xref: /openbmc/linux/lib/crypto/aesgcm.c (revision 8d59a64cbec8cebf2e1ec9977de4f67fc7341dc6)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Minimal library implementation of GCM
4  *
5  * Copyright 2022 Google LLC
6  */
7 
8 #include <linux/module.h>
9 
10 #include <crypto/algapi.h>
11 #include <crypto/gcm.h>
12 #include <crypto/ghash.h>
13 
14 #include <asm/irqflags.h>
15 
16 static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
17 				 const void *src)
18 {
19 	unsigned long flags;
20 
21 	/*
22 	 * In AES-GCM, both the GHASH key derivation and the CTR mode
23 	 * encryption operate on known plaintext, making them susceptible to
24 	 * timing attacks on the encryption key. The AES library already
25 	 * mitigates this risk to some extent by pulling the entire S-box into
26 	 * the caches before doing any substitutions, but this strategy is more
27 	 * effective when running with interrupts disabled.
28 	 */
29 	local_irq_save(flags);
30 	aes_encrypt(ctx, dst, src);
31 	local_irq_restore(flags);
32 }
33 
34 /**
35  * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
36  *		      schedule
37  *
38  * @ctx:	The data structure that will hold the AES-GCM key schedule
39  * @key:	The AES encryption input key
40  * @keysize:	The length in bytes of the input key
41  * @authsize:	The size in bytes of the GCM authentication tag
42  *
43  * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
44  * that are not permitted by the GCM specification.
45  */
46 int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
47 		     unsigned int keysize, unsigned int authsize)
48 {
49 	u8 kin[AES_BLOCK_SIZE] = {};
50 	int ret;
51 
52 	ret = crypto_gcm_check_authsize(authsize) ?:
53 	      aes_expandkey(&ctx->aes_ctx, key, keysize);
54 	if (ret)
55 		return ret;
56 
57 	ctx->authsize = authsize;
58 	aesgcm_encrypt_block(&ctx->aes_ctx, &ctx->ghash_key, kin);
59 
60 	return 0;
61 }
62 EXPORT_SYMBOL(aesgcm_expandkey);
63 
64 static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
65 			 int len)
66 {
67 	while (len > 0) {
68 		crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
69 		gf128mul_lle(ghash, key);
70 
71 		src += GHASH_BLOCK_SIZE;
72 		len -= GHASH_BLOCK_SIZE;
73 	}
74 }
75 
76 static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
77 		       const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
78 {
79 	be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
80 	u8 buf[AES_BLOCK_SIZE];
81 	be128 ghash = {};
82 
83 	aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
84 	aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
85 	aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
86 
87 	ctr[3] = cpu_to_be32(1);
88 	aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
89 	crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
90 
91 	memzero_explicit(&ghash, sizeof(ghash));
92 	memzero_explicit(buf, sizeof(buf));
93 }
94 
95 static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
96 			 int len, __be32 *ctr)
97 {
98 	u8 buf[AES_BLOCK_SIZE];
99 	unsigned int n = 2;
100 
101 	while (len > 0) {
102 		/*
103 		 * The counter increment below must not result in overflow or
104 		 * carry into the next 32-bit word, as this could result in
105 		 * inadvertent IV reuse, which must be avoided at all cost for
106 		 * stream ciphers such as AES-CTR. Given the range of 'int
107 		 * len', this cannot happen, so no explicit test is necessary.
108 		 */
109 		ctr[3] = cpu_to_be32(n++);
110 		aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
111 		crypto_xor_cpy(dst, src, buf, min(len, AES_BLOCK_SIZE));
112 
113 		dst += AES_BLOCK_SIZE;
114 		src += AES_BLOCK_SIZE;
115 		len -= AES_BLOCK_SIZE;
116 	}
117 	memzero_explicit(buf, sizeof(buf));
118 }
119 
120 /**
121  * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
122  *
123  * @ctx:	The AES-GCM key schedule
124  * @dst:	Pointer to the ciphertext output buffer
125  * @src:	Pointer the plaintext (may equal @dst for encryption in place)
126  * @crypt_len:	The size in bytes of the plaintext and ciphertext.
