From: Eric Biggers <ebiggers@kernel.org>
To: Thomas Huth <thuth@redhat.com>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support
Date: Mon, 13 Jul 2026 19:54:39 -0400 [thread overview]
Message-ID: <20260713235439.GB24654@quark> (raw)
In-Reply-To: <40932e40-a909-4b95-b739-c4727c1cc153@redhat.com>
On Mon, Jul 13, 2026 at 10:39:53AM +0200, Thomas Huth wrote:
> > diff --git a/Documentation/crypto/libcrypto-unauth-encryption.rst b/Documentation/crypto/libcrypto-unauth-encryption.rst
> > index fb8106034089..6aca01d715da 100644
> > --- a/Documentation/crypto/libcrypto-unauth-encryption.rst
> > +++ b/Documentation/crypto/libcrypto-unauth-encryption.rst
> > @@ -27,6 +27,13 @@ Support for AES in the CBC and CBC-CTS modes of operation.
> > .. kernel-doc:: include/crypto/aes-cbc.h
> > +AES-CTR and AES-XCTR
> > +--------------------
> > +
> > +Support for AES in the CTR and XCTR modes of operation.
>
> I guess you already have this on your radar, but just in case: It would be
> nice to turn this into a full sentence, too.
Yes, I'm making all of them full sentences.
> > +/**
> > + * aes_ctr() - AES-CTR en/decryption
> > + * @dst: The destination buffer. Can be in-place or out-of-place. For other
> > + * overlaps the behavior is unspecified.
> > + * @src: The source data
> > + * @len: Number of bytes to en/decrypt
> > + * @ctr: The counter. It will be incremented by ceil(@len / AES_BLOCK_SIZE).
> > + * @key: The key
> > + *
> > + * This implements AES in counter mode with a 128-bit big endian counter.
> > + *
> > + * This supports incremental en/decryption. The length of each non-final chunk
> > + * must be a multiple of AES_BLOCK_SIZE, and the updated @ctr must be passed in
> > + * each time.
>
> Maybe add some wording that ctr ideally should not be 0 for the first call,
> i.e. a "nonce" value?
It depends on the usage. If a distinct key is used for each message for
example, always starting at 0 is perfectly fine.
I'm not sure how far we should go to document the proper use of each
algorithm. Really the AES-CTR support is just for internal use by
AES-GCM and AES-CCM, and a few odd users that implement specific other
protocols that need AES-CTR. It's not intended to be a place to go to
receive an introduction to CTR mode.
> > +static __always_inline void inc_be128_ctr(u8 ctr[AES_BLOCK_SIZE])
> > +{
> > + /* Casts to u8 are needed because of the implicit integer promotion. */
> > + if (((u8)++ctr[AES_BLOCK_SIZE - 1]) != 0)
> > + return;
>
> Why do you handle the first value separately here? The code could be
> simplified to start with "int i = AES_BLOCK_SIZE -1" in the for-loop
> instead?
Just a trick to optimize performance by unrolling the first iteration,
since 255 times out of 256 the first iteration is enough.
> > +void aes_xctr(u8 *dst, const u8 *src, size_t len, u64 *ctr,
> > + const u8 iv[AES_BLOCK_SIZE], aes_encrypt_arg key)
> > +{
> > + const __le64 iv0 = get_unaligned((const __le64 *)&iv[0]);
> > + __le64 aes_input[2];
> > + u8 keystream[AES_BLOCK_SIZE] __aligned(__alignof__(long));
> > +
> > + if (likely(aes_xctr_arch(dst, src, len, ctr, iv, key.enc_key)))
> > + return;
> > +
> > + aes_input[1] = get_unaligned((const __le64 *)&iv[8]);
> > + /* Handle the full blocks. */
> > + for (; len >= AES_BLOCK_SIZE; len -= AES_BLOCK_SIZE) {
> > + aes_input[0] = iv0 ^ cpu_to_le64((*ctr)++);
>
> Do we want to have a BUG_ON or WARN_ON_ONCE somewhere to check that ctr does
> not wrap around (i.e. to make sure that ctr was really 1 for the first
> call)? Something like:
>
> WARN_ON_ONCE((s64)(cpu_to_le64(*ctr) + len / AES_BLOCK_SIZE) < 0)
>
> at the beginning of the function?
Maybe. Since the counter is a u64, and this function isn't going to be
called from very many places, I don't think it would be a particularly
valuable WARN_ON_ONCE. It shouldn't be BUG_ON.
