d9/d16/crypto__ia32_2aes__gcm_8c_source.html

 /*
  *------------------------------------------------------------------
  * Copyright (c) 2019 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *------------------------------------------------------------------
  */

 #include <vlib/vlib.h>
 #include <vnet/plugin/plugin.h>
 #include <vnet/crypto/crypto.h>
 #include <x86intrin.h>
 #include <crypto_ia32/crypto_ia32.h>
 #include <crypto_ia32/aesni.h>
 #include <crypto_ia32/ghash.h>

 #if __GNUC__ > 4  && !__clang__ && CLIB_DEBUG == 0
 #pragma GCC optimize ("O3")
 #endif

 typedef struct
 {
   /* pre-calculated hash key values */
   const __m128i Hi[8];
   /* extracted AES key */
   const __m128i Ke[15];
 } aes_gcm_key_data_t;

 static const __m128i last_byte_one = { 0, 1ULL << 56 };
 static const __m128i zero = { 0, 0 };

 static const u8x16 bswap_mask = {
   15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
 };

 static const u8x16 byte_mask_scale = {
   0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
 };

 static_always_inline __m128i
 aesni_gcm_bswap (__m128i x)
 {
   return _mm_shuffle_epi8 (x, (__m128i) bswap_mask);
 }

 static_always_inline __m128i
 aesni_gcm_byte_mask (__m128i x, u8 n_bytes)
 {
   u8x16 mask = u8x16_is_greater (u8x16_splat (n_bytes), byte_mask_scale);

   return _mm_blendv_epi8 (zero, x, (__m128i) mask);
 }

 static_always_inline __m128i
 aesni_gcm_load_partial (__m128i * p, int n_bytes)
 {
   ASSERT (n_bytes <= 16);
 #ifdef __AVX512F__
   return _mm_mask_loadu_epi8 (zero, (1 << n_bytes) - 1, p);
 #else
   return aesni_gcm_byte_mask (CLIB_MEM_OVERFLOW_LOAD (_mm_loadu_si128, p),
                               n_bytes);
 #endif
 }

 static_always_inline void
 aesni_gcm_store_partial (void *p, __m128i r, int n_bytes)
 {
 #ifdef __AVX512F__
   _mm_mask_storeu_epi8 (p, (1 << n_bytes) - 1, r);
 #else
   u8x16 mask = u8x16_is_greater (u8x16_splat (n_bytes), byte_mask_scale);
   _mm_maskmoveu_si128 (r, (__m128i) mask, p);
 #endif
 }

 static_always_inline void
 aesni_gcm_load (__m128i * d, __m128i * inv, int n, int n_bytes)
 {
   for (int i = 0; i < n - 1; i++)
     d[i] = _mm_loadu_si128 (inv + i);
   d[n - 1] = n_bytes ? aesni_gcm_load_partial (inv + n - 1, n_bytes) :
     _mm_loadu_si128 (inv + n - 1);
 }

 static_always_inline void
 aesni_gcm_store (__m128i * d, __m128i * outv, int n, int n_bytes)
 {
   for (int i = 0; i < n - 1; i++)
     _mm_storeu_si128 (outv + i, d[i]);
   if (n_bytes & 0xf)
     aesni_gcm_store_partial (outv + n - 1, d[n - 1], n_bytes);
   else
     _mm_storeu_si128 (outv + n - 1, d[n - 1]);
 }

 static_always_inline void
 aesni_gcm_enc_first_round (__m128i * r, __m128i * Y, u32 * ctr, __m128i k,
                            int n_blocks)
 {
   u32 i;

   if (PREDICT_TRUE ((u8) ctr[0] < (256 - n_blocks)))
     {
       for (i = 0; i < n_blocks; i++)
         {
           Y[0] = _mm_add_epi32 (Y[0], last_byte_one);
           r[i] = k ^ Y[0];
         }
       ctr[0] += n_blocks;
     }
   else
     {
       for (i = 0; i < n_blocks; i++)
         {
           Y[0] = _mm_insert_epi32 (Y[0], clib_host_to_net_u32 (++ctr[0]), 3);
           r[i] = k ^ Y[0];
         }
     }
 }

 static_always_inline void
 aesni_gcm_enc_round (__m128i * r, __m128i k, int n_blocks)
 {
   for (int i = 0; i < n_blocks; i++)
     r[i] = _mm_aesenc_si128 (r[i], k);
 }

 static_always_inline void
 aesni_gcm_enc_last_round (__m128i * r, __m128i * d, const __m128i * k,
                           int rounds, int n_blocks)
 {

