On Wed, May 17, 2017 at 07:17:56PM +0200, Mike Belopuhov wrote:
> There are ways to improve performance but more work is required
> to get there. In the meantime if the consensus is that XTS
> performance is unacceptable we can roll it back to T-tables.
>
> Please test the diff below.
Works for me.
This restores my machine from 'very very slow' to just 'slow'.
Thanks!
> diff --git regress/sys/crypto/aesxts/Makefile
> regress/sys/crypto/aesxts/Makefile
> index 4c47348d9c8..5d7fea9f560 100644
> --- regress/sys/crypto/aesxts/Makefile
> +++ regress/sys/crypto/aesxts/Makefile
> @@ -19,11 +19,11 @@ CDIAGFLAGS+= -Wshadow
>
> REGRESS_TARGETS= run-regress-${PROG}
>
> .PATH: ${DIR}/crypto
> SRCS+= cast.c ecb_enc.c ecb3_enc.c gmac.c aes.c set_key.c
> -SRCS+= chachapoly.c poly1305.c
> +SRCS+= rijndael.c chachapoly.c poly1305.c
> SRCS+= xform.c
>
> run-regress-${PROG}: ${PROG}
> ./${PROG}
>
> diff --git regress/sys/crypto/aesxts/aes_xts.c
> regress/sys/crypto/aesxts/aes_xts.c
> index 861d143bac6..c43b4f56ef6 100644
> --- regress/sys/crypto/aesxts/aes_xts.c
> +++ regress/sys/crypto/aesxts/aes_xts.c
> @@ -24,23 +24,23 @@
> * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> */
>
> #include <sys/types.h>
> -#include <crypto/aes.h>
> +#include <crypto/rijndael.h>
> #include <err.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> #define AES_XTS_BLOCKSIZE 16
>
> struct aes_xts_ctx {
> - AES_CTX key1;
> - AES_CTX key2;
> + rijndael_ctx key1;
> + rijndael_ctx key2;
> u_int8_t tweak[AES_XTS_BLOCKSIZE];
> };
>
> int aes_xts_setkey(void *, u_int8_t *, int);
> void aes_xts_encrypt(caddr_t, u_int8_t *);
> diff --git sys/crypto/aes.h sys/crypto/aes.h
> index a670a2b522c..9718115fc65 100644
> --- sys/crypto/aes.h
> +++ sys/crypto/aes.h
> @@ -24,11 +24,13 @@
> */
>
> #ifndef _AES_H_
> #define _AES_H_
>
> +#ifndef AES_MAXROUNDS
> #define AES_MAXROUNDS (14)
> +#endif
>
> typedef struct aes_ctx {
> uint32_t sk[60];
> uint32_t sk_exp[120];
>
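Review bot: The new `#ifndef AES_MAXROUNDS` guard makes the macro's value depend on include order and silently accepts whatever an earlier header defined. It presumably exists because `<crypto/rijndael.h>`, which xform.c now includes just before this header, defines the same macro; that header is not shown on this page. A comment on the guard, e.g. `/* also defined by <crypto/rijndael.h>; the two values must match */`, would record why it is there.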
> diff --git sys/crypto/xform.c sys/crypto/xform.c
> index 0579345f4f1..6955d1b0ad4 100644
> --- sys/crypto/xform.c
> +++ sys/crypto/xform.c
> @@ -57,10 +57,11 @@
> #include <crypto/sha1.h>
> #include <crypto/sha2.h>
> #include <crypto/rmd160.h>
> #include <crypto/blf.h>
> #include <crypto/cast.h>
> +#include <crypto/rijndael.h>
> #include <crypto/aes.h>
> #include <crypto/cryptodev.h>
> #include <crypto/xform.h>
> #include <crypto/gmac.h>
> #include <crypto/chachapoly.h>
> @@ -119,12 +120,12 @@ struct aes_ctr_ctx {
> #define AES_XTS_BLOCKSIZE 16
> #define AES_XTS_IVSIZE 8
> #define AES_XTS_ALPHA 0x87 /* GF(2^128) generator
> polynomial */
>
> struct aes_xts_ctx {
> - AES_CTX key1;
> - AES_CTX key2;
> + rijndael_ctx key1;
> + rijndael_ctx key2;
> u_int8_t tweak[AES_XTS_BLOCKSIZE];
> };
>
> /* Helper */
> void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int);
> @@ -494,11 +495,11 @@ aes_xts_reinit(caddr_t key, u_int8_t *iv)
> blocknum >>= 8;
> }
> /* Last 64 bits of IV are always zero */
> bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
>
> - AES_Encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
> + rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
> }
>
> void
> aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
> {
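Review bot: The `rijndael_encrypt` call on `ctx->tweak` here, and the `rijndael_encrypt`/`rijndael_decrypt` calls in the following aes_xts_crypt hunk, move XTS onto the T-table code the description mentions, and nothing at the call sites records that trade-off. Table-driven AES indexes memory with key- and data-dependent values, so its timing can depend on cache state. Whether the replaced `AES_*` routines avoided that is not visible on this page, but the description presents the rollback as an interim measure. A comment at the struct or the first call would keep that visible, for example `/* XXX T-table AES for speed; lookups are secret-indexed, revisit once the AES_* path is fast enough */`. aes_xts_reinit begins outside this hunk.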
> @@ -507,13 +508,13 @@ aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data,
> u_int do_encrypt)
>
> for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
> block[i] = data[i] ^ ctx->tweak[i];
>
> if (do_encrypt)
> - AES_Encrypt(&ctx->key1, block, data);
> + rijndael_encrypt(&ctx->key1, block, data);
> else
> - AES_Decrypt(&ctx->key1, block, data);
> + rijndael_decrypt(&ctx->key1, block, data);
>
> for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
> data[i] ^= ctx->tweak[i];
>
> /* Exponentiate tweak */
> @@ -548,12 +549,12 @@ aes_xts_setkey(void *sched, u_int8_t *key, int len)
> if (len != 32 && len != 64)
> return -1;
>
> ctx = (struct aes_xts_ctx *)sched;
>
> - AES_Setkey(&ctx->key1, key, len / 2);
> - AES_Setkey(&ctx->key2, key + (len / 2), len / 2);
> + rijndael_set_key(&ctx->key1, key, len * 4);
> + rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
>
> return 0;
> }
>
> /*
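Review bot: The third argument changes meaning from bytes to bits in the two `rijndael_set_key` calls, and `len * 4` hides that: `len` is the byte length of both keys together, so each key is `(len / 2) * 8` bits. The arithmetic is right for the 32 and 64 accepted by the check above, but a comment such as `/* len covers both keys in bytes; rijndael_set_key takes bits per key */` would stop a later edit from "correcting" it. The return value of `rijndael_set_key` is also discarded; if it can report failure, `if (rijndael_set_key(&ctx->key1, key, len * 4) != 0) return -1;` would propagate it. aes_xts_setkey begins outside this hunk.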
>