127  * @assoc:	Pointer to the associated data,
128  * @assoc_len:	The size in bytes of the associated data
129  * @iv:		The initialization vector (IV) to use for this block of data
130  *		(must be 12 bytes in size as per the GCM spec recommendation)
131  * @authtag:	The address of the buffer in memory where the authentication
132  *		tag should be stored. The buffer is assumed to have space for
133  *		@ctx->authsize bytes.
134  */
135 void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
136 		    int crypt_len, const u8 *assoc, int assoc_len,
137 		    const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
138 {
139 	__be32 ctr[4];
140 
141 	memcpy(ctr, iv, GCM_AES_IV_SIZE);
142 
143 	aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
144 	aesgcm_mac(ctx, dst, crypt_len, assoc, assoc_len, ctr, authtag);
145 }
146 EXPORT_SYMBOL(aesgcm_encrypt);
147 
148 /**
149  * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
150  *
151  * @ctx:	The AES-GCM key schedule
152  * @dst:	Pointer to the plaintext output buffer
153  * @src:	Pointer the ciphertext (may equal @dst for decryption in place)
154  * @crypt_len:	The size in bytes of the plaintext and ciphertext.
155  * @assoc:	Pointer to the associated data,
156  * @assoc_len:	The size in bytes of the associated data
157  * @iv:		The initialization vector (IV) to use for this block of data
158  *		(must be 12 bytes in size as per the GCM spec recommendation)
159  * @authtag:	The address of the buffer in memory where the authentication
160  *		tag is stored.
161  *
162  * Returns: true on success, or false if the ciphertext failed authentication.
163  * On failure, no plaintext will be returned.
164  */
165 bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
166 				 const u8 *src, int crypt_len, const u8 *assoc,
167 				 int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
168 				 const u8 *authtag)
169 {
170 	u8 tagbuf[AES_BLOCK_SIZE];
171 	__be32 ctr[4];
172 
173 	memcpy(ctr, iv, GCM_AES_IV_SIZE);
174 
175 	aesgcm_mac(ctx, src, crypt_len, assoc, assoc_len, ctr, tagbuf);
176 	if (crypto_memneq(authtag, tagbuf, ctx->authsize)) {
177 		memzero_explicit(tagbuf, sizeof(tagbuf));
178 		return false;
179 	}
180 	aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
181 	return true;
182 }
183 EXPORT_SYMBOL(aesgcm_decrypt);
184 
185 MODULE_DESCRIPTION("Generic AES-GCM library");
186 MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
187 MODULE_LICENSE("GPL");
188 
189 #ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
190 
191 /*
192  * Test code below. Vectors taken from crypto/testmgr.h
193  */
194 
195 static const u8 __initconst ctext0[16] =
196 	"\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
197 	"\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
198 
199 static const u8 __initconst ptext1[16];
200 
201 static const u8 __initconst ctext1[32] =
202 	"\x03\x88\xda\xce\x60\xb6\xa3\x92"
203 	"\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
204 	"\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
205 	"\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
206 
207 static const u8 __initconst ptext2[64] =
208 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
209 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
210 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
211 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
212 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
213 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
214 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
215 	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
216 
217 static const u8 __initconst ctext2[80] =
218 	"\x42\x83\x1e\xc2\x21\x77\x74\x24"
219 	"\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
220 	"\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
221 	"\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
222 	"\x21\xd5\x14\xb2\x54\x66\x93\x1c"
223 	"\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
224 	"\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
225 	"\x3d\x58\xe0\x91\x47\x3f\x59\x85"
226 	"\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
227 	"\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
228 
229 static const u8 __initconst ptext3[60] =
230 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
231 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
232 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
233 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
234 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
235 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
236 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
237 	"\xba\x63\x7b\x39";
238 
239 static const u8 __initconst ctext3[76] =
240 	"\x42\x83\x1e\xc2\x21\x77\x74\x24"
241 	"\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
242 	"\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
243 	"\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
244 	"\x21\xd5\x14\xb2\x54\x66\x93\x1c"
245 	"\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
246 	"\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
247 	"\x3d\x58\xe0\x91"
248 	"\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
249 	"\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
250 
