Merge tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
[platform/kernel/linux-starfive.git] / lib / crypto / aesgcm.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Minimal library implementation of GCM
4  *
5  * Copyright 2022 Google LLC
6  */
7
8 #include <linux/module.h>
9
10 #include <crypto/algapi.h>
11 #include <crypto/gcm.h>
12 #include <crypto/ghash.h>
13
14 #include <asm/irqflags.h>
15
16 static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
17                                  const void *src)
18 {
19         unsigned long flags;
20
21         /*
22          * In AES-GCM, both the GHASH key derivation and the CTR mode
23          * encryption operate on known plaintext, making them susceptible to
24          * timing attacks on the encryption key. The AES library already
25          * mitigates this risk to some extent by pulling the entire S-box into
26          * the caches before doing any substitutions, but this strategy is more
27          * effective when running with interrupts disabled.
28          */
29         local_irq_save(flags);
30         aes_encrypt(ctx, dst, src);
31         local_irq_restore(flags);
32 }
33
34 /**
35  * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
36  *                    schedule
37  *
38  * @ctx:        The data structure that will hold the AES-GCM key schedule
39  * @key:        The AES encryption input key
40  * @keysize:    The length in bytes of the input key
41  * @authsize:   The size in bytes of the GCM authentication tag
42  *
43  * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
44  * that are not permitted by the GCM specification.
45  */
46 int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
47                      unsigned int keysize, unsigned int authsize)
48 {
49         u8 kin[AES_BLOCK_SIZE] = {};
50         int ret;
51
52         ret = crypto_gcm_check_authsize(authsize) ?:
53               aes_expandkey(&ctx->aes_ctx, key, keysize);
54         if (ret)
55                 return ret;
56
57         ctx->authsize = authsize;
58         aesgcm_encrypt_block(&ctx->aes_ctx, &ctx->ghash_key, kin);
59
60         return 0;
61 }
62 EXPORT_SYMBOL(aesgcm_expandkey);
63
64 static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
65                          int len)
66 {
67         while (len > 0) {
68                 crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
69                 gf128mul_lle(ghash, key);
70
71                 src += GHASH_BLOCK_SIZE;
72                 len -= GHASH_BLOCK_SIZE;
73         }
74 }
75
76 static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
77                        const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
78 {
79         be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
80         u8 buf[AES_BLOCK_SIZE];
81         be128 ghash = {};
82
83         aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
84         aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
85         aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
86
87         ctr[3] = cpu_to_be32(1);
88         aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
89         crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
90
91         memzero_explicit(&ghash, sizeof(ghash));
92         memzero_explicit(buf, sizeof(buf));
93 }
94
95 static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
96                          int len, __be32 *ctr)
97 {
98         u8 buf[AES_BLOCK_SIZE];
99         unsigned int n = 2;
100
101         while (len > 0) {
102                 /*
103                  * The counter increment below must not result in overflow or
104                  * carry into the next 32-bit word, as this could result in
105                  * inadvertent IV reuse, which must be avoided at all cost for
106                  * stream ciphers such as AES-CTR. Given the range of 'int
107                  * len', this cannot happen, so no explicit test is necessary.
108                  */
109                 ctr[3] = cpu_to_be32(n++);
110                 aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
111                 crypto_xor_cpy(dst, src, buf, min(len, AES_BLOCK_SIZE));
112
113                 dst += AES_BLOCK_SIZE;
114                 src += AES_BLOCK_SIZE;
115                 len -= AES_BLOCK_SIZE;
116         }
117         memzero_explicit(buf, sizeof(buf));
118 }
119
120 /**
121  * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
122  *
123  * @ctx:        The AES-GCM key schedule
124  * @dst:        Pointer to the ciphertext output buffer
125  * @src:        Pointer the plaintext (may equal @dst for encryption in place)
126  * @crypt_len:  The size in bytes of the plaintext and ciphertext.
127  * @assoc:      Pointer to the associated data,
128  * @assoc_len:  The size in bytes of the associated data
129  * @iv:         The initialization vector (IV) to use for this block of data
130  *              (must be 12 bytes in size as per the GCM spec recommendation)
131  * @authtag:    The address of the buffer in memory where the authentication
132  *              tag should be stored. The buffer is assumed to have space for
133  *              @ctx->authsize bytes.
