1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Minimal library implementation of GCM
4 *
5 * Copyright 2022 Google LLC
6 */
7
8#include <crypto/algapi.h>
9#include <crypto/gcm.h>
10#include <crypto/ghash.h>
11#include <linux/export.h>
12#include <linux/module.h>
13#include <asm/irqflags.h>
14
15static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
16 const void *src)
17{
18 unsigned long flags;
19
20 /*
21 * In AES-GCM, both the GHASH key derivation and the CTR mode
22 * encryption operate on known plaintext, making them susceptible to
23 * timing attacks on the encryption key. The AES library already
24 * mitigates this risk to some extent by pulling the entire S-box into
25 * the caches before doing any substitutions, but this strategy is more
26 * effective when running with interrupts disabled.
27 */
28 local_irq_save(flags);
29 aes_encrypt(ctx, out: dst, in: src);
30 local_irq_restore(flags);
31}
32
33/**
34 * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
35 * schedule
36 *
37 * @ctx: The data structure that will hold the AES-GCM key schedule
38 * @key: The AES encryption input key
39 * @keysize: The length in bytes of the input key
40 * @authsize: The size in bytes of the GCM authentication tag
41 *
42 * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
43 * that are not permitted by the GCM specification.
44 */
45int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
46 unsigned int keysize, unsigned int authsize)
47{
48 u8 kin[AES_BLOCK_SIZE] = {};
49 int ret;
50
51 ret = crypto_gcm_check_authsize(authsize) ?:
52 aes_expandkey(ctx: &ctx->aes_ctx, in_key: key, key_len: keysize);
53 if (ret)
54 return ret;
55
56 ctx->authsize = authsize;
57 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: &ctx->ghash_key, src: kin);
58
59 return 0;
60}
61EXPORT_SYMBOL(aesgcm_expandkey);
62
63static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
64 int len)
65{
66 while (len > 0) {
67 crypto_xor(dst: (u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
68 gf128mul_lle(a: ghash, b: key);
69
70 src += GHASH_BLOCK_SIZE;
71 len -= GHASH_BLOCK_SIZE;
72 }
73}
74
75/**
76 * aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
77 * @ctx: The data structure that will hold the AES-GCM key schedule
78 * @src: The input source data.
79 * @src_len: Length of the source data.
80 * @assoc: Points to the associated data.
81 * @assoc_len: Length of the associated data values.
82 * @ctr: Points to the counter value.
83 * @authtag: The output buffer for the authentication tag.
84 *
85 * It takes in the AES-GCM context, source data, associated data, counter value,
86 * and an output buffer for the authentication tag.
87 */
88static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
89 const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
90{
91 be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
92 u8 buf[AES_BLOCK_SIZE];
93 be128 ghash = {};
94
95 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src: assoc, len: assoc_len);
96 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src, len: src_len);
97 aesgcm_ghash(ghash: &ghash, key: &ctx->ghash_key, src: &tail, len: sizeof(tail));
98
99 ctr[3] = cpu_to_be32(1);
100 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: buf, src: ctr);
101 crypto_xor_cpy(dst: authtag, src1: buf, src2: (u8 *)&ghash, size: ctx->authsize);
102
103 memzero_explicit(s: &ghash, count: sizeof(ghash));
104 memzero_explicit(s: buf, count: sizeof(buf));
105}
106
107static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
108 int len, __be32 *ctr)
109{
110 u8 buf[AES_BLOCK_SIZE];
111 unsigned int n = 2;
112
113 while (len > 0) {
114 /*
115 * The counter increment below must not result in overflow or
116 * carry into the next 32-bit word, as this could result in
117 * inadvertent IV reuse, which must be avoided at all cost for
118 * stream ciphers such as AES-CTR. Given the range of 'int
119 * len', this cannot happen, so no explicit test is necessary.
120 */
121 ctr[3] = cpu_to_be32(n++);
122 aesgcm_encrypt_block(ctx: &ctx->aes_ctx, dst: buf, src: ctr);
123 crypto_xor_cpy(dst, src1: src, src2: buf, min(len, AES_BLOCK_SIZE));
124
125 dst += AES_BLOCK_SIZE;
126 src += AES_BLOCK_SIZE;
127 len -= AES_BLOCK_SIZE;
128 }
129 memzero_explicit(s: buf, count: sizeof(buf));
130}
131
132/**
133 * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
134 *
135 * @ctx: The AES-GCM key schedule
136 * @dst: Pointer to the ciphertext output buffer
137 * @src: Pointer the plaintext (may equal @dst for encryption in place)
138 * @crypt_len: The size in bytes of the plaintext and ciphertext.
