From abb03e21a8d0fc7f97a871f5aee5a8084176540f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 27 Jun 2025 17:10:45 +0000
Subject: Move AES-NI from EVP to AES for CTR mode.

The mode implementation for CTR has two variants - one takes the block
function, while the other takes a "ctr32" function. The latter is expected
to handle the lower 32 bits of the IV/counter, but is not expected to
handle overflow. The AES-NI implementation for CTR currently uses the
second variant.

Provide aes_ctr32_encrypt_internal() as a function that can be replaced on
a machine dependent basis, along with an aes_ctr32_encrypt_generic()
function that provides the default implementation and can be used as a
fallback. Wire up the AES-NI version for amd64 and i386, change
AES_ctr128_encrypt() to use CRYPTO_ctr128_encrypt_ctr32() (which calls
aes_ctr32_encrypt_internal()) and remove the various AES-NI specific
EVP_CIPHER methods for CTR.

Callers of AES_ctr128_encrypt() will now use AES-NI, if available.

ok tb@
---
 src/lib/libcrypto/aes/aes.c       | 53 ++++++++++++++++++++++++++++++++++++---
 src/lib/libcrypto/aes/aes_amd64.c | 20 ++++++++++++++-
 src/lib/libcrypto/aes/aes_i386.c  | 20 ++++++++++++++-
 3 files changed, 88 insertions(+), 5 deletions(-)

(limited to 'src/lib/libcrypto/aes')

diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index e630c3f81a..e9dbe975e3 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.9 2025/06/03 08:42:15 kenjiro Exp $ */
+/* $OpenBSD: aes.c,v 1.10 2025/06/27 17:10:45 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -56,6 +56,7 @@
 #include <openssl/modes.h>
 
 #include "crypto_arch.h"
+#include "crypto_internal.h"
 
 static const unsigned char aes_wrap_default_iv[] = {
 	0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
@@ -170,13 +171,59 @@ AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, size_t length,
 }
 LCRYPTO_ALIAS(AES_cfb8_encrypt);
 
+void
+aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+	uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+	uint32_t ctr;
+	int i;
+
+	memcpy(iv, ivec, sizeof(iv));
+
+	ctr = crypto_load_be32toh(&iv[12]);
+
+	while (blocks > 0) {
+		crypto_store_htobe32(&iv[12], ctr);
+		aes_encrypt_internal(iv, buf, key);
+		ctr++;
+
+		for (i = 0; i < AES_BLOCK_SIZE; i++)
+			out[i] = in[i] ^ buf[i];
+
+		in += 16;
+		out += 16;
+		blocks--;
+	}
+}
+
+#ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
+void aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
+#else
+static inline void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+	aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+#endif
+
+void
+aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out, size_t blocks,
+    const void *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+	aes_ctr32_encrypt_internal(in, out, blocks, key, ivec);
+}
+
 void
 AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
     size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],
     unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)
 {
-	CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
-	    aes_encrypt_block128);
+	CRYPTO_ctr128_encrypt_ctr32(in, out, length, key, ivec, ecount_buf,
+	    num, aes_ctr32_encrypt_ctr128f);
 }
 LCRYPTO_ALIAS(AES_ctr128_encrypt);
 
diff --git a/src/lib/libcrypto/aes/aes_amd64.c b/src/lib/libcrypto/aes/aes_amd64.c
index 302d1ac91d..456409d186 100644
--- a/src/lib/libcrypto/aes/aes_amd64.c
+++ b/src/lib/libcrypto/aes/aes_amd64.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_amd64.c,v 1.1 2025/06/15 15:11:50 jsing Exp $ */
+/* $OpenBSD: aes_amd64.c,v 1.2 2025/06/27 17:10:45 jsing Exp $ */
 /*
  * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
  *
@@ -32,6 +32,9 @@ void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
 void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
     size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
 
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
     AES_KEY *key);
 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
@@ -45,6 +48,9 @@ void aesni_decrypt(const unsigned char *in, unsigned char *out,
 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
     size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
 
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+
 int
 aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
     AES_KEY *key)
@@ -100,3 +106,15 @@ aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
 
 	aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
 }
+
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+	if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+		aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+		return;
+	}
+
+	aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
diff --git a/src/lib/libcrypto/aes/aes_i386.c b/src/lib/libcrypto/aes/aes_i386.c
index 0b5c89af70..2da02a8d35 100644
--- a/src/lib/libcrypto/aes/aes_i386.c
+++ b/src/lib/libcrypto/aes/aes_i386.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_i386.c,v 1.1 2025/06/15 15:11:50 jsing Exp $ */
+/* $OpenBSD: aes_i386.c,v 1.2 2025/06/27 17:10:45 jsing Exp $ */
 /*
  * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
  *
@@ -32,6 +32,9 @@ void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
 void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
     size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
 
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
     AES_KEY *key);
 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
@@ -45,6 +48,9 @@ void aesni_decrypt(const unsigned char *in, unsigned char *out,
 void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
     size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
 
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+
 int
 aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
     AES_KEY *key)
@@ -100,3 +106,15 @@ aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
 
 	aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
 }
+
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+	if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+		aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+		return;
+	}
+
+	aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
-- 
cgit v1.2.3-55-g6feb