134  */
135 void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
136                     int crypt_len, const u8 *assoc, int assoc_len,
137                     const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
138 {
139         __be32 ctr[4];
140
141         memcpy(ctr, iv, GCM_AES_IV_SIZE);
142
143         aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
144         aesgcm_mac(ctx, dst, crypt_len, assoc, assoc_len, ctr, authtag);
145 }
146 EXPORT_SYMBOL(aesgcm_encrypt);
147
148 /**
149  * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
150  *
151  * @ctx:        The AES-GCM key schedule
152  * @dst:        Pointer to the plaintext output buffer
153  * @src:        Pointer the ciphertext (may equal @dst for decryption in place)
154  * @crypt_len:  The size in bytes of the plaintext and ciphertext.
155  * @assoc:      Pointer to the associated data,
156  * @assoc_len:  The size in bytes of the associated data
157  * @iv:         The initialization vector (IV) to use for this block of data
158  *              (must be 12 bytes in size as per the GCM spec recommendation)
159  * @authtag:    The address of the buffer in memory where the authentication
160  *              tag is stored.
161  *
162  * Returns: true on success, or false if the ciphertext failed authentication.
163  * On failure, no plaintext will be returned.
164  */
165 bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
166                                  const u8 *src, int crypt_len, const u8 *assoc,
167                                  int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
168                                  const u8 *authtag)
169 {
170         u8 tagbuf[AES_BLOCK_SIZE];
171         __be32 ctr[4];
172
173         memcpy(ctr, iv, GCM_AES_IV_SIZE);
174
175         aesgcm_mac(ctx, src, crypt_len, assoc, assoc_len, ctr, tagbuf);
176         if (crypto_memneq(authtag, tagbuf, ctx->authsize)) {
177                 memzero_explicit(tagbuf, sizeof(tagbuf));
178                 return false;
179         }
180         aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
181         return true;
182 }
183 EXPORT_SYMBOL(aesgcm_decrypt);
184
185 MODULE_DESCRIPTION("Generic AES-GCM library");
186 MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
187 MODULE_LICENSE("GPL");
188
189 #ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
190
191 /*
192  * Test code below. Vectors taken from crypto/testmgr.h
193  */
194
195 static const u8 __initconst ctext0[16] =
196         "\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
197         "\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
198
199 static const u8 __initconst ptext1[16];
200
201 static const u8 __initconst ctext1[32] =
202         "\x03\x88\xda\xce\x60\xb6\xa3\x92"
203         "\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
204         "\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
205         "\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
206
207 static const u8 __initconst ptext2[64] =
208         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
209         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
210         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
211         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
212         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
213         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
214         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
215         "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
216
217 static const u8 __initconst ctext2[80] =
218         "\x42\x83\x1e\xc2\x21\x77\x74\x24"
219         "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
220         "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
221         "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
222         "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
223         "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
224         "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
225         "\x3d\x58\xe0\x91\x47\x3f\x59\x85"
226         "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
227         "\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
228
229 static const u8 __initconst ptext3[60] =
230         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
231         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
232         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
233         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
234         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
235         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
236         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
237         "\xba\x63\x7b\x39";
238
239 static const u8 __initconst ctext3[76] =
240         "\x42\x83\x1e\xc2\x21\x77\x74\x24"
241         "\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
242         "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
243         "\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
244         "\x21\xd5\x14\xb2\x54\x66\x93\x1c"
245         "\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
246         "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
247         "\x3d\x58\xe0\x91"
248         "\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
249         "\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
250
251 static const u8 __initconst ctext4[16] =
252         "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
253         "\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
254
255 static const u8 __initconst ctext5[32] =
256         "\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
257         "\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
258         "\x2f\xf5\x8d\x80\x03\x39\x27\xab"
259         "\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
260
261 static const u8 __initconst ptext6[64] =
262         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
263         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
264         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
265         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
266         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
267         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
268         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
269         "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
270
271 static const u8 __initconst ctext6[80] =
272         "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
273         "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
274         "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
275         "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
276         "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
277         "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
278         "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
279         "\xcc\xda\x27\x10\xac\xad\xe2\x56"
280         "\x99\x24\xa7\xc8\x58\x73\x36\xbf"
281         "\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
282
283 static const u8 __initconst ctext7[16] =
284         "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
285         "\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
286
287 static const u8 __initconst ctext8[32] =
288         "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
289         "\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
290         "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
291         "\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
292
293 static const u8 __initconst ptext9[64] =
294         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
