GcmUtilities.cs 9.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302
  1. #if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
  2. #pragma warning disable
  3. using System;
  4. using System.Diagnostics;
  5. #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER || UNITY_2021_2_OR_NEWER
  6. using System.Runtime.CompilerServices;
  7. #endif
  8. #if NETCOREAPP3_0_OR_GREATER
  9. using System.Runtime.Intrinsics;
  10. using System.Runtime.Intrinsics.X86;
  11. #endif
  12. using Best.HTTP.SecureProtocol.Org.BouncyCastle.Crypto.Utilities;
  13. using Best.HTTP.SecureProtocol.Org.BouncyCastle.Math.Raw;
  14. using Best.HTTP.SecureProtocol.Org.BouncyCastle.Utilities;
  15. namespace Best.HTTP.SecureProtocol.Org.BouncyCastle.Crypto.Modes.Gcm
  16. {
  17. internal abstract class GcmUtilities
  18. {
  19. internal struct FieldElement
  20. {
  21. internal ulong n0, n1;
  22. }
  23. private const uint E1 = 0xe1000000;
  24. private const ulong E1UL = (ulong)E1 << 32;
  25. internal static void One(out FieldElement x)
  26. {
  27. x.n0 = 1UL << 63;
  28. x.n1 = 0UL;
  29. }
  30. #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER || UNITY_2021_2_OR_NEWER
  31. [MethodImpl(MethodImplOptions.AggressiveInlining)]
  32. #endif
  33. internal static void AsBytes(ulong x0, ulong x1, byte[] z)
  34. {
  35. Pack.UInt64_To_BE(x0, z, 0);
  36. Pack.UInt64_To_BE(x1, z, 8);
  37. }
  38. #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER || UNITY_2021_2_OR_NEWER
  39. [MethodImpl(MethodImplOptions.AggressiveInlining)]
  40. #endif
  41. internal static void AsBytes(ref FieldElement x, byte[] z)
  42. {
  43. AsBytes(x.n0, x.n1, z);
  44. }
  45. #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER || UNITY_2021_2_OR_NEWER
  46. [MethodImpl(MethodImplOptions.AggressiveInlining)]
  47. #endif
  48. internal static void AsFieldElement(byte[] x, out FieldElement z)
  49. {
  50. z.n0 = Pack.BE_To_UInt64(x, 0);
  51. z.n1 = Pack.BE_To_UInt64(x, 8);
  52. }
  53. internal static void DivideP(ref FieldElement x, out FieldElement z)
  54. {
  55. ulong x0 = x.n0, x1 = x.n1;
  56. ulong m = (ulong)((long)x0 >> 63);
  57. x0 ^= (m & E1UL);
  58. z.n0 = (x0 << 1) | (x1 >> 63);
  59. z.n1 = (x1 << 1) | (ulong)(-(long)m);
  60. }
  61. internal static void Multiply(byte[] x, byte[] y)
  62. {
  63. AsFieldElement(x, out FieldElement X);
  64. AsFieldElement(y, out FieldElement Y);
  65. Multiply(ref X, ref Y);
  66. AsBytes(ref X, x);
  67. }
  68. internal static void Multiply(ref FieldElement x, ref FieldElement y)
  69. {
  70. ulong z0, z1, z2, z3;
  71. #if NETCOREAPP3_0_OR_GREATER
  72. if (Pclmulqdq.IsSupported)
  73. {
  74. var X = Vector128.Create(x.n1, x.n0);
  75. var Y = Vector128.Create(y.n1, y.n0);
  76. var Z0 = Pclmulqdq.CarrylessMultiply(X, Y, 0x00);
  77. var Z1 = Sse2.Xor(
  78. Pclmulqdq.CarrylessMultiply(X, Y, 0x01),
  79. Pclmulqdq.CarrylessMultiply(X, Y, 0x10));
  80. var Z2 = Pclmulqdq.CarrylessMultiply(X, Y, 0x11);
  81. ulong t3 = Z0.GetElement(0);
  82. ulong t2 = Z0.GetElement(1) ^ Z1.GetElement(0);
  83. ulong t1 = Z2.GetElement(0) ^ Z1.GetElement(1);
  84. ulong t0 = Z2.GetElement(1);
  85. z0 = (t0 << 1) | (t1 >> 63);
  86. z1 = (t1 << 1) | (t2 >> 63);
  87. z2 = (t2 << 1) | (t3 >> 63);
  88. z3 = (t3 << 1);
  89. }
  90. else
  91. #endif
  92. {
  93. /*
  94. * "Three-way recursion" as described in "Batch binary Edwards", Daniel J. Bernstein.