   /* additional ronuds for AES-192 and AES-256 */
   for (int i = 10; i < rounds; i++)
     aesni_gcm_enc_round (r, k[i], n_blocks);

   for (int i = 0; i < n_blocks; i++)
     d[i] ^= _mm_aesenclast_si128 (r[i], k[rounds]);
 }

 static_always_inline __m128i
 aesni_gcm_ghash_blocks (__m128i T, aes_gcm_key_data_t * kd,
                         const __m128i * in, int n_blocks)
 {
   ghash_data_t _gd, *gd = &_gd;
   const __m128i *Hi = kd->Hi + n_blocks - 1;
   ghash_mul_first (gd, aesni_gcm_bswap (_mm_loadu_si128 (in)) ^ T, Hi[0]);
   for (int i = 1; i < n_blocks; i++)
     ghash_mul_next (gd, aesni_gcm_bswap (_mm_loadu_si128 (in + i)), Hi[-i]);
   ghash_reduce (gd);
   ghash_reduce2 (gd);
   return ghash_final (gd);
 }

 static_always_inline __m128i
 aesni_gcm_ghash (__m128i T, aes_gcm_key_data_t * kd, const __m128i * in,
                  u32 n_left)
 {

   while (n_left >= 128)
     {
       T = aesni_gcm_ghash_blocks (T, kd, in, 8);
       n_left -= 128;
       in += 8;
     }

   if (n_left >= 64)
     {
       T = aesni_gcm_ghash_blocks (T, kd, in, 4);
       n_left -= 64;
       in += 4;
     }

   if (n_left >= 32)
     {
       T = aesni_gcm_ghash_blocks (T, kd, in, 2);
       n_left -= 32;
       in += 2;
     }

   if (n_left >= 16)
     {
       T = aesni_gcm_ghash_blocks (T, kd, in, 1);
       n_left -= 16;
       in += 1;
     }

   if (n_left)
     {
       __m128i r = aesni_gcm_load_partial ((__m128i *) in, n_left);
       T = ghash_mul (aesni_gcm_bswap (r) ^ T, kd->Hi[0]);
     }
   return T;
 }

 static_always_inline __m128i
 aesni_gcm_calc (__m128i T, aes_gcm_key_data_t * kd, __m128i * d,
                 __m128i * Y, u32 * ctr, __m128i * inv, __m128i * outv,
                 int rounds, int n, int last_block_bytes, int with_ghash,
                 int is_encrypt)
 {
   __m128i r[n];
   ghash_data_t _gd = { }, *gd = &_gd;
   const __m128i *k = kd->Ke;
   int hidx = is_encrypt ? 4 : n, didx = 0;

   _mm_prefetch (inv + 4, _MM_HINT_T0);

   /* AES rounds 0 and 1 */
   aesni_gcm_enc_first_round (r, Y, ctr, k[0], n);
   aesni_gcm_enc_round (r, k[1], n);

   /* load data - decrypt round */
   if (is_encrypt == 0)
     aesni_gcm_load (d, inv, n, last_block_bytes);

   /* GHASH multiply block 1 */
   if (with_ghash)
     ghash_mul_first (gd, aesni_gcm_bswap (d[didx++]) ^ T, kd->Hi[--hidx]);

   /* AES rounds 2 and 3 */
   aesni_gcm_enc_round (r, k[2], n);
   aesni_gcm_enc_round (r, k[3], n);

   /* GHASH multiply block 2 */
   if (with_ghash && hidx)
     ghash_mul_next (gd, aesni_gcm_bswap (d[didx++]), kd->Hi[--hidx]);

   /* AES rounds 4 and 5 */
   aesni_gcm_enc_round (r, k[4], n);
   aesni_gcm_enc_round (r, k[5], n);

   /* GHASH multiply block 3 */
   if (with_ghash && hidx)
     ghash_mul_next (gd, aesni_gcm_bswap (d[didx++]), kd->Hi[--hidx]);

   /* AES rounds 6 and 7 */
   aesni_gcm_enc_round (r, k[6], n);
   aesni_gcm_enc_round (r, k[7], n);

   /* GHASH multiply block 4 */
   if (with_ghash && hidx)
     ghash_mul_next (gd, aesni_gcm_bswap (d[didx++]), kd->Hi[--hidx]);

   /* AES rounds 8 and 9 */
   aesni_gcm_enc_round (r, k[8], n);
   aesni_gcm_enc_round (r, k[9], n);

   /* GHASH reduce 1st step */
   if (with_ghash)
     ghash_reduce (gd);

   /* load data - encrypt round */
   if (is_encrypt)
     aesni_gcm_load (d, inv, n, last_block_bytes);

