aesgcm.c 23 KB

  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Minimal library implementation of GCM
  4. *
  5. * Copyright 2022 Google LLC
  6. */
  7. #include <crypto/algapi.h>
  8. #include <crypto/gcm.h>
  9. #include <crypto/ghash.h>
  10. #include <linux/export.h>
  11. #include <linux/module.h>
  12. #include <asm/irqflags.h>
  /*
   * aesgcm_encrypt_block() - encrypt one AES block with local interrupts masked
   *
   * @key: expanded AES encryption key
   * @dst: output block
   * @src: input block
   *
   * Thin wrapper around aes_encrypt(). In AES-GCM both the GHASH key
   * derivation and the CTR keystream generation run the cipher over known
   * plaintext, which exposes the encryption key to timing attacks. The AES
   * library already reduces that risk by pulling the whole S-box into the
   * caches before any substitution is done; that strategy is more effective
   * while interrupts are disabled, hence the save/restore pair around the
   * single block operation.
   */
  static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst,
                                   const void *src)
  {
      unsigned long irq_state;

      local_irq_save(irq_state);
      aes_encrypt(key, dst, src);
      local_irq_restore(irq_state);
  }
  /**
   * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
   *                    schedule
   *
   * @ctx:      The data structure that will hold the AES-GCM key schedule
   * @key:      The AES encryption input key
   * @keysize:  The length in bytes of the input key
   * @authsize: The size in bytes of the GCM authentication tag
   *
   * The tag size is validated first, then the AES key is expanded; the GHASH
   * key is derived last by encrypting an all-zero block under the new AES key.
   * @ctx->authsize and @ctx->ghash_key are only written once both checks have
   * passed.
   *
   * After a successful call @ctx holds key material (the AES key schedule and
   * the GHASH key), so callers should treat it as secret.
   *
   * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
   * that are not permitted by the GCM specification.
   */
  int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
                       unsigned int keysize, unsigned int authsize)
  {
      u8 zero_block[AES_BLOCK_SIZE] = {};
      int err;

      /* Reject an invalid tag length before touching the context. */
      err = crypto_gcm_check_authsize(authsize);
      if (err)
          return err;

      err = aes_prepareenckey(&ctx->aes_key, key, keysize);
      if (err)
          return err;

      ctx->authsize = authsize;

      /* GHASH key: the encryption of the all-zero block. */
      aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, zero_block);

      return 0;
  }
  EXPORT_SYMBOL(aesgcm_expandkey);
  /*
   * aesgcm_ghash() - fold a byte string into a running GHASH value
   *
   * @ghash: running hash state, updated in place
   * @key:   GHASH key
   * @src:   input bytes
   * @len:   number of input bytes; nothing is done when this is <= 0
   *
   * The input is consumed in GHASH_BLOCK_SIZE steps. Each step XORs up to one
   * block of input into the state and multiplies the state by the key. A short
   * final block XORs only the bytes that are present, which leaves the rest of
   * the state as if the input had been zero padded.
   */
  static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
                           int len)
  {
      for (; len > 0; len -= GHASH_BLOCK_SIZE, src += GHASH_BLOCK_SIZE) {
          crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
          gf128mul_lle(ghash, key);
      }
  }
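  /**
   * aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
   * @ctx:       The AES-GCM key schedule (AES key, GHASH key and tag size).
   * @src:       The data to authenticate; both callers in this file pass the
   *             ciphertext.
   * @src_len:   Length of @src in bytes.
   * @assoc:     Points to the associated data.
   * @assoc_len: Length of the associated data in bytes.
   * @ctr:       Points to the four-word counter block. Word 3 is overwritten
   *             with the big-endian value 1 before the block is encrypted.
   * @authtag:   The output buffer for the authentication tag; @ctx->authsize
   *             bytes are written.
   *
   * GHASH is run over the associated data, then over @src, then over a final
   * block holding both lengths in bits. The tag is that hash XORed with the
   * encryption of the counter block whose counter word is 1. The intermediate
   * hash and the encrypted counter block are wiped before returning.
   */
  static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
                         const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
  {
      /*
       * Widen to 64 bits before converting bytes to bits. Multiplying in
       * 'int' overflows once a length reaches 2^28 bytes, which would encode
       * a wrong length block and yield a tag that does not match what the
       * GCM construction defines for that input.
       */
      be128 tail = { cpu_to_be64((u64)assoc_len * 8),
                     cpu_to_be64((u64)src_len * 8) };
      u8 buf[AES_BLOCK_SIZE];
      be128 ghash = {};

      aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
      aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
      aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));

      /* Counter value 1 is reserved for the tag; the payload starts at 2. */
      ctr[3] = cpu_to_be32(1);
      aesgcm_encrypt_block(&ctx->aes_key, buf, ctr);
      crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);

      /* Neither intermediate value may outlive the call on the stack. */
      memzero_explicit(&ghash, sizeof(ghash));
      memzero_explicit(buf, sizeof(buf));
  }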
  /*
   * aesgcm_crypt() - apply the AES-CTR keystream to a buffer
   *
   * @ctx: the AES-GCM key schedule
   * @dst: output buffer
   * @src: input buffer
   * @len: number of bytes to process; nothing is done when this is <= 0
   * @ctr: four-word counter block; word 3 is overwritten for every block
   *
   * The same routine serves encryption and decryption, since both are an XOR
   * with the keystream. Block counters start at 2. The keystream block is
   * wiped from the stack before returning.
   */
  static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
                           int len, __be32 *ctr)
  {
      u8 keystream[AES_BLOCK_SIZE];
      unsigned int blk;

      /*
       * The block counter must never overflow or carry into the next
       * 32-bit word: that could result in inadvertent IV reuse, which
       * must be avoided at all cost for a stream cipher such as AES-CTR.
       * Given the range of 'int len' this cannot happen, so no explicit
       * test is needed.
       */
      for (blk = 2; len > 0; blk++) {
          ctr[3] = cpu_to_be32(blk);
          aesgcm_encrypt_block(&ctx->aes_key, keystream, ctr);
          crypto_xor_cpy(dst, src, keystream, min(len, AES_BLOCK_SIZE));

          len -= AES_BLOCK_SIZE;
          src += AES_BLOCK_SIZE;
          dst += AES_BLOCK_SIZE;
      }

      memzero_explicit(keystream, sizeof(keystream));
  }
  /**
   * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
   *
   * @ctx:       The AES-GCM key schedule
   * @dst:       Pointer to the ciphertext output buffer
   * @src:       Pointer to the plaintext (may equal @dst for encryption in
   *             place)
   * @crypt_len: The size in bytes of the plaintext and ciphertext.
   * @assoc:     Pointer to the associated data
   * @assoc_len: The size in bytes of the associated data
   * @iv:        The initialization vector (IV) to use for this block of data
   *             (must be 12 bytes in size as per the GCM spec recommendation)
   * @authtag:   The address of the buffer in memory where the authentication
   *             tag should be stored. The buffer is assumed to have space for
   *             @ctx->authsize bytes.
   *
   * The plaintext is encrypted first and the tag is then computed over the
   * resulting ciphertext in @dst.
   *
   * The function does not track IVs: the caller must make sure an @iv is never
   * used twice with the same key, since IV reuse breaks both the
   * confidentiality and the authenticity that GCM provides.
   */
  void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
                      int crypt_len, const u8 *assoc, int assoc_len,
                      const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
  {
      /* Words 0..2 carry the IV; word 3 is set by the helpers below. */
      __be32 counter_block[4];

      memcpy(counter_block, iv, GCM_AES_IV_SIZE);

      aesgcm_crypt(ctx, dst, src, crypt_len, counter_block);
      aesgcm_mac(ctx, dst, crypt_len, assoc, assoc_len, counter_block,
                 authtag);
  }
  EXPORT_SYMBOL(aesgcm_encrypt);
  /**
   * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
   *
   * @ctx:       The AES-GCM key schedule
   * @dst:       Pointer to the plaintext output buffer
   * @src:       Pointer to the ciphertext (may equal @dst for decryption in
   *             place)
   * @crypt_len: The size in bytes of the plaintext and ciphertext.
   * @assoc:     Pointer to the associated data
   * @assoc_len: The size in bytes of the associated data
   * @iv:        The initialization vector (IV) to use for this block of data
   *             (must be 12 bytes in size as per the GCM spec recommendation)
   * @authtag:   The address of the buffer in memory where the authentication
   *             tag is stored; @ctx->authsize bytes are read from it.
   *
   * The tag is recomputed over the ciphertext and compared with @authtag using
   * crypto_memneq() before any decryption takes place, so unauthenticated
   * ciphertext is never run through the cipher.
   *
   * Returns: true on success, or false if the ciphertext failed authentication.
   * On failure, no plaintext will be returned. The return value must be
   * checked (__must_check); @dst is only meaningful when it is true.
   */
  bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
                                   const u8 *src, int crypt_len, const u8 *assoc,
                                   int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
                                   const u8 *authtag)
  {
      u8 expected_tag[AES_BLOCK_SIZE];
      __be32 counter_block[4];

      memcpy(counter_block, iv, GCM_AES_IV_SIZE);
      aesgcm_mac(ctx, src, crypt_len, assoc, assoc_len, counter_block,
                 expected_tag);

      if (!crypto_memneq(authtag, expected_tag, ctx->authsize)) {
          /* Authentic: only now produce plaintext. */
          aesgcm_crypt(ctx, dst, src, crypt_len, counter_block);
          return true;
      }

      /* Do not leave the valid tag for a rejected message on the stack. */
      memzero_explicit(expected_tag, sizeof(expected_tag));
      return false;
  }
  EXPORT_SYMBOL(aesgcm_decrypt);
  174. MODULE_DESCRIPTION("Generic AES-GCM library");
  175. MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
  176. MODULE_LICENSE("GPL");
  177. #ifdef CONFIG_CRYPTO_SELFTESTS
  178. /*
  179. * Test code below. Vectors taken from crypto/testmgr.h
  180. */
  181. static const u8 __initconst ctext0[16] __nonstring =
  182. "\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
  183. "\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
  184. static const u8 __initconst ptext1[16];
  185. static const u8 __initconst ctext1[32] __nonstring =
  186. "\x03\x88\xda\xce\x60\xb6\xa3\x92"
  187. "\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
  188. "\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
  189. "\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
  190. static const u8 __initconst ptext2[64] __nonstring =
  191. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  192. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  193. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  194. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  195. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  196. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  197. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  198. "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
  199. static const u8 __initconst ctext2[80] __nonstring =
  200. "\x42\x83\x1e\xc2\x21\x77\x74\x24"
  201. "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
  202. "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
  203. "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
  204. "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
  205. "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
  206. "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
  207. "\x3d\x58\xe0\x91\x47\x3f\x59\x85"
  208. "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
  209. "\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
  210. static const u8 __initconst ptext3[60] __nonstring =
  211. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  212. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  213. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  214. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  215. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  216. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  217. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  218. "\xba\x63\x7b\x39";
  219. static const u8 __initconst ctext3[76] __nonstring =
  220. "\x42\x83\x1e\xc2\x21\x77\x74\x24"
  221. "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
  222. "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
  223. "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
  224. "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
  225. "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
  226. "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
  227. "\x3d\x58\xe0\x91"
  228. "\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
  229. "\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
  230. static const u8 __initconst ctext4[16] __nonstring =
  231. "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
  232. "\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
  233. static const u8 __initconst ctext5[32] __nonstring =
  234. "\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
  235. "\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
  236. "\x2f\xf5\x8d\x80\x03\x39\x27\xab"
  237. "\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
  238. static const u8 __initconst ptext6[64] __nonstring =
  239. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  240. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  241. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  242. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  243. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  244. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  245. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  246. "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
  247. static const u8 __initconst ctext6[80] __nonstring =
  248. "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
  249. "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
  250. "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
  251. "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
  252. "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
  253. "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
  254. "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
  255. "\xcc\xda\x27\x10\xac\xad\xe2\x56"
  256. "\x99\x24\xa7\xc8\x58\x73\x36\xbf"
  257. "\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
  258. static const u8 __initconst ctext7[16] __nonstring =
  259. "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
  260. "\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
  261. static const u8 __initconst ctext8[32] __nonstring =
  262. "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
  263. "\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
  264. "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
  265. "\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
  266. static const u8 __initconst ptext9[64] __nonstring =
  267. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  268. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  269. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  270. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  271. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  272. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  273. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  274. "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
  275. static const u8 __initconst ctext9[80] __nonstring =
  276. "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
  277. "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
  278. "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
  279. "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
  280. "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
  281. "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
  282. "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
  283. "\xbc\xc9\xf6\x62\x89\x80\x15\xad"
  284. "\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
  285. "\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
  286. static const u8 __initconst ptext10[60] __nonstring =
  287. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  288. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  289. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  290. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  291. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  292. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  293. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  294. "\xba\x63\x7b\x39";
  295. static const u8 __initconst ctext10[76] __nonstring =
  296. "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
  297. "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
  298. "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
  299. "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
  300. "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
  301. "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
  302. "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
  303. "\xbc\xc9\xf6\x62"
  304. "\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
  305. "\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
  306. static const u8 __initconst ptext11[60] __nonstring =
  307. "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
  308. "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
  309. "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
  310. "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
  311. "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
  312. "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
  313. "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
  314. "\xba\x63\x7b\x39";
  315. static const u8 __initconst ctext11[76] __nonstring =
  316. "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
  317. "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
  318. "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
  319. "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
  320. "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
  321. "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
  322. "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
  323. "\xcc\xda\x27\x10"
  324. "\x25\x19\x49\x8e\x80\xf1\x47\x8f"
  325. "\x37\xba\x55\xbd\x6d\x27\x61\x8c";
  326. static const u8 __initconst ptext12[719] __nonstring =
  327. "\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
  328. "\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
  329. "\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
  330. "\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
  331. "\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
  332. "\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
  333. "\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
  334. "\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
  335. "\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
  336. "\x00\xa4\x43\x54\x04\x54\x9b\x3b"
  337. "\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
  338. "\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
  339. "\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
  340. "\x35\x23\xf4\x20\x41\xd4\xad\x82"
  341. "\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
  342. "\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
  343. "\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
  344. "\xad\x49\x3a\xae\x98\xce\xa6\x66"
  345. "\x10\x30\x90\x8c\x55\x83\xd7\x7c"
  346. "\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
  347. "\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
  348. "\x57\xcc\x89\x09\x75\x9b\x78\x70"
  349. "\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
  350. "\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
  351. "\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
  352. "\x82\xd9\xec\xa2\x87\x68\x55\xf9"
  353. "\x8f\x9e\x73\x43\x47\x6a\x08\x36"
  354. "\x93\x67\xa8\x2d\xde\xac\x41\xa9"
  355. "\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
  356. "\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
  357. "\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
  358. "\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
  359. "\xab\x19\x37\xd9\xba\x76\x5e\xd2"
  360. "\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
  361. "\x02\x66\x49\xca\x7c\x91\x05\xf2"
  362. "\x45\x36\x1e\xf5\x77\xad\x1f\x46"
  363. "\xa8\x13\xfb\x63\xb6\x08\x99\x63"
  364. "\x82\xa2\xed\xb3\xac\xdf\x43\x19"
  365. "\x45\xea\x78\x73\xd9\xb7\x39\x11"
  366. "\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
  367. "\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
  368. "\xa4\x47\x7d\x80\x20\x26\xfd\x63"
  369. "\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
  370. "\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
  371. "\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
  372. "\x54\x03\xa4\x09\x0c\x37\x7a\x15"
  373. "\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
  374. "\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
  375. "\x03\x25\x3c\x8d\x48\x58\x71\x34"
  376. "\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
  377. "\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
  378. "\x80\x6f\x96\x0e\x05\x62\xc7\x78"
  379. "\x87\x79\x60\x38\x46\xb4\x25\x57"
  380. "\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
  381. "\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
  382. "\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
  383. "\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
  384. "\x09\xfc\x91\x96\x47\x87\x4f\x1a"
  385. "\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
  386. "\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
  387. "\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
  388. "\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
  389. "\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
  390. "\x0b\x63\xde\x87\x42\x79\x8a\x68"
  391. "\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
  392. "\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
  393. "\xe9\x83\x84\xcb\x28\x69\x09\x69"
  394. "\xce\x99\x46\x00\x54\xcb\xd8\x38"
  395. "\xf9\x53\x4a\xbf\x31\xce\x57\x15"
  396. "\x33\xfa\x96\x04\x33\x42\xe3\xc0"
  397. "\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
  398. "\x19\x95\xd0\x0e\x82\x07\x63\xf9"
  399. "\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
  400. "\xb5\x9f\x23\x28\x60\xe7\x20\x51"
  401. "\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
  402. "\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
  403. "\x78\xc6\x91\x22\x40\x91\x80\xbe"
  404. "\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
  405. "\x67\x10\xa4\x83\x98\x79\x23\xe7"
  406. "\x92\xda\xa9\x22\x16\xb1\xe7\x78"
  407. "\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
  408. "\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
  409. "\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
  410. "\x48\x11\x06\xbb\x2d\xf2\x63\x88"
  411. "\x3f\x73\x09\xe2\x45\x56\x31\x51"
  412. "\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
  413. "\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
  414. "\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
  415. "\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
  416. "\xa4\x78\xdb\x74\x3d\x8b\xb5";
  417. static const u8 __initconst ctext12[735] __nonstring =
  418. "\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
  419. "\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
  420. "\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
  421. "\x4c\x1d\x38\x05\x54\xd1\x16\x73"
  422. "\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
  423. "\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
  424. "\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
  425. "\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
  426. "\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
  427. "\x20\x93\x6c\x4b\x37\x99\xb8\x23"
  428. "\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
  429. "\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
  430. "\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
  431. "\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
  432. "\xb9\x14\x13\x21\xdf\xce\xaa\x88"
  433. "\x44\x30\x1e\xce\x26\x01\x92\xf8"
  434. "\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
  435. "\x89\xca\x94\x66\x11\x21\x97\xca"
  436. "\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
  437. "\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
  438. "\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
  439. "\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
  440. "\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
  441. "\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
  442. "\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
  443. "\xde\x6b\x52\x98\x01\xef\x36\x3d"
  444. "\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
  445. "\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
  446. "\x48\x96\xe0\x90\x93\x6c\x48\x64"
  447. "\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
  448. "\x7a\x23\x7b\xaa\x20\x56\x12\xae"
  449. "\x16\x9d\x94\x0f\x54\xa1\xec\xca"
  450. "\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
  451. "\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
  452. "\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
  453. "\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
  454. "\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
  455. "\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
  456. "\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
  457. "\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
  458. "\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
  459. "\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
  460. "\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
  461. "\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
  462. "\x03\x60\x7a\xed\x69\xd5\x00\x8b"
  463. "\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
  464. "\xc1\x26\xce\x90\x97\x22\x64\x64"
  465. "\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
  466. "\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
  467. "\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
  468. "\x15\xb5\xa0\x8d\x12\x74\x49\x23"
  469. "\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
  470. "\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
  471. "\x61\x26\x94\x58\x70\xa6\x3c\xe4"
  472. "\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
  473. "\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
  474. "\x93\x77\xde\x48\xc4\xfa\x30\x4a"
  475. "\xda\x49\x80\x77\x0f\x1c\xbe\x11"
  476. "\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
  477. "\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
  478. "\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
  479. "\xb8\xfb\x86\xdc\x46\x24\x91\x60"
  480. "\x6c\x2f\xc9\x41\x37\x51\x49\x54"
  481. "\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
  482. "\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
  483. "\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
  484. "\x75\x54\x65\x93\xfe\xb1\x68\x6b"
  485. "\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
  486. "\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
  487. "\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
  488. "\x6a\x56\xff\x35\x4d\x42\x33\xaa"
  489. "\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
  490. "\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
  491. "\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
  492. "\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
  493. "\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
  494. "\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
  495. "\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
  496. "\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
  497. "\x6b\x6d\x33\xe1\x34\x06\x36\x21"
  498. "\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
  499. "\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
  500. "\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
  501. "\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
  502. "\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
  503. "\x0e\xe1\xb5\x11\x45\x61\x43\x46"
  504. "\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
  505. "\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
  506. "\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
  507. "\x38\x58\x9e\x8a\x43\xdc\x57"
  508. "\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
  509. "\x4b\x24\x52\x58\x55\xe1\x49\x14";
  510. static struct {
  511. const u8 *ptext;
  512. const u8 *ctext;
  513. u8 key[AES_MAX_KEY_SIZE] __nonstring;
  514. u8 iv[GCM_AES_IV_SIZE] __nonstring;
  515. u8 assoc[20] __nonstring;
  516. int klen;
  517. int clen;
  518. int plen;
  519. int alen;
  520. } const aesgcm_tv[] __initconst = {
  521. { /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
  522. .klen = 16,
  523. .ctext = ctext0,
  524. .clen = sizeof(ctext0),
  525. }, {
  526. .klen = 16,
  527. .ptext = ptext1,
  528. .plen = sizeof(ptext1),
  529. .ctext = ctext1,
  530. .clen = sizeof(ctext1),
  531. }, {
  532. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  533. "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
  534. .klen = 16,
  535. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  536. "\xde\xca\xf8\x88",
  537. .ptext = ptext2,
  538. .plen = sizeof(ptext2),
  539. .ctext = ctext2,
  540. .clen = sizeof(ctext2),
  541. }, {
  542. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  543. "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
  544. .klen = 16,
  545. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  546. "\xde\xca\xf8\x88",
  547. .ptext = ptext3,
  548. .plen = sizeof(ptext3),
  549. .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  550. "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  551. "\xab\xad\xda\xd2",
  552. .alen = 20,
  553. .ctext = ctext3,
  554. .clen = sizeof(ctext3),
  555. }, {
  556. .klen = 24,
  557. .ctext = ctext4,
  558. .clen = sizeof(ctext4),
  559. }, {
  560. .klen = 24,
  561. .ptext = ptext1,
  562. .plen = sizeof(ptext1),
  563. .ctext = ctext5,
  564. .clen = sizeof(ctext5),
  565. }, {
  566. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  567. "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
  568. "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
  569. .klen = 24,
  570. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  571. "\xde\xca\xf8\x88",
  572. .ptext = ptext6,
  573. .plen = sizeof(ptext6),
  574. .ctext = ctext6,
  575. .clen = sizeof(ctext6),
  576. }, {
  577. .klen = 32,
  578. .ctext = ctext7,
  579. .clen = sizeof(ctext7),
  580. }, {
  581. .klen = 32,
  582. .ptext = ptext1,
  583. .plen = sizeof(ptext1),
  584. .ctext = ctext8,
  585. .clen = sizeof(ctext8),
  586. }, {
  587. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  588. "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
  589. "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  590. "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
  591. .klen = 32,
  592. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  593. "\xde\xca\xf8\x88",
  594. .ptext = ptext9,
  595. .plen = sizeof(ptext9),
  596. .ctext = ctext9,
  597. .clen = sizeof(ctext9),
  598. }, {
  599. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  600. "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
  601. "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  602. "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
  603. .klen = 32,
  604. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  605. "\xde\xca\xf8\x88",
  606. .ptext = ptext10,
  607. .plen = sizeof(ptext10),
  608. .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  609. "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  610. "\xab\xad\xda\xd2",
  611. .alen = 20,
  612. .ctext = ctext10,
  613. .clen = sizeof(ctext10),
  614. }, {
  615. .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
  616. "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
  617. "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
  618. .klen = 24,
  619. .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
  620. "\xde\xca\xf8\x88",
  621. .ptext = ptext11,
  622. .plen = sizeof(ptext11),
  623. .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  624. "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
  625. "\xab\xad\xda\xd2",
  626. .alen = 20,
  627. .ctext = ctext11,
  628. .clen = sizeof(ctext11),
  629. }, {
  630. .key = "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
  631. "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
  632. "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
  633. "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
  634. .klen = 32,
  635. .iv = "\x00\xff\xff\xff\xff\x00\x00\xff"
  636. "\xff\xff\x00\xff",
  637. .ptext = ptext12,
  638. .plen = sizeof(ptext12),
  639. .ctext = ctext12,
  640. .clen = sizeof(ctext12),
  641. }
  642. };
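  /*
   * libaesgcm_init() - run the AES-GCM known-answer tests at module init
   *
   * For every entry of aesgcm_tv the key is expanded with a tag size of
   * clen - plen, then three steps are checked:
   *   1. decrypting the reference ciphertext with the reference tag yields
   *      the reference plaintext;
   *   2. encrypting that plaintext in place reproduces the reference
   *      ciphertext and the reference tag;
   *   3. decrypting the result in place with the freshly generated tag
   *      yields the plaintext again.
   *
   * Returns: 0 if every vector passes, -ENODEV on the first failure.
   */
  static int __init libaesgcm_init(void)
  {
      for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
          u8 tagbuf[AES_BLOCK_SIZE];
          int plen = aesgcm_tv[i].plen;
          /* The reference tag is stored right after the ciphertext. */
          int taglen = aesgcm_tv[i].clen - plen;
          const u8 *ref_tag = aesgcm_tv[i].ctext + plen;
          struct aesgcm_ctx ctx;
          /* Sized for the largest plaintext in the table. */
          static u8 buf[sizeof(ptext12)];

          if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
                               taglen)) {
              pr_err("aesgcm_expandkey() failed on vector %d\n", i);
              return -ENODEV;
          }

          if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
                              aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
                              aesgcm_tv[i].iv, ref_tag)
              || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
              pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
              return -ENODEV;
          }

          /* encrypt in place */
          aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
                         aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);

          /*
           * Check the generated tag against the vector as well as the
           * ciphertext, so that a wrong tag from the encrypt path is
           * reported here rather than only being fed back into the
           * second decryption.
           */
          if (memcmp(buf, aesgcm_tv[i].ctext, plen)
              || memcmp(tagbuf, ref_tag, taglen)) {
              pr_err("aesgcm_encrypt() failed on vector %d\n", i);
              return -ENODEV;
          }

          /* decrypt in place */
          if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
                              aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
              || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
              pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
              return -ENODEV;
          }
      }
      return 0;
  }
  module_init(libaesgcm_init);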
  /*
   * libaesgcm_exit() - module exit hook for the self-test build
   *
   * Intentionally empty: the body performs no teardown.
   */
  static void __exit libaesgcm_exit(void)
  {
  }
  module_exit(libaesgcm_exit);
  684. #endif