1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Minimal library implementation of GCM
4 *
5 * Copyright 2022 Google LLC
6 */
7
8#include <linux/module.h>
9
10#include <crypto/algapi.h>
11#include <crypto/gcm.h>
12#include <crypto/ghash.h>
13
14#include <asm/irqflags.h>
15
16static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
17 const void *src)
18{
19 unsigned long flags;
20
21 /*
22 * In AES-GCM, both the GHASH key derivation and the CTR mode
23 * encryption operate on known plaintext, making them susceptible to
24 * timing attacks on the encryption key. The AES library already
25 * mitigates this risk to some extent by pulling the entire S-box into
26 * the caches before doing any substitutions, but this strategy is more
27 * effective when running with interrupts disabled.
28 */
29 local_irq_save(flags);
30 aes_encrypt(ctx, out: dst, in: src);
31 local_irq_restore(flags);
32}
33
34/**
35 * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
36 * schedule
37 *
38 * @ctx: The data structure that will hold the AES-GCM key schedule
39 * @key: The AES encryption input key
40 * @keysize: The length in bytes of the input key
41 * @authsize: The size in bytes of the GCM authentication tag
42 *
43 * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
44 * that are not permitted by the GCM specification.
45 */
46int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
47 unsigned int keysize, unsigned int authsize)
48{
49 u8 kin[AES_BLOCK_SIZE] = {};
50 int ret;
51
52 ret = crypto_gcm_check_authsize(authsize) ?:
53 aes_expandkey(ctx: &ctx->aes_ctx, in_key: key, key_len: keysize);
54 if (ret)
55 return ret;
56
57 ctx->authsize = authsize;
58 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: &ctx->ghash_key, src: kin);
59
60 return 0;
61}
62EXPORT_SYMBOL(aesgcm_expandkey);
63
64static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
65 int len)
66{
67 while (len > 0) {
68 crypto_xor(dst: (u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
69 gf128mul_lle(a: ghash, b: key);
70
71 src += GHASH_BLOCK_SIZE;
72 len -= GHASH_BLOCK_SIZE;
73 }
74}
75
76static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
77 const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
78{
79 be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
80 u8 buf[AES_BLOCK_SIZE];
81 be128 ghash = {};
82
83 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src: assoc, len: assoc_len);
84 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src, len: src_len);
85 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src: &tail, len: sizeof(tail));
86
87 ctr[3] = cpu_to_be32(1);
88 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: buf, src: ctr);
89 crypto_xor_cpy(dst: authtag, src1: buf, src2: (u8 *)&ghash, size: ctx->authsize);
90
91 memzero_explicit(s: &ghash, count: sizeof(ghash));
92 memzero_explicit(s: buf, count: sizeof(buf));
93}
94
95static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
96 int len, __be32 *ctr)
97{
98 u8 buf[AES_BLOCK_SIZE];
99 unsigned int n = 2;
100
101 while (len > 0) {
102 /*
103 * The counter increment below must not result in overflow or
104 * carry into the next 32-bit word, as this could result in
105 * inadvertent IV reuse, which must be avoided at all cost for
106 * stream ciphers such as AES-CTR. Given the range of 'int
107 * len', this cannot happen, so no explicit test is necessary.
108 */
109 ctr[3] = cpu_to_be32(n++);
110 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: buf, src: ctr);
111 crypto_xor_cpy(dst, src1: src, src2: buf, min(len, AES_BLOCK_SIZE));
112
113 dst += AES_BLOCK_SIZE;
114 src += AES_BLOCK_SIZE;
115 len -= AES_BLOCK_SIZE;
116 }
117 memzero_explicit(s: buf, count: sizeof(buf));
118}
119
120/**
121 * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
122 *
123 * @ctx: The AES-GCM key schedule
124 * @dst: Pointer to the ciphertext output buffer
125 * @src: Pointer the plaintext (may equal @dst for encryption in place)
126 * @crypt_len: The size in bytes of the plaintext and ciphertext.
127 * @assoc: Pointer to the associated data,
128 * @assoc_len: The size in bytes of the associated data
129 * @iv: The initialization vector (IV) to use for this block of data
130 * (must be 12 bytes in size as per the GCM spec recommendation)
131 * @authtag: The address of the buffer in memory where the authentication
132 * tag should be stored. The buffer is assumed to have space for
133 * @ctx->authsize bytes.