  95. *
  96. * Without access to the high part of a 64x64 product x * y, we use a bit reversal to calculate it:
  97. * rev(x) * rev(y) == rev((x * y) << 1)
  98. */
  99. ulong x0 = x.n0, x1 = x.n1;
  100. ulong y0 = y.n0, y1 = y.n1;
  101. ulong x0r = Longs.Reverse(x0), x1r = Longs.Reverse(x1);
  102. ulong y0r = Longs.Reverse(y0), y1r = Longs.Reverse(y1);
  103. ulong h0 = Longs.Reverse(ImplMul64(x0r, y0r));
  104. ulong h1 = ImplMul64(x0, y0) << 1;
  105. ulong h2 = Longs.Reverse(ImplMul64(x1r, y1r));
  106. ulong h3 = ImplMul64(x1, y1) << 1;
  107. ulong h4 = Longs.Reverse(ImplMul64(x0r ^ x1r, y0r ^ y1r));
  108. ulong h5 = ImplMul64(x0 ^ x1, y0 ^ y1) << 1;
  109. z0 = h0;
  110. z1 = h1 ^ h0 ^ h2 ^ h4;
  111. z2 = h2 ^ h1 ^ h3 ^ h5;
  112. z3 = h3;
  113. }
  114. Debug.Assert(z3 << 63 == 0);
  115. z1 ^= z3 ^ (z3 >> 1) ^ (z3 >> 2) ^ (z3 >> 7);
  116. // z2 ^= (z3 << 63) ^ (z3 << 62) ^ (z3 << 57);
  117. z2 ^= (z3 << 62) ^ (z3 << 57);
  118. z0 ^= z2 ^ (z2 >> 1) ^ (z2 >> 2) ^ (z2 >> 7);
  119. z1 ^= (z2 << 63) ^ (z2 << 62) ^ (z2 << 57);
  120. x.n0 = z0;
  121. x.n1 = z1;
  122. }
  123. internal static void MultiplyP7(ref FieldElement x)
  124. {
  125. ulong x0 = x.n0, x1 = x.n1;
  126. ulong c = x1 << 57;
  127. x.n0 = (x0 >> 7) ^ c ^ (c >> 1) ^ (c >> 2) ^ (c >> 7);
  128. x.n1 = (x1 >> 7) | (x0 << 57);
  129. }
  130. internal static void MultiplyP8(ref FieldElement x)
  131. {
  132. ulong x0 = x.n0, x1 = x.n1;
  133. ulong c = x1 << 56;
  134. x.n0 = (x0 >> 8) ^ c ^ (c >> 1) ^ (c >> 2) ^ (c >> 7);
  135. x.n1 = (x1 >> 8) | (x0 << 56);
  136. }
  137. internal static void MultiplyP8(ref FieldElement x, out FieldElement y)
  138. {
  139. ulong x0 = x.n0, x1 = x.n1;
  140. ulong c = x1 << 56;
  141. y.n0 = (x0 >> 8) ^ c ^ (c >> 1) ^ (c >> 2) ^ (c >> 7);
  142. y.n1 = (x1 >> 8) | (x0 << 56);
  143. }
  144. internal static void MultiplyP16(ref FieldElement x)
  145. {
  146. ulong x0 = x.n0, x1 = x.n1;
  147. ulong c = x1 << 48;
  148. x.n0 = (x0 >> 16) ^ c ^ (c >> 1) ^ (c >> 2) ^ (c >> 7);
  149. x.n1 = (x1 >> 16) | (x0 << 48);
  150. }
  151. internal static void Square(ref FieldElement x)
  152. {
  153. ulong z1 = Interleave.Expand64To128Rev(x.n0, out ulong z0);
  154. ulong z3 = Interleave.Expand64To128Rev(x.n1, out ulong z2);
  155. Debug.Assert(z3 << 63 == 0);
  156. z1 ^= z3 ^ (z3 >> 1) ^ (z3 >> 2) ^ (z3 >> 7);
  157. // z2 ^= (z3 << 63) ^ (z3 << 62) ^ (z3 << 57);
  158. z2 ^= (z3 << 62) ^ (z3 << 57);
  159. Debug.Assert(z2 << 63 == 0);
  160. z0 ^= z2 ^ (z2 >> 1) ^ (z2 >> 2) ^ (z2 >> 7);
  161. // z1 ^= (z2 << 63) ^ (z2 << 62) ^ (z2 << 57);
  162. z1 ^= (z2 << 62) ^ (z2 << 57);
  163. x.n0 = z0;
