> Apologies for going back and forth on this, but it appears there may
> be another way to deal with this.
> First of all, we only need this handling for the authenticated data,
Are you sure b_0/j_0 aren't needed? We pass those
to aead_request_set_crypt(), and I wasn't sure what that really did
internally, perhaps like the internal data.
Testing with that on the stack does seem to work, in fact.
Surely we need zero for GMAC though, since we also put that into the sg
list. Thus for GMAC we definitely need 20+16 bytes, and since I round
up to a cacheline (at least on SMP) it doesn't really matter that we
could get 36 instead of the 48 I have now.
> and only for CCM and GCM, not CMAC (which does not use scatterlists
> at all, it simply calls the AES cipher directly)
I didn't modify CMAC, I think, only GMAC, which also uses scatterlists.
> So that leaves a fixed 20 bytes for GCM and fixed 32 bytes for CCM,
and 36 for GMAC :)