Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp420484rwi; Mon, 10 Oct 2022 02:16:02 -0700 (PDT) X-Google-Smtp-Source: AMsMyM42X9QBODyGY3OHCPlV6w6x9x17UoiQMbizFciGyRViLucu9F6w40nFPkFrqyICIYZKYtqr X-Received: by 2002:a17:907:7b95:b0:72f:9c64:4061 with SMTP id ne21-20020a1709077b9500b0072f9c644061mr14100607ejc.351.1665393362219; Mon, 10 Oct 2022 02:16:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665393362; cv=none; d=google.com; s=arc-20160816; b=wb0PBWgB/tMA/y3+DdM+rZj5Mii4VrQ8FL6aaPgZRpUa3WSMxBvmzFJrZlyQhCZ8LZ PWCS4PLqQhwpn8LbbJEiXP/1FfPJNyMCd5QqIKIvzpeAdMRidV1mKMEe0eX2tHPYiJmR kQhRzV9UVtfvn0d9RXETRvdKWW9K0/uZPPyulwZJmA4t25akMPHThN5aN4+SmHq4kR5p bnUz42VjvHTNUU94p0IQ5hFCIl2SvGoXmfBXTJ9WBzELDxhXL1ths3QHgxnGi24Yqnxk ylQP2i7VYJaFqrwE1t8kgi5c5qz7+AwagvaH0+9LFNHJmhUtlenowRdPnsK2ghk8tAhh niYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=U+VesL5rKH0WdIVQgPmf1JjjeAqqTvnxJT8QtaNJZKQ=; b=NSpj2SaMS0szKMRmHU1fSx1TAYCYsJcY3ThyQqs9lbWIYsx/PyF0EMDRGOU/Qw16rt oaeajnF7DOvMGojHblkcT0V6jQ5iPd2uIbXqDQ1VJ0fVqtlBFI/rH/DKNNG3/g55F5Nf lvHzNkywji/ErQEs81y0FwFWhmDMO5GknXoYp0KQC4P0gQtSHSd7jN+MPrgR7xeO37JP MGZwq7qpN2zq4m3I7C1kHTsvyyBAd5sd3RwtMrj/Cxa2hVHrhwDsOGAsGBr+O8Rrrdor Af2lowgJ1NE4EpV+gooPzbQpg8hGrc7KtkgNlhT6njeA2Ew8zzwUkbDKl7O8bDUbIMD6 PH3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hZbMJ5kR; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hq12-20020a1709073f0c00b00786676b58d3si10578691ejc.490.2022.10.10.02.15.27; Mon, 10 Oct 2022 02:16:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hZbMJ5kR; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231503AbiJJIou (ORCPT + 99 others); Mon, 10 Oct 2022 04:44:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231329AbiJJIot (ORCPT ); Mon, 10 Oct 2022 04:44:49 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 33FA8630A for ; Mon, 10 Oct 2022 01:44:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 2E566CE111C for ; Mon, 10 Oct 2022 08:44:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 789A9C433D6 for ; Mon, 10 Oct 2022 08:44:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1665391481; bh=U+VesL5rKH0WdIVQgPmf1JjjeAqqTvnxJT8QtaNJZKQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=hZbMJ5kRhgF13oQrYJb+wqTSpUOxijZ1HgmE+umbk7qkgCtGeEbLhQE/dXuNswj/r HxvxkxN2tLZH+eQDfeySA+HSGWpQkjo7PIjWp58OWofdH+lGK7f1owu0QzLnehJ8gp gWo779JJPlxo7nB65umKd0ksPgFC9q1M99CXzCgofJMzYv8zc6a45mNDFldUzz1oH1 GUQL/N0Zn0X1QZbyMZVh2r5OKiPSIprYlGeV/dGfnhvHJcwc3skJ68AbMloX0GpxEh bwY864r7xgEhyseeBoGrEuUYrHWwxjRxmw+9RE/fx3XSl8DPSq2VcGve1AtHhWGuMr TOhzj8dFIhe9Q== Received: by mail-lj1-f178.google.com with SMTP id f9so12425747ljk.12 for ; Mon, 10 Oct 2022 01:44:41 -0700 (PDT) X-Gm-Message-State: ACrzQf0kxG0WT0wOdqe2l/RczgE+or8z974bJ+IOPnFPCLwMRefSCm/q 0l2qBm9Fv5mJdXZ3rWbkAvCVPN+bYtcovzqI7kk= X-Received: by 2002:a2e:9a81:0:b0:26c:5b63:7a83 with SMTP id p1-20020a2e9a81000000b0026c5b637a83mr6780544lji.291.1665391479521; Mon, 10 Oct 2022 01:44:39 -0700 (PDT) MIME-Version: 1.0 References: <20221007152105.3057788-1-ardb@kernel.org> <3e395ad2-48f6-87f6-9042-a3ca21c0baba@amd.com> In-Reply-To: From: Ard Biesheuvel Date: Mon, 10 Oct 2022 10:44:28 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] crypto: gcm - Provide minimal library implementation To: "Nikunj A. Dadhania" Cc: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, keescook@chromium.org, jason@zx2c4.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, 10 Oct 2022 at 10:25, Nikunj A. Dadhania wrote: > > > > On 10/10/22 13:45, Ard Biesheuvel wrote: > > On Mon, 10 Oct 2022 at 09:27, Nikunj A. Dadhania wrote: > >> > >> Hi Ard, > >> > >> On 07/10/22 20:51, Ard Biesheuvel wrote: > >>> Implement a minimal library version of GCM based on the existing library > >>> implementations of AES and multiplication in GF(2^128). Using these > >>> primitives, GCM can be implemented in a straight-forward manner. > >>> > >>> GCM has a couple of sharp edges, i.e., the amount of input data > >>> processed with the same initialization vector (IV) should be capped to > >>> protect the counter from 32-bit rollover (or carry), and the size of the > >>> authentication tag should be fixed for a given key. [0] > >>> > >>> The former concern is addressed trivially, given that the function call > >>> API uses 32-bit signed types for the input lengths. It is still up to > >>> the caller to avoid IV reuse in general, but this is not something we > >>> can police at the implementation level. > >>> > >>> As for the latter concern, let's make the authentication tag size part > >>> of the key schedule, and only permit it to be configured as part of the > >>> key expansion routine. > >>> > >>> Note that table based AES implementations are susceptible to known > >>> plaintext timing attacks on the encryption key. The AES library already > >>> attempts to mitigate this to some extent, but given that the counter > >>> mode encryption used by GCM operates exclusively on known plaintext by > >>> construction (the IV and therefore the initial counter value are known > >>> to an attacker), let's take some extra care to mitigate this, by calling > >>> the AES library with interrupts disabled. > >>> > >>> > >>> Cc: "Nikunj A. Dadhania" > >>> Signed-off-by: Ard Biesheuvel > >>> --- ... > >> The gcm_mac computation seems to be broken in this version. When I receive the encrypted > >> packet back from the security processor the authtag does not match. Will debug further > >> and report back. > >> > > > > Sorry to hear that. If you find out what's wrong, can you please > > provide a test vector that reproduces it so we can add it to the list? > > My bad, it was wrong crypt_len that I was sending. Working fine now. > > Tested-by: Nikunj A Dadhania OK, good to know - thanks.