- Eric
next prev parent reply other threads:[~2026-07-13 23:54 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 5:34 [PATCH 00/33] Library APIs for AES encryption modes Eric Biggers
2026-07-07 5:34 ` [PATCH 01/33] crypto: xts - Split out __xts_verify_key() helper Eric Biggers
2026-07-07 13:20 ` Thomas Huth
2026-07-07 5:34 ` [PATCH 02/33] lib/crypto: aes: Add ECB support Eric Biggers
2026-07-07 13:59 ` Thomas Huth
2026-07-07 19:22 ` Eric Biggers
2026-07-08 5:29 ` Thomas Huth
2026-07-07 5:34 ` [PATCH 03/33] lib/crypto: aes: Add CBC and CBC-CTS support Eric Biggers
2026-07-09 13:06 ` Thomas Huth
2026-07-13 23:37 ` Eric Biggers
2026-07-07 5:34 ` [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support Eric Biggers
2026-07-13 8:39 ` Thomas Huth
2026-07-13 23:54 ` Eric Biggers [this message]
2026-07-14 4:53 ` Thomas Huth
2026-07-07 5:34 ` [PATCH 05/33] lib/crypto: aes: Add XTS support Eric Biggers
2026-07-13 12:15 ` Thomas Huth
2026-07-14 0:23 ` Eric Biggers
2026-07-07 5:34 ` [PATCH 06/33] lib/crypto: aes: Add GCM support Eric Biggers
2026-07-07 5:34 ` [PATCH 07/33] lib/crypto: aes: Add CCM support Eric Biggers
2026-07-07 5:34 ` [PATCH 08/33] crypto: aes - Add ECB support using library Eric Biggers
2026-07-07 5:34 ` [PATCH 09/33] crypto: aes - Add CBC and CBC-CTS " Eric Biggers
2026-07-07 5:34 ` [PATCH 10/33] crypto: aes - Add CTR and XCTR " Eric Biggers
2026-07-07 5:34 ` [PATCH 11/33] crypto: aes - Add XTS " Eric Biggers
2026-07-07 5:34 ` [PATCH 12/33] crypto: aes - Add GCM " Eric Biggers
2026-07-07 5:34 ` [PATCH 13/33] crypto: aes - Add CCM " Eric Biggers
2026-07-07 5:34 ` [PATCH 14/33] x86/sev: Use new AES-GCM library Eric Biggers
2026-07-07 5:34 ` [PATCH 15/33] lib/crypto: aesgcm: Remove old " Eric Biggers
2026-07-07 5:34 ` [PATCH 16/33] crypto: aes - Remove AES-CBC-MAC support Eric Biggers
2026-07-07 5:34 ` [PATCH 17/33] lib/crypto: aes: Remove aes_cbcmac_* functions Eric Biggers
2026-07-07 5:34 ` [PATCH 18/33] fscrypt: Use aes_ecb_encrypt() for v1 key derivation Eric Biggers
2026-07-07 5:34 ` [PATCH 19/33] KEYS: encrypted: Use AES-CBC library instead of crypto_skcipher Eric Biggers
2026-07-07 5:34 ` [PATCH 20/33] KEYS: trusted: dcp: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07 5:34 ` [PATCH 21/33] libceph: Use AES-CBC library in ceph_aes_crypt() Eric Biggers
2026-07-07 5:34 ` [PATCH 22/33] libceph: Reimplement messenger v2 encryption using AES-GCM library Eric Biggers
2026-07-07 5:34 ` [PATCH 23/33] wifi: mac80211: Use AES-CTR library in fils_aead.c Eric Biggers
2026-07-07 5:34 ` [PATCH 24/33] wifi: mac80211: Use AES-GCM library for GMAC suite Eric Biggers
2026-07-07 5:34 ` [PATCH 25/33] wifi: mac80211: Use crypto libraries for GCMP and CCMP suites Eric Biggers
2026-07-07 5:34 ` [PATCH 26/33] macsec: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07 5:34 ` [PATCH 27/33] wifi: ipw2x00: Use AES-CCM library Eric Biggers
2026-07-07 5:34 ` [PATCH 28/33] mac802154: Use AES-CCM and AES-CTR libraries Eric Biggers
2026-07-07 5:34 ` [PATCH 29/33] bpf: crypto: Use AES-CBC and AES-ECB libraries Eric Biggers
2026-07-07 15:01 ` Vadim Fedorenko
2026-07-07 18:20 ` Eric Biggers
2026-07-07 22:50 ` Vadim Fedorenko
2026-07-07 23:16 ` Eric Biggers
2026-07-08 11:47 ` Vadim Fedorenko
2026-07-09 15:47 ` Eric Biggers
2026-07-09 16:46 ` Vadim Fedorenko
2026-07-07 5:35 ` [PATCH 30/33] bpf: crypto: Add AES-GCM support Eric Biggers
2026-07-07 15:02 ` Vadim Fedorenko
2026-07-07 5:35 ` [PATCH 31/33] smb: client: Use AES-GCM and AES-CCM libraries Eric Biggers
2026-07-07 5:35 ` [PATCH 32/33] ksmbd: " Eric Biggers
2026-07-07 10:51 ` Namjae Jeon
2026-07-07 5:35 ` [PATCH 33/33] net: tipc: Use AES-GCM library instead of crypto_aead Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713235439.GB24654@quark \
--to=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox