lib/crypto: aesgcm: Use new AES library API

Switch from the old AES library functions (which use struct
crypto_aes_ctx) to the new ones (which use struct aes_enckey).  This
eliminates the unnecessary computation and caching of the decryption
round keys.  The new AES en/decryption functions are also much faster
and use AES instructions when supported by the CPU.

Note that in addition to the change in the key preparation function and
the key struct type itself, the change in the type of the key struct
results in aes_encrypt() (which is temporarily a type-generic macro)
calling the new encryption function rather than the old one.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260112192035.10427-34-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h
index fd9df607a8364f72d907b90596e7ed5657b7c8cf..b524e47bd4d01a31aa4c09b2960bda10a7c87e5e 100644 (file)
--- a/include/crypto/gcm.h
+++ b/include/crypto/gcm.h
@@ -66,7 +66,7 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen)
 
 struct aesgcm_ctx {
        be128                   ghash_key;
-       struct crypto_aes_ctx   aes_ctx;
+       struct aes_enckey       aes_key;
        unsigned int            authsize;
 };
 

diff --git a/lib/crypto/aesgcm.c b/lib/crypto/aesgcm.c
index ac0b2fcfd6069a5f96c0b858e34b415193677cab..02f5b5f32c764b88dab8abfe52affb920b26ef12 100644 (file)
--- a/lib/crypto/aesgcm.c
+++ b/lib/crypto/aesgcm.c
@@ -12,7 +12,7 @@
 #include <linux/module.h>
 #include <asm/irqflags.h>
 
-static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
+static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
                                 const void *src)
 {
        unsigned long flags;
@@ -26,7 +26,7 @@ static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
         * effective when running with interrupts disabled.
         */
        local_irq_save(flags);
-       aes_encrypt(ctx, dst, src);
+       aes_encrypt(key, dst, src);
        local_irq_restore(flags);
 }
 
@@ -49,12 +49,12 @@ int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
        int ret;
 
        ret = crypto_gcm_check_authsize(authsize) ?:
-             aes_expandkey(&ctx->aes_ctx, key, keysize);
+             aes_prepareenckey(&ctx->aes_key, key, keysize);
        if (ret)
                return ret;
 
        ctx->authsize = authsize;
-       aesgcm_encrypt_block(&ctx->aes_ctx, &ctx->ghash_key, kin);
+       aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, kin);
 
        return 0;
 }
@@ -97,7 +97,7 @@ static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
        aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
 
        ctr[3] = cpu_to_be32(1);
-       aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
+       aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
        crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
 
        memzero_explicit(&ghash, sizeof(ghash));
@@ -119,7 +119,7 @@ static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
                 * len', this cannot happen, so no explicit test is necessary.
                 */
                ctr[3] = cpu_to_be32(n++);
-               aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
+               aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
                crypto_xor_cpy(dst, src, buf, min(len, AES_BLOCK_SIZE));
 
                dst += AES_BLOCK_SIZE;