> One could *probably* argue
> that it would be appropriate to *facilitate* omitting H in contexts
> *other than* OpenSSL by avoiding H during most of the setup procedure.
> See attached patch for example. But do note that I'm not saying that it
> works or suggesting to include it right away, I only want to show what
> *might* be matter of discussion.
Missed the patch...
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index df9f654..e26651d 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -721,24 +721,24 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
ctx->block = block;
ctx->key = key;
- (*block) (ctx->H.c, ctx->H.c, key);
+ (*block) (ctx->Xi.c, ctx->Xi.c, key);
if (is_endian.little) {
/* H is stored in host byte order */
#ifdef BSWAP8
- ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
- ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
+ ctx->Xi.u[0] = BSWAP8(ctx->Xi.u[0]);
+ ctx->Xi.u[1] = BSWAP8(ctx->Xi.u[1]);
#else
- u8 *p = ctx->H.c;
+ u8 *p = ctx->Xi.c;
u64 hi, lo;
hi = (u64)GETU32(p) << 32 | GETU32(p + 4);
lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12);
- ctx->H.u[0] = hi;
- ctx->H.u[1] = lo;
+ ctx->Xi.u[0] = hi;
+ ctx->Xi.u[1] = lo;
#endif
}
#if TABLE_BITS==8
- gcm_init_8bit(ctx->Htable, ctx->H.u);
+ gcm_init_8bit(ctx->Htable, ctx->Xi.u);
#elif TABLE_BITS==4
# if defined(GHASH)
# define CTX__GHASH(f) (ctx->ghash = (f))
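Review bot: The in-place `(*block) (ctx->Xi.c, ctx->Xi.c, key)` derives H = E_K(0) only if Xi is all-zero on entry, exactly as the old code relied on H being zero; the zeroing happens above this hunk, so whether it covers Xi (a whole-context memset would) is worth confirming before this is merged. The comment `/* H is stored in host byte order */` also now sits above code that byte-swaps `ctx->Xi`, so a reader no longer sees where H lives; `/* H is computed into Xi as scratch and kept in host byte order */` would keep it accurate. CRYPTO_gcm128_init's body starts and ends outside this hunk.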
@@ -750,18 +750,18 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */
OPENSSL_ia32cap_P[1] & (1 << 1)) { /* check PCLMULQDQ bit */
if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
- gcm_init_avx(ctx->Htable, ctx->H.u);
+ gcm_init_avx(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_avx;
CTX__GHASH(gcm_ghash_avx);
} else {
- gcm_init_clmul(ctx->Htable, ctx->H.u);
+ gcm_init_clmul(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_clmul;
CTX__GHASH(gcm_ghash_clmul);
}
return;
}
# endif
- gcm_init_4bit(ctx->Htable, ctx->H.u);
+ gcm_init_4bit(ctx->Htable, ctx->Xi.u);
# if defined(GHASH_ASM_X86) /* x86 only */
# if defined(OPENSSL_IA32_SSE2)
if (OPENSSL_ia32cap_P[0] & (1 << 25)) { /* check SSE bit */
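Review bot: The `return;` in the PCLMULQDQ branch leaves the function before the four lines added at the end of the third hunk (`ctx->H.u[0] = ctx->Xi.u[0];` … `ctx->Xi.u[1] = 0;`), so on x86 with CLMUL/AVX `ctx->H` is never populated and the hash subkey stays in the Xi accumulator, while every other platform path falls through to the copy and reset. Behaviour would therefore differ by CPU feature, which fits the author's own caveat that the patch is untested. Replacing the early `return;` with a `goto done;` to a label placed just before the copy, or moving the copy/zeroing into a small `static` helper called on both paths, keeps the exits consistent. CRYPTO_gcm128_init's body starts and ends outside this hunk.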
@@ -781,48 +781,52 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
# elif defined(GHASH_ASM_ARM)
# ifdef PMULL_CAPABLE
if (PMULL_CAPABLE) {
- gcm_init_v8(ctx->Htable, ctx->H.u);
+ gcm_init_v8(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_v8;
CTX__GHASH(gcm_ghash_v8);
} else
# endif
# ifdef NEON_CAPABLE
if (NEON_CAPABLE) {
- gcm_init_neon(ctx->Htable, ctx->H.u);
+ gcm_init_neon(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_neon;
CTX__GHASH(gcm_ghash_neon);
} else
# endif
{
- gcm_init_4bit(ctx->Htable, ctx->H.u);
+ gcm_init_4bit(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_4bit;
CTX__GHASH(gcm_ghash_4bit);
}
# elif defined(GHASH_ASM_SPARC)
if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) {
- gcm_init_vis3(ctx->Htable, ctx->H.u);
+ gcm_init_vis3(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_vis3;
CTX__GHASH(gcm_ghash_vis3);
} else {
- gcm_init_4bit(ctx->Htable, ctx->H.u);
+ gcm_init_4bit(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_4bit;
CTX__GHASH(gcm_ghash_4bit);
}
# elif defined(GHASH_ASM_PPC)
if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
- gcm_init_p8(ctx->Htable, ctx->H.u);
+ gcm_init_p8(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_p8;
CTX__GHASH(gcm_ghash_p8);
} else {
- gcm_init_4bit(ctx->Htable, ctx->H.u);
+ gcm_init_4bit(ctx->Htable, ctx->Xi.u);
ctx->gmult = gcm_gmult_4bit;
CTX__GHASH(gcm_ghash_4bit);
}
# else
- gcm_init_4bit(ctx->Htable, ctx->H.u);
+ gcm_init_4bit(ctx->Htable, ctx->Xi.u);
# endif
# undef CTX__GHASH
#endif
+ ctx->H.u[0] = ctx->Xi.u[0];
+ ctx->H.u[1] = ctx->Xi.u[1];
+ ctx->Xi.u[0] = 0;
+ ctx->Xi.u[1] = 0;
}
void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv,
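Review bot: The four added lines before the closing brace (`ctx->H.u[0] = ctx->Xi.u[0];` through `ctx->Xi.u[1] = 0;`) carry the whole intent of the patch but have no comment, so a later reader sees an unexplained copy followed by a reset of the accumulator. A one-liner such as `/* H was built in Xi so the setup above never touches ctx->H; publish it and clear the accumulator */` would make the design choice explicit. Whether `ctx->H` should be kept at all once the table-init paths read Xi is the discussion the author raises, and that decision belongs in this comment too. CRYPTO_gcm128_init's body starts outside this hunk.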