Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp4841501rwi; Mon, 17 Oct 2022 11:29:28 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6gX2Sy1f9LjStVJWO84qOt5s44H4Pt8RKNOItNMItXNyBeYlDAvRqe6OoujopevYGiLVCE X-Received: by 2002:a17:90b:3890:b0:20a:9ab0:6fa2 with SMTP id mu16-20020a17090b389000b0020a9ab06fa2mr35467038pjb.49.1666031367799; Mon, 17 Oct 2022 11:29:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666031367; cv=none; d=google.com; s=arc-20160816; b=RTIgXt/xf/cV5EDclW5F7etSS10cMg2/9fh1VNRzVC9caYVjxXbbCy1olaPtPSr3TB nvb4+FCs88dBJg/WmMDXP99A5m2orP0cH8yyH2iehk0jBwBIq1AOeI3dOVk95AURKU8y SGaFIVDXIkt/E1zd9nYISYaw2H9yqcbCrD65iUGFYP+d3lQLwR5y1+rfYyQxQM27h3KH YcjZw4dqAk4VozdyRF17kAiShh5puzDBFHfRXsOAK8ixXAcM6T8REL3ljYrFgH1bh5l0 jAM9eERWuPPSeX9mKt2eTFySnkyXvYg0JboHNvkvV/0mwoc5SMS+3fyKP4OyftbEIu3s bhRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=+tCIgWC2cl9O/3hqN2ObGfQswdEQeEJes9BZzbcIVnk=; b=nrdlwBjTsRR5uZe3sH1N694EnAJWe4U9A+/jqQ03rUFuzcaM9RaeVFR6Ui7vxwSb08 9lqebQoINntM8HnYXbXXwgJRL6qUXKY+OzLFi6iiYIjMoiXFlXm7+4KppvwTYWX6XCJV emBOjCQUKM8X8l3sWaaoigiSHc4asvsc1ImunUjknd2tB0Fu6m9WGsLvleEu4C0vcr3S l2dRvrgnpFCj69sBuu40t9T04kjoIHdYWjcXffuswTLRvVyHBmCgtz0DVqrpiqUvQI1W svM26bmWD+MKWTvXAGh53CrmYghu/LVd4Kg7rDE5YO9gaaAfo8fzTAcWkrBMmWgk3Z/B U+6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=oB4u044n; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x191-20020a6386c8000000b0046040a85eacsi11003748pgd.538.2022.10.17.11.29.02; Mon, 17 Oct 2022 11:29:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=oB4u044n; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230038AbiJQSU1 (ORCPT + 99 others); Mon, 17 Oct 2022 14:20:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230021AbiJQSUZ (ORCPT ); Mon, 17 Oct 2022 14:20:25 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 002764C02A for ; Mon, 17 Oct 2022 11:20:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E62BDB819D9 for ; Mon, 17 Oct 2022 18:20:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7D10CC433D6; Mon, 17 Oct 2022 18:20:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666030820; bh=hkkJWDsveoQkK3tWWYnwGetFM4sqAcAz3V6vQQ8j+VI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=oB4u044nHJi8WVabMIpNyaSOtAgPun2xRc6a6IYUwovdzzSKeN/Tn9xpA9XwEFVHs s52yXRZtu4pkHbJdw8LaUZljZJLqNFZqnuHOaJmBWDtpWSFNh9ZAZsRZs8dXWC5XrF ElyHVbsQtB7JLk6gy04YPNYKcHbMS2B1YetA5Mr75GEeUk21YnW+wKSVyCUBoknBkw 5rUi+0TzWFadV7yQJz41wK0KR6fFJgkQ0/z/aWqPwWYRItUd5IbRjDX0sXjeyz2gZA GLsR06TaSfZHwEF7+u+Bm5nodQB49IO/CvUclAs6b99v7qk1LUinquzhEfnirbhJpM NZcXeEbSKgsFg== Date: Mon, 17 Oct 2022 11:20:18 -0700 From: Eric Biggers To: Ard Biesheuvel Cc: linux-crypto@vger.kernel.org, keescook@chromium.org, jason@zx2c4.com, herbert@gondor.apana.org.au, Nikunj A Dadhania Subject: Re: [PATCH v2] crypto: gcmaes - Provide minimal library implementation Message-ID: References: <20221014104713.2613195-1-ardb@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221014104713.2613195-1-ardb@kernel.org> X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, Oct 14, 2022 at 12:47:13PM +0200, Ard Biesheuvel wrote: > Note that table based AES implementations are susceptible to known > plaintext timing attacks on the encryption key. The AES library already > attempts to mitigate this to some extent, but given that the counter > mode encryption used by GCM operates exclusively on known plaintext by > construction (the IV and therefore the initial counter value are known > to an attacker), let's take some extra care to mitigate this, by calling > the AES library with interrupts disabled. Note that crypto/gf128mul.c has no mitigations against timing attacks. I take it that is something that needs to be tolerated here? > diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h > index 9d7eff04f224..dfbc381df5ae 100644 > --- a/include/crypto/gcm.h > +++ b/include/crypto/gcm.h > @@ -3,6 +3,9 @@ > > #include > > +#include > +#include > + > #define GCM_AES_IV_SIZE 12 > #define GCM_RFC4106_IV_SIZE 8 > #define GCM_RFC4543_IV_SIZE 8 > @@ -60,4 +63,67 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen) > > return 0; > } > + > +struct gcmaes_ctx { > + be128 ghash_key; > + struct crypto_aes_ctx aes_ctx; > + unsigned int authsize; > +}; > + > +/** > + * gcmaes_expandkey - Expands the AES and GHASH keys for the GCM-AES key > + * schedule > + * > + * @ctx: The data structure that will hold the GCM-AES key schedule > + * @key: The AES encryption input key > + * @keysize: The length in bytes of the input key > + * @authsize: The size in bytes of the GCM authentication tag > + * > + * Returns 0 on success, or -EINVAL if @keysize or @authsize contain values > + * that are not permitted by the GCM specification. > + */ > +int gcmaes_expandkey(struct gcmaes_ctx *ctx, const u8 *key, > + unsigned int keysize, unsigned int authsize); These comments are duplicated in the .c file too. They should be in just one place, probably the .c file since that approach is more common in the kernel. Also, this seems to be intended to be a kerneldoc comment, but the return value isn't documented in the correct format. It needs to be "Return:". Try this: $ ./scripts/kernel-doc -v -none lib/crypto/gcmaes.c lib/crypto/gcmaes.c:35: info: Scanning doc for function gcmaes_expandkey lib/crypto/gcmaes.c:48: warning: No description found for return value of 'gcmaes_expandkey' lib/crypto/gcmaes.c:114: info: Scanning doc for function gcmaes_encrypt lib/crypto/gcmaes.c:142: info: Scanning doc for function gcmaes_decrypt lib/crypto/gcmaes.c:162: warning: No description found for return value of 'gcmaes_decrypt' > +config CRYPTO_LIB_GCMAES > + tristate > + select CRYPTO_GF128MUL > + select CRYPTO_LIB_AES > + select CRYPTO_LIB_UTILS Doesn't this mean that crypto/gf128mul.c needs to be moved into lib/crypto/? - Eric