134 */
135void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
136 int crypt_len, const u8 *assoc, int assoc_len,
137 const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
138{
139 __be32 ctr[4];
140
141 memcpy(ctr, iv, GCM_AES_IV_SIZE);
142
143 aesgcm_crypt(ctx, dst, src, len: crypt_len, ctr);
144 aesgcm_mac(ctx, src: dst, src_len: crypt_len, assoc, assoc_len, ctr, authtag);
145}
146EXPORT_SYMBOL(aesgcm_encrypt);
147
148/**
149 * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
150 *
151 * @ctx: The AES-GCM key schedule
152 * @dst: Pointer to the plaintext output buffer
153 * @src: Pointer the ciphertext (may equal @dst for decryption in place)
154 * @crypt_len: The size in bytes of the plaintext and ciphertext.
155 * @assoc: Pointer to the associated data,
156 * @assoc_len: The size in bytes of the associated data
157 * @iv: The initialization vector (IV) to use for this block of data
158 * (must be 12 bytes in size as per the GCM spec recommendation)
159 * @authtag: The address of the buffer in memory where the authentication
160 * tag is stored.
161 *
162 * Returns: true on success, or false if the ciphertext failed authentication.
163 * On failure, no plaintext will be returned.
164 */
165bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
166 const u8 *src, int crypt_len, const u8 *assoc,
167 int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
168 const u8 *authtag)
169{
170 u8 tagbuf[AES_BLOCK_SIZE];
171 __be32 ctr[4];
172
173 memcpy(ctr, iv, GCM_AES_IV_SIZE);
174
175 aesgcm_mac(ctx, src, src_len: crypt_len, assoc, assoc_len, ctr, authtag: tagbuf);
176 if (crypto_memneq(a: authtag, b: tagbuf, size: ctx->authsize)) {
177 memzero_explicit(s: tagbuf, count: sizeof(tagbuf));
178 return false;
179 }
180 aesgcm_crypt(ctx, dst, src, len: crypt_len, ctr);
181 return true;
182}
183EXPORT_SYMBOL(aesgcm_decrypt);
184
185MODULE_DESCRIPTION("Generic AES-GCM library");
186MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
187MODULE_LICENSE("GPL");
188
189#ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
190
191/*
192 * Test code below. Vectors taken from crypto/testmgr.h
193 */
194
195static const u8 __initconst ctext0[16] =
196 "\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
197 "\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
198
199static const u8 __initconst ptext1[16];
200
201static const u8 __initconst ctext1[32] =
202 "\x03\x88\xda\xce\x60\xb6\xa3\x92"
203 "\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
204 "\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
205 "\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
206
207static const u8 __initconst ptext2[64] =
208 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
209 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
210 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
211 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
212 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
213 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
214 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
215 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
216
217static const u8 __initconst ctext2[80] =
218 "\x42\x83\x1e\xc2\x21\x77\x74\x24"
219 "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
220 "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
221 "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
222 "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
223 "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
224 "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
225 "\x3d\x58\xe0\x91\x47\x3f\x59\x85"
226 "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
227 "\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
228
229static const u8 __initconst ptext3[60] =
230 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
231 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
232 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
233 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
234 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
235 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
236 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
237 "\xba\x63\x7b\x39";
238
239static const u8 __initconst ctext3[76] =
240 "\x42\x83\x1e\xc2\x21\x77\x74\x24"
241 "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
242 "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
243 "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
244 "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
245 "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
246 "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
247 "\x3d\x58\xe0\x91"
248 "\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
249 "\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
250
251static const u8 __initconst ctext4[16] =
252 "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
253 "\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
254
255static const u8 __initconst ctext5[32] =
256 "\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
257 "\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
258 "\x2f\xf5\x8d\x80\x03\x39\x27\xab"
259 "\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
260
261static const u8 __initconst ptext6[64] =
262 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
263 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
264 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
265 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
266 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
267 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
268 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
269 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
270
271static const u8 __initconst ctext6[80] =
272 "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
273 "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
274 "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
275 "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
276 "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
277 "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
278 "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
279 "\xcc\xda\x27\x10\xac\xad\xe2\x56"
280 "\x99\x24\xa7\xc8\x58\x73\x36\xbf"
281 "\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
282
283static const u8 __initconst ctext7[16] =
