
lib/crypto: aesgcm: Use GHASH library API

Make the AES-GCM library use the GHASH library instead of directly
calling gf128mul_lle(). This allows the architecture-optimized GHASH
implementations to be used, or the improved generic implementation if no
architecture-optimized implementation is usable.

Note: this means that <crypto/gcm.h> no longer needs to include
<crypto/gf128mul.h>. Remove that inclusion, and include
<crypto/gf128mul.h> explicitly from arch/x86/crypto/aesni-intel_glue.c
which previously was relying on the transitive inclusion.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260319061723.1140720-20-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

+32 -30
+1
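--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -25,6 +25,7 @@
 #include <crypto/aes.h>
 #include <crypto/b128ops.h>
 #include <crypto/gcm.h>
+#include <crypto/gf128mul.h>
 #include <crypto/xts.h>
 #include <asm/cpu_device_id.h>
 #include <asm/simd.h>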
+2 -2
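--- a/include/crypto/gcm.h
+++ b/include/crypto/gcm.h
@@ -4,7 +4,7 @@
 #include <linux/errno.h>
 
 #include <crypto/aes.h>
-#include <crypto/gf128mul.h>
+#include <crypto/gf128hash.h>
 
 #define GCM_AES_IV_SIZE 12
 #define GCM_RFC4106_IV_SIZE 8
@@ -65,7 +65,7 @@
 }
 
 struct aesgcm_ctx {
-	be128 ghash_key;
+	struct ghash_key ghash_key;
 	struct aes_enckey aes_key;
 	unsigned int authsize;
 };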
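Review bot: The new `struct ghash_key ghash_key` member of aesgcm_ctx carries no comment, and nothing in the header tells a reader that it is key material derived from the AES key rather than a public parameter. A one-line comment on the field would settle that: `/* GHASH subkey H = AES_K(0^128), prepared via ghash_preparekey(); secret like aes_key */`. The derivation is visible in aesgcm_expandkey() in lib/crypto/aesgcm.c in this same commit, where the all-zero block is encrypted under aes_key and handed to ghash_preparekey().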
+1 -1
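--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -41,7 +41,7 @@
 config CRYPTO_LIB_AESGCM
 	tristate
 	select CRYPTO_LIB_AES
-	select CRYPTO_LIB_GF128MUL
+	select CRYPTO_LIB_GF128HASH
 	select CRYPTO_LIB_UTILS
 
 config CRYPTO_LIB_ARC4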
+28 -27
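--- a/lib/crypto/aesgcm.c
+++ b/lib/crypto/aesgcm.c
@@ -5,9 +5,8 @@
  * Copyright 2022 Google LLC
  */
 
-#include <crypto/algapi.h>
 #include <crypto/gcm.h>
-#include <crypto/ghash.h>
+#include <crypto/utils.h>
 #include <linux/export.h>
 #include <linux/module.h>
 #include <asm/irqflags.h>
@@ -44,7 +45,7 @@
 int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
 		     unsigned int keysize, unsigned int authsize)
 {
-	u8 kin[AES_BLOCK_SIZE] = {};
+	u8 h[AES_BLOCK_SIZE] = {};
 	int ret;
 
 	ret = crypto_gcm_check_authsize(authsize) ?:
@@ -53,23 +54,12 @@
 		return ret;
 
 	ctx->authsize = authsize;
-	aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, kin);
-
+	aesgcm_encrypt_block(&ctx->aes_key, h, h);
+	ghash_preparekey(&ctx->ghash_key, h);
+	memzero_explicit(h, sizeof(h));
 	return 0;
 }
 EXPORT_SYMBOL(aesgcm_expandkey);
-
-static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
-			 int len)
-{
-	while (len > 0) {
-		crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
-		gf128mul_lle(ghash, key);
-
-		src += GHASH_BLOCK_SIZE;
-		len -= GHASH_BLOCK_SIZE;
-	}
-}
 
 /**
  * aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
@@ -76,20 +88,33 @@
 static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
 		       const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
 {
-	be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
-	u8 buf[AES_BLOCK_SIZE];
-	be128 ghash = {};
+	static const u8 zeroes[GHASH_BLOCK_SIZE];
+	__be64 tail[2] = {
+		cpu_to_be64((u64)assoc_len * 8),
+		cpu_to_be64((u64)src_len * 8),
+	};
+	struct ghash_ctx ghash;
+	u8 ghash_out[AES_BLOCK_SIZE];
+	u8 enc_ctr[AES_BLOCK_SIZE];
 
-	aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
-	aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
-	aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
+	ghash_init(&ghash, &ctx->ghash_key);
+
+	ghash_update(&ghash, assoc, assoc_len);
+	ghash_update(&ghash, zeroes, -assoc_len & (GHASH_BLOCK_SIZE - 1));
+
+	ghash_update(&ghash, src, src_len);
+	ghash_update(&ghash, zeroes, -src_len & (GHASH_BLOCK_SIZE - 1));
+
+	ghash_update(&ghash, (const u8 *)&tail, sizeof(tail));
+
+	ghash_final(&ghash, ghash_out);
 
 	ctr[3] = cpu_to_be32(1);
-	aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
-	crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
+	aesgcm_encrypt_block(&ctx->aes_key, enc_ctr, ctr);
+	crypto_xor_cpy(authtag, ghash_out, enc_ctr, ctx->authsize);
 
-	memzero_explicit(&ghash, sizeof(ghash));
-	memzero_explicit(buf, sizeof(buf));
+	memzero_explicit(ghash_out, sizeof(ghash_out));
+	memzero_explicit(enc_ctr, sizeof(enc_ctr));
 }
 
 static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,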
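Review bot: In aesgcm_mac() the running GHASH state now lives in the stack-local `struct ghash_ctx ghash`, but only `ghash_out` and `enc_ctr` are wiped at the end, whereas the removed code cleared its `be128 ghash` accumulator with memzero_explicit(). Unless ghash_final() is documented to clear its context on completion (not visible here), that intermediate state, which is a function of the secret subkey H, is left behind on the stack after return; adding `memzero_explicit(&ghash, sizeof(ghash));` next to the two existing calls restores the previous hygiene. aesgcm_expandkey() in the earlier hunk handles this correctly by clearing `h` immediately after ghash_preparekey(), so the two functions would then be consistent.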