From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
linux-s390@vger.kernel.org, x86@kernel.org,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 19/19] lib/crypto: aesgcm: Use GHASH library API
Date: Wed, 18 Mar 2026 23:17:20 -0700 [thread overview]
Message-ID: <20260319061723.1140720-20-ebiggers@kernel.org> (raw)
In-Reply-To: <20260319061723.1140720-1-ebiggers@kernel.org>
Make the AES-GCM library use the GHASH library instead of directly
calling gf128mul_lle(). This allows the architecture-optimized GHASH
implementations to be used, or the improved generic implementation if no
architecture-optimized implementation is usable.
Note: this means that <crypto/gcm.h> no longer needs to include
<crypto/gf128mul.h>. Remove that inclusion, and include
<crypto/gf128mul.h> explicitly from arch/x86/crypto/aesni-intel_glue.c
which previously was relying on the transitive inclusion.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
arch/x86/crypto/aesni-intel_glue.c | 1 +
include/crypto/gcm.h | 4 +--
lib/crypto/Kconfig | 2 +-
lib/crypto/aesgcm.c | 55 +++++++++++++++---------------
4 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
index e6c38d1d8a92..f522fff9231e 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -23,10 +23,11 @@
#include <linux/err.h>
#include <crypto/algapi.h>
#include <crypto/aes.h>
#include <crypto/b128ops.h>
#include <crypto/gcm.h>
+#include <crypto/gf128mul.h>
#include <crypto/xts.h>
#include <asm/cpu_device_id.h>
#include <asm/simd.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/aead.h>
diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h
index b524e47bd4d0..1d5f39ff1dc4 100644
--- a/include/crypto/gcm.h
+++ b/include/crypto/gcm.h
@@ -2,11 +2,11 @@
#define _CRYPTO_GCM_H
#include <linux/errno.h>
#include <crypto/aes.h>
-#include <crypto/gf128mul.h>
+#include <crypto/gf128hash.h>
#define GCM_AES_IV_SIZE 12
#define GCM_RFC4106_IV_SIZE 8
#define GCM_RFC4543_IV_SIZE 8
@@ -63,11 +63,11 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen)
return 0;
}
struct aesgcm_ctx {
- be128 ghash_key;
+ struct ghash_key ghash_key;
struct aes_enckey aes_key;
unsigned int authsize;
};
int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index a39e7707e9ee..32fafe245f47 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -39,11 +39,11 @@ config CRYPTO_LIB_AES_CBC_MACS
<crypto/aes-cbc-macs.h>.
config CRYPTO_LIB_AESGCM
tristate
select CRYPTO_LIB_AES
- select CRYPTO_LIB_GF128MUL
+ select CRYPTO_LIB_GF128HASH
select CRYPTO_LIB_UTILS
config CRYPTO_LIB_ARC4
tristate
diff --git a/lib/crypto/aesgcm.c b/lib/crypto/aesgcm.c
index 02f5b5f32c76..8c7e74d2d147 100644
--- a/lib/crypto/aesgcm.c
+++ b/lib/crypto/aesgcm.c
@@ -3,13 +3,12 @@
* Minimal library implementation of GCM
*
* Copyright 2022 Google LLC
*/
-#include <crypto/algapi.h>
#include <crypto/gcm.h>
-#include <crypto/ghash.h>
+#include <crypto/utils.h>
#include <linux/export.h>
#include <linux/module.h>
#include <asm/irqflags.h>
static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
@@ -43,37 +42,26 @@ static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
* that are not permitted by the GCM specification.
*/
int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
unsigned int keysize, unsigned int authsize)
{
- u8 kin[AES_BLOCK_SIZE] = {};
+ u8 h[AES_BLOCK_SIZE] = {};
int ret;
ret = crypto_gcm_check_authsize(authsize) ?:
aes_prepareenckey(&ctx->aes_key, key, keysize);
if (ret)
return ret;
ctx->authsize = authsize;
- aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, kin);
-
+ aesgcm_encrypt_block(&ctx->aes_key, h, h);
+ ghash_preparekey(&ctx->ghash_key, h);
+ memzero_explicit(h, sizeof(h));
return 0;
}
EXPORT_SYMBOL(aesgcm_expandkey);
-static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
- int len)
-{
- while (len > 0) {
- crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
- gf128mul_lle(ghash, key);
-
- src += GHASH_BLOCK_SIZE;
- len -= GHASH_BLOCK_SIZE;
- }
-}
-
/**
* aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
* @ctx: The data structure that will hold the AES-GCM key schedule
* @src: The input source data.
* @src_len: Length of the source data.
@@ -86,24 +74,37 @@ static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
* and an output buffer for the authentication tag.
