Domovská stránka Prehľadávať Pomoc
Registrovať Prihlásiť sa
cantushui
/
libh2o-win
1
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: 58fb27814a
Branche Tagy
libh2o-win
/
picotls
/
lib
/
fusion.c

fusion.c 108 KB
História Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249 
  1. /*
    2. 

  2.  * This source file is licensed under the Apache License 2.0 *and* the MIT
    3. 

  3.  * License. Please agree to *both* of the licensing terms!
    4. 

  4.  *
    5. 

  5.  *
    6. 

  6.  * `transformH` function is a derivative work of OpenSSL. The original work
    7. 

  7.  * is covered by the following license:
    8. 

  8.  *
    9. 

  9.  * Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
    10. 

  10.  *
    11. 

  11.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    12. 

  12.  * this file except in compliance with the License.  You can obtain a copy
    13. 

  13.  * in the file LICENSE in the source distribution or at
    14. 

  14.  * https://www.openssl.org/source/license.html
    15. 

  15.  *
    16. 

  16.  *
    17. 

  17.  * All other work, including modifications to the `transformH` function is
    18. 

  18.  * covered by the following MIT license:
    19. 

  19.  *
    20. 

  20.  * Copyright (c) 2020-2022 Fastly, Kazuho Oku
    21. 

  21.  *
    22. 

  22.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    23. 

  23.  * of this software and associated documentation files (the "Software"), to
    24. 

  24.  * deal in the Software without restriction, including without limitation the
    25. 

  25.  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
    26. 

  26.  * sell copies of the Software, and to permit persons to whom the Software is
    27. 

  27.  * furnished to do so, subject to the following conditions:
    28. 

  28.  *
    29. 

  29.  * The above copyright notice and this permission notice shall be included in
    30. 

  30.  * all copies or substantial portions of the Software.
    31. 

  31.  *
    32. 

  32.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    33. 

  33.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    34. 

  34.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    35. 

  35.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    36. 

  36.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
    37. 

  37.  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
    38. 

  38.  * IN THE SOFTWARE.
    39. 

  39.  */
    40. 

  40. #include <stdint.h>
    41. 

  41. 

  42. #include <stdlib.h>
    43. 

  43. #include <string.h>
    44. 

  44. #include <immintrin.h>
    45. 

  45. #include <tmmintrin.h>
    46. 

  46. #include <nmmintrin.h>
    47. 

  47. #include <wmmintrin.h>
    48. 

  48. #include "picotls.h"
    49. 

  49. #include "picotls/fusion.h"
    50. 

  50. 

  51. #if defined(__clang__)
    52. 

  52. #if __has_feature(address_sanitizer)
    53. 

  53. #define NO_SANITIZE_ADDRESS __attribute__((no_sanitize("address")))
    54. 

  54. #endif
    55. 

  55. #elif __SANITIZE_ADDRESS__ /* gcc */
    56. 

  56. #define NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
    57. 

  57. #endif
    58. 

  58. #ifndef NO_SANITIZE_ADDRESS
    59. 

  59. #define NO_SANITIZE_ADDRESS
    60. 

  60. #endif
    61. 

  61. 

  62. #ifdef _WINDOWS
    63. 

  63. #define aligned_alloc(a, s) _aligned_malloc((s), (a))
    64. 

  64. #define aligned_free(p) _aligned_free(p)
    65. 

  65. #else
    66. 

  66. #define aligned_free(p) free(p)
    67. 

  67. #endif
    68. 

  68. 

  69. struct ptls_fusion_aesgcm_context {
    70. 

  70.     ptls_fusion_aesecb_context_t ecb;
    71. 

  71.     size_t capacity;
    72. 

  72.     size_t ghash_cnt;
    73. 

  73. };
    74. 

  74. 

  75. struct ptls_fusion_aesgcm_context128 {
    76. 

  76.     struct ptls_fusion_aesgcm_context super;
    77. 

  77.     struct ptls_fusion_aesgcm_ghash_precompute128 {
    78. 

  78.         __m128i H;
    79. 

  79.         __m128i r;
    80. 

  80.     } ghash[0];
    81. 

  81. };
    82. 

  82. 

  83. struct ptls_fusion_aesgcm_context256 {
    84. 

  84.     struct ptls_fusion_aesgcm_context super;
    85. 

  85.     union ptls_fusion_aesgcm_ghash_precompute256 {
    86. 

  86.         struct {
    87. 

  87.             __m128i H[2];
    88. 

  88.             __m128i r[2];
    89. 

  89.         };
    90. 

  90.         struct {
    91. 

  91.             __m256i Hx2;
    92. 

  92.             __m256i rx2;
    93. 

  93.         };
    94. 

  94.     } ghash[0];
    95. 

  95. };
    96. 

  96. 

  97. struct ctr_context {
    98. 

  98.     ptls_cipher_context_t super;
    99. 

  99.     ptls_fusion_aesecb_context_t fusion;
    100. 

  100.     __m128i bits;
    101. 

  101.     uint8_t is_ready;
    102. 

  102. };
    103. 

  103. 

  104. struct aesgcm_context {
    105. 

  105.     ptls_aead_context_t super;
    106. 

  106.     ptls_fusion_aesgcm_context_t *aesgcm;
    107. 

  107.     /**
    108. 

  108.      * retains the static IV in the upper 96 bits (in little endian)
    109. 

  109.      */
    110. 

  110.     __m128i static_iv;
    111. 

  111. };
    112. 

  112. 

  113. static const uint64_t poly_[2] __attribute__((aligned(16))) = {1, 0xc200000000000000};
    114. 

  114. #define poly (*(__m128i *)poly_)
    115. 

  115. static const uint8_t byteswap_[32] __attribute__((aligned(32))) = {15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0,
    116. 

  116.                                                                    15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0};
    117. 

  117. #define byteswap128 (*(__m128i *)byteswap_)
    118. 

  118. #define byteswap256 (*(__m256i *)byteswap_)
    119. 

  119. static const uint8_t one_[16] __attribute__((aligned(16))) = {1};
    120. 

  120. #define one8 (*(__m128i *)one_)
    121. 

  121. static const uint8_t incr128x2_[32] __attribute__((aligned(32))) = {2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2};
    122. 

  122. #define incr128x2 (*(__m256i *)incr128x2_)
    123. 

  123. 

  124. /* This function is covered by the Apache License and the MIT License. The origin is crypto/modes/asm/ghash-x86_64.pl of openssl
    125. 

  125.  * at commit 33388b4. */
    126. 

  126. static __m128i transformH(__m128i H)
    127. 

  127. {
    128. 

  128.     //  # <<1 twist
    129. 

  129.     //  pshufd          \$0b11111111,$Hkey,$T2  # broadcast uppermost dword
    130. 

  130.     __m128i t2 = _mm_shuffle_epi32(H, 0xff);
    131. 

  131.     // movdqa          $Hkey,$T1
    132. 

  132.     __m128i t1 = H;
    133. 

  133.     // psllq           \$1,$Hkey
    134. 

  134.     H = _mm_slli_epi64(H, 1);
    135. 

  135.     // pxor            $T3,$T3                 #
    136. 

  136.     __m128i t3 = _mm_setzero_si128();
    137. 

  137.     // psrlq           \$63,$T1
    138. 

  138.     t1 = _mm_srli_epi64(t1, 63);
    139. 

  139.     // pcmpgtd         $T2,$T3                 # broadcast carry bit
    140. 

  140.     t3 = _mm_cmplt_epi32(t2, t3);
    141. 

  141.     //     pslldq          \$8,$T1
    142. 

  142.     t1 = _mm_slli_si128(t1, 8);
    143. 

  143.     // por             $T1,$Hkey               # H<<=1
    144. 

  144.     H = _mm_or_si128(t1, H);
    145. 

  145. 

  146.     // # magic reduction
    147. 

  147.     // pand            .L0x1c2_polynomial(%rip),$T3
    148. 

  148.     t3 = _mm_and_si128(t3, poly);
    149. 

  149.     // pxor            $T3,$Hkey               # if(carry) H^=0x1c2_polynomial
    150. 

  150.     H = _mm_xor_si128(t3, H);
    151. 

  151. 

  152.     return H;
    153. 

  153. }
    154. 

  154. // end of Apache License code
    155. 

  155. 

  156. static __m128i gfmul(__m128i x, __m128i y)
    157. 

  157. {
    158. 

  158.     __m128i lo = _mm_clmulepi64_si128(x, y, 0x00);
    159. 

  159.     __m128i hi = _mm_clmulepi64_si128(x, y, 0x11);
    160. 

  160. 

  161.     __m128i a = _mm_shuffle_epi32(x, 78);
    162. 

  162.     __m128i b = _mm_shuffle_epi32(y, 78);
    163. 

  163.     a = _mm_xor_si128(a, x);
    164. 

  164.     b = _mm_xor_si128(b, y);
    165. 

  165. 

  166.     a = _mm_clmulepi64_si128(a, b, 0x00);
    167. 

  167.     a = _mm_xor_si128(a, lo);
    168. 

  168.     a = _mm_xor_si128(a, hi);
    169. 

  169. 

  170.     b = _mm_slli_si128(a, 8);
    171. 

  171.     a = _mm_srli_si128(a, 8);
    172. 

  172. 

  173.     lo = _mm_xor_si128(lo, b);
    174. 

  174.     hi = _mm_xor_si128(hi, a);
    175. 

  175. 

  176.     // from https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf
    177. 

  177.     __m128i t = _mm_clmulepi64_si128(lo, poly, 0x10);
    178. 

  178.     lo = _mm_shuffle_epi32(lo, 78);
    179. 

  179.     lo = _mm_xor_si128(lo, t);
    180. 

  180.     t = _mm_clmulepi64_si128(lo, poly, 0x10);
    181. 

  181.     lo = _mm_shuffle_epi32(lo, 78);
    182. 

  182.     lo = _mm_xor_si128(lo, t);
    183. 

  183. 

  184.     return _mm_xor_si128(hi, lo);
    185. 

  185. }
    186. 

  186. 

  187. static inline __m128i gfmul_do_reduce(__m128i hi, __m128i lo, __m128i mid)
    188. 

  188. {
    189. 

  189.     mid = _mm_xor_si128(mid, hi);
    190. 

  190.     mid = _mm_xor_si128(mid, lo);
    191. 

  191.     lo = _mm_xor_si128(lo, _mm_slli_si128(mid, 8));
    192. 

  192.     hi = _mm_xor_si128(hi, _mm_srli_si128(mid, 8));
    193. 

  193. 

  194.     /* fast reduction, using https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf */
    195. 

  195.     __m128i r = _mm_clmulepi64_si128(lo, poly, 0x10);
    196. 

  196.     lo = _mm_shuffle_epi32(lo, 78);
    197. 

  197.     lo = _mm_xor_si128(lo, r);
    198. 

  198.     r = _mm_clmulepi64_si128(lo, poly, 0x10);
    199. 

  199.     lo = _mm_shuffle_epi32(lo, 78);
    200. 

  200.     lo = _mm_xor_si128(lo, r);
    201. 

  201.     lo = _mm_xor_si128(hi, lo);
    202. 

  202. 

  203.     return lo;
    204. 

  204. }
    205. 

  205. 

  206. struct ptls_fusion_gfmul_state128 {
    207. 

  207.     __m128i hi, lo, mid;
    208. 

  208. };
    209. 

  209. 

  210. #if defined(__GNUC__) && !defined(__clang__)
    211. 

  211. static inline __m128i xor128(__m128i x, __m128i y)
    212. 

  212. {
    213. 

  213.     __m128i ret;
    214. 

  214.     __asm__("vpxor %2, %1, %0" : "=x"(ret) : "x"(x), "xm"(y));
    215. 

  215.     return ret;
    216. 

  216. }
    217. 

  217. #else
    218. 

  218. #define xor128 _mm_xor_si128
    219. 

  219. #endif
    220. 

  220. 

  221. static inline void gfmul_do_step128(struct ptls_fusion_gfmul_state128 *gstate, __m128i X,
    222. 

  222.                                     struct ptls_fusion_aesgcm_ghash_precompute128 *precompute)
    223. 

  223. {
    224. 

  224.     __m128i t1 = _mm_clmulepi64_si128(precompute->H, X, 0x00);
    225. 

  225.     __m128i t2 = _mm_clmulepi64_si128(precompute->H, X, 0x11);
    226. 

  226.     __m128i t3 = _mm_shuffle_epi32(X, 78);
    227. 

  227.     t3 = _mm_xor_si128(t3, X);
    228. 

  228.     t3 = _mm_clmulepi64_si128(precompute->r, t3, 0x00);
    229. 

  229.     gstate->lo = xor128(gstate->lo, t1);
    230. 

  230.     gstate->hi = xor128(gstate->hi, t2);
    231. 

  231.     gstate->mid = xor128(gstate->mid, t3);
    232. 

  232. }
    233. 

  233. 

  234. #undef xor128
    235. 

  235. 

  236. static inline void gfmul_firststep128(struct ptls_fusion_gfmul_state128 *gstate, __m128i X,
    237. 

  237.                                       struct ptls_fusion_aesgcm_ghash_precompute128 *precompute)
    238. 

  238. {
    239. 

  239.     X = _mm_shuffle_epi8(X, byteswap128);
    240. 

  240.     X = _mm_xor_si128(gstate->lo, X);
    241. 

  241.     gstate->lo = _mm_setzero_si128();
    242. 

  242.     gstate->hi = _mm_setzero_si128();
    243. 

  243.     gstate->mid = _mm_setzero_si128();
    244. 

  244.     gfmul_do_step128(gstate, X, precompute);
    245. 

  245. }
    246. 

  246. 

  247. static inline void gfmul_nextstep128(struct ptls_fusion_gfmul_state128 *gstate, __m128i X,
    248. 

  248.                                      struct ptls_fusion_aesgcm_ghash_precompute128 *precompute)
    249. 

  249. {
    250. 

  250.     X = _mm_shuffle_epi8(X, byteswap128);
    251. 

  251.     gfmul_do_step128(gstate, X, precompute);
    252. 

  252. }
    253. 

  253. 

  254. static inline void gfmul_reduce128(struct ptls_fusion_gfmul_state128 *gstate)
    255. 

  255. {
    256. 

  256.     gstate->lo = gfmul_do_reduce(gstate->hi, gstate->lo, gstate->mid);
    257. 

  257. }
    258. 

  258. 

  259. static inline __m128i gfmul_get_tag128(struct ptls_fusion_gfmul_state128 *gstate, __m128i ek0)
    260. 

  260. {
    261. 

  261.     __m128i tag = _mm_shuffle_epi8(gstate->lo, byteswap128);
    262. 

  262.     tag = _mm_xor_si128(tag, ek0);
    263. 

  263.     return tag;
    264. 

  264. }
    265. 

  265. 

  266. struct ptls_fusion_gfmul_state256 {
    267. 

  267.     __m256i hi, lo, mid;
    268. 

  268. };
    269. 

  269. 

  270. static inline void gfmul_do_step256(struct ptls_fusion_gfmul_state256 *gstate, __m256i X,
    271. 

  271.                                     union ptls_fusion_aesgcm_ghash_precompute256 *precompute)
    272. 

  272. {
    273. 

  273.     __m256i t = _mm256_clmulepi64_epi128(precompute->Hx2, X, 0x00);
    274. 

  274.     gstate->lo = _mm256_xor_si256(gstate->lo, t);
    275. 

  275.     t = _mm256_clmulepi64_epi128(precompute->Hx2, X, 0x11);
    276. 

  276.     gstate->hi = _mm256_xor_si256(gstate->hi, t);
    277. 

  277.     t = _mm256_shuffle_epi32(X, 78);
    278. 

  278.     t = _mm256_xor_si256(t, X);
    279. 

  279.     t = _mm256_clmulepi64_epi128(precompute->rx2, t, 0x00);
    280. 

  280.     gstate->mid = _mm256_xor_si256(gstate->mid, t);
    281. 

  281. }
    282. 

  282. 

  283. static inline void gfmul_firststep256(struct ptls_fusion_gfmul_state256 *gstate, __m256i X, int half,
    284. 

  284.                                       union ptls_fusion_aesgcm_ghash_precompute256 *precompute)
    285. 

  285. {
    286. 

  286.     X = _mm256_shuffle_epi8(X, byteswap256);
    287. 

  287.     X = _mm256_xor_si256(gstate->lo, X);
    288. 

  288.     if (half)
    289. 

  289.         X = _mm256_permute2f128_si256(X, X, 0x08);
    290. 

  290.     gstate->lo = _mm256_setzero_si256();
    291. 

  291.     gstate->hi = _mm256_setzero_si256();
    292. 

  292.     gstate->mid = _mm256_setzero_si256();
    293. 

  293.     gfmul_do_step256(gstate, X, precompute);
    294. 

  294. }
    295. 

  295. 

  296. static inline void gfmul_nextstep256(struct ptls_fusion_gfmul_state256 *gstate, __m256i X,
    297. 

  297.                                      union ptls_fusion_aesgcm_ghash_precompute256 *precompute)
    298. 

  298. {
    299. 

  299.     X = _mm256_shuffle_epi8(X, byteswap256);
    300. 

  300.     gfmul_do_step256(gstate, X, precompute);
    301. 

  301. }
    302. 

  302. 

  303. static inline void gfmul_reduce256(struct ptls_fusion_gfmul_state256 *gstate)
    304. 

  304. {
    305. 

  305. #define XOR_256TO128(y) _mm_xor_si128(_mm256_castsi256_si128(y), _mm256_extractf128_si256((y), 1))
    306. 

  306.     __m128i hi = XOR_256TO128(gstate->hi);
    307. 

  307.     __m128i lo = XOR_256TO128(gstate->lo);
    308. 

  308.     __m128i mid = XOR_256TO128(gstate->mid);
    309. 

  309. #undef XOR_256TO128
    310. 

  310. 

  311.     lo = gfmul_do_reduce(hi, lo, mid);
    312. 

  312.     gstate->lo = _mm256_castsi128_si256(lo);
    313. 

  313. }
    314. 

  314. 

  315. static inline __m128i gfmul_get_tag256(struct ptls_fusion_gfmul_state256 *gstate, __m128i ek0)
    316. 

  316. {
    317. 

  317.     __m128i tag = _mm_shuffle_epi8(_mm256_castsi256_si128(gstate->lo), byteswap128);
    318. 