139 * @assoc: Pointer to the associated data,
140 * @assoc_len: The size in bytes of the associated data
141 * @iv: The initialization vector (IV) to use for this block of data
142 * (must be 12 bytes in size as per the GCM spec recommendation)
143 * @authtag: The address of the buffer in memory where the authentication
144 * tag should be stored. The buffer is assumed to have space for
145 * @ctx->authsize bytes.
146 */
147void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
148 int crypt_len, const u8 *assoc, int assoc_len,
149 const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
150{
151 __be32 ctr[4];
152
153 memcpy(ctr, iv, GCM_AES_IV_SIZE);
154
155 aesgcm_crypt(ctx, dst, src, len: crypt_len, ctr);
156 aesgcm_mac(ctx, src: dst, src_len: crypt_len, assoc, assoc_len, ctr, authtag);
157}
158EXPORT_SYMBOL(aesgcm_encrypt);
159
160/**
161 * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
162 *
163 * @ctx: The AES-GCM key schedule
164 * @dst: Pointer to the plaintext output buffer
165 * @src: Pointer the ciphertext (may equal @dst for decryption in place)
166 * @crypt_len: The size in bytes of the plaintext and ciphertext.
167 * @assoc: Pointer to the associated data,
168 * @assoc_len: The size in bytes of the associated data
169 * @iv: The initialization vector (IV) to use for this block of data
170 * (must be 12 bytes in size as per the GCM spec recommendation)
171 * @authtag: The address of the buffer in memory where the authentication
172 * tag is stored.
173 *
174 * Returns: true on success, or false if the ciphertext failed authentication.
175 * On failure, no plaintext will be returned.
176 */
177bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
178 const u8 *src, int crypt_len, const u8 *assoc,
179 int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
180 const u8 *authtag)
181{
182 u8 tagbuf[AES_BLOCK_SIZE];
183 __be32 ctr[4];
184
185 memcpy(ctr, iv, GCM_AES_IV_SIZE);
186
187 aesgcm_mac(ctx, src, src_len: crypt_len, assoc, assoc_len, ctr, authtag: tagbuf);
188 if (crypto_memneq(a: authtag, b: tagbuf, size: ctx->authsize)) {
189 memzero_explicit(s: tagbuf, count: sizeof(tagbuf));
190 return false;
191 }
192 aesgcm_crypt(ctx, dst, src, len: crypt_len, ctr);
193 return true;
194}
195EXPORT_SYMBOL(aesgcm_decrypt);
196
197MODULE_DESCRIPTION("Generic AES-GCM library");
198MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
199MODULE_LICENSE("GPL");
200
201#ifdef CONFIG_CRYPTO_SELFTESTS
202
203/*
204 * Test code below. Vectors taken from crypto/testmgr.h
205 */
206
207static const u8 __initconst ctext0[16] __nonstring =
208 "\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
209 "\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
210
211static const u8 __initconst ptext1[16];
212
213static const u8 __initconst ctext1[32] __nonstring =
214 "\x03\x88\xda\xce\x60\xb6\xa3\x92"
215 "\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
216 "\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
217 "\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
218
219static const u8 __initconst ptext2[64] __nonstring =
220 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
221 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
222 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
223 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
224 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
225 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
226 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
227 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
228
229static const u8 __initconst ctext2[80] __nonstring =
230 "\x42\x83\x1e\xc2\x21\x77\x74\x24"
231 "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
232 "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
233 "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
234 "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
235 "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
236 "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
237 "\x3d\x58\xe0\x91\x47\x3f\x59\x85"
238 "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
239 "\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
240
241static const u8 __initconst ptext3[60] __nonstring =
242 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
243 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
244 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
245 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
246 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
247 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
248 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
249 "\xba\x63\x7b\x39";
250
251static const u8 __initconst ctext3[76] __nonstring =
252 "\x42\x83\x1e\xc2\x21\x77\x74\x24"
253 "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
254 "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
255 "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
256 "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
257 "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
258 "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
259 "\x3d\x58\xe0\x91"
260 "\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
261 "\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
262
263static const u8 __initconst ctext4[16] __nonstring =
264 "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
265 "\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
266
267static const u8 __initconst ctext5[32] __nonstring =
268 "\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
269 "\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
270 "\x2f\xf5\x8d\x80\x03\x39\x27\xab"
271 "\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
272
273static const u8 __initconst ptext6[64] __nonstring =
274 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
275 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
276 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
277 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
278 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
279 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
280 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
281 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
282
283static const u8 __initconst ctext6[80] __nonstring =
284 "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
285 "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
286 "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
287 "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
