[PATCH] Do not precalculate OCB offset L0+L1+L0
Jussi Kivilinna
jussi.kivilinna at iki.fi
Sun Jan 27 12:01:28 CET 2019
* cipher/cipher-internal.h (gcry_cipher_handle): Remove OCB L0L1L0.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_setkey): Ditto.
* cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec)
(_gcry_aes_aesni_ocb_auth): Replace L0L1L0 use with L1.
--
Patch fixes the L0+L1+L0 thinko. This value is the same as L1 (L0 xor L1 xor L0).
---
0 files changed
diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index 79de140dd..5ece774e6 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -322,7 +322,6 @@ struct gcry_cipher_handle
unsigned char L_star[OCB_BLOCK_LEN];
unsigned char L_dollar[OCB_BLOCK_LEN];
unsigned char L0L1[OCB_BLOCK_LEN];
- unsigned char L0L1L0[OCB_BLOCK_LEN];
unsigned char L[OCB_L_TABLE_SIZE][OCB_BLOCK_LEN];
/* --- Following members are cleared in gcry_cipher_reset --- */
diff --git a/cipher/cipher-ocb.c b/cipher/cipher-ocb.c
index be6b8dffb..308b04952 100644
--- a/cipher/cipher-ocb.c
+++ b/cipher/cipher-ocb.c
@@ -141,11 +141,9 @@ void _gcry_cipher_ocb_setkey (gcry_cipher_hd_t c)
double_block_cpy (c->u_mode.ocb.L[0], c->u_mode.ocb.L_dollar);
for (i = 1; i < OCB_L_TABLE_SIZE; i++)
double_block_cpy (c->u_mode.ocb.L[i], c->u_mode.ocb.L[i-1]);
- /* Precalculated offsets L0+L1, L0+L1+L0 */
+ /* Precalculated offset L0+L1 */
cipher_block_xor (c->u_mode.ocb.L0L1,
c->u_mode.ocb.L[0], c->u_mode.ocb.L[1], OCB_BLOCK_LEN);
- cipher_block_xor (c->u_mode.ocb.L0L1L0,
- c->u_mode.ocb.L[0], c->u_mode.ocb.L0L1, OCB_BLOCK_LEN);
/* Cleanup */
wipememory (ktop, sizeof ktop);
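Review bot: The rewritten comment on the L0L1 line no longer records why the second precomputed buffer went away, which is the fact the three AES-NI callers depended on: L0+L1+L0 collapses to L1, so no separate offset needs storing. Writing the identity down here is what keeps the next reader from re-adding the redundant buffer, e.g. `/* Precalculated offset L0+L1.  (L0+L1+L0 is just L1, so callers use L[1] directly.) */`. _gcry_cipher_ocb_setkey begins before this hunk and continues past it.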
diff --git a/cipher/rijndael-aesni.c b/cipher/rijndael-aesni.c
index ec9f4d4a5..9883861a2 100644
--- a/cipher/rijndael-aesni.c
+++ b/cipher/rijndael-aesni.c
@@ -2429,11 +2429,11 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg,
l = aes_ocb_get_l(c, n);
asm volatile ("movdqu %[l0l1], %%xmm10\n\t"
- "movdqu %[l0l1l0], %%xmm11\n\t"
+ "movdqu %[l1], %%xmm11\n\t"
"movdqu %[l3], %%xmm15\n\t"
:
: [l0l1] "m" (*c->u_mode.ocb.L0L1),
- [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0),
+ [l1] "m" (*c->u_mode.ocb.L[1]),
[l3] "m" (*l)
: "memory" );
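Review bot: The new `[l1] "m" (*c->u_mode.ocb.L[1])` operand names what lands in xmm11 but not why plain L1 stands where a reader would expect the cumulative L0+L1+L0, which is exactly the confusion this patch removes; the same applies to the matching operands in the other five rijndael-aesni.c hunks (the four-block path of aesni_ocb_enc, both aesni_ocb_dec hunks and both _gcry_aes_aesni_ocb_auth hunks). A one-line note at the first load, `"movdqu %[l1], %%xmm11\n\t" /* L1 == L0+L1+L0 */`, would record the identity at the point of use. Note also that the `"m"` operand describes only the first byte of the 16-byte L[1] array while movdqu reads all of it; that is correct only because every one of these statements carries the `"memory"` clobber, a pre-existing arrangement that a later cleanup must not drop. aesni_ocb_enc starts and ends outside this hunk.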
@@ -2561,13 +2561,13 @@ aesni_ocb_enc (gcry_cipher_hd_t c, void *outbuf_arg,
[l0l1] "m" (*c->u_mode.ocb.L0L1),
[inbuf0] "m" (*(inbuf + 0 * BLOCKSIZE))
: "memory" );
- asm volatile ("movdqu %[l0l1l0], %%xmm4\n\t"
+ asm volatile ("movdqu %[l1], %%xmm4\n\t"
"movdqu %[l3], %%xmm6\n\t"
"pxor %%xmm5, %%xmm0\n\t"
"pxor %%xmm0, %%xmm1\n\t"
"movdqu %%xmm0, %[outbuf0]\n\t"
: [outbuf0] "=m" (*(outbuf + 0 * BLOCKSIZE))
- : [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0),
+ : [l1] "m" (*c->u_mode.ocb.L[1]),
[l3] "m" (*l)
: "memory" );
asm volatile ("movdqu %[inbuf1], %%xmm2\n\t"
@@ -2730,11 +2730,11 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg,
l = aes_ocb_get_l(c, n);
asm volatile ("movdqu %[l0l1], %%xmm10\n\t"
- "movdqu %[l0l1l0], %%xmm11\n\t"
+ "movdqu %[l1], %%xmm11\n\t"
"movdqu %[l3], %%xmm15\n\t"
:
: [l0l1] "m" (*c->u_mode.ocb.L0L1),
- [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0),
+ [l1] "m" (*c->u_mode.ocb.L[1]),
[l3] "m" (*l)
: "memory" );
@@ -2862,13 +2862,13 @@ aesni_ocb_dec (gcry_cipher_hd_t c, void *outbuf_arg,
[l0l1] "m" (*c->u_mode.ocb.L0L1),
[inbuf0] "m" (*(inbuf + 0 * BLOCKSIZE))
: "memory" );
- asm volatile ("movdqu %[l0l1l0], %%xmm4\n\t"
+ asm volatile ("movdqu %[l1], %%xmm4\n\t"
"movdqu %[l3], %%xmm6\n\t"
"pxor %%xmm5, %%xmm0\n\t"
"pxor %%xmm0, %%xmm1\n\t"
"movdqu %%xmm0, %[outbuf0]\n\t"
: [outbuf0] "=m" (*(outbuf + 0 * BLOCKSIZE))
- : [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0),
+ : [l1] "m" (*c->u_mode.ocb.L[1]),
[l3] "m" (*l)
: "memory" );
asm volatile ("movdqu %[inbuf1], %%xmm2\n\t"
@@ -3028,11 +3028,11 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg,
asm volatile ("movdqu %[l0], %%xmm7\n\t"
"movdqu %[l0l1], %%xmm12\n\t"
- "movdqu %[l0l1l0], %%xmm13\n\t"
+ "movdqu %[l1], %%xmm13\n\t"
:
: [l0] "m" (*c->u_mode.ocb.L[0]),
[l0l1] "m" (*c->u_mode.ocb.L0L1),
- [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0)
+ [l1] "m" (*c->u_mode.ocb.L[1])
: "memory" );
for ( ;nblocks >= 8 ; nblocks -= 8 )
@@ -3138,12 +3138,12 @@ _gcry_aes_aesni_ocb_auth (gcry_cipher_hd_t c, const void *abuf_arg,
[l0l1] "m" (*c->u_mode.ocb.L0L1),
[abuf0] "m" (*(abuf + 0 * BLOCKSIZE))
: "memory" );
- asm volatile ("movdqu %[l0l1l0], %%xmm4\n\t"
+ asm volatile ("movdqu %[l1], %%xmm4\n\t"
"movdqu %[l3], %%xmm7\n\t"
"pxor %%xmm5, %%xmm0\n\t"
"pxor %%xmm0, %%xmm1\n\t"
:
- : [l0l1l0] "m" (*c->u_mode.ocb.L0L1L0),
+ : [l1] "m" (*c->u_mode.ocb.L[1]),
[l3] "m" (*l)
: "memory" );
asm volatile ("movdqu %[abuf1], %%xmm2\n\t"