Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3073474ybt; Mon, 29 Jun 2020 14:36:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzeovUCYAI8o5P+qsJZHHUoN4231OqKXjpkHPXmPPI/XjjX0n6zh1/BLqJv812L0hoea43p X-Received: by 2002:a17:906:c056:: with SMTP id bm22mr5904916ejb.444.1593466582201; Mon, 29 Jun 2020 14:36:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593466582; cv=none; d=google.com; s=arc-20160816; b=QxmmEsr0ZQH2boEm+pZy0QCY1tGwC4FUYnFgFjztlmv+4btRTOSLoabujpg5y7maBS x38rj0GnDmq+DonaoVOhYRKaRcwrFLdb732eGRGvGF0JC7G8WpGHyGYCnHMoH4+EISr7 ZIXorZR9vFLCWWmLyObRy4hCu061DS4e3LKdvHBZKuhz/3uewM5jvSYXavbwwCT68MEp 2AhU2Mu+2Yr4yaxfwgoXosSlGdsCIBCObTbtS9hCbhvGsyMkxstyL97LKFa/3DcLXkbE 3WM5u/TwpnD+DXrhc/xmTNB/xcXMbBWJJG41rrRULQ/2DgHBW38dKq6OZQvRa23moD6N /LeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=+drZt5baPbuRnr+zn8KD5orVu8hmouv5MX3ghVTOR/I=; b=bueG5SEZ7MTV7qlXmk9COOOe08CvQ0L84dLRt/gL41SE5cSGdgHH3d+BLhJhdN28/Q qNH+DMClclVP9snG2BeANWF+vR+VsPfqRvFpsEEp0Suk3Lm8fGVAHaFXWUhbMSQFEins PjTRdDK+e0/5psgtt2IlHp4NDzABRHmD39k1PWwaW+sdxEftHX73ozeo6SFU1SsTyTDx rvDTtPdAe/COaG4KGLDdb2d9raPkEHf6COWbaES90D+mMy9cRKzEASYDsyQwqPIAlAhd EKjxHg5UuNtIjNBsbhyFoct8nXpPSu90L9fjXCcZaIqzCxRfpVQEfTVJ8FZkcxeNvUer l2+Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n+KrZoCO; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f12si381743ejf.650.2020.06.29.14.35.58; Mon, 29 Jun 2020 14:36:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n+KrZoCO; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728553AbgF2VfU (ORCPT + 99 others); Mon, 29 Jun 2020 17:35:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:60654 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728540AbgF2Skv (ORCPT ); Mon, 29 Jun 2020 14:40:51 -0400 Received: from localhost.localdomain (82-64-249-211.subs.proxad.net [82.64.249.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F0E182332F; Mon, 29 Jun 2020 07:39:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593416383; bh=Su7HU4/4Njg23ZZQtRTkcf+M77/lB+jIRd2dvvCy4us=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n+KrZoCO4G6IqiPX5EXjHn7vte4GO25rf9XwqVXS8OocSqW+c8WR02lf/cl57ZVMp K5+xg59JUNi2xHNbSx+iuNF8TsYu6P4spme3FKP0hYZTjfO8QDA1d9jUoKN8/2SeYg FC7hWrIGWhfw6m0SUg6AaK8pbJWMKPQZANsZ/4xg= From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, Ard Biesheuvel Subject: [PATCH 2/5] crypto: arm64/gcm - disentangle ghash and gcm setkey() routines Date: Mon, 29 Jun 2020 09:39:22 +0200 Message-Id: <20200629073925.127538-3-ardb@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200629073925.127538-1-ardb@kernel.org> References: <20200629073925.127538-1-ardb@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The remaining ghash implementation does not support aggregation, and so there is no point in including the precomputed powers of H in the key struct. So move that into the GCM setkey routine, and get rid of the shared sub-routine entirely. Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/ghash-ce-glue.c | 47 +++++++++----------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c index be63d8b5152c..921fa69b5ded 100644 --- a/arch/arm64/crypto/ghash-ce-glue.c +++ b/arch/arm64/crypto/ghash-ce-glue.c @@ -184,29 +184,6 @@ static void ghash_reflect(u64 h[], const be128 *k) h[1] ^= 0xc200000000000000UL; } -static int __ghash_setkey(struct ghash_key *key, - const u8 *inkey, unsigned int keylen) -{ - be128 h; - - /* needed for the fallback */ - memcpy(&key->k, inkey, GHASH_BLOCK_SIZE); - - ghash_reflect(key->h, &key->k); - - h = key->k; - gf128mul_lle(&h, &key->k); - ghash_reflect(key->h2, &h); - - gf128mul_lle(&h, &key->k); - ghash_reflect(key->h3, &h); - - gf128mul_lle(&h, &key->k); - ghash_reflect(key->h4, &h); - - return 0; -} - static int ghash_setkey(struct crypto_shash *tfm, const u8 *inkey, unsigned int keylen) { @@ -215,7 +192,11 @@ static int ghash_setkey(struct crypto_shash *tfm, if (keylen != GHASH_BLOCK_SIZE) return -EINVAL; - return __ghash_setkey(key, inkey, keylen); + /* needed for the fallback */ + memcpy(&key->k, inkey, GHASH_BLOCK_SIZE); + + ghash_reflect(key->h, &key->k); + return 0; } static struct shash_alg ghash_alg = { @@ -251,6 +232,7 @@ static int gcm_setkey(struct crypto_aead *tfm, const u8 *inkey, { struct gcm_aes_ctx *ctx = crypto_aead_ctx(tfm); u8 key[GHASH_BLOCK_SIZE]; + be128 h; int ret; ret = aes_expandkey(&ctx->aes_key, inkey, keylen); @@ -259,7 +241,22 @@ static int gcm_setkey(struct crypto_aead *tfm, const u8 *inkey, aes_encrypt(&ctx->aes_key, key, (u8[AES_BLOCK_SIZE]){}); - return __ghash_setkey(&ctx->ghash_key, key, sizeof(be128)); + /* needed for the fallback */ + memcpy(&ctx->ghash_key.k, key, GHASH_BLOCK_SIZE); + + ghash_reflect(ctx->ghash_key.h, &ctx->ghash_key.k); + + h = ctx->ghash_key.k; + gf128mul_lle(&h, &ctx->ghash_key.k); + ghash_reflect(ctx->ghash_key.h2, &h); + + gf128mul_lle(&h, &ctx->ghash_key.k); + ghash_reflect(ctx->ghash_key.h3, &h); + + gf128mul_lle(&h, &ctx->ghash_key.k); + ghash_reflect(ctx->ghash_key.h4, &h); + + return 0; } static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) -- 2.20.1