crypto: gcm - make GMAC work when dst and src are different
Jussi Kivilinna [Sun, 7 Apr 2013 13:43:41 +0000 (16:43 +0300)]
The GMAC code assumes that dst==src, which causes problems when trying to add
rfc4543(gcm(aes)) test vectors.

So fix this code to work when source and destination buffer are different.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

crypto/Kconfig
crypto/gcm.c

index a654b13..6cc27f1 100644 (file)
@@ -198,6 +198,7 @@ config CRYPTO_GCM
        select CRYPTO_CTR
        select CRYPTO_AEAD
        select CRYPTO_GHASH
+       select CRYPTO_NULL
        help
          Support for Galois/Counter Mode (GCM) and Galois Message
          Authentication Code (GMAC). Required for IPSec.
index 137ad1e..4ff2139 100644 (file)
@@ -37,8 +37,14 @@ struct crypto_rfc4106_ctx {
        u8 nonce[4];
 };
 
+struct crypto_rfc4543_instance_ctx {
+       struct crypto_aead_spawn aead;
+       struct crypto_skcipher_spawn null;
+};
+
 struct crypto_rfc4543_ctx {
        struct crypto_aead *child;
+       struct crypto_blkcipher *null;
        u8 nonce[4];
 };
 
@@ -1094,20 +1100,20 @@ static int crypto_rfc4543_setauthsize(struct crypto_aead *parent,
 }
 
 static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
-                                                int enc)
+                                                bool enc)
 {
        struct crypto_aead *aead = crypto_aead_reqtfm(req);
        struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
        struct crypto_rfc4543_req_ctx *rctx = crypto_rfc4543_reqctx(req);
        struct aead_request *subreq = &rctx->subreq;
-       struct scatterlist *dst = req->dst;
+       struct scatterlist *src = req->src;
        struct scatterlist *cipher = rctx->cipher;
        struct scatterlist *payload = rctx->payload;
        struct scatterlist *assoc = rctx->assoc;
        unsigned int authsize = crypto_aead_authsize(aead);
        unsigned int assoclen = req->assoclen;
-       struct page *dstp;
-       u8 *vdst;
+       struct page *srcp;
+       u8 *vsrc;
        u8 *iv = PTR_ALIGN((u8 *)(rctx + 1) + crypto_aead_reqsize(ctx->child),
                           crypto_aead_alignmask(ctx->child) + 1);
 
@@ -1118,19 +1124,19 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
        if (enc)
                memset(rctx->auth_tag, 0, authsize);
        else
-               scatterwalk_map_and_copy(rctx->auth_tag, dst,
+               scatterwalk_map_and_copy(rctx->auth_tag, src,
                                         req->cryptlen - authsize,
                                         authsize, 0);
 
        sg_init_one(cipher, rctx->auth_tag, authsize);
 
        /* construct the aad */
-       dstp = sg_page(dst);
-       vdst = PageHighMem(dstp) ? NULL : page_address(dstp) + dst->offset;
+       srcp = sg_page(src);
+       vsrc = PageHighMem(srcp) ? NULL : page_address(srcp) + src->offset;
 
        sg_init_table(payload, 2);
        sg_set_buf(payload, req->iv, 8);
-       scatterwalk_crypto_chain(payload, dst, vdst == req->iv + 8, 2);
+       scatterwalk_crypto_chain(payload, src, vsrc == req->iv + 8, 2);
        assoclen += 8 + req->cryptlen - (enc ? 0 : authsize);
 
        sg_init_table(assoc, 2);
@@ -1147,6 +1153,19 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
        return subreq;
 }
 
+static int crypto_rfc4543_copy_src_to_dst(struct aead_request *req, bool enc)
+{
+       struct crypto_aead *aead = crypto_aead_reqtfm(req);
+       struct crypto_rfc4543_ctx *ctx = crypto_aead_ctx(aead);
+       unsigned int authsize = crypto_aead_authsize(aead);
+       unsigned int nbytes = req->cryptlen - (enc ? 0 : authsize);
+       struct blkcipher_desc desc = {
+               .tfm = ctx->null,
+       };
+
+       return crypto_blkcipher_encrypt(&desc, req->dst, req->src, nbytes);
+}
+
 static int crypto_rfc4543_encrypt(struct aead_request *req)
 {
        struct crypto_aead *aead = crypto_aead_reqtfm(req);
@@ -1154,7 +1173,13 @@ static int crypto_rfc4543_encrypt(struct aead_request *req)
        struct aead_request *subreq;
        int err;
 
