* [PATCH 1/2] wifi: mac80211: use aesgcm library
From: Johannes Berg @ 2026-05-05 21:18 UTC (permalink / raw)
To: linux-wireless; +Cc: linux-crypto, Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Instead of dynamically allocating the gcm(aes) algorithm, use
the library. This is faster and avoids the extra allocation.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/Kconfig | 2 +-
net/mac80211/aes_gcm.h | 39 +++++++++++++++++----------------------
net/mac80211/key.c | 11 +++--------
net/mac80211/key.h | 3 ++-
net/mac80211/wpa.c | 9 +++++----
5 files changed, 28 insertions(+), 36 deletions(-)
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index d6bc295e23a1..b51050257c01 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -5,9 +5,9 @@ config MAC80211
select CRYPTO
select CRYPTO_LIB_AES_CBC_MACS
select CRYPTO_LIB_ARC4
+ select CRYPTO_LIB_AESGCM
select CRYPTO_AES
select CRYPTO_CCM
- select CRYPTO_GCM
select CRC32
help
This option enables the hardware independent IEEE 802.11
diff --git a/net/mac80211/aes_gcm.h b/net/mac80211/aes_gcm.h
index b14093b2f7a9..8124b81412c8 100644
--- a/net/mac80211/aes_gcm.h
+++ b/net/mac80211/aes_gcm.h
@@ -6,38 +6,33 @@
#ifndef AES_GCM_H
#define AES_GCM_H
-#include "aead_api.h"
+#include <crypto/gcm.h>
#define GCM_AAD_LEN 32
-static inline int ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm,
- u8 *j_0, u8 *aad, u8 *data,
- size_t data_len, u8 *mic)
+static inline void ieee80211_aes_gcm_encrypt(struct aesgcm_ctx *ctx,
+ u8 *j_0, u8 *aad, u8 *data,
+ size_t data_len, u8 *mic)
{
- return aead_encrypt(tfm, j_0, aad + 2,
- be16_to_cpup((__be16 *)aad),
- data, data_len, mic);
+ aesgcm_encrypt(ctx, data, data, data_len,
+ aad + 2, be16_to_cpup((__be16 *)aad),
+ j_0, mic);
}
-static inline int ieee80211_aes_gcm_decrypt(struct crypto_aead *tfm,
- u8 *j_0, u8 *aad, u8 *data,
- size_t data_len, u8 *mic)
+static inline bool ieee80211_aes_gcm_decrypt(struct aesgcm_ctx *ctx,
+ u8 *j_0, u8 *aad, u8 *data,
+ size_t data_len, u8 *mic)
{
- return aead_decrypt(tfm, j_0, aad + 2,
- be16_to_cpup((__be16 *)aad),
- data, data_len, mic);
+ return aesgcm_decrypt(ctx, data, data, data_len,
+ aad + 2, be16_to_cpup((__be16 *)aad),
+ j_0, mic);
}
-static inline struct crypto_aead *
-ieee80211_aes_gcm_key_setup_encrypt(const u8 key[], size_t key_len)
+static inline int
+ieee80211_aes_gcm_key_setup_encrypt(struct aesgcm_ctx *ctx,
+ const u8 key[], size_t key_len)
{
- return aead_key_setup_encrypt("gcm(aes)", key,
- key_len, IEEE80211_GCMP_MIC_LEN);
-}
-
-static inline void ieee80211_aes_gcm_key_free(struct crypto_aead *tfm)
-{
- return aead_key_free(tfm);
+ return aesgcm_expandkey(ctx, key, key_len, IEEE80211_GCMP_MIC_LEN);
}
#endif /* AES_GCM_H */
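Review bot: The return convention of the two helpers silently flips at L61-L70: ieee80211_aes_gcm_decrypt now returns bool with true meaning the tag verified, whereas the old int form used 0 for success, and nothing in the header says so; a one-line comment above it, `/* Returns true if the GCM tag verified, false on authentication failure. */`, would stop a future caller from testing it with `if (ret)` as before. The encrypt helper at L47-L57 likewise becomes void, so its callers can no longer observe a failure; that appears intended, since the library call it wraps has no result to propagate, but a matching comment would make the asymmetry deliberate. Dropping ieee80211_aes_gcm_key_free looks safe only because the expanded key now lives inside struct ieee80211_key, which ieee80211_key_free_common releases with kfree_sensitive(), so the schedule is wiped together with the raw key.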
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 4b8965633df3..1a2092aebaf6 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -727,10 +727,9 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
/* Initialize AES key state here as an optimization so that
* it does not need to be initialized for every packet.
*/
- key->u.gcmp.tfm = ieee80211_aes_gcm_key_setup_encrypt(key_data,
- key_len);
- if (IS_ERR(key->u.gcmp.tfm)) {
- err = PTR_ERR(key->u.gcmp.tfm);
+ err = ieee80211_aes_gcm_key_setup_encrypt(&key->u.gcmp.ctx,
+ key_data, key_len);
+ if (err) {
kfree(key);
return ERR_PTR(err);
}
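Review bot: The error path at L102-L104 frees with plain kfree() a key whose embedded aesgcm_ctx aesgcm_expandkey() may already have partially written, while the normal teardown in ieee80211_key_free_common uses kfree_sensitive(); now that the schedule is embedded rather than held in a separately freed tfm, `kfree_sensitive(key);` on this path would keep the two consistent. Whether the library writes into the context before it rejects a bad key length is not visible here, so this is a consistency point rather than a confirmed leak of key material. The same shape appears in the key.c hunk of patch 2 (ieee80211_aes_gmac_key_setup), and ieee80211_key_alloc continues outside both hunks.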
@@ -753,10 +752,6 @@ static void ieee80211_key_free_common(struct ieee80211_key *key)
case WLAN_CIPHER_SUITE_BIP_GMAC_256:
ieee80211_aes_gmac_key_free(key->u.aes_gmac.tfm);
break;
- case WLAN_CIPHER_SUITE_GCMP:
- case WLAN_CIPHER_SUITE_GCMP_256:
- ieee80211_aes_gcm_key_free(key->u.gcmp.tfm);
- break;
}
kfree_sensitive(key);
}
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index 826e4e9387c5..65450d3474bb 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -13,6 +13,7 @@
#include <linux/crypto.h>
#include <linux/rcupdate.h>
#include <crypto/aes-cbc-macs.h>
+#include <crypto/gcm.h>
#include <crypto/arc4.h>
#include <net/mac80211.h>
@@ -111,7 +112,7 @@ struct ieee80211_key {
* Management frames.
*/
u8 rx_pn[IEEE80211_NUM_TIDS + 1][IEEE80211_GCMP_PN_LEN];
- struct crypto_aead *tfm;
+ struct aesgcm_ctx ctx;
u32 replays; /* dot11RSNAStatsGCMPReplays */
} gcmp;
struct {
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index be3a2e95303c..4440e09c5f80 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -709,8 +709,9 @@ static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
gcmp_special_blocks(skb, pn, j_0, aad,
key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU,
false);
- return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
- skb_put(skb, IEEE80211_GCMP_MIC_LEN));
+ ieee80211_aes_gcm_encrypt(&key->u.gcmp.ctx, j_0, aad, pos, len,
+ skb_put(skb, IEEE80211_GCMP_MIC_LEN));
+ return 0;
}
ieee80211_tx_result
@@ -797,8 +798,8 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
key->conf.flags & IEEE80211_KEY_FLAG_SPP_AMSDU,
aad_nonce_computed);
- if (ieee80211_aes_gcm_decrypt(
- key->u.gcmp.tfm, j_0, aad,
+ if (!ieee80211_aes_gcm_decrypt(
+ &key->u.gcmp.ctx, j_0, aad,
skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN,
data_len,
skb->data + skb->len -
--
2.53.0
* [PATCH 2/2] wifi: mac80211: use gf128hash library
From: Johannes Berg @ 2026-05-05 21:18 UTC (permalink / raw)
To: linux-wireless; +Cc: linux-crypto, Johannes Berg
From: Johannes Berg <johannes.berg@intel.com>
Just like the previous conversion of aesgcm, it's simpler,
faster and avoids extra allocations, especially one in the
actual packet processing.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/Kconfig | 1 +
net/mac80211/aes_gmac.c | 90 +++++++++++++++--------------------------
net/mac80211/aes_gmac.h | 14 ++++---
net/mac80211/key.c | 11 ++---
net/mac80211/key.h | 2 +-
net/mac80211/wpa.c | 15 +++----
6 files changed, 52 insertions(+), 81 deletions(-)
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index b51050257c01..ada7078db4cd 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -6,6 +6,7 @@ config MAC80211
select CRYPTO_LIB_AES_CBC_MACS
select CRYPTO_LIB_ARC4
select CRYPTO_LIB_AESGCM
+ select CRYPTO_LIB_GF128MUL
select CRYPTO_AES
select CRYPTO_CCM
select CRC32
diff --git a/net/mac80211/aes_gmac.c b/net/mac80211/aes_gmac.c
index 811a83d8d525..c6bb5761cc63 100644
--- a/net/mac80211/aes_gmac.c
+++ b/net/mac80211/aes_gmac.c
@@ -7,88 +7,62 @@
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/err.h>
-#include <crypto/aead.h>
-#include <crypto/aes.h>
+#include <crypto/gf128hash.h>
+#include <crypto/utils.h>
#include <net/mac80211.h>
#include "key.h"
#include "aes_gmac.h"
-int ieee80211_aes_gmac(struct crypto_aead *tfm, const u8 *aad, u8 *nonce,
+int ieee80211_aes_gmac(struct aesgcm_ctx *ctx, const u8 *aad, u8 *nonce,
const u8 *data, size_t data_len, u8 *mic)
{
- struct scatterlist sg[5];
- u8 *zero, *__aad, iv[AES_BLOCK_SIZE];
- struct aead_request *aead_req;
- int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
+ static const u8 zero[GHASH_BLOCK_SIZE];
+ struct ghash_ctx ghash;
+ u8 iv[AES_BLOCK_SIZE];
+ size_t total_len = GMAC_AAD_LEN + data_len;
+ __be64 tail[2] = {
+ cpu_to_be64((u64)total_len * 8),
+ 0, /* no data since it's just GMAC */
+ };
+ u8 ghash_out[AES_BLOCK_SIZE];
+ u8 enc_ctr[AES_BLOCK_SIZE];
const __le16 *fc;
- int ret;
if (data_len < IEEE80211_GMAC_MIC_LEN)
return -EINVAL;
- aead_req = kzalloc(reqsize + IEEE80211_GMAC_MIC_LEN + GMAC_AAD_LEN,
- GFP_ATOMIC);
- if (!aead_req)
- return -ENOMEM;
+ ghash_init(&ghash, &ctx->ghash_key);
- zero = (u8 *)aead_req + reqsize;
- __aad = zero + IEEE80211_GMAC_MIC_LEN;
- memcpy(__aad, aad, GMAC_AAD_LEN);
+ ghash_update(&ghash, aad, GMAC_AAD_LEN);
fc = (const __le16 *)aad;
if (ieee80211_is_beacon(*fc)) {
/* mask Timestamp field to zero */
- sg_init_table(sg, 5);
- sg_set_buf(&sg[0], __aad, GMAC_AAD_LEN);
- sg_set_buf(&sg[1], zero, 8);
- sg_set_buf(&sg[2], data + 8,
- data_len - 8 - IEEE80211_GMAC_MIC_LEN);
- sg_set_buf(&sg[3], zero, IEEE80211_GMAC_MIC_LEN);
- sg_set_buf(&sg[4], mic, IEEE80211_GMAC_MIC_LEN);
+ ghash_update(&ghash, zero, 8);
+ ghash_update(&ghash, data + 8, data_len - 8 - IEEE80211_GMAC_MIC_LEN);
} else {
- sg_init_table(sg, 4);
- sg_set_buf(&sg[0], __aad, GMAC_AAD_LEN);
- sg_set_buf(&sg[1], data, data_len - IEEE80211_GMAC_MIC_LEN);
- sg_set_buf(&sg[2], zero, IEEE80211_GMAC_MIC_LEN);
- sg_set_buf(&sg[3], mic, IEEE80211_GMAC_MIC_LEN);
+ ghash_update(&ghash, data, data_len - IEEE80211_GMAC_MIC_LEN);
}
+ /* set MIC value to zero */
+ ghash_update(&ghash, zero, IEEE80211_GMAC_MIC_LEN);
+ /* pad */
+ ghash_update(&ghash, zero, -total_len & (GHASH_BLOCK_SIZE - 1));
+
+ ghash_update(&ghash, (const u8 *)&tail, sizeof(tail));
+
+ ghash_final(&ghash, ghash_out);
+
memcpy(iv, nonce, GMAC_NONCE_LEN);
memset(iv + GMAC_NONCE_LEN, 0, sizeof(iv) - GMAC_NONCE_LEN);
iv[AES_BLOCK_SIZE - 1] = 0x01;
- aead_request_set_tfm(aead_req, tfm);
- aead_request_set_crypt(aead_req, sg, sg, 0, iv);
- aead_request_set_ad(aead_req, GMAC_AAD_LEN + data_len);
+ aes_encrypt(&ctx->aes_key, enc_ctr, (const u8 *)iv);
+ crypto_xor_cpy(mic, ghash_out, enc_ctr, IEEE80211_GMAC_MIC_LEN);
- ret = crypto_aead_encrypt(aead_req);
- kfree_sensitive(aead_req);
+ memzero_explicit(ghash_out, sizeof(ghash_out));
+ memzero_explicit(enc_ctr, sizeof(enc_ctr));
- return ret;
-}
-
-struct crypto_aead *ieee80211_aes_gmac_key_setup(const u8 key[],
- size_t key_len)
-{
- struct crypto_aead *tfm;
- int err;
-
- tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- return tfm;
-
- err = crypto_aead_setkey(tfm, key, key_len);
- if (!err)
- err = crypto_aead_setauthsize(tfm, IEEE80211_GMAC_MIC_LEN);
- if (!err)
- return tfm;
-
- crypto_free_aead(tfm);
- return ERR_PTR(err);
-}
-
-void ieee80211_aes_gmac_key_free(struct crypto_aead *tfm)
-{
- crypto_free_aead(tfm);
+ return 0;
}
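Review bot: The beacon branch at L254 still subtracts 8 + IEEE80211_GMAC_MIC_LEN from data_len, but the only guard (L232-L233) rejects data_len below IEEE80211_GMAC_MIC_LEN alone, so a beacon with 16 <= data_len < 24 wraps the size_t and ghash_update() would read far past the frame; the old sg_set_buf() code had the same weakness, but since the function is being rewritten it is cheap to close by moving the check after `fc` is set: `if (data_len < IEEE80211_GMAC_MIC_LEN + (ieee80211_is_beacon(*fc) ? 8 : 0)) return -EINVAL;`. Whether current callers can reach that range depends on length checks in wpa.c that are not in this hunk, so treat it as defence in depth. Separately, ghash_out and enc_ctr are wiped at L282-L283 but the GHASH working state in `ghash` on the stack is not; unless ghash_final() is documented to clear it, `memzero_explicit(&ghash, sizeof(ghash));` keeps every key-derived intermediate covered. The length block at L224-L227 fixes the AAD length to total_len in bits with a zero ciphertext length, which matches the previous aead_request_set_ad(GMAC_AAD_LEN + data_len) accounting.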
diff --git a/net/mac80211/aes_gmac.h b/net/mac80211/aes_gmac.h
index 206136b60bca..e1db4a47fc9c 100644
--- a/net/mac80211/aes_gmac.h
+++ b/net/mac80211/aes_gmac.h
@@ -6,15 +6,19 @@
#ifndef AES_GMAC_H
#define AES_GMAC_H
-#include <linux/crypto.h>
+#include <crypto/gcm.h>
#define GMAC_AAD_LEN 20
#define GMAC_NONCE_LEN 12
-struct crypto_aead *ieee80211_aes_gmac_key_setup(const u8 key[],
- size_t key_len);
-int ieee80211_aes_gmac(struct crypto_aead *tfm, const u8 *aad, u8 *nonce,
+static inline int
+ieee80211_aes_gmac_key_setup(struct aesgcm_ctx *ctx,
+ const u8 key[], size_t key_len)
+{
+ return aesgcm_expandkey(ctx, key, key_len, IEEE80211_GCMP_MIC_LEN);
+}
+
+int ieee80211_aes_gmac(struct aesgcm_ctx *ctx, const u8 *aad, u8 *nonce,
const u8 *data, size_t data_len, u8 *mic);
-void ieee80211_aes_gmac_key_free(struct crypto_aead *tfm);
#endif /* AES_GMAC_H */
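Review bot: ieee80211_aes_gmac_key_setup at L326-L331 passes IEEE80211_GCMP_MIC_LEN as the auth size of a GMAC context, while the GMAC code in aes_gmac.c sizes its tag with IEEE80211_GMAC_MIC_LEN; the two happen to agree today, but the name is wrong for this header, so `return aesgcm_expandkey(ctx, key, key_len, IEEE80211_GMAC_MIC_LEN);` reads correctly and stays correct if the constants ever diverge. As the hand-rolled GMAC in aes_gmac.c uses only ctx->ghash_key and ctx->aes_key, the auth size passed here is never consulted by mac80211's own code; a short comment saying it is recorded only for the library's key expansion would save the next reader a search.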
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 1a2092aebaf6..71cbd7a8b818 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -708,10 +708,9 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
/* Initialize AES key state here as an optimization so that
* it does not need to be initialized for every packet.
*/
- key->u.aes_gmac.tfm =
- ieee80211_aes_gmac_key_setup(key_data, key_len);
- if (IS_ERR(key->u.aes_gmac.tfm)) {
- err = PTR_ERR(key->u.aes_gmac.tfm);
+ err = ieee80211_aes_gmac_key_setup(&key->u.aes_gmac.ctx,
+ key_data, key_len);
+ if (err) {
kfree(key);
return ERR_PTR(err);
}
@@ -748,10 +747,6 @@ static void ieee80211_key_free_common(struct ieee80211_key *key)
case WLAN_CIPHER_SUITE_CCMP_256:
ieee80211_aes_key_free(key->u.ccmp.tfm);
break;
- case WLAN_CIPHER_SUITE_BIP_GMAC_128:
- case WLAN_CIPHER_SUITE_BIP_GMAC_256:
- ieee80211_aes_gmac_key_free(key->u.aes_gmac.tfm);
- break;
}
kfree_sensitive(key);
}
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index 65450d3474bb..0ee0548e02ed 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -101,7 +101,7 @@ struct ieee80211_key {
} aes_cmac;
struct {
u8 rx_pn[IEEE80211_GMAC_PN_LEN];
- struct crypto_aead *tfm;
+ struct aesgcm_ctx ctx;
u32 replays; /* dot11RSNAStatsCMACReplays */
u32 icverrors; /* dot11RSNAStatsCMACICVErrors */
} aes_gmac;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 4440e09c5f80..0a55de4bc853 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -1008,8 +1008,8 @@ ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx)
bip_ipn_swap(nonce + ETH_ALEN, mmie->sequence_number);
/* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */
- if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
- skb->data + 24, skb->len - 24, mmie->mic) < 0)
+ if (ieee80211_aes_gmac(&key->u.aes_gmac.ctx, aad, nonce,
+ skb->data + 24, skb->len - 24, mmie->mic))
return TX_DROP;
return TX_CONTINUE;
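Review bot: The encrypt caller at L388-L389 now tests ieee80211_aes_gmac() with a plain `if (...)` while the decrypt caller in the later hunk (L413-L415) keeps `< 0`; both work, since the function returns only 0 or -EINVAL, but the two call sites should share one convention, e.g. change L415 to `mic) ||`. ieee80211_crypto_aes_gmac_encrypt and ieee80211_crypto_aes_gmac_decrypt both start outside their hunks.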
@@ -1022,7 +1022,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
struct ieee80211_key *key = rx->key;
struct ieee80211_mmie_16 *mmie;
- u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
+ u8 aad[GMAC_AAD_LEN], ipn[6], nonce[GMAC_NONCE_LEN];
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
if (!ieee80211_is_mgmt(hdr->frame_control))
@@ -1047,24 +1047,21 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
}
if (!(status->flag & RX_FLAG_DECRYPTED)) {
+ u8 mic[IEEE80211_GMAC_MIC_LEN];
+
/* hardware didn't decrypt/verify MIC */
bip_aad(skb, aad);
memcpy(nonce, hdr->addr2, ETH_ALEN);
memcpy(nonce + ETH_ALEN, ipn, 6);
- mic = kmalloc(IEEE80211_GMAC_MIC_LEN, GFP_ATOMIC);
- if (!mic)
- return RX_DROP_U_OOM;
- if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
+ if (ieee80211_aes_gmac(&key->u.aes_gmac.ctx, aad, nonce,
skb->data + 24, skb->len - 24,
mic) < 0 ||
crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
key->u.aes_gmac.icverrors++;
- kfree(mic);
return RX_DROP_U_MIC_FAIL;
}
- kfree(mic);
}
memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
--
2.53.0
* Re: [PATCH 1/2] wifi: mac80211: use aesgcm library
From: Eric Biggers @ 2026-05-05 22:16 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-crypto, Johannes Berg
Hi Johannes,
On Tue, May 05, 2026 at 11:18:38PM +0200, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> Instead of dynamically allocating the gcm(aes) algorithm, use
> the library. This is faster and avoids the extra allocation.
>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
> net/mac80211/Kconfig | 2 +-
> net/mac80211/aes_gcm.h | 39 +++++++++++++++++----------------------
> net/mac80211/key.c | 11 +++--------
> net/mac80211/key.h | 3 ++-
> net/mac80211/wpa.c | 9 +++++----
> 5 files changed, 28 insertions(+), 36 deletions(-)
I really appreciate the enthusiasm for the crypto library! And it isn't
surprising, since it's clearly the way to go. But I do think these two
patches are jumping the gun a bit, since we haven't yet migrated all the
optimized AES-GCM code into the library, or added an improved AES-GCM
API that provides enough functionality to fulfill all the in-kernel use
cases (for example, incremental computation of AES-GMAC).
So as-is these two patches could regress performance in some cases
(despite the library having less overhead). And also the AES-GCM API is
likely to change a bit. In particular I don't think code outside the
crypto subsystem should be constructing its own AES-GMAC by combining
the GHASH functions with the AES functions, as your second patch does.
Instead they should invoke an AES-GMAC API (or AES-GCM, of which
AES-GMAC is a special case) provided by lib/crypto/.
So I'd ask that we wait just a bit until I can finish getting the
AES-GCM library APIs into a good state. I got a lot of the prerequisite
work in for 7.0 and 7.1, and I'll see if I can finish it in 7.2. I've
just been a bit busy with other things in the past few weeks.
Thanks,
- Eric
* Re: [PATCH 1/2] wifi: mac80211: use aesgcm library
From: Johannes Berg @ 2026-05-06 7:06 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-wireless, linux-crypto
Hi Eric,
> I really appreciate the enthusiasm for the crypto library!
:)
> And it isn't
> surprising, since it's clearly the way to go.
I was kinda just playing with it, having been reminded that some code
was already ported.
> But I do think these two
> patches are jumping the gun a bit, since we haven't yet migrated all the
> optimized AES-GCM code into the library, or added an improved AES-GCM
> API that provides enough functionality to fulfill all the in-kernel use
> cases (for example, incremental computation of AES-GMAC).
> So as-is these two patches could regress performance in some cases
> (despite the library having less overhead).
Fair. I don't think the performance matters all that much (though I
shouldn't lie about it in the commit log) since this is mostly used for
testing - I don't think there are many users of software crypto beyond
that. Some, for sure, but I believe those are all old drivers that will
get you a maximum of ~25 Mbps throughput (both directions combined) if
you're lucky :)
Anyway, I don't really disagree either, none of this is urgent or
important at this point.
Also, there's a separate conversation to be had here - I was looking and
we also instantiate ccm(aes) and ctr(aes) in mac80211, and I didn't find
equivalent library calls for those.
> And also the AES-GCM API is
> likely to change a bit. In particular I don't think code outside the
> crypto subsystem should be constructing its own AES-GMAC by combining
> the GHASH functions with the AES functions, as your second patch does.
> Instead they should invoke an AES-GMAC API (or AES-GCM, of which
> AES-GMAC is a special case) provided by lib/crypto/.
I _was_ thinking that could be better ... and forgot that GMAC is just a
GCM special case, despite obviously constructing it by hand. Oops.
I actually thought about exporting aesgcm_mac(), but of course that'd
basically be equivalent to just using aesgcm_encrypt() without data.
However, both of them can only use a single buffer for the associated
data, so they can't be used here. The crypto API used sg tables which
aren't great either, but definitely more flexible than the current
function. Note that in this case I actually need to use three or four
AAD buffers:
- the pseudo-header constructed outside the frame buffer specifically
for WiFi, representing the frame header but not exactly the same
- for beacons an 8-byte zero buffer representing the Timestamp
- the frame payload without the MIC
(and without the Timestamp for beacons)
- a 16-byte zero buffer representing the MIC
This would require a more specific GMAC API like the CMAC API, or,
equivalently but more flexible, an init/aad_update/data_update/final GCM
API. Could even have
aes_gcm_init()
aes_gcm_update_aad()
aes_gcm_update_data()
aes_gcm_final()
and
#define aes_gmac_init aes_gcm_init
#define aes_gmac_update aes_gmac_update_aad
#define aes_gmac_final aes_gcm_final
or something like that, I guess.
> So I'd ask that we wait just a bit until I can finish getting the
> AES-GCM library APIs into a good state. I got a lot of the prerequisite
> work in for 7.0 and 7.1, and I'll see if I can finish it in 7.2. I've
> just been a bit busy with other things in the past few weeks.
Sure, no hurry, was mostly playing with what that'd look like. Maybe it
even helps figure out the right APIs ;-)
Thanks,
johannes