Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp378915rwi;
        Mon, 10 Oct 2022 01:28:54 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6UYx8mbryh6YLSnciiV9JPweMy/Hecr3Fy9gYubttswouHHYAu7iNOdAg/xquZ9ySYjr4c
X-Received: by 2002:a17:907:6d8c:b0:78d:b65a:ab12 with SMTP id sb12-20020a1709076d8c00b0078db65aab12mr3434926ejc.573.1665390534038;
        Mon, 10 Oct 2022 01:28:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1665390534; cv=none;
        d=google.com; s=arc-20160816;
        b=K/YnJczLeYXEOwgYT90tfEZscglvXwdTGZR0Q18s+rv4/Ic76wA6varFlnAqH+k1RQ
         Q+5JJw+ETi8YOicUzrREucKQ1nwOtuTeOSPJzWc9g6TVkO1Y+HcORN+Kt3Q0OQ/YeO5C
         IMK6UlRBQt8UgutVv+HmdmXKnQh0r5XZ+BmEzUdlggvdwefftyZUkNc+epCPv5+CWTva
         IQAIznKZiGgCVo9Ks6rBnk/4jU6M5THkjOTw7ftxC5mIlyPft6dagTbWnICNH3qMjb2W
         sf2FhxtRzcdBXHxUJdEQZx6ZKZ7ewI2bTWHK127DSqx8c9c7VbDXB4/SG9uNocS46gRe
         8oQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=eGe2a3uNqcC0qjGT66PxqoFM4DCA5caNk/WsCcn02Rs=;
        b=MiMVIKcbFHh16pf0gANvC/O1MJByCPOLQPAxdchyZC3O3Yi2VJ4mkXeB2WbtLDYgCL
         uS40DObcQ94MTbcOPQrWAjsY/i4IJl+anE8/e4BDfrqZwUhSPPLsnRoRDfdeBhd+5wrX
         caA9yOn9m7FysbV3tDzdlWM0hvdOX0Jd2npvC8EQouUkr/YO86MqrX37MSaIqwfX5MhY
         5iy2nTP6hjIufKuOUiVByvtvGNNmNaWlIqXpv5W68MHBJdxTkdWq+Gb79RBNWxgt9kBr
         4zl++1AtiFtTnvwfZ7ky/BkvRwpqdRiRhsP5wH5b+gETQqQGwVIwLfQywYelOiJmL9IY
         XPAg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=E2XnQiFP;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id mp33-20020a1709071b2100b0078d221bd0c2si10902293ejc.1009.2022.10.10.01.28.23;
        Mon, 10 Oct 2022 01:28:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=E2XnQiFP;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230512AbiJJIQK (ORCPT <rfc822;logchen2009@gmail.com>
        + 99 others); Mon, 10 Oct 2022 04:16:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39776 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231204AbiJJIQJ (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 10 Oct 2022 04:16:09 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C00FB580B5
        for <linux-crypto@vger.kernel.org>; Mon, 10 Oct 2022 01:16:07 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 69FF4B80D39
        for <linux-crypto@vger.kernel.org>; Mon, 10 Oct 2022 08:16:06 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EB8CC43142
        for <linux-crypto@vger.kernel.org>; Mon, 10 Oct 2022 08:16:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1665389765;
        bh=B9f6M1D2jX62mSJPBxEvHGNDg2iYr2XbOaQv8AyQy9M=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=E2XnQiFPPaneN1QRX8QPk79Nh2diBDCuq40Zn0MwDZX3ipM6UP3r7M2rLOCM/2/pY
         c1e7e9+U6/5prKS5v43sSpTpf5iBEV7A5ogD1BQACdNGLZWSJscOrI0AMpqjsl1hQH
         fbg23bMgpjaDWkx7rCE3GjSigTdlxHDSXMKeu3XlG6HCaJOBGqRuW6K+IJUECpPWSU
         3nIite91F9ybeHVogTFToAOl0Z1YjF+cVDmmZvlIfR9uXOKQpBOi3zGASLNC7mLC4I
         H7dvd/JDRCj77meUxVav5IBj3zPFB5oEFCdvoqu0uSTWPaw0iDGZlEBY8GWYob3aWh
         8XvgtF8az3j8A==
Received: by mail-lf1-f41.google.com with SMTP id j4so15606391lfk.0
        for <linux-crypto@vger.kernel.org>; Mon, 10 Oct 2022 01:16:04 -0700 (PDT)
X-Gm-Message-State: ACrzQf3wp34YZ8CSG3HdYPSKMm+v4YKcPPWz5ExkOGi3oU5rmOAunXQf
        8nUaU+vM2KL1XLXLOLtEP83iDZt8Y7evZMBxyYM=
X-Received: by 2002:a19:c20b:0:b0:4a2:40e5:78b1 with SMTP id
 l11-20020a19c20b000000b004a240e578b1mr6147903lfc.228.1665389763060; Mon, 10
 Oct 2022 01:16:03 -0700 (PDT)
MIME-Version: 1.0
References: <20221007152105.3057788-1-ardb@kernel.org> <3e395ad2-48f6-87f6-9042-a3ca21c0baba@amd.com>
In-Reply-To: <3e395ad2-48f6-87f6-9042-a3ca21c0baba@amd.com>
From:   Ard Biesheuvel <ardb@kernel.org>
Date:   Mon, 10 Oct 2022 10:15:51 +0200
X-Gmail-Original-Message-ID: <CAMj1kXGNXYvS9_-RwzzO-VeZN8+ZErhxGiCbfbBA5thJ84RxYA@mail.gmail.com>
Message-ID: <CAMj1kXGNXYvS9_-RwzzO-VeZN8+ZErhxGiCbfbBA5thJ84RxYA@mail.gmail.com>