295         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
296         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
297         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
298         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
299         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
300         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
301         "\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
302
303 static const u8 __initconst ctext9[80] =
304         "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
305         "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
306         "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
307         "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
308         "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
309         "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
310         "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
311         "\xbc\xc9\xf6\x62\x89\x80\x15\xad"
312         "\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
313         "\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
314
315 static const u8 __initconst ptext10[60] =
316         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
317         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
318         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
319         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
320         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
321         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
322         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
323         "\xba\x63\x7b\x39";
324
325 static const u8 __initconst ctext10[76] =
326         "\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
327         "\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
328         "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
329         "\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
330         "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
331         "\xa7\xb0\x8b\x10\x56\x82\x88\x38"
332         "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
333         "\xbc\xc9\xf6\x62"
334         "\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
335         "\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
336
337 static const u8 __initconst ptext11[60] =
338         "\xd9\x31\x32\x25\xf8\x84\x06\xe5"
339         "\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
340         "\x86\xa7\xa9\x53\x15\x34\xf7\xda"
341         "\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
342         "\x1c\x3c\x0c\x95\x95\x68\x09\x53"
343         "\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
344         "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
345         "\xba\x63\x7b\x39";
346
347 static const u8 __initconst ctext11[76] =
348         "\x39\x80\xca\x0b\x3c\x00\xe8\x41"
349         "\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
350         "\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
351         "\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
352         "\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
353         "\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
354         "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
355         "\xcc\xda\x27\x10"
356         "\x25\x19\x49\x8e\x80\xf1\x47\x8f"
357         "\x37\xba\x55\xbd\x6d\x27\x61\x8c";
358
359 static const u8 __initconst ptext12[719] =
360         "\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
361         "\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
362         "\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
363         "\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
364         "\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
365         "\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
366         "\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
367         "\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
368         "\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
369         "\x00\xa4\x43\x54\x04\x54\x9b\x3b"
370         "\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
371         "\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
372         "\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
373         "\x35\x23\xf4\x20\x41\xd4\xad\x82"
374         "\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
375         "\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
376         "\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
377         "\xad\x49\x3a\xae\x98\xce\xa6\x66"
378         "\x10\x30\x90\x8c\x55\x83\xd7\x7c"
379         "\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
380         "\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
381         "\x57\xcc\x89\x09\x75\x9b\x78\x70"
382         "\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
383         "\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
384         "\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
385         "\x82\xd9\xec\xa2\x87\x68\x55\xf9"
386         "\x8f\x9e\x73\x43\x47\x6a\x08\x36"
387         "\x93\x67\xa8\x2d\xde\xac\x41\xa9"
388         "\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
389         "\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
390         "\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
391         "\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
392         "\xab\x19\x37\xd9\xba\x76\x5e\xd2"
393         "\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
394         "\x02\x66\x49\xca\x7c\x91\x05\xf2"
395         "\x45\x36\x1e\xf5\x77\xad\x1f\x46"
396         "\xa8\x13\xfb\x63\xb6\x08\x99\x63"
397         "\x82\xa2\xed\xb3\xac\xdf\x43\x19"
398         "\x45\xea\x78\x73\xd9\xb7\x39\x11"
399         "\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
400         "\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
401         "\xa4\x47\x7d\x80\x20\x26\xfd\x63"
402         "\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
403         "\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
404         "\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
405         "\x54\x03\xa4\x09\x0c\x37\x7a\x15"
406         "\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
407         "\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
408         "\x03\x25\x3c\x8d\x48\x58\x71\x34"
409         "\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
410         "\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
411         "\x80\x6f\x96\x0e\x05\x62\xc7\x78"
412         "\x87\x79\x60\x38\x46\xb4\x25\x57"
413         "\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
414         "\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
415         "\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
416         "\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
417         "\x09\xfc\x91\x96\x47\x87\x4f\x1a"
418         "\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
419         "\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
420         "\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
421         "\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
422         "\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
423         "\x0b\x63\xde\x87\x42\x79\x8a\x68"
424         "\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
425         "\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
426         "\xe9\x83\x84\xcb\x28\x69\x09\x69"
427         "\xce\x99\x46\x00\x54\xcb\xd8\x38"
428         "\xf9\x53\x4a\xbf\x31\xce\x57\x15"
429         "\x33\xfa\x96\x04\x33\x42\xe3\xc0"
430         "\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
431         "\x19\x95\xd0\x0e\x82\x07\x63\xf9"
432         "\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
433         "\xb5\x9f\x23\x28\x60\xe7\x20\x51"
434         "\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
435         "\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
436         "\x78\xc6\x91\x22\x40\x91\x80\xbe"
437         "\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
438         "\x67\x10\xa4\x83\x98\x79\x23\xe7"
439         "\x92\xda\xa9\x22\x16\xb1\xe7\x78"
440         "\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
441         "\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
442         "\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
443         "\x48\x11\x06\xbb\x2d\xf2\x63\x88"
444         "\x3f\x73\x09\xe2\x45\x56\x31\x51"
445         "\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
446         "\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
447         "\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
448         "\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
449         "\xa4\x78\xdb\x74\x3d\x8b\xb5";
450
451 static const u8 __initconst ctext12[735] =
452         "\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
453         "\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
454         "\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
455         "\x4c\x1d\x38\x05\x54\xd1\x16\x73"
456         "\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
457         "\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
458         "\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
459         "\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
460         "\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
461         "\x20\x93\x6c\x4b\x37\x99\xb8\x23"
462         "\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
463         "\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
464         "\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
465         "\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
466         "\xb9\x14\x13\x21\xdf\xce\xaa\x88"
467         "\x44\x30\x1e\xce\x26\x01\x92\xf8"
468         "\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
469         "\x89\xca\x94\x66\x11\x21\x97\xca"
470         "\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
471         "\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
472         "\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
473         "\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
474         "\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
475         "\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
476         "\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
477         "\xde\x6b\x52\x98\x01\xef\x36\x3d"
478         "\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
479         "\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
480         "\x48\x96\xe0\x90\x93\x6c\x48\x64"
481         "\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
482         "\x7a\x23\x7b\xaa\x20\x56\x12\xae"
483         "\x16\x9d\x94\x0f\x54\xa1\xec\xca"
484         "\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
485         "\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
486         "\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
487         "\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
488         "\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
489         "\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
490         "\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
491         "\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
492         "\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
493         "\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
494         "\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
495         "\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
496         "\x03\x60\x7a\xed\x69\xd5\x00\x8b"
497         "\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
498         "\xc1\x26\xce\x90\x97\x22\x64\x64"
499         "\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
500         "\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
501         "\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
502         "\x15\xb5\xa0\x8d\x12\x74\x49\x23"
503         "\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
504         "\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
505         "\x61\x26\x94\x58\x70\xa6\x3c\xe4"
506         "\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
507         "\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
508         "\x93\x77\xde\x48\xc4\xfa\x30\x4a"
509         "\xda\x49\x80\x77\x0f\x1c\xbe\x11"
510         "\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
511         "\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
512         "\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
513         "\xb8\xfb\x86\xdc\x46\x24\x91\x60"
514         "\x6c\x2f\xc9\x41\x37\x51\x49\x54"
515         "\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
516         "\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
517         "\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
518         "\x75\x54\x65\x93\xfe\xb1\x68\x6b"
519         "\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
520         "\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
521         "\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
522         "\x6a\x56\xff\x35\x4d\x42\x33\xaa"
523         "\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
524         "\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
525         "\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
526         "\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
527         "\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
528         "\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
529         "\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
530         "\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
531         "\x6b\x6d\x33\xe1\x34\x06\x36\x21"
532         "\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
533         "\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
534         "\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
535         "\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
536         "\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
537         "\x0e\xe1\xb5\x11\x45\x61\x43\x46"
538         "\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
539         "\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
540         "\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
541         "\x38\x58\x9e\x8a\x43\xdc\x57"
542         "\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
543         "\x4b\x24\x52\x58\x55\xe1\x49\x14";
544
545 static struct {
546         const u8        *ptext;
547         const u8        *ctext;
548
549         u8              key[AES_MAX_KEY_SIZE];
550         u8              iv[GCM_AES_IV_SIZE];
551         u8              assoc[20];
552
553         int             klen;
554         int             clen;
555         int             plen;
556         int             alen;
557 } const aesgcm_tv[] __initconst = {
558         { /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
559                 .klen   = 16,
560                 .ctext  = ctext0,
561                 .clen   = sizeof(ctext0),
562         }, {
563                 .klen   = 16,
564                 .ptext  = ptext1,
565                 .plen   = sizeof(ptext1),
566                 .ctext  = ctext1,
