1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Minimal library implementation of GCM
4
 *
5
 * Copyright 2022 Google LLC
6
 */
7

8
#include <crypto/algapi.h>
9
#include <crypto/gcm.h>
10
#include <crypto/ghash.h>
11
#include <linux/export.h>
12
#include <linux/module.h>
13
#include <asm/irqflags.h>
14

15
static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
16
				 const void *src)
17
{
18
	unsigned long flags;
19

20
	/*
21
	 * In AES-GCM, both the GHASH key derivation and the CTR mode
22
	 * encryption operate on known plaintext, making them susceptible to
23
	 * timing attacks on the encryption key. The AES library already
24
	 * mitigates this risk to some extent by pulling the entire S-box into
25
	 * the caches before doing any substitutions, but this strategy is more
26
	 * effective when running with interrupts disabled.
27
	 */
28
	local_irq_save(flags);
29
	aes_encrypt(ctx, dst, src);
30
	local_irq_restore(flags);
31
}
32

33
/**
34
 * aesgcm_expandkey - Expands the AES and GHASH keys for the AES-GCM key
35
 *		      schedule
36
 *
37
 * @ctx:	The data structure that will hold the AES-GCM key schedule
38
 * @key:	The AES encryption input key
39
 * @keysize:	The length in bytes of the input key
40
 * @authsize:	The size in bytes of the GCM authentication tag
41
 *
42
 * Returns: 0 on success, or -EINVAL if @keysize or @authsize contain values
43
 * that are not permitted by the GCM specification.
44
 */
45
int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key,
46
		     unsigned int keysize, unsigned int authsize)
47
{
48
	u8 kin[AES_BLOCK_SIZE] = {};
49
	int ret;
50

51
	ret = crypto_gcm_check_authsize(authsize) ?:
52
	      aes_expandkey(&ctx->aes_ctx, key, keysize);
53
	if (ret)
54
		return ret;
55

56
	ctx->authsize = authsize;
57
	aesgcm_encrypt_block(&ctx->aes_ctx, &ctx->ghash_key, kin);
58

59
	return 0;
60
}
61
EXPORT_SYMBOL(aesgcm_expandkey);
62

63
static void aesgcm_ghash(be128 *ghash, const be128 *key, const void *src,
64
			 int len)
65
{
66
	while (len > 0) {
67
		crypto_xor((u8 *)ghash, src, min(len, GHASH_BLOCK_SIZE));
68
		gf128mul_lle(ghash, key);
69

70
		src += GHASH_BLOCK_SIZE;
71
		len -= GHASH_BLOCK_SIZE;
72
	}
73
}
74

75
/**
76
 * aesgcm_mac - Generates the authentication tag using AES-GCM algorithm.
77
 * @ctx: The data structure that will hold the AES-GCM key schedule
78
 * @src: The input source data.
79
 * @src_len: Length of the source data.
80
 * @assoc: Points to the associated data.
81
 * @assoc_len: Length of the associated data values.
82
 * @ctr: Points to the counter value.
83
 * @authtag: The output buffer for the authentication tag.
84
 *
85
 * It takes in the AES-GCM context, source data, associated data, counter value,
86
 * and an output buffer for the authentication tag.
87
 */
88
static void aesgcm_mac(const struct aesgcm_ctx *ctx, const u8 *src, int src_len,
89
		       const u8 *assoc, int assoc_len, __be32 *ctr, u8 *authtag)
90
{
91
	be128 tail = { cpu_to_be64(assoc_len * 8), cpu_to_be64(src_len * 8) };
92
	u8 buf[AES_BLOCK_SIZE];
93
	be128 ghash = {};
94

95
	aesgcm_ghash(&ghash, &ctx->ghash_key, assoc, assoc_len);
96
	aesgcm_ghash(&ghash, &ctx->ghash_key, src, src_len);
97
	aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail));
98

99
	ctr[3] = cpu_to_be32(1);
100
	aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
101
	crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize);
102

103
	memzero_explicit(&ghash, sizeof(ghash));
104
	memzero_explicit(buf, sizeof(buf));
105
}
106

107
static void aesgcm_crypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
108
			 int len, __be32 *ctr)
109
{
110
	u8 buf[AES_BLOCK_SIZE];
111
	unsigned int n = 2;
112

113
	while (len > 0) {
114
		/*
115
		 * The counter increment below must not result in overflow or
116
		 * carry into the next 32-bit word, as this could result in
117
		 * inadvertent IV reuse, which must be avoided at all cost for
118
		 * stream ciphers such as AES-CTR. Given the range of 'int
119
		 * len', this cannot happen, so no explicit test is necessary.
120
		 */
121
		ctr[3] = cpu_to_be32(n++);
122
		aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr);
123
		crypto_xor_cpy(dst, src, buf, min(len, AES_BLOCK_SIZE));
124

125
		dst += AES_BLOCK_SIZE;
126
		src += AES_BLOCK_SIZE;
127
		len -= AES_BLOCK_SIZE;
128
	}
129
	memzero_explicit(buf, sizeof(buf));
130
}
131

132
/**
133
 * aesgcm_encrypt - Perform AES-GCM encryption on a block of data
134
 *
135
 * @ctx:	The AES-GCM key schedule
136
 * @dst:	Pointer to the ciphertext output buffer
137
 * @src:	Pointer the plaintext (may equal @dst for encryption in place)
138
 * @crypt_len:	The size in bytes of the plaintext and ciphertext.
139
 * @assoc:	Pointer to the associated data,
140
 * @assoc_len:	The size in bytes of the associated data
141
 * @iv:		The initialization vector (IV) to use for this block of data
142
 *		(must be 12 bytes in size as per the GCM spec recommendation)
143
 * @authtag:	The address of the buffer in memory where the authentication
144
 *		tag should be stored. The buffer is assumed to have space for
145
 *		@ctx->authsize bytes.
146
 */
147
void aesgcm_encrypt(const struct aesgcm_ctx *ctx, u8 *dst, const u8 *src,
148
		    int crypt_len, const u8 *assoc, int assoc_len,
149
		    const u8 iv[GCM_AES_IV_SIZE], u8 *authtag)
150
{
151
	__be32 ctr[4];
152

153
	memcpy(ctr, iv, GCM_AES_IV_SIZE);
154

155
	aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
156
	aesgcm_mac(ctx, dst, crypt_len, assoc, assoc_len, ctr, authtag);
157
}
158
EXPORT_SYMBOL(aesgcm_encrypt);
159

160
/**
161
 * aesgcm_decrypt - Perform AES-GCM decryption on a block of data
162
 *
163
 * @ctx:	The AES-GCM key schedule
164
 * @dst:	Pointer to the plaintext output buffer
165
 * @src:	Pointer the ciphertext (may equal @dst for decryption in place)
166
 * @crypt_len:	The size in bytes of the plaintext and ciphertext.
167
 * @assoc:	Pointer to the associated data,
168
 * @assoc_len:	The size in bytes of the associated data
169
 * @iv:		The initialization vector (IV) to use for this block of data
170
 *		(must be 12 bytes in size as per the GCM spec recommendation)
171
 * @authtag:	The address of the buffer in memory where the authentication
172
 *		tag is stored.
173
 *
174
 * Returns: true on success, or false if the ciphertext failed authentication.
175
 * On failure, no plaintext will be returned.
176
 */
177
bool __must_check aesgcm_decrypt(const struct aesgcm_ctx *ctx, u8 *dst,
178
				 const u8 *src, int crypt_len, const u8 *assoc,
179
				 int assoc_len, const u8 iv[GCM_AES_IV_SIZE],
180
				 const u8 *authtag)
181
{
182
	u8 tagbuf[AES_BLOCK_SIZE];
183
	__be32 ctr[4];
184

185
	memcpy(ctr, iv, GCM_AES_IV_SIZE);
186

187
	aesgcm_mac(ctx, src, crypt_len, assoc, assoc_len, ctr, tagbuf);
188
	if (crypto_memneq(authtag, tagbuf, ctx->authsize)) {
189
		memzero_explicit(tagbuf, sizeof(tagbuf));
190
		return false;
191
	}
192
	aesgcm_crypt(ctx, dst, src, crypt_len, ctr);
193
	return true;
194
}
195
EXPORT_SYMBOL(aesgcm_decrypt);
196

197
MODULE_DESCRIPTION("Generic AES-GCM library");
198
MODULE_AUTHOR("Ard Biesheuvel <[email protected]>");
199
MODULE_LICENSE("GPL");
200

201
#ifdef CONFIG_CRYPTO_SELFTESTS
202

203
/*
204
 * Test code below. Vectors taken from crypto/testmgr.h
205
 */
206

207
static const u8 __initconst ctext0[16] __nonstring =
208
	"\x58\xe2\xfc\xce\xfa\x7e\x30\x61"
209
	"\x36\x7f\x1d\x57\xa4\xe7\x45\x5a";
210

211
static const u8 __initconst ptext1[16];
212

213
static const u8 __initconst ctext1[32] __nonstring =
214
	"\x03\x88\xda\xce\x60\xb6\xa3\x92"
215
	"\xf3\x28\xc2\xb9\x71\xb2\xfe\x78"
216
	"\xab\x6e\x47\xd4\x2c\xec\x13\xbd"
217
	"\xf5\x3a\x67\xb2\x12\x57\xbd\xdf";
218

219
static const u8 __initconst ptext2[64] __nonstring =
220
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
221
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
222
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
223
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
224
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
225
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
226
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
227
	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
228

229
static const u8 __initconst ctext2[80] __nonstring =
230
	"\x42\x83\x1e\xc2\x21\x77\x74\x24"
231
	"\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
232
	"\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
233
	"\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
234
	"\x21\xd5\x14\xb2\x54\x66\x93\x1c"
235
	"\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
236
	"\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
237
	"\x3d\x58\xe0\x91\x47\x3f\x59\x85"
238
	"\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6"
239
	"\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4";
240

241
static const u8 __initconst ptext3[60] __nonstring =
242
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
243
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
244
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
245
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
246
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
247
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
248
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
249
	"\xba\x63\x7b\x39";
250

251
static const u8 __initconst ctext3[76] __nonstring =
252
	"\x42\x83\x1e\xc2\x21\x77\x74\x24"
253
	"\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
254
	"\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0"
255
	"\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
256
	"\x21\xd5\x14\xb2\x54\x66\x93\x1c"
257
	"\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
258
	"\x1b\xa3\x0b\x39\x6a\x0a\xac\x97"
259
	"\x3d\x58\xe0\x91"
260
	"\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb"
261
	"\x94\xfa\xe9\x5a\xe7\x12\x1a\x47";
262

263
static const u8 __initconst ctext4[16] __nonstring =
264
	"\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b"
265
	"\xa0\x0e\xd1\xf3\x12\x57\x24\x35";
266

267
static const u8 __initconst ctext5[32] __nonstring =
268
	"\x98\xe7\x24\x7c\x07\xf0\xfe\x41"
269
	"\x1c\x26\x7e\x43\x84\xb0\xf6\x00"
270
	"\x2f\xf5\x8d\x80\x03\x39\x27\xab"
271
	"\x8e\xf4\xd4\x58\x75\x14\xf0\xfb";
272

273
static const u8 __initconst ptext6[64] __nonstring =
274
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
275
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
276
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
277
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
278
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
279
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
280
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
281
	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
282

283
static const u8 __initconst ctext6[80] __nonstring =
284
	"\x39\x80\xca\x0b\x3c\x00\xe8\x41"
285
	"\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
286
	"\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
287
	"\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
288
	"\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
289
	"\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
290
	"\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
291
	"\xcc\xda\x27\x10\xac\xad\xe2\x56"
292
	"\x99\x24\xa7\xc8\x58\x73\x36\xbf"
293
	"\xb1\x18\x02\x4d\xb8\x67\x4a\x14";
294

295
static const u8 __initconst ctext7[16] __nonstring =
296
	"\x53\x0f\x8a\xfb\xc7\x45\x36\xb9"
297
	"\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b";
298

299
static const u8 __initconst ctext8[32] __nonstring =
300
	"\xce\xa7\x40\x3d\x4d\x60\x6b\x6e"
301
	"\x07\x4e\xc5\xd3\xba\xf3\x9d\x18"
302
	"\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0"
303
	"\x26\x5b\x98\xb5\xd4\x8a\xb9\x19";
304

305
static const u8 __initconst ptext9[64] __nonstring =
306
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
307
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
308
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
309
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
310
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
311
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
312
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
313
	"\xba\x63\x7b\x39\x1a\xaf\xd2\x55";
314

315
static const u8 __initconst ctext9[80] __nonstring =
316
	"\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
317
	"\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
318
	"\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
319
	"\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
320
	"\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
321
	"\xa7\xb0\x8b\x10\x56\x82\x88\x38"
322
	"\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
323
	"\xbc\xc9\xf6\x62\x89\x80\x15\xad"
324
	"\xb0\x94\xda\xc5\xd9\x34\x71\xbd"
325
	"\xec\x1a\x50\x22\x70\xe3\xcc\x6c";
326

327
static const u8 __initconst ptext10[60] __nonstring =
328
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
329
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
330
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
331
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
332
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
333
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
334
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
335
	"\xba\x63\x7b\x39";
336

337
static const u8 __initconst ctext10[76] __nonstring =
338
	"\x52\x2d\xc1\xf0\x99\x56\x7d\x07"
339
	"\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
340
	"\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9"
341
	"\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
342
	"\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d"
343
	"\xa7\xb0\x8b\x10\x56\x82\x88\x38"
344
	"\xc5\xf6\x1e\x63\x93\xba\x7a\x0a"
345
	"\xbc\xc9\xf6\x62"
346
	"\x76\xfc\x6e\xce\x0f\x4e\x17\x68"
347
	"\xcd\xdf\x88\x53\xbb\x2d\x55\x1b";
348

349
static const u8 __initconst ptext11[60] __nonstring =
350
	"\xd9\x31\x32\x25\xf8\x84\x06\xe5"
351
	"\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
352
	"\x86\xa7\xa9\x53\x15\x34\xf7\xda"
353
	"\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
354
	"\x1c\x3c\x0c\x95\x95\x68\x09\x53"
355
	"\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
356
	"\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57"
357
	"\xba\x63\x7b\x39";
358

359
static const u8 __initconst ctext11[76] __nonstring =
360
	"\x39\x80\xca\x0b\x3c\x00\xe8\x41"
361
	"\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
362
	"\x85\x9e\x1c\xea\xa6\xef\xd9\x84"
363
	"\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
364
	"\x7d\x77\x3d\x00\xc1\x44\xc5\x25"
365
	"\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
366
	"\x18\xe2\x44\x8b\x2f\xe3\x24\xd9"
367
	"\xcc\xda\x27\x10"
368
	"\x25\x19\x49\x8e\x80\xf1\x47\x8f"
369
	"\x37\xba\x55\xbd\x6d\x27\x61\x8c";
370

371
static const u8 __initconst ptext12[719] __nonstring =
372
	"\x42\xc1\xcc\x08\x48\x6f\x41\x3f"
373
	"\x2f\x11\x66\x8b\x2a\x16\xf0\xe0"
374
	"\x58\x83\xf0\xc3\x70\x14\xc0\x5b"
375
	"\x3f\xec\x1d\x25\x3c\x51\xd2\x03"
376
	"\xcf\x59\x74\x1f\xb2\x85\xb4\x07"
377
	"\xc6\x6a\x63\x39\x8a\x5b\xde\xcb"
378
	"\xaf\x08\x44\xbd\x6f\x91\x15\xe1"
379
	"\xf5\x7a\x6e\x18\xbd\xdd\x61\x50"
380
	"\x59\xa9\x97\xab\xbb\x0e\x74\x5c"
381
	"\x00\xa4\x43\x54\x04\x54\x9b\x3b"
382
	"\x77\xec\xfd\x5c\xa6\xe8\x7b\x08"
383
	"\xae\xe6\x10\x3f\x32\x65\xd1\xfc"
384
	"\xa4\x1d\x2c\x31\xfb\x33\x7a\xb3"
385
	"\x35\x23\xf4\x20\x41\xd4\xad\x82"
386
	"\x8b\xa4\xad\x96\x1c\x20\x53\xbe"
387
	"\x0e\xa6\xf4\xdc\x78\x49\x3e\x72"
388
	"\xb1\xa9\xb5\x83\xcb\x08\x54\xb7"
389
	"\xad\x49\x3a\xae\x98\xce\xa6\x66"
390
	"\x10\x30\x90\x8c\x55\x83\xd7\x7c"
391
	"\x8b\xe6\x53\xde\xd2\x6e\x18\x21"
392
	"\x01\x52\xd1\x9f\x9d\xbb\x9c\x73"
393
	"\x57\xcc\x89\x09\x75\x9b\x78\x70"
394
	"\xed\x26\x97\x4d\xb4\xe4\x0c\xa5"
395
	"\xfa\x70\x04\x70\xc6\x96\x1c\x7d"
396
	"\x54\x41\x77\xa8\xe3\xb0\x7e\x96"
397
	"\x82\xd9\xec\xa2\x87\x68\x55\xf9"
398
	"\x8f\x9e\x73\x43\x47\x6a\x08\x36"
399
	"\x93\x67\xa8\x2d\xde\xac\x41\xa9"
400
	"\x5c\x4d\x73\x97\x0f\x70\x68\xfa"
401
	"\x56\x4d\x00\xc2\x3b\x1f\xc8\xb9"
402
	"\x78\x1f\x51\x07\xe3\x9a\x13\x4e"
403
	"\xed\x2b\x2e\xa3\xf7\x44\xb2\xe7"
404
	"\xab\x19\x37\xd9\xba\x76\x5e\xd2"
405
	"\xf2\x53\x15\x17\x4c\x6b\x16\x9f"
406
	"\x02\x66\x49\xca\x7c\x91\x05\xf2"
407
	"\x45\x36\x1e\xf5\x77\xad\x1f\x46"
408
	"\xa8\x13\xfb\x63\xb6\x08\x99\x63"
409
	"\x82\xa2\xed\xb3\xac\xdf\x43\x19"
410
	"\x45\xea\x78\x73\xd9\xb7\x39\x11"
411
	"\xa3\x13\x7c\xf8\x3f\xf7\xad\x81"
412
	"\x48\x2f\xa9\x5c\x5f\xa0\xf0\x79"
413
	"\xa4\x47\x7d\x80\x20\x26\xfd\x63"
414
	"\x0a\xc7\x7e\x6d\x75\x47\xff\x76"
415
	"\x66\x2e\x8a\x6c\x81\x35\xaf\x0b"
416
	"\x2e\x6a\x49\x60\xc1\x10\xe1\xe1"
417
	"\x54\x03\xa4\x09\x0c\x37\x7a\x15"
418
	"\x23\x27\x5b\x8b\x4b\xa5\x64\x97"
419
	"\xae\x4a\x50\x73\x1f\x66\x1c\x5c"
420
	"\x03\x25\x3c\x8d\x48\x58\x71\x34"
421
	"\x0e\xec\x4e\x55\x1a\x03\x6a\xe5"
422
	"\xb6\x19\x2b\x84\x2a\x20\xd1\xea"
423
	"\x80\x6f\x96\x0e\x05\x62\xc7\x78"
424
	"\x87\x79\x60\x38\x46\xb4\x25\x57"
425
	"\x6e\x16\x63\xf8\xad\x6e\xd7\x42"
426
	"\x69\xe1\x88\xef\x6e\xd5\xb4\x9a"
427
	"\x3c\x78\x6c\x3b\xe5\xa0\x1d\x22"
428
	"\x86\x5c\x74\x3a\xeb\x24\x26\xc7"
429
	"\x09\xfc\x91\x96\x47\x87\x4f\x1a"
430
	"\xd6\x6b\x2c\x18\x47\xc0\xb8\x24"
431
	"\xa8\x5a\x4a\x9e\xcb\x03\xe7\x2a"
432
	"\x09\xe6\x4d\x9c\x6d\x86\x60\xf5"
433
	"\x2f\x48\x69\x37\x9f\xf2\xd2\xcb"
434
	"\x0e\x5a\xdd\x6e\x8a\xfb\x6a\xfe"
435
	"\x0b\x63\xde\x87\x42\x79\x8a\x68"
436
	"\x51\x28\x9b\x7a\xeb\xaf\xb8\x2f"
437
	"\x9d\xd1\xc7\x45\x90\x08\xc9\x83"
438
	"\xe9\x83\x84\xcb\x28\x69\x09\x69"
439
	"\xce\x99\x46\x00\x54\xcb\xd8\x38"
440
	"\xf9\x53\x4a\xbf\x31\xce\x57\x15"
441
	"\x33\xfa\x96\x04\x33\x42\xe3\xc0"
442
	"\xb7\x54\x4a\x65\x7a\x7c\x02\xe6"
443
	"\x19\x95\xd0\x0e\x82\x07\x63\xf9"
444
	"\xe1\x2b\x2a\xfc\x55\x92\x52\xc9"
445
	"\xb5\x9f\x23\x28\x60\xe7\x20\x51"
446
	"\x10\xd3\xed\x6d\x9b\xab\xb8\xe2"
447
	"\x5d\x9a\x34\xb3\xbe\x9c\x64\xcb"
448
	"\x78\xc6\x91\x22\x40\x91\x80\xbe"
449
	"\xd7\x78\x5c\x0e\x0a\xdc\x08\xe9"
450
	"\x67\x10\xa4\x83\x98\x79\x23\xe7"
451
	"\x92\xda\xa9\x22\x16\xb1\xe7\x78"
452
	"\xa3\x1c\x6c\x8f\x35\x7c\x4d\x37"
453
	"\x2f\x6e\x0b\x50\x5c\x34\xb9\xf9"
454
	"\xe6\x3d\x91\x0d\x32\x95\xaa\x3d"
455
	"\x48\x11\x06\xbb\x2d\xf2\x63\x88"
456
	"\x3f\x73\x09\xe2\x45\x56\x31\x51"
457
	"\xfa\x5e\x4e\x62\xf7\x90\xf9\xa9"
458
	"\x7d\x7b\x1b\xb1\xc8\x26\x6e\x66"
459
	"\xf6\x90\x9a\x7f\xf2\x57\xcc\x23"
460
	"\x59\xfa\xfa\xaa\x44\x04\x01\xa7"
461
	"\xa4\x78\xdb\x74\x3d\x8b\xb5";
462

463
static const u8 __initconst ctext12[735] __nonstring =
464
	"\x84\x0b\xdb\xd5\xb7\xa8\xfe\x20"
465
	"\xbb\xb1\x12\x7f\x41\xea\xb3\xc0"
466
	"\xa2\xb4\x37\x19\x11\x58\xb6\x0b"
467
	"\x4c\x1d\x38\x05\x54\xd1\x16\x73"
468
	"\x8e\x1c\x20\x90\xa2\x9a\xb7\x74"
469
	"\x47\xe6\xd8\xfc\x18\x3a\xb4\xea"
470
	"\xd5\x16\x5a\x2c\x53\x01\x46\xb3"
471
	"\x18\x33\x74\x6c\x50\xf2\xe8\xc0"
472
	"\x73\xda\x60\x22\xeb\xe3\xe5\x9b"
473
	"\x20\x93\x6c\x4b\x37\x99\xb8\x23"
474
	"\x3b\x4e\xac\xe8\x5b\xe8\x0f\xb7"
475
	"\xc3\x8f\xfb\x4a\x37\xd9\x39\x95"
476
	"\x34\xf1\xdb\x8f\x71\xd9\xc7\x0b"
477
	"\x02\xf1\x63\xfc\x9b\xfc\xc5\xab"
478
	"\xb9\x14\x13\x21\xdf\xce\xaa\x88"
479
	"\x44\x30\x1e\xce\x26\x01\x92\xf8"
480
	"\x9f\x00\x4b\x0c\x4b\xf7\x5f\xe0"
481
	"\x89\xca\x94\x66\x11\x21\x97\xca"
482
	"\x3e\x83\x74\x2d\xdb\x4d\x11\xeb"
483
	"\x97\xc2\x14\xff\x9e\x1e\xa0\x6b"
484
	"\x08\xb4\x31\x2b\x85\xc6\x85\x6c"
485
	"\x90\xec\x39\xc0\xec\xb3\xb5\x4e"
486
	"\xf3\x9c\xe7\x83\x3a\x77\x0a\xf4"
487
	"\x56\xfe\xce\x18\x33\x6d\x0b\x2d"
488
	"\x33\xda\xc8\x05\x5c\xb4\x09\x2a"
489
	"\xde\x6b\x52\x98\x01\xef\x36\x3d"
490
	"\xbd\xf9\x8f\xa8\x3e\xaa\xcd\xd1"
491
	"\x01\x2d\x42\x49\xc3\xb6\x84\xbb"
492
	"\x48\x96\xe0\x90\x93\x6c\x48\x64"
493
	"\xd4\xfa\x7f\x93\x2c\xa6\x21\xc8"
494
	"\x7a\x23\x7b\xaa\x20\x56\x12\xae"
495
	"\x16\x9d\x94\x0f\x54\xa1\xec\xca"
496
	"\x51\x4e\xf2\x39\xf4\xf8\x5f\x04"
497
	"\x5a\x0d\xbf\xf5\x83\xa1\x15\xe1"
498
	"\xf5\x3c\xd8\x62\xa3\xed\x47\x89"
499
	"\x85\x4c\xe5\xdb\xac\x9e\x17\x1d"
500
	"\x0c\x09\xe3\x3e\x39\x5b\x4d\x74"
501
	"\x0e\xf5\x34\xee\x70\x11\x4c\xfd"
502
	"\xdb\x34\xb1\xb5\x10\x3f\x73\xb7"
503
	"\xf5\xfa\xed\xb0\x1f\xa5\xcd\x3c"
504
	"\x8d\x35\x83\xd4\x11\x44\x6e\x6c"
505
	"\x5b\xe0\x0e\x69\xa5\x39\xe5\xbb"
506
	"\xa9\x57\x24\x37\xe6\x1f\xdd\xcf"
507
	"\x16\x2a\x13\xf9\x6a\x2d\x90\xa0"
508
	"\x03\x60\x7a\xed\x69\xd5\x00\x8b"
509
	"\x7e\x4f\xcb\xb9\xfa\x91\xb9\x37"
510
	"\xc1\x26\xce\x90\x97\x22\x64\x64"
511
	"\xc1\x72\x43\x1b\xf6\xac\xc1\x54"
512
	"\x8a\x10\x9c\xdd\x8d\xd5\x8e\xb2"
513
	"\xe4\x85\xda\xe0\x20\x5f\xf4\xb4"
514
	"\x15\xb5\xa0\x8d\x12\x74\x49\x23"
515
	"\x3a\xdf\x4a\xd3\xf0\x3b\x89\xeb"
516
	"\xf8\xcc\x62\x7b\xfb\x93\x07\x41"
517
	"\x61\x26\x94\x58\x70\xa6\x3c\xe4"
518
	"\xff\x58\xc4\x13\x3d\xcb\x36\x6b"
519
	"\x32\xe5\xb2\x6d\x03\x74\x6f\x76"
520
	"\x93\x77\xde\x48\xc4\xfa\x30\x4a"
521
	"\xda\x49\x80\x77\x0f\x1c\xbe\x11"
522
	"\xc8\x48\xb1\xe5\xbb\xf2\x8a\xe1"
523
	"\x96\x2f\x9f\xd1\x8e\x8a\x5c\xe2"
524
	"\xf7\xd7\xd8\x54\xf3\x3f\xc4\x91"
525
	"\xb8\xfb\x86\xdc\x46\x24\x91\x60"
526
	"\x6c\x2f\xc9\x41\x37\x51\x49\x54"
527
	"\x09\x81\x21\xf3\x03\x9f\x2b\xe3"
528
	"\x1f\x39\x63\xaf\xf4\xd7\x53\x60"
529
	"\xa7\xc7\x54\xf9\xee\xb1\xb1\x7d"
530
	"\x75\x54\x65\x93\xfe\xb1\x68\x6b"
531
	"\x57\x02\xf9\xbb\x0e\xf9\xf8\xbf"
532
	"\x01\x12\x27\xb4\xfe\xe4\x79\x7a"
533
	"\x40\x5b\x51\x4b\xdf\x38\xec\xb1"
534
	"\x6a\x56\xff\x35\x4d\x42\x33\xaa"
535
	"\x6f\x1b\xe4\xdc\xe0\xdb\x85\x35"
536
	"\x62\x10\xd4\xec\xeb\xc5\x7e\x45"
537
	"\x1c\x6f\x17\xca\x3b\x8e\x2d\x66"
538
	"\x4f\x4b\x36\x56\xcd\x1b\x59\xaa"
539
	"\xd2\x9b\x17\xb9\x58\xdf\x7b\x64"
540
	"\x8a\xff\x3b\x9c\xa6\xb5\x48\x9e"
541
	"\xaa\xe2\x5d\x09\x71\x32\x5f\xb6"
542
	"\x29\xbe\xe7\xc7\x52\x7e\x91\x82"
543
	"\x6b\x6d\x33\xe1\x34\x06\x36\x21"
544
	"\x5e\xbe\x1e\x2f\x3e\xc1\xfb\xea"
545
	"\x49\x2c\xb5\xca\xf7\xb0\x37\xea"
546
	"\x1f\xed\x10\x04\xd9\x48\x0d\x1a"
547
	"\x1c\xfb\xe7\x84\x0e\x83\x53\x74"
548
	"\xc7\x65\xe2\x5c\xe5\xba\x73\x4c"
549
	"\x0e\xe1\xb5\x11\x45\x61\x43\x46"
550
	"\xaa\x25\x8f\xbd\x85\x08\xfa\x4c"
551
	"\x15\xc1\xc0\xd8\xf5\xdc\x16\xbb"
552
	"\x7b\x1d\xe3\x87\x57\xa7\x2a\x1d"
553
	"\x38\x58\x9e\x8a\x43\xdc\x57"
554
	"\xd1\x81\x7d\x2b\xe9\xff\x99\x3a"
555
	"\x4b\x24\x52\x58\x55\xe1\x49\x14";
556

557
static struct {
558
	const u8	*ptext;
559
	const u8	*ctext;
560

561
	u8		key[AES_MAX_KEY_SIZE] __nonstring;
562
	u8		iv[GCM_AES_IV_SIZE] __nonstring;
563
	u8		assoc[20] __nonstring;
564

565
	int		klen;
566
	int		clen;
567
	int		plen;
568
	int		alen;
569
} const aesgcm_tv[] __initconst = {
570
	{ /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
571
		.klen	= 16,
572
		.ctext	= ctext0,
573
		.clen	= sizeof(ctext0),
574
	}, {
575
		.klen	= 16,
576
		.ptext	= ptext1,
577
		.plen	= sizeof(ptext1),
578
		.ctext	= ctext1,
579
		.clen	= sizeof(ctext1),
580
	}, {
581
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
582
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
583
		.klen	= 16,
584
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
585
			  "\xde\xca\xf8\x88",
586
		.ptext	= ptext2,
587
		.plen	= sizeof(ptext2),
588
		.ctext	= ctext2,
589
		.clen	= sizeof(ctext2),
590
	}, {
591
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
592
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
593
		.klen	= 16,
594
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
595
			  "\xde\xca\xf8\x88",
596
		.ptext	= ptext3,
597
		.plen	= sizeof(ptext3),
598
		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
599
			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
600
			  "\xab\xad\xda\xd2",
601
		.alen	= 20,
602
		.ctext	= ctext3,
603
		.clen	= sizeof(ctext3),
604
	}, {
605
		.klen	= 24,
606
		.ctext	= ctext4,
607
		.clen	= sizeof(ctext4),
608
	}, {
609
		.klen	= 24,
610
		.ptext	= ptext1,
611
		.plen	= sizeof(ptext1),
612
		.ctext	= ctext5,
613
		.clen	= sizeof(ctext5),
614
	}, {
615
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
616
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
617
			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
618
		.klen	= 24,
619
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
620
			  "\xde\xca\xf8\x88",
621
		.ptext	= ptext6,
622
		.plen	= sizeof(ptext6),
623
		.ctext	= ctext6,
624
		.clen	= sizeof(ctext6),
625
	}, {
626
		.klen	= 32,
627
		.ctext	= ctext7,
628
		.clen	= sizeof(ctext7),
629
	}, {
630
		.klen	= 32,
631
		.ptext	= ptext1,
632
		.plen	= sizeof(ptext1),
633
		.ctext	= ctext8,
634
		.clen	= sizeof(ctext8),
635
	}, {
636
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
637
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
638
			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
639
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
640
		.klen	= 32,
641
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
642
			  "\xde\xca\xf8\x88",
643
		.ptext	= ptext9,
644
		.plen	= sizeof(ptext9),
645
		.ctext	= ctext9,
646
		.clen	= sizeof(ctext9),
647
	}, {
648
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
649
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
650
			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
651
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08",
652
		.klen	= 32,
653
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
654
			  "\xde\xca\xf8\x88",
655
		.ptext	= ptext10,
656
		.plen	= sizeof(ptext10),
657
		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
658
			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
659
			  "\xab\xad\xda\xd2",
660
		.alen	= 20,
661
		.ctext	= ctext10,
662
		.clen	= sizeof(ctext10),
663
	}, {
664
		.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c"
665
			  "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
666
			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c",
667
		.klen	= 24,
668
		.iv	= "\xca\xfe\xba\xbe\xfa\xce\xdb\xad"
669
			  "\xde\xca\xf8\x88",
670
		.ptext	= ptext11,
671
		.plen	= sizeof(ptext11),
672
		.assoc	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
673
			  "\xfe\xed\xfa\xce\xde\xad\xbe\xef"
674
			  "\xab\xad\xda\xd2",
675
		.alen	= 20,
676
		.ctext	= ctext11,
677
		.clen	= sizeof(ctext11),
678
	}, {
679
		.key	= "\x62\x35\xf8\x95\xfc\xa5\xeb\xf6"
680
			  "\x0e\x92\x12\x04\xd3\xa1\x3f\x2e"
681
			  "\x8b\x32\xcf\xe7\x44\xed\x13\x59"
682
			  "\x04\x38\x77\xb0\xb9\xad\xb4\x38",
683
		.klen	= 32,
684
		.iv	= "\x00\xff\xff\xff\xff\x00\x00\xff"
685
			  "\xff\xff\x00\xff",
686
		.ptext	= ptext12,
687
		.plen	= sizeof(ptext12),
688
		.ctext	= ctext12,
689
		.clen	= sizeof(ctext12),
690
	}
691
};
692

693
static int __init libaesgcm_init(void)
694
{
695
	for (int i = 0; i < ARRAY_SIZE(aesgcm_tv); i++) {
696
		u8 tagbuf[AES_BLOCK_SIZE];
697
		int plen = aesgcm_tv[i].plen;
698
		struct aesgcm_ctx ctx;
699
		static u8 buf[sizeof(ptext12)];
700

701
		if (aesgcm_expandkey(&ctx, aesgcm_tv[i].key, aesgcm_tv[i].klen,
702
				     aesgcm_tv[i].clen - plen)) {
703
			pr_err("aesgcm_expandkey() failed on vector %d\n", i);
704
			return -ENODEV;
705
		}
706

707
		if (!aesgcm_decrypt(&ctx, buf, aesgcm_tv[i].ctext, plen,
708
				    aesgcm_tv[i].assoc, aesgcm_tv[i].alen,
709
				    aesgcm_tv[i].iv, aesgcm_tv[i].ctext + plen)
710
		    || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
711
			pr_err("aesgcm_decrypt() #1 failed on vector %d\n", i);
712
			return -ENODEV;
713
		}
714

715
		/* encrypt in place */
716
		aesgcm_encrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
717
			       aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf);
718
		if (memcmp(buf, aesgcm_tv[i].ctext, plen)) {
719
			pr_err("aesgcm_encrypt() failed on vector %d\n", i);
720
			return -ENODEV;
721
		}
722

723
		/* decrypt in place */
724
		if (!aesgcm_decrypt(&ctx, buf, buf, plen, aesgcm_tv[i].assoc,
725
				    aesgcm_tv[i].alen, aesgcm_tv[i].iv, tagbuf)
726
		    || memcmp(buf, aesgcm_tv[i].ptext, plen)) {
727
			pr_err("aesgcm_decrypt() #2 failed on vector %d\n", i);
728
			return -ENODEV;
729
		}
730
	}
731
	return 0;
732
}
733
module_init(libaesgcm_init);
734

735
static void __exit libaesgcm_exit(void)
736
{
737
}
738
module_exit(libaesgcm_exit);
739
#endif
740

741