251 static const u8 __initconst ctext4[16] =
252 	"\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
253 	"\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
254 
255 static const u8 __initconst ctext5[32] =
256 	"\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
257 	"\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
258 	"\x2f\xf5\x8d\x80\x03\x39\x27\xab"
259 	"\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
260 
261 static const u8 __initconst ptext6[64] =
262 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
263 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
264 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
265 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
266 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
267 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
268 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
269 	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
270 
271 static const u8 __initconst ctext6[80] =
272 	"\x39\x80\xca\x0b\x3c\x00\xe8\x41"
273 	"\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
274 	"\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
275 	"\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
276 	"\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
277 	"\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
278 	"\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
279 	"\xcc\xda\x27\x10\xac\xad\xe2\x56"
280 	"\x99\x24\xa7\xc8\x58\x73\x36\xbf"
281 	"\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
282 
283 static const u8 __initconst ctext7[16] =
284 	"\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
285 	"\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
286 
287 static const u8 __initconst ctext8[32] =
288 	"\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
289 	"\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
290 	"\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
291 	"\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
292 
293 static const u8 __initconst ptext9[64] =
294 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
295 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
296 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
297 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
298 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
299 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
300 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
301 	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
302 
303 static const u8 __initconst ctext9[80] =
304 	"\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
305 	"\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
306 	"\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
307 	"\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
308 	"\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
309 	"\xa7\xb0\x8b\x10\x56\x82\x88\x38"
310 	"\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
311 	"\xbc\xc9\xf6\x62\x89\x80\x15\xad"
312 	"\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
313 	"\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
314 
315 static const u8 __initconst ptext10[60] =
316 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
317 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
318 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
319 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
320 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
321 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
322 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
323 	"\xba\x63\x7b\x39";
324 
325 static const u8 __initconst ctext10[76] =
326 	"\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
327 	"\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
328 	"\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
329 	"\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
330 	"\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
331 	"\xa7\xb0\x8b\x10\x56\x82\x88\x38"
332 	"\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
333 	"\xbc\xc9\xf6\x62"
334 	"\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
335 	"\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
336 
337 static const u8 __initconst ptext11[60] =
338 	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
339 	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
340 	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
341 	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
342 	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
343 	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
344 	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
345 	"\xba\x63\x7b\x39";
346 
347 static const u8 __initconst ctext11[76] =
348 	"\x39\x80\xca\x0b\x3c\x00\xe8\x41"
349 	"\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
350 	"\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
351 	"\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
352 	"\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
353 	"\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
354 	"\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
355 	"\xcc\xda\x27\x10"
356 	"\x25\x19\x49\x8e\x80\xf1\x47\x8f"
357 	"\x37\xba\x55\xbd\x6d\x27\x61\x8c";
358 
359 static const u8 __initconst ptext12[719] =