  318.     tag = _mm_xor_si128(tag, ek0);
    319. 

  319.     return tag;
    320. 

  320. }
    321. 

  321. 

  322. static inline __m128i aesecb_encrypt(ptls_fusion_aesecb_context_t *ctx, __m128i v)
    323. 

  323. {
    324. 

  324. #define ROUNDKEY(i) (ctx->aesni256 ? _mm256_castsi256_si128(ctx->keys.m256[i]) : ctx->keys.m128[i])
    325. 

  325. 

  326.     v = _mm_xor_si128(v, ROUNDKEY(0));
    327. 

  327.     for (size_t i = 1; i < ctx->rounds; ++i)
    328. 

  328.         v = _mm_aesenc_si128(v, ROUNDKEY(i));
    329. 

  329.     v = _mm_aesenclast_si128(v, ROUNDKEY(ctx->rounds));
    330. 

  330. 

  331.     return v;
    332. 

  332. 

  333. #undef ROUNDKEY
    334. 

  334. }
    335. 

  335. 

  336. // 32-bytes of 0xff followed by 31-bytes of 0x00
    337. 

  337. static const uint8_t loadn_mask[63] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    338. 

  338.                                        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    339. 

  339.                                        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    340. 

  340. static const uint8_t loadn_shuffle[31] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    341. 

  341.                                           0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, // first 16 bytes map to byte offsets
    342. 

  342.                                           0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
    343. 

  343.                                           0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}; // latter 15 bytes map to zero
    344. 

  344. 

  345. NO_SANITIZE_ADDRESS
    346. 

  346. static inline __m128i loadn_end_of_page(const void *p, size_t l)
    347. 

  347. {
    348. 

  348.     uintptr_t shift = (uintptr_t)p & 15;
    349. 

  349.     __m128i pattern = _mm_loadu_si128((const __m128i *)(loadn_shuffle + shift));
    350. 

  350.     return _mm_shuffle_epi8(_mm_load_si128((const __m128i *)((uintptr_t)p - shift)), pattern);
    351. 

  351. }
    352. 

  352. 

  353. NO_SANITIZE_ADDRESS
    354. 

  354. static inline __m128i loadn128(const void *p, size_t l)
    355. 

  355. {
    356. 

  356.     __m128i v, mask = _mm_loadu_si128((__m128i *)(loadn_mask + 32 - l));
    357. 

  357.     uintptr_t mod4k = (uintptr_t)p % 4096;
    358. 

  358. 

  359.     if (PTLS_LIKELY(mod4k <= 4096 - 16) || mod4k + l > 4096) {
    360. 

  360.         v = _mm_loadu_si128(p);
    361. 

  361.     } else {
    362. 

  362.         v = loadn_end_of_page(p, l);
    363. 

  363.     }
    364. 

  364.     v = _mm_and_si128(v, mask);
    365. 

  365. 

  366.     return v;
    367. 

  367. }
    368. 

  368. 

  369. NO_SANITIZE_ADDRESS
    370. 

  370. static inline __m256i loadn256(const void *p, size_t l)
    371. 

  371. {
    372. 

  372.     __m256i v, mask = _mm256_loadu_si256((__m256i *)(loadn_mask + 32 - l));
    373. 

  373.     uintptr_t mod4k = (uintptr_t)p % 4096;
    374. 

  374. 

  375.     if (PTLS_LIKELY(mod4k < 4096 - 32) || mod4k + l > 4096) {
    376. 

  376.         v = _mm256_loadu_si256(p);
    377. 

  377.     } else if (l > 16) {
    378. 

  378.         __m128i first16 = _mm_loadu_si128(p), second16 = loadn128((uint8_t *)p + 16, l - 16);
    379. 

  379.         v = _mm256_permute2f128_si256(_mm256_castsi128_si256(first16), _mm256_castsi128_si256(second16), 0x20);
    380. 

  380.     } else if (l == 16) {
    381. 

  381.         v = _mm256_castsi128_si256(_mm_loadu_si128(p));
    382. 

  382.     } else {
    383. 

  383.         v = _mm256_castsi128_si256(loadn_end_of_page(p, l));
    384. 

  384.     }
    385. 

  385.     v = _mm256_and_si256(v, mask);
    386. 

  386. 

  387.     return v;
    388. 

  388. }
    389. 

  389. 

  390. static inline void storen128(void *_p, size_t l, __m128i v)
    391. 

  391. {
    392. 

  392.     uint8_t buf[16], *p = _p;
    393. 

  393. 

  394.     *(__m128i *)buf = v;
    395. 

  395. 

  396.     for (size_t i = 0; i != l; ++i)
    397. 

  397.         p[i] = buf[i];
    398. 

  398. }
    399. 

  399. 

  400. void ptls_fusion_aesgcm_encrypt(ptls_fusion_aesgcm_context_t *_ctx, void *output, const void *input, size_t inlen, __m128i ctr,
    401. 

  401.                                 const void *_aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp)
    402. 

  402. {
    403. 

  403. /* init the bits (we can always run in full), but use the last slot for calculating ek0, if possible */
    404. 

  404. #define AESECB6_INIT()                                                                                                             \
    405. 

  405.     do {                                                                                                                           \
    406. 

  406.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    407. 

  407.         bits0 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    408. 

  408.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    409. 

  409.         bits1 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    410. 

  410.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    411. 

  411.         bits2 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    412. 

  412.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    413. 

  413.         bits3 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    414. 

  414.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    415. 

  415.         bits4 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    416. 

  416.         if (PTLS_LIKELY(srclen > 16 * 5)) {                                                                                        \
    417. 

  417.             ctr = _mm_add_epi64(ctr, one8);                                                                                        \
    418. 

  418.             bits5 = _mm_shuffle_epi8(ctr, byteswap128);                                                                            \
    419. 

  419.         } else {                                                                                                                   \
    420. 

  420.             if ((state & STATE_EK0_BEEN_FED) == 0) {                                                                               \
    421. 

  421.                 bits5 = ek0;                                                                                                       \
    422. 

  422.                 state |= STATE_EK0_BEEN_FED;                                                                                       \
    423. 

  423.             }                                                                                                                      \
    424. 

  424.             if ((state & STATE_SUPP_USED) != 0 && srclen <= 16 * 4 && (const __m128i *)supp->input + 1 <= dst_ghash) {             \
    425. 

  425.                 bits4 = _mm_loadu_si128(supp->input);                                                                              \
    426. 

  426.                 bits4keys = ((struct ctr_context *)supp->ctx)->fusion.keys.m128;                                                   \
    427. 

  427.                 state |= STATE_SUPP_IN_PROCESS;                                                                                    \
    428. 

  428.             }                                                                                                                      \
    429. 

  429.         }                                                                                                                          \
    430. 

  430.         __m128i k = ctx->super.ecb.keys.m128[0];                                                                                   \
    431. 

  431.         bits0 = _mm_xor_si128(bits0, k);                                                                                           \
    432. 

  432.         bits1 = _mm_xor_si128(bits1, k);                                                                                           \
    433. 

  433.         bits2 = _mm_xor_si128(bits2, k);                                                                                           \
    434. 

  434.         bits3 = _mm_xor_si128(bits3, k);                                                                                           \
    435. 

  435.         bits4 = _mm_xor_si128(bits4, bits4keys[0]);                                                                                \
    436. 

  436.         bits5 = _mm_xor_si128(bits5, k);                                                                                           \
    437. 

  437.     } while (0)
    438. 

  438. 

  439. /* aes block update */
    440. 

  440. #define AESECB6_UPDATE(i)                                                                                                          \
    441. 

  441.     do {                                                                                                                           \
    442. 

  442.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    443. 

  443.         bits0 = _mm_aesenc_si128(bits0, k);                                                                                        \
    444. 

  444.         bits1 = _mm_aesenc_si128(bits1, k);                                                                                        \
    445. 

  445.         bits2 = _mm_aesenc_si128(bits2, k);                                                                                        \
    446. 

  446.         bits3 = _mm_aesenc_si128(bits3, k);                                                                                        \
    447. 

  447.         bits4 = _mm_aesenc_si128(bits4, bits4keys[i]);                                                                             \
    448. 

  448.         bits5 = _mm_aesenc_si128(bits5, k);                                                                                        \
    449. 

  449.     } while (0)
    450. 

  450. 

  451. /* aesenclast */
    452. 

  452. #define AESECB6_FINAL(i)                                                                                                           \
    453. 

  453.     do {                                                                                                                           \
    454. 

  454.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    455. 

  455.         bits0 = _mm_aesenclast_si128(bits0, k);                                                                                    \
    456. 

  456.         bits1 = _mm_aesenclast_si128(bits1, k);                                                                                    \
    457. 

  457.         bits2 = _mm_aesenclast_si128(bits2, k);                                                                                    \
    458. 

  458.         bits3 = _mm_aesenclast_si128(bits3, k);                                                                                    \
    459. 

  459.         bits4 = _mm_aesenclast_si128(bits4, bits4keys[i]);                                                                         \
    460. 

  460.         bits5 = _mm_aesenclast_si128(bits5, k);                                                                                    \
    461. 

  461.     } while (0)
    462. 

  462. 

  463.     struct ptls_fusion_aesgcm_context128 *ctx = (void *)_ctx;
    464. 

  464.     __m128i ek0, bits0, bits1, bits2, bits3, bits4, bits5 = _mm_setzero_si128();
    465. 

  465.     const __m128i *bits4keys = ctx->super.ecb.keys.m128; /* is changed to supp->ctx.keys when calcurating suppout */
    466. 

  466.     struct ptls_fusion_gfmul_state128 gstate = {0};
    467. 

  467.     __m128i gdatabuf[6];
    468. 

  468.     __m128i ac = _mm_shuffle_epi8(_mm_set_epi32(0, (int)aadlen * 8, 0, (int)inlen * 8), byteswap128);
    469. 

  469. 

  470.     // src and dst are updated after the chunk is processed
    471. 

  471.     const __m128i *src = input;
    472. 

  472.     __m128i *dst = output;
    473. 

  473.     size_t srclen = inlen;
    474. 

  474.     // aad and src_ghash are updated before the chunk is processed (i.e., when the pointers are fed indo the processor)
    475. 

  475.     const __m128i *aad = _aad, *dst_ghash = dst;
    476. 

  476.     size_t dst_ghashlen = srclen;
    477. 

  477. 

  478.     struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute = ctx->ghash + (aadlen + 15) / 16 + (srclen + 15) / 16 + 1;
    479. 

  479. 

  480. #define STATE_EK0_BEEN_FED 0x3
    481. 

  481. #define STATE_EK0_INCOMPLETE 0x2
    482. 

  482. #define STATE_EK0_READY() ((state & STATE_EK0_BEEN_FED) == 0x1)
    483. 

  483. #define STATE_SUPP_USED 0x4
    484. 

  484. #define STATE_SUPP_IN_PROCESS 0x8
    485. 

  485.     int32_t state = supp != NULL ? STATE_SUPP_USED : 0;
    486. 

  486. 

  487.     /* build counter */
    488. 

  488.     ctr = _mm_insert_epi32(ctr, 1, 0);
    489. 

  489.     ek0 = _mm_shuffle_epi8(ctr, byteswap128);
    490. 

  490. 

  491.     /* start preparing AES */
    492. 

  492.     AESECB6_INIT();
    493. 

  493.     AESECB6_UPDATE(1);
    494. 

  494. 

  495.     /* build first ghash data (only AAD can be fed at this point, as this would be calculated alongside the first AES block) */
    496. 

  496.     const __m128i *gdata = gdatabuf; // points to the elements fed into GHASH
    497. 

  497.     size_t gdata_cnt = 0;
    498. 

  498.     if (PTLS_LIKELY(aadlen != 0)) {
    499. 

  499.         while (gdata_cnt < 6) {
    500. 

  500.             if (PTLS_LIKELY(aadlen < 16)) {
    501. 

  501.                 if (aadlen != 0) {
    502. 

  502.                     gdatabuf[gdata_cnt++] = loadn128(aad, aadlen);
    503. 

  503.                     aadlen = 0;
    504. 

  504.                 }
    505. 

  505.                 goto MainLoop;
    506. 

  506.             }
    507. 

  507.             gdatabuf[gdata_cnt++] = _mm_loadu_si128(aad++);
    508. 

  508.             aadlen -= 16;
    509. 

  509.         }
    510. 

  510.     }
    511. 

  511. 

  512.     /* the main loop */
    513. 

  513. MainLoop:
    514. 

  514.     while (1) {
    515. 

  515.         /* run AES and multiplication in parallel */
    516. 

  516.         size_t i;
    517. 

  517.         for (i = 2; i < gdata_cnt + 2; ++i) {
    518. 

  518.             AESECB6_UPDATE(i);
    519. 

  519.             gfmul_nextstep128(&gstate, _mm_loadu_si128(gdata++), --ghash_precompute);
    520. 

  520.         }
    521. 

  521.         for (; i < ctx->super.ecb.rounds; ++i)
    522. 

  522.             AESECB6_UPDATE(i);
    523. 

  523.         AESECB6_FINAL(i);
    524. 

  524. 

  525.         /* apply the bit stream to src and write to dest */
    526. 

  526.         if (PTLS_LIKELY(srclen >= 6 * 16)) {
    527. 

  527. #define APPLY(i) _mm_storeu_si128(dst + i, _mm_xor_si128(_mm_loadu_si128(src + i), bits##i))
    528. 

  528.             APPLY(0);
    529. 

  529.             APPLY(1);
    530. 

  530.             APPLY(2);
    531. 

  531.             APPLY(3);
    532. 

  532.             APPLY(4);
    533. 

  533.             APPLY(5);
    534. 

  534. #undef APPLY
    535. 

  535.             dst += 6;
    536. 

  536.             src += 6;
    537. 

  537.             srclen -= 6 * 16;
    538. 

  538.         } else {
    539. 

  539.             if ((state & STATE_EK0_BEEN_FED) == STATE_EK0_BEEN_FED) {
    540. 

  540.                 ek0 = bits5;
    541. 

  541.                 state &= ~STATE_EK0_INCOMPLETE;
    542. 

  542.             }
    543. 

  543.             if ((state & STATE_SUPP_IN_PROCESS) != 0) {
    544. 

  544.                 _mm_storeu_si128((__m128i *)supp->output, bits4);
    545. 

  545.                 state &= ~(STATE_SUPP_USED | STATE_SUPP_IN_PROCESS);
    546. 

  546.             }
    547. 

  547.             if (srclen != 0) {
    548. 

  548. #define APPLY(i)                                                                                                                   \
    549. 

  549.     do {                                                                                                                           \
    550. 

  550.         if (PTLS_LIKELY(srclen >= 16)) {                                                                                           \
    551. 

  551.             _mm_storeu_si128(dst++, _mm_xor_si128(_mm_loadu_si128(src++), bits##i));                                               \
    552. 

  552.             srclen -= 16;                                                                                                          \
    553. 

  553.         } else if (PTLS_LIKELY(srclen != 0)) {                                                                                     \
    554. 

  554.             bits0 = bits##i;                                                                                                       \
    555. 

  555.             goto ApplyRemainder;                                                                                                   \
    556. 

  556.         } else {                                                                                                                   \
    557. 

  557.             goto ApplyEnd;                                                                                                         \
    558. 

  558.         }                                                                                                                          \
    559. 

  559.     } while (0)
    560. 

  560.                 APPLY(0);
    561. 

  561.                 APPLY(1);
    562. 

  562.                 APPLY(2);
    563. 

  563.                 APPLY(3);
    564. 

  564.                 APPLY(4);
    565. 

  565.                 APPLY(5);
    566. 

  566. #undef APPLY
    567. 

  567.                 goto ApplyEnd;
    568. 

  568.             ApplyRemainder:
    569. 

  569.                 storen128(dst, srclen, _mm_xor_si128(loadn128(src, srclen), bits0));
    570. 

  570.                 dst = (__m128i *)((uint8_t *)dst + srclen);
    571. 

  571.                 srclen = 0;
    572. 

  572.             ApplyEnd:;
    573. 

  573.             }
    574. 

  574.         }
    575. 

  575. 

  576.         /* next block AES starts here */
    577. 

  577.         AESECB6_INIT();
    578. 

  578. 

  579.         AESECB6_UPDATE(1);
    580. 

  580. 

  581.         /* setup gdata */
    582. 

  582.         if (PTLS_UNLIKELY(aadlen != 0)) {
    583. 

  583.             gdata_cnt = 0;
    584. 

  584.             while (gdata_cnt < 6) {
    585. 

  585.                 if (aadlen < 16) {
    586. 

  586.                     if (aadlen != 0) {
    587. 

  587.                         gdatabuf[gdata_cnt++] = loadn128(aad, aadlen);
    588. 

  588.                         aadlen = 0;
    589. 

  589.                     }
    590. 

  590.                     goto GdataFillDST;
    591. 

  591.                 }
    592. 

  592.                 gdatabuf[gdata_cnt++] = _mm_loadu_si128(aad++);
    593. 

  593.                 aadlen -= 16;
    594. 

  594.             }
    595. 

  595.             gdata = gdatabuf;
    596. 

  596.         } else if (PTLS_LIKELY(dst_ghashlen >= 6 * 16)) {
    597. 

  597.             gdata = dst_ghash;
    598. 

  598.             gdata_cnt = 6;
    599. 

  599.             dst_ghash += 6;
    600. 

  600.             dst_ghashlen -= 96;
    601. 

  601.         } else {
    602. 

  602.             gdata_cnt = 0;
    603. 

  603.         GdataFillDST:
    604. 

  604.             while (gdata_cnt < 6) {
    605. 

  605.                 if (dst_ghashlen < 16) {
    606. 

  606.                     if (dst_ghashlen != 0) {
    607. 

  607.                         gdatabuf[gdata_cnt++] = loadn128(dst_ghash, dst_ghashlen);
    608. 

  608.                         dst_ghashlen = 0;
    609. 

  609.                     }
    610. 

  610.                     if (gdata_cnt < 6)
    611. 

  611.                         goto Finish;
    612. 

  612.                     break;
    613. 

  613.                 }
    614. 

  614.                 gdatabuf[gdata_cnt++] = _mm_loadu_si128(dst_ghash++);
    615. 

  615.                 dst_ghashlen -= 16;
    616. 

  616.             }
    617. 

