From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: x86@kernel.org Subject: [PATCH] crypto: x86/aes-gcm - simplify GCM hash subkey derivation Date: Fri, 19 Apr 2024 23:00:37 -0700 Message-ID: <20240420060037.26014-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Eric Biggers Remove a redundant expansion of the AES key, and utilize the zero page. Also rename rfc4106_set_hash_subkey() to aes_gcm_derive_hash_subkey() because it's used for both versions of AES-GCM, not just RFC4106. Signed-off-by: Eric Biggers --- arch/x86/crypto/aesni-intel_glue.c | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c index 110b3282a1f2..b4058c3d410d 100644 --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -38,11 +38,10 @@ #define AESNI_ALIGN 16 #define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN))) #define AES_BLOCK_MASK (~(AES_BLOCK_SIZE - 1)) -#define RFC4106_HASH_SUBKEY_SIZE 16 #define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1)) #define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA) #define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA) /* This data is stored at the end of the crypto_tfm struct. 
@@ -588,27 +587,14 @@ static int xctr_crypt(struct skcipher_request *req) err = skcipher_walk_done(&walk, nbytes); } return err; } -static int -rfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len) +static int aes_gcm_derive_hash_subkey(const struct crypto_aes_ctx *aes_key, + u8 hash_subkey[AES_BLOCK_SIZE]) { - struct crypto_aes_ctx ctx; - int ret; - - ret = aes_expandkey(&ctx, key, key_len); - if (ret) - return ret; - - /* Clear the data in the hash sub key container to zero.*/ - /* We want to cipher all zeros to create the hash sub key. */ - memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE); - - aes_encrypt(&ctx, hash_subkey, hash_subkey); - - memzero_explicit(&ctx, sizeof(ctx)); + aes_encrypt(aes_key, hash_subkey, page_address(ZERO_PAGE(0))); return 0; } static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key, unsigned int key_len) @@ -622,11 +608,12 @@ static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key, key_len -= 4; memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce)); return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: - rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); + aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded, + ctx->hash_subkey); } /* This is the Integrity Check Value (aka the authentication tag) length and can * be 8, 12 or 16 bytes long. */ static int common_rfc4106_set_authsize(struct crypto_aead *aead, @@ -1328,11 +1315,12 @@ static int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key, unsigned int key_len) { struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead); return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: - rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); + aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded, + ctx->hash_subkey); } static int generic_gcmaes_encrypt(struct aead_request *req) { struct crypto_aead *tfm = crypto_aead_reqtfm(req); base-commit: 543ea178fbfadeaf79e15766ac989f3351349f02 -- 2.44.0
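Review bot: in the @@ -38,11 +38,10 @@ hunk, dropping RFC4106_HASH_SUBKEY_SIZE is only safe if the memset() deleted in the following hunk was its last user; the hash_subkey[] fields of the rfc4106 and generic_gcmaes contexts are not shown in this diff, so please confirm they are declared with AES_BLOCK_SIZE (or a literal 16) rather than the removed macro, since the new prototype `u8 hash_subkey[AES_BLOCK_SIZE]` now documents that size and a mismatch would not be caught by the compiler.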
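Review bot: in the @@ -588,27 +587,14 @@ hunk, `aes_encrypt(aes_key, hash_subkey, page_address(ZERO_PAGE(0)));` reaches into the MM layer for a 16-byte all-zero input; a `static const u8 zeroes[AES_BLOCK_SIZE];` local to aes_gcm_derive_hash_subkey() gives the same input without depending on ZERO_PAGE() and page_address(), and reads more obviously as the GCM definition H = E_K(0^128). Separately, the function can no longer fail, so the `int` return type and `return 0;` survive only to keep the `?:` chaining in the two callers; either make it void and restructure the callers, or say in a one-line comment why it still returns int. Dropping the memzero_explicit() is correct: the expanded key now lives in the caller's context instead of a stack temporary, so there is no extra copy left to wipe.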
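Review bot: in the @@ -622,11 +608,12 @@ hunk, the subkey is now computed from ctx->aes_key_expanded as filled in by aes_set_key_common() and fed to the generic aes_encrypt(), whereas the old code ran its own aes_expandkey() on the raw key; the commit message calls that expansion redundant, but should state explicitly that the expanded key aes_set_key_common() stores in the context has the same key_enc layout as the aes_expandkey() result the old code used, because that equivalence is the whole justification for removing the second expansion. The `?:` ordering correctly keeps aes_gcm_derive_hash_subkey() from running on a failed key expansion, so no uninitialised key material is ever encrypted.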
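Review bot: the @@ -1328,11 +1315,12 @@ hunk repeats the `aes_set_key_common(...) ?: aes_gcm_derive_hash_subkey(...)` sequence from common_rfc4106_set_key() verbatim; since both callers need exactly the same two steps on a crypto_aes_ctx plus a hash_subkey[] buffer, a single helper taking (&ctx->aes_key_expanded, ctx->hash_subkey, key, key_len) would remove the duplication and keep the rfc4106 and plain gcm(aes) key-setup paths from drifting apart. Not a blocker; the rename to aes_gcm_derive_hash_subkey() is justified precisely because this non-RFC4106 caller exists.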