Remove TABLE_BITS from gcm128.

TABLE_BITS is always currently defined as 4 - 8 is considered to be insecure due to timing leaks and 1 is considerably slower. Remove code that is not regularly tested, does not serve a lot of purpose and is making clean up harder than it needs to be. ok tb@
author: jsing <> 2025-05-17 14:43:17 +0000
committer: jsing <> 2025-05-17 14:43:17 +0000
commit: f44ddf9f41363e8a6de09b44beb526fdf57a4780 (patch)
tree: 83c580044873f027e70f6a1dfe68580cfb0b0f0c /src
parent: 9f33ea4d1589efc7e1fa264dce4ef8ebc435b0b1 (diff)
download: openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.tar.gz
openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.tar.bz2
openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.zip
2 files changed, 3 insertions, 248 deletions
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 422aa7d499..5eb616cef7 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.36 2025/05/16 15:09:26 jsing Exp $ */
+/* $OpenBSD: gcm128.c,v 1.37 2025/05/17 14:43:17 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -69,184 +69,6 @@
                }                                                       \
        } while(0)
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8. 8 is effectively reserved for testing purposes.
- * TABLE_BITS>1 are lookup-table-driven implementations referred to as
- * "Shoup's" in GCM specification. In other words OpenSSL does not cover
- * whole spectrum of possible table driven implementations. Why? In
- * non-"Shoup's" case memory access pattern is segmented in such manner,
- * that it's trivial to see that cache timing information can reveal
- * fair portion of intermediate hash value. Given that ciphertext is
- * always available to attacker, it's possible for him to attempt to
- * deduce secret parameter H and if successful, tamper with messages
- * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
- * not as trivial, but there is no reason to believe that it's resistant
- * to cache-timing attack. And the thing about "8-bit" implementation is
- * that it consumes 16 (sixteen) times more memory, 4KB per individual
- * key + 1KB shared. Well, on pros side it should be twice as fast as
- * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
- * was observed to run ~75% faster, closer to 100% for commercial
- * compilers... Yet "4-bit" procedure is preferred, because it's
- * believed to provide better security-performance balance and adequate
- * all-round performance. "All-round" refers to things like:
- *
- * - shorter setup time effectively improves overall timing for
- *   handling short messages;
- * - larger table allocation can become unbearable because of VM
- *   subsystem penalties (for example on Windows large enough free
- *   results in VM working set trimming, meaning that consequent
- *   malloc would immediately incur working set expansion);
- * - larger table has larger cache footprint, which can affect
- *   performance of other code paths (not necessarily even from same
- *   thread in Hyper-Threading world);
- *
- * Value of 1 is not appropriate for performance reasons.
- */
-#if     TABLE_BITS==8
-static void
-gcm_init_8bit(u128 Htable[256], u64 H[2])
-{
-        int  i, j;
-        u128 V;
-        Htable[0].hi = 0;
-        Htable[0].lo = 0;
-        V.hi = H[0];
-        V.lo = H[1];
-        for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
-                REDUCE1BIT(V);
-                Htable[i] = V;
-        }
-        for (i = 2; i < 256; i <<= 1) {
-                u128 *Hi = Htable + i, H0 = *Hi;
-                for (j = 1; j < i; ++j) {
-                        Hi[j].hi = H0.hi ^ Htable[j].hi;
-                        Hi[j].lo = H0.lo ^ Htable[j].lo;
-                }
-        }
-}
-static void
-gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
-{
-        u128 Z = { 0, 0};
-        const u8 *xi = (const u8 *)Xi + 15;
-        size_t rem, n = *xi;
-        static const size_t rem_8bit[256] = {
-                PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
-                PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
-                PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
-                PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
-                PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
-                PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
-                PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
-                PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
-                PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
-                PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
-                PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
-                PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
-                PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
-                PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
-                PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
-                PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
-                PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
-                PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
-                PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
-                PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
-                PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
-                PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
-                PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
-                PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
-                PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
-                PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
-                PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
-                PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
-                PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
-                PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
-                PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
-                PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
-                PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