   /* GHASH reduce 2nd step */
   if (with_ghash)
     ghash_reduce2 (gd);

   /* AES last round(s) */
   aesni_gcm_enc_last_round (r, d, k, rounds, n);

   /* store data */
   aesni_gcm_store (d, outv, n, last_block_bytes);

   /* GHASH final step */
   if (with_ghash)
     T = ghash_final (gd);

   return T;
 }

 static_always_inline __m128i
 aesni_gcm_calc_double (__m128i T, aes_gcm_key_data_t * kd, __m128i * d,
                        __m128i * Y, u32 * ctr, __m128i * inv, __m128i * outv,
                        int rounds, int is_encrypt)
 {
   __m128i r[4];
   ghash_data_t _gd, *gd = &_gd;
   const __m128i *k = kd->Ke;

   /* AES rounds 0 and 1 */
   aesni_gcm_enc_first_round (r, Y, ctr, k[0], 4);
   aesni_gcm_enc_round (r, k[1], 4);

   /* load 4 blocks of data - decrypt round */
   if (is_encrypt == 0)
     aesni_gcm_load (d, inv, 4, 0);

   /* GHASH multiply block 0 */
   ghash_mul_first (gd, aesni_gcm_bswap (d[0]) ^ T, kd->Hi[7]);

   /* AES rounds 2 and 3 */
   aesni_gcm_enc_round (r, k[2], 4);
   aesni_gcm_enc_round (r, k[3], 4);

   /* GHASH multiply block 1 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[1]), kd->Hi[6]);

   /* AES rounds 4 and 5 */
   aesni_gcm_enc_round (r, k[4], 4);
   aesni_gcm_enc_round (r, k[5], 4);

   /* GHASH multiply block 2 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[2]), kd->Hi[5]);

   /* AES rounds 6 and 7 */
   aesni_gcm_enc_round (r, k[6], 4);
   aesni_gcm_enc_round (r, k[7], 4);

   /* GHASH multiply block 3 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[3]), kd->Hi[4]);

   /* AES rounds 8 and 9 */
   aesni_gcm_enc_round (r, k[8], 4);
   aesni_gcm_enc_round (r, k[9], 4);

   /* load 4 blocks of data - encrypt round */
   if (is_encrypt)
     aesni_gcm_load (d, inv, 4, 0);

   /* AES last round(s) */
   aesni_gcm_enc_last_round (r, d, k, rounds, 4);

   /* store 4 blocks of data */
   aesni_gcm_store (d, outv, 4, 0);

   /* load next 4 blocks of data data - decrypt round */
   if (is_encrypt == 0)
     aesni_gcm_load (d, inv + 4, 4, 0);

   /* GHASH multiply block 4 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[0]), kd->Hi[3]);

   /* AES rounds 0, 1 and 2 */
   aesni_gcm_enc_first_round (r, Y, ctr, k[0], 4);
   aesni_gcm_enc_round (r, k[1], 4);
   aesni_gcm_enc_round (r, k[2], 4);

   /* GHASH multiply block 5 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[1]), kd->Hi[2]);

   /* AES rounds 3 and 4 */
   aesni_gcm_enc_round (r, k[3], 4);
   aesni_gcm_enc_round (r, k[4], 4);

   /* GHASH multiply block 6 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[2]), kd->Hi[1]);

   /* AES rounds 5 and 6 */
   aesni_gcm_enc_round (r, k[5], 4);
   aesni_gcm_enc_round (r, k[6], 4);

   /* GHASH multiply block 7 */
   ghash_mul_next (gd, aesni_gcm_bswap (d[3]), kd->Hi[0]);

   /* AES rounds 7 and 8 */
   aesni_gcm_enc_round (r, k[7], 4);
   aesni_gcm_enc_round (r, k[8], 4);

   /* GHASH reduce 1st step */
   ghash_reduce (gd);

   /* AES round 9 */
   aesni_gcm_enc_round (r, k[9], 4);

   /* load data - encrypt round */
   if (is_encrypt)
     aesni_gcm_load (d, inv + 4, 4, 0);

   /* GHASH reduce 2nd step */
   ghash_reduce2 (gd);

   /* AES last round(s) */
   aesni_gcm_enc_last_round (r, d, k, rounds, 4);

   /* store data */
   aesni_gcm_store (d, outv + 4, 4, 0);