Subject: Re: [PATCH] crypto: gcm - Provide minimal library implementation
To:     "Nikunj A. Dadhania" <nikunj@amd.com>
Cc:     linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au,
        ebiggers@kernel.org, keescook@chromium.org, jason@zx2c4.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, 10 Oct 2022 at 09:27, Nikunj A. Dadhania <nikunj@amd.com> wrote:
>
> Hi Ard,
>
> On 07/10/22 20:51, Ard Biesheuvel wrote:
> > Implement a minimal library version of GCM based on the existing library
> > implementations of AES and multiplication in GF(2^128). Using these
> > primitives, GCM can be implemented in a straight-forward manner.
> >
> > GCM has a couple of sharp edges, i.e., the amount of input data
> > processed with the same initialization vector (IV) should be capped to
> > protect the counter from 32-bit rollover (or carry), and the size of the
> > authentication tag should be fixed for a given key. [0]
> >
> > The former concern is addressed trivially, given that the function call
> > API uses 32-bit signed types for the input lengths. It is still up to
> > the caller to avoid IV reuse in general, but this is not something we
> > can police at the implementation level.
> >
> > As for the latter concern, let's make the authentication tag size part
> > of the key schedule, and only permit it to be configured as part of the
> > key expansion routine.
> >
> > Note that table based AES implementations are susceptible to known
> > plaintext timing attacks on the encryption key. The AES library already
> > attempts to mitigate this to some extent, but given that the counter
> > mode encryption used by GCM operates exclusively on known plaintext by
> > construction (the IV and therefore the initial counter value are known
> > to an attacker), let's take some extra care to mitigate this, by calling
> > the AES library with interrupts disabled.
> >
> > [0] https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf
> >
> > Cc: "Nikunj A. Dadhania" <nikunj@amd.com>
> > Link: https://lore.kernel.org/all/c6fb9b25-a4b6-2e4a-2dd1-63adda055a49@amd.com/
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> > +/**
> > + * gcm_decrypt - Perform GCM decryption on a block of data
> > + * @ctx:     The GCM key schedule
> > + * @dst:     Pointer to the plaintext output buffer
> > + * @src:     Pointer the ciphertext (may equal @dst for decryption in place)
> > + * @crypt_len:       The size in bytes of the plaintext and ciphertext.
> > + * @assoc:   Pointer to the associated data,
> > + * @assoc_len:       The size in bytes of the associated data
> > + * @iv:              The initialization vector (IV) to use for this block of data
> > + *           (must be 12 bytes in size as per the GCM spec recommendation)
> > + * @authtag: The address of the buffer in memory where the authentication
> > + *           tag is stored.
> > + *
> > + * Returns 0 on success, or -EBADMSG if the ciphertext failed authentication.
> > + * On failure, no plaintext will be returned.
> > + */
> > +int __must_check gcm_decrypt(const struct gcm_ctx *ctx, u8 *dst, const u8 *src,
> > +                          int crypt_len, const u8 *assoc, int assoc_len,
> > +                          const u8 iv[GCM_AES_IV_SIZE], const u8 *authtag)
> > +{
> > +     u8 tagbuf[AES_BLOCK_SIZE];
> > +     __be32 ctr[4];
> > +
> > +     memcpy(ctr, iv, GCM_AES_IV_SIZE);
> > +
> > +     gcm_mac(ctx, src, crypt_len, assoc, assoc_len, ctr, tagbuf);
> > +     if (crypto_memneq(authtag, tagbuf, ctx->authsize)) {
> > +             memzero_explicit(tagbuf, sizeof(tagbuf));
> > +             return -EBADMSG;
> > +     }
>
> The gcm_mac computation seems to be broken in this version. When I receive the encrypted
> packet back from the security processor the authtag does not match. Will debug further
> and report back.
>

Sorry to hear that. If you find out what's wrong, can you please
provide a test vector that reproduces it so we can add it to the list?