-                PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
-                PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
-                PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
-                PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
-                PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
-                PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
-                PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
-                PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
-                PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
-                PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
-                PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
-                PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
-                PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
-                PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
-                PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
-                PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
-                PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
-                PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
-                PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
-                PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
-                PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
-                PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
-                PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
-                PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
-                PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
-                PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
-                PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
-                PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
-                PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
-                PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
-                PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) };
-        while (1) {
-                Z.hi ^= Htable[n].hi;
-                Z.lo ^= Htable[n].lo;
-                if ((u8 *)Xi == xi)
-                        break;
-                n = *(--xi);
-                rem = (size_t)Z.lo & 0xff;
-                Z.lo = (Z.hi << 56)|(Z.lo >> 8);
-                Z.hi = (Z.hi >> 8);
-#if SIZE_MAX == 0xffffffffffffffff
-                Z.hi ^= rem_8bit[rem];
-#else
-                Z.hi ^= (u64)rem_8bit[rem] << 32;
-#endif
-        }
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
-}
-static inline void
-gcm_mul(GCM128_CONTEXT *ctx, u64 u[2])
-{
-        gcm_gmult_8bit(u, ctx->Htable);
-}
-static inline void
-gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
-{
-        size_t i;
-        while (len >= 16) {
-                for (i = 0; i < 16; ++i)
-                        ctx->Xi.c[i] ^= in[i];
-                gcm_mul(ctx, ctx->Xi.u);
-                in += 16;
-                len -= 16;
-        }
-}
-#elif   TABLE_BITS==4
 static void
 gcm_init_4bit(u128 Htable[16], u64 H[2])
 {
@@ -543,56 +365,6 @@ gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
 */
 #define GHASH_CHUNK       (3*1024)
-#else   /* TABLE_BITS */
-static void
-gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
-{
-        u128 V, Z = { 0, 0 };
-        u64 X;
-        int i, j;
-        V.hi = H[0];    /* H is in host byte order, no byte swapping */
-        V.lo = H[1];
-        for (j = 0; j < 2; j++) {
-                X = be64toh(Xi[j]);
-                for (i = 0; i < 64; i++) {
-                        u64 M = 0 - (X >> 63);
-                        Z.hi ^= V.hi & M;
-                        Z.lo ^= V.lo & M;
-                        X <<= 1;
-                        REDUCE1BIT(V);
-                }
-        }
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
-}
-static inline void
-gcm_mul(GCM128_CONTEXT *ctx, u64 u[2])
-{
-        gcm_gmult_1bit(u, ctx->H.u);
-}
-static inline void
-gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
-{
-        size_t i;
-        while (len >= 16) {
-                for (i = 0; i < 16; ++i)
-                        ctx->Xi.c[i] ^= in[i];
-                gcm_mul(ctx, ctx->Xi.u);
-                in += 16;
-                len -= 16;
-        }
-}
-#endif
 #if     defined(GHASH_ASM) &&                                           \
        (defined(__i386)        || defined(__i386__)    ||              \
         defined(__x86_64)      || defined(__x86_64__)  ||              \
@@ -600,7 +372,7 @@ gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
 #include "x86_arch.h"
 #endif
-#if     TABLE_BITS==4 && defined(GHASH_ASM)
+#if     defined(GHASH_ASM)
 # if    (defined(__i386)        || defined(__i386__)    ||              \
         defined(__x86_64)      || defined(__x86_64__)  ||              \
         defined(_M_IX86)       || defined(_M_AMD64)    || defined(_M_X64))
@@ -645,9 +417,6 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
        ctx->H.u[0] = be64toh(ctx->H.u[0]);
        ctx->H.u[1] = be64toh(ctx->H.u[1]);
-#if     TABLE_BITS==8
-        gcm_init_8bit(ctx->Htable, ctx->H.u);
-#elif   TABLE_BITS==4
 # if    defined(GHASH_ASM_X86_OR_64)
 #  if   !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
        /* check FXSR and PCLMULQDQ bits */
@@ -688,7 +457,6 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
 # else
        gcm_init_4bit(ctx->Htable, ctx->H.u);
 # endif
-#endif
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_init);
diff --git a/src/lib/libcrypto/modes/modes_local.h b/src/lib/libcrypto/modes/modes_local.h
index c04db034d0..81994876e3 100644
--- a/src/lib/libcrypto/modes/modes_local.h
+++ b/src/lib/libcrypto/modes/modes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: modes_local.h,v 1.4 2025/04/23 14:15:19 jsing Exp $ */
+/* $OpenBSD: modes_local.h,v 1.5 2025/05/17 14:43:17 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -33,15 +33,6 @@ typedef struct {
        u64 hi, lo;
 } u128;
-#ifdef  TABLE_BITS
-#undef  TABLE_BITS
-#endif
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8 [or 1]. For further information see gcm128.c.
