Google Git
Sign in
boringssl / boringssl / b8d7b7498c2d198ceef431ae2869bcc3acd43a74^! / .
commitb8d7b7498c2d198ceef431ae2869bcc3acd43a74[log] [tgz]
authorDavid Benjamin <davidben@google.com>Sat Mar 02 18:53:58 2019 -0600
committerAdam Langley <agl@google.com>Tue Mar 05 17:55:03 2019 +0000
treeb499cd313e59faab9028cf16bc9bf6c911fa0229
parentda8bb847fd9aa9b029bf0383cbe0de9796495c1a [diff]
Prefer vpaes over bsaes in AES-GCM-SIV and AES-CCM.

The AES-GCM-SIV code does not use ctr128_f at all so bsaes is simply
identical to aes_nohw. Also, while CCM encrypts with CTR mode, its MAC
is not parallelizable at all.

(Given the existence of non-parallelizable modes, we ought to make a
vpaes-armv7.pl to ensure constant-time AES on NEON. For now, pick the
right implementation for x86_64 at least.)

aes_ctr_set_key and friends probably aren't the right abstraction
(observe the large vs small inputs hint *almost* matches whether you
touch block128_f), but the right abstraction depends on a couple
questions:

- If you don't provide ctr128_f, is there a perf hit to implementing
  ctr128_f on top of your block128_f to unify calling code?

- It is almost certainly better to use bsaes with gcm.c by calling
  ctr128_f exclusively and paying some copies (a dedicated calling
  convention would be even better, but would be a headache) to integrate
  leading and trailing blocks into the CTR pass. Is this a win, loss, or
  no-op for hwaes, where block128_f is just fine? hwaes is the one mode
  we really should not regress.

Hopefully those will get answered as we continue to chip away at this.

Bug: 256
Change-Id: I8f0150b223b671e68f7da6faaff94a3bea398d4d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35169
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/crypto/cipher_extra/e_aesccm.c b/crypto/cipher_extra/e_aesccm.c
index 144a909..4e6668c 100644
--- a/crypto/cipher_extra/e_aesccm.c
+++ b/crypto/cipher_extra/e_aesccm.c

@@ -67,7 +67,7 @@
 
   block128_f block;
   ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len,
-                                 1 /* large inputs */);
+                                 0 /* small inputs */);
   ctx->tag_len = tag_len;
   if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
     OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);

diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c
index 0e5063c..fb08a42 100644
--- a/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/crypto/cipher_extra/e_aesgcmsiv.c

@@ -595,7 +595,7 @@
   OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
 
   aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
-                  key_len, 1 /* large inputs */);
+                  key_len, 0 /* small inputs */);
   gcm_siv_ctx->is_256 = (key_len == 32);
   ctx->tag_len = tag_len;
 
@@ -720,7 +720,7 @@
   OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
   aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
                   key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16,
-                  1 /* large inputs */);
+                  0 /* small inputs */);
 }
 
 static int aead_aes_gcm_siv_seal_scatter(