Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp1360072lqt; Sat, 20 Apr 2024 11:21:15 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWwXR+UuzZSZRCQmD1JkE0UZeWQri8CXfOJpZ7k9NnSwFKKNtZ9fb69H2dH8Irc4iIPJDr/Q7fe2gF+b4kw4KwieS3hLMYSphaoYjzcjA== X-Google-Smtp-Source: AGHT+IFOeVVVrQCCr/jVyRhkRl4GVomcjJpFkWJJgejfpzMeYbEEV7ujHVi0SpR4BqWJQKw2oYWU X-Received: by 2002:a05:6830:447:b0:6eb:7b6f:150d with SMTP id d7-20020a056830044700b006eb7b6f150dmr6725383otc.8.1713637275149; Sat, 20 Apr 2024 11:21:15 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713637275; cv=pass; d=google.com; s=arc-20160816; b=efXyzXl7MJPXZ7TKnUlNbhhZHYHaJNW7QSyLY7k2edRki6rVF9aBb6xDnfHzJwDbkR xWFp/YhIiYFQpDHq8rp8PVoQ4Zw3URrZwiO69Bfw6O4JysWHsNQVM++A7T3nbIhBF992 4MG/C711cp9YdL++Rx5R3qROeWXRwFjY7tTze5fD+E3l0WXmOxQpjw5H73iKgtCrzvMo hoiw1zH+rzGPWkn0K1INOVlRnRoMbI+sr/mcYg+d6uqLE3XuL6stLJub0oWM9n/HaerL NVPLCRxHTfdAm1v8aVu/lONHdhcNEW7UBqYLOybQq3qmMDEhPkZtddMx+x+XhQSqNUw5 rDqQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=VI5qUqWP7UMPdF+c7l5PbyfYQOcvvLtnTXwoN0vI3r4=; fh=Lug2gC1H4H+8fcBw+nZBVEmAqkXnHiXUuu9mnC9ge+k=; b=m6LEz0Gm0ktwbRGw8rseXUxjjR64S5Ylrj1uU+ptlqFY2IeqHS06Z4zUqTwob7tvSj 0pq9Y+a5tyOw8z2mOgTnW2Z5/jKBemI+Q4WWgchCQuCgoDDcbTCGjqSEOako5FJEddo+ fSnUG4rz6dyr05WA2NYrk9cDQW5XnPYhko+3OAZU2N5ROSgmalfhUzsjbPrsGzRxG5lC Lwq7l0nPtTZa05By+fuD7a6ueXye4UR3M3xlPo3SXQ/ZGXqPPWv4RwI47bORFCtMdF8Y /t4/3EveEk9A1cUBForqz2wZdNT85LV4dJ6r5immAIR2vjy7LyOs15o5SS4fuPF3fHBT QFPg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Kpl51H7X; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3732-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id t30-20020a05620a035e00b0078d632ee280si6617002qkm.673.2024.04.20.11.21.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 20 Apr 2024 11:21:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto+bounces-3732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Kpl51H7X; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-crypto+bounces-3732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-3732-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id C19D21C20A1D for ; Sat, 20 Apr 2024 18:21:14 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A6C103B185; Sat, 20 Apr 2024 18:21:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Kpl51H7X" X-Original-To: linux-crypto@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 664377F for ; Sat, 20 Apr 2024 18:21:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713637271; cv=none; b=hcb4oyIp6Vs189m4n85ysH5gj8WkMpkBPyelX3B9+7CtfYzG9j4/MOR0aGQNPrfYrJ4XTsXkS4lnsdLUggXOIFSY4dsRo/3KZs6IpSUhvKmr0AvkbV8zLLa5tmZ2ntoOMfOlYlSJA2fRr8SpBIAkPp1v4l4eVBSIMxKIwfvhhlE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713637271; c=relaxed/simple; bh=e1IAU92KdhkgArW6lttIIjoPSxON78AGdXlGCpSU+4I=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=iSGnGGL3CMvTSQHjFINV8wwid/kXJgiKOYNt1mn1JUbeHZ6NBO5dl/4UpIZO/MdgfmSk0Dw95H3tVbGUI6ZlacYXosOJADxe4iL0J/Yic+fSRx9uS4HMCBMlqw8XPyZKjy5m4F9Fffer1FLBjHupikd2BegCcr+Y9x9xrxQEMy0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Kpl51H7X; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30200C072AA; Sat, 20 Apr 2024 18:21:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1713637271; bh=e1IAU92KdhkgArW6lttIIjoPSxON78AGdXlGCpSU+4I=; h=From:To:Cc:Subject:Date:From; b=Kpl51H7XJIuWxrlSER3nNNhfvockhmztVEIZxhxrDR7gvLv2P4FUlCCXOaMx7iPRT