  617.             gdata = gdatabuf;
    618. 

  618.         }
    619. 

  619.     }
    620. 

  620. 

  621. Finish:
    622. 

  622.     gdatabuf[gdata_cnt++] = ac;
    623. 

  623. 

  624.     /* We have complete set of data to be fed into GHASH. Let's finish the remaining calculation.
    625. 

  625.      * Note that by now, all AES operations for payload encryption and ek0 are complete. This is is because it is necessary for GCM
    626. 

  626.      * to process at least the same amount of data (i.e. payload-blocks + AC), and because AES is at least one 96-byte block ahead.
    627. 

  627.      */
    628. 

  628.     assert(STATE_EK0_READY());
    629. 

  629.     for (size_t i = 0; i < gdata_cnt; ++i)
    630. 

  630.         gfmul_nextstep128(&gstate, gdatabuf[i], --ghash_precompute);
    631. 

  631. 

  632.     gfmul_reduce128(&gstate);
    633. 

  633.     _mm_storeu_si128(dst, gfmul_get_tag128(&gstate, ek0));
    634. 

  634. 

  635.     /* Finish the calculation of supplemental vector. Done at the very last, because the sample might cover the GCM tag. */
    636. 

  636.     if ((state & STATE_SUPP_USED) != 0) {
    637. 

  637.         size_t i;
    638. 

  638.         if ((state & STATE_SUPP_IN_PROCESS) == 0) {
    639. 

  639.             bits4keys = ((struct ctr_context *)supp->ctx)->fusion.keys.m128;
    640. 

  640.             bits4 = _mm_xor_si128(_mm_loadu_si128(supp->input), bits4keys[0]);
    641. 

  641.             i = 1;
    642. 

  642.         } else {
    643. 

  643.             i = 2;
    644. 

  644.         }
    645. 

  645.         do {
    646. 

  646.             bits4 = _mm_aesenc_si128(bits4, bits4keys[i++]);
    647. 

  647.         } while (i != ctx->super.ecb.rounds);
    648. 

  648.         bits4 = _mm_aesenclast_si128(bits4, bits4keys[i]);
    649. 

  649.         _mm_storeu_si128((__m128i *)supp->output, bits4);
    650. 

  650.     }
    651. 

  651. 

  652. #undef AESECB6_INIT
    653. 

  653. #undef AESECB6_UPDATE
    654. 

  654. #undef AESECB6_FINAL
    655. 

  655. #undef STATE_EK0_BEEN_FOUND
    656. 

  656. #undef STATE_EK0_READY
    657. 

  657. #undef STATE_SUPP_IN_PROCESS
    658. 

  658. }
    659. 

  659. 

  660. int ptls_fusion_aesgcm_decrypt(ptls_fusion_aesgcm_context_t *_ctx, void *output, const void *input, size_t inlen, __m128i ctr,
    661. 

  661.                                const void *_aad, size_t aadlen, const void *tag)
    662. 

  662. {
    663. 

  663.     struct ptls_fusion_aesgcm_context128 *ctx = (void *)_ctx;
    664. 

  664.     __m128i ek0 = _mm_setzero_si128(), bits0, bits1 = _mm_setzero_si128(), bits2 = _mm_setzero_si128(), bits3 = _mm_setzero_si128(),
    665. 

  665.             bits4 = _mm_setzero_si128(), bits5 = _mm_setzero_si128();
    666. 

  666.     struct ptls_fusion_gfmul_state128 gstate = {0};
    667. 

  667.     __m128i gdatabuf[6];
    668. 

  668.     __m128i ac = _mm_shuffle_epi8(_mm_set_epi32(0, (int)aadlen * 8, 0, (int)inlen * 8), byteswap128);
    669. 

  669.     struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute = ctx->ghash + (aadlen + 15) / 16 + (inlen + 15) / 16 + 1;
    670. 

  670. 

  671.     const __m128i *gdata; // points to the elements fed into GHASH
    672. 

  672.     size_t gdata_cnt;
    673. 

  673. 

  674.     const __m128i *src_ghash = input, *src_aes = input, *aad = _aad;
    675. 

  675.     __m128i *dst = output;
    676. 

  676.     size_t nondata_aes_cnt = 0, src_ghashlen = inlen, src_aeslen = inlen;
    677. 

  677. 

  678.     /* schedule ek0 and suppkey */
    679. 

  679.     ctr = _mm_add_epi64(ctr, one8);
    680. 

  680.     bits0 = _mm_xor_si128(_mm_shuffle_epi8(ctr, byteswap128), ctx->super.ecb.keys.m128[0]);
    681. 

  681.     ++nondata_aes_cnt;
    682. 

  682. 

  683. #define STATE_IS_FIRST_RUN 0x1
    684. 

  684. #define STATE_GHASH_HAS_MORE 0x2
    685. 

  685.     int state = STATE_IS_FIRST_RUN | STATE_GHASH_HAS_MORE;
    686. 

  686. 

  687.     /* the main loop */
    688. 

  688.     while (1) {
    689. 

  689. 

  690.         /* setup gdata */
    691. 

  691.         if (PTLS_UNLIKELY(aadlen != 0)) {
    692. 

  692.             gdata = gdatabuf;
    693. 

  693.             gdata_cnt = 0;
    694. 

  694.             while (gdata_cnt < 6) {
    695. 

  695.                 if (aadlen < 16) {
    696. 

  696.                     if (aadlen != 0) {
    697. 

  697.                         gdatabuf[gdata_cnt++] = loadn128(aad, aadlen);
    698. 

  698.                         aadlen = 0;
    699. 

  699.                         ++nondata_aes_cnt;
    700. 

  700.                     }
    701. 

  701.                     goto GdataFillSrc;
    702. 

  702.                 }
    703. 

  703.                 gdatabuf[gdata_cnt++] = _mm_loadu_si128(aad++);
    704. 

  704.                 aadlen -= 16;
    705. 

  705.                 ++nondata_aes_cnt;
    706. 

  706.             }
    707. 

  707.         } else if (PTLS_LIKELY(src_ghashlen >= 6 * 16)) {
    708. 

  708.             gdata = src_ghash;
    709. 

  709.             gdata_cnt = 6;
    710. 

  710.             src_ghash += 6;
    711. 

  711.             src_ghashlen -= 6 * 16;
    712. 

  712.         } else {
    713. 

  713.             gdata = gdatabuf;
    714. 

  714.             gdata_cnt = 0;
    715. 

  715.         GdataFillSrc:
    716. 

  716.             while (gdata_cnt < 6) {
    717. 

  717.                 if (src_ghashlen < 16) {
    718. 

  718.                     if (src_ghashlen != 0) {
    719. 

  719.                         gdatabuf[gdata_cnt++] = loadn128(src_ghash, src_ghashlen);
    720. 

  720.                         src_ghash = (__m128i *)((uint8_t *)src_ghash + src_ghashlen);
    721. 

  721.                         src_ghashlen = 0;
    722. 

  722.                     }
    723. 

  723.                     if (gdata_cnt < 6 && (state & STATE_GHASH_HAS_MORE) != 0) {
    724. 

  724.                         gdatabuf[gdata_cnt++] = ac;
    725. 

  725.                         state &= ~STATE_GHASH_HAS_MORE;
    726. 

  726.                     }
    727. 

  727.                     break;
    728. 

  728.                 }
    729. 

  729.                 gdatabuf[gdata_cnt++] = _mm_loadu_si128(src_ghash++);
    730. 

  730.                 src_ghashlen -= 16;
    731. 

  731.             }
    732. 

  732.         }
    733. 

  733. 

  734.         /* setup aes bits */
    735. 

  735.         if (PTLS_LIKELY(nondata_aes_cnt == 0))
    736. 

  736.             goto InitAllBits;
    737. 

  737.         switch (nondata_aes_cnt) {
    738. 

  738. #define INIT_BITS(n, keys)                                                                                                         \
    739. 

  739.     case n:                                                                                                                        \
    740. 

  740.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    741. 

  741.         bits##n = _mm_xor_si128(_mm_shuffle_epi8(ctr, byteswap128), keys.m128[0]);
    742. 

  742.         InitAllBits:
    743. 

  743.             INIT_BITS(0, ctx->super.ecb.keys);
    744. 

  744.             INIT_BITS(1, ctx->super.ecb.keys);
    745. 

  745.             INIT_BITS(2, ctx->super.ecb.keys);
    746. 

  746.             INIT_BITS(3, ctx->super.ecb.keys);
    747. 

  747.             INIT_BITS(4, ctx->super.ecb.keys);
    748. 

  748.             INIT_BITS(5, ctx->super.ecb.keys);
    749. 

  749. #undef INIT_BITS
    750. 

  750.         }
    751. 

  751. 

  752.         { /* run aes and ghash */
    753. 

  753. #define AESECB6_UPDATE(i)                                                                                                          \
    754. 

  754.     do {                                                                                                                           \
    755. 

  755.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    756. 

  756.         bits0 = _mm_aesenc_si128(bits0, k);                                                                                        \
    757. 

  757.         bits1 = _mm_aesenc_si128(bits1, k);                                                                                        \
    758. 

  758.         bits2 = _mm_aesenc_si128(bits2, k);                                                                                        \
    759. 

  759.         bits3 = _mm_aesenc_si128(bits3, k);                                                                                        \
    760. 

  760.         bits4 = _mm_aesenc_si128(bits4, k);                                                                                        \
    761. 

  761.         bits5 = _mm_aesenc_si128(bits5, k);                                                                                        \
    762. 

  762.     } while (0)
    763. 

  763. 

  764.             size_t aesi;
    765. 

  765.             for (aesi = 1; aesi <= gdata_cnt; ++aesi) {
    766. 

  766.                 AESECB6_UPDATE(aesi);
    767. 

  767.                 gfmul_nextstep128(&gstate, _mm_loadu_si128(gdata++), --ghash_precompute);
    768. 

  768.             }
    769. 

  769.             for (; aesi < ctx->super.ecb.rounds; ++aesi)
    770. 

  770.                 AESECB6_UPDATE(aesi);
    771. 

  771.             __m128i k = ctx->super.ecb.keys.m128[aesi];
    772. 

  772.             bits0 = _mm_aesenclast_si128(bits0, k);
    773. 

  773.             bits1 = _mm_aesenclast_si128(bits1, k);
    774. 

  774.             bits2 = _mm_aesenclast_si128(bits2, k);
    775. 

  775.             bits3 = _mm_aesenclast_si128(bits3, k);
    776. 

  776.             bits4 = _mm_aesenclast_si128(bits4, k);
    777. 

  777.             bits5 = _mm_aesenclast_si128(bits5, k);
    778. 

  778. 

  779. #undef AESECB6_UPDATE
    780. 

  780.         }
    781. 

  781. 

  782.         /* apply aes bits */
    783. 

  783.         if (PTLS_LIKELY(nondata_aes_cnt == 0 && src_aeslen >= 6 * 16)) {
    784. 

  784. #define APPLY(i) _mm_storeu_si128(dst + i, _mm_xor_si128(_mm_loadu_si128(src_aes + i), bits##i))
    785. 

  785.             APPLY(0);
    786. 

  786.             APPLY(1);
    787. 

  787.             APPLY(2);
    788. 

  788.             APPLY(3);
    789. 

  789.             APPLY(4);
    790. 

  790.             APPLY(5);
    791. 

  791. #undef APPLY
    792. 

  792.             dst += 6;
    793. 

  793.             src_aes += 6;
    794. 

  794.             src_aeslen -= 6 * 16;
    795. 

  795.         } else {
    796. 

  796.             if ((state & STATE_IS_FIRST_RUN) != 0) {
    797. 

  797.                 ek0 = bits0;
    798. 

  798.                 state &= ~STATE_IS_FIRST_RUN;
    799. 

  799.             }
    800. 

  800.             switch (nondata_aes_cnt) {
    801. 

  801. #define APPLY(i)                                                                                                                   \
    802. 

  802.     case i:                                                                                                                        \
    803. 

  803.         if (PTLS_LIKELY(src_aeslen > 16)) {                                                                                        \
    804. 

  804.             _mm_storeu_si128(dst++, _mm_xor_si128(_mm_loadu_si128(src_aes++), bits##i));                                           \
    805. 

  805.             src_aeslen -= 16;                                                                                                      \
    806. 

  806.         } else {                                                                                                                   \
    807. 

  807.             bits0 = bits##i;                                                                                                       \
    808. 

  808.             goto Finish;                                                                                                           \
    809. 

  809.         }
    810. 

  810.                 APPLY(0);
    811. 

  811.                 APPLY(1);
    812. 

  812.                 APPLY(2);
    813. 

  813.                 APPLY(3);
    814. 

  814.                 APPLY(4);
    815. 

  815.                 APPLY(5);
    816. 

  816. #undef APPLY
    817. 

  817.             }
    818. 

  818.             nondata_aes_cnt = 0;
    819. 

  819.         }
    820. 

  820.     }
    821. 

  821. 

  822. Finish:
    823. 

  823.     if (src_aeslen == 16) {
    824. 

  824.         _mm_storeu_si128(dst, _mm_xor_si128(_mm_loadu_si128(src_aes), bits0));
    825. 

  825.     } else if (src_aeslen != 0) {
    826. 

  826.         storen128(dst, src_aeslen, _mm_xor_si128(loadn128(src_aes, src_aeslen), bits0));
    827. 

  827.     }
    828. 

  828. 

  829.     assert((state & STATE_IS_FIRST_RUN) == 0);
    830. 

  830. 

  831.     /* the only case where AES operation is complete and GHASH is not is when the application of AC is remaining */
    832. 

  832.     if ((state & STATE_GHASH_HAS_MORE) != 0) {
    833. 

  833.         assert(ghash_precompute - 1 == ctx->ghash);
    834. 

  834.         gfmul_nextstep128(&gstate, ac, --ghash_precompute);
    835. 

  835.     }
    836. 

  836. 

  837.     gfmul_reduce128(&gstate);
    838. 

  838.     __m128i calctag = gfmul_get_tag128(&gstate, ek0);
    839. 

  839. 

  840.     return _mm_movemask_epi8(_mm_cmpeq_epi8(calctag, _mm_loadu_si128(tag))) == 0xffff;
    841. 

  841. 

  842. #undef STATE_IS_FIRST_RUN
    843. 

  843. #undef STATE_GHASH_HAS_MORE
    844. 

  844. }
    845. 

  845. 

  846. static __m128i expand_key(__m128i key, __m128i temp)
    847. 

  847. {
    848. 

  848.     key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    849. 

  849.     key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    850. 

  850.     key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    851. 

  851. 

  852.     key = _mm_xor_si128(key, temp);
    853. 

  853. 

  854.     return key;
    855. 

  855. }
    856. 

  856. 

  857. void ptls_fusion_aesecb_init(ptls_fusion_aesecb_context_t *ctx, int is_enc, const void *key, size_t key_size, int aesni256)
    858. 

  858. {
    859. 

  859.     assert(is_enc && "decryption is not supported (yet)");
    860. 

  860. 

  861.     size_t i = 0;
    862. 

  862. 

  863.     switch (key_size) {
    864. 

  864.     case 16: /* AES128 */
    865. 

  865.         ctx->rounds = 10;
    866. 

  866.         break;
    867. 

  867.     case 32: /* AES256 */
    868. 

  868.         ctx->rounds = 14;
    869. 

  869.         break;
    870. 

  870.     default:
    871. 

  871.         assert(!"invalid key size; AES128 / AES256 are supported");
    872. 

  872.         break;
    873. 

  873.     }
    874. 

  874.     ctx->aesni256 = aesni256;
    875. 

  875. 

  876.     /* load and expand keys using keys.m128 */
    877. 

  877.     ctx->keys.m128[i++] = _mm_loadu_si128((__m128i *)key);
    878. 

  878.     if (key_size == 32)
    879. 

  879.         ctx->keys.m128[i++] = _mm_loadu_si128((__m128i *)key + 1);
    880. 

  880.     while (1) {
    881. 

  881. #define EXPAND(R)                                                                                                                  \
    882. 

  882.     {                                                                                                                              \
    883. 

  883.         ctx->keys.m128[i] =                                                                                                        \
    884. 

  884.             expand_key(ctx->keys.m128[i - key_size / 16],                                                                          \
    885. 

  885.                        _mm_shuffle_epi32(_mm_aeskeygenassist_si128(ctx->keys.m128[i - 1], R), _MM_SHUFFLE(3, 3, 3, 3)));           \
    886. 

  886.         if (i == ctx->rounds)                                                                                                      \
    887. 

  887.             break;                                                                                                                 \
    888. 

  888.         ++i;                                                                                                                       \
    889. 

  889.         if (key_size > 24) {                                                                                                       \
    890. 

  890.             ctx->keys.m128[i] =                                                                                                    \
    891. 

  891.                 expand_key(ctx->keys.m128[i - key_size / 16],                                                                      \
    892. 

  892.                            _mm_shuffle_epi32(_mm_aeskeygenassist_si128(ctx->keys.m128[i - 1], R), _MM_SHUFFLE(2, 2, 2, 2)));       \
    893. 

  893.             ++i;                                                                                                                   \
    894. 

  894.         }                                                                                                                          \
    895. 

  895.     }
    896. 

  896.         EXPAND(0x1);
    897. 

  897.         EXPAND(0x2);
    898. 

  898.         EXPAND(0x4);
    899. 

  899.         EXPAND(0x8);
    900. 

  900.         EXPAND(0x10);
    901. 

  901.         EXPAND(0x20);
    902. 

  902.         EXPAND(0x40);
    903. 

  903.         EXPAND(0x80);
    904. 

  904.         EXPAND(0x1b);
    905. 

  905.         EXPAND(0x36);
    906. 

  906. #undef EXPAND
    907. 

  907.     }
    908. 

  908. 

  909.     /* convert to keys.m256 if aesni256 is used */
    910. 

  910.     if (ctx->aesni256) {
    911. 

  911.         size_t i = ctx->rounds;
    912. 

  912.         do {
    913. 

  913.             ctx->keys.m256[i] = _mm256_broadcastsi128_si256(ctx->keys.m128[i]);
    914. 

  914.         } while (i-- != 0);
    915. 

  915.     }
    916. 

  916. }
    917. 

  917. 

  918. void ptls_fusion_aesecb_dispose(ptls_fusion_aesecb_context_t *ctx)
    919. 