288 "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
289 "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
290 "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
291 "\xcc\xda\x27\x10\xac\xad\xe2\x56"
292 "\x99\x24\xa7\xc8\x58\x73\x36\xbf"
293 "\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
294
295static const u8 __initconst ctext7[16] __nonstring =
296 "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
297 "\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
298
299static const u8 __initconst ctext8[32] __nonstring =
300 "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
301 "\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
302 "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
303 "\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
304
305static const u8 __initconst ptext9[64] __nonstring =
306 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
307 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
308 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
309 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
310 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
311 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
312 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
313 "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
314
315static const u8 __initconst ctext9[80] __nonstring =
316 "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
317 "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
318 "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
319 "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
320 "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
321 "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
322 "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
323 "\xbc\xc9\xf6\x62\x89\x80\x15\xad"
324 "\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
325 "\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
326
327static const u8 __initconst ptext10[60] __nonstring =
328 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
329 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
330 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
331 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
332 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
333 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
334 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
335 "\xba\x63\x7b\x39";
336
337static const u8 __initconst ctext10[76] __nonstring =
338 "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
339 "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
340 "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
341 "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
342 "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
343 "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
344 "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
345 "\xbc\xc9\xf6\x62"
346 "\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
347 "\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
348
349static const u8 __initconst ptext11[60] __nonstring =
350 "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
351 "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
352 "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
353 "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
354 "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
355 "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
356 "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
357 "\xba\x63\x7b\x39";
358
359static const u8 __initconst ctext11[76] __nonstring =
360 "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
361 "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
362 "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
363 "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
364 "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
365 "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
366 "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
367 "\xcc\xda\x27\x10"
368 "\x25\x19\x49\x8e\x80\xf1\x47\x8f"
369 "\x37\xba\x55\xbd\x6d\x27\x61\x8c";
370
371static const u8 __initconst ptext12[719] __nonstring =
372 "\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
373 "\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
374 "\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
375 "\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
376 "\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
377 "\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
378 "\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
379 "\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
380 "\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
381 "\x00\xa4\x43\x54\x04\x54\x9b\x3b"
382 "\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
383 "\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
384 "\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
385 "\x35\x23\xf4\x20\x41\xd4\xad\x82"
386 "\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
387 "\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
388 "\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
389 "\xad\x49\x3a\xae\x98\xce\xa6\x66"
390 "\x10\x30\x90\x8c\x55\x83\xd7\x7c"
391 "\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
392 "\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
393 "\x57\xcc\x89\x09\x75\x9b\x78\x70"
394 "\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
395 "\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
396 "\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
397 "\x82\xd9\xec\xa2\x87\x68\x55\xf9"
398 "\x8f\x9e\x73\x43\x47\x6a\x08\x36"
399 "\x93\x67\xa8\x2d\xde\xac\x41\xa9"
400 "\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
401 "\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
402 "\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
403 "\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
404 "\xab\x19\x37\xd9\xba\x76\x5e\xd2"
405 "\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
406 "\x02\x66\x49\xca\x7c\x91\x05\xf2"
407 "\x45\x36\x1e\xf5\x77\xad\x1f\x46"
408 "\xa8\x13\xfb\x63\xb6\x08\x99\x63"
409 "\x82\xa2\xed\xb3\xac\xdf\x43\x19"
410 "\x45\xea\x78\x73\xd9\xb7\x39\x11"
411 "\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
412 "\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
413 "\xa4\x47\x7d\x80\x20\x26\xfd\x63"
414 "\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
415 "\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
416 "\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
417 "\x54\x03\xa4\x09\x0c\x37\x7a\x15"
418 "\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
419 "\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
420 "\x03\x25\x3c\x8d\x48\x58\x71\x34"
421 "\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
422 "\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
423 "\x80\x6f\x96\x0e\x05\x62\xc7\x78"
424 "\x87\x79\x60\x38\x46\xb4\x25\x57"
425 "\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
426 "\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
427 "\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
428 "\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
429 "\x09\xfc\x91\x96\x47\x87\x4f\x1a"
430 "\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
431 "\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
432 "\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
433 "\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
434 "\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
435 "\x0b\x63\xde\x87\x42\x79\x8a\x68"
436 "\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
437 "\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
438 "\xe9\x83\x84\xcb\x28\x69\x09\x69"
439 "\xce\x99\x46\x00\x54\xcb\xd8\x38"
440 "\xf9\x53\x4a\xbf\x31\xce\x57\x15"
441 "\x33\xfa\x96\x04\x33\x42\xe3\xc0"
442 "\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
443 "\x19\x95\xd0\x0e\x82\x07\x63\xf9"
444 "\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
445 "\xb5\x9f\x23\x28\x60\xe7\x20\x51"
446 "\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
447 "\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
448 "\x78\xc6\x91\x22\x40\x91\x80\xbe"
449 "\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
450 "\x67\x10\xa4\x83\x98\x79\x23\xe7"
451 "\x92\xda\xa9\x22\x16\xb1\xe7\x78"
452 "\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
453 "\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
454 "\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
455 "\x48\x11\x06\xbb\x2d\xf2\x63\x88"
456 "\x3f\x73\x09\xe2\x45\x56\x31\x51"
457 "\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
458 "\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
459 "\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
460 "\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
461 "\xa4\x78\xdb\x74\x3d\x8b\xb5";
462
463static const u8 __initconst ctext12[735] __nonstring =
464 "\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
465 "\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
466 "\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
467 "\x4c\x1d\x38\x05\x54\xd1\x16\x73"
468 "\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
469 "\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
470 "\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
471 "\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
472 "\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
473 "\x20\x93\x6c\x4b\x37\x99\xb8\x23"
474 "\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
475 "\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
476 "\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
477 "\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
478 "\xb9\x14\x13\x21\xdf\xce\xaa\x88"
479 "\x44\x30\x1e\xce\x26\x01\x92\xf8"
480 "\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
481 "\x89\xca\x94\x66\x11\x21\x97\xca"
482 "\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
483 "\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
484 "\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
485 "\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
486 "\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
487 "\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
488 "\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
489 "\xde\x6b\x52\x98\x01\xef\x36\x3d"
490 "\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
491 "\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
492 "\x48\x96\xe0\x90\x93\x6c\x48\x64"
493 "\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
494 "\x7a\x23\x7b\xaa\x20\x56\x12\xae"
495 "\x16\x9d\x94\x0f\x54\xa1\xec\xca"
496 "\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
497 "\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
498 "\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
499 "\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
500 "\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
501 "\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
502 "\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
503 "\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
504 "\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
505 "\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
506 "\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
507 "\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
508 "\x03\x60\x7a\xed\x69\xd5\x00\x8b"
509 "\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
510 "\xc1\x26\xce\x90\x97\x22\x64\x64"
511 "\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
512 "\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
513 "\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
514 "\x15\xb5\xa0\x8d\x12\x74\x49\x23"
515 "\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
516 "\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
517 "\x61\x26\x94\x58\x70\xa6\x3c\xe4"
518 "\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
519 "\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
520 "\x93\x77\xde\x48\xc4\xfa\x30\x4a"
521 "\xda\x49\x80\x77\x0f\x1c\xbe\x11"
522 "\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
523 "\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
524 "\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
525 "\xb8\xfb\x86\xdc\x46\x24\x91\x60"
526 "\x6c\x2f\xc9\x41\x37\x51\x49\x54"
527 "\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
528 "\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
529 "\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
530 "\x75\x54\x65\x93\xfe\xb1\x68\x6b"
531 "\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
532 "\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
533 "\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
534 "\x6a\x56\xff\x35\x4d\x42\x33\xaa"
535 "\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
536 "\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
537 "\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
538 "\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
539 "\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