-       subreq = crypto_rfc4543_crypt(req, 1);
+       if (req->src != req->dst) {
+               err = crypto_rfc4543_copy_src_to_dst(req, true);
+               if (err)
+                       return err;
+       }
+
+       subreq = crypto_rfc4543_crypt(req, true);
        err = crypto_aead_encrypt(subreq);
        if (err)
                return err;
@@ -1167,7 +1192,15 @@ static int crypto_rfc4543_encrypt(struct aead_request *req)
 
 static int crypto_rfc4543_decrypt(struct aead_request *req)
 {
-       req = crypto_rfc4543_crypt(req, 0);
+       int err;
+
+       if (req->src != req->dst) {
+               err = crypto_rfc4543_copy_src_to_dst(req, false);
+               if (err)
+                       return err;
+       }
+
+       req = crypto_rfc4543_crypt(req, false);
 
        return crypto_aead_decrypt(req);
 }
@@ -1175,16 +1208,25 @@ static int crypto_rfc4543_decrypt(struct aead_request *req)
 static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
 {
        struct crypto_instance *inst = (void *)tfm->__crt_alg;
-       struct crypto_aead_spawn *spawn = crypto_instance_ctx(inst);
+       struct crypto_rfc4543_instance_ctx *ictx = crypto_instance_ctx(inst);
+       struct crypto_aead_spawn *spawn = &ictx->aead;
        struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
        struct crypto_aead *aead;
+       struct crypto_blkcipher *null;
        unsigned long align;
+       int err = 0;
 
        aead = crypto_spawn_aead(spawn);
        if (IS_ERR(aead))
                return PTR_ERR(aead);
 
+       null = crypto_spawn_blkcipher(&ictx->null.base);
+       err = PTR_ERR(null);
+       if (IS_ERR(null))
+               goto err_free_aead;
+
        ctx->child = aead;
+       ctx->null = null;
 
        align = crypto_aead_alignmask(aead);
        align &= ~(crypto_tfm_ctx_alignment() - 1);
@@ -1194,6 +1236,10 @@ static int crypto_rfc4543_init_tfm(struct crypto_tfm *tfm)
                                align + 16;
 
        return 0;
+
+err_free_aead:
+       crypto_free_aead(aead);
+       return err;
 }
 
 static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
@@ -1201,6 +1247,7 @@ static void crypto_rfc4543_exit_tfm(struct crypto_tfm *tfm)
        struct crypto_rfc4543_ctx *ctx = crypto_tfm_ctx(tfm);
 
        crypto_free_aead(ctx->child);
+       crypto_free_blkcipher(ctx->null);
 }
 
 static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
@@ -1209,6 +1256,7 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
        struct crypto_instance *inst;
        struct crypto_aead_spawn *spawn;
        struct crypto_alg *alg;
+       struct crypto_rfc4543_instance_ctx *ctx;
        const char *ccm_name;
        int err;
 
@@ -1223,11 +1271,12 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
        if (IS_ERR(ccm_name))
                return ERR_CAST(ccm_name);
 
-       inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
+       inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
        if (!inst)
                return ERR_PTR(-ENOMEM);
 
-       spawn = crypto_instance_ctx(inst);
+       ctx = crypto_instance_ctx(inst);
+       spawn = &ctx->aead;
        crypto_set_aead_spawn(spawn, inst);
        err = crypto_grab_aead(spawn, ccm_name, 0,
                               crypto_requires_sync(algt->type, algt->mask));
@@ -1236,15 +1285,23 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
 
        alg = crypto_aead_spawn_alg(spawn);
 
+       crypto_set_skcipher_spawn(&ctx->null, inst);
+       err = crypto_grab_skcipher(&ctx->null, "ecb(cipher_null)", 0,
+                                  CRYPTO_ALG_ASYNC);
+       if (err)
+               goto out_drop_alg;
+
+       crypto_skcipher_spawn_alg(&ctx->null);
+
        err = -EINVAL;
 
        /* We only support 16-byte blocks. */
        if (alg->cra_aead.ivsize != 16)
-               goto out_drop_alg;
+               goto out_drop_ecbnull;
 
        /* Not a stream cipher? */
        if (alg->cra_blocksize != 1)
-               goto out_drop_alg;
+               goto out_drop_ecbnull;
 
        err = -ENAMETOOLONG;
        if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME,
@@ -1252,7 +1309,7 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
            snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME,
                     "rfc4543(%s)", alg->cra_driver_name) >=
            CRYPTO_MAX_ALG_NAME)
-               goto out_drop_alg;
+               goto out_drop_ecbnull;
 
        inst->alg.cra_flags = CRYPTO_ALG_TYPE_AEAD;
        inst->alg.cra_flags |= alg->cra_flags & CRYPTO_ALG_ASYNC;
@@ -1279,6 +1336,8 @@ static struct crypto_instance *crypto_rfc4543_alloc(struct rtattr **tb)
 out:
        return inst;
 
+out_drop_ecbnull:
+       crypto_drop_skcipher(&ctx->null);
 out_drop_alg:
        crypto_drop_aead(spawn);
 out_free_inst:
@@ -1289,7 +1348,11 @@ out_free_inst:
 
 static void crypto_rfc4543_free(struct crypto_instance *inst)
 {
-       crypto_drop_spawn(crypto_instance_ctx(inst));
+       struct crypto_rfc4543_instance_ctx *ctx = crypto_instance_ctx(inst);
+
+       crypto_drop_aead(&ctx->aead);
+       crypto_drop_skcipher(&ctx->null);
+
        kfree(inst);
 }