From: jsing <jsing@openbsd.org>
Date: Wed, 27 Mar 2024 08:24:13 +0000 (+0000)
Subject: Remove near duplicate AES_set_{encrypt,decrypt}_key() functions.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=cc1e018af35d0763c702c77cef1ee8db6df14bf4;p=openbsd

Remove near duplicate AES_set_{encrypt,decrypt}_key() functions.

There are currently three ways in which AES is implemented - all in
assembly (amd64 et al), all in C (aarch64 et al) and, half in C and
half in assembly (hppa and sparc64). The last of these cases currently
makes use of a near duplicate AES_set_{encrypt,decrypt}_key()
implementation that avoids using the AES tables.

Remove the near duplicate version and if only a half assembly version is
implemented, use the same C version of AES_set_{encrypt,decrypt}_key() as
everyone else. This adds around 8KB of rodata to libcrypto on these two
platforms.

Discussed with beck and tb.
---

diff --git a/lib/libcrypto/aes/aes_core.c b/lib/libcrypto/aes/aes_core.c
index 9ec84a5c82c..6449ca7cfad 100644
--- a/lib/libcrypto/aes/aes_core.c
+++ b/lib/libcrypto/aes/aes_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_core.c,v 1.17 2024/03/27 06:51:59 jsing Exp $ */
+/* $OpenBSD: aes_core.c,v 1.18 2024/03/27 08:24:13 jsing Exp $ */
 /**
  * rijndael-alg-fst.c
  *
@@ -37,7 +37,6 @@
 #include "aes_local.h"
 #include "crypto_internal.h"
 
-#ifndef AES_ASM
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -780,6 +779,7 @@ AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
 	return 0;
 }
 
