Shave 8 bytes off EVP_AEAD_CTX
first is 1 if and only if min_next_nonce is non-zero, so we don't need
to waste 8 bytes keeping track of it separately.
(Note 564 in evp_aead_ctx_st_state was actually 568 because of
alignment. Going down to 560 reduces it by 8 bytes.)
Change-Id: I7156f317e4ccd227a39732360e421ff7e55cc611
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/78487
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/fipsmodule/cipher/e_aes.cc.inc b/crypto/fipsmodule/cipher/e_aes.cc.inc
index d2fc225..f0089c8 100644
--- a/crypto/fipsmodule/cipher/e_aes.cc.inc
+++ b/crypto/fipsmodule/cipher/e_aes.cc.inc
@@ -1123,7 +1123,6 @@
struct aead_aes_gcm_ctx gcm_ctx;
uint64_t min_next_nonce;
uint64_t mask;
- uint8_t first;
};
} // namespace
@@ -1140,7 +1139,6 @@
(struct aead_aes_gcm_tls13_ctx *)&ctx->state;
gcm_ctx->min_next_nonce = 0;
- gcm_ctx->first = 1;
size_t actual_tag_len;
if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
@@ -1171,20 +1169,20 @@
uint64_t given_counter =
CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t));
- if (gcm_ctx->first) {
+ if (gcm_ctx->min_next_nonce == 0) {
// In the first call the sequence number will be zero and therefore the
// given nonce will be 0 ^ mask = mask.
gcm_ctx->mask = given_counter;
- gcm_ctx->first = 0;
+ gcm_ctx->min_next_nonce = 1;
+ } else {
+ given_counter ^= gcm_ctx->mask;
+ if (given_counter == UINT64_MAX ||
+ given_counter < gcm_ctx->min_next_nonce) {
+ OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
+ return 0;
+ }
+ gcm_ctx->min_next_nonce = given_counter + 1;
}
- given_counter ^= gcm_ctx->mask;
-
- if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) {
- OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
- return 0;
- }
-
- gcm_ctx->min_next_nonce = given_counter + 1;
if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
max_out_tag_len, nonce, nonce_len, in, in_len,
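Review bot: The `min_next_nonce == 0` test that now selects the first-call path is only sound because the `given_counter == UINT64_MAX` rejection in the else branch keeps `given_counter + 1` from wrapping back to zero, and nothing in the hunk records that the check now carries that second duty. Suggest a comment above that check: `// Rejecting UINT64_MAX also keeps min_next_nonce from wrapping to zero, which would re-enter the first-call branch and re-derive |mask| from the caller's nonce.` The same invariant belongs on the struct field in the hunk at line 1123 of e_aes.cc.inc, e.g. `// Zero until the first seal, which records the nonce in |mask|; non-zero afterwards.` As a side note, the commit description states the relation inverted: per the init hunk, `first` was 1 exactly when `min_next_nonce` was zero. The enclosing seal function starts and ends outside the hunk.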
diff --git a/include/openssl/aead.h b/include/openssl/aead.h
index 2b2240d..e9c8fbe 100644
--- a/include/openssl/aead.h
+++ b/include/openssl/aead.h
@@ -220,7 +220,7 @@
// AEAD operations.
union evp_aead_ctx_st_state {
- uint8_t opaque[564];
+ uint8_t opaque[560];
uint64_t alignment;
};