  919. {
    920. 

  920.     ptls_clear_memory(ctx, sizeof(*ctx));
    921. 

  921. }
    922. 

  922. 

  923. void ptls_fusion_aesecb_encrypt(ptls_fusion_aesecb_context_t *ctx, void *dst, const void *src)
    924. 

  924. {
    925. 

  925.     __m128i v = _mm_loadu_si128(src);
    926. 

  926.     v = aesecb_encrypt(ctx, v);
    927. 

  927.     _mm_storeu_si128(dst, v);
    928. 

  928. }
    929. 

  929. 

  930. /**
    931. 

  931.  * returns the number of ghash entries that is required to handle an AEAD block of given size
    932. 

  932.  */
    933. 

  933. static size_t aesgcm_calc_ghash_cnt(size_t capacity)
    934. 

  934. {
    935. 

  935.     // round-up by block size, add to handle worst split of the size between AAD and payload, plus context to hash AC
    936. 

  936.     return (capacity + 15) / 16 + 2;
    937. 

  937. }
    938. 

  938. 

  939. static void setup_one_ghash_entry(ptls_fusion_aesgcm_context_t *ctx)
    940. 

  940. {
    941. 

  941.     __m128i *H, *r, *Hprev, H0;
    942. 

  942. 

  943.     if (ctx->ecb.aesni256) {
    944. 

  944.         struct ptls_fusion_aesgcm_context256 *ctx256 = (void *)ctx;
    945. 

  945. #define GET_SLOT(i, mem) (&ctx256->ghash[(i) / 2].mem[(i) % 2 == 0])
    946. 

  946.         H = GET_SLOT(ctx->ghash_cnt, H);
    947. 

  947.         r = GET_SLOT(ctx->ghash_cnt, r);
    948. 

  948.         Hprev = ctx->ghash_cnt == 0 ? NULL : GET_SLOT(ctx->ghash_cnt - 1, H);
    949. 

  949. #undef GET_SLOT
    950. 

  950.         H0 = ctx256->ghash[0].H[1];
    951. 

  951.     } else {
    952. 

  952.         struct ptls_fusion_aesgcm_context128 *ctx128 = (void *)ctx;
    953. 

  953.         H = &ctx128->ghash[ctx->ghash_cnt].H;
    954. 

  954.         r = &ctx128->ghash[ctx->ghash_cnt].r;
    955. 

  955.         Hprev = ctx->ghash_cnt == 0 ? NULL : &ctx128->ghash[ctx->ghash_cnt - 1].H;
    956. 

  956.         H0 = ctx128->ghash[0].H;
    957. 

  957.     }
    958. 

  958. 

  959.     if (Hprev != NULL)
    960. 

  960.         *H = gfmul(*Hprev, H0);
    961. 

  961. 

  962.     *r = _mm_shuffle_epi32(*H, 78);
    963. 

  963.     *r = _mm_xor_si128(*r, *H);
    964. 

  964. 

  965.     ++ctx->ghash_cnt;
    966. 

  966. }
    967. 

  967. 

  968. static size_t calc_aesgcm_context_size(size_t *ghash_cnt, int aesni256)
    969. 

  969. {
    970. 

  970.     size_t sz;
    971. 

  971. 

  972.     if (aesni256) {
    973. 

  973.         if (*ghash_cnt % 2 != 0)
    974. 

  974.             ++*ghash_cnt;
    975. 

  975.         sz = offsetof(struct ptls_fusion_aesgcm_context256, ghash) +
    976. 

  976.              sizeof(union ptls_fusion_aesgcm_ghash_precompute256) * *ghash_cnt / 2;
    977. 

  977.     } else {
    978. 

  978.         sz = offsetof(struct ptls_fusion_aesgcm_context128, ghash) +
    979. 

  979.              sizeof(struct ptls_fusion_aesgcm_ghash_precompute128) * *ghash_cnt;
    980. 

  980.     }
    981. 

  981.     return sz;
    982. 

  982. }
    983. 

  983. 

  984. static ptls_fusion_aesgcm_context_t *new_aesgcm(const void *key, size_t key_size, size_t capacity, int aesni256)
    985. 

  985. {
    986. 

  986.     ptls_fusion_aesgcm_context_t *ctx;
    987. 

  987.     size_t ghash_cnt = aesgcm_calc_ghash_cnt(capacity), ctx_size = calc_aesgcm_context_size(&ghash_cnt, aesni256);
    988. 

  988. 

  989.     if ((ctx = aligned_alloc(32, ctx_size)) == NULL)
    990. 

  990.         return NULL;
    991. 

  991. 

  992.     ptls_fusion_aesecb_init(&ctx->ecb, 1, key, key_size, aesni256);
    993. 

  993. 

  994.     ctx->capacity = capacity;
    995. 

  995. 

  996.     __m128i H0 = aesecb_encrypt(&ctx->ecb, _mm_setzero_si128());
    997. 

  997.     H0 = _mm_shuffle_epi8(H0, byteswap128);
    998. 

  998.     H0 = transformH(H0);
    999. 

  999.     if (ctx->ecb.aesni256) {
    1000. 

  1000.         ((struct ptls_fusion_aesgcm_context256 *)ctx)->ghash[0].H[1] = H0;
    1001. 

  1001.     } else {
    1002. 

  1002.         ((struct ptls_fusion_aesgcm_context128 *)ctx)->ghash[0].H = H0;
    1003. 

  1003.     }
    1004. 

  1004. 

  1005.     ctx->ghash_cnt = 0;
    1006. 

  1006.     while (ctx->ghash_cnt < ghash_cnt)
    1007. 

  1007.         setup_one_ghash_entry(ctx);
    1008. 

  1008. 

  1009.     return ctx;
    1010. 

  1010. }
    1011. 

  1011. 

  1012. ptls_fusion_aesgcm_context_t *ptls_fusion_aesgcm_new(const void *key, size_t key_size, size_t capacity)
    1013. 

  1013. {
    1014. 

  1014.     return new_aesgcm(key, key_size, capacity, 0);
    1015. 

  1015. }
    1016. 

  1016. 

  1017. ptls_fusion_aesgcm_context_t *ptls_fusion_aesgcm_set_capacity(ptls_fusion_aesgcm_context_t *ctx, size_t capacity)
    1018. 

  1018. {
    1019. 

  1019.     size_t new_ghash_cnt = aesgcm_calc_ghash_cnt(capacity);
    1020. 

  1020. 

  1021.     if (new_ghash_cnt <= ctx->ghash_cnt)
    1022. 

  1022.         return ctx;
    1023. 

  1023. 

  1024.     size_t new_ctx_size = calc_aesgcm_context_size(&new_ghash_cnt, ctx->ecb.aesni256),
    1025. 

  1025.            old_ctx_size = calc_aesgcm_context_size(&ctx->ghash_cnt, ctx->ecb.aesni256);
    1026. 

  1026. 

  1027.     ptls_fusion_aesgcm_context_t *newp;
    1028. 

  1028.     if ((newp = aligned_alloc(32, new_ctx_size)) == NULL)
    1029. 

  1029.         return NULL;
    1030. 

  1030.     memcpy(newp, ctx, old_ctx_size);
    1031. 

  1031.     ptls_clear_memory(ctx, old_ctx_size);
    1032. 

  1032.     aligned_free(ctx);
    1033. 

  1033.     ctx = newp;
    1034. 

  1034. 

  1035.     ctx->capacity = capacity;
    1036. 

  1036.     while (ctx->ghash_cnt < new_ghash_cnt)
    1037. 

  1037.         setup_one_ghash_entry(ctx);
    1038. 

  1038. 

  1039.     return ctx;
    1040. 

  1040. }
    1041. 

  1041. 

  1042. void ptls_fusion_aesgcm_free(ptls_fusion_aesgcm_context_t *ctx)
    1043. 

  1043. {
    1044. 

  1044.     ptls_clear_memory(ctx, calc_aesgcm_context_size(&ctx->ghash_cnt, ctx->ecb.aesni256));
    1045. 

  1045.     /* skip ptls_fusion_aesecb_dispose, based on the knowledge that it does not allocate memory elsewhere */
    1046. 

  1046. 

  1047.     aligned_free(ctx);
    1048. 

  1048. }
    1049. 

  1049. 

  1050. static void ctr_dispose(ptls_cipher_context_t *_ctx)
    1051. 

  1051. {
    1052. 

  1052.     struct ctr_context *ctx = (struct ctr_context *)_ctx;
    1053. 

  1053.     ptls_fusion_aesecb_dispose(&ctx->fusion);
    1054. 

  1054.     _mm_storeu_si128(&ctx->bits, _mm_setzero_si128());
    1055. 

  1055. }
    1056. 

  1056. 

  1057. static void ctr_init(ptls_cipher_context_t *_ctx, const void *iv)
    1058. 

  1058. {
    1059. 

  1059.     struct ctr_context *ctx = (struct ctr_context *)_ctx;
    1060. 

  1060.     _mm_storeu_si128(&ctx->bits, aesecb_encrypt(&ctx->fusion, _mm_loadu_si128(iv)));
    1061. 

  1061.     ctx->is_ready = 1;
    1062. 

  1062. }
    1063. 

  1063. 

  1064. static void ctr_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
    1065. 

  1065. {
    1066. 

  1066.     struct ctr_context *ctx = (struct ctr_context *)_ctx;
    1067. 

  1067. 

  1068.     assert((ctx->is_ready && len <= 16) ||
    1069. 

  1069.            !"CTR transfomation is supported only once per call to `init` and the maximum size is limited  to 16 bytes");
    1070. 

  1070.     ctx->is_ready = 0;
    1071. 

  1071. 

  1072.     if (len < 16) {
    1073. 

  1073.         storen128(output, len, _mm_xor_si128(_mm_loadu_si128(&ctx->bits), loadn128(input, len)));
    1074. 

  1074.     } else {
    1075. 

  1075.         _mm_storeu_si128(output, _mm_xor_si128(_mm_loadu_si128(&ctx->bits), _mm_loadu_si128(input)));
    1076. 

  1076.     }
    1077. 

  1077. }
    1078. 

  1078. 

  1079. static int aesctr_setup(ptls_cipher_context_t *_ctx, int is_enc, const void *key, size_t key_size)
    1080. 

  1080. {
    1081. 

  1081.     struct ctr_context *ctx = (struct ctr_context *)_ctx;
    1082. 

  1082. 

  1083.     ctx->super.do_dispose = ctr_dispose;
    1084. 

  1084.     ctx->super.do_init = ctr_init;
    1085. 

  1085.     ctx->super.do_transform = ctr_transform;
    1086. 

  1086.     ptls_fusion_aesecb_init(&ctx->fusion, 1, key, key_size, 0 /* probably we do not need aesni256 for CTR? */);
    1087. 

  1087.     ctx->is_ready = 0;
    1088. 

  1088. 

  1089.     return 0;
    1090. 

  1090. }
    1091. 

  1091. 

  1092. static int aes128ctr_setup(ptls_cipher_context_t *ctx, int is_enc, const void *key)
    1093. 

  1093. {
    1094. 

  1094.     return aesctr_setup(ctx, is_enc, key, PTLS_AES128_KEY_SIZE);
    1095. 

  1095. }
    1096. 

  1096. 

  1097. static int aes256ctr_setup(ptls_cipher_context_t *ctx, int is_enc, const void *key)
    1098. 

  1098. {
    1099. 

  1099.     return aesctr_setup(ctx, is_enc, key, PTLS_AES256_KEY_SIZE);
    1100. 

  1100. }
    1101. 

  1101. 

  1102. static void aesgcm_dispose_crypto(ptls_aead_context_t *_ctx)
    1103. 

  1103. {
    1104. 

  1104.     struct aesgcm_context *ctx = (struct aesgcm_context *)_ctx;
    1105. 

  1105. 

  1106.     ptls_fusion_aesgcm_free(ctx->aesgcm);
    1107. 

  1107. }
    1108. 

  1108. 

  1109. static void aead_do_encrypt_init(ptls_aead_context_t *_ctx, uint64_t seq, const void *aad, size_t aadlen)
    1110. 

  1110. {
    1111. 

  1111.     assert(!"FIXME");
    1112. 

  1112. }
    1113. 

  1113. 

  1114. static size_t aead_do_encrypt_update(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen)
    1115. 

  1115. {
    1116. 

  1116.     assert(!"FIXME");
    1117. 

  1117.     return SIZE_MAX;
    1118. 

  1118. }
    1119. 

  1119. 

  1120. static size_t aead_do_encrypt_final(ptls_aead_context_t *_ctx, void *_output)
    1121. 

  1121. {
    1122. 

  1122.     assert(!"FIXME");
    1123. 

  1123.     return SIZE_MAX;
    1124. 

  1124. }
    1125. 

  1125. 

  1126. static inline __m128i calc_counter(struct aesgcm_context *ctx, uint64_t seq)
    1127. 

  1127. {
    1128. 

  1128.     __m128i ctr = _mm_setzero_si128();
    1129. 

  1129.     ctr = _mm_insert_epi64(ctr, seq, 0);
    1130. 

  1130.     ctr = _mm_slli_si128(ctr, 4);
    1131. 

  1131.     ctr = _mm_xor_si128(ctx->static_iv, ctr);
    1132. 

  1132.     return ctr;
    1133. 

  1133. }
    1134. 

  1134. 

  1135. void aead_do_encrypt(struct st_ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen, uint64_t seq,
    1136. 

  1136.                      const void *aad, size_t aadlen, ptls_aead_supplementary_encryption_t *supp)
    1137. 

  1137. {
    1138. 

  1138.     struct aesgcm_context *ctx = (void *)_ctx;
    1139. 

  1139. 

  1140.     if (inlen + aadlen > ctx->aesgcm->capacity)
    1141. 

  1141.         ctx->aesgcm = ptls_fusion_aesgcm_set_capacity(ctx->aesgcm, inlen + aadlen);
    1142. 

  1142.     ptls_fusion_aesgcm_encrypt(ctx->aesgcm, output, input, inlen, calc_counter(ctx, seq), aad, aadlen, supp);
    1143. 

  1143. }
    1144. 

  1144. 

  1145. static void aead_do_encrypt_v(struct st_ptls_aead_context_t *ctx, void *output, ptls_iovec_t *input, size_t incnt, uint64_t seq,
    1146. 

  1146.                               const void *aad, size_t aadlen)
    1147. 

  1147. {
    1148. 

  1148.     assert(!"FIXME");
    1149. 

  1149. }
    1150. 

  1150. 

  1151. static size_t aead_do_decrypt(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen, uint64_t seq,
    1152. 

  1152.                               const void *aad, size_t aadlen)
    1153. 

  1153. {
    1154. 

  1154.     struct aesgcm_context *ctx = (void *)_ctx;
    1155. 

  1155. 

  1156.     if (inlen < 16)
    1157. 

  1157.         return SIZE_MAX;
    1158. 

  1158. 

  1159.     size_t enclen = inlen - 16;
    1160. 

  1160.     if (enclen + aadlen > ctx->aesgcm->capacity)
    1161. 

  1161.         ctx->aesgcm = ptls_fusion_aesgcm_set_capacity(ctx->aesgcm, enclen + aadlen);
    1162. 

  1162.     if (!ptls_fusion_aesgcm_decrypt(ctx->aesgcm, output, input, enclen, calc_counter(ctx, seq), aad, aadlen,
    1163. 

  1163.                                     (const uint8_t *)input + enclen))
    1164. 

  1164.         return SIZE_MAX;
    1165. 

  1165.     return enclen;
    1166. 

  1166. }
    1167. 

  1167. 

  1168. static inline void aesgcm_get_iv(ptls_aead_context_t *_ctx, void *iv)
    1169. 

  1169. {
    1170. 

  1170.     struct aesgcm_context *ctx = (struct aesgcm_context *)_ctx;
    1171. 

  1171. 

  1172.     __m128i m128 = _mm_shuffle_epi8(ctx->static_iv, byteswap128);
    1173. 

  1173.     storen128(iv, PTLS_AESGCM_IV_SIZE, m128);
    1174. 

  1174. }
    1175. 

  1175. 

  1176. static inline void aesgcm_set_iv(ptls_aead_context_t *_ctx, const void *iv)
    1177. 

  1177. {
    1178. 

  1178.     struct aesgcm_context *ctx = (struct aesgcm_context *)_ctx;
    1179. 

  1179. 

  1180.     ctx->static_iv = loadn128(iv, PTLS_AESGCM_IV_SIZE);
    1181. 

  1181.     ctx->static_iv = _mm_shuffle_epi8(ctx->static_iv, byteswap128);
    1182. 

  1182. }
    1183. 

  1183. 

  1184. static int aesgcm_setup(ptls_aead_context_t *_ctx, int is_enc, const void *key, const void *iv, size_t key_size)
    1185. 

  1185. {
    1186. 

  1186.     struct aesgcm_context *ctx = (struct aesgcm_context *)_ctx;
    1187. 

  1187. 

  1188.     ctx->static_iv = loadn128(iv, PTLS_AESGCM_IV_SIZE);
    1189. 

  1189.     ctx->static_iv = _mm_shuffle_epi8(ctx->static_iv, byteswap128);
    1190. 

  1190.     if (key == NULL)
    1191. 

  1191.         return 0;
    1192. 

  1192. 

  1193.     ctx->super.dispose_crypto = aesgcm_dispose_crypto;
    1194. 

  1194.     ctx->super.do_get_iv = aesgcm_get_iv;
    1195. 

  1195.     ctx->super.do_set_iv = aesgcm_set_iv;
    1196. 

  1196.     ctx->super.do_encrypt_init = aead_do_encrypt_init;
    1197. 

  1197.     ctx->super.do_encrypt_update = aead_do_encrypt_update;
    1198. 

  1198.     ctx->super.do_encrypt_final = aead_do_encrypt_final;
    1199. 

  1199.     ctx->super.do_encrypt = aead_do_encrypt;
    1200. 

  1200.     ctx->super.do_encrypt_v = aead_do_encrypt_v;
    1201. 

  1201.     ctx->super.do_decrypt = aead_do_decrypt;
    1202. 

  1202. 

  1203.     ctx->aesgcm = new_aesgcm(key, key_size, 1500 /* assume ordinary packet size */, 0 /* no support for aesni256 yet */);
    1204. 

  1204. 

  1205.     return 0;
    1206. 

  1206. }
    1207. 

  1207. 

  1208. static int aes128gcm_setup(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
    1209. 

  1209. {
    1210. 

  1210.     return aesgcm_setup(ctx, is_enc, key, iv, PTLS_AES128_KEY_SIZE);
    1211. 

  1211. }
    1212. 

  1212. 

  1213. static int aes256gcm_setup(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
    1214. 

  1214. {
    1215. 

  1215.     return aesgcm_setup(ctx, is_enc, key, iv, PTLS_AES256_KEY_SIZE);
    1216. 

  1216. }
    1217. 

  1217. 

  1218. int ptls_fusion_can_aesni256 = 0;
    1219. 

  1219. ptls_cipher_algorithm_t ptls_fusion_aes128ctr = {"AES128-CTR",
    1220. 

  1220.                                                  PTLS_AES128_KEY_SIZE,
    1221. 

  1221.                                                  1, // block size
    1222. 

  1222.                                                  PTLS_AES_IV_SIZE,
    1223. 

  1223.                                                  sizeof(struct ctr_context),
    1224. 

  1224.                                                  aes128ctr_setup};
    1225. 

  1225. ptls_cipher_algorithm_t ptls_fusion_aes256ctr = {"AES256-CTR",
    1226. 

  1226.                                                  PTLS_AES256_KEY_SIZE,
    1227. 

  1227.                                                  1, // block size
    1228. 

  1228.                                                  PTLS_AES_IV_SIZE,
    1229. 

  1229.                                                  sizeof(struct ctr_context),
    1230. 

  1230.                                                  aes256ctr_setup};
    1231. 

  1231. ptls_aead_algorithm_t ptls_fusion_aes128gcm = {"AES128-GCM",
    1232. 

  1232.                                                PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
    1233. 

  1233.                                                PTLS_AESGCM_INTEGRITY_LIMIT,
    1234. 

  1234.                                                &ptls_fusion_aes128ctr,
    1235. 

  1235.                                                NULL, // &ptls_fusion_aes128ecb,
    1236. 

  1236.                                                PTLS_AES128_KEY_SIZE,
    1237. 

  1237.                                                PTLS_AESGCM_IV_SIZE,
    1238. 

  1238.                                                PTLS_AESGCM_TAG_SIZE,
    1239. 

  1239.                                                {0}, // while it may work, no reason to support TLS/1.2
    1240. 

  1240.                                                0,
    1241. 

  1241.                                                0,
    1242. 

  1242.                                                sizeof(struct aesgcm_context),
    1243. 

  1243.                                                aes128gcm_setup};
    1244. 

  1244. ptls_aead_algorithm_t ptls_fusion_aes256gcm = {"AES256-GCM",
    1245. 

  1245.                                                PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
    1246. 

  1246.                                                PTLS_AESGCM_INTEGRITY_LIMIT,
    1247. 

  1247.                                                &ptls_fusion_aes256ctr,
    1248. 

  1248.                                                NULL, // &ptls_fusion_aes256ecb,
    1249. 

  1249.                                                PTLS_AES256_KEY_SIZE,
    1250. 

  1250.                                                PTLS_AESGCM_IV_SIZE,
    1251. 

  1251.                                                PTLS_AESGCM_TAG_SIZE,
    1252. 

  1252.                                                {0}, // while it may work, no reason to support TLS/1.2
    1253. 

  1253.                                                0,
    1254. 

  1254.                                                0,
    1255. 

  1255.                                                sizeof(struct aesgcm_context),
    1256. 

  1256.                                                aes256gcm_setup};
    1257. 

  1257. 

  1258. static inline size_t calc_total_length(ptls_iovec_t *input, size_t incnt)
    1259. 

  1259. {
    1260. 

  1260.     size_t totlen = 0;
    1261. 

  1261.     for (size_t i = 0; i < incnt; ++i)
    1262. 

  1262.         totlen += input[i].len;
    1263. 

  1263.     return totlen;
    1264. 

  1264. }
    1265. 

  1265. 

  1266. static inline void reduce_aad128(struct ptls_fusion_gfmul_state128 *gstate, struct ptls_fusion_aesgcm_ghash_precompute128 *ghash,
    1267. 

  1267.                                  const void *_aad, size_t aadlen)
    1268. 

  1268. {
    1269. 

  1269.     struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute;
    1270. 

  1270.     const uint8_t *aad = _aad;
    1271. 

  1271. 

  1272.     while (PTLS_UNLIKELY(aadlen >= 6 * 16)) {
    1273. 

  1273.         ghash_precompute = ghash + 6;
    1274. 

  1274.         gfmul_firststep128(gstate, _mm_loadu_si128((void *)aad), --ghash_precompute);
    1275. 

  1275.         aad += 16;
    1276. 

  1276.         aadlen -= 16;
    1277. 

  1277.         for (int i = 1; i < 6; ++i) {
    1278. 

  1278.             gfmul_nextstep128(gstate, _mm_loadu_si128((void *)aad), --ghash_precompute);
    1279. 

  1279.             aad += 16;
    1280. 

  1280.             aadlen -= 16;
    1281. 

  1281.         }
    1282. 

  1282.         gfmul_reduce128(gstate);
    1283. 

  1283.     }
    1284. 

  1284. 

  1285.     if (PTLS_LIKELY(aadlen != 0)) {
    1286. 

  1286.         ghash_precompute = ghash + (aadlen + 15) / 16;
    1287. 

  1287.         if (PTLS_UNLIKELY(aadlen >= 16)) {
    1288. 

  1288.             gfmul_firststep128(gstate, _mm_loadu_si128((void *)aad), --ghash_precompute);
    1289. 

  1289.             aad += 16;
    1290. 

  1290.             aadlen -= 16;
    1291. 

  1291.             while (aadlen >= 16) {
    1292. 

  1292.                 gfmul_nextstep128(gstate, _mm_loadu_si128((void *)aad), --ghash_precompute);
    1293. 

  1293.                 aad += 16;
    1294. 

  1294.                 aadlen -= 16;
    1295. 

  1295.             }
    1296. 

  1296.             if (PTLS_LIKELY(aadlen != 0))
    1297. 

  1297.                 gfmul_nextstep128(gstate, loadn128(aad, aadlen), --ghash_precompute);
    1298. 

  1298.         } else {
    1299. 

  1299.             gfmul_firststep128(gstate, loadn128(aad, aadlen), --ghash_precompute);
    1300. 

  1300.         }
    1301. 

  1301.         assert(ghash == ghash_precompute);
    1302. 

  1302.         gfmul_reduce128(gstate);
    1303. 

  1303.     }
    1304. 

  1304. }
    1305. 

  1305. 

  1306. NO_SANITIZE_ADDRESS
    1307. 

  1307. static inline uint8_t *load_preceding_unaligned(uint8_t *encbuf, uint8_t **output)
    1308. 

  1308. {
    1309. 

  1309.     uint8_t *encp;
    1310. 

  1310. 

  1311.     if ((encp = encbuf + ((uintptr_t)*output & 63)) != encbuf) {
    1312. 

  1312.         _mm256_store_si256((void *)encbuf, _mm256_load_si256((void *)(*output - (encp - encbuf))));
    1313. 

  1313.         _mm256_store_si256((void *)(encbuf + 32), _mm256_load_si256((void *)(*output - (encp - encbuf) + 32)));
    1314. 

  1314.         *output -= encp - encbuf;
    1315. 

  1315.     }
    1316. 

  1316. 

  1317.     return encp;
    1318. 

  1318. }
    1319. 

  1319. 

  1320. NO_SANITIZE_ADDRESS
    1321. 

  1321. static inline void write_remaining_bytes(uint8_t *dst, const uint8_t *src, const uint8_t *end)
    1322. 

  1322. {
    1323. 

  1323.     /* Write in 64-byte chunks, using NT store instructions. Last partial block, if any, is written to cache, as that cache line
    1324. 

  1324.      * would likely be read when the next TLS record is being built. */
    1325. 

  1325. 

  1326.     for (; end - src >= 64; dst += 64, src += 64) {
    1327. 

  1327.         _mm256_stream_si256((void *)dst, _mm256_load_si256((void *)src));
    1328. 

  1328.         _mm256_stream_si256((void *)(dst + 32), _mm256_load_si256((void *)(src + 32)));
    1329. 

  1329.     }
    1330. 

  1330.     _mm_sfence(); /* weakly ordered writes have to be synced before being passed to NIC */
    1331. 

  1331.     if (src != end) {
    1332. 

  1332.         for (; end - src >= 16; dst += 16, src += 16)
    1333. 

  1333.             _mm_store_si128((void *)dst, _mm_load_si128((void *)src));
    1334. 

  1334.         if (src != end)
    1335. 

  1335.             storen128((void *)dst, end - src, loadn128((void *)src, end - src));
    1336. 

  1336.     }
    1337. 

  1337. }
    1338. 

  1338. 

  1339. NO_SANITIZE_ADDRESS
    1340. 

  1340. static void non_temporal_encrypt_v128(struct st_ptls_aead_context_t *_ctx, void *_output, ptls_iovec_t *input, size_t incnt,
    1341. 

  1341.                                       uint64_t seq, const void *aad, size_t aadlen)
    1342. 

  1342. {
    1343. 

  1343. /* init the bits (we can always run in full), but use the last slot for calculating ek0, if possible */
    1344. 

  1344. #define AESECB6_INIT()                                                                                                             \
    1345. 

  1345.     do {                                                                                                                           \
    1346. 

  1346.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1347. 

  1347.         bits0 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1348. 

  1348.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1349. 

  1349.         bits1 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1350. 

  1350.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1351. 

  1351.         bits2 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1352. 

  1352.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1353. 

  1353.         bits3 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1354. 

  1354.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1355. 

  1355.         bits4 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1356. 

  1356.         if (PTLS_LIKELY(srclen > 16 * 5) || src_vecleft != 0) {                                                                    \
    1357. 

  1357.             ctr = _mm_add_epi64(ctr, one8);                                                                                        \
    1358. 

  1358.             bits5 = _mm_shuffle_epi8(ctr, byteswap128);                                                                            \
    1359. 

  1359.         } else {                                                                                                                   \
    1360. 

  1360.             bits5 = ek0;                                                                                                           \
    1361. 

  1361.             state |= STATE_EK0_READY;                                                                                              \
    1362. 

  1362.         }                                                                                                                          \
    1363. 

  1363.         __m128i k = ctx->super.ecb.keys.m128[0];                                                                                   \
    1364. 

  1364.         bits0 = _mm_xor_si128(bits0, k);                                                                                           \
    1365. 

  1365.         bits1 = _mm_xor_si128(bits1, k);                                                                                           \
    1366. 

  1366.         bits2 = _mm_xor_si128(bits2, k);                                                                                           \
    1367. 

  1367.         bits3 = _mm_xor_si128(bits3, k);                                                                                           \
    1368. 

  1368.         bits4 = _mm_xor_si128(bits4, k);                                                                                           \
    1369. 

  1369.         bits5 = _mm_xor_si128(bits5, k);                                                                                           \
    1370. 

  1370.     } while (0)
    1371. 

  1371. 

  1372. /* aes block update */
    1373. 

  1373. #define AESECB6_UPDATE(i)                                                                                                          \
    1374. 

  1374.     do {                                                                                                                           \
    1375. 

  1375.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    1376. 

  1376.         bits0 = _mm_aesenc_si128(bits0, k);                                                                                        \
    1377. 

  1377.         bits1 = _mm_aesenc_si128(bits1, k);                                                                                        \
    1378. 

  1378.         bits2 = _mm_aesenc_si128(bits2, k);                                                                                        \
    1379. 

  1379.         bits3 = _mm_aesenc_si128(bits3, k);                                                                                        \
    1380. 

  1380.         bits4 = _mm_aesenc_si128(bits4, k);                                                                                        \
    1381. 

  1381.         bits5 = _mm_aesenc_si128(bits5, k);                                                                                        \
    1382. 

  1382.     } while (0)
    1383. 

  1383. 

  1384. /* aesenclast */
    1385. 

  1385. #define AESECB6_FINAL(i)                                                                                                           \
    1386. 

  1386.     do {                                                                                                                           \
    1387. 

  1387.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    1388. 

  1388.         bits0 = _mm_aesenclast_si128(bits0, k);                                                                                    \
    1389. 

  1389.         bits1 = _mm_aesenclast_si128(bits1, k);                                                                                    \
    1390. 

  1390.         bits2 = _mm_aesenclast_si128(bits2, k);                                                                                    \
    1391. 

  1391.         bits3 = _mm_aesenclast_si128(bits3, k);                                                                                    \
    1392. 

  1392.         bits4 = _mm_aesenclast_si128(bits4, k);                                                                                    \
    1393. 

  1393.         bits5 = _mm_aesenclast_si128(bits5, k);                                                                                    \
    1394. 

  1394.     } while (0)
    1395. 

  1395. 

  1396.     struct aesgcm_context *agctx = (void *)_ctx;
    1397. 

  1397.     uint8_t *output = _output;
    1398. 

  1398. 

  1399. #define STATE_EK0_READY 0x1
    1400. 

  1400. #define STATE_COPY_128B 0x2
    1401. 

  1401.     int32_t state = 0;
    1402. 

  1402. 

  1403.     /* Bytes are written here first then written using NT store instructions, 64 bytes at a time. */
    1404. 

  1404.     uint8_t encbuf[32 * 6] __attribute__((aligned(32))), *encp;
    1405. 

  1405. 

  1406.     /* `encbuf` should be large enough to store up to 63-bytes of unaligned bytes, 6 16-byte AES blocks, plus AEAD tag that is
    1407. 

  1407.      * append to the ciphertext before writing the bytes to main memory using NT store instructions. */
    1408. 

  1408.     PTLS_BUILD_ASSERT(sizeof(encbuf) >= 64 + 6 * 16 + 16);
    1409. 

  1409. 

  1410.     /* load unaligned data within same cache line preceding `output`, adjusting pointers accordingly */
    1411. 

  1411.     encp = load_preceding_unaligned(encbuf, &output);
    1412. 

  1412. 

  1413.     /* First write would be 128 bytes (32+6*16), if encbuf contains no less than 32 bytes already. */
    1414. 

  1414.     if (encp - encbuf >= 32)
    1415. 

  1415.         state |= STATE_COPY_128B;
    1416. 

  1416. 

  1417.     /* setup ctr, retain Ek(0), len(A) | len(C) to be fed into GCM */
    1418. 

  1418.     __m128i ctr = calc_counter(agctx, seq);
    1419. 

  1419.     ctr = _mm_insert_epi32(ctr, 1, 0);
    1420. 

  1420.     __m128i ek0 = _mm_shuffle_epi8(ctr, byteswap128);
    1421. 

  1421.     __m128i ac = _mm_shuffle_epi8(_mm_set_epi32(0, (int)aadlen * 8, 0, (int)calc_total_length(input, incnt) * 8), byteswap128);
    1422. 

  1422. 

  1423.     struct ptls_fusion_aesgcm_context128 *ctx = (void *)agctx->aesgcm;
    1424. 

  1424.     __m128i bits0, bits1, bits2, bits3, bits4, bits5 = _mm_setzero_si128();
    1425. 

  1425.     struct ptls_fusion_gfmul_state128 gstate = {0};
    1426. 

  1426. 

  1427.     /* find the first non-empty vec */
    1428. 

  1428.     const uint8_t *src = NULL;
    1429. 

  1429.     size_t srclen = 0, src_vecleft = incnt;
    1430. 

  1430.     while (srclen == 0 && src_vecleft != 0) {
    1431. 

  1431.         src = (void *)input[0].base;
    1432. 

  1432.         srclen = input[0].len;
    1433. 

  1433.         ++input;
    1434. 

  1434.         --src_vecleft;
    1435. 

  1435.     }
    1436. 

  1436. 

  1437.     /* Prepare first 6 blocks of bit stream, at the same time calculating ghash of AAD. */
    1438. 

  1438.     AESECB6_INIT();
    1439. 

  1439.     AESECB6_UPDATE(1);
    1440. 

  1440.     AESECB6_UPDATE(2);
    1441. 

  1441.     reduce_aad128(&gstate, ctx->ghash, aad, aadlen);
    1442. 

  1442.     for (size_t i = 3; i < ctx->super.ecb.rounds; ++i)
    1443. 

  1443.         AESECB6_UPDATE(i);
    1444. 

  1444.     AESECB6_FINAL(ctx->super.ecb.rounds);
    1445. 

  1445. 

  1446.     /* Main loop. This loop:
    1447. 

  1447.      *  1. using current keystream (bits0..bits5), xors a up to 6 * 16 bytes and writes to encbuf,
    1448. 

  1448.      *  2. then if there is no more data to be encrypted, exit the loop, otherwise,
    1449. 

  1449.      *  3. calculate ghash of the blocks being written to encbuf,
    1450. 

  1450.      *  4. calculate next 6 * 16 bytes of keystream,
    1451. 

  1451.      *  5. writes encbuf in 64-byte blocks
    1452. 

  1452.      * When exitting the loop, `remaining_ghash_from` represents the offset within `encbuf` from where ghash remains to be
    1453. 

  1453.      * calculated. */
    1454. 

  1454.     size_t remaining_ghash_from = encp - encbuf;
    1455. 

  1455.     if (srclen != 0) {
    1456. 

  1456.         while (1) {
    1457. 

  1457.             /* apply the bit stream to input, writing to encbuf */
    1458. 

  1458.             if (PTLS_LIKELY(srclen >= 6 * 16)) {
    1459. 

  1459. #define APPLY(i) _mm_storeu_si128((void *)(encp + i * 16), _mm_xor_si128(_mm_loadu_si128((void *)(src + i * 16)), bits##i))
    1460. 

  1460.                 APPLY(0);
    1461. 

  1461.                 APPLY(1);
    1462. 

  1462.                 APPLY(2);
    1463. 

  1463.                 APPLY(3);
    1464. 

  1464.                 APPLY(4);
    1465. 

  1465.                 APPLY(5);
    1466. 

  1466. #undef APPLY
    1467. 

  1467.                 encp += 6 * 16;
    1468. 

  1468.                 src += 6 * 16;
    1469. 

  1469.                 srclen -= 6 * 16;
    1470. 

  1470.                 if (PTLS_UNLIKELY(srclen == 0)) {
    1471. 

  1471.                     if (src_vecleft == 0) {
    1472. 