   /* GHASH final step */
   return ghash_final (gd);
 }

 static_always_inline __m128i
 aesni_gcm_ghash_last (__m128i T, aes_gcm_key_data_t * kd, __m128i * d,
                       int n_blocks, int n_bytes)
 {
   ghash_data_t _gd, *gd = &_gd;

   if (n_bytes)
     d[n_blocks - 1] = aesni_gcm_byte_mask (d[n_blocks - 1], n_bytes);

   ghash_mul_first (gd, aesni_gcm_bswap (d[0]) ^ T, kd->Hi[n_blocks - 1]);
   if (n_blocks > 1)
     ghash_mul_next (gd, aesni_gcm_bswap (d[1]), kd->Hi[n_blocks - 2]);
   if (n_blocks > 2)
     ghash_mul_next (gd, aesni_gcm_bswap (d[2]), kd->Hi[n_blocks - 3]);
   if (n_blocks > 3)
     ghash_mul_next (gd, aesni_gcm_bswap (d[3]), kd->Hi[n_blocks - 4]);
   ghash_reduce (gd);
   ghash_reduce2 (gd);
   return ghash_final (gd);
 }


 static_always_inline __m128i
 aesni_gcm_enc (__m128i T, aes_gcm_key_data_t * kd, __m128i Y, const u8 * in,
                const u8 * out, u32 n_left, int rounds)
 {
   __m128i *inv = (__m128i *) in, *outv = (__m128i *) out;
   __m128i d[4];
   u32 ctr = 1;

   if (n_left == 0)
     return T;

   if (n_left < 64)
     {
       if (n_left > 48)
         {
           n_left &= 0x0f;
           aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4, n_left,
                           /* with_ghash */ 0, /* is_encrypt */ 1);
           return aesni_gcm_ghash_last (T, kd, d, 4, n_left);
         }
       else if (n_left > 32)
         {
           n_left &= 0x0f;
           aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 3, n_left,
                           /* with_ghash */ 0, /* is_encrypt */ 1);
           return aesni_gcm_ghash_last (T, kd, d, 3, n_left);
         }
       else if (n_left > 16)
         {
           n_left &= 0x0f;
           aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 2, n_left,
                           /* with_ghash */ 0, /* is_encrypt */ 1);
           return aesni_gcm_ghash_last (T, kd, d, 2, n_left);
         }
       else
         {
           n_left &= 0x0f;
           aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 1, n_left,
                           /* with_ghash */ 0, /* is_encrypt */ 1);
           return aesni_gcm_ghash_last (T, kd, d, 1, n_left);
         }
     }

   aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4, 0,
                   /* with_ghash */ 0, /* is_encrypt */ 1);

   /* next */
   n_left -= 64;
   outv += 4;
   inv += 4;

   while (n_left >= 128)
     {
       T = aesni_gcm_calc_double (T, kd, d, &Y, &ctr, inv, outv, rounds,
                                  /* is_encrypt */ 1);

       /* next */
       n_left -= 128;
       outv += 8;
       inv += 8;
     }

   if (n_left >= 64)
     {
       T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4, 0,
                           /* with_ghash */ 1, /* is_encrypt */ 1);

       /* next */
       n_left -= 64;
       outv += 4;
       inv += 4;
     }

   if (n_left == 0)
     return aesni_gcm_ghash_last (T, kd, d, 4, 0);

   if (n_left > 48)
     {
       n_left &= 0x0f;
       T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4, n_left,
                           /* with_ghash */ 1, /* is_encrypt */ 1);
       return aesni_gcm_ghash_last (T, kd, d, 4, n_left);
     }

   if (n_left > 32)
     {
       n_left &= 0x0f;
       T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 3, n_left,
                           /* with_ghash */ 1, /* is_encrypt */ 1);
       return aesni_gcm_ghash_last (T, kd, d, 3, n_left);
     }

   if (n_left > 16)
     {
       n_left &= 0x0f;
       T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 2, n_left,
                           /* with_ghash */ 1, /* is_encrypt */ 1);
       return aesni_gcm_ghash_last (T, kd, d, 2, n_left);
     }

   n_left &= 0x0f;
   T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 1, n_left,
                       /* with_ghash */ 1, /* is_encrypt */ 1);
   return aesni_gcm_ghash_last (T, kd, d, 1, n_left);
 }

 static_always_inline __m128i
 aesni_gcm_dec (__m128i T, aes_gcm_key_data_t * kd, __m128i Y, const u8 * in,
                const u8 * out, u32 n_left, int rounds)
 {
   __m128i *inv = (__m128i *) in, *outv = (__m128i *) out;
   __m128i d[8];
   u32 ctr = 1;

   while (n_left >= 128)
     {
       T = aesni_gcm_calc_double (T, kd, d, &Y, &ctr, inv, outv, rounds,
                                  /* is_encrypt */ 0);

       /* next */
       n_left -= 128;
       outv += 8;
       inv += 8;
     }

   if (n_left >= 64)
     {
       T = aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4, 0, 1, 0);

       /* next */
       n_left -= 64;
       outv += 4;
       inv += 4;
     }

   if (n_left == 0)
     return T;

   if (n_left > 48)
     return aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 4,
                            n_left - 48,
                            /* with_ghash */ 1, /* is_encrypt */ 0);

   if (n_left > 32)
     return aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 3,
                            n_left - 32,
                            /* with_ghash */ 1, /* is_encrypt */ 0);

   if (n_left > 16)
     return aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 2,
                            n_left - 16,
                            /* with_ghash */ 1, /* is_encrypt */ 0);

   return aesni_gcm_calc (T, kd, d, &Y, &ctr, inv, outv, rounds, 1, n_left,
                          /* with_ghash */ 1, /* is_encrypt */ 0);
 }

 static_always_inline int
 aes_gcm (const u8 * in, u8 * out, const u8 * addt, const u8 * iv, u8 * tag,
          u32 data_bytes, u32 aad_bytes, u8 tag_len, aes_gcm_key_data_t * kd,
          int aes_rounds, int is_encrypt)
 {
   int i;
   __m128i r, Y0, T = { };
   ghash_data_t _gd, *gd = &_gd;

   _mm_prefetch (iv, _MM_HINT_T0);
   _mm_prefetch (in, _MM_HINT_T0);
   _mm_prefetch (in + CLIB_CACHE_LINE_BYTES, _MM_HINT_T0);

   /* calculate ghash for AAD - optimized for ipsec common cases */
   if (aad_bytes == 8)
     T = aesni_gcm_ghash (T, kd, (__m128i *) addt, 8);
   else if (aad_bytes == 12)
     T = aesni_gcm_ghash (T, kd, (__m128i *) addt, 12);
   else
     T = aesni_gcm_ghash (T, kd, (__m128i *) addt, aad_bytes);

   /* initalize counter */
   Y0 = CLIB_MEM_OVERFLOW_LOAD (_mm_loadu_si128, (__m128i *) iv);
   Y0 = _mm_insert_epi32 (Y0, clib_host_to_net_u32 (1), 3);

   /* ghash and encrypt/edcrypt  */
   if (is_encrypt)
     T = aesni_gcm_enc (T, kd, Y0, in, out, data_bytes, aes_rounds);
   else
     T = aesni_gcm_dec (T, kd, Y0, in, out, data_bytes, aes_rounds);

   _mm_prefetch (tag, _MM_HINT_T0);

   /* Finalize ghash */
   r[0] = data_bytes;
   r[1] = aad_bytes;

   /* bytes to bits */
   r <<= 3;

   /* interleaved computation of final ghash and E(Y0, k) */
   ghash_mul_first (gd, r ^ T, kd->Hi[0]);
   r = kd->Ke[0] ^ Y0;
   for (i = 1; i < 5; i += 1)
     r = _mm_aesenc_si128 (r, kd->Ke[i]);
   ghash_reduce (gd);
   ghash_reduce2 (gd);
   for (; i < 9; i += 1)
     r = _mm_aesenc_si128 (r, kd->Ke[i]);
   T = ghash_final (gd);
   for (; i < aes_rounds; i += 1)
     r = _mm_aesenc_si128 (r, kd->Ke[i]);
   r = _mm_aesenclast_si128 (r, kd->Ke[aes_rounds]);
   T = aesni_gcm_bswap (T) ^ r;

   /* tag_len 16 -> 0 */
   tag_len &= 0xf;

   if (is_encrypt)
     {
       /* store tag */
       if (tag_len)
         aesni_gcm_store_partial ((__m128i *) tag, T, (1 << tag_len) - 1);
       else
         _mm_storeu_si128 ((__m128i *) tag, T);
     }
   else
     {
       /* check tag */
       u16 tag_mask = tag_len ? (1 << tag_len) - 1 : 0xffff;
       r = _mm_loadu_si128 ((__m128i *) tag);
       if (_mm_movemask_epi8 (r == T) != tag_mask)
         return 0;
     }
   return 1;
 }

 static_always_inline u32
 aesni_ops_enc_aes_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
                        u32 n_ops, aesni_key_size_t ks)
 {
   crypto_ia32_main_t *cm = &crypto_ia32_main;
   vnet_crypto_op_t *op = ops[0];
   aes_gcm_key_data_t *kd;
   u32 n_left = n_ops;


