From b8d7b7498c2d198ceef431ae2869bcc3acd43a74 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sat, 2 Mar 2019 18:53:58 -0600
Subject: [PATCH] Prefer vpaes over bsaes in AES-GCM-SIV and AES-CCM.
The AES-GCM-SIV code does not use ctr128_f at all so bsaes is simply identical to aes_nohw. Also, while CCM encrypts with CTR mode, its MAC is not parallelizable at all. (Given the existence of non-parallelizable modes, we ought to make a vpaes-armv7.pl to ensure constant-time AES on NEON. For now, pick the right implementation for x86_64 at least.) aes_ctr_set_key and friends probably aren't the right abstraction (observe the large vs small inputs hint *almost* matches whether you touch block128_f), but the right abstraction depends on a couple questions: - If you don't provide ctr128_f, is there a perf hit to implementing ctr128_f on top of your block128_f to unify calling code? - It is almost certainly better to use bsaes with gcm.c by calling ctr128_f exclusively and paying some copies (a dedicated calling convention would be even better, but would be a headache) to integrate leading and trailing blocks into the CTR pass. Is this a win, loss, or no-op for hwaes, where block128_f is just fine? hwaes is the one mode we really should not regress. Hopefully those will get answered as we continue to chip away at this.
Bug: 256
Change-Id: I8f0150b223b671e68f7da6faaff94a3bea398d4d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35169
Reviewed-by: Adam Langley
---
 crypto/cipher_extra/e_aesccm.c | 2 +-
 crypto/cipher_extra/e_aesgcmsiv.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/cipher_extra/e_aesccm.c b/crypto/cipher_extra/e_aesccm.c
index 144a9093..4e6668c0 100644
--- a/crypto/cipher_extra/e_aesccm.c
+++ b/crypto/cipher_extra/e_aesccm.c
@@ -67,7 +67,7 @@ static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 block128_f block;
 ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len,
- 1 /* large inputs */);
+ 0 /* small inputs */);
 ctx->tag_len = tag_len;
 if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
 OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c
index 0e5063cd..fb08a428 100644
--- a/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/crypto/cipher_extra/e_aesgcmsiv.c
@@ -595,7 +595,7 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
 aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
- key_len, 1 /* large inputs */);
+ key_len, 0 /* small inputs */);
 gcm_siv_ctx->is_256 = (key_len == 32);
 ctx->tag_len = tag_len;
@@ -720,7 +720,7 @@ static void gcm_siv_keys(
 OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
 aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block, key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16,
- 1 /* large inputs */);
+ 0 /* small inputs */);
 }
 static int aead_aes_gcm_siv_seal_scatter(
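Review bot: The reason aead_aes_ccm_init now passes `0 /* small inputs */` to aes_ctr_set_key is recorded only in the commit message; at the call site a reader sees a bare integer whose comment names the hint but not why CCM, which does encrypt with CTR, is treated as a small-input mode. The description's point is that CCM's MAC half runs one block at a time, so a constant-time block128_f (vpaes on x86_64) matters more than a fast bulk CTR pass, and that belongs next to the call: `// CCM's MAC is not parallelizable, so favour a constant-time block128_f over bulk CTR throughput.`. Whether the `ctr` returned under this hint can be NULL for some backends, and whether CRYPTO_ccm128_init accepts that, is not visible in this hunk and is worth confirming since `ctr` is passed straight through. The enclosing function starts and ends outside the hunk.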
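Review bot: In e_aesgcmsiv.c the same `0 /* small inputs */` hint is set at two independent call sites, aead_aes_gcm_siv_init (the -595 hunk) and gcm_siv_keys (the -720 hunk), and at both the ctr128_f result of aes_ctr_set_key is discarded, which per the commit message is exactly why the hint is now "small". Neither site records that this module only ever uses the block function, so a later edit could flip one site back to `1 /* large inputs */` and leave the two inconsistent. A one-line comment at each call would pin the invariant: `// Only the block128_f is used here; the ctr128_f is discarded, so ask for the best small-input (block) implementation.`. Both enclosing functions begin outside their hunks, and the second also ends inside it at the `}`.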