Skip to content

Commit ed265f7

Browse files
ebiggersherbertx
authored andcommitted
crypto: x86/aes-gcm - simplify GCM hash subkey derivation
Remove a redundant expansion of the AES key, and use rodata for zeroes. Also rename rfc4106_set_hash_subkey() to aes_gcm_derive_hash_subkey() because it's used for both versions of AES-GCM, not just RFC4106. Signed-off-by: Eric Biggers <[email protected]> Signed-off-by: Herbert Xu <[email protected]>
1 parent a0bbb1c commit ed265f7

File tree

1 file changed

+8
-18
lines changed

1 file changed

+8
-18
lines changed

arch/x86/crypto/aesni-intel_glue.c

Lines changed: 8 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,6 @@
4040
#define AESNI_ALIGN 16
4141
#define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN)))
4242
#define AES_BLOCK_MASK (~(AES_BLOCK_SIZE - 1))
43-
#define RFC4106_HASH_SUBKEY_SIZE 16
4443
#define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1))
4544
#define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA)
4645
#define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA)
@@ -590,23 +589,12 @@ static int xctr_crypt(struct skcipher_request *req)
590589
return err;
591590
}
592591

593-
static int
594-
rfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len)
592+
static int aes_gcm_derive_hash_subkey(const struct crypto_aes_ctx *aes_key,
593+
u8 hash_subkey[AES_BLOCK_SIZE])
595594
{
596-
struct crypto_aes_ctx ctx;
597-
int ret;
595+
static const u8 zeroes[AES_BLOCK_SIZE];
598596

599-
ret = aes_expandkey(&ctx, key, key_len);
600-
if (ret)
601-
return ret;
602-
603-
/* Clear the data in the hash sub key container to zero.*/
604-
/* We want to cipher all zeros to create the hash sub key. */
605-
memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE);
606-
607-
aes_encrypt(&ctx, hash_subkey, hash_subkey);
608-
609-
memzero_explicit(&ctx, sizeof(ctx));
597+
aes_encrypt(aes_key, hash_subkey, zeroes);
610598
return 0;
611599
}
612600

@@ -624,7 +612,8 @@ static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key,
624612
memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce));
625613

626614
return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?:
627-
rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
615+
aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded,
616+
ctx->hash_subkey);
628617
}
629618

630619
/* This is the Integrity Check Value (aka the authentication tag) length and can
@@ -1327,7 +1316,8 @@ static int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key,
13271316
struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead);
13281317

13291318
return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?:
1330-
rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
1319+
aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded,
1320+
ctx->hash_subkey);
13311321
}
13321322

13331323
static int generic_gcmaes_encrypt(struct aead_request *req)

0 commit comments

Comments
 (0)