360 	"\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
361 	"\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
362 	"\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
363 	"\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
364 	"\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
365 	"\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
366 	"\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
367 	"\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
368 	"\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
369 	"\x00\xa4\x43\x54\x04\x54\x9b\x3b"
370 	"\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
371 	"\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
372 	"\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
373 	"\x35\x23\xf4\x20\x41\xd4\xad\x82"
374 	"\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
375 	"\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
376 	"\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
377 	"\xad\x49\x3a\xae\x98\xce\xa6\x66"
378 	"\x10\x30\x90\x8c\x55\x83\xd7\x7c"
379 	"\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
380 	"\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
381 	"\x57\xcc\x89\x09\x75\x9b\x78\x70"
382 	"\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
383 	"\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
384 	"\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
385 	"\x82\xd9\xec\xa2\x87\x68\x55\xf9"
386 	"\x8f\x9e\x73\x43\x47\x6a\x08\x36"
387 	"\x93\x67\xa8\x2d\xde\xac\x41\xa9"
388 	"\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
389 	"\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
390 	"\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
391 	"\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
392 	"\xab\x19\x37\xd9\xba\x76\x5e\xd2"
393 	"\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
394 	"\x02\x66\x49\xca\x7c\x91\x05\xf2"
395 	"\x45\x36\x1e\xf5\x77\xad\x1f\x46"
396 	"\xa8\x13\xfb\x63\xb6\x08\x99\x63"
397 	"\x82\xa2\xed\xb3\xac\xdf\x43\x19"
398 	"\x45\xea\x78\x73\xd9\xb7\x39\x11"
399 	"\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
400 	"\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
401 	"\xa4\x47\x7d\x80\x20\x26\xfd\x63"
402 	"\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
403 	"\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
404 	"\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
405 	"\x54\x03\xa4\x09\x0c\x37\x7a\x15"
406 	"\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
407 	"\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
408 	"\x03\x25\x3c\x8d\x48\x58\x71\x34"
409 	"\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
410 	"\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
411 	"\x80\x6f\x96\x0e\x05\x62\xc7\x78"
412 	"\x87\x79\x60\x38\x46\xb4\x25\x57"
413 	"\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
414 	"\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
415 	"\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
416 	"\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
417 	"\x09\xfc\x91\x96\x47\x87\x4f\x1a"
418 	"\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
419 	"\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
420 	"\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
421 	"\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
422 	"\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
423 	"\x0b\x63\xde\x87\x42\x79\x8a\x68"
424 	"\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
425 	"\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
426 	"\xe9\x83\x84\xcb\x28\x69\x09\x69"
427 	"\xce\x99\x46\x00\x54\xcb\xd8\x38"
428 	"\xf9\x53\x4a\xbf\x31\xce\x57\x15"
429 	"\x33\xfa\x96\x04\x33\x42\xe3\xc0"
430 	"\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
431 	"\x19\x95\xd0\x0e\x82\x07\x63\xf9"
432 	"\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
433 	"\xb5\x9f\x23\x28\x60\xe7\x20\x51"
434 	"\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
435 	"\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
436 	"\x78\xc6\x91\x22\x40\x91\x80\xbe"
437 	"\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
438 	"\x67\x10\xa4\x83\x98\x79\x23\xe7"
439 	"\x92\xda\xa9\x22\x16\xb1\xe7\x78"
440 	"\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
441 	"\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
442 	"\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
443 	"\x48\x11\x06\xbb\x2d\xf2\x63\x88"
444 	"\x3f\x73\x09\xe2\x45\x56\x31\x51"
445 	"\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
446 	"\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
447 	"\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
448 	"\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
449 	"\xa4\x78\xdb\x74\x3d\x8b\xb5";
450 
451 static const u8 __initconst ctext12[735] =
452 	"\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
453 	"\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
454 	"\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
455 	"\x4c\x1d\x38\x05\x54\xd1\x16\x73"
456 	"\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
457 	"\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
458 	"\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
459 	"\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
