From a00cafc50ca599cc91f240f5347f0a01cca7bf7d Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 30 Nov 2016 12:37:45 -0800 Subject: [PATCH] Drop H (the key) from the GCM context. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The key is only needed during initialisation because after that point it is implicit in the table of powers. So no need to keep it around. There was a non-specific “haunted house” comment about not changing this, but I've successfully tested with all the assembly versions so I think that comment is no longer true. Change-Id: Id110156afb528904f114d9a4ff2440e03a1a69b8 Reviewed-on: https://boringssl-review.googlesource.com/12477 CQ-Verified: CQ bot account: commit-bot@chromium.org Reviewed-by: David Benjamin Commit-Queue: David Benjamin --- crypto/modes/gcm.c | 36 +++++++++++++++++++++--------------- crypto/modes/internal.h | 4 +--- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/crypto/modes/gcm.c b/crypto/modes/gcm.c index acf6a530..46aabc74 100644 --- a/crypto/modes/gcm.c +++ b/crypto/modes/gcm.c @@ -395,35 +395,41 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key, memset(ctx, 0, sizeof(*ctx)); ctx->block = block; - (*block)(ctx->H.c, ctx->H.c, key); + union { + uint64_t u[2]; + uint8_t c[16]; + } H; + + memset(&H, 0, sizeof(H)); + (*block)(H.c, H.c, key); /* H is stored in host byte order */ #ifdef BSWAP8 - ctx->H.u[0] = BSWAP8(ctx->H.u[0]); - ctx->H.u[1] = BSWAP8(ctx->H.u[1]); + H.u[0] = BSWAP8(H.u[0]); + H.u[1] = BSWAP8(H.u[1]); #else - uint8_t *p = ctx->H.c; + uint8_t *p = H.c; uint64_t hi, lo; hi = (uint64_t)GETU32(p) << 32 | GETU32(p + 4); lo = (uint64_t)GETU32(p + 8) << 32 | GETU32(p + 12); - ctx->H.u[0] = hi; - ctx->H.u[1] = lo; + H.u[0] = hi; + H.u[1] = lo; #endif #if defined(GHASH_ASM_X86_OR_64) if (crypto_gcm_clmul_enabled()) { if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ - gcm_init_avx(ctx->Htable, ctx->H.u); + gcm_init_avx(ctx->Htable, H.u); ctx->gmult = gcm_gmult_avx; ctx->ghash = gcm_ghash_avx; } else { - gcm_init_clmul(ctx->Htable, ctx->H.u); + gcm_init_clmul(ctx->Htable, H.u); ctx->gmult = gcm_gmult_clmul; ctx->ghash = gcm_ghash_clmul; } return; } - gcm_init_4bit(ctx->Htable, ctx->H.u); + gcm_init_4bit(ctx->Htable, H.u); #if defined(GHASH_ASM_X86) /* x86 only */ if (OPENSSL_ia32cap_P[0] & (1 << 25)) { /* check SSE bit */ ctx->gmult = gcm_gmult_4bit_mmx; @@ -438,30 +444,30 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key, #endif #elif defined(GHASH_ASM_ARM) if (pmull_capable()) { - gcm_init_v8(ctx->Htable, ctx->H.u); + gcm_init_v8(ctx->Htable, H.u); ctx->gmult = gcm_gmult_v8; ctx->ghash = gcm_ghash_v8; } else if (neon_capable()) { - gcm_init_neon(ctx->Htable,ctx->H.u); + gcm_init_neon(ctx->Htable, H.u); ctx->gmult = gcm_gmult_neon; ctx->ghash = gcm_ghash_neon; } else { - gcm_init_4bit(ctx->Htable, ctx->H.u); + gcm_init_4bit(ctx->Htable, H.u); ctx->gmult = gcm_gmult_4bit; ctx->ghash = gcm_ghash_4bit; } #elif defined(GHASH_ASM_PPC64LE) if (CRYPTO_is_PPC64LE_vcrypto_capable()) { - gcm_init_p8(ctx->Htable, ctx->H.u); + gcm_init_p8(ctx->Htable, H.u); ctx->gmult = gcm_gmult_p8; ctx->ghash = gcm_ghash_p8; } else { - gcm_init_4bit(ctx->Htable, ctx->H.u); + gcm_init_4bit(ctx->Htable, H.u); ctx->gmult = gcm_gmult_4bit; ctx->ghash = gcm_ghash_4bit; } #else - gcm_init_4bit(ctx->Htable, ctx->H.u); + gcm_init_4bit(ctx->Htable, H.u); ctx->gmult = gcm_gmult_4bit; ctx->ghash = gcm_ghash_4bit; #endif diff --git a/crypto/modes/internal.h b/crypto/modes/internal.h index 430d0401..d682ad2e 100644 --- a/crypto/modes/internal.h +++ b/crypto/modes/internal.h @@ -166,10 +166,8 @@ struct gcm128_context { uint32_t d[4]; uint8_t c[16]; size_t t[16 / sizeof(size_t)]; - } Yi, EKi, EK0, len, Xi, H; + } Yi, EKi, EK0, len, Xi; - /* Relative position of Xi, H and pre-computed Htable is used in some - * assembler modules, i.e. don't change the order! */ u128 Htable[16]; void (*gmult)(uint64_t Xi[2], const u128 Htable[16]); void (*ghash)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,