Prefer vpaes over bsaes in AES-GCM-SIV and AES-CCM.
The AES-GCM-SIV code does not use ctr128_f at all so bsaes is simply identical to aes_nohw. Also, while CCM encrypts with CTR mode, its MAC is not parallelizable at all. (Given the existence of non-parallelizable modes, we ought to make a vpaes-armv7.pl to ensure constant-time AES on NEON. For now, pick the right implementation for x86_64 at least.) aes_ctr_set_key and friends probably aren't the right abstraction (observe the large vs small inputs hint *almost* matches whether you touch block128_f), but the right abstraction depends on a couple questions: - If you don't provide ctr128_f, is there a perf hit to implementing ctr128_f on top of your block128_f to unify calling code? - It is almost certainly better to use bsaes with gcm.c by calling ctr128_f exclusively and paying some copies (a dedicated calling convention would be even better, but would be a headache) to integrate leading and trailing blocks into the CTR pass. Is this a win, loss, or no-op for hwaes, where block128_f is just fine? hwaes is the one mode we really should not regress. Hopefully those will get answered as we continue to chip away at this. Bug: 256 Change-Id: I8f0150b223b671e68f7da6faaff94a3bea398d4d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35169 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
da8bb847fd
commit
b8d7b7498c
@ -67,7 +67,7 @@ static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
|||||||
|
|
||||||
block128_f block;
|
block128_f block;
|
||||||
ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len,
|
ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len,
|
||||||
1 /* large inputs */);
|
0 /* small inputs */);
|
||||||
ctx->tag_len = tag_len;
|
ctx->tag_len = tag_len;
|
||||||
if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
|
if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
|
||||||
OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
|
OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
|
||||||
|
@ -595,7 +595,7 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
|||||||
OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
|
OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
|
||||||
|
|
||||||
aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
|
aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
|
||||||
key_len, 1 /* large inputs */);
|
key_len, 0 /* small inputs */);
|
||||||
gcm_siv_ctx->is_256 = (key_len == 32);
|
gcm_siv_ctx->is_256 = (key_len == 32);
|
||||||
ctx->tag_len = tag_len;
|
ctx->tag_len = tag_len;
|
||||||
|
|
||||||
@ -720,7 +720,7 @@ static void gcm_siv_keys(
|
|||||||
OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
|
OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
|
||||||
aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
|
aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
|
||||||
key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16,
|
key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16,
|
||||||
1 /* large inputs */);
|
0 /* small inputs */);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int aead_aes_gcm_siv_seal_scatter(
|
static int aead_aes_gcm_siv_seal_scatter(
|
||||||
|
Loading…
Reference in New Issue
Block a user