567                 .clen   = sizeof(ctext1),
568         }, {
569                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
570                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
571                 .klen   = 16,
572                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
573                           "\xde\xca\xf8\x88",
574                 .ptext  = ptext2,
575                 .plen   = sizeof(ptext2),
576                 .ctext  = ctext2,
577                 .clen   = sizeof(ctext2),
578         }, {
579                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
580                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
581                 .klen   = 16,
582                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
583                           "\xde\xca\xf8\x88",
584                 .ptext  = ptext3,
585                 .plen   = sizeof(ptext3),
586                 .assoc  = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
587                           "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
588                           "\xab\xad\xda\xd2",
589                 .alen   = 20,
590                 .ctext  = ctext3,
591                 .clen   = sizeof(ctext3),
592         }, {
593                 .klen   = 24,
594                 .ctext  = ctext4,
595                 .clen   = sizeof(ctext4),
596         }, {
597                 .klen   = 24,
598                 .ptext  = ptext1,
599                 .plen   = sizeof(ptext1),
600                 .ctext  = ctext5,
601                 .clen   = sizeof(ctext5),
602         }, {
603                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
604                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
605                           "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
606                 .klen   = 24,
607                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
608                           "\xde\xca\xf8\x88",
609                 .ptext  = ptext6,
610                 .plen   = sizeof(ptext6),
611                 .ctext  = ctext6,
612                 .clen   = sizeof(ctext6),
613         }, {
614                 .klen   = 32,
615                 .ctext  = ctext7,
616                 .clen   = sizeof(ctext7),
617         }, {
618                 .klen   = 32,
619                 .ptext  = ptext1,
620                 .plen   = sizeof(ptext1),
621                 .ctext  = ctext8,
622                 .clen   = sizeof(ctext8),
623         }, {
624                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
625                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
626                           "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
627                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
628                 .klen   = 32,
629                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
630                           "\xde\xca\xf8\x88",
631                 .ptext  = ptext9,
632                 .plen   = sizeof(ptext9),
633                 .ctext  = ctext9,
634                 .clen   = sizeof(ctext9),
635         }, {
636                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
637                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
638                           "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
639                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
640                 .klen   = 32,
641                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
642                           "\xde\xca\xf8\x88",
643                 .ptext  = ptext10,
644                 .plen   = sizeof(ptext10),
645                 .assoc  = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
646                           "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
647                           "\xab\xad\xda\xd2",
648                 .alen   = 20,
649                 .ctext  = ctext10,
650                 .clen   = sizeof(ctext10),
651         }, {
652                 .key    = "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
653                           "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
654                           "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
655                 .klen   = 24,
656                 .iv     = "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
657                           "\xde\xca\xf8\x88",
658                 .ptext  = ptext11,
659                 .plen   = sizeof(ptext11),
660                 .assoc  = "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
661                           "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
662                           "\xab\xad\xda\xd2",
663                 .alen   = 20,
664                 .ctext  = ctext11,
665                 .clen   = sizeof(ctext11),
666         }, {
667                 .key    = "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
668                           "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
669                           "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
670                           "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
671                 .klen   = 32,
672                 .iv     = "\x00\xff\xff\xff\xff\x00\x00\xff"
673                           "\xff\xff\x00\xff",
674                 .ptext  = ptext12,
675                 .plen   = sizeof(ptext12),
676                 .ctext  = ctext12,
677                 .clen   = sizeof(ctext12),
678         }
679 };
680
681 static int __init libaesgcm_init(void)
682 {
683         for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
684                 u8 tagbuf[AES_BLOCK_SIZE];
685                 int plen = aesgcm_tv[i].plen;
686                 struct aesgcm_ctx ctx;
687                 u8 buf[sizeof(ptext12)];
688
689                 if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
690                                      aesgcm_tv[i].clen - plen)) {
691                         pr_err("aesgcm_expandkey() failed on vector %d\n", i);
692                         return -ENODEV;
693                 }
694
695                 if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
696                                     aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
697                                     aesgcm_tv[i].iv, aesgcm_tv[i].ctext + plen)
698                     || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
699                         pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
700                         return -ENODEV;
701                 }
702
703                 /* encrypt in place */
704                 aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
705                                aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);
706                 if (memcmp(buf, aesgcm_tv[i].ctext, plen)) {
707                         pr_err("aesgcm_encrypt() failed on vector %d\n", i);
708                         return -ENODEV;
709                 }
710
711                 /* decrypt in place */
712                 if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
713                                     aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
714                     || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
715                         pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
716                         return -ENODEV;
717                 }
718         }
719         return 0;
720 }
721 module_init(libaesgcm_init);
722
723 static void __exit libaesgcm_exit(void)
724 {
725 }
726 module_exit(libaesgcm_exit);
727 #endif