540 "\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
541 "\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
542 "\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
543 "\x6b\x6d\x33\xe1\x34\x06\x36\x21"
544 "\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
545 "\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
546 "\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
547 "\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
548 "\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
549 "\x0e\xe1\xb5\x11\x45\x61\x43\x46"
550 "\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
551 "\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
552 "\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
553 "\x38\x58\x9e\x8a\x43\xdc\x57"
554 "\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
555 "\x4b\x24\x52\x58\x55\xe1\x49\x14";
556
557static struct {
558 const u8 *ptext;
559 const u8 *ctext;
560
561 u8 key[AES_MAX_KEY_SIZE] __nonstring;
562 u8 iv[GCM_AES_IV_SIZE] __nonstring;
563 u8 assoc[20] __nonstring;
564
565 int klen;
566 int clen;
567 int plen;
568 int alen;
569} const aesgcm_tv[] __initconst = {
570 { /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
571 .klen = 16,
572 .ctext = ctext0,
573 .clen = sizeof(ctext0),
574 }, {
575 .klen = 16,
576 .ptext = ptext1,
577 .plen = sizeof(ptext1),
578 .ctext = ctext1,
579 .clen = sizeof(ctext1),
580 }, {
581 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
582 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
583 .klen = 16,
584 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
585 "\xde\xca\xf8\x88",
586 .ptext = ptext2,
587 .plen = sizeof(ptext2),
588 .ctext = ctext2,
589 .clen = sizeof(ctext2),
590 }, {
591 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
592 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
593 .klen = 16,
594 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
595 "\xde\xca\xf8\x88",
596 .ptext = ptext3,
597 .plen = sizeof(ptext3),
598 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
599 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
600 "\xab\xad\xda\xd2",
601 .alen = 20,
602 .ctext = ctext3,
603 .clen = sizeof(ctext3),
604 }, {
605 .klen = 24,
606 .ctext = ctext4,
607 .clen = sizeof(ctext4),
608 }, {
609 .klen = 24,
610 .ptext = ptext1,
611 .plen = sizeof(ptext1),
612 .ctext = ctext5,
613 .clen = sizeof(ctext5),
614 }, {
615 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
616 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
617 "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
618 .klen = 24,
619 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
620 "\xde\xca\xf8\x88",
621 .ptext = ptext6,
622 .plen = sizeof(ptext6),
623 .ctext = ctext6,
624 .clen = sizeof(ctext6),
625 }, {
626 .klen = 32,
627 .ctext = ctext7,
628 .clen = sizeof(ctext7),
629 }, {
630 .klen = 32,
631 .ptext = ptext1,
632 .plen = sizeof(ptext1),
633 .ctext = ctext8,
634 .clen = sizeof(ctext8),
635 }, {
636 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
637 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
638 "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
639 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
640 .klen = 32,
641 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
642 "\xde\xca\xf8\x88",
643 .ptext = ptext9,
644 .plen = sizeof(ptext9),
645 .ctext = ctext9,
646 .clen = sizeof(ctext9),
647 }, {
648 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
649 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
650 "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
651 "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
652 .klen = 32,
653 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
654 "\xde\xca\xf8\x88",
655 .ptext = ptext10,
656 .plen = sizeof(ptext10),
657 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
658 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
659 "\xab\xad\xda\xd2",
660 .alen = 20,
661 .ctext = ctext10,
662 .clen = sizeof(ctext10),
663 }, {
664 .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
665 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
666 "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
667 .klen = 24,
668 .iv = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
669 "\xde\xca\xf8\x88",
670 .ptext = ptext11,
671 .plen = sizeof(ptext11),
672 .assoc = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
673 "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
674 "\xab\xad\xda\xd2",
675 .alen = 20,
676 .ctext = ctext11,
677 .clen = sizeof(ctext11),
678 }, {
679 .key = "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
680 "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
681 "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
682 "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
683 .klen = 32,
684 .iv = "\x00\xff\xff\xff\xff\x00\x00\xff"
685 "\xff\xff\x00\xff",
686 .ptext = ptext12,
687 .plen = sizeof(ptext12),
688 .ctext = ctext12,
689 .clen = sizeof(ctext12),
690 }
691};
692
693static int __init libaesgcm_init(void)
694{
695 for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
696 u8 tagbuf[AES_BLOCK_SIZE];
697 int plen = aesgcm_tv[i].plen;
698 struct aesgcm_ctx ctx;
699 static u8 buf[sizeof(ptext12)];
700
701 if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
702 aesgcm_tv[i].clen - plen)) {
703 pr_err("aesgcm_expandkey() failed on vector %d\n", i);
704 return -ENODEV;
705 }
706
707 if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
708 aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
709 aesgcm_tv[i].iv, aesgcm_tv[i].ctext + plen)
710 || memcmp(p: buf, q: aesgcm_tv[i].ptext, size: plen)) {
711 pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
712 return -ENODEV;
713 }
714
715 /* encrypt in place */
716 aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
717 aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);
718 if (memcmp(p: buf, q: aesgcm_tv[i].ctext, size: plen)) {
719 pr_err("aesgcm_encrypt() failed on vector %d\n", i);
720 return -ENODEV;
721 }
722
723 /* decrypt in place */
724 if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
725 aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
726 || memcmp(p: buf, q: aesgcm_tv[i].ptext, size: plen)) {
727 pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
728 return -ENODEV;
729 }
730 }
731 return 0;
732}
733module_init(libaesgcm_init);
734
735static void __exit libaesgcm_exit(void)
736{
737}
738module_exit(libaesgcm_exit);
739#endif
740

source code of linux/lib/crypto/aesgcm.c