- */
-#define TABLE_BITS 4
 struct gcm128_context {
        /* Following 6 names follow names in GCM specification */
        union {
@@ -52,14 +43,10 @@ struct gcm128_context {
        } Yi, EKi, EK0, len, Xi, H;
        /* Relative position of Xi, H and pre-computed Htable is used
         * in some assembler modules, i.e. don't change the order! */
-#if TABLE_BITS==8
-        u128 Htable[256];
-#else
        u128 Htable[16];
        void (*gmult)(u64 Xi[2], const u128 Htable[16]);
        void (*ghash)(u64 Xi[2], const u128 Htable[16], const u8 *inp,
            size_t len);
-#endif
        unsigned int mres, ares;
        block128_f block;
        void *key;
author	jsing <>	2025-05-17 14:43:17 +0000
committer	jsing <>	2025-05-17 14:43:17 +0000
commit	f44ddf9f41363e8a6de09b44beb526fdf57a4780 (patch)
tree	83c580044873f027e70f6a1dfe68580cfb0b0f0c /src
parent	9f33ea4d1589efc7e1fa264dce4ef8ebc435b0b1 (diff)
download	openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.tar.gz openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.tar.bz2 openbsd-f44ddf9f41363e8a6de09b44beb526fdf57a4780.zip

diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c index 422aa7d499..5eb616cef7 100644 --- a/src/lib/libcrypto/modes/gcm128.c +++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: gcm128.c,v 1.36 2025/05/16 15:09:26 jsing Exp $ */	1	/* $OpenBSD: gcm128.c,v 1.37 2025/05/17 14:43:17 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2010 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2010 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -69,184 +69,6 @@
69	} \	69	} \
70	} while(0)	70	} while(0)
71		71
72	/*
73	* Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
74	* never be set to 8. 8 is effectively reserved for testing purposes.
75	* TABLE_BITS>1 are lookup-table-driven implementations referred to as
76	* "Shoup's" in GCM specification. In other words OpenSSL does not cover
77	* whole spectrum of possible table driven implementations. Why? In
78	* non-"Shoup's" case memory access pattern is segmented in such manner,
79	* that it's trivial to see that cache timing information can reveal
80	* fair portion of intermediate hash value. Given that ciphertext is
81	* always available to attacker, it's possible for him to attempt to
82	* deduce secret parameter H and if successful, tamper with messages
83	* [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
84	* not as trivial, but there is no reason to believe that it's resistant
85	* to cache-timing attack. And the thing about "8-bit" implementation is
86	* that it consumes 16 (sixteen) times more memory, 4KB per individual
87	* key + 1KB shared. Well, on pros side it should be twice as fast as
88	* "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
89	* was observed to run ~75% faster, closer to 100% for commercial
90	* compilers... Yet "4-bit" procedure is preferred, because it's
91	* believed to provide better security-performance balance and adequate
92	* all-round performance. "All-round" refers to things like:
93	*
94	* - shorter setup time effectively improves overall timing for
95	* handling short messages;
96	* - larger table allocation can become unbearable because of VM
97	* subsystem penalties (for example on Windows large enough free
98	* results in VM working set trimming, meaning that consequent
99	* malloc would immediately incur working set expansion);
100	* - larger table has larger cache footprint, which can affect
101	* performance of other code paths (not necessarily even from same
102	* thread in Hyper-Threading world);
103	*
104	* Value of 1 is not appropriate for performance reasons.
