git.ipfire.org Git - thirdparty/linux.git/commit
lib/crypto: gf128hash: Add GHASH support
author: Eric Biggers <ebiggers@kernel.org>
Thu, 19 Mar 2026 06:17:04 +0000 (23:17 -0700)
committer: Eric Biggers <ebiggers@kernel.org>
Mon, 23 Mar 2026 20:15:13 +0000 (13:15 -0700)
commit: c417e7045b70345f59643fb2db67b0e7fbd7fbd0
tree: 1685779a09103dad4fccb193a1e26ed8d391f93a
parent: b3b6e8f9b38911e9b30a5abe845541ade0797327

Add GHASH support to the gf128hash module.

This will replace the GHASH support in the crypto_shash API.  It will be
used by the "gcm" template and by the AES-GCM library (when an
arch-optimized implementation of the full AES-GCM is unavailable).

This consists of a simple API that mirrors the existing POLYVAL API, a
generic implementation of that API based on the existing efficient and
side-channel-resistant polyval_mul_generic(), and the framework for
architecture-optimized implementations of the GHASH functions.

The GHASH accumulator is stored in POLYVAL format rather than GHASH
format, since this is what most modern GHASH implementations actually
need.  The few implementations that expect the accumulator in GHASH
format will just convert the accumulator to/from GHASH format
temporarily.  (Supporting architecture-specific accumulator formats
would be possible, but doesn't seem worth the complexity.)

However, architecture-specific formats of struct ghash_key will be
supported, since a variety of formats will be needed there anyway.  The
default format is just the key in POLYVAL format.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260319061723.1140720-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
include/crypto/gf128hash.h
lib/crypto/gf128hash.c
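The representation choice the commit message describes (accumulator and default key in POLYVAL format, with GHASH-format implementations converting at the boundary) as an added, self-contained example; this is not code from this patch or from lib/crypto. It is a bit-serial, branch-free reference for the two GF(2^128) multiplications plus a GHASH that keeps both key and accumulator in POLYVAL format, converting with a byte reversal, and a single multiply by x for the key, exactly as RFC 8452 section 3 relates GHASH to POLYVAL. The function names (ghash_mul, polyval_mulx, polyval_dot, ghash_via_polyval) and the two check routines are mine, not the gf128hash API; the three-block message is constructed; the only external vectors are the mulX examples from RFC 8452 Appendix A.

```c
#include <stdint.h>
#include <string.h>

/* GHASH field x^128+x^7+x^2+x+1, bit-reflected: the MSB of byte 0 is x^0. */
static void ghash_mul(uint8_t r[16], const uint8_t a[16], const uint8_t b[16])
{
	uint8_t z[16] = { 0 }, mask, lsb;
	int i, j;

	for (i = 127; i >= 0; i--) {	/* Horner: z = z*x + a_i*b, masks instead of branches */
		lsb = (uint8_t)-(z[15] & 1);
		for (j = 15; j > 0; j--)	/* z *= x: shift right one bit, ... */
			z[j] = (uint8_t)((z[j] >> 1) | (z[j - 1] << 7));
		z[0] = (uint8_t)((z[0] >> 1) ^ (0xe1 & lsb));	/* ... then reduce x^128 = x^7+x^2+x+1 */
		mask = (uint8_t)-((a[i / 8] >> (7 - i % 8)) & 1);
		for (j = 0; j < 16; j++)
			z[j] ^= b[j] & mask;
	}
	memcpy(r, z, 16);
}

/* POLYVAL field x^128+x^127+x^126+x^121+1, little-endian: the LSB of byte 0 is x^0. */
static void polyval_mulx(uint8_t v[16])
{
	uint8_t carry = (uint8_t)-(v[15] >> 7);
	int j;

	for (j = 15; j > 0; j--)
		v[j] = (uint8_t)((v[j] << 1) | (v[j - 1] >> 7));
	v[0] = (uint8_t)((v[0] << 1) ^ (0x01 & carry));
	v[15] ^= (uint8_t)(0xc2 & carry);	/* reduce x^128 = x^127+x^126+x^121+1 */
}

/* RFC 8452 dot(a, b) = a * b * x^-128, by Horner's rule with one divide-by-x per bit. */
static void polyval_dot(uint8_t r[16], const uint8_t a[16], const uint8_t b[16])
{
	uint8_t z[16] = { 0 }, mask, lsb;
	int i, j;

	for (i = 0; i < 128; i++) {
		mask = (uint8_t)-((a[i / 8] >> (i % 8)) & 1);
		for (j = 0; j < 16; j++)
			z[j] ^= b[j] & mask;
		lsb = (uint8_t)-(z[0] & 1);	/* z /= x: shift right one bit, ... */
		for (j = 0; j < 15; j++)
			z[j] = (uint8_t)((z[j] >> 1) | (z[j + 1] << 7));
		z[15] = (uint8_t)((z[15] >> 1) ^ (0xe1 & lsb));	/* ... then add 1/x = x^127+x^126+x^125+x^120 */
	}
	memcpy(r, z, 16);
}

/* GHASH with key and accumulator held in POLYVAL format: the key is ByteReverse(H) * x,
 * each block is byte-reversed as it is XORed in, and only the result is reversed back. */
static void ghash_via_polyval(uint8_t out[16], const uint8_t h[16], const uint8_t *msg, size_t nblocks)
{
	uint8_t hp[16], acc[16] = { 0 };
	size_t n, j;

	for (j = 0; j < 16; j++)
		hp[j] = h[15 - j];
	polyval_mulx(hp);
	for (n = 0; n < nblocks; n++) {
		for (j = 0; j < 16; j++)
			acc[j] ^= msg[16 * n + 15 - j];
		polyval_dot(acc, acc, hp);
	}
	for (j = 0; j < 16; j++)
		out[j] = acc[15 - j];
}

/* Input of the mulX examples in RFC 8452 Appendix A; also reused below as the GHASH key H. */
static const uint8_t rfc_in[] = "\x9c\x98\xc0\x4d\xf9\x38\x7d\xed\x82\x81\x75\xa9\x2b\xa6\x52\xd8";
static int check_rfc8452_mulx(void)	/* 1 if mulX_POLYVAL(rfc_in) and mulX_GHASH(rfc_in) both reproduce */
{
	static const uint8_t pv[] = "\x39\x31\x81\x9b\xf2\x71\xfa\xda\x05\x03\xeb\x52\x57\x4c\xa5\x72";
	static const uint8_t gh[] = "\x4e\x4c\x60\x26\xfc\x9c\x3e\xf6\xc1\x40\xba\xd4\x95\xd3\x29\x6c";
	uint8_t t[16], u[16], x_gh[16] = { 0x40 };	/* x_gh is the element x in GHASH format */

	memcpy(t, rfc_in, 16);
	polyval_mulx(t);
	ghash_mul(u, x_gh, rfc_in);
	return !memcmp(t, pv, 16) && !memcmp(u, gh, 16);
}

static int check_ghash_routes_agree(void)	/* constructed 3-block message; 1 if both routes agree */
{
	uint8_t msg[48], y[16] = { 0 }, t[16];
	int n, j;

	for (j = 0; j < 48; j++)
		msg[j] = (uint8_t)(j * 0x11 + 7);
	for (n = 0; n < 3; n++) {	/* textbook GHASH: Y = (Y ^ X_n) * H, everything in GHASH format */
		for (j = 0; j < 16; j++)
			y[j] ^= msg[16 * n + j];
		ghash_mul(y, y, rfc_in);
	}
	ghash_via_polyval(t, rfc_in, msg, 3);
	return memcmp(y, t, 16) == 0;
}
```

The byte reversal on entry and exit of ghash_via_polyval is the "temporary conversion" an implementation that natively wants its accumulator in GHASH format would do around its own update routine; everything in between is plain POLYVAL arithmetic on a key that is ByteReverse(H) * x. polyval_dot here is a 128-step Horner loop and far slower than the kernel's polyval_mul_generic(), but like it, it has no secret-dependent branch or memory index.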