 next:
   kd = (aes_gcm_key_data_t *) cm->key_data[op->key_index];
   aes_gcm (op->src, op->dst, op->aad, op->iv, op->tag, op->len, op->aad_len,
            op->tag_len, kd, AESNI_KEY_ROUNDS (ks), /* is_encrypt */ 1);
   op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;

   if (--n_left)
     {
       op += 1;
       goto next;
     }

   return n_ops;
 }

 static_always_inline u32
 aesni_ops_dec_aes_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[],
                        u32 n_ops, aesni_key_size_t ks)
 {
   crypto_ia32_main_t *cm = &crypto_ia32_main;
   vnet_crypto_op_t *op = ops[0];
   aes_gcm_key_data_t *kd;
   u32 n_left = n_ops;
   int rv;

 next:
   kd = (aes_gcm_key_data_t *) cm->key_data[op->key_index];
   rv = aes_gcm (op->src, op->dst, op->aad, op->iv, op->tag, op->len,
                 op->aad_len, op->tag_len, kd, AESNI_KEY_ROUNDS (ks),
                 /* is_encrypt */ 0);

   if (rv)
     {
       op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
     }
   else
     {
       op->status = VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC;
       n_ops--;
     }

   if (--n_left)
     {
       op += 1;
       goto next;
     }

   return n_ops;
 }

 static_always_inline void *
 aesni_gcm_key_exp (vnet_crypto_key_t * key, aesni_key_size_t ks)
 {
   aes_gcm_key_data_t *kd;
   __m128i H;
   int i;

   kd = clib_mem_alloc_aligned (sizeof (*kd), CLIB_CACHE_LINE_BYTES);

   /* expand AES key */
   aes_key_expand ((__m128i *) kd->Ke, key->data, ks);

   /* pre-calculate H */
   H = kd->Ke[0];
   for (i = 1; i < AESNI_KEY_ROUNDS (ks); i += 1)
     H = _mm_aesenc_si128 (H, kd->Ke[i]);
   H = _mm_aesenclast_si128 (H, kd->Ke[i]);
   H = aesni_gcm_bswap (H);
   ghash_precompute (H, (__m128i *) kd->Hi, 8);
   return kd;
 }

 #define foreach_aesni_gcm_handler_type _(128) _(192) _(256)

 #define _(x) \
 static u32 aesni_ops_dec_aes_gcm_##x                                         \
 (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops)                      \
 { return aesni_ops_dec_aes_gcm (vm, ops, n_ops, AESNI_KEY_##x); }            \
 static u32 aesni_ops_enc_aes_gcm_##x                                         \
 (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops)                      \
 { return aesni_ops_enc_aes_gcm (vm, ops, n_ops, AESNI_KEY_##x); }            \
 static void * aesni_gcm_key_exp_##x (vnet_crypto_key_t *key)                 \
 { return aesni_gcm_key_exp (key, AESNI_KEY_##x); }

 foreach_aesni_gcm_handler_type;
 #undef _

 clib_error_t *
 #ifdef __AVX512F__
 crypto_ia32_aesni_gcm_init_avx512 (vlib_main_t * vm)
 #elif __AVX2__
 crypto_ia32_aesni_gcm_init_avx2 (vlib_main_t * vm)
 #else
 crypto_ia32_aesni_gcm_init_sse42 (vlib_main_t * vm)
 #endif
 {
   crypto_ia32_main_t *cm = &crypto_ia32_main;

 #define _(x) \
   vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
                                     VNET_CRYPTO_OP_AES_##x##_GCM_ENC, \
                                     aesni_ops_enc_aes_gcm_##x); \
   vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
                                     VNET_CRYPTO_OP_AES_##x##_GCM_DEC, \
                                     aesni_ops_dec_aes_gcm_##x); \
   cm->key_fn[VNET_CRYPTO_ALG_AES_##x##_GCM] = aesni_gcm_key_exp_##x;
   foreach_aesni_gcm_handler_type;
 #undef _
   return 0;
 }

 /*
  * fd.io coding-style-patch-verification: ON
  *
  * Local Variables:
  * eval: (c-set-style "gnu")
  * End:
  */
vnet_crypto_op_t::dst
u8 * dst
Definition: crypto.h:139

crypto_ia32_main
crypto_ia32_main_t crypto_ia32_main
Definition: main.c:23

aesni_gcm_ghash
static_always_inline __m128i aesni_gcm_ghash(__m128i T, aes_gcm_key_data_t *kd, const __m128i *in, u32 n_left)
Definition: aes_gcm.c:166

aesni_gcm_store_partial
static_always_inline void aesni_gcm_store_partial(void *p, __m128i r, int n_bytes)
Definition: aes_gcm.c:76