  164. x.n1 = z1;
  165. }
  166. internal static void Xor(byte[] x, byte[] y)
  167. {
  168. int i = 0;
  169. do
  170. {
  171. x[i] ^= y[i]; ++i;
  172. x[i] ^= y[i]; ++i;
  173. x[i] ^= y[i]; ++i;
  174. x[i] ^= y[i]; ++i;
  175. }
  176. while (i < 16);
  177. }
  178. internal static void Xor(byte[] x, byte[] y, int yOff)
  179. {
  180. int i = 0;
  181. do
  182. {
  183. x[i] ^= y[yOff + i]; ++i;
  184. x[i] ^= y[yOff + i]; ++i;
  185. x[i] ^= y[yOff + i]; ++i;
  186. x[i] ^= y[yOff + i]; ++i;
  187. }
  188. while (i < 16);
  189. }
  190. internal static void Xor(byte[] x, byte[] y, int yOff, int yLen)
  191. {
  192. while (--yLen >= 0)
  193. {
  194. x[yLen] ^= y[yOff + yLen];
  195. }
  196. }
  197. internal static void Xor(byte[] x, int xOff, byte[] y, int yOff, int len)
  198. {
  199. while (--len >= 0)
  200. {
  201. x[xOff + len] ^= y[yOff + len];
  202. }
  203. }
  204. internal static void Xor(ref FieldElement x, ref FieldElement y)
  205. {
  206. x.n0 ^= y.n0;
  207. x.n1 ^= y.n1;
  208. }
  209. internal static void Xor(ref FieldElement x, ref FieldElement y, out FieldElement z)
  210. {
  211. z.n0 = x.n0 ^ y.n0;
  212. z.n1 = x.n1 ^ y.n1;
  213. }
  214. #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER || UNITY_2021_2_OR_NEWER
  215. internal static void Xor(Span<byte> x, ReadOnlySpan<byte> y)
  216. {
  217. int i = 0;
  218. do
  219. {
  220. x[i] ^= y[i]; ++i;
  221. x[i] ^= y[i]; ++i;
  222. x[i] ^= y[i]; ++i;
  223. x[i] ^= y[i]; ++i;
  224. }
  225. while (i < 16);
  226. }
  227. internal static void Xor(Span<byte> x, ReadOnlySpan<byte> y, int len)
  228. {
  229. for (int i = 0; i < len; ++i)
  230. {
  231. x[i] ^= y[i];
  232. }
  233. }
  234. #endif
  235. private static ulong ImplMul64(ulong x, ulong y)
  236. {
  237. ulong x0 = x & 0x1111111111111111UL;
  238. ulong x1 = x & 0x2222222222222222UL;
  239. ulong x2 = x & 0x4444444444444444UL;
  240. ulong x3 = x & 0x8888888888888888UL;
  241. ulong y0 = y & 0x1111111111111111UL;
  242. ulong y1 = y & 0x2222222222222222UL;
  243. ulong y2 = y & 0x4444444444444444UL;
  244. ulong y3 = y & 0x8888888888888888UL;
  245. ulong z0 = (x0 * y0) ^ (x1 * y3) ^ (x2 * y2) ^ (x3 * y1);
  246. ulong z1 = (x0 * y1) ^ (x1 * y0) ^ (x2 * y3) ^ (x3 * y2);
  247. ulong z2 = (x0 * y2) ^ (x1 * y1) ^ (x2 * y0) ^ (x3 * y3);
  248. ulong z3 = (x0 * y3) ^ (x1 * y2) ^ (x2 * y1) ^ (x3 * y0);
  249. z0 &= 0x1111111111111111UL;
  250. z1 &= 0x2222222222222222UL;
  251. z2 &= 0x4444444444444444UL;
  252. z3 &= 0x8888888888888888UL;
  253. return z0 | z1 | z2 | z3;
  254. }
  255. }
  256. }
  257. #pragma warning restore
  258. #endif