460 	"\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
461 	"\x20\x93\x6c\x4b\x37\x99\xb8\x23"
462 	"\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
463 	"\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
464 	"\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
465 	"\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
466 	"\xb9\x14\x13\x21\xdf\xce\xaa\x88"
467 	"\x44\x30\x1e\xce\x26\x01\x92\xf8"
468 	"\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
469 	"\x89\xca\x94\x66\x11\x21\x97\xca"
470 	"\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
471 	"\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
472 	"\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
473 	"\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
474 	"\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
475 	"\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
476 	"\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
477 	"\xde\x6b\x52\x98\x01\xef\x36\x3d"
478 	"\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
479 	"\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
480 	"\x48\x96\xe0\x90\x93\x6c\x48\x64"
481 	"\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
482 	"\x7a\x23\x7b\xaa\x20\x56\x12\xae"
483 	"\x16\x9d\x94\x0f\x54\xa1\xec\xca"
484 	"\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
485 	"\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
486 	"\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
487 	"\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
488 	"\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
489 	"\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
490 	"\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
491 	"\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
492 	"\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
493 	"\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
494 	"\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
495 	"\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
496 	"\x03\x60\x7a\xed\x69\xd5\x00\x8b"
497 	"\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
498 	"\xc1\x26\xce\x90\x97\x22\x64\x64"
499 	"\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
500 	"\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
501 	"\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
502 	"\x15\xb5\xa0\x8d\x12\x74\x49\x23"
503 	"\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
504 	"\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
505 	"\x61\x26\x94\x58\x70\xa6\x3c\xe4"
506 	"\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
507 	"\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
508 	"\x93\x77\xde\x48\xc4\xfa\x30\x4a"
509 	"\xda\x49\x80\x77\x0f\x1c\xbe\x11"
510 	"\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
511 	"\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
512 	"\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
513 	"\xb8\xfb\x86\xdc\x46\x24\x91\x60"
514 	"\x6c\x2f\xc9\x41\x37\x51\x49\x54"
515 	"\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
516 	"\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
517 	"\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
518 	"\x75\x54\x65\x93\xfe\xb1\x68\x6b"
519 	"\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
520 	"\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
521 	"\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
522 	"\x6a\x56\xff\x35\x4d\x42\x33\xaa"
523 	"\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
524 	"\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
525 	"\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
526 	"\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
527 	"\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
528 	"\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
529 	"\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
530 	"\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
531 	"\x6b\x6d\x33\xe1\x34\x06\x36\x21"
532 	"\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
533 	"\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
534 	"\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
535 	"\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
536 	"\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
537 	"\x0e\xe1\xb5\x11\x45\x61\x43\x46"
538 	"\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
539 	"\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
540 	"\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
541 	"\x38\x58\x9e\x8a\x43\xdc\x57"
542 	"\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
543 	"\x4b\x24\x52\x58\x55\xe1\x49\x14";
544 
545 static struct {
546 	const u8	*ptext;
547 	const u8	*ctext;
548 
549 	u8		key[AES_MAX_KEY_SIZE];
550 	u8		iv[GCM_AES_IV_SIZE];
551 	u8		assoc[20];
552 
553 	int		klen;
554 	int		clen;
555 	int		plen;
556 	int		alen;
557 } const aesgcm_tv[] __initconst = {
558 	{ /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
559 		.klen	= 16,
560 		.ctext	= ctext0,
561 		.clen	= sizeof(ctext0),
562 	}, {
563 		.klen	= 16,
564 		.ptext	= ptext1,
565 		.plen	= sizeof(ptext1),
566 		.ctext	= ctext1,
567 		.clen	= sizeof(ctext1),
568 	}, {
569 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