105	*/
106	#if TABLE_BITS==8
107
108	static void
109	gcm_init_8bit(u128 Htable[256], u64 H[2])
110	{
111	int i, j;
112	u128 V;
113
114	Htable[0].hi = 0;
115	Htable[0].lo = 0;
116	V.hi = H[0];
117	V.lo = H[1];
118
119	for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
120	REDUCE1BIT(V);
121	Htable[i] = V;
122	}
123
124	for (i = 2; i < 256; i <<= 1) {
125	u128 Hi = Htable + i, H0 = Hi;
126	for (j = 1; j < i; ++j) {
127	Hi[j].hi = H0.hi ^ Htable[j].hi;
128	Hi[j].lo = H0.lo ^ Htable[j].lo;
129	}
130	}
131	}
132
133	static void
134	gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
135	{
136	u128 Z = { 0, 0};
137	const u8 xi = (const u8 )Xi + 15;
138	size_t rem, n = *xi;
139	static const size_t rem_8bit[256] = {
140	PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
141	PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
142	PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
143	PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
144	PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
145	PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
146	PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
147	PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
148	PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
149	PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
150	PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
151	PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
152	PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
153	PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
154	PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
155	PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
156	PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
157	PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
158	PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
159	PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
160	PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
161	PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
162	PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
163	PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
164	PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
165	PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
166	PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
167	PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
168	PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
169	PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
170	PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
171	PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
172	PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
173	PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
174	PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
175	PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
176	PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
177	PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
178	PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
179	PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
180	PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
181	PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
182	PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
183	PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
184	PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
185	PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
186	PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
187	PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
188	PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
189	PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
190	PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
191	PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
192	PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
193	PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
194	PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
195	PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
196	PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
197	PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
198	PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
199	PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
200	PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
201	PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
202	PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
203	PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) };
204
205	while (1) {
206	Z.hi ^= Htable[n].hi;
207	Z.lo ^= Htable[n].lo;
208
209	if ((u8 *)Xi == xi)
210	break;
211
212	n = *(--xi);
213
214	rem = (size_t)Z.lo & 0xff;
215	Z.lo = (Z.hi << 56)\|(Z.lo >> 8);
216	Z.hi = (Z.hi >> 8);
217	#if SIZE_MAX == 0xffffffffffffffff
218	Z.hi ^= rem_8bit[rem];
219	#else
220	Z.hi ^= (u64)rem_8bit[rem] << 32;
221	#endif
222	}
223
224	Xi[0] = htobe64(Z.hi);
225	Xi[1] = htobe64(Z.lo);
226	}
227
228	static inline void
229	gcm_mul(GCM128_CONTEXT *ctx, u64 u[2])
230	{
231	gcm_gmult_8bit(u, ctx->Htable);
232	}
233
234	static inline void
235	gcm_ghash(GCM128_CONTEXT ctx, const uint8_t in, size_t len)
236	{