  1472.                         remaining_ghash_from = (encp - encbuf) - 96;
    1473. 

  1473.                         break;
    1474. 

  1474.                     }
    1475. 

  1475.                     src = (void *)input[0].base;
    1476. 

  1476.                     srclen = input[0].len;
    1477. 

  1477.                     ++input;
    1478. 

  1478.                     --src_vecleft;
    1479. 

  1479.                 }
    1480. 

  1480.             } else {
    1481. 

  1481.                 /* slow path, load at most 6 * 16 bytes to encbuf then encrypt in-place */
    1482. 

  1482.                 size_t bytes_copied = 0;
    1483. 

  1483.                 do {
    1484. 

  1484.                     if (srclen >= 16 && bytes_copied < 5 * 16) {
    1485. 

  1485.                         _mm_storeu_si128((void *)(encp + bytes_copied), _mm_loadu_si128((void *)src));
    1486. 

  1486.                         bytes_copied += 16;
    1487. 

  1487.                         src += 16;
    1488. 

  1488.                         srclen -= 16;
    1489. 

  1489.                     } else {
    1490. 

  1490.                         encp[bytes_copied++] = *src++;
    1491. 

  1491.                         --srclen;
    1492. 

  1492.                     }
    1493. 

  1493.                     if (PTLS_UNLIKELY(srclen == 0)) {
    1494. 

  1494.                         do {
    1495. 

  1495.                             if (src_vecleft == 0)
    1496. 

  1496.                                 break;
    1497. 

  1497.                             src = (void *)input[0].base;
    1498. 

  1498.                             srclen = input[0].len;
    1499. 

  1499.                             ++input;
    1500. 

  1500.                             --src_vecleft;
    1501. 

  1501.                         } while (srclen == 0);
    1502. 

  1502.                         if (srclen == 0)
    1503. 

  1503.                             break;
    1504. 

  1504.                     }
    1505. 

  1505.                 } while (bytes_copied < 6 * 16);
    1506. 

  1506. #define APPLY(i) _mm_storeu_si128((void *)(encp + i * 16), _mm_xor_si128(_mm_loadu_si128((void *)(encp + i * 16)), bits##i))
    1507. 

  1507.                 APPLY(0);
    1508. 

  1508.                 APPLY(1);
    1509. 

  1509.                 APPLY(2);
    1510. 

  1510.                 APPLY(3);
    1511. 

  1511.                 APPLY(4);
    1512. 

  1512.                 APPLY(5);
    1513. 

  1513. #undef APPLY
    1514. 

  1514.                 encp += bytes_copied;
    1515. 

  1515.                 if (PTLS_UNLIKELY(srclen == 0)) {
    1516. 

  1516.                     /* Calculate amonut of data left to be ghashed, as well as zero-clearing the remainedr of partial block, as it
    1517. 

  1517.                      * will be fed into ghash. */
    1518. 

  1518.                     remaining_ghash_from = (encp - encbuf) - bytes_copied;
    1519. 

  1519.                     if ((bytes_copied & 15) != 0)
    1520. 

  1520.                         _mm_storeu_si128((void *)encp, _mm_setzero_si128());
    1521. 

  1521.                     break;
    1522. 

  1522.                 }
    1523. 

  1523.             }
    1524. 

  1524. 

  1525.             /* Next 96-byte block starts here. Run AES and ghash in while writing output using non-temporal stores in 64-byte
    1526. 

  1526.              * blocks. */
    1527. 

  1527.             AESECB6_INIT();
    1528. 

  1528.             struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute = ctx->ghash + 6;
    1529. 

  1529.             gfmul_firststep128(&gstate, _mm_loadu_si128((void *)(encp - 6 * 16)), --ghash_precompute);
    1530. 

  1530.             AESECB6_UPDATE(1);
    1531. 

  1531.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encp - 5 * 16)), --ghash_precompute);
    1532. 

  1532.             AESECB6_UPDATE(2);
    1533. 

  1533.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encp - 4 * 16)), --ghash_precompute);
    1534. 

  1534.             AESECB6_UPDATE(3);
    1535. 

  1535.             _mm256_stream_si256((void *)output, _mm256_load_si256((void *)encbuf));
    1536. 

  1536.             _mm256_stream_si256((void *)(output + 32), _mm256_load_si256((void *)(encbuf + 32)));
    1537. 

  1537.             AESECB6_UPDATE(4);
    1538. 

  1538.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encp - 3 * 16)), --ghash_precompute);
    1539. 

  1539.             AESECB6_UPDATE(5);
    1540. 

  1540.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encp - 2 * 16)), --ghash_precompute);
    1541. 

  1541.             AESECB6_UPDATE(6);
    1542. 

  1542.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encp - 1 * 16)), --ghash_precompute);
    1543. 

  1543.             AESECB6_UPDATE(7);
    1544. 

  1544.             if ((state & STATE_COPY_128B) != 0) {
    1545. 

  1545.                 _mm256_stream_si256((void *)(output + 64), _mm256_load_si256((void *)(encbuf + 64)));
    1546. 

  1546.                 _mm256_stream_si256((void *)(output + 96), _mm256_load_si256((void *)(encbuf + 96)));
    1547. 

  1547.                 output += 128;
    1548. 

  1548.                 encp -= 128;
    1549. 

  1549.                 AESECB6_UPDATE(8);
    1550. 

  1550.                 _mm256_store_si256((void *)encbuf, _mm256_load_si256((void *)(encbuf + 128)));
    1551. 

  1551.                 _mm256_store_si256((void *)(encbuf + 32), _mm256_load_si256((void *)(encbuf + 160)));
    1552. 

  1552.             } else {
    1553. 

  1553.                 output += 64;
    1554. 

  1554.                 encp -= 64;
    1555. 

  1555.                 _mm256_store_si256((void *)encbuf, _mm256_load_si256((void *)(encbuf + 64)));
    1556. 

  1556.                 _mm256_store_si256((void *)(encbuf + 32), _mm256_load_si256((void *)(encbuf + 96)));
    1557. 

  1557.                 AESECB6_UPDATE(8);
    1558. 

  1558.             }
    1559. 

  1559.             state ^= STATE_COPY_128B;
    1560. 

  1560.             AESECB6_UPDATE(9);
    1561. 

  1561.             if (PTLS_UNLIKELY(ctx->super.ecb.rounds != 10)) {
    1562. 

  1562.                 for (size_t i = 10; PTLS_LIKELY(i < ctx->super.ecb.rounds); ++i)
    1563. 

  1563.                     AESECB6_UPDATE(i);
    1564. 

  1564.             }
    1565. 

  1565.             assert(ctx->ghash == ghash_precompute);
    1566. 

  1566.             gfmul_reduce128(&gstate);
    1567. 

  1567.             AESECB6_FINAL(ctx->super.ecb.rounds);
    1568. 

  1568.         }
    1569. 

  1569.     }
    1570. 

  1570. 

  1571.     /* Now, All the encrypted bits are built in encbuf. Calculate AEAD tag and append to encbuf. */
    1572. 

  1572. 

  1573.     { /* Run ghash against the remaining bytes, after appending `ac` (i.e., len(A) | len(C)). At this point, we might be ghashing 7
    1574. 

  1574.        * blocks at once. */
    1575. 

  1575.         size_t ac_off = remaining_ghash_from + ((encp - encbuf) - remaining_ghash_from + 15) / 16 * 16;
    1576. 

  1576.         _mm_storeu_si128((void *)(encbuf + ac_off), ac);
    1577. 

  1577.         size_t blocks = ((encp - encbuf) - remaining_ghash_from + 15) / 16 + 1; /* round up, +1 for AC */
    1578. 

  1578.         assert(blocks <= 7);
    1579. 

  1579.         struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute = ctx->ghash + blocks;
    1580. 

  1580.         gfmul_firststep128(&gstate, _mm_loadu_si128((void *)(encbuf + remaining_ghash_from)), --ghash_precompute);
    1581. 

  1581.         remaining_ghash_from += 16;
    1582. 

  1582.         while (ghash_precompute != ctx->ghash) {
    1583. 

  1583.             gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(encbuf + remaining_ghash_from)), --ghash_precompute);
    1584. 

  1584.             remaining_ghash_from += 16;
    1585. 

  1585.         }
    1586. 

  1586.         gfmul_reduce128(&gstate);
    1587. 

  1587.     }
    1588. 

  1588. 

  1589.     /* Calculate EK0, if in the unlikely case on not been done yet. When encoding in full size (16K), EK0 will be ready. */
    1590. 

  1590.     if (PTLS_UNLIKELY((state & STATE_EK0_READY) == 0)) {
    1591. 

  1591.         bits5 = _mm_xor_si128(ek0, ctx->super.ecb.keys.m128[0]);
    1592. 

  1592.         for (size_t i = 1; i < ctx->super.ecb.rounds; ++i)
    1593. 

  1593.             bits5 = _mm_aesenc_si128(bits5, ctx->super.ecb.keys.m128[i]);
    1594. 

  1594.         bits5 = _mm_aesenclast_si128(bits5, ctx->super.ecb.keys.m128[ctx->super.ecb.rounds]);
    1595. 

  1595.     }
    1596. 

  1596. 

  1597.     /* append tag to encbuf */
    1598. 

  1598.     _mm_storeu_si128((void *)encp, gfmul_get_tag128(&gstate, bits5));
    1599. 

  1599.     encp += 16;
    1600. 

  1600. 

  1601.     /* write remaining bytes */
    1602. 

  1602.     write_remaining_bytes(output, encbuf, encp);
    1603. 

  1603. 

  1604. #undef AESECB6_INIT
    1605. 

  1605. #undef AESECB6_UPDATE
    1606. 

  1606. #undef AESECB6_FINAL
    1607. 

  1607. #undef STATE_EK0_READY
    1608. 

  1608. #undef STATE_COPY_128B
    1609. 

  1609. }
    1610. 

  1610. 

  1611. static size_t non_temporal_decrypt128(ptls_aead_context_t *_ctx, void *_output, const void *_input, size_t inlen, uint64_t seq,
    1612. 

  1612.                                       const void *aad, size_t aadlen)
    1613. 

  1613. {
    1614. 

  1614.     /* Bail out if the input is too short, or remove tag from range. */
    1615. 

  1615.     if (inlen < 16)
    1616. 

  1616.         return SIZE_MAX;
    1617. 

  1617.     inlen -= 16;
    1618. 

  1618.     size_t textlen = inlen;
    1619. 

  1619. 

  1620. /* init the bits (we can always run in full), but use the last slot for calculating ek0, if possible */
    1621. 

  1621. #define AESECB6_INIT()                                                                                                             \
    1622. 

  1622.     do {                                                                                                                           \
    1623. 

  1623.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1624. 

  1624.         bits0 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1625. 

  1625.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1626. 

  1626.         bits1 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1627. 

  1627.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1628. 

  1628.         bits2 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1629. 

  1629.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1630. 

  1630.         bits3 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1631. 

  1631.         ctr = _mm_add_epi64(ctr, one8);                                                                                            \
    1632. 

  1632.         bits4 = _mm_shuffle_epi8(ctr, byteswap128);                                                                                \
    1633. 

  1633.         if (PTLS_LIKELY(inlen > 16 * 5)) {                                                                                         \
    1634. 

  1634.             ctr = _mm_add_epi64(ctr, one8);                                                                                        \
    1635. 

  1635.             bits5 = _mm_shuffle_epi8(ctr, byteswap128);                                                                            \
    1636. 

  1636.         } else {                                                                                                                   \
    1637. 

  1637.             bits5 = ek0;                                                                                                           \
    1638. 

  1638.             state |= STATE_EK0_READY;                                                                                              \
    1639. 

  1639.         }                                                                                                                          \
    1640. 

  1640.         __m128i k = ctx->super.ecb.keys.m128[0];                                                                                   \
    1641. 

  1641.         bits0 = _mm_xor_si128(bits0, k);                                                                                           \
    1642. 

  1642.         bits1 = _mm_xor_si128(bits1, k);                                                                                           \
    1643. 

  1643.         bits2 = _mm_xor_si128(bits2, k);                                                                                           \
    1644. 

  1644.         bits3 = _mm_xor_si128(bits3, k);                                                                                           \
    1645. 

  1645.         bits4 = _mm_xor_si128(bits4, k);                                                                                           \
    1646. 

  1646.         bits5 = _mm_xor_si128(bits5, k);                                                                                           \
    1647. 

  1647.     } while (0)
    1648. 

  1648. 

  1649. /* aes block update */
    1650. 

  1650. #define AESECB6_UPDATE(i)                                                                                                          \
    1651. 

  1651.     do {                                                                                                                           \
    1652. 

  1652.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    1653. 

  1653.         bits0 = _mm_aesenc_si128(bits0, k);                                                                                        \
    1654. 

  1654.         bits1 = _mm_aesenc_si128(bits1, k);                                                                                        \
    1655. 

  1655.         bits2 = _mm_aesenc_si128(bits2, k);                                                                                        \
    1656. 

  1656.         bits3 = _mm_aesenc_si128(bits3, k);                                                                                        \
    1657. 

  1657.         bits4 = _mm_aesenc_si128(bits4, k);                                                                                        \
    1658. 

  1658.         bits5 = _mm_aesenc_si128(bits5, k);                                                                                        \
    1659. 

  1659.     } while (0)
    1660. 

  1660. 

  1661. /* aesenclast */
    1662. 

  1662. #define AESECB6_FINAL(i)                                                                                                           \
    1663. 

  1663.     do {                                                                                                                           \
    1664. 

  1664.         __m128i k = ctx->super.ecb.keys.m128[i];                                                                                   \
    1665. 

  1665.         bits0 = _mm_aesenclast_si128(bits0, k);                                                                                    \
    1666. 

  1666.         bits1 = _mm_aesenclast_si128(bits1, k);                                                                                    \
    1667. 

  1667.         bits2 = _mm_aesenclast_si128(bits2, k);                                                                                    \
    1668. 

  1668.         bits3 = _mm_aesenclast_si128(bits3, k);                                                                                    \
    1669. 

  1669.         bits4 = _mm_aesenclast_si128(bits4, k);                                                                                    \
    1670. 

  1670.         bits5 = _mm_aesenclast_si128(bits5, k);                                                                                    \
    1671. 

  1671.     } while (0)
    1672. 

  1672. 

  1673.     struct aesgcm_context *agctx = (void *)_ctx;
    1674. 

  1674.     uint8_t *output = _output;
    1675. 

  1675.     const uint8_t *input = _input;
    1676. 

  1676. 

  1677. #define STATE_EK0_READY 0x1
    1678. 

  1678.     int32_t state = 0;
    1679. 

  1679. 

  1680.     /* setup ctr, retain Ek(0), len(A) | len(C) to be fed into GCM */
    1681. 

  1681.     __m128i ctr = calc_counter(agctx, seq);
    1682. 

  1682.     ctr = _mm_insert_epi32(ctr, 1, 0);
    1683. 

  1683.     __m128i ek0 = _mm_shuffle_epi8(ctr, byteswap128);
    1684. 

  1684.     __m128i ac = _mm_shuffle_epi8(_mm_set_epi32(0, (int)aadlen * 8, 0, (int)inlen * 8), byteswap128);
    1685. 

  1685. 

  1686.     struct ptls_fusion_aesgcm_context128 *ctx = (void *)agctx->aesgcm;
    1687. 

  1687.     __m128i bits0, bits1, bits2, bits3, bits4, bits5 = _mm_setzero_si128();
    1688. 

  1688.     struct ptls_fusion_gfmul_state128 gstate = {0};
    1689. 

  1689. 

  1690.     /* Prepare first 6 blocks of bit stream, at the same time calculating ghash of AAD. */
    1691. 

  1691.     AESECB6_INIT();
    1692. 

  1692.     AESECB6_UPDATE(1);
    1693. 

  1693.     AESECB6_UPDATE(2);
    1694. 

  1694.     reduce_aad128(&gstate, ctx->ghash, aad, aadlen);
    1695. 

  1695.     for (size_t i = 3; i < ctx->super.ecb.rounds; ++i)
    1696. 

  1696.         AESECB6_UPDATE(i);
    1697. 

  1697.     AESECB6_FINAL(ctx->super.ecb.rounds);
    1698. 

  1698. 

  1699.     /* Main loop. Operate in full blocks (6 * 16 bytes). */
    1700. 

  1700.     while (PTLS_LIKELY(inlen >= 6 * 16)) {
    1701. 

  1701. #define DECRYPT(i) _mm_storeu_si128((void *)(output + i * 16), _mm_xor_si128(bits##i, _mm_loadu_si128((void *)(input + i * 16))))
    1702. 

  1702.         DECRYPT(0);
    1703. 

  1703.         DECRYPT(1);
    1704. 

  1704.         DECRYPT(2);
    1705. 

  1705.         DECRYPT(3);
    1706. 

  1706.         DECRYPT(4);
    1707. 

  1707.         DECRYPT(5);
    1708. 

  1708. #undef DECRYPT
    1709. 

  1709. #define GFMUL_NEXT(i) gfmul_nextstep128(&gstate, _mm_loadu_si128((void *)(input + i * 16)), ctx->ghash + 5 - i)
    1710. 

  1710.         AESECB6_INIT();
    1711. 

  1711.         AESECB6_UPDATE(1);
    1712. 

  1712.         AESECB6_UPDATE(2);
    1713. 

  1713.         AESECB6_UPDATE(3);
    1714. 

  1714.         gfmul_firststep128(&gstate, _mm_loadu_si128((void *)input), ctx->ghash + 5);
    1715. 

  1715.         AESECB6_UPDATE(4);
    1716. 

  1716.         GFMUL_NEXT(1);
    1717. 

  1717.         AESECB6_UPDATE(5);
    1718. 

  1718.         GFMUL_NEXT(2);
    1719. 

  1719.         AESECB6_UPDATE(6);
    1720. 

  1720.         GFMUL_NEXT(3);
    1721. 

  1721.         AESECB6_UPDATE(7);
    1722. 

  1722.         GFMUL_NEXT(4);
    1723. 

  1723.         AESECB6_UPDATE(8);
    1724. 

  1724.         GFMUL_NEXT(5);
    1725. 

  1725.         AESECB6_UPDATE(9);
    1726. 

  1726.         gfmul_reduce128(&gstate);
    1727. 