*/
static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
{
- be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
- u8 buf[AES_BLOCK_SIZE];
- be128 ghash = {};
+ static const u8 zeroes[GHASH_BLOCK_SIZE];
+ __be64 tail[2] = {
+ cpu_to_be64((u64)assoc_len * 8),
+ cpu_to_be64((u64)src_len * 8),
+ };
+ struct ghash_ctx ghash;
+ u8 ghash_out[AES_BLOCK_SIZE];
+ u8 enc_ctr[AES_BLOCK_SIZE];
+
+ ghash_init(&ghash, &ctx->ghash_key);
+
+ ghash_update(&ghash, assoc, assoc_len);
+ ghash_update(&ghash, zeroes, -assoc_len & (GHASH_BLOCK_SIZE - 1));
- aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
- aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
- aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
+ ghash_update(&ghash, src, src_len);
+ ghash_update(&ghash, zeroes, -src_len & (GHASH_BLOCK_SIZE - 1));
+
+ ghash_update(&ghash, (const u8 *)&tail, sizeof(tail));
+
+ ghash_final(&ghash, ghash_out);
ctr[3] = cpu_to_be32(1);
- aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
- crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
+ aesgcm_encrypt_block(&ctx->aes_key, enc_ctr, ctr);
+ crypto_xor_cpy(authtag, ghash_out, enc_ctr, ctx->authsize);
- memzero_explicit(&ghash, sizeof(ghash));
- memzero_explicit(buf, sizeof(buf));
+ memzero_explicit(ghash_out, sizeof(ghash_out));
+ memzero_explicit(enc_ctr, sizeof(enc_ctr));
}
static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
int len, __be32 *ctr)
{
--
2.53.0
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
linux-s390@vger.kernel.org, x86@kernel.org,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 19/19] lib/crypto: aesgcm: Use GHASH library API
Date: Wed, 18 Mar 2026 23:17:20 -0700 [thread overview]
Message-ID: <20260319061723.1140720-20-ebiggers@kernel.org> (raw)
In-Reply-To: <20260319061723.1140720-1-ebiggers@kernel.org>
Make the AES-GCM library use the GHASH library instead of directly
calling gf128mul_lle(). This allows the architecture-optimized GHASH
implementations to be used, or the improved generic implementation if no
architecture-optimized implementation is usable.
Note: this means that <crypto/gcm.h> no longer needs to include
<crypto/gf128mul.h>. Remove that inclusion, and include
<crypto/gf128mul.h> explicitly from arch/x86/crypto/aesni-intel_glue.c
which previously was relying on the transitive inclusion.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
arch/x86/crypto/aesni-intel_glue.c | 1 +
include/crypto/gcm.h | 4 +--
lib/crypto/Kconfig | 2 +-
lib/crypto/aesgcm.c | 55 +++++++++++++++---------------
4 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
index e6c38d1d8a92..f522fff9231e 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -23,10 +23,11 @@
#include <linux/err.h>
#include <crypto/algapi.h>
#include <crypto/aes.h>
#include <crypto/b128ops.h>
#include <crypto/gcm.h>
+#include <crypto/gf128mul.h>
#include <crypto/xts.h>
#include <asm/cpu_device_id.h>
#include <asm/simd.h>
#include <crypto/scatterwalk.h>
#include <crypto/internal/aead.h>
diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h
index b524e47bd4d0..1d5f39ff1dc4 100644
--- a/include/crypto/gcm.h
+++ b/include/crypto/gcm.h
@@ -2,11 +2,11 @@
#define _CRYPTO_GCM_H
#include <linux/errno.h>
#include <crypto/aes.h>
-#include <crypto/gf128mul.h>
+#include <crypto/gf128hash.h>
#define GCM_AES_IV_SIZE 12
#define GCM_RFC4106_IV_SIZE 8
#define GCM_RFC4543_IV_SIZE 8
@@ -63,11 +63,11 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen)
return 0;
}
struct aesgcm_ctx {
- be128 ghash_key;
+ struct ghash_key ghash_key;
struct aes_enckey aes_key;
unsigned int authsize;
};
int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index a39e7707e9ee..32fafe245f47 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -39,11 +39,11 @@ config CRYPTO_LIB_AES_CBC_MACS
<crypto/aes-cbc-macs.h>.
config CRYPTO_LIB_AESGCM
tristate
select CRYPTO_LIB_AES
- select CRYPTO_LIB_GF128MUL
+ select CRYPTO_LIB_GF128HASH
select CRYPTO_LIB_UTILS
config CRYPTO_LIB_ARC4
tristate
diff --git a/lib/crypto/aesgcm.c b/lib/crypto/aesgcm.c
index 02f5b5f32c76..8c7e74d2d147 100644
--- a/lib/crypto/aesgcm.c
+++ b/lib/crypto/aesgcm.c
@@ -3,13 +3,12 @@
* Minimal library implementation of GCM
*
* Copyright 2022 Google LLC
*/
-#include <crypto/algapi.h>
#include <crypto/gcm.h>
-#include <crypto/ghash.h>
+#include <crypto/utils.h>
#include <linux/export.h>
#include <linux/module.h>
#include <asm/irqflags.h>
static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
@@ -43,37 +42,26 @@ static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
* that are not permitted by the GCM specification.
*/
int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
unsigned int keysize, unsigned int authsize)
{
- u8 kin[AES_BLOCK_SIZE] = {};
+ u8 h[AES_BLOCK_SIZE] = {};
int ret;
ret = crypto_gcm_check_authsize(authsize) ?:
aes_prepareenckey(&ctx->aes_key, key, keysize);
if (ret)
return ret;
ctx->authsize = authsize;
- aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, kin);
-
+ aesgcm_encrypt_block(&ctx->aes_key, h, h);
+ ghash_preparekey(&ctx->ghash_key, h);
+ memzero_explicit(h, sizeof(h));
return 0;
}
EXPORT_SYMBOL(aesgcm_expandkey);
-static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
- int len)
-{
- while (len > 0) {
- crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
- gf128mul_lle(ghash, key);
-
- src += GHASH_BLOCK_SIZE;
- len -= GHASH_BLOCK_SIZE;
- }
-}
-
/**
* aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
* @ctx: The data structure that will hold the AES-GCM key schedule
* @src: The input source data.
* @src_len: Length of the source data.
@@ -86,24 +74,37 @@ static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
* and an output buffer for the authentication tag.
*/
static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
{
- be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
- u8 buf[AES_BLOCK_SIZE];
- be128 ghash = {};
+ static const u8 zeroes[GHASH_BLOCK_SIZE];
+ __be64 tail[2] = {
+ cpu_to_be64((u64)assoc_len * 8),
+ cpu_to_be64((u64)src_len * 8),
+ };
+ struct ghash_ctx ghash;
+ u8 ghash_out[AES_BLOCK_SIZE];
+ u8 enc_ctr[AES_BLOCK_SIZE];
+
+ ghash_init(&ghash, &ctx->ghash_key);
+
+ ghash_update(&ghash, assoc, assoc_len);
+ ghash_update(&ghash, zeroes, -assoc_len & (GHASH_BLOCK_SIZE - 1));
- aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
- aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
- aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
+ ghash_update(&ghash, src, src_len);
+ ghash_update(&ghash, zeroes, -src_len & (GHASH_BLOCK_SIZE - 1));
+
+ ghash_update(&ghash, (const u8 *)&tail, sizeof(tail));
+
+ ghash_final(&ghash, ghash_out);
ctr[3] = cpu_to_be32(1);
- aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
- crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
+ aesgcm_encrypt_block(&ctx->aes_key, enc_ctr, ctr);
+ crypto_xor_cpy(authtag, ghash_out, enc_ctr, ctx->authsize);
- memzero_explicit(&ghash, sizeof(ghash));
- memzero_explicit(buf, sizeof(buf));
+ memzero_explicit(ghash_out, sizeof(ghash_out));
+ memzero_explicit(enc_ctr, sizeof(enc_ctr));
}
static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
int len, __be32 *ctr)
{
--
2.53.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2026-03-19 6:20 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 6:17 [PATCH 00/19] GHASH library Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 01/19] lib/crypto: gf128hash: Rename polyval module to gf128hash Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 02/19] lib/crypto: gf128hash: Support GF128HASH_ARCH without all POLYVAL functions Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 03/19] lib/crypto: gf128hash: Add GHASH support Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 04/19] lib/crypto: tests: Add KUnit tests for GHASH Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 05/19] crypto: arm/ghash - Make the "ghash" crypto_shash NEON-only Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 06/19] crypto: arm/ghash - Move NEON GHASH assembly into its own file Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 07/19] lib/crypto: arm/ghash: Migrate optimized code into library Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 08/19] crypto: arm64/ghash - Move NEON GHASH assembly into its own file Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 09/19] lib/crypto: arm64/ghash: Migrate optimized code into library Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 10/19] crypto: arm64/aes-gcm - Rename struct ghash_key and make fixed-sized Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 11/19] lib/crypto: powerpc/ghash: Migrate optimized code into library Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 12/19] lib/crypto: riscv/ghash: " Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 13/19] lib/crypto: s390/ghash: " Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 14/19] lib/crypto: x86/ghash: " Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 15/19] crypto: gcm - Use GHASH library instead of crypto_ahash Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 16/19] crypto: ghash - Remove ghash from crypto_shash API Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 17/19] lib/crypto: gf128mul: Remove unused 4k_lle functions Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` [PATCH 18/19] lib/crypto: gf128hash: Remove unused content from ghash.h Eric Biggers
2026-03-19 6:17 ` Eric Biggers
2026-03-19 6:17 ` Eric Biggers [this message]
2026-03-19 6:17 ` [PATCH 19/19] lib/crypto: aesgcm: Use GHASH library API Eric Biggers
2026-03-23 14:14 ` [PATCH 00/19] GHASH library Ard Biesheuvel
2026-03-23 14:14 ` Ard Biesheuvel
2026-03-24 0:50 ` Eric Biggers
2026-03-24 0:50 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260319061723.1140720-20-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.