@ #include "macros.h" #include "memxor.h" #include "nettle-internal.h" +#include "block-internal.h"

/* shift left one and XOR with 0x87 if there is carry. */ /* the algorithm reads this as a 128bit Little Endian number */ /* src and dest can point to the same buffer for in-place operations */ -#if WORDS_BIGENDIAN -#define BE_SHIFT(x) ((((x) & 0x7f7f7f7f7f7f7f7f) << 1) | \ - (((x) & 0x8080808080808080) >> 15)) static void xts_shift(union nettle_block16 *dst, const union nettle_block16 *src) { - uint64_t carry = (src->u64[1] & 0x80) >> 7; - dst->u64[1] = BE_SHIFT(src->u64[1]) | ((src->u64[0] & 0x80) << 49); - dst->u64[0] = BE_SHIFT(src->u64[0]) ^ (0x8700000000000000 & -carry); + block16_lshift_le(dst, src, 0x87); } -#else /* !WORDS_BIGENDIAN */ -static void -xts_shift(union nettle_block16 *dst, - const union nettle_block16 *src) -{ - uint64_t carry = src->u64[1] >> 63; - dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); - dst->u64[0] = (src->u64[0] << 1) ^ (0x87 & -carry); -} -#endif /* !WORDS_BIGNDIAN */

static void check_length(size_t length, uint8_t *dst)