+#ifndef AES_ASM
 /*
  * Encrypt a single block
  * in and out can overlap
@@ -1159,210 +1159,4 @@ AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
 	    rk[3];
 	PUTU32(out + 12, s3);
 }
-
-#else /* AES_ASM */
-
-static const u8 Te4[256] = {
-	0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U,
-	0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U,
-	0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U,
-	0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U,
-	0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU,
-	0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U,
-	0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU,
-	0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U,
-	0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U,
-	0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U,
-	0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU,
-	0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU,
-	0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U,
-	0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U,
-	0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U,
-	0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U,
-	0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U,
-	0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U,
-	0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U,
-	0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU,
-	0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU,
-	0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U,
-	0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U,
-	0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U,
-	0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U,
-	0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU,
-	0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU,
-	0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU,
-	0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U,
-	0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU,
-	0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U,
-	0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U
-};
-static const u32 rcon[] = {
-	0x01000000, 0x02000000, 0x04000000, 0x08000000,
-	0x10000000, 0x20000000, 0x40000000, 0x80000000,
-	0x1B000000, 0x36000000,
-	/* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
-};
-
-/**
- * Expand the cipher key into the encryption key schedule.
- */
-int
-AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
-{
-	u32 *rk;
-	int i = 0;
-	u32 temp;
-
-	if (!userKey || !key)
-		return -1;
-	if (bits != 128 && bits != 192 && bits != 256)
-		return -2;
-
-	rk = key->rd_key;
-
-	if (bits == 128)
-		key->rounds = 10;
-	else if (bits == 192)
-		key->rounds = 12;
-	else
-		key->rounds = 14;
-
-	rk[0] = GETU32(userKey);
-	rk[1] = GETU32(userKey +  4);
-	rk[2] = GETU32(userKey +  8);
-	rk[3] = GETU32(userKey + 12);
-	if (bits == 128) {
-		while (1) {
-			temp = rk[3];
-			rk[4] = rk[0] ^
-			    (Te4[(temp >> 16) & 0xff] << 24) ^
-			    (Te4[(temp >> 8) & 0xff] << 16) ^
-			    (Te4[(temp) & 0xff] << 8) ^
-			    (Te4[(temp >> 24)]) ^
-			    rcon[i];
-			rk[5] = rk[1] ^ rk[4];
-			rk[6] = rk[2] ^ rk[5];
-			rk[7] = rk[3] ^ rk[6];
-			if (++i == 10) {
-				return 0;
-			}
-			rk += 4;
-		}
-	}
-	rk[4] = GETU32(userKey + 16);
-	rk[5] = GETU32(userKey + 20);
-	if (bits == 192) {
-		while (1) {
-			temp = rk[5];
-			rk[6] = rk[0] ^
-			    (Te4[(temp >> 16) & 0xff] << 24) ^
-			    (Te4[(temp >> 8) & 0xff] << 16) ^
-			    (Te4[(temp) & 0xff] << 8) ^
-			    (Te4[(temp >> 24)]) ^
-			    rcon[i];
-			rk[7] = rk[1] ^ rk[6];
-			rk[8] = rk[2] ^ rk[7];
-			rk[9] = rk[3] ^ rk[8];
-			if (++i == 8) {
-				return 0;
-			}
-			rk[10] = rk[4] ^ rk[9];
-			rk[11] = rk[5] ^ rk[10];
-			rk += 6;
-		}
-	}
-	rk[6] = GETU32(userKey + 24);
-	rk[7] = GETU32(userKey + 28);
-	if (bits == 256) {
-		while (1) {
-			temp = rk[7];
-			rk[8] = rk[0] ^
-			    (Te4[(temp >> 16) & 0xff] << 24) ^
-			    (Te4[(temp >> 8) & 0xff] << 16) ^
-			    (Te4[(temp) & 0xff] << 8) ^
-			    (Te4[(temp >> 24)]) ^
-			    rcon[i];
-			rk[9] = rk[1] ^ rk[8];
-			rk[10] = rk[2] ^ rk[9];
-			rk[11] = rk[3] ^ rk[10];
-			if (++i == 7) {
-				return 0;
-			}
-			temp = rk[11];
-			rk[12] = rk[4] ^
-			    (Te4[(temp >> 24)] << 24) ^
-			    (Te4[(temp >> 16) & 0xff] << 16) ^
-			    (Te4[(temp >> 8) & 0xff] << 8) ^
-			    (Te4[(temp) & 0xff]);
-			rk[13] = rk[5] ^ rk[12];
-			rk[14] = rk[6] ^ rk[13];
-			rk[15] = rk[7] ^ rk[14];
-
-			rk += 8;
-		}
-	}
-	return 0;
-}
-
-/**
- * Expand the cipher key into the decryption key schedule.
- */
-int
-AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-    AES_KEY *key)
-{
-	u32 *rk;
-	int i, j, status;
-	u32 temp;
-
-	/* first, start with an encryption schedule */
-	status = AES_set_encrypt_key(userKey, bits, key);
-	if (status < 0)
-		return status;
-
-	rk = key->rd_key;
-
-	/* invert the order of the round keys: */
-	for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
-		temp = rk[i];
-		rk[i] = rk[j];
-		rk[j] = temp;
-		temp = rk[i + 1];
-		rk[i + 1] = rk[j + 1];
-		rk[j + 1] = temp;
-		temp = rk[i + 2];
-		rk[i + 2] = rk[j + 2];
-		rk[j + 2] = temp;
-		temp = rk[i + 3];
-		rk[i + 3] = rk[j + 3];
-		rk[j + 3] = temp;
-	}
-	/* apply the inverse MixColumn transform to all round keys but the first and the last: */
-	for (i = 1; i < (key->rounds); i++) {
-		rk += 4;
-		for (j = 0; j < 4; j++) {
-			u32 tp1, tp2, tp4, tp8, tp9, tpb, tpd, tpe, m;
-
-			tp1 = rk[j];
-			m = tp1 & 0x80808080;
-			tp2 = ((tp1 & 0x7f7f7f7f) << 1) ^
-			    ((m - (m >> 7)) & 0x1b1b1b1b);
-			m = tp2 & 0x80808080;
-			tp4 = ((tp2 & 0x7f7f7f7f) << 1) ^
-			    ((m - (m >> 7)) & 0x1b1b1b1b);
-			m = tp4 & 0x80808080;
-			tp8 = ((tp4 & 0x7f7f7f7f) << 1) ^
-			    ((m - (m >> 7)) & 0x1b1b1b1b);
-			tp9 = tp8 ^ tp1;
-			tpb = tp9 ^ tp2;
-			tpd = tp9 ^ tp4;
-			tpe = tp8 ^ tp4 ^ tp2;
-
-			rk[j] = tpe ^ crypto_rol_u32(tpd, 16) ^
-			    crypto_rol_u32(tp9, 24) ^ crypto_rol_u32(tpb, 8);
-		}
-	}
-	return 0;
-}
-
 #endif /* AES_ASM */