armv8crypto: Fix some edge cases in the AES-GCM implementation

Description

armv8crypto: Fix some edge cases in the AES-GCM implementation

  • We were only hashing up to the first 16 bytes of the AAD.
  • When computing the digest during decryption, handle the case where len == trailer, i.e., len < AES_BLOCK_LEN, properly.

While here:

  • trailer is always smaller than AES_BLOCK_LEN, so remove a pair of unnecessary modulus operations.
  • Replace some byte-by-byte loops with memcpy() and memset() calls. In particular, zero the full block before copying a partial block into it since we do that elsewhere and it means that the memset() length is known at compile time.

Reviewed by: jhb
Sponsored by: Ampere Computing
Submitted by: Klara, Inc.
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D28501
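The first bullet concerns how the AAD is absorbed into GHASH. The following is an added illustration, not FreeBSD's armv8crypto code: a plain bit-serial GF(2^128) multiply (SP 800-38D, Algorithm 1) driving an AAD loop that hashes every full block and then the zero-padded trailer, using the clear-then-copy pattern the message describes. `H_DEMO` is a constructed stand-in for the hash subkey and `AES_BLOCK_LEN` is taken to be 16.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the hash subkey H = AES_K(0^128); not a real key. */
static const uint8_t H_DEMO[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
/* x * y in GF(2^128), GCM bit order (SP 800-38D Alg. 1): bit 0 is the MSB of byte 0. */
static void gf128_mul(uint8_t z[16], const uint8_t x[16], const uint8_t y[16])
{
	uint8_t v[16], r[16] = {0};
	memcpy(v, y, 16);
	for (int i = 0; i < 128; i++) {
		if (x[i / 8] & (0x80 >> (i % 8)))
			for (int j = 0; j < 16; j++) r[j] ^= v[j];
		int lsb = v[15] & 1;
		for (int j = 15; j > 0; j--)
			v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
		v[0] >>= 1;
		if (lsb) v[0] ^= 0xe1;	/* reduce modulo x^128 + x^7 + x^2 + x + 1 */
	}
	memcpy(z, r, 16);
}

/* Absorb one block: y = (y ^ blk) * h. */
static void ghash_block(uint8_t y[16], const uint8_t h[16], const uint8_t blk[16])
{
	for (int j = 0; j < 16; j++) y[j] ^= blk[j];
	gf128_mul(y, y, h);
}

/* GHASH over all of the AAD: every full block, then the trailer (< AES_BLOCK_LEN) zero-padded. */
void ghash_aad(uint8_t y[16], const uint8_t h[16], const uint8_t *aad, size_t len)
{
	uint8_t blk[16];
	memset(y, 0, 16);
	for (; len >= 16; aad += 16, len -= 16)
		ghash_block(y, h, aad);
	if (len > 0) {
		memset(blk, 0, sizeof(blk));	/* fixed length, known at compile time */
		memcpy(blk, aad, len);		/* copy the partial trailer into the zeroed block */
		ghash_block(y, h, blk);
	}
}

/* 1 if the AAD digests of a and b (same len) differ; a hash that stopped after 16 bytes gives 0 past byte 15. */
int ghash_aad_differs(const uint8_t h[16], const uint8_t *a, const uint8_t *b, size_t len)
{
	uint8_t ya[16], yb[16];
	ghash_aad(ya, h, a, len);
	ghash_aad(yb, h, b, len);
	return memcmp(ya, yb, 16) != 0;
}
```

Because multiplication by a nonzero H is injective in the field, any change to a later block or to the trailer changes the digest; an implementation that only hashed the first 16 bytes would report identical digests for AAD inputs differing only beyond byte 15.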

Details

Provenance
markj, authored on Feb 8 2021, 2:19 PM
Reviewer
jhb
Differential Revision
D28501: armv8crypto: Fix some edge cases in the AES-GCM implementation
Parents
rGb5aa9ad43aea: ktls: Make configuration sysctls available as tunables