[PATCH 13/13] GCM: Move gcm_table initialization to setkey
Jussi Kivilinna
jussi.kivilinna at iki.fi
Wed Nov 20 18:01:02 CET 2013
* cipher/cipher-gcm.c: Change all 'c->u_iv.iv' to
'c->u_mode.gcm.u_ghash_key.key'.
(_gcry_cipher_gcm_setkey): New.
(_gcry_cipher_gcm_initiv): Move ghash initialization to function above.
* cipher/cipher-internal.h (gcry_cipher_handle): Add
'u_mode.gcm.u_ghash_key'; Reorder 'u_mode.gcm' members for partial
clearing in gcry_cipher_reset.
(_gcry_cipher_gcm_setkey): New prototype.
* cipher/cipher.c (cipher_setkey): Add GCM setkey.
(cipher_reset): Clear 'u_mode' only partially for GCM.
--
GHASH tables can be generated at setkey time. No need to regenerate
for every new IV.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
cipher/cipher-gcm.c | 25 ++++++++++++++++---------
cipher/cipher-internal.h | 30 +++++++++++++++++++++---------
cipher/cipher.c | 23 +++++++++++++++++++++--
3 files changed, 58 insertions(+), 20 deletions(-)
diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
index 42cfc1e..457e337 100644
--- a/cipher/cipher-gcm.c
+++ b/cipher/cipher-gcm.c
@@ -344,7 +344,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf)
}
#define fillM(c, h) do { } while (0)
-#define GHASH(c, result, buf) do_ghash (c->u_iv.iv, result, buf)
+#define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
#endif /* !GCM_USE_TABLES */
@@ -581,7 +581,7 @@ ghash (gcry_cipher_hd_t c, byte *result, const byte *buf,
"pshufb %[be_mask], %%xmm1\n\t" /* be => le */
:
: [hash] "m" (*result), [be_mask] "m" (*be_mask),
- [hsub] "m" (*c->u_iv.iv));
+ [hsub] "m" (*c->u_mode.gcm.u_ghash_key.key));
#ifdef __x86_64__
if (nblocks >= 4)
@@ -687,9 +687,9 @@ setupM (gcry_cipher_hd_t c, byte *h)
c->u_mode.gcm.use_intel_pclmul = 1;
/* Swap endianness of hsub. */
- tmp[0] = buf_get_be64(c->u_iv.iv + 8);
- tmp[1] = buf_get_be64(c->u_iv.iv + 0);
- buf_cpy (c->u_iv.iv, tmp, GCRY_GCM_BLOCK_LEN);
+ tmp[0] = buf_get_be64(c->u_mode.gcm.u_ghash_key.key + 8);
+ tmp[1] = buf_get_be64(c->u_mode.gcm.u_ghash_key.key + 0);
+ buf_cpy (c->u_mode.gcm.u_ghash_key.key, tmp, GCRY_GCM_BLOCK_LEN);
#ifdef __x86_64__
asm volatile ("movdqu %[h_1], %%xmm0\n\t"
@@ -982,6 +982,17 @@ _gcry_cipher_gcm_authenticate (gcry_cipher_hd_t c,
}
+void
+_gcry_cipher_gcm_setkey (gcry_cipher_hd_t c)
+{
+ memset (c->u_mode.gcm.u_ghash_key.key, 0, GCRY_GCM_BLOCK_LEN);
+
+ c->spec->encrypt (&c->context.c, c->u_mode.gcm.u_ghash_key.key,
+ c->u_mode.gcm.u_ghash_key.key);
+ setupM (c, c->u_mode.gcm.u_ghash_key.key);
+}
+
+
static gcry_err_code_t
_gcry_cipher_gcm_initiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
{
@@ -995,10 +1006,6 @@ _gcry_cipher_gcm_initiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
if (ivlen == 0)
return GPG_ERR_INV_LENGTH;
- c->spec->encrypt (&c->context.c, c->u_iv.iv, c->u_mode.gcm.u_tag.tag);
-
- setupM (c, c->u_iv.iv);
-
if (ivlen != GCRY_GCM_BLOCK_LEN - 4)
{
u32 iv_bytes[2] = {0, 0};
diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index ede6f75..6fb3bac 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -179,6 +179,25 @@ struct gcry_cipher_handle
/* encrypted tag counter */
unsigned char tagiv[MAX_BLOCKSIZE];
+ unsigned int ghash_data_finalized:1;
+ unsigned int ghash_aad_finalized:1;
+
+ unsigned int datalen_over_limits:1;
+ unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
+
+ /* --- Following members are not cleared in gcry_cipher_reset --- */
+
+ /* GHASH multiplier from key. */
+ union {
+ cipher_context_alignment_t iv_align;
+ unsigned char key[MAX_BLOCKSIZE];
+ } u_ghash_key;
+
+#ifdef GCM_USE_INTEL_PCLMUL
+ /* Use Intel PCLMUL instructions for accelerated GHASH. */
+ unsigned int use_intel_pclmul:1;
+#endif
+
/* Pre-calculated table for GCM. */
#ifdef GCM_USE_TABLES
#if defined(HAVE_U64_TYPEDEF) && (SIZEOF_UNSIGNED_LONG == 8 \
@@ -190,15 +209,6 @@ struct gcry_cipher_handle
u32 gcm_table[4 * 16];
#endif
#endif
-
- unsigned int ghash_data_finalized:1;
- unsigned int ghash_aad_finalized:1;
-
- unsigned int datalen_over_limits:1;
- unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
-#ifdef GCM_USE_INTEL_PCLMUL
- unsigned int use_intel_pclmul:1;
-#endif
} gcm;
} u_mode;
@@ -302,6 +312,8 @@ gcry_err_code_t _gcry_cipher_gcm_get_tag
gcry_err_code_t _gcry_cipher_gcm_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
+void _gcry_cipher_gcm_setkey
+/* */ (gcry_cipher_hd_t c);
#endif /*G10_CIPHER_INTERNAL_H*/
diff --git a/cipher/cipher.c b/cipher/cipher.c
index a3c2c6f..516f44b 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -593,6 +593,11 @@ cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
case GCRY_CIPHER_MODE_CMAC:
_gcry_cipher_cmac_set_subkeys (c);
break;
+
+ case GCRY_CIPHER_MODE_GCM:
+ _gcry_cipher_gcm_setkey (c);
+ break;
+
default:
break;
};
@@ -670,9 +675,23 @@ cipher_reset (gcry_cipher_hd_t c)
c->u_mode.cmac.tag = 0;
break;
- default:
- memset (&c->u_mode, 0, sizeof c->u_mode);
+ case GCRY_CIPHER_MODE_GCM:
+ /* Only clear head of u_mode, keep ghash_key and gcm_table. */
+ {
+ byte *u_mode_pos = (void *)&c->u_mode;
+ byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
+ size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
+
+ memset (&c->u_mode, 0, u_mode_head_length);
+ }
+ break;
+
+ case GCRY_CIPHER_MODE_CCM:
+ memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
break;
+
+ default:
+ break; /* u_mode unused by other modes. */
}
}
More information about the Gcrypt-devel
mailing list