284 "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
285 "\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
286
287static const u8 __initconst ctext8[32] =
288 "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
289 "\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
290 "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
291 "\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
292
293static const u8 __initconst ptext9[64] =
294 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
295 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
296 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
297 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
298 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
299 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
300 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
301 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
302
303static const u8 __initconst ctext9[80] =
304 "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
305 "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
306 "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
307 "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
308 "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
309 "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
310 "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
311 "\xbc\xc9\xf6\x62\x89\x80\x15\xad"
312 "\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
313 "\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
314
315static const u8 __initconst ptext10[60] =
316 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
317 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
318 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
319 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
320 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
321 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
322 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
323 "\xba\x63\x7b\x39";
324
325static const u8 __initconst ctext10[76] =
326 "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
327 "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
328 "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
329 "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
330 "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
331 "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
332 "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
333 "\xbc\xc9\xf6\x62"
334 "\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
335 "\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
336
337static const u8 __initconst ptext11[60] =
338 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
339 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
340 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
341 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
342 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
343 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
344 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
345 "\xba\x63\x7b\x39";
346
347static const u8 __initconst ctext11[76] =
348 "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
349 "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
350 "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
351 "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
352 "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
353 "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
354 "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
355 "\xcc\xda\x27\x10"
356 "\x25\x19\x49\x8e\x80\xf1\x47\x8f"
357 "\x37\xba\x55\xbd\x6d\x27\x61\x8c";
358
359static const u8 __initconst ptext12[719] =
360 "\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
361 "\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
362 "\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
363 "\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
364 "\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
365 "\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
366 "\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
367 "\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
368 "\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
369 "\x00\xa4\x43\x54\x04\x54\x9b\x3b"
370 "\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
371 "\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
372 "\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
373 "\x35\x23\xf4\x20\x41\xd4\xad\x82"
374 "\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
375 "\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
376 "\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
377 "\xad\x49\x3a\xae\x98\xce\xa6\x66"
378 "\x10\x30\x90\x8c\x55\x83\xd7\x7c"
379 "\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
380 "\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
381 "\x57\xcc\x89\x09\x75\x9b\x78\x70"
382 "\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
383 "\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
384 "\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
385 "\x82\xd9\xec\xa2\x87\x68\x55\xf9"
386 "\x8f\x9e\x73\x43\x47\x6a\x08\x36"
387 "\x93\x67\xa8\x2d\xde\xac\x41\xa9"
388 "\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
389 "\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
390 "\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
391 "\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
392 "\xab\x19\x37\xd9\xba\x76\x5e\xd2"
393 "\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
394 "\x02\x66\x49\xca\x7c\x91\x05\xf2"
395 "\x45\x36\x1e\xf5\x77\xad\x1f\x46"
396 "\xa8\x13\xfb\x63\xb6\x08\x99\x63"
397 "\x82\xa2\xed\xb3\xac\xdf\x43\x19"
398 "\x45\xea\x78\x73\xd9\xb7\x39\x11"
399 "\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
400 "\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
401 "\xa4\x47\x7d\x80\x20\x26\xfd\x63"
402 "\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
403 "\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
404 "\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
405 "\x54\x03\xa4\x09\x0c\x37\x7a\x15"
406 "\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
407 "\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
408 "\x03\x25\x3c\x8d\x48\x58\x71\x34"
409 "\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
410 "\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
411 "\x80\x6f\x96\x0e\x05\x62\xc7\x78"
412 "\x87\x79\x60\x38\x46\xb4\x25\x57"
413 "\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
414 "\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
415 "\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
416 "\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
417 "\x09\xfc\x91\x96\x47\x87\x4f\x1a"
418 "\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
419 "\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
420 "\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
421 "\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
422 "\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
423 "\x0b\x63\xde\x87\x42\x79\x8a\x68"
424 "\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
425 "\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
426 "\xe9\x83\x84\xcb\x28\x69\x09\x69"
427 "\xce\x99\x46\x00\x54\xcb\xd8\x38"
428 "\xf9\x53\x4a\xbf\x31\xce\x57\x15"
429 "\x33\xfa\x96\x04\x33\x42\xe3\xc0"
430 "\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
431 "\x19\x95\xd0\x0e\x82\x07\x63\xf9"
432 "\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
433 "\xb5\x9f\x23\x28\x60\xe7\x20\x51"
434 "\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
435 "\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
436 "\x78\xc6\x91\x22\x40\x91\x80\xbe"
437 "\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
438 "\x67\x10\xa4\x83\x98\x79\x23\xe7"
439 "\x92\xda\xa9\x22\x16\xb1\xe7\x78"
440 "\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
441 "\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
442 "\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
443 "\x48\x11\x06\xbb\x2d\xf2\x63\x88"
444 "\x3f\x73\x09\xe2\x45\x56\x31\x51"
445 "\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
446 "\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
447 "\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
448 "\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
449 "\xa4\x78\xdb\x74\x3d\x8b\xb5";
450
451static const u8 __initconst ctext12[735] =
452 "\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
453 "\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
454 "\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
455 "\x4c\x1d\x38\x05\x54\xd1\x16\x73"
456 "\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
457 "\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
458 "\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
459 "\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
460 "\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
461 "\x20\x93\x6c\x4b\x37\x99\xb8\x23"
462 "\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
463 "\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
464 "\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
465 "\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
466 "\xb9\x14\x13\x21\xdf\xce\xaa\x88"
467 "\x44\x30\x1e\xce\x26\x01\x92\xf8"
468 "\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
469 "\x89\xca\x94\x66\x11\x21\x97\xca"
470 "\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
471 "\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
472 "\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
473 "\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
474 "\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
475 "\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
476 "\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
477 "\xde\x6b\x52\x98\x01\xef\x36\x3d"
478 "\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
479 "\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
480 "\x48\x96\xe0\x90\x93\x6c\x48\x64"
481 "\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
482 "\x7a\x23\x7b\xaa\x20\x56\x12\xae"
483 "\x16\x9d\x94\x0f\x54\xa1\xec\xca"
484 "\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
485 "\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
486 "\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
487 "\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
488 "\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
489 "\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
490 "\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
491 "\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
492 "\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
493 "\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
494 "\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
495 "\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
496 "\x03\x60\x7a\xed\x69\xd5\x00\x8b"
497 "\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
498 "\xc1\x26\xce\x90\x97\x22\x64\x64"
499 "\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
500 "\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
501 "\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
502 "\x15\xb5\xa0\x8d\x12\x74\x49\x23"
503 "\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
504 "\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
505 "\x61\x26\x94\x58\x70\xa6\x3c\xe4"
506 "\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
507 "\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
508 "\x93\x77\xde\x48\xc4\xfa\x30\x4a"
509 "\xda\x49\x80\x77\x0f\x1c\xbe\x11"
510 "\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
511 "\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
512 "\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
513 "\xb8\xfb\x86\xdc\x46\x24\x91\x60"
514 "\x6c\x2f\xc9\x41\x37\x51\x49\x54"
515 "\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
516 "\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
517 "\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
518 "\x75\x54\x65\x93\xfe\xb1\x68\x6b"
519 "\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
520 "\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
521 "\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
522 "\x6a\x56\xff\x35\x4d\x42\x33\xaa"
523 "\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
524 "\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
525 "\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
526 "\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
527 "\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
528 "\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
529 "\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
