Use aesni_gcm_mult() if available

2013-12-26 16:09:58 +01:00 · 2013-12-26 16:09:58 +01:00 · 80637c7520
commit 80637c7520
parent d333f67f8c
1 changed files with 29 additions and 4 deletions
--- a/library/gcm.c
+++ b/library/gcm.c
@ -39,6 +39,10 @@

 #include "polarssl/gcm.h"

+#if defined(POLARSSL_AESNI_C)
+#include "polarssl/aesni.h"
+#endif
+
 /*
 * 32-bit integer manipulation macros (big endian)
 */
@ -82,10 +86,7 @@ static int gcm_gen_table( gcm_context *ctx )
    if( ( ret = cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
        return( ret );

-    /* 0 corresponds to 0 in GF(2^128) */
-    ctx->HH[0] = 0;
-    ctx->HL[0] = 0;
-
+    /* pack h as two 64-bits ints, big-endian */
    GET_UINT32_BE( hi, h,  0  );
    GET_UINT32_BE( lo, h,  4  );
    vh = (uint64_t) hi << 32 | lo;
@ -98,6 +99,16 @@ static int gcm_gen_table( gcm_context *ctx )
    ctx->HL[8] = vl;
    ctx->HH[8] = vh;

+#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
+    /* With CLMUL support, we need only h, not the rest of the table */
+    if( aesni_supports( POLARSSL_AESNI_CLMUL ) )
+        return( 0 );
+#endif
+
+    /* 0 corresponds to 0 in GF(2^128) */
+    ctx->HH[0] = 0;
+    ctx->HL[0] = 0;
+
    for( i = 4; i > 0; i >>= 1 )
    {
        uint32_t T = ( vl & 1 ) * 0xe1000000U;
@ -178,6 +189,20 @@ static void gcm_mult( gcm_context *ctx, const unsigned char x[16],
    unsigned char lo, hi, rem;
    uint64_t zh, zl;

+#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
+    if( aesni_supports( POLARSSL_AESNI_CLMUL ) ) {
+        unsigned char h[16];
+
+        PUT_UINT32_BE( ctx->HH[8] >> 32, h,  0 );
+        PUT_UINT32_BE( ctx->HH[8],       h,  4 );
+        PUT_UINT32_BE( ctx->HL[8] >> 32, h,  8 );
+        PUT_UINT32_BE( ctx->HL[8],       h, 12 );
+
+        (void) aesni_gcm_mult( output, x, h );
+        return;
+    }
+#endif
+
    memset( z, 0x00, 16 );

    lo = x[15] & 0xf;