  1727.         if (PTLS_UNLIKELY(ctx->super.ecb.rounds != 10)) {
    1728. 

  1728.             size_t i = 10;
    1729. 

  1729.             do {
    1730. 

  1730.                 AESECB6_UPDATE(i);
    1731. 

  1731.             } while (++i < ctx->super.ecb.rounds);
    1732. 

  1732.         }
    1733. 

  1733.         AESECB6_FINAL(ctx->super.ecb.rounds);
    1734. 

  1734.         output += 6 * 16;
    1735. 

  1735.         input += 6 * 16;
    1736. 

  1736.         inlen -= 6 * 16;
    1737. 

  1737. #undef GFMUL_NEXT
    1738. 

  1738.     }
    1739. 

  1739. 

  1740.     /* Decrypt the remainder as well as finishing GHASH calculation. */
    1741. 

  1741.     if (inlen != 0) {
    1742. 

  1742.         struct ptls_fusion_aesgcm_ghash_precompute128 *ghash_precompute = ctx->ghash + (inlen + 15) / 16 + 1;
    1743. 

  1743. #define ONEBLOCK(i)                                                                                                                \
    1744. 

  1744.     do {                                                                                                                           \
    1745. 

  1745.         if (inlen != 0) {                                                                                                          \
    1746. 

  1746.             __m128i b = inlen >= 16 ? _mm_loadu_si128((void *)input) : loadn128(input, inlen);                                     \
    1747. 

  1747.             if (i == 0) {                                                                                                          \
    1748. 

  1748.                 gfmul_firststep128(&gstate, b, --ghash_precompute);                                                                \
    1749. 

  1749.             } else {                                                                                                               \
    1750. 

  1750.                 gfmul_nextstep128(&gstate, b, --ghash_precompute);                                                                 \
    1751. 

  1751.             }                                                                                                                      \
    1752. 

  1752.             b = _mm_xor_si128(b, bits##i);                                                                                         \
    1753. 

  1753.             if (inlen >= 16) {                                                                                                     \
    1754. 

  1754.                 _mm_storeu_si128((void *)output, b);                                                                               \
    1755. 

  1755.                 output += 16;                                                                                                      \
    1756. 

  1756.                 input += 16;                                                                                                       \
    1757. 

  1757.                 inlen -= 16;                                                                                                       \
    1758. 

  1758.             } else {                                                                                                               \
    1759. 

  1759.                 storen128(output, inlen, b);                                                                                       \
    1760. 

  1760.                 output += inlen;                                                                                                   \
    1761. 

  1761.                 input += inlen;                                                                                                    \
    1762. 

  1762.                 inlen = 0;                                                                                                         \
    1763. 

  1763.             }                                                                                                                      \
    1764. 

  1764.         }                                                                                                                          \
    1765. 

  1765.     } while (0)
    1766. 

  1766.         ONEBLOCK(0);
    1767. 

  1767.         ONEBLOCK(1);
    1768. 

  1768.         ONEBLOCK(2);
    1769. 

  1769.         ONEBLOCK(3);
    1770. 

  1770.         ONEBLOCK(4);
    1771. 

  1771.         ONEBLOCK(5);
    1772. 

  1772. #undef ONEBLOCK
    1773. 

  1773.         gfmul_nextstep128(&gstate, ac, --ghash_precompute);
    1774. 

  1774.         assert(ghash_precompute == ctx->ghash);
    1775. 

  1775.     } else {
    1776. 

  1776.         gfmul_firststep128(&gstate, ac, ctx->ghash);
    1777. 

  1777.     }
    1778. 

  1778.     gfmul_reduce128(&gstate);
    1779. 

  1779. 

  1780.     /* Calculate EK0 if not yet available in bits5. */
    1781. 

  1781.     if ((state & STATE_EK0_READY) == 0) {
    1782. 

  1782.         bits5 = _mm_xor_si128(ek0, ctx->super.ecb.keys.m128[0]);
    1783. 

  1783.         for (size_t i = 1; i < ctx->super.ecb.rounds; ++i)
    1784. 

  1784.             bits5 = _mm_aesenc_si128(bits5, ctx->super.ecb.keys.m128[i]);
    1785. 

  1785.         bits5 = _mm_aesenclast_si128(bits5, ctx->super.ecb.keys.m128[ctx->super.ecb.rounds]);
    1786. 

  1786.     }
    1787. 

  1787. 

  1788.     /* Calculate GCM tag and compare. */
    1789. 

  1789.     __m128i calctag = gfmul_get_tag128(&gstate, bits5);
    1790. 

  1790.     __m128i recvtag = _mm_loadu_si128((void *)input);
    1791. 

  1791.     if (_mm_movemask_epi8(_mm_cmpeq_epi8(calctag, recvtag)) != 0xffff)
    1792. 

  1792.         return SIZE_MAX;
    1793. 

  1793. 

  1794.     return textlen;
    1795. 

  1795. 

  1796. #undef AESECB6_INIT
    1797. 

  1797. #undef AESECB6_UPDATE
    1798. 

  1798. #undef AESECB6_FINAL
    1799. 

  1799. #undef STATE_EK0_READY
    1800. 

  1800. }
    1801. 

  1801. 

  1802. NO_SANITIZE_ADDRESS
    1803. 

  1803. static void non_temporal_encrypt_v256(struct st_ptls_aead_context_t *_ctx, void *_output, ptls_iovec_t *input, size_t incnt,
    1804. 

  1804.                                       uint64_t seq, const void *_aad, size_t aadlen)
    1805. 

  1805. {
    1806. 

  1806. /* init the bits (we can always run in full), but use the last slot for calculating ek0, if possible */
    1807. 

  1807. #define AESECB6_INIT()                                                                                                             \
    1808. 

  1808.     do {                                                                                                                           \
    1809. 

  1809.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1810. 

  1810.         bits0 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1811. 

  1811.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1812. 

  1812.         bits1 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1813. 

  1813.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1814. 

  1814.         bits2 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1815. 

  1815.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1816. 

  1816.         bits3 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1817. 

  1817.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1818. 

  1818.         bits4 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1819. 

  1819.         ctr = _mm256_add_epi64(ctr, incr128x2);                                                                                    \
    1820. 

  1820.         bits5 = _mm256_shuffle_epi8(ctr, byteswap256);                                                                             \
    1821. 

  1821.         if (PTLS_UNLIKELY(srclen <= 32 * 6 - 16) && src_vecleft == 0) {                                                            \
    1822. 

  1822.             bits5 = _mm256_permute2f128_si256(bits5, ac_ek0, 0x30);                                                                \
    1823. 

  1823.             state |= STATE_EK0_READY;                                                                                              \
    1824. 

  1824.         }                                                                                                                          \
    1825. 

  1825.         __m256i k = ctx->super.ecb.keys.m256[0];                                                                                   \
    1826. 

  1826.         bits0 = _mm256_xor_si256(bits0, k);                                                                                        \
    1827. 

  1827.         bits1 = _mm256_xor_si256(bits1, k);                                                                                        \
    1828. 

  1828.         bits2 = _mm256_xor_si256(bits2, k);                                                                                        \
    1829. 

  1829.         bits3 = _mm256_xor_si256(bits3, k);                                                                                        \
    1830. 

  1830.         bits4 = _mm256_xor_si256(bits4, k);                                                                                        \
    1831. 

  1831.         bits5 = _mm256_xor_si256(bits5, k);                                                                                        \
    1832. 

  1832.     } while (0)
    1833. 

  1833. 

  1834. /* aes block update */
    1835. 

  1835. #define AESECB6_UPDATE(i)                                                                                                          \
    1836. 

  1836.     do {                                                                                                                           \
    1837. 

  1837.         __m256i k = ctx->super.ecb.keys.m256[i];                                                                                   \
    1838. 

  1838.         bits0 = _mm256_aesenc_epi128(bits0, k);                                                                                    \
    1839. 

  1839.         bits1 = _mm256_aesenc_epi128(bits1, k);                                                                                    \
    1840. 

  1840.         bits2 = _mm256_aesenc_epi128(bits2, k);                                                                                    \
    1841. 

  1841.         bits3 = _mm256_aesenc_epi128(bits3, k);                                                                                    \
    1842. 

  1842.         bits4 = _mm256_aesenc_epi128(bits4, k);                                                                                    \
    1843. 

  1843.         bits5 = _mm256_aesenc_epi128(bits5, k);                                                                                    \
    1844. 

  1844.     } while (0)
    1845. 

  1845. 

  1846. /* aesenclast */
    1847. 

  1847. #define AESECB6_FINAL(i)                                                                                                           \
    1848. 

  1848.     do {                                                                                                                           \
    1849. 

  1849.         __m256i k = ctx->super.ecb.keys.m256[i];                                                                                   \
    1850. 

  1850.         bits0 = _mm256_aesenclast_epi128(bits0, k);                                                                                \
    1851. 

  1851.         bits1 = _mm256_aesenclast_epi128(bits1, k);                                                                                \
    1852. 

  1852.         bits2 = _mm256_aesenclast_epi128(bits2, k);                                                                                \
    1853. 

  1853.         bits3 = _mm256_aesenclast_epi128(bits3, k);                                                                                \
    1854. 

  1854.         bits4 = _mm256_aesenclast_epi128(bits4, k);                                                                                \
    1855. 

  1855.         bits5 = _mm256_aesenclast_epi128(bits5, k);                                                                                \
    1856. 

  1856.     } while (0)
    1857. 

  1857. 

  1858.     struct aesgcm_context *agctx = (void *)_ctx;
    1859. 

  1859.     uint8_t *output = _output;
    1860. 

  1860.     const uint8_t *aad = _aad;
    1861. 

  1861. 

  1862. #define STATE_EK0_READY 0x1
    1863. 

  1863.     int32_t state = 0;
    1864. 

  1864. 

  1865.     /* Bytes are written here first then written using NT store instructions, 64 bytes at a time. */
    1866. 

  1866.     uint8_t encbuf[32 * 9] __attribute__((aligned(32))), *encp;
    1867. 

  1867. 

  1868.     /* `encbuf` should be large enough to store up to 63-bytes of unaligned bytes, 6 16-byte AES blocks, plus AEAD tag that is
    1869. 

  1869.      * append to the ciphertext before writing the bytes to main memory using NT store instructions. */
    1870. 

  1870.     PTLS_BUILD_ASSERT(sizeof(encbuf) >= 64 + 6 * 32 + 16);
    1871. 

  1871. 

  1872.     /* load unaligned data within same cache line preceding `output`, adjusting pointers accordingly */
    1873. 

  1873.     encp = load_preceding_unaligned(encbuf, &output);
    1874. 

  1874. 

  1875.     /* setup ctr, retaining Ek(0), len(A) | len(C) to be fed into GCM */
    1876. 

  1876.     __m256i ctr = _mm256_broadcastsi128_si256(calc_counter(agctx, seq));
    1877. 

  1877.     ctr = _mm256_insert_epi32(ctr, 1, 4);
    1878. 

  1878.     __m256i ac_ek0 = _mm256_permute2f128_si256(
    1879. 

  1879.         /* first half: ac */
    1880. 

  1880.         _mm256_castsi128_si256(
    1881. 

  1881.             _mm_shuffle_epi8(_mm_set_epi32(0, (int)aadlen * 8, 0, (int)calc_total_length(input, incnt) * 8), byteswap128)),
    1882. 

  1882.         /* second half: ek0 */
    1883. 

  1883.         _mm256_shuffle_epi8(ctr, byteswap256), 0x30);
    1884. 

  1884. 

  1885.     struct ptls_fusion_aesgcm_context256 *ctx = (void *)agctx->aesgcm;
    1886. 

  1886.     __m256i bits0, bits1, bits2, bits3, bits4, bits5 = _mm256_setzero_si256();
    1887. 

  1887.     struct ptls_fusion_gfmul_state256 gstate = {0};
    1888. 

  1888. 

  1889.     /* find the first non-empty vec */
    1890. 

  1890.     const uint8_t *src = NULL;
    1891. 

  1891.     size_t srclen = 0, src_vecleft = incnt;
    1892. 

  1892.     while (srclen == 0 && src_vecleft != 0) {
    1893. 

  1893.         src = (void *)input[0].base;
    1894. 

  1894.         srclen = input[0].len;
    1895. 

  1895.         ++input;
    1896. 

  1896.         --src_vecleft;
    1897. 

  1897.     }
    1898. 

  1898. 

  1899.     /* Prepare first 6 blocks of bit stream, at the same time calculating ghash of AAD. */
    1900. 

  1900.     AESECB6_INIT();
    1901. 

  1901.     AESECB6_UPDATE(1);
    1902. 

  1902.     AESECB6_UPDATE(2);
    1903. 

  1903.     if (PTLS_LIKELY(aadlen != 0)) {
    1904. 

  1904.         union ptls_fusion_aesgcm_ghash_precompute256 *ghash_precompute;
    1905. 

  1905.         while (PTLS_UNLIKELY(aadlen >= 6 * 32)) {
    1906. 

  1906.             ghash_precompute = ctx->ghash + 6;
    1907. 

  1907.             gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)aad), 0, --ghash_precompute);
    1908. 

  1908.             aad += 32;
    1909. 

  1909.             aadlen -= 32;
    1910. 

  1910.             for (int i = 1; i < 6; ++i) {
    1911. 

  1911.                 gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)aad), --ghash_precompute);
    1912. 

  1912.                 aad += 32;
    1913. 

  1913.                 aadlen -= 32;
    1914. 

  1914.             }
    1915. 

  1915.             gfmul_reduce256(&gstate);
    1916. 

  1916.         }
    1917. 

  1917.         if (PTLS_LIKELY(aadlen != 0)) {
    1918. 

  1918.             ghash_precompute = ctx->ghash + (aadlen + 31) / 32;
    1919. 

  1919.             if (PTLS_UNLIKELY(aadlen >= 32)) {
    1920. 

  1920.                 if (aadlen % 32 == 0 || aadlen % 32 > 16) {
    1921. 

  1921.                     gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)aad), 0, --ghash_precompute);
    1922. 

  1922.                     aad += 32;
    1923. 

  1923.                     aadlen -= 32;
    1924. 

  1924.                 } else {
    1925. 

  1925.                     gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)aad), 1, --ghash_precompute);
    1926. 

  1926.                     aad += 16;
    1927. 

  1927.                     aadlen -= 16;
    1928. 

  1928.                 }
    1929. 

  1929.                 while (aadlen >= 32) {
    1930. 

  1930.                     gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)aad), --ghash_precompute);
    1931. 

  1931.                     aad += 32;
    1932. 

  1932.                     aadlen -= 32;
    1933. 

  1933.                 }
    1934. 

  1934.                 if (PTLS_LIKELY(aadlen != 0)) {
    1935. 

  1935.                     assert(aadlen > 16);
    1936. 

  1936.                     gfmul_nextstep256(&gstate, loadn256(aad, aadlen), --ghash_precompute);
    1937. 

  1937.                 }
    1938. 

  1938.             } else {
    1939. 

  1939.                 gfmul_firststep256(&gstate, loadn256(aad, aadlen), aadlen <= 16, --ghash_precompute);
    1940. 

  1940.             }
    1941. 

  1941.             assert(ctx->ghash == ghash_precompute);
    1942. 

  1942.             gfmul_reduce256(&gstate);
    1943. 

  1943.         }
    1944. 

  1944.     }
    1945. 

  1945.     for (size_t i = 3; i < ctx->super.ecb.rounds; ++i)
    1946. 

  1946.         AESECB6_UPDATE(i);
    1947. 

  1947.     AESECB6_FINAL(ctx->super.ecb.rounds);
    1948. 

  1948. 

  1949.     /* Main loop. This loop:
    1950. 

  1950.      *  1. using current keystream (bits0..bits5), xors a up to 6 * 16 bytes and writes to encbuf,
    1951. 

  1951.      *  2. then if there is no more data to be encrypted, exit the loop, otherwise,
    1952. 

  1952.      *  3. calculate ghash of the blocks being written to encbuf,
    1953. 

  1953.      *  4. calculate next 6 * 16 bytes of keystream,
    1954. 

  1954.      *  5. writes encbuf in 64-byte blocks
    1955. 

  1955.      * When exitting the loop, `remaining_ghash_from` represents the offset within `encbuf` from where ghash remains to be
    1956. 

  1956.      * calculated. */
    1957. 

  1957.     size_t remaining_ghash_from = encp - encbuf;
    1958. 

  1958.     if (srclen != 0) {
    1959. 

  1959.         while (1) {
    1960. 

  1960.             /* apply the bit stream to input, writing to encbuf */
    1961. 

  1961.             if (PTLS_LIKELY(srclen >= 6 * 32)) {
    1962. 

  1962. #define APPLY(i) _mm256_storeu_si256((void *)(encp + i * 32), _mm256_xor_si256(_mm256_loadu_si256((void *)(src + i * 32)), bits##i))
    1963. 

  1963.                 APPLY(0);
    1964. 

  1964.                 APPLY(1);
    1965. 

  1965.                 APPLY(2);
    1966. 

  1966.                 APPLY(3);
    1967. 

  1967.                 APPLY(4);
    1968. 

  1968.                 APPLY(5);
    1969. 

  1969. #undef APPLY
    1970. 

  1970.                 encp += 6 * 32;
    1971. 

  1971.                 src += 6 * 32;
    1972. 

  1972.                 srclen -= 6 * 32;
    1973. 

  1973.                 if (PTLS_UNLIKELY(srclen == 0)) {
    1974. 

  1974.                     if (src_vecleft == 0) {
    1975. 

  1975.                         remaining_ghash_from = (encp - encbuf) - 6 * 32;
    1976. 

  1976.                         break;
    1977. 

  1977.                     }
    1978. 

  1978.                     src = (void *)input[0].base;
    1979. 

  1979.                     srclen = input[0].len;
    1980. 

  1980.                     ++input;
    1981. 

  1981.                     --src_vecleft;
    1982. 

  1982.                 }
    1983. 

  1983.             } else {
    1984. 

  1984.                 /* slow path, load at most 6 * 32 bytes to encbuf then encrypt in-place */
    1985. 

  1985.                 size_t bytes_copied = 0;
    1986. 

  1986.                 do {
    1987. 

  1987.                     if (srclen >= 32 && bytes_copied < 5 * 32) {
    1988. 