237	size_t i;
238
239	while (len >= 16) {
240	for (i = 0; i < 16; ++i)
241	ctx->Xi.c[i] ^= in[i];
242	gcm_mul(ctx, ctx->Xi.u);
243	in += 16;
244	len -= 16;
245	}
246	}
247
248	#elif TABLE_BITS==4
249
250	static void	72	static void
251	gcm_init_4bit(u128 Htable[16], u64 H[2])	73	gcm_init_4bit(u128 Htable[16], u64 H[2])
252	{	74	{
@@ -543,56 +365,6 @@ gcm_ghash(GCM128_CONTEXT ctx, const uint8_t in, size_t len)
543	*/	365	*/
544	#define GHASH_CHUNK (3*1024)	366	#define GHASH_CHUNK (3*1024)
545		367
546	#else /* TABLE_BITS */
547
548	static void
549	gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
550	{
551	u128 V, Z = { 0, 0 };
552	u64 X;
553	int i, j;
554
555	V.hi = H[0]; /* H is in host byte order, no byte swapping */
556	V.lo = H[1];
557
558	for (j = 0; j < 2; j++) {
559	X = be64toh(Xi[j]);
560
561	for (i = 0; i < 64; i++) {
562	u64 M = 0 - (X >> 63);
563	Z.hi ^= V.hi & M;
564	Z.lo ^= V.lo & M;
565	X <<= 1;
566
567	REDUCE1BIT(V);
568	}
569	}
570
571	Xi[0] = htobe64(Z.hi);
572	Xi[1] = htobe64(Z.lo);
573	}
574
575	static inline void
576	gcm_mul(GCM128_CONTEXT *ctx, u64 u[2])
577	{
578	gcm_gmult_1bit(u, ctx->H.u);
579	}
580
581	static inline void
582	gcm_ghash(GCM128_CONTEXT ctx, const uint8_t in, size_t len)
583	{
584	size_t i;
585
586	while (len >= 16) {
587	for (i = 0; i < 16; ++i)
588	ctx->Xi.c[i] ^= in[i];
589	gcm_mul(ctx, ctx->Xi.u);
590	in += 16;
591	len -= 16;
592	}
593	}
594	#endif
595
596	#if defined(GHASH_ASM) && \	368	#if defined(GHASH_ASM) && \
597	(defined(__i386) \|\| defined(__i386__) \|\| \	369	(defined(__i386) \|\| defined(__i386__) \|\| \
598	defined(__x86_64) \|\| defined(__x86_64__) \|\| \	370	defined(__x86_64) \|\| defined(__x86_64__) \|\| \
@@ -600,7 +372,7 @@ gcm_ghash(GCM128_CONTEXT ctx, const uint8_t in, size_t len)
600	#include "x86_arch.h"	372	#include "x86_arch.h"
601	#endif	373	#endif
602		374
603	#if TABLE_BITS==4 && defined(GHASH_ASM)	375	#if defined(GHASH_ASM)
604	# if (defined(__i386) \|\| defined(__i386__) \|\| \	376	# if (defined(__i386) \|\| defined(__i386__) \|\| \
605	defined(__x86_64) \|\| defined(__x86_64__) \|\| \	377	defined(__x86_64) \|\| defined(__x86_64__) \|\| \
606	defined(_M_IX86) \|\| defined(_M_AMD64) \|\| defined(_M_X64))	378	defined(_M_IX86) \|\| defined(_M_AMD64) \|\| defined(_M_X64))
@@ -645,9 +417,6 @@ CRYPTO_gcm128_init(GCM128_CONTEXT ctx, void key, block128_f block)
645	ctx->H.u[0] = be64toh(ctx->H.u[0]);	417	ctx->H.u[0] = be64toh(ctx->H.u[0]);
646	ctx->H.u[1] = be64toh(ctx->H.u[1]);	418	ctx->H.u[1] = be64toh(ctx->H.u[1]);
647		419
648	#if TABLE_BITS==8
649	gcm_init_8bit(ctx->Htable, ctx->H.u);
650	#elif TABLE_BITS==4
651	# if defined(GHASH_ASM_X86_OR_64)	420	# if defined(GHASH_ASM_X86_OR_64)
652	# if !defined(GHASH_ASM_X86) \|\| defined(OPENSSL_IA32_SSE2)	421	# if !defined(GHASH_ASM_X86) \|\| defined(OPENSSL_IA32_SSE2)
653	/* check FXSR and PCLMULQDQ bits */	422	/* check FXSR and PCLMULQDQ bits */
@@ -688,7 +457,6 @@ CRYPTO_gcm128_init(GCM128_CONTEXT ctx, void key, block128_f block)
688	# else	457	# else
689	gcm_init_4bit(ctx->Htable, ctx->H.u);	458	gcm_init_4bit(ctx->Htable, ctx->H.u);
690	# endif	459	# endif
691	#endif
692	}	460	}
693	LCRYPTO_ALIAS(CRYPTO_gcm128_init);	461	LCRYPTO_ALIAS(CRYPTO_gcm128_init);
694		462


diff --git a/src/lib/libcrypto/modes/modes_local.h b/src/lib/libcrypto/modes/modes_local.h index c04db034d0..81994876e3 100644 --- a/src/lib/libcrypto/modes/modes_local.h +++ b/src/lib/libcrypto/modes/modes_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: modes_local.h,v 1.4 2025/04/23 14:15:19 jsing Exp $ */	1	/* $OpenBSD: modes_local.h,v 1.5 2025/05/17 14:43:17 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2010 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2010 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -33,15 +33,6 @@ typedef struct {
33	u64 hi, lo;	33	u64 hi, lo;
34	} u128;	34	} u128;
35		35
36	#ifdef TABLE_BITS
37	#undef TABLE_BITS
38	#endif
39	/*
40	* Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
41	* never be set to 8 [or 1]. For further information see gcm128.c.
42	*/
43	#define TABLE_BITS 4
44
45	struct gcm128_context {	36	struct gcm128_context {
46	/* Following 6 names follow names in GCM specification */	37	/* Following 6 names follow names in GCM specification */
47	union {	38	union {
@@ -52,14 +43,10 @@ struct gcm128_context {
52	} Yi, EKi, EK0, len, Xi, H;	43	} Yi, EKi, EK0, len, Xi, H;
53	/* Relative position of Xi, H and pre-computed Htable is used	44	/* Relative position of Xi, H and pre-computed Htable is used
54	* in some assembler modules, i.e. don't change the order! */	45	* in some assembler modules, i.e. don't change the order! */
55	#if TABLE_BITS==8
56	u128 Htable[256];
57	#else
58	u128 Htable[16];	46	u128 Htable[16];
59	void (*gmult)(u64 Xi[2], const u128 Htable[16]);	47	void (*gmult)(u64 Xi[2], const u128 Htable[16]);
60	void (ghash)(u64 Xi[2], const u128 Htable[16], const u8 inp,	48	void (ghash)(u64 Xi[2], const u128 Htable[16], const u8 inp,
61	size_t len);	49	size_t len);
62	#endif
63	unsigned int mres, ares;	50	unsigned int mres, ares;
64	block128_f block;	51	block128_f block;
65	void *key;	52	void *key;