530 "\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
531 "\x6b\x6d\x33\xe1\x34\x06\x36\x21"
532 "\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
533 "\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
534 "\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
535 "\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
536 "\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
537 "\x0e\xe1\xb5\x11\x45\x61\x43\x46"
538 "\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
539 "\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
540 "\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
541 "\x38\x58\x9e\x8a\x43\xdc\x57"
542 "\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
543 "\x4b\x24\x52\x58\x55\xe1\x49\x14";
544
545static struct {
546 const u8 *ptext;
547 const u8 *ctext;
548
549 u8 key[AES_MAX_KEY_SIZE];
550 u8 iv[GCM_AES_IV_SIZE];
551 u8 assoc[20];
552
553 int klen;
554 int clen;
555 int plen;
556 int alen;
557} const aesgcm_tv[] __initconst = {
558 { /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
559 .klen = 16,
560 .ctext = ctext0,
561 .clen = sizeof(ctext0),
562 }, {
563 .klen = 16,
564 .ptext = ptext1,
565 .plen = sizeof(ptext1),
566 .ctext = ctext1,
567 .clen = sizeof(ctext1),
568 }, {
569 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
570 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
571 .klen = 16,
572 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
573 "\xde\xca\xf8\x88",
574 .ptext = ptext2,
575 .plen = sizeof(ptext2),
576 .ctext = ctext2,
577 .clen = sizeof(ctext2),
578 }, {
579 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
580 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
581 .klen = 16,
582 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
583 "\xde\xca\xf8\x88",
584 .ptext = ptext3,
585 .plen = sizeof(ptext3),
586 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
587 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
588 "\xab\xad\xda\xd2",
589 .alen = 20,
590 .ctext = ctext3,
591 .clen = sizeof(ctext3),
592 }, {
593 .klen = 24,
594 .ctext = ctext4,
595 .clen = sizeof(ctext4),
596 }, {
597 .klen = 24,
598 .ptext = ptext1,
599 .plen = sizeof(ptext1),
600 .ctext = ctext5,
601 .clen = sizeof(ctext5),
602 }, {
603 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
604 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
605 "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
606 .klen = 24,
607 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
608 "\xde\xca\xf8\x88",
609 .ptext = ptext6,
610 .plen = sizeof(ptext6),
611 .ctext = ctext6,
612 .clen = sizeof(ctext6),
613 }, {
614 .klen = 32,
615 .ctext = ctext7,
616 .clen = sizeof(ctext7),
617 }, {
618 .klen = 32,
619 .ptext = ptext1,
620 .plen = sizeof(ptext1),
621 .ctext = ctext8,
622 .clen = sizeof(ctext8),
623 }, {
624 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
625 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
626 "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
627 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
628 .klen = 32,
629 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
630 "\xde\xca\xf8\x88",
631 .ptext = ptext9,
632 .plen = sizeof(ptext9),
633 .ctext = ctext9,
634 .clen = sizeof(ctext9),
635 }, {
636 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
637 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
638 "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
639 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
640 .klen = 32,
641 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
642 "\xde\xca\xf8\x88",
643 .ptext = ptext10,
644 .plen = sizeof(ptext10),
645 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
646 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
647 "\xab\xad\xda\xd2",
648 .alen = 20,
649 .ctext = ctext10,
650 .clen = sizeof(ctext10),
651 }, {
652 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
653 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
654 "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
655 .klen = 24,
656 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
657 "\xde\xca\xf8\x88",
658 .ptext = ptext11,
659 .plen = sizeof(ptext11),
660 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
661 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
662 "\xab\xad\xda\xd2",
663 .alen = 20,
664 .ctext = ctext11,
665 .clen = sizeof(ctext11),
666 }, {
667 .key = "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
668 "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
669 "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
670 "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
671 .klen = 32,
672 .iv = "\x00\xff\xff\xff\xff\x00\x00\xff"
673 "\xff\xff\x00\xff",
674 .ptext = ptext12,
675 .plen = sizeof(ptext12),
676 .ctext = ctext12,
677 .clen = sizeof(ctext12),
678 }
679};
680
681static int __init libaesgcm_init(void)
682{
683 for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
684 u8 tagbuf[AES_BLOCK_SIZE];
685 int plen = aesgcm_tv[i].plen;
686 struct aesgcm_ctx ctx;
687 u8 buf[sizeof(ptext12)];
688
689 if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
690 aesgcm_tv[i].clen - plen)) {
691 pr_err("aesgcm_expandkey() failed on vector %d\n", i);
692 return -ENODEV;
693 }
694
695 if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
696 aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
697 aesgcm_tv[i].iv, aesgcm_tv[i].ctext + plen)
698 || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
699 pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
700 return -ENODEV;
701 }
702
703 /* encrypt in place */
704 aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
705 aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);
706 if (memcmp(buf, aesgcm_tv[i].ctext, plen)) {
707 pr_err("aesgcm_encrypt() failed on vector %d\n", i);
708 return -ENODEV;
709 }
710
711 /* decrypt in place */
712 if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
713 aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
714 || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
715 pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
716 return -ENODEV;
717 }
718 }
719 return 0;
720}
721module_init(libaesgcm_init);
722
723static void __exit libaesgcm_exit(void)
724{
725}
726module_exit(libaesgcm_exit);
727#endif
728

source code of linux/lib/crypto/aesgcm.c