vnet_crypto_key_t::data
u8 * data
Definition: crypto.h:101

last_byte_one
static const __m128i last_byte_one
Definition: aes_gcm.c:38

PREDICT_TRUE
#define PREDICT_TRUE(x)
Definition: clib.h:112

aesni_gcm_load
static_always_inline void aesni_gcm_load(__m128i *d, __m128i *inv, int n, int n_bytes)
Definition: aes_gcm.c:87

aes_gcm_key_data_t
Definition: aes_gcm.c:30

vnet_crypto_op_t::iv
u8 * iv
Definition: crypto.h:137

aesni_gcm_store
static_always_inline void aesni_gcm_store(__m128i *d, __m128i *outv, int n, int n_bytes)
Definition: aes_gcm.c:96

aesni_gcm_enc_round
static_always_inline void aesni_gcm_enc_round(__m128i *r, __m128i k, int n_blocks)
Definition: aes_gcm.c:132

vnet_crypto_op_t::tag_len
u8 tag_len
Definition: crypto.h:136

aesni_gcm_calc
static_always_inline __m128i aesni_gcm_calc(__m128i T, aes_gcm_key_data_t *kd, __m128i *d, __m128i *Y, u32 *ctr, __m128i *inv, __m128i *outv, int rounds, int n, int last_block_bytes, int with_ghash, int is_encrypt)
Definition: aes_gcm.c:207

i
int i
Definition: flowhash_template.h:376

crypto_ia32_aesni_gcm_init_sse42
clib_error_t * crypto_ia32_aesni_gcm_init_sse42(vlib_main_t *vm)
Definition: aes_gcm.c:754

AESNI_KEY_ROUNDS
#define AESNI_KEY_ROUNDS(x)
Definition: aesni.h:28

bswap_mask
static const u8x16 bswap_mask
Definition: aes_gcm.c:41

aes_key_expand
static_always_inline void aes_key_expand(__m128i *k, u8 *key, aesni_key_size_t ks)
Definition: aesni.h:181

u8
unsigned char u8
Definition: types.h:56

ghash_precompute
static_always_inline void ghash_precompute(__m128i H, __m128i *Hi, int count)
Definition: ghash.h:226

aes_gcm_key_data_t::Hi
const __m128i Hi[8]
Definition: aes_gcm.c:33

plugin.h

static_always_inline
#define static_always_inline
Definition: clib.h:99

byte_mask_scale
static const u8x16 byte_mask_scale
Definition: aes_gcm.c:45

aesni_key_size_t
aesni_key_size_t
Definition: aesni.h:21

crypto.h

ghash_data_t
Definition: ghash.h:119

aesni_ops_enc_aes_gcm
static_always_inline u32 aesni_ops_enc_aes_gcm(vlib_main_t *vm, vnet_crypto_op_t *ops[], u32 n_ops, aesni_key_size_t ks)
Definition: aes_gcm.c:652

ghash_reduce
static_always_inline void ghash_reduce(ghash_data_t *gd)
Definition: ghash.h:176

aes_gcm
static_always_inline int aes_gcm(const u8 *in, u8 *out, const u8 *addt, const u8 *iv, u8 *tag, u32 data_bytes, u32 aad_bytes, u8 tag_len, aes_gcm_key_data_t *kd, int aes_rounds, int is_encrypt)
Definition: aes_gcm.c:575

u32
unsigned int u32
Definition: types.h:88

ghash_reduce2
static_always_inline void ghash_reduce2(ghash_data_t *gd)
Definition: ghash.h:202

crypto_ia32_main_t
Definition: crypto_ia32.h:28

aesni_gcm_ghash_blocks
static_always_inline __m128i aesni_gcm_ghash_blocks(__m128i T, aes_gcm_key_data_t *kd, const __m128i *in, int n_blocks)
Definition: aes_gcm.c:152

aesni.h

cm
vnet_crypto_main_t * cm
Definition: quic_crypto.c:41

iv
static u8 iv[]
Definition: aes_cbc.c:24

aes_gcm_key_data_t::Ke
const __m128i Ke[15]
Definition: aes_gcm.c:35

crypto_ia32.h

zero
static const __m128i zero
Definition: aes_gcm.c:39

u16
unsigned short u16
Definition: types.h:57

aesni_gcm_load_partial
static_always_inline __m128i aesni_gcm_load_partial(__m128i *p, int n_bytes)
Definition: aes_gcm.c:64

ghash.h

crypto_ia32_aesni_gcm_init_avx512
clib_error_t * crypto_ia32_aesni_gcm_init_avx512(vlib_main_t *vm)