  1988.                         _mm256_storeu_si256((void *)(encp + bytes_copied), _mm256_loadu_si256((void *)src));
    1989. 

  1989.                         bytes_copied += 32;
    1990. 

  1990.                         src += 32;
    1991. 

  1991.                         srclen -= 32;
    1992. 

  1992.                     } else {
    1993. 

  1993.                         encp[bytes_copied++] = *src++;
    1994. 

  1994.                         --srclen;
    1995. 

  1995.                     }
    1996. 

  1996.                     if (PTLS_UNLIKELY(srclen == 0)) {
    1997. 

  1997.                         do {
    1998. 

  1998.                             if (src_vecleft == 0)
    1999. 

  1999.                                 break;
    2000. 

  2000.                             src = (void *)input[0].base;
    2001. 

  2001.                             srclen = input[0].len;
    2002. 

  2002.                             ++input;
    2003. 

  2003.                             --src_vecleft;
    2004. 

  2004.                         } while (srclen == 0);
    2005. 

  2005.                         if (srclen == 0)
    2006. 

  2006.                             break;
    2007. 

  2007.                     }
    2008. 

  2008.                 } while (bytes_copied < 6 * 32);
    2009. 

  2009. #define APPLY(i)                                                                                                                   \
    2010. 

  2010.     _mm256_storeu_si256((void *)(encp + i * 32), _mm256_xor_si256(_mm256_loadu_si256((void *)(encp + i * 32)), bits##i))
    2011. 

  2011.                 APPLY(0);
    2012. 

  2012.                 APPLY(1);
    2013. 

  2013.                 APPLY(2);
    2014. 

  2014.                 APPLY(3);
    2015. 

  2015.                 APPLY(4);
    2016. 

  2016.                 APPLY(5);
    2017. 

  2017. #undef APPLY
    2018. 

  2018.                 encp += bytes_copied;
    2019. 

  2019.                 if (PTLS_UNLIKELY(srclen == 0)) {
    2020. 

  2020.                     /* Calculate amonut of data left to be ghashed, as well as zero-clearing the remainedr of partial block, as it
    2021. 

  2021.                      * will be fed into ghash. */
    2022. 

  2022.                     remaining_ghash_from = (encp - encbuf) - bytes_copied;
    2023. 

  2023.                     if ((bytes_copied & 15) != 0)
    2024. 

  2024.                         _mm_storeu_si128((void *)encp, _mm_setzero_si128());
    2025. 

  2025.                     break;
    2026. 

  2026.                 }
    2027. 

  2027.             }
    2028. 

  2028. 

  2029.             /* Next 96-byte block starts here. Run AES and ghash in parallel while writing output using non-temporal store
    2030. 

  2030.              * instructions. */
    2031. 

  2031.             AESECB6_INIT();
    2032. 

  2032.             union ptls_fusion_aesgcm_ghash_precompute256 *ghash_precompute = ctx->ghash + 6;
    2033. 

  2033.             gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)(encp - 6 * 32)), 0, --ghash_precompute);
    2034. 

  2034.             AESECB6_UPDATE(1);
    2035. 

  2035.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encp - 5 * 32)), --ghash_precompute);
    2036. 

  2036.             AESECB6_UPDATE(2);
    2037. 

  2037.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encp - 4 * 32)), --ghash_precompute);
    2038. 

  2038.             AESECB6_UPDATE(3);
    2039. 

  2039.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encp - 3 * 32)), --ghash_precompute);
    2040. 

  2040.             AESECB6_UPDATE(4);
    2041. 

  2041.             _mm256_stream_si256((void *)output, _mm256_load_si256((void *)encbuf));
    2042. 

  2042.             _mm256_stream_si256((void *)(output + 32), _mm256_load_si256((void *)(encbuf + 32)));
    2043. 

  2043.             _mm256_stream_si256((void *)(output + 64), _mm256_load_si256((void *)(encbuf + 64)));
    2044. 

  2044.             _mm256_stream_si256((void *)(output + 96), _mm256_load_si256((void *)(encbuf + 96)));
    2045. 

  2045.             _mm256_stream_si256((void *)(output + 128), _mm256_load_si256((void *)(encbuf + 128)));
    2046. 

  2046.             _mm256_stream_si256((void *)(output + 160), _mm256_load_si256((void *)(encbuf + 160)));
    2047. 

  2047.             AESECB6_UPDATE(5);
    2048. 

  2048.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encp - 2 * 32)), --ghash_precompute);
    2049. 

  2049.             AESECB6_UPDATE(6);
    2050. 

  2050.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encp - 1 * 32)), --ghash_precompute);
    2051. 

  2051.             output += 192;
    2052. 

  2052.             encp -= 192;
    2053. 

  2053.             AESECB6_UPDATE(7);
    2054. 

  2054.             _mm256_store_si256((void *)encbuf, _mm256_load_si256((void *)(encbuf + 192)));
    2055. 

  2055.             AESECB6_UPDATE(8);
    2056. 

  2056.             _mm256_store_si256((void *)(encbuf + 32), _mm256_load_si256((void *)(encbuf + 224)));
    2057. 

  2057.             AESECB6_UPDATE(9);
    2058. 

  2058.             if (PTLS_UNLIKELY(ctx->super.ecb.rounds != 10)) {
    2059. 

  2059.                 for (size_t i = 10; PTLS_LIKELY(i < ctx->super.ecb.rounds); ++i)
    2060. 

  2060.                     AESECB6_UPDATE(i);
    2061. 

  2061.             }
    2062. 

  2062.             assert(ctx->ghash == ghash_precompute);
    2063. 

  2063.             gfmul_reduce256(&gstate);
    2064. 

  2064.             AESECB6_FINAL(ctx->super.ecb.rounds);
    2065. 

  2065.         }
    2066. 

  2066.     }
    2067. 

  2067. 

  2068.     /* Now, All the encrypted bits are built in encbuf. Calculate AEAD tag and append to encbuf. */
    2069. 

  2069. 

  2070.     { /* Run ghash against the remaining bytes, after appending `ac` (i.e., len(A) | len(C)). At this point, we might be ghashing 7
    2071. 

  2071.        * blocks at once. */
    2072. 

  2072.         size_t ac_off = remaining_ghash_from + ((encp - encbuf) - remaining_ghash_from + 15) / 16 * 16;
    2073. 

  2073.         _mm_storeu_si128((void *)(encbuf + ac_off), _mm256_castsi256_si128(ac_ek0));
    2074. 

  2074.         size_t blocks = ((encp - encbuf) - remaining_ghash_from + 15) / 16 + 1; /* round up, +1 for AC */
    2075. 

  2075.         assert(blocks <= 13);
    2076. 

  2076.         union ptls_fusion_aesgcm_ghash_precompute256 *ghash_precompute = ctx->ghash + blocks / 2;
    2077. 

  2077.         if (blocks % 2 != 0) {
    2078. 

  2078.             gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)(encbuf + remaining_ghash_from)), 1, ghash_precompute);
    2079. 

  2079.             remaining_ghash_from += 16;
    2080. 

  2080.         } else {
    2081. 

  2081.             gfmul_firststep256(&gstate, _mm256_loadu_si256((void *)(encbuf + remaining_ghash_from)), 0, --ghash_precompute);
    2082. 

  2082.             remaining_ghash_from += 32;
    2083. 

  2083.         }
    2084. 

  2084.         while (ghash_precompute != ctx->ghash) {
    2085. 

  2085.             gfmul_nextstep256(&gstate, _mm256_loadu_si256((void *)(encbuf + remaining_ghash_from)), --ghash_precompute);
    2086. 

  2086.             remaining_ghash_from += 32;
    2087. 

  2087.         }
    2088. 

  2088.         gfmul_reduce256(&gstate);
    2089. 

  2089.     }
    2090. 

  2090. 

  2091.     /* Calculate EK0, if in the unlikely case on not been done yet. When encoding in full size (16K), EK0 will be ready. */
    2092. 

  2092.     if (PTLS_UNLIKELY((state & STATE_EK0_READY) == 0)) {
    2093. 

  2093.         bits5 = ac_ek0;
    2094. 

  2094.         bits5 = _mm256_xor_si256(bits5, ctx->super.ecb.keys.m256[0]);
    2095. 

  2095.         for (size_t i = 1; i < ctx->super.ecb.rounds; ++i)
    2096. 

  2096.             bits5 = _mm256_aesenc_epi128(bits5, ctx->super.ecb.keys.m256[i]);
    2097. 

  2097.         bits5 = _mm256_aesenclast_epi128(bits5, ctx->super.ecb.keys.m256[ctx->super.ecb.rounds]);
    2098. 

  2098.     }
    2099. 

  2099. 

  2100.     /* append tag to encbuf */
    2101. 

  2101.     _mm_storeu_si128((void *)encp,
    2102. 

  2102.                      gfmul_get_tag256(&gstate, _mm256_castsi256_si128(_mm256_permute2f128_si256(bits5, bits5, 0x11))));
    2103. 

  2103.     encp += 16;
    2104. 

  2104. 

  2105.     /* write remaining bytes */
    2106. 

  2106.     write_remaining_bytes(output, encbuf, encp);
    2107. 

  2107. }
    2108. 

  2108. 

  2109. static int non_temporal_setup(ptls_aead_context_t *_ctx, int is_enc, const void *key, const void *iv, size_t key_size)
    2110. 

  2110. {
    2111. 

  2111.     struct aesgcm_context *ctx = (struct aesgcm_context *)_ctx;
    2112. 

  2112.     int aesni256 = is_enc && ptls_fusion_can_aesni256;
    2113. 

  2113. 

  2114.     ctx->static_iv = loadn128(iv, PTLS_AESGCM_IV_SIZE);
    2115. 

  2115.     ctx->static_iv = _mm_shuffle_epi8(ctx->static_iv, byteswap128);
    2116. 

  2116.     if (key == NULL)
    2117. 

  2117.         return 0;
    2118. 

  2118. 

  2119.     ctx->super.dispose_crypto = aesgcm_dispose_crypto;
    2120. 

  2120.     ctx->super.do_get_iv = aesgcm_get_iv;
    2121. 

  2121.     ctx->super.do_set_iv = aesgcm_set_iv;
    2122. 

  2122.     ctx->super.do_encrypt_init = NULL;
    2123. 

  2123.     ctx->super.do_encrypt_update = NULL;
    2124. 

  2124.     ctx->super.do_encrypt_final = NULL;
    2125. 

  2125.     if (is_enc) {
    2126. 

  2126.         ctx->super.do_encrypt = ptls_aead__do_encrypt;
    2127. 

  2127.         ctx->super.do_encrypt_v = aesni256 ? non_temporal_encrypt_v256 : non_temporal_encrypt_v128;
    2128. 

  2128.         ctx->super.do_decrypt = NULL;
    2129. 

  2129.     } else {
    2130. 

  2130.         assert(!aesni256);
    2131. 

  2131.         ctx->super.do_encrypt = NULL;
    2132. 

  2132.         ctx->super.do_encrypt_v = NULL;
    2133. 

  2133.         ctx->super.do_decrypt = non_temporal_decrypt128;
    2134. 

  2134.     }
    2135. 

  2135. 

  2136.     ctx->aesgcm =
    2137. 

  2137.         new_aesgcm(key, key_size,
    2138. 

  2138.                    7 * (ptls_fusion_can_aesni256 ? 32 : 16), // 6 blocks at once, plus len(A) | len(C) that we might append
    2139. 

  2139.                    aesni256);
    2140. 

  2140. 

  2141.     return 0;
    2142. 

  2142. }
    2143. 

  2143. 

  2144. static int non_temporal_aes128gcm_setup(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
    2145. 

  2145. {
    2146. 

  2146.     return non_temporal_setup(ctx, is_enc, key, iv, PTLS_AES128_KEY_SIZE);
    2147. 

  2147. }
    2148. 

  2148. 

  2149. static int non_temporal_aes256gcm_setup(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
    2150. 

  2150. {
    2151. 

  2151.     return non_temporal_setup(ctx, is_enc, key, iv, PTLS_AES256_KEY_SIZE);
    2152. 

  2152. }
    2153. 

  2153. 

  2154. ptls_aead_algorithm_t ptls_non_temporal_aes128gcm = {"AES128-GCM",
    2155. 

  2155.                                                      PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
    2156. 

  2156.                                                      PTLS_AESGCM_INTEGRITY_LIMIT,
    2157. 

  2157.                                                      &ptls_fusion_aes128ctr,
    2158. 

  2158.                                                      NULL, // &ptls_fusion_aes128ecb,
    2159. 

  2159.                                                      PTLS_AES128_KEY_SIZE,
    2160. 

  2160.                                                      PTLS_AESGCM_IV_SIZE,
    2161. 

  2161.                                                      PTLS_AESGCM_TAG_SIZE,
    2162. 

  2162.                                                      {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE},
    2163. 

  2163.                                                      1,
    2164. 

  2164.                                                      PTLS_X86_CACHE_LINE_ALIGN_BITS,
    2165. 

  2165.                                                      sizeof(struct aesgcm_context),
    2166. 

  2166.                                                      non_temporal_aes128gcm_setup};
    2167. 

  2167. ptls_aead_algorithm_t ptls_non_temporal_aes256gcm = {"AES256-GCM",
    2168. 

  2168.                                                      PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
    2169. 

  2169.                                                      PTLS_AESGCM_INTEGRITY_LIMIT,
    2170. 

  2170.                                                      &ptls_fusion_aes256ctr,
    2171. 

  2171.                                                      NULL, // &ptls_fusion_aes128ecb,
    2172. 

  2172.                                                      PTLS_AES256_KEY_SIZE,
    2173. 

  2173.                                                      PTLS_AESGCM_IV_SIZE,
    2174. 

  2174.                                                      PTLS_AESGCM_TAG_SIZE,
    2175. 

  2175.                                                      {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE},
    2176. 

  2176.                                                      1,
    2177. 

  2177.                                                      PTLS_X86_CACHE_LINE_ALIGN_BITS,
    2178. 

  2178.                                                      sizeof(struct aesgcm_context),
    2179. 

  2179.                                                      non_temporal_aes256gcm_setup};
    2180. 

  2180. 

  2181. #ifdef _WINDOWS
    2182. 

  2182. /**
    2183. 

  2183.  * ptls_fusion_is_supported_by_cpu:
    2184. 

  2184.  * Check that the CPU has extended instructions for PCMUL, AES and AVX2.
    2185. 

  2185.  * This test assumes that the CPU is following the x86/x64 architecture.
    2186. 

  2186.  * A slightly more refined test could check that the cpu_info spells out
    2187. 

  2187.  * "genuineIntel" or "authenticAMD", but would fail in presence of
    2188. 

  2188.  * little known CPU brands or some VM */
    2189. 

  2189. int ptls_fusion_is_supported_by_cpu(void)
    2190. 

  2190. {
    2191. 

  2191.     uint32_t cpu_info[4];
    2192. 

  2192.     uint32_t nb_ids;
    2193. 

  2193.     int is_supported = 0;
    2194. 

  2194. 

  2195.     __cpuid(cpu_info, 0);
    2196. 

  2196.     nb_ids = cpu_info[0];
    2197. 

  2197. 

  2198.     if (nb_ids >= 7) {
    2199. 

  2199.         uint32_t leaf1_ecx;
    2200. 

  2200.         __cpuid(cpu_info, 1);
    2201. 

  2201.         leaf1_ecx = cpu_info[2];
    2202. 

  2202. 

  2203.         if (/* PCLMUL */ (leaf1_ecx & (1 << 5)) != 0 && /* AES */ (leaf1_ecx & (1 << 25)) != 0) {
    2204. 

  2204.             uint32_t leaf7_ebx, leaf7_ecx;
    2205. 

  2205.             __cpuid(cpu_info, 7);
    2206. 

  2206.             leaf7_ebx = cpu_info[1];
    2207. 

  2207.             leaf7_ecx = cpu_info[2];
    2208. 

  2208. 

  2209.             is_supported = /* AVX2 */ (leaf7_ebx & (1 << 5)) != 0;
    2210. 

  2210. 

  2211.             /* enable 256-bit mode if possible */
    2212. 

  2212.             if (is_supported && (leaf7_ecx & 0x600) != 0 && !ptls_fusion_can_aesni256)
    2213. 

  2213.                 ptls_fusion_can_aesni256 = 1;
    2214. 

  2214.         }
    2215. 

  2215.     }
    2216. 

  2216. 

  2217.     return is_supported;
    2218. 

  2218. }
    2219. 

  2219. #else
    2220. 

  2220. int ptls_fusion_is_supported_by_cpu(void)
    2221. 

  2221. {
    2222. 

  2222.     unsigned leaf1_ecx, leaf7_ebx, leaf7_ecx;
    2223. 

  2223. 

  2224.     { /* GCC-specific code to obtain CPU features */
    2225. 

  2225.         unsigned leaf_cnt;
    2226. 

  2226.         __asm__("cpuid" : "=a"(leaf_cnt) : "a"(0) : "ebx", "ecx", "edx");
    2227. 

  2227.         if (leaf_cnt < 7)
    2228. 

  2228.             return 0;
    2229. 

  2229.         __asm__("cpuid" : "=c"(leaf1_ecx) : "a"(1) : "ebx", "edx");
    2230. 

  2230.         __asm__("cpuid" : "=b"(leaf7_ebx), "=c"(leaf7_ecx) : "a"(7), "c"(0) : "edx");
    2231. 

  2231.     }
    2232. 

  2232. 

  2233.     /* AVX2 */
    2234. 

  2234.     if ((leaf7_ebx & (1 << 5)) == 0)
    2235. 

  2235.         return 0;
    2236. 

  2236.     /* AES */
    2237. 

  2237.     if ((leaf1_ecx & (1 << 25)) == 0)
    2238. 

  2238.         return 0;
    2239. 

  2239.     /* PCLMUL */
    2240. 

  2240.     if ((leaf1_ecx & (1 << 1)) == 0)
    2241. 

  2241.         return 0;
    2242. 

  2242. 

  2243.     /* enable 256-bit mode if possible */
    2244. 

  2244.     if ((leaf7_ecx & 0x600) != 0 && !ptls_fusion_can_aesni256)
    2245. 

  2245.         ptls_fusion_can_aesni256 = 1;
    2246. 

  2246. 

  2247.     return 1;
    2248. 

  2248. }
    2249. 

  2249. #endif
    2250.