570 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
571 		.klen	= 16,
572 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
573 			  "\xde\xca\xf8\x88",
574 		.ptext	= ptext2,
575 		.plen	= sizeof(ptext2),
576 		.ctext	= ctext2,
577 		.clen	= sizeof(ctext2),
578 	}, {
579 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
580 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
581 		.klen	= 16,
582 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
583 			  "\xde\xca\xf8\x88",
584 		.ptext	= ptext3,
585 		.plen	= sizeof(ptext3),
586 		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
587 			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
588 			  "\xab\xad\xda\xd2",
589 		.alen	= 20,
590 		.ctext	= ctext3,
591 		.clen	= sizeof(ctext3),
592 	}, {
593 		.klen	= 24,
594 		.ctext	= ctext4,
595 		.clen	= sizeof(ctext4),
596 	}, {
597 		.klen	= 24,
598 		.ptext	= ptext1,
599 		.plen	= sizeof(ptext1),
600 		.ctext	= ctext5,
601 		.clen	= sizeof(ctext5),
602 	}, {
603 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
604 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
605 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
606 		.klen	= 24,
607 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
608 			  "\xde\xca\xf8\x88",
609 		.ptext	= ptext6,
610 		.plen	= sizeof(ptext6),
611 		.ctext	= ctext6,
612 		.clen	= sizeof(ctext6),
613 	}, {
614 		.klen	= 32,
615 		.ctext	= ctext7,
616 		.clen	= sizeof(ctext7),
617 	}, {
618 		.klen	= 32,
619 		.ptext	= ptext1,
620 		.plen	= sizeof(ptext1),
621 		.ctext	= ctext8,
622 		.clen	= sizeof(ctext8),
623 	}, {
624 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
625 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
626 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
627 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
628 		.klen	= 32,
629 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
630 			  "\xde\xca\xf8\x88",
631 		.ptext	= ptext9,
632 		.plen	= sizeof(ptext9),
633 		.ctext	= ctext9,
634 		.clen	= sizeof(ctext9),
635 	}, {
636 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
637 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
638 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
639 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
640 		.klen	= 32,
641 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
642 			  "\xde\xca\xf8\x88",
643 		.ptext	= ptext10,
644 		.plen	= sizeof(ptext10),
645 		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
646 			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
647 			  "\xab\xad\xda\xd2",
648 		.alen	= 20,
649 		.ctext	= ctext10,
650 		.clen	= sizeof(ctext10),
651 	}, {
652 		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
653 			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
654 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
655 		.klen	= 24,
656 		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
657 			  "\xde\xca\xf8\x88",
658 		.ptext	= ptext11,
659 		.plen	= sizeof(ptext11),
660 		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
661 			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
662 			  "\xab\xad\xda\xd2",
663 		.alen	= 20,
664 		.ctext	= ctext11,
665 		.clen	= sizeof(ctext11),
666 	}, {
667 		.key	= "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
668 			  "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
669 			  "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
670 			  "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
671 		.klen	= 32,
672 		.iv	= "\x00\xff\xff\xff\xff\x00\x00\xff"
673 			  "\xff\xff\x00\xff",
674 		.ptext	= ptext12,
675 		.plen	= sizeof(ptext12),
676 		.ctext	= ctext12,
677 		.clen	= sizeof(ctext12),
678 	}
679 };
680 
681 static int __init libaesgcm_init(void)
682 {
683 	for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
684 		u8 tagbuf[AES_BLOCK_SIZE];
685 		int plen = aesgcm_tv[i].plen;
686 		struct aesgcm_ctx ctx;
687 		u8 buf[sizeof(ptext12)];
688 
689 		if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
690 				     aesgcm_tv[i].clen - plen)) {
691 			pr_err("aesgcm_expandkey() failed on vector %d\n", i);
692 			return -ENODEV;
693 		}
694 
695 		if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
696 				    aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
697 				    aesgcm_tv[i].iv, aesgcm_tv[i].ctext + plen)
698 		    || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
699 			pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
700 			return -ENODEV;
701 		}
702 
703 		/* encrypt in place */
704 		aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
705 			       aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);
706 		if (memcmp(buf, aesgcm_tv[i].ctext, plen)) {
707 			pr_err("aesgcm_encrypt() failed on vector %d\n", i);
708 			return -ENODEV;
709 		}
710 
711 		/* decrypt in place */
712 		if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
713 				    aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
714 		    || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
715 			pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
716 			return -ENODEV;
717 		}
718 	}
719 	return 0;
720 }
721 module_init(libaesgcm_init);
722 
723 static void __exit libaesgcm_exit(void)
724 {
725 }
726 module_exit(libaesgcm_exit);
727 #endif
728