aesni_gcm_bswap
static_always_inline __m128i aesni_gcm_bswap(__m128i x)
Definition: aes_gcm.c:50

ghash_final
static_always_inline __m128i ghash_final(ghash_data_t *gd)
Definition: ghash.h:209

aesni_gcm_calc_double
static_always_inline __m128i aesni_gcm_calc_double(__m128i T, aes_gcm_key_data_t *kd, __m128i *d, __m128i *Y, u32 *ctr, __m128i *inv, __m128i *outv, int rounds, int is_encrypt)
Definition: aes_gcm.c:285

aesni_gcm_enc
static_always_inline __m128i aesni_gcm_enc(__m128i T, aes_gcm_key_data_t *kd, __m128i Y, const u8 *in, const u8 *out, u32 n_left, int rounds)
Definition: aes_gcm.c:418

vlib.h

ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69

vnet_crypto_op_t::len
u32 len
Definition: crypto.h:134

crypto_ia32_main_t::key_data
void ** key_data
Definition: crypto_ia32.h:33

aesni_gcm_enc_last_round
static_always_inline void aesni_gcm_enc_last_round(__m128i *r, __m128i *d, const __m128i *k, int rounds, int n_blocks)
Definition: aes_gcm.c:139

vnet_crypto_key_t
Definition: crypto.h:99

aesni_gcm_byte_mask
static_always_inline __m128i aesni_gcm_byte_mask(__m128i x, u8 n_bytes)
Definition: aes_gcm.c:56

u8x16_is_greater
static_always_inline u8x16 u8x16_is_greater(u8x16 v1, u8x16 v2)
Definition: vector_sse42.h:729

clib_error_t
Definition: clib_error.h:21

key
typedef key
Definition: ipsec_types.api:83

vnet_crypto_op_t::src
u8 * src
Definition: crypto.h:138

vlib_main_t
Definition: main.h:83

aesni_gcm_dec
static_always_inline __m128i aesni_gcm_dec(__m128i T, aes_gcm_key_data_t *kd, __m128i Y, const u8 *in, const u8 *out, u32 n_left, int rounds)
Definition: aes_gcm.c:524

crypto_ia32_aesni_gcm_init_avx2
clib_error_t * crypto_ia32_aesni_gcm_init_avx2(vlib_main_t *vm)

aesni_ops_dec_aes_gcm
static_always_inline u32 aesni_ops_dec_aes_gcm(vlib_main_t *vm, vnet_crypto_op_t *ops[], u32 n_ops, aesni_key_size_t ks)
Definition: aes_gcm.c:677

foreach_aesni_gcm_handler_type
#define foreach_aesni_gcm_handler_type
Definition: aes_gcm.c:733

aesni_gcm_key_exp
static_always_inline void * aesni_gcm_key_exp(vnet_crypto_key_t *key, aesni_key_size_t ks)
Definition: aes_gcm.c:712

aesni_gcm_enc_first_round
static_always_inline void aesni_gcm_enc_first_round(__m128i *r, __m128i *Y, u32 *ctr, __m128i k, int n_blocks)
Definition: aes_gcm.c:107

vnet_crypto_op_t::status
vnet_crypto_op_status_t status
Definition: crypto.h:129

clib_mem_alloc_aligned
static void * clib_mem_alloc_aligned(uword size, uword align)
Definition: mem.h:161

vnet_crypto_op_t::aad
u8 * aad
Definition: crypto.h:140

ghash_mul
static_always_inline __m128i ghash_mul(__m128i a, __m128i b)
Definition: ghash.h:216

CLIB_MEM_OVERFLOW_LOAD
#define CLIB_MEM_OVERFLOW_LOAD(f, src)
Definition: sanitizer.h:49

aesni_gcm_ghash_last
static_always_inline __m128i aesni_gcm_ghash_last(__m128i T, aes_gcm_key_data_t *kd, __m128i *d, int n_blocks, int n_bytes)
Definition: aes_gcm.c:396

ghash_mul_next
static_always_inline void ghash_mul_next(ghash_data_t *gd, __m128i a, __m128i b)
Definition: ghash.h:145

CLIB_CACHE_LINE_BYTES
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59

vnet_crypto_op_t::aad_len
u16 aad_len
Definition: crypto.h:135

vnet_crypto_op_t::key_index
u32 key_index
Definition: crypto.h:133

vnet_crypto_op_t
Definition: crypto.h:125

vnet_crypto_op_t::tag
u8 * tag
Definition: crypto.h:141

ghash_mul_first
static_always_inline void ghash_mul_first(ghash_data_t *gd, __m128i a, __m128i b)
Definition: ghash.h:129