HmN3ebpOAWGQ7LVasgkpcg+qkn+tOf8Pw4GIhPQ5aatoOvLW4BHq5vunZl/RCji+/Z YOPv4gWgrBkVREc4kaGW6BIsUrmGLUoRlYRBPbktQBd04lZ/UIFWS4hkYXdAUwQLRm 1+n1vIgGWqX07/z7Im94W8XxkNFCUk5tULt+6ZzPIsZ3aaD0Gi33KnHICXwSSxbrnK yknZ/r8igUjWnK1EtqnZ3YlxvL34zz6lu7aEx16ElsMX37oiAy09EU1ODOyWU8BG09 aKBPwwpVyuvWA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: x86@kernel.org Subject: [PATCH v2] crypto: x86/aes-gcm - simplify GCM hash subkey derivation Date: Sat, 20 Apr 2024 11:20:16 -0700 Message-ID: <20240420182016.28159-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Eric Biggers Remove a redundant expansion of the AES key, and use rodata for zeroes. Also rename rfc4106_set_hash_subkey() to aes_gcm_derive_hash_subkey() because it's used for both versions of AES-GCM, not just RFC4106. Signed-off-by: Eric Biggers --- arch/x86/crypto/aesni-intel_glue.c | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c index 110b3282a1f2..e582506306b1 100644 --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -38,11 +38,10 @@ #define AESNI_ALIGN 16 #define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN))) #define AES_BLOCK_MASK (~(AES_BLOCK_SIZE - 1)) -#define RFC4106_HASH_SUBKEY_SIZE 16 #define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1)) #define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA) #define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA) /* This data is stored at the end of the crypto_tfm struct. @@ -588,27 +587,16 @@ static int xctr_crypt(struct skcipher_request *req) err = skcipher_walk_done(&walk, nbytes); } return err; } -static int -rfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len) +static int aes_gcm_derive_hash_subkey(const struct crypto_aes_ctx *aes_key, + u8 hash_subkey[AES_BLOCK_SIZE]) { - struct crypto_aes_ctx ctx; - int ret; + static const u8 zeroes[AES_BLOCK_SIZE]; - ret = aes_expandkey(&ctx, key, key_len); - if (ret) - return ret; - - /* Clear the data in the hash sub key container to zero.*/ - /* We want to cipher all zeros to create the hash sub key. */ - memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE); - - aes_encrypt(&ctx, hash_subkey, hash_subkey); - - memzero_explicit(&ctx, sizeof(ctx)); + aes_encrypt(aes_key, hash_subkey, zeroes); return 0; } static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key, unsigned int key_len) @@ -622,11 +610,12 @@ static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key, key_len -= 4; memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce)); return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: - rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); + aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded, + ctx->hash_subkey); } /* This is the Integrity Check Value (aka the authentication tag) length and can * be 8, 12 or 16 bytes long. */ static int common_rfc4106_set_authsize(struct crypto_aead *aead, @@ -1328,11 +1317,12 @@ static int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key, unsigned int key_len) { struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead); return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: - rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); + aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded, + ctx->hash_subkey); } static int generic_gcmaes_encrypt(struct aead_request *req) { struct crypto_aead *tfm = crypto_aead_reqtfm(req); base-commit: 543ea178fbfadeaf79e15766ac989f3351349f02 -- 2.44.0