From 2fd1bb8f02c711e047889e10177d7360d256204c Mon Sep 17 00:00:00 2001 From: Jussi Kivilinna Date: Thu, 12 Nov 2015 16:38:31 +0200 Subject: [PATCH 01/10] Add option to use smaller AES tables (table sizes reduced by 6144 bytes) This patch adds MBEDTLS_AES_SMALL_TABLES option to reduce number of AES look-up tables and thus save 6 KiB of memory. Enabling this option cause performance hit MBEDTLS_AES_SMALL_TABLES of ~7% on ARM and ~15% on x86-64. Benchmark on Cortex-A7 (armhf): Before: AES-CBC-128 : 14394 Kb/s, 0 cycles/byte AES-CBC-192 : 12442 Kb/s, 0 cycles/byte AES-CBC-256 : 10958 Kb/s, 0 cycles/byte After: AES-CBC-128 : 13342 Kb/s, 0 cycles/byte AES-CBC-192 : 11469 Kb/s, 0 cycles/byte AES-CBC-256 : 10058 Kb/s, 0 cycles/byte Benchmark on Intel Core i5-4570 (x86_64, 3.2 Ghz, no turbo): Before: AES-CBC-128 : 215759 Kb/s, 14 cycles/byte AES-CBC-192 : 190884 Kb/s, 16 cycles/byte AES-CBC-256 : 171536 Kb/s, 18 cycles/byte After: AES-CBC-128 : 185108 Kb/s, 16 cycles/byte AES-CBC-192 : 162839 Kb/s, 19 cycles/byte AES-CBC-256 : 144700 Kb/s, 21 cycles/byte --- include/mbedtls/config.h | 9 +++ library/aes.c | 140 +++++++++++++++++++++++++------------ library/version_features.c | 3 + 3 files changed, 106 insertions(+), 46 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index c4b8995c1..44def95b8 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -387,6 +387,15 @@ */ //#define MBEDTLS_AES_ROM_TABLES +/** + * \def MBEDTLS_AES_SMALL_TABLES + * + * Use less ROM/RAM for the AES implementation (saves about 6144 bytes). + * + * Uncomment this macro to use less memory for AES. + */ +//#define MBEDTLS_AES_SMALL_TABLES + /** * \def MBEDTLS_CAMELLIA_SMALL_MEMORY * diff --git a/library/aes.c b/library/aes.c index 5e01c4f2b..aabacf9f8 100644 --- a/library/aes.c +++ b/library/aes.c 
@@ -201,6 +201,8 @@ static const unsigned char FSb[256] = static const uint32_t FT0[256] = { FT }; #undef V +#ifndef MBEDTLS_AES_SMALL_TABLES + #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t FT1[256] = { FT }; #undef V @@ -213,6 +215,8 @@ static const uint32_t FT2[256] = { FT }; static const uint32_t FT3[256] = { FT }; #undef V +#endif /* !MBEDTLS_AES_SMALL_TABLES */ + #undef FT /* @@ -328,6 +332,8 @@ static const unsigned char RSb[256] = static const uint32_t RT0[256] = { RT }; #undef V +#ifndef MBEDTLS_AES_SMALL_TABLES + #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t RT1[256] = { RT }; #undef V @@ -340,6 +346,8 @@ static const uint32_t RT2[256] = { RT }; static const uint32_t RT3[256] = { RT }; #undef V +#endif /* !MBEDTLS_AES_SMALL_TABLES */ + #undef RT /* @@ -359,18 +367,22 @@ static const uint32_t RCON[10] = */ static unsigned char FSb[256]; static uint32_t FT0[256]; +#ifndef MBEDTLS_AES_SMALL_TABLES static uint32_t FT1[256]; static uint32_t FT2[256]; static uint32_t FT3[256]; +#endif /* !MBEDTLS_AES_SMALL_TABLES */ /* * Reverse S-box & tables */ static unsigned char RSb[256]; static uint32_t RT0[256]; +#ifndef MBEDTLS_AES_SMALL_TABLES static uint32_t RT1[256]; static uint32_t RT2[256]; static uint32_t RT3[256]; +#endif /* !MBEDTLS_AES_SMALL_TABLES */ /* * Round constants @@ -445,9 +457,11 @@ static void aes_gen_tables( void ) ( (uint32_t) x << 16 ) ^ ( (uint32_t) z << 24 ); +#ifndef MBEDTLS_AES_SMALL_TABLES FT1[i] = ROTL8( FT0[i] ); FT2[i] = ROTL8( FT1[i] ); FT3[i] = ROTL8( FT2[i] ); +#endif /* !MBEDTLS_AES_SMALL_TABLES */ x = RSb[i]; 
@@ -456,14 +470,48 @@ static void aes_gen_tables( void ) ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ ( (uint32_t) MUL( 0x0B, x ) << 24 ); +#ifndef MBEDTLS_AES_SMALL_TABLES RT1[i] = ROTL8( RT0[i] ); RT2[i] = ROTL8( RT1[i] ); RT3[i] = ROTL8( RT2[i] ); +#endif /* !MBEDTLS_AES_SMALL_TABLES */ } } +#undef ROTL8 + #endif /* MBEDTLS_AES_ROM_TABLES */ +#ifdef MBEDTLS_AES_SMALL_TABLES + +#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) +#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) +#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) + +#define AES_RT0(idx) RT0[idx] +#define AES_RT1(idx) ROTL8( RT0[idx] ) +#define AES_RT2(idx) ROTL16( RT0[idx] ) +#define AES_RT3(idx) ROTL24( RT0[idx] ) + +#define AES_FT0(idx) FT0[idx] +#define AES_FT1(idx) ROTL8( FT0[idx] ) +#define AES_FT2(idx) ROTL16( FT0[idx] ) +#define AES_FT3(idx) ROTL24( FT0[idx] ) + +#else /* MBEDTLS_AES_SMALL_TABLES */ + +#define AES_RT0(idx) RT0[idx] +#define AES_RT1(idx) RT1[idx] +#define AES_RT2(idx) RT2[idx] +#define AES_RT3(idx) RT3[idx] + +#define AES_FT0(idx) FT0[idx] +#define AES_FT1(idx) FT1[idx] +#define AES_FT2(idx) FT2[idx] +#define AES_FT3(idx) FT3[idx] + +#endif /* MBEDTLS_AES_SMALL_TABLES */ + void mbedtls_aes_init( mbedtls_aes_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_aes_context ) ); @@ -641,10 +689,10 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, { for( j = 0; j < 4; j++, SK++ ) { - *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^ - RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^ - RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^ - RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ]; + *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ + AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ + AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ + AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); } } 
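Review bot: In the MBEDTLS_AES_SMALL_TABLES branch, AES_FT1..AES_FT3 and AES_RT1..AES_RT3 expand to `ROTL8( FT0[idx] )` whose body names `( x )` twice, so every index expression handed to these macros is evaluated twice and must stay side-effect free; the definitions deserve a comment saying so, e.g. `/* idx is evaluated twice: pass side-effect free expressions only */`. The rotate macros join the two shifted halves with `+`; the halves cannot overlap only because both operands are first cast to uint32_t, whereas `|` states the intent without depending on that, e.g. `#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) | (uint32_t)( ( x ) >> 24 ) )`. The file now carries two differing ROTL8 definitions, the earlier one (implied by the newly added `#undef ROTL8` after aes_gen_tables) and this one under the option; defining ROTL8/ROTL16/ROTL24 once above the MBEDTLS_AES_ROM_TABLES conditional and using them in aes_gen_tables as well would drop the `#undef` and the risk of the two drifting apart. aes_gen_tables' body starts outside this hunk.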
@@ -660,50 +708,50 @@ exit: } #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ -#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ -{ \ - X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \ - FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \ - FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \ - FT3[ ( Y3 >> 24 ) & 0xFF ]; \ - \ - X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \ - FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \ - FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \ - FT3[ ( Y0 >> 24 ) & 0xFF ]; \ - \ - X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \ - FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \ - FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \ - FT3[ ( Y1 >> 24 ) & 0xFF ]; \ - \ - X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \ - FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \ - FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \ - FT3[ ( Y2 >> 24 ) & 0xFF ]; \ +#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ +{ \ + X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \ + AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \ + AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \ + AES_FT3( ( Y3 >> 24 ) & 0xFF ); \ + \ + X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \ + AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \ + AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \ + AES_FT3( ( Y0 >> 24 ) & 0xFF ); \ + \ + X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \ + AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \ + AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \ + AES_FT3( ( Y1 >> 24 ) & 0xFF ); \ + \ + X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \ + AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \ + AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \ + AES_FT3( ( Y2 >> 24 ) & 0xFF ); \ } -#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ -{ \ - X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \ - RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \ - RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \ - RT3[ ( Y1 >> 24 ) & 0xFF ]; \ - \ - X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \ - RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \ - RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \ - RT3[ ( Y2 >> 24 ) & 0xFF ]; \ - \ - X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \ - RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \ - RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \ - RT3[ ( Y3 >> 24 ) & 0xFF ]; \ - \ - X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \ - RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \ - RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \ - RT3[ ( Y0 >> 24 ) & 0xFF ]; \ +#define 
AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ +{ \ + X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \ + AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \ + AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \ + AES_RT3( ( Y1 >> 24 ) & 0xFF ); \ + \ + X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \ + AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \ + AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \ + AES_RT3( ( Y2 >> 24 ) & 0xFF ); \ + \ + X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \ + AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \ + AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \ + AES_RT3( ( Y3 >> 24 ) & 0xFF ); \ + \ + X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \ + AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \ + AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \ + AES_RT3( ( Y0 >> 24 ) & 0xFF ); \ } /* diff --git a/library/version_features.c b/library/version_features.c index 9f97c7bc3..2b651996c 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -198,6 +198,9 @@ static const char *features[] = { #if defined(MBEDTLS_AES_ROM_TABLES) "MBEDTLS_AES_ROM_TABLES", #endif /* MBEDTLS_AES_ROM_TABLES */ +#if defined(MBEDTLS_AES_SMALL_TABLES) + "MBEDTLS_AES_SMALL_TABLES", +#endif /* MBEDTLS_AES_SMALL_TABLES */ #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) "MBEDTLS_CAMELLIA_SMALL_MEMORY", #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ From 177d3cf7bbc60e3576387fcc7563a465c7fb086e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 7 Jun 2017 15:52:48 +0100 Subject: [PATCH 02/10] Rename and document new configuration option for packing AES tables This commit renames the new AES table packing option introduced in the previous MBEDTLS_AES_PACK_TABLES and documents its use and memory vs. speed tradeoff. It also enhances the documentation of the other AES-related option MBEDTLS_AES_ROM_TABLES. --- include/mbedtls/config.h | 33 +++++++++++++++++++++++++++------ library/aes.c | 30 +++++++++++++++--------------- library/version_features.c | 6 +++--- 3 files changed, 45 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 44def95b8..37a9d079a 100644 
--- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -381,20 +381,41 @@ /** * \def MBEDTLS_AES_ROM_TABLES * - * Store the AES tables in ROM. + * Use precomputed AES tables stored in ROM. + * + * Uncomment this macro to use precomputed AES tables stored in ROM. + * Comment this macro to generate AES tables in RAM at runtime. + * + * Tradeoff: Using precomputed ROM tables reduces the time to setup + * an AES context but comes at the cost of additional 8192b ROM use + * (resp. 2048b if \c MBEDTLS_AES_FEWER_TABLES below is used). + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. * - * Uncomment this macro to store the AES tables in ROM. */ //#define MBEDTLS_AES_ROM_TABLES /** - * \def MBEDTLS_AES_SMALL_TABLES + * \def MBEDTLS_AES_FEWER_TABLES * - * Use less ROM/RAM for the AES implementation (saves about 6144 bytes). + * Use less ROM/RAM for AES tables. + * + * Uncommenting this macro omits 75% of the AES tables from + * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) + * by computing their values on the fly during operations + * (the tables are entry-wise rotations of one another). + * + * Tradeoff: Uncommenting this reduces the RAM / ROM footprint + * by 6144b but at the cost of more arithmetic operations during + * runtime. Specifically, one has to compare 4 accesses within + * different tables to 4 accesses with additional arithmetic + * operations within the same table. The performance gain/loss + * depends on the system and memory details. + * + * This option is independent of \c MBEDTLS_AES_ROM_TABLES. * - * Uncomment this macro to use less memory for AES. */ -//#define MBEDTLS_AES_SMALL_TABLES +//#define MBEDTLS_AES_FEWER_TABLES /** * \def MBEDTLS_CAMELLIA_SMALL_MEMORY diff --git a/library/aes.c b/library/aes.c index aabacf9f8..de43306a2 100644 --- a/library/aes.c +++ b/library/aes.c 
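Review bot: The new MBEDTLS_AES_FEWER_TABLES text says the performance gain/loss "depends on the system and memory details", but the first commit of this series measured a loss on both platforms it benchmarked (~7% on a Cortex-A7, ~15% on an x86-64 core); quoting those figures gives integrators a concrete expectation instead of an open question. One further sentence is worth adding: the option changes how much table memory is used, not how it is indexed — the lookups in aes.c remain indexed by key- and state-derived bytes — so readers should not take "fewer tables" for a constant-time or cache-timing-hardened variant; suggested wording: `This option does not change the secret-dependent memory access pattern of the table-based implementation.` The sentence "one has to compare 4 accesses within different tables to 4 accesses with additional arithmetic operations within the same table" would read more plainly as `per column, 4 loads from 4 tables become 4 loads from one table plus 3 rotations`, which is what the AES_FT1..3/AES_RT1..3 macros in aes.c do.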
@@ -201,7 +201,7 @@ static const unsigned char FSb[256] = static const uint32_t FT0[256] = { FT }; #undef V -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t FT1[256] = { FT }; @@ -215,7 +215,7 @@ static const uint32_t FT2[256] = { FT }; static const uint32_t FT3[256] = { FT }; #undef V -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ #undef FT @@ -332,7 +332,7 @@ static const unsigned char RSb[256] = static const uint32_t RT0[256] = { RT }; #undef V -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t RT1[256] = { RT }; @@ -346,7 +346,7 @@ static const uint32_t RT2[256] = { RT }; static const uint32_t RT3[256] = { RT }; #undef V -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ #undef RT @@ -367,22 +367,22 @@ static const uint32_t RCON[10] = */ static unsigned char FSb[256]; static uint32_t FT0[256]; -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES static uint32_t FT1[256]; static uint32_t FT2[256]; static uint32_t FT3[256]; -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ /* * Reverse S-box & tables */ static unsigned char RSb[256]; static uint32_t RT0[256]; -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES static uint32_t RT1[256]; static uint32_t RT2[256]; static uint32_t RT3[256]; -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ /* * Round constants @@ -457,11 +457,11 @@ static void aes_gen_tables( void ) ( (uint32_t) x << 16 ) ^ ( (uint32_t) z << 24 ); -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES FT1[i] = ROTL8( FT0[i] ); FT2[i] = ROTL8( FT1[i] ); FT3[i] = ROTL8( FT2[i] ); -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ x = RSb[i]; 
@@ -470,11 +470,11 @@ static void aes_gen_tables( void ) ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ ( (uint32_t) MUL( 0x0B, x ) << 24 ); -#ifndef MBEDTLS_AES_SMALL_TABLES +#ifndef MBEDTLS_AES_FEWER_TABLES RT1[i] = ROTL8( RT0[i] ); RT2[i] = ROTL8( RT1[i] ); RT3[i] = ROTL8( RT2[i] ); -#endif /* !MBEDTLS_AES_SMALL_TABLES */ +#endif /* !MBEDTLS_AES_FEWER_TABLES */ } } @@ -482,7 +482,7 @@ static void aes_gen_tables( void ) #endif /* MBEDTLS_AES_ROM_TABLES */ -#ifdef MBEDTLS_AES_SMALL_TABLES +#ifdef MBEDTLS_AES_FEWER_TABLES #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) @@ -498,7 +498,7 @@ static void aes_gen_tables( void ) #define AES_FT2(idx) ROTL16( FT0[idx] ) #define AES_FT3(idx) ROTL24( FT0[idx] ) -#else /* MBEDTLS_AES_SMALL_TABLES */ +#else /* MBEDTLS_AES_FEWER_TABLES */ #define AES_RT0(idx) RT0[idx] #define AES_RT1(idx) RT1[idx] @@ -510,7 +510,7 @@ static void aes_gen_tables( void ) #define AES_FT2(idx) FT2[idx] #define AES_FT3(idx) FT3[idx] -#endif /* MBEDTLS_AES_SMALL_TABLES */ +#endif /* MBEDTLS_AES_FEWER_TABLES */ void mbedtls_aes_init( mbedtls_aes_context *ctx ) { diff --git a/library/version_features.c b/library/version_features.c index 2b651996c..549f40d46 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -198,9 +198,9 @@ static const char *features[] = { #if defined(MBEDTLS_AES_ROM_TABLES) "MBEDTLS_AES_ROM_TABLES", #endif /* MBEDTLS_AES_ROM_TABLES */ -#if defined(MBEDTLS_AES_SMALL_TABLES) - "MBEDTLS_AES_SMALL_TABLES", -#endif /* MBEDTLS_AES_SMALL_TABLES */ +#if defined(MBEDTLS_AES_FEWER_TABLES) + "MBEDTLS_AES_FEWER_TABLES", +#endif /* MBEDTLS_AES_FEWER_TABLES */ #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY) "MBEDTLS_CAMELLIA_SMALL_MEMORY", #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */ From 371f31c281fd986c33defafa4a99e08bd793728a Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 7 Jun 2017 15:56:54 +0100 Subject: [PATCH 03/10] Adapt ChangeLog --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 1b6a3542d..1d0a90d65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,11 @@ Bugfix * In SSLv3, if refusing a renegotiation attempt, don't process any further data. +Features + * Add option MBEDTLS_AES_FEWER_TABLES to dynamically compute 3/4 of the AES tables + during runtime, thereby reducing the RAM/ROM footprint by 6144 bytes. Suggested + and contributed by jkivilin in #394. + Changes * Send fatal alerts in many more cases instead of dropping the connection. From ad049a973c4b55eb4284d6b71f7dbcce01fbfa4d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 19 Jun 2017 16:31:54 +0100 Subject: [PATCH 04/10] Replace #if(n)def by #if (!)defined --- library/aes.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/library/aes.c b/library/aes.c index de43306a2..6ed0956bf 100644 --- a/library/aes.c +++ b/library/aes.c @@ -201,7 +201,7 @@ static const unsigned char FSb[256] = static const uint32_t FT0[256] = { FT }; #undef V -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t FT1[256] = { FT }; @@ -332,7 +332,7 @@ static const unsigned char RSb[256] = static const uint32_t RT0[256] = { RT }; #undef V -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) #define V(a,b,c,d) 0x##b##c##d##a static const uint32_t RT1[256] = { RT }; @@ -367,7 +367,7 @@ static const uint32_t RCON[10] = */ static unsigned char FSb[256]; static uint32_t FT0[256]; -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) static uint32_t FT1[256]; static uint32_t FT2[256]; static uint32_t FT3[256]; 
@@ -378,7 +378,7 @@ static uint32_t FT3[256]; */ static unsigned char RSb[256]; static uint32_t RT0[256]; -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) static uint32_t RT1[256]; static uint32_t RT2[256]; static uint32_t RT3[256]; @@ -457,7 +457,7 @@ static void aes_gen_tables( void ) ( (uint32_t) x << 16 ) ^ ( (uint32_t) z << 24 ); -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) FT1[i] = ROTL8( FT0[i] ); FT2[i] = ROTL8( FT1[i] ); FT3[i] = ROTL8( FT2[i] ); @@ -470,7 +470,7 @@ static void aes_gen_tables( void ) ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ ( (uint32_t) MUL( 0x0B, x ) << 24 ); -#ifndef MBEDTLS_AES_FEWER_TABLES +#if !defined(MBEDTLS_AES_FEWER_TABLES) RT1[i] = ROTL8( RT0[i] ); RT2[i] = ROTL8( RT1[i] ); RT3[i] = ROTL8( RT2[i] ); @@ -482,7 +482,7 @@ static void aes_gen_tables( void ) #endif /* MBEDTLS_AES_ROM_TABLES */ -#ifdef MBEDTLS_AES_FEWER_TABLES +#if defined(MBEDTLS_AES_FEWER_TABLES) #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) From 08a5c187730c733485931ac2bb0c9ab245667378 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 19 Jun 2017 16:33:58 +0100 Subject: [PATCH 05/10] Be less specific about memory usage predictions --- ChangeLog | 2 +- include/mbedtls/config.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1d0a90d65..da5c64e97 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,7 +20,7 @@ Bugfix Features * Add option MBEDTLS_AES_FEWER_TABLES to dynamically compute 3/4 of the AES tables - during runtime, thereby reducing the RAM/ROM footprint by 6144 bytes. Suggested + during runtime, thereby reducing the RAM/ROM footprint by ~6kb. Suggested and contributed by jkivilin in #394. Changes diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 37a9d079a..94e3efbc0 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -387,8 +387,8 @@ * Comment this macro to generate AES tables in RAM at runtime. * * Tradeoff: Using precomputed ROM tables reduces the time to setup - * an AES context but comes at the cost of additional 8192b ROM use - * (resp. 2048b if \c MBEDTLS_AES_FEWER_TABLES below is used). + * an AES context but comes at the cost of additional ~8kb ROM use + * (resp. ~2kb if \c MBEDTLS_AES_FEWER_TABLES below is used). * * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. * @@ -406,7 +406,7 @@ * (the tables are entry-wise rotations of one another). * * Tradeoff: Uncommenting this reduces the RAM / ROM footprint - * by 6144b but at the cost of more arithmetic operations during + * by ~6kb but at the cost of more arithmetic operations during * runtime. Specifically, one has to compare 4 accesses within * different tables to 4 accesses with additional arithmetic * operations within the same table. The performance gain/loss From 83ebf78404e49324ce3802c2e4f3184386f1920f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Jul 2017 12:29:15 +0100 Subject: [PATCH 06/10] Add test for AES_ROM_TABLES and AES_FEWER_TABLES to all.sh --- tests/scripts/all.sh | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7c33c5c2c..49b1653bd 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
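Review bot: The replacement figures are written as `~8kb`, `~2kb` and `~6kb`, and a lowercase b conventionally denotes bits, while these tables are byte-sized (the replaced text's `8192b`/`2048b` had the same problem, and the series' first commit message and the ChangeLog say 6144 bytes); `~8 KiB`, `~2 KiB` and `~6 KiB` (or kB) would avoid an eightfold misreading. The same spelling is carried into this commit's ChangeLog hunk and into the later MBEDTLS_AES_ROM_TABLES documentation hunks (patches 08 and 10), which should be changed together.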
@@ -428,6 +428,40 @@ make msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)" make test +msg "build: default config with AES_FEWER_TABLES enabled" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl set MBEDTLS_AES_FEWER_TABLES +CC=gcc CFLAGS='-Werror -Wall -Wextra' make + +msg "test: AES_FEWER_TABLES" +make test + +msg "build: default config with AES_ROM_TABLES enabled" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl set MBEDTLS_AES_ROM_TABLES +CC=gcc CFLAGS='-Werror -Wall -Wextra' make + +msg "test: AES_ROM_TABLES" +make test + +msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl set MBEDTLS_AES_FEWER_TABLES +scripts/config.pl set MBEDTLS_AES_ROM_TABLES +CC=gcc CFLAGS='-Werror -Wall -Wextra' make + +msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" +make test + +if uname -a | grep -F Linux >/dev/null; then +msg "build/test: make shared" # ~ 40s +cleanup +make SHARED=1 all check +fi + if uname -a | grep -F Linux >/dev/null; then msg "build/test: make shared" # ~ 40s cleanup @@ -572,4 +606,3 @@ rm -rf "$OUT_OF_SOURCE_DIR" msg "Done, cleaning up" cleanup - From 783cb06e051b2d3f992147b1fbc8d103cbb80286 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 27 Mar 2018 16:49:04 +0100 Subject: [PATCH 07/10] Remove duplicate test in all.sh --- tests/scripts/all.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 49b1653bd..d0dc8d67c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -462,12 +462,6 @@ cleanup make SHARED=1 all check fi -if uname -a | grep -F Linux >/dev/null; then -msg "build/test: make shared" # ~ 40s -cleanup -make SHARED=1 all check -fi - if uname -a | grep -F x86_64 >/dev/null; then msg "build: i386, make, gcc" # ~ 30s cleanup From 4c1dc3c2a4144696752091116c86279e24f148dd Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Tue, 27 Mar 2018 16:52:03 +0100 Subject: [PATCH 08/10] Improve documentation of MBEDTLS_AES_ROM_TABLES --- include/mbedtls/config.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 94e3efbc0..65d6ba8a2 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -386,9 +386,10 @@ * Uncomment this macro to use precomputed AES tables stored in ROM. * Comment this macro to generate AES tables in RAM at runtime. * - * Tradeoff: Using precomputed ROM tables reduces the time to setup - * an AES context but comes at the cost of additional ~8kb ROM use - * (resp. ~2kb if \c MBEDTLS_AES_FEWER_TABLES below is used). + * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb + * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the + * the time to setup an AES context. It comes at the cost of additional + * ~8kb ROM use (resp. ~2kb if \c MBEDTLS_AES_FEWER_TABLES below is used). * * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. * From 98a678674bb8e922de057c3652f2173ca0372605 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 27 Mar 2018 17:10:09 +0100 Subject: [PATCH 09/10] Adapt changes to all.sh to work with --keep-going mode --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d0dc8d67c..3441ae048 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -432,7 +432,7 @@ msg "build: default config with AES_FEWER_TABLES enabled" cleanup cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl set MBEDTLS_AES_FEWER_TABLES -CC=gcc CFLAGS='-Werror -Wall -Wextra' make +make CC=gcc CFLAGS='-Werror -Wall -Wextra' msg "test: AES_FEWER_TABLES" make test 
@@ -441,7 +441,7 @@ msg "build: default config with AES_ROM_TABLES enabled" cleanup cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl set MBEDTLS_AES_ROM_TABLES -CC=gcc CFLAGS='-Werror -Wall -Wextra' make +make CC=gcc CFLAGS='-Werror -Wall -Wextra' msg "test: AES_ROM_TABLES" make test @@ -451,7 +451,7 @@ cleanup cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl set MBEDTLS_AES_FEWER_TABLES scripts/config.pl set MBEDTLS_AES_ROM_TABLES -CC=gcc CFLAGS='-Werror -Wall -Wextra' make +make CC=gcc CFLAGS='-Werror -Wall -Wextra' msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" make test From 6a92ce6fd96a97f53483d48a7a475952d203a1f1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 28 Mar 2018 11:42:05 +0100 Subject: [PATCH 10/10] Improve documentation of MBEDTLS_AES_FEWER_TABLES in config.h --- include/mbedtls/config.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 65d6ba8a2..d453f25e6 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -388,8 +388,10 @@ * * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the - * the time to setup an AES context. It comes at the cost of additional - * ~8kb ROM use (resp. ~2kb if \c MBEDTLS_AES_FEWER_TABLES below is used). + * initialization time before the first AES operation can be performed. + * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c + * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded + * performance if ROM access is slower than RAM access. * * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. *