2013-04-07 13:43:44

by Jussi Kivilinna

Subject: [PATCH 1/4] crypto: gcm - make GMAC work when dst and src are different

The GMAC code assumes that dst==src, which causes problems when trying to add
rfc4543(gcm(aes)) test vectors.

So fix this code to work when the source and destination buffers are different.

Signed-off-by: Jussi Kivilinna <[email protected]>
---
crypto/Kconfig | 1 +
crypto/gcm.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++----------
2 files changed, 81 insertions(+), 17 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index a654b13..6cc27f1 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -198,6 +198,7 @@ config CRYPTO_GCM
select CRYPTO_CTR
select CRYPTO_AEAD
select CRYPTO_GHASH
+ select CRYPTO_NULL
help
Support for Galois/Counter Mode (GCM) and Galois Message
Authentication Code (GMAC). Required for IPSec.
diff --git a/crypto/gcm.c b/crypto/gcm.c
index 137ad1e..4ff2139 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -37,8 +37,14 @@ struct crypto_rfc4106_ctx {
u8 nonce[4];
};

+struct crypto_rfc4543_instance_ctx {
+ struct crypto_aead_spawn aead;
+ struct crypto_skcipher_spawn null;
+};
+
struct crypto_rfc4543_ctx {
struct crypto_aead *child;
+ struct crypto_blkcipher *null;
u8 nonce[4];
};

@@ -1094,20 +1100,20 @@ static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
}

static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
- int enc)
+ bool enc)
{
struct crypto_aead *aead = crypto_aead_reqtfm(req);
struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
struct aead_request *subreq = &rctx->subreq;
- struct scatterlist *dst = req->dst;
+ struct scatterlist *src = req->src;
struct scatterlist *cipher = rctx->cipher;
struct scatterlist *payload = rctx->payload;
struct scatterlist *assoc = rctx->assoc;
unsigned int authsize = crypto_aead_authsize(aead);
unsigned int assoclen = req->assoclen;
- struct page *dstp;
- u8 *vdst;
+ struct page *srcp;
+ u8 *vsrc;
u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
crypto_aead_alignmask(ctx->child) + 1);

@@ -1118,19 +1124,19 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
if (enc)
memset(rctx->auth_tag, 0, authsize);
else
- scatterwalk_map_and_copy(rctx->auth_tag, dst,
+ scatterwalk_map_and_copy(rctx->auth_tag, src,
req->cryptlen - authsize,
authsize, 0);

sg_init_one(cipher, rctx->auth_tag, authsize);

/* construct the aad */
- dstp = sg_page(dst);
- vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
+ srcp = sg_page(src);
+ vsrc = PageHighMem(srcp) ? NULL : page_address(srcp) + src->offset;

sg_init_table(payload, 2);
sg_set_buf(payload, req->iv, 8);
- scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
+ scatterwalk_crypto_chain(payload, src, vsrc == req->iv + 8, 2);
assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);

sg_init_table(assoc, 2);
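Review bot: The `vsrc == req->iv + 8` argument to scatterwalk_crypto_chain is the one non-obvious line in this hunk and carries no comment; as I read the chain flag, it lets the 8-byte IV entry absorb src when src starts right after `req->iv` in lowmem, so the AAD walk sees one contiguous region instead of two. I'd annotate it: `/* merge src into the IV entry when it directly follows req->iv in memory (never for highmem pages) */`. The PageHighMem test two lines above deserves the same half-sentence, since assigning NULL there is what makes the comparison come out false for highmem pages. crypto_rfc4543_crypt begins in the previous hunk and continues after this one.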
@@ -1147,6 +1153,19 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
return subreq;
}

+static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
+{
+ struct crypto_aead *aead = crypto_aead_reqtfm(req);
+ struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
+ unsigned int authsize = crypto_aead_authsize(aead);
+ unsigned int nbytes = req->cryptlen - (enc ? 0 : authsize);
+ struct blkcipher_desc desc = {
+ .tfm = ctx->null,
+ };
+
+ return crypto_blkcipher_encrypt(&desc, req->dst, req->src, nbytes);
+}
+
static int crypto_rfc4543_encrypt(struct aead_request *req)
{
struct crypto_aead *aead = crypto_aead_reqtfm(req);
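Review bot: crypto_rfc4543_copy_src_to_dst has no comment on why the payload goes through `ctx->null` rather than a direct scatterlist copy, nor on what `nbytes` leaves out. I'd head it with `/* Copy the payload from src to dst through ecb(cipher_null); on decrypt the trailing auth tag is not copied, since dst receives only the cryptlen - authsize bytes of data. */`. The subtraction in `nbytes` also presumes the caller has already rejected `req->cryptlen < authsize` on the decrypt path — I assume the AEAD layer does that, but a one-line note would save the next reader the same check. The helper is complete within this hunk.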
@@ -1154,7 +1173,13 @@ static int crypto_rfc4543_encrypt(struct aead_request *req)
struct aead_request *subreq;
int err;

- subreq = crypto_rfc4543_crypt(req, 1);
+ if (req->src != req->dst) {
+ err = crypto_rfc4543_copy_src_to_dst(req, true);
+ if (err)
+ return err;
+ }
+
+ subreq = crypto_rfc4543_crypt(req, true);
err = crypto_aead_encrypt(subreq);
if (err)
return err;
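Review bot: The `req->src != req->dst` guard around the copy is repeated verbatim in crypto_rfc4543_decrypt in the next hunk, so the identity test and its error propagation now live in two places. I'd move the test into the helper — `if (req->src == req->dst) return 0;` as the first statement of crypto_rfc4543_copy_src_to_dst — and reduce each caller to `err = crypto_rfc4543_copy_src_to_dst(req, true); if (err) return err;`. Note too that the test is pointer identity on the scatterlist heads; two distinct lists describing the same memory would still take the copy path, presumably harmlessly, but that is worth a word in a comment if such callers exist. crypto_rfc4543_encrypt continues beyond this hunk.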
@@ -1167,7 +1192,15 @@ static int crypto_rfc4543_encrypt(struct aead_request *req)

static int crypto_rfc4543_decrypt(struct aead_request *req)
{
- req = crypto_rfc4543_crypt(req, 0);
+ int err;
+
+ if (req->src != req->dst) {
+ err = crypto_rfc4543_copy_src_to_dst(req, false);
+ if (err)
+ return err;
+ }
+
+ req = crypto_rfc4543_crypt(req, false);

return crypto_aead_decrypt(req);
}
@@ -1175,16 +1208,25 @@ static int crypto_rfc4543_decrypt(struct aead_request *req)
static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
{
struct crypto_instance *inst = (void *)tfm->__crt_alg;
- struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
+ struct crypto_rfc4543_instance_ctx *ictx = crypto_instance_ctx(inst);
+ struct crypto_aead_spawn *spawn = &ictx->aead;
struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
struct crypto_aead *aead;
+ struct crypto_blkcipher *null;
unsigned long align;
+ int err = 0;

aead = crypto_spawn_aead(spawn);
if (IS_ERR(aead))
return PTR_ERR(aead);

+ null = crypto_spawn_blkcipher(&ictx->null.base);
+ err = PTR_ERR(null);
+ if (IS_ERR(null))
+ goto err_free_aead;
+
ctx->child = aead;
+ ctx->null = null;

align = crypto_aead_alignmask(aead);
align &= ~(crypto_tfm_ctx_alignment() - 1);
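Review bot: `int err = 0;` is a dead initialiser — `err` is assigned from `PTR_ERR(null)` before its first read and the success path returns the literal 0 — so `int err;` says the same with less to misread. The two-step `err = PTR_ERR(null); if (IS_ERR(null))` idiom is fine but deserves a word, e.g. `/* PTR_ERR of a valid pointer is never read: the success path returns 0 below */`, because a reader may otherwise wonder whether `err` carries a stale value. The function's tail, including the `err_free_aead` label, is in the next hunk.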
@@ -1194,6 +1236,10 @@ static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
align + 16;

return 0;
+
+err_free_aead:
+ crypto_free_aead(aead);
+ return err;
}

static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
@@ -1201,6 +1247,7 @@ static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);

crypto_free_aead(ctx->child);
+ crypto_free_blkcipher(ctx->null);
}

static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
@@ -1209,6 +1256,7 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
struct crypto_instance *inst;
struct crypto_aead_spawn *spawn;
struct crypto_alg *alg;
+ struct crypto_rfc4543_instance_ctx *ctx;
const char *ccm_name;
int err;

@@ -1223,11 +1271,12 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
if (IS_ERR(ccm_name))
return ERR_CAST(ccm_name);

- inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
+ inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
if (!inst)
return ERR_PTR(-ENOMEM);

- spawn = crypto_instance_ctx(inst);
+ ctx = crypto_instance_ctx(inst);
+ spawn = &ctx->aead;
crypto_set_aead_spawn(spawn, inst);
err = crypto_grab_aead(spawn, ccm_name, 0,
crypto_requires_sync(algt->type, algt->mask));
@@ -1236,15 +1285,23 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)

alg = crypto_aead_spawn_alg(spawn);

+ crypto_set_skcipher_spawn(&ctx->null, inst);
+ err = crypto_grab_skcipher(&ctx->null, "ecb(cipher_null)", 0,
+ CRYPTO_ALG_ASYNC);
+ if (err)
+ goto out_drop_alg;
+
+ crypto_skcipher_spawn_alg(&ctx->null);
+
err = -EINVAL;

/* We only support 16-byte blocks. */
if (alg->cra_aead.ivsize != 16)
- goto out_drop_alg;
+ goto out_drop_ecbnull;

/* Not a stream cipher? */
if (alg->cra_blocksize != 1)
- goto out_drop_alg;
+ goto out_drop_ecbnull;

err = -ENAMETOOLONG;
if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
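Review bot: `crypto_skcipher_spawn_alg(&ctx->null);` on its own line discards the returned alg, so the statement has no effect; either drop it or bind the result if a later check on the null cipher was intended. The grab call above it passes type `0` and mask `CRYPTO_ALG_ASYNC`, which as I read the type/mask convention asks for a synchronous implementation — that is load-bearing, because crypto_rfc4543_copy_src_to_dst drives `ctx->null` through crypto_blkcipher_encrypt with no completion handling, so a comment such as `/* sync only: the src->dst copy runs inline before the child request */` belongs on that call. crypto_rfc4543_alloc continues outside this hunk.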
@@ -1252,7 +1309,7 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
"rfc4543(%s)", alg->cra_driver_name) >=
CRYPTO_MAX_ALG_NAME)
- goto out_drop_alg;
+ goto out_drop_ecbnull;

inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
@@ -1279,6 +1336,8 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
out:
return inst;

+out_drop_ecbnull:
+ crypto_drop_skcipher(&ctx->null);
out_drop_alg:
crypto_drop_aead(spawn);
out_free_inst:
@@ -1289,7 +1348,11 @@ out_free_inst:

static void crypto_rfc4543_free(struct crypto_instance *inst)
{
- crypto_drop_spawn(crypto_instance_ctx(inst));
+ struct crypto_rfc4543_instance_ctx *ctx = crypto_instance_ctx(inst);
+
+ crypto_drop_aead(&ctx->aead);
+ crypto_drop_skcipher(&ctx->null);
+
kfree(inst);
}



2013-04-07 13:43:48

by Jussi Kivilinna

Subject: [PATCH 2/4] crypto: gcm - fix rfc4543 to handle async crypto correctly

If the gcm cipher used by rfc4543 does not complete the request immediately,
the authentication tag is not copied to the destination buffer. This patch adds
the correct async logic for this case.

Signed-off-by: Jussi Kivilinna <[email protected]>
---
crypto/gcm.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/crypto/gcm.c b/crypto/gcm.c
index 4ff2139..b0d3cb1 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -1099,6 +1099,21 @@ static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
return crypto_aead_setauthsize(ctx->child, authsize);
}

+static void crypto_rfc4543_done(struct crypto_async_request *areq, int err)
+{
+ struct aead_request *req = areq->data;
+ struct crypto_aead *aead = crypto_aead_reqtfm(req);
+ struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
+
+ if (!err) {
+ scatterwalk_map_and_copy(rctx->auth_tag, req->dst,
+ req->cryptlen,
+ crypto_aead_authsize(aead), 1);
+ }
+
+ aead_request_complete(req, err);
+}
+
static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
bool enc)
{
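Review bot: crypto_rfc4543_done copies `rctx->auth_tag` to `req->dst` at offset `req->cryptlen` whenever the child request succeeds, but the second hunk of this patch installs it as the callback inside crypto_rfc4543_crypt, which serves the decrypt path as well as encrypt. On an asynchronous decrypt that write is at best redundant — dst receives only the payload and the tag was read from src — and at worst lands beyond the data the caller set up, since I would not expect dst to extend past `req->cryptlen` there; please confirm against the AEAD buffer convention. The simplest fix is to keep the tag placement to the encrypt direction, for example by installing the callback only when `enc` is set: `aead_request_set_callback(subreq, req->base.flags, enc ? crypto_rfc4543_done : req->base.complete, enc ? req : req->base.data);`. A one-line comment on crypto_rfc4543_done saying it finishes the encrypt side's tag placement for async completion would also help.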
@@ -1145,8 +1160,8 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
scatterwalk_crypto_chain(assoc, payload, 0, 2);

aead_request_set_tfm(subreq, ctx->child);
- aead_request_set_callback(subreq, req->base.flags, req->base.complete,
- req->base.data);
+ aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
+ req);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
aead_request_set_assoc(subreq, assoc, assoclen);


2013-04-07 13:43:53

by Jussi Kivilinna

Subject: [PATCH 3/4] crypto: testmgr - add AES GMAC test vectors

Signed-off-by: Jussi Kivilinna <[email protected]>
---
crypto/tcrypt.c | 4 ++
crypto/testmgr.c | 17 +++++++++-
crypto/testmgr.h | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 108 insertions(+), 2 deletions(-)

diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 87ef7d6..6b911ef 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -1225,6 +1225,10 @@ static int do_test(int m)
ret += tcrypt_test("rfc4106(gcm(aes))");
break;

+ case 152:
+ ret += tcrypt_test("rfc4543(gcm(aes))");
+ break;
+
case 200:
test_cipher_speed("ecb(aes)", ENCRYPT, sec, NULL, 0,
speed_template_16_24_32);
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index efd8b20..442ddb4 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2696,8 +2696,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}
}, {
-
-
.alg = "rfc4309(ccm(aes))",
.test = alg_test_aead,
.fips_allowed = 1,
@@ -2714,6 +2712,21 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}
}, {
+ .alg = "rfc4543(gcm(aes))",
+ .test = alg_test_aead,
+ .suite = {
+ .aead = {
+ .enc = {
+ .vecs = aes_gcm_rfc4543_enc_tv_template,
+ .count = AES_GCM_4543_ENC_TEST_VECTORS
+ },
+ .dec = {
+ .vecs = aes_gcm_rfc4543_dec_tv_template,
+ .count = AES_GCM_4543_DEC_TEST_VECTORS
+ },
+ }
+ }
+ }, {
.alg = "rmd128",
.test = alg_test_hash,
.suite = {
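Review bot: The new rfc4543(gcm(aes)) descriptor sets no `.fips_allowed`, while the neighbouring rfc4309(ccm(aes)) entry carries `.fips_allowed = 1`. If the omission is deliberate, a comment saying so on the entry would stop the next reader from treating it as an oversight; if not, the line should be added for parity with the rfc4309 entry above. I can't tell the intended FIPS policy for GMAC from the page.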
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index b5721e0..92db37d 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -12680,6 +12680,8 @@ static struct cipher_testvec cast6_xts_dec_tv_template[] = {
#define AES_GCM_DEC_TEST_VECTORS 8
#define AES_GCM_4106_ENC_TEST_VECTORS 7
#define AES_GCM_4106_DEC_TEST_VECTORS 7
+#define AES_GCM_4543_ENC_TEST_VECTORS 1
+#define AES_GCM_4543_DEC_TEST_VECTORS 2
#define AES_CCM_ENC_TEST_VECTORS 7
#define AES_CCM_DEC_TEST_VECTORS 7
#define AES_CCM_4309_ENC_TEST_VECTORS 7
@@ -18193,6 +18195,93 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
}
};

+static struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
+ { /* From draft-mcgrew-gcm-test-01 */
+ .key = "\x4c\x80\xcd\xef\xbb\x5d\x10\xda"
+ "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
+ "\x22\x43\x3c\x64",
+ .klen = 20,
+ .iv = zeroed_string,
+ .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
+ .alen = 8,
+ .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01",
+ .ilen = 52,
+ .result = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01\xf2\xa9\xa8\x36"
+ "\xe1\x55\x10\x6a\xa8\xdc\xd6\x18"
+ "\xe4\x09\x9a\xaa",
+ .rlen = 68,
+ }
+};
+
+static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
+ { /* From draft-mcgrew-gcm-test-01 */
+ .key = "\x4c\x80\xcd\xef\xbb\x5d\x10\xda"
+ "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
+ "\x22\x43\x3c\x64",
+ .klen = 20,
+ .iv = zeroed_string,
+ .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
+ .alen = 8,
+ .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01\xf2\xa9\xa8\x36"
+ "\xe1\x55\x10\x6a\xa8\xdc\xd6\x18"
+ "\xe4\x09\x9a\xaa",
+ .ilen = 68,
+ .result = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01",
+ .rlen = 52,
+ }, { /* nearly same as previous, but should fail */
+ .key = "\x4c\x80\xcd\xef\xbb\x5d\x10\xda"
+ "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
+ "\x22\x43\x3c\x64",
+ .klen = 20,
+ .iv = zeroed_string,
+ .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
+ .alen = 8,
+ .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01\xf2\xa9\xa8\x36"
+ "\xe1\x55\x10\x6a\xa8\xdc\xd6\x18"
+ "\x00\x00\x00\x00",
+ .ilen = 68,
+ .novrfy = 1,
+ .result = "\x45\x00\x00\x30\xda\x3a\x00\x00"
+ "\x80\x01\xdf\x3b\xc0\xa8\x00\x05"
+ "\xc0\xa8\x00\x01\x08\x00\xc6\xcd"
+ "\x02\x00\x07\x00\x61\x62\x63\x64"
+ "\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+ "\x6d\x6e\x6f\x70\x71\x72\x73\x74"
+ "\x01\x02\x02\x01",
+ .rlen = 52,
+ },
+};
+
static struct aead_testvec aes_ccm_enc_tv_template[] = {
{ /* From RFC 3610 */
.key = "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"

2013-04-07 13:43:58

by Jussi Kivilinna

Subject: [PATCH 4/4] crypto: testmgr - add empty test vectors for null ciphers

Without these, the kernel log shows:
[ 5.984881] alg: No test for cipher_null (cipher_null-generic)
[ 5.985096] alg: No test for ecb(cipher_null) (ecb-cipher_null)
[ 5.985170] alg: No test for compress_null (compress_null-generic)
[ 5.985297] alg: No test for digest_null (digest_null-generic)

Signed-off-by: Jussi Kivilinna <[email protected]>
---
crypto/testmgr.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 442ddb4..f37e544 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1913,6 +1913,9 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}
}, {
+ .alg = "compress_null",
+ .test = alg_test_null,
+ }, {
.alg = "crc32c",
.test = alg_test_crc32c,
.fips_allowed = 1,
@@ -2127,6 +2130,9 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}
}, {
+ .alg = "digest_null",
+ .test = alg_test_null,
+ }, {
.alg = "ecb(__aes-aesni)",
.test = alg_test_null,
.fips_allowed = 1,
@@ -2237,6 +2243,9 @@ static const struct alg_test_desc alg_test_descs[] = {
}
}
}, {
+ .alg = "ecb(cipher_null)",
+ .test = alg_test_null,
+ }, {
.alg = "ecb(des)",
.test = alg_test_skcipher,
.fips_allowed = 1,

2013-04-10 03:32:09

by Herbert Xu

Subject: Re: [PATCH 1/4] crypto: gcm - make GMAC work when dst and src are different

On Sun, Apr 07, 2013 at 04:43:41PM +0300, Jussi Kivilinna wrote:
> The GMAC code assumes that dst==src, which causes problems when trying to add
> rfc4543(gcm(aes)) test vectors.
>
> So fix this code to work when source and destination buffer are different.
>
> Signed-off-by: Jussi Kivilinna <[email protected]>

All applied. Thanks Jussi!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt