linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC)
@ 2017-02-03 14:49 Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 1/3] crypto: testmgr - add test cases for cbcmac(aes) Ard Biesheuvel
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-03 14:49 UTC (permalink / raw)
  To: linux-crypto, herbert, ebiggers3; +Cc: linux-arm-kernel, Ard Biesheuvel

This series is primarily directed at improving the performance and security
of CCM on the Rasperry Pi 3. This involves splitting the MAC handling of
CCM into a separate driver so that we can efficiently replace it by something
else using the ordinary algo resolution machinery.

Patch #1 adds some testcases for cbcmac(aes), which will be introduced later.

Patch #2 replaces the open coded CBC MAC hashing routines in the CCM driver
with calls to a cbcmac() hash, and implements a template for producing such
cbcmac transforms. This eliminates all the fuzzy scatterwalk code as well.

Patch #3 implements cbcmac(aes) using NEON on arm64, and CMAC/XCBC at the
same time, since it is trivially implemented reusing the same core transform

Changes since v2:
- dropped fixed time generic AES patch, this is only vaguely related, and can
  be discussed separately
- add CMAC and XCBC code to patch #3
- fix stack corruption bug in patch #2
- move patch #2 to use crypto_xor() for the cbcmac transform (which either needs
  an alignmask, or the updated alignment agnostic crypto_xor() code whose v2
  was sent out yesterday)

Changes since v1:
- remove ilen, and add missing flags assignment (#2)
- deal with zero cryptlen (#2)
- use correctly sized dg[] array in desc ctx (#3, #4)
- fix bug in update routine (#3)
- various other tweaks

Ard Biesheuvel (3):
  crypto: testmgr - add test cases for cbcmac(aes)
  crypto: ccm - switch to separate cbcmac driver
  crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver

 arch/arm64/crypto/aes-glue.c  | 240 +++++++++++-
 arch/arm64/crypto/aes-modes.S |  29 +-
 crypto/Kconfig                |   1 +
 crypto/ccm.c                  | 381 +++++++++++++-------
 crypto/testmgr.c              |   7 +
 crypto/testmgr.h              |  60 +++
 6 files changed, 579 insertions(+), 139 deletions(-)

-- 
2.7.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v3 1/3] crypto: testmgr - add test cases for cbcmac(aes)
  2017-02-03 14:49 [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Ard Biesheuvel
@ 2017-02-03 14:49 ` Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver Ard Biesheuvel
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-03 14:49 UTC (permalink / raw)
  To: linux-crypto, herbert, ebiggers3; +Cc: linux-arm-kernel, Ard Biesheuvel

In preparation of splitting off the CBC-MAC transform in the CCM
driver into a separate algorithm, define some test cases for the
AES incarnation of cbcmac.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 crypto/testmgr.c |  7 +++
 crypto/testmgr.h | 60 ++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 98eb09782db8..f9c378af3907 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2514,6 +2514,13 @@ static const struct alg_test_desc alg_test_descs[] = {
 			}
 		}
 	}, {
+		.alg = "cbcmac(aes)",
+		.fips_allowed = 1,
+		.test = alg_test_hash,
+		.suite = {
+			.hash = __VECS(aes_cbcmac_tv_template)
+		}
+	}, {
 		.alg = "ccm(aes)",
 		.test = alg_test_aead,
 		.fips_allowed = 1,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 64595f067d72..f85e51cf7dcc 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -3413,6 +3413,66 @@ static struct hash_testvec aes_cmac128_tv_template[] = {
 	}
 };
 
+static struct hash_testvec aes_cbcmac_tv_template[] = {
+	{
+		.key		= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
+				  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+		.plaintext	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+				  "\xe9\x3d\x7e\x11\x73\x93\x17\x2a",
+		.digest		= "\x3a\xd7\x7b\xb4\x0d\x7a\x36\x60"
+				  "\xa8\x9e\xca\xf3\x24\x66\xef\x97",
+		.psize		= 16,
+		.ksize		= 16,
+	}, {
+		.key		= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
+				  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+		.plaintext	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+				  "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+				  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
+				  "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+				  "\x30",
+		.digest		= "\x9d\x0d\xd0\x63\xfb\xcb\x24\x43"
+				  "\xf8\xf2\x76\x03\xac\x39\xb0\x9d",
+		.psize		= 33,
+		.ksize		= 16,
+		.np		= 2,
+		.tap		= { 7, 26 },
+	}, {
+		.key		= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
+				  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+		.plaintext	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+				  "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+				  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
+				  "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+				  "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
+				  "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+				  "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
+				  "\xad\x2b\x41\x7b\xe6\x6c\x37",
+		.digest		= "\xc0\x71\x73\xb8\xa0\x2c\x11\x7c"
+				  "\xaf\xdc\xb2\xf8\x89\x32\xa3\x3a",
+		.psize		= 63,
+		.ksize		= 16,
+	}, {
+		.key		= "\x60\x3d\xeb\x10\x15\xca\x71\xbe"
+				  "\x2b\x73\xae\xf0\x85\x7d\x77\x81"
+				  "\x1f\x35\x2c\x07\x3b\x61\x08\xd7"
+				  "\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
+		.plaintext	= "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+				  "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+				  "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
+				  "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+				  "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
+				  "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+				  "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
+				  "\xad\x2b\x41\x7b\xe6\x6c\x37\x10"
+				  "\x1c",
+		.digest		= "\x6a\x4e\xdb\x21\x47\x51\xdf\x4f"
+				  "\xa8\x4d\x4c\x10\x3b\x72\x7d\xd6",
+		.psize		= 65,
+		.ksize		= 32,
+	}
+};
+
 static struct hash_testvec des3_ede_cmac64_tv_template[] = {
 /*
  * From NIST Special Publication 800-38B, Three Key TDEA
-- 
2.7.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver
  2017-02-03 14:49 [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 1/3] crypto: testmgr - add test cases for cbcmac(aes) Ard Biesheuvel
@ 2017-02-03 14:49 ` Ard Biesheuvel
  2017-02-06 10:52   ` Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 3/3] crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver Ard Biesheuvel
  2017-02-11 10:53 ` [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Herbert Xu
  3 siblings, 1 reply; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-03 14:49 UTC (permalink / raw)
  To: linux-crypto, herbert, ebiggers3; +Cc: linux-arm-kernel, Ard Biesheuvel

Update the generic CCM driver to defer CBC-MAC processing to a
dedicated CBC-MAC ahash transform rather than open coding this
transform (and much of the associated scatterwalk plumbing) in
the CCM driver itself.

This cleans up the code considerably, but more importantly, it allows
the use of alternative CBC-MAC implementations that don't suffer from
performance degradation due to significant setup time (e.g., the NEON
based AES code needs to enable/disable the NEON, and load the S-box
into 16 SIMD registers, which cannot be amortized over the entire input
when using the cipher interface)

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 crypto/Kconfig |   1 +
 crypto/ccm.c   | 381 +++++++++++++-------
 2 files changed, 245 insertions(+), 137 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 160f08e721cc..e8269d1b0282 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -263,6 +263,7 @@ comment "Authenticated Encryption with Associated Data"
 config CRYPTO_CCM
 	tristate "CCM support"
 	select CRYPTO_CTR
+	select CRYPTO_HASH
 	select CRYPTO_AEAD
 	help
 	  Support for Counter with CBC MAC. Required for IPsec.
diff --git a/crypto/ccm.c b/crypto/ccm.c
index 26b924d1e582..52e307807ff6 100644
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -11,6 +11,7 @@
  */
 
 #include <crypto/internal/aead.h>
+#include <crypto/internal/hash.h>
 #include <crypto/internal/skcipher.h>
 #include <crypto/scatterwalk.h>
 #include <linux/err.h>
@@ -23,11 +24,11 @@
 
 struct ccm_instance_ctx {
 	struct crypto_skcipher_spawn ctr;
-	struct crypto_spawn cipher;
+	struct crypto_ahash_spawn mac;
 };
 
 struct crypto_ccm_ctx {
-	struct crypto_cipher *cipher;
+	struct crypto_ahash *mac;
 	struct crypto_skcipher *ctr;
 };
 
@@ -44,15 +45,22 @@ struct crypto_rfc4309_req_ctx {
 
 struct crypto_ccm_req_priv_ctx {
 	u8 odata[16];
-	u8 idata[16];
 	u8 auth_tag[16];
-	u32 ilen;
 	u32 flags;
 	struct scatterlist src[3];
 	struct scatterlist dst[3];
 	struct skcipher_request skreq;
 };
 
+struct cbcmac_tfm_ctx {
+	struct crypto_cipher *child;
+};
+
+struct cbcmac_desc_ctx {
+	unsigned int len;
+	u8 dg[];
+};
+
 static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
 	struct aead_request *req)
 {
@@ -84,7 +92,7 @@ static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
 {
 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
 	struct crypto_skcipher *ctr = ctx->ctr;
-	struct crypto_cipher *tfm = ctx->cipher;
+	struct crypto_ahash *mac = ctx->mac;
 	int err = 0;
 
 	crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
@@ -96,11 +104,11 @@ static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
 	if (err)
 		goto out;
 
-	crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK);
-	crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) &
+	crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
+	crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
 				    CRYPTO_TFM_REQ_MASK);
-	err = crypto_cipher_setkey(tfm, key, keylen);
-	crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) &
+	err = crypto_ahash_setkey(mac, key, keylen);
+	crypto_aead_set_flags(aead, crypto_ahash_get_flags(mac) &
 			      CRYPTO_TFM_RES_MASK);
 
 out:
@@ -167,119 +175,61 @@ static int format_adata(u8 *adata, unsigned int a)
 	return len;
 }
 
-static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n,
-		       struct crypto_ccm_req_priv_ctx *pctx)
-{
-	unsigned int bs = 16;
-	u8 *odata = pctx->odata;
-	u8 *idata = pctx->idata;
-	int datalen, getlen;
-
-	datalen = n;
-
-	/* first time in here, block may be partially filled. */
-	getlen = bs - pctx->ilen;
-	if (datalen >= getlen) {
-		memcpy(idata + pctx->ilen, data, getlen);
-		crypto_xor(odata, idata, bs);
-		crypto_cipher_encrypt_one(tfm, odata, odata);
-		datalen -= getlen;
-		data += getlen;
-		pctx->ilen = 0;
-	}
-
-	/* now encrypt rest of data */
-	while (datalen >= bs) {
-		crypto_xor(odata, data, bs);
-		crypto_cipher_encrypt_one(tfm, odata, odata);
-
-		datalen -= bs;
-		data += bs;
-	}
-
-	/* check and see if there's leftover data that wasn't
-	 * enough to fill a block.
-	 */
-	if (datalen) {
-		memcpy(idata + pctx->ilen, data, datalen);
-		pctx->ilen += datalen;
-	}
-}
-
-static void get_data_to_compute(struct crypto_cipher *tfm,
-			       struct crypto_ccm_req_priv_ctx *pctx,
-			       struct scatterlist *sg, unsigned int len)
-{
-	struct scatter_walk walk;
-	u8 *data_src;
-	int n;
-
-	scatterwalk_start(&walk, sg);
-
-	while (len) {
-		n = scatterwalk_clamp(&walk, len);
-		if (!n) {
-			scatterwalk_start(&walk, sg_next(walk.sg));
-			n = scatterwalk_clamp(&walk, len);
-		}
-		data_src = scatterwalk_map(&walk);
-
-		compute_mac(tfm, data_src, n, pctx);
-		len -= n;
-
-		scatterwalk_unmap(data_src);
-		scatterwalk_advance(&walk, n);
-		scatterwalk_done(&walk, 0, len);
-		if (len)
-			crypto_yield(pctx->flags);
-	}
-
-	/* any leftover needs padding and then encrypted */
-	if (pctx->ilen) {
-		int padlen;
-		u8 *odata = pctx->odata;
-		u8 *idata = pctx->idata;
-
-		padlen = 16 - pctx->ilen;
-		memset(idata + pctx->ilen, 0, padlen);
-		crypto_xor(odata, idata, 16);
-		crypto_cipher_encrypt_one(tfm, odata, odata);
-		pctx->ilen = 0;
-	}
-}
-
 static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
 			   unsigned int cryptlen)
 {
+	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
-	struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
-	struct crypto_cipher *cipher = ctx->cipher;
+	AHASH_REQUEST_ON_STACK(ahreq, ctx->mac);
 	unsigned int assoclen = req->assoclen;
-	u8 *odata = pctx->odata;
-	u8 *idata = pctx->idata;
-	int err;
+	struct scatterlist sg[3];
+	u8 odata[16];
+	u8 idata[16];
+	int ilen, err;
 
 	/* format control data for input */
 	err = format_input(odata, req, cryptlen);
 	if (err)
 		goto out;
 
-	/* encrypt first block to use as start in computing mac  */
-	crypto_cipher_encrypt_one(cipher, odata, odata);
+	sg_init_table(sg, 3);
+	sg_set_buf(&sg[0], odata, 16);
 
 	/* format associated data and compute into mac */
 	if (assoclen) {
-		pctx->ilen = format_adata(idata, assoclen);
-		get_data_to_compute(cipher, pctx, req->src, req->assoclen);
+		ilen = format_adata(idata, assoclen);
+		sg_set_buf(&sg[1], idata, ilen);
+		sg_chain(sg, 3, req->src);
 	} else {
-		pctx->ilen = 0;
+		ilen = 0;
+		sg_chain(sg, 2, req->src);
 	}
 
-	/* compute plaintext into mac */
-	if (cryptlen)
-		get_data_to_compute(cipher, pctx, plain, cryptlen);
+	ahash_request_set_tfm(ahreq, ctx->mac);
+	ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
+	ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
+	err = crypto_ahash_init(ahreq);
+	if (err)
+		goto out;
+	err = crypto_ahash_update(ahreq);
+	if (err)
+		goto out;
 
+	/* we need to pad the MAC input to a round multiple of the block size */
+	ilen = 16 - (assoclen + ilen) % 16;
+	if (ilen < 16) {
+		memset(idata, 0, ilen);
+		sg_init_table(sg, 2);
+		sg_set_buf(&sg[0], idata, ilen);
+		if (plain)
+			sg_chain(sg, 2, plain);
+		plain = sg;
+		cryptlen += ilen;
+	}
+
+	ahash_request_set_crypt(ahreq, plain, pctx->odata, cryptlen);
+	err = crypto_ahash_finup(ahreq);
 out:
 	return err;
 }
@@ -453,21 +403,21 @@ static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
 	struct aead_instance *inst = aead_alg_instance(tfm);
 	struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
-	struct crypto_cipher *cipher;
+	struct crypto_ahash *mac;
 	struct crypto_skcipher *ctr;
 	unsigned long align;
 	int err;
 
-	cipher = crypto_spawn_cipher(&ictx->cipher);
-	if (IS_ERR(cipher))
-		return PTR_ERR(cipher);
+	mac = crypto_spawn_ahash(&ictx->mac);
+	if (IS_ERR(mac))
+		return PTR_ERR(mac);
 
 	ctr = crypto_spawn_skcipher(&ictx->ctr);
 	err = PTR_ERR(ctr);
 	if (IS_ERR(ctr))
-		goto err_free_cipher;
+		goto err_free_mac;
 
-	ctx->cipher = cipher;
+	ctx->mac = mac;
 	ctx->ctr = ctr;
 
 	align = crypto_aead_alignmask(tfm);
@@ -479,8 +429,8 @@ static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
 
 	return 0;
 
-err_free_cipher:
-	crypto_free_cipher(cipher);
+err_free_mac:
+	crypto_free_ahash(mac);
 	return err;
 }
 
@@ -488,7 +438,7 @@ static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
 {
 	struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
 
-	crypto_free_cipher(ctx->cipher);
+	crypto_free_ahash(ctx->mac);
 	crypto_free_skcipher(ctx->ctr);
 }
 
@@ -496,7 +446,7 @@ static void crypto_ccm_free(struct aead_instance *inst)
 {
 	struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
 
-	crypto_drop_spawn(&ctx->cipher);
+	crypto_drop_ahash(&ctx->mac);
 	crypto_drop_skcipher(&ctx->ctr);
 	kfree(inst);
 }
@@ -505,12 +455,13 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
 				    struct rtattr **tb,
 				    const char *full_name,
 				    const char *ctr_name,
-				    const char *cipher_name)
+				    const char *mac_name)
 {
 	struct crypto_attr_type *algt;
 	struct aead_instance *inst;
 	struct skcipher_alg *ctr;
-	struct crypto_alg *cipher;
+	struct crypto_alg *mac_alg;
+	struct hash_alg_common *mac;
 	struct ccm_instance_ctx *ictx;
 	int err;
 
@@ -521,25 +472,26 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
 	if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
 		return -EINVAL;
 
-	cipher = crypto_alg_mod_lookup(cipher_name,  CRYPTO_ALG_TYPE_CIPHER,
-				       CRYPTO_ALG_TYPE_MASK);
-	if (IS_ERR(cipher))
-		return PTR_ERR(cipher);
+	mac_alg = crypto_find_alg(mac_name, &crypto_ahash_type,
+				  CRYPTO_ALG_TYPE_HASH,
+				  CRYPTO_ALG_TYPE_AHASH_MASK |
+				  CRYPTO_ALG_ASYNC);
+	if (IS_ERR(mac_alg))
+		return PTR_ERR(mac_alg);
 
+	mac = __crypto_hash_alg_common(mac_alg);
 	err = -EINVAL;
-	if (cipher->cra_blocksize != 16)
-		goto out_put_cipher;
+	if (mac->digestsize != 16)
+		goto out_put_mac;
 
 	inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
 	err = -ENOMEM;
 	if (!inst)
-		goto out_put_cipher;
+		goto out_put_mac;
 
 	ictx = aead_instance_ctx(inst);
-
-	err = crypto_init_spawn(&ictx->cipher, cipher,
-				aead_crypto_instance(inst),
-				CRYPTO_ALG_TYPE_MASK);
+	err = crypto_init_ahash_spawn(&ictx->mac, mac,
+				      aead_crypto_instance(inst));
 	if (err)
 		goto err_free_inst;
 
@@ -548,7 +500,7 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
 				   crypto_requires_sync(algt->type,
 							algt->mask));
 	if (err)
-		goto err_drop_cipher;
+		goto err_drop_mac;
 
 	ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
 
@@ -564,16 +516,16 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
 	err = -ENAMETOOLONG;
 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 		     "ccm_base(%s,%s)", ctr->base.cra_driver_name,
-		     cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
+		     mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
 		goto err_drop_ctr;
 
 	memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
 
 	inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC;
-	inst->alg.base.cra_priority = (cipher->cra_priority +
+	inst->alg.base.cra_priority = (mac->base.cra_priority +
 				       ctr->base.cra_priority) / 2;
 	inst->alg.base.cra_blocksize = 1;
-	inst->alg.base.cra_alignmask = cipher->cra_alignmask |
+	inst->alg.base.cra_alignmask = mac->base.cra_alignmask |
 				       ctr->base.cra_alignmask |
 				       (__alignof__(u32) - 1);
 	inst->alg.ivsize = 16;
@@ -593,23 +545,24 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
 	if (err)
 		goto err_drop_ctr;
 
-out_put_cipher:
-	crypto_mod_put(cipher);
+out_put_mac:
+	crypto_mod_put(mac_alg);
 	return err;
 
 err_drop_ctr:
 	crypto_drop_skcipher(&ictx->ctr);
-err_drop_cipher:
-	crypto_drop_spawn(&ictx->cipher);
+err_drop_mac:
+	crypto_drop_ahash(&ictx->mac);
 err_free_inst:
 	kfree(inst);
-	goto out_put_cipher;
+	goto out_put_mac;
 }
 
 static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
 {
 	const char *cipher_name;
 	char ctr_name[CRYPTO_MAX_ALG_NAME];
+	char mac_name[CRYPTO_MAX_ALG_NAME];
 	char full_name[CRYPTO_MAX_ALG_NAME];
 
 	cipher_name = crypto_attr_alg_name(tb[1]);
@@ -620,12 +573,16 @@ static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
 		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
 		return -ENAMETOOLONG;
 
+	if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
+		     cipher_name) >= CRYPTO_MAX_ALG_NAME)
+		return -ENAMETOOLONG;
+
 	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >=
 	    CRYPTO_MAX_ALG_NAME)
 		return -ENAMETOOLONG;
 
 	return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
-					cipher_name);
+					mac_name);
 }
 
 static struct crypto_template crypto_ccm_tmpl = {
@@ -899,14 +856,161 @@ static struct crypto_template crypto_rfc4309_tmpl = {
 	.module = THIS_MODULE,
 };
 
+static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
+				     const u8 *inkey, unsigned int keylen)
+{
+	struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
+
+	return crypto_cipher_setkey(ctx->child, inkey, keylen);
+}
+
+static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
+{
+	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
+	int bs = crypto_shash_digestsize(pdesc->tfm);
+
+	ctx->len = 0;
+	memset(ctx->dg, 0, bs);
+
+	return 0;
+}
+
+static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
+				       unsigned int len)
+{
+	struct crypto_shash *parent = pdesc->tfm;
+	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
+	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
+	struct crypto_cipher *tfm = tctx->child;
+	int bs = crypto_shash_digestsize(parent);
+
+	while (len > 0) {
+		unsigned int l = min(len, bs - ctx->len);
+
+		crypto_xor(ctx->dg + ctx->len, p, l);
+		ctx->len +=l;
+		len -= l;
+		p += l;
+
+		if (ctx->len == bs) {
+			crypto_cipher_encrypt_one(tfm, ctx->dg, ctx->dg);
+			ctx->len = 0;
+		}
+	}
+
+	return 0;
+}
+
+static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out)
+{
+	struct crypto_shash *parent = pdesc->tfm;
+	struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
+	struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
+	struct crypto_cipher *tfm = tctx->child;
+	int bs = crypto_shash_digestsize(parent);
+
+	if (ctx->len)
+		crypto_cipher_encrypt_one(tfm, out, ctx->dg);
+	else
+		memcpy(out, ctx->dg, bs);
+
+	return 0;
+}
+
+static int cbcmac_init_tfm(struct crypto_tfm *tfm)
+{
+	struct crypto_cipher *cipher;
+	struct crypto_instance *inst = (void *)tfm->__crt_alg;
+	struct crypto_spawn *spawn = crypto_instance_ctx(inst);
+	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
+
+	cipher = crypto_spawn_cipher(spawn);
+	if (IS_ERR(cipher))
+		return PTR_ERR(cipher);
+
+	ctx->child = cipher;
+
+	return 0;
+};
+
+static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
+{
+	struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
+	crypto_free_cipher(ctx->child);
+}
+
+static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
+{
+	struct shash_instance *inst;
+	struct crypto_alg *alg;
+	int err;
+
+	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH);
+	if (err)
+		return err;
+
+	alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
+				  CRYPTO_ALG_TYPE_MASK);
+	if (IS_ERR(alg))
+		return PTR_ERR(alg);
+
+	inst = shash_alloc_instance("cbcmac", alg);
+	err = PTR_ERR(inst);
+	if (IS_ERR(inst))
+		goto out_put_alg;
+
+	err = crypto_init_spawn(shash_instance_ctx(inst), alg,
+				shash_crypto_instance(inst),
+				CRYPTO_ALG_TYPE_MASK);
+	if (err)
+		goto out_free_inst;
+
+	inst->alg.base.cra_priority = alg->cra_priority;
+	inst->alg.base.cra_blocksize = 1;
+
+	inst->alg.digestsize = alg->cra_blocksize;
+	inst->alg.descsize = sizeof(struct cbcmac_desc_ctx) +
+			     alg->cra_blocksize;
+
+	inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
+	inst->alg.base.cra_init = cbcmac_init_tfm;
+	inst->alg.base.cra_exit = cbcmac_exit_tfm;
+
+	inst->alg.init = crypto_cbcmac_digest_init;
+	inst->alg.update = crypto_cbcmac_digest_update;
+	inst->alg.final = crypto_cbcmac_digest_final;
+	inst->alg.setkey = crypto_cbcmac_digest_setkey;
+
+	err = shash_register_instance(tmpl, inst);
+
+out_free_inst:
+	if (err)
+		shash_free_instance(shash_crypto_instance(inst));
+
+out_put_alg:
+	crypto_mod_put(alg);
+	return err;
+}
+
+static struct crypto_template crypto_cbcmac_tmpl = {
+	.name = "cbcmac",
+	.create = cbcmac_create,
+	.free = shash_free_instance,
+	.module = THIS_MODULE,
+};
+
 static int __init crypto_ccm_module_init(void)
 {
 	int err;
 
-	err = crypto_register_template(&crypto_ccm_base_tmpl);
+	err = crypto_register_template(&crypto_cbcmac_tmpl);
 	if (err)
 		goto out;
 
+	err = crypto_register_template(&crypto_ccm_base_tmpl);
+	if (err)
+		goto out_undo_cbcmac;
+
 	err = crypto_register_template(&crypto_ccm_tmpl);
 	if (err)
 		goto out_undo_base;
@@ -922,6 +1026,8 @@ static int __init crypto_ccm_module_init(void)
 	crypto_unregister_template(&crypto_ccm_tmpl);
 out_undo_base:
 	crypto_unregister_template(&crypto_ccm_base_tmpl);
+out_undo_cbcmac:
+	crypto_register_template(&crypto_cbcmac_tmpl);
 	goto out;
 }
 
@@ -930,6 +1036,7 @@ static void __exit crypto_ccm_module_exit(void)
 	crypto_unregister_template(&crypto_rfc4309_tmpl);
 	crypto_unregister_template(&crypto_ccm_tmpl);
 	crypto_unregister_template(&crypto_ccm_base_tmpl);
+	crypto_unregister_template(&crypto_cbcmac_tmpl);
 }
 
 module_init(crypto_ccm_module_init);
-- 
2.7.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v3 3/3] crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver
  2017-02-03 14:49 [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 1/3] crypto: testmgr - add test cases for cbcmac(aes) Ard Biesheuvel
  2017-02-03 14:49 ` [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver Ard Biesheuvel
@ 2017-02-03 14:49 ` Ard Biesheuvel
  2017-02-11 10:53 ` [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Herbert Xu
  3 siblings, 0 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-03 14:49 UTC (permalink / raw)
  To: linux-crypto, herbert, ebiggers3; +Cc: linux-arm-kernel, Ard Biesheuvel

On ARMv8 implementations that do not support the Crypto Extensions,
such as the Raspberry Pi 3, the CCM driver falls back to the generic
table based AES implementation to perform the MAC part of the
algorithm, which is slow and not time invariant. So add a CBCMAC
implementation to the shared glue code between NEON AES and Crypto
Extensions AES, so that it can be used instead now that the CCM
driver has been updated to look for CBCMAC implementations other
than the one it supplies itself.

Also, given how these algorithms mostly only differ in the way the key
handling and the final encryption are implemented, expose CMAC and XCBC
algorithms as well based on the same core update code.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm64/crypto/aes-glue.c  | 240 +++++++++++++++++++-
 arch/arm64/crypto/aes-modes.S |  29 ++-
 2 files changed, 267 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
index 055bc3f61138..bcf596b0197e 100644
--- a/arch/arm64/crypto/aes-glue.c
+++ b/arch/arm64/crypto/aes-glue.c
@@ -1,7 +1,7 @@
 /*
  * linux/arch/arm64/crypto/aes-glue.c - wrapper code for ARMv8 AES
  *
- * Copyright (C) 2013 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -11,6 +11,7 @@
 #include <asm/neon.h>
 #include <asm/hwcap.h>
 #include <crypto/aes.h>
+#include <crypto/internal/hash.h>
 #include <crypto/internal/simd.h>
 #include <crypto/internal/skcipher.h>
 #include <linux/module.h>
@@ -31,6 +32,7 @@
 #define aes_ctr_encrypt		ce_aes_ctr_encrypt
 #define aes_xts_encrypt		ce_aes_xts_encrypt
 #define aes_xts_decrypt		ce_aes_xts_decrypt
+#define aes_mac_update		ce_aes_mac_update
 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 Crypto Extensions");
 #else
 #define MODE			"neon"
@@ -44,11 +46,15 @@ MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 Crypto Extensions");
 #define aes_ctr_encrypt		neon_aes_ctr_encrypt
 #define aes_xts_encrypt		neon_aes_xts_encrypt
 #define aes_xts_decrypt		neon_aes_xts_decrypt
+#define aes_mac_update		neon_aes_mac_update
 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 NEON");
 MODULE_ALIAS_CRYPTO("ecb(aes)");
 MODULE_ALIAS_CRYPTO("cbc(aes)");
 MODULE_ALIAS_CRYPTO("ctr(aes)");
 MODULE_ALIAS_CRYPTO("xts(aes)");
+MODULE_ALIAS_CRYPTO("cmac(aes)");
+MODULE_ALIAS_CRYPTO("xcbc(aes)");
+MODULE_ALIAS_CRYPTO("cbcmac(aes)");
 #endif
 
 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
@@ -75,11 +81,25 @@ asmlinkage void aes_xts_decrypt(u8 out[], u8 const in[], u8 const rk1[],
 				int rounds, int blocks, u8 const rk2[], u8 iv[],
 				int first);
 
+asmlinkage void aes_mac_update(u8 const in[], u32 const rk[], int rounds,
+			       int blocks, u8 dg[], int enc_before,
+			       int enc_after);
+
 struct crypto_aes_xts_ctx {
 	struct crypto_aes_ctx key1;
 	struct crypto_aes_ctx __aligned(8) key2;
 };
 
+struct mac_tfm_ctx {
+	struct crypto_aes_ctx key;
+	u8 __aligned(8) consts[];
+};
+
+struct mac_desc_ctx {
+	unsigned int len;
+	u8 dg[AES_BLOCK_SIZE];
+};
+
 static int skcipher_aes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
 			       unsigned int key_len)
 {
@@ -357,6 +377,217 @@ static struct skcipher_alg aes_algs[] = { {
 	.decrypt	= xts_decrypt,
 } };
 
+static int cbcmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
+			 unsigned int key_len)
+{
+	struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+	int err;
+
+	err = aes_expandkey(&ctx->key, in_key, key_len);
+	if (err)
+		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+
+	return err;
+}
+
+static void cmac_gf128_mul_by_x(be128 *y, const be128 *x)
+{
+	u64 a = be64_to_cpu(x->a);
+	u64 b = be64_to_cpu(x->b);
+
+	y->a = cpu_to_be64((a << 1) | (b >> 63));
+	y->b = cpu_to_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0));
+}
+
+static int cmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
+		       unsigned int key_len)
+{
+	struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+	be128 *consts = (be128 *)ctx->consts;
+	u8 *rk = (u8 *)ctx->key.key_enc;
+	int rounds = 6 + key_len / 4;
+	int err;
+
+	err = cbcmac_setkey(tfm, in_key, key_len);
+	if (err)
+		return err;
+
+	/* encrypt the zero vector */
+	kernel_neon_begin();
+	aes_ecb_encrypt(ctx->consts, (u8[AES_BLOCK_SIZE]){}, rk, rounds, 1, 1);
+	kernel_neon_end();
+
+	cmac_gf128_mul_by_x(consts, consts);
+	cmac_gf128_mul_by_x(consts + 1, consts);
+
+	return 0;
+}
+
+static int xcbc_setkey(struct crypto_shash *tfm, const u8 *in_key,
+		       unsigned int key_len)
+{
+	static u8 const ks[3][AES_BLOCK_SIZE] = {
+		{ [0 ... AES_BLOCK_SIZE - 1] = 0x1 },
+		{ [0 ... AES_BLOCK_SIZE - 1] = 0x2 },
+		{ [0 ... AES_BLOCK_SIZE - 1] = 0x3 },
+	};
+
+	struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+	u8 *rk = (u8 *)ctx->key.key_enc;
+	int rounds = 6 + key_len / 4;
+	u8 key[AES_BLOCK_SIZE];
+	int err;
+
+	err = cbcmac_setkey(tfm, in_key, key_len);
+	if (err)
+		return err;
+
+	kernel_neon_begin();
+	aes_ecb_encrypt(key, ks[0], rk, rounds, 1, 1);
+	aes_ecb_encrypt(ctx->consts, ks[1], rk, rounds, 2, 0);
+	kernel_neon_end();
+
+	return cbcmac_setkey(tfm, key, sizeof(key));
+}
+
+static int mac_init(struct shash_desc *desc)
+{
+	struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+
+	memset(ctx->dg, 0, AES_BLOCK_SIZE);
+	ctx->len = 0;
+
+	return 0;
+}
+
+static int mac_update(struct shash_desc *desc, const u8 *p, unsigned int len)
+{
+	struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+	struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+	int rounds = 6 + tctx->key.key_length / 4;
+
+	while (len > 0) {
+		unsigned int l;
+
+		if ((ctx->len % AES_BLOCK_SIZE) == 0 &&
+		    (ctx->len + len) > AES_BLOCK_SIZE) {
+
+			int blocks = len / AES_BLOCK_SIZE;
+
+			len %= AES_BLOCK_SIZE;
+
+			kernel_neon_begin();
+			aes_mac_update(p, tctx->key.key_enc, rounds, blocks,
+				       ctx->dg, (ctx->len != 0), (len != 0));
+			kernel_neon_end();
+
+			p += blocks * AES_BLOCK_SIZE;
+
+			if (!len) {
+				ctx->len = AES_BLOCK_SIZE;
+				break;
+			}
+			ctx->len = 0;
+		}
+
+		l = min(len, AES_BLOCK_SIZE - ctx->len);
+
+		if (l <= AES_BLOCK_SIZE) {
+			crypto_xor(ctx->dg + ctx->len, p, l);
+			ctx->len += l;
+			len -= l;
+			p += l;
+		}
+	}
+
+	return 0;
+}
+
+static int cbcmac_final(struct shash_desc *desc, u8 *out)
+{
+	struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+	struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+	int rounds = 6 + tctx->key.key_length / 4;
+
+	kernel_neon_begin();
+	aes_mac_update(NULL, tctx->key.key_enc, rounds, 0, ctx->dg, 1, 0);
+	kernel_neon_end();
+
+	memcpy(out, ctx->dg, AES_BLOCK_SIZE);
+
+	return 0;
+}
+
+static int cmac_final(struct shash_desc *desc, u8 *out)
+{
+	struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+	struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+	int rounds = 6 + tctx->key.key_length / 4;
+	u8 *consts = tctx->consts;
+
+	if (ctx->len != AES_BLOCK_SIZE) {
+		ctx->dg[ctx->len] ^= 0x80;
+		consts += AES_BLOCK_SIZE;
+	}
+
+	kernel_neon_begin();
+	aes_mac_update(consts, tctx->key.key_enc, rounds, 1, ctx->dg, 0, 1);
+	kernel_neon_end();
+
+	memcpy(out, ctx->dg, AES_BLOCK_SIZE);
+
+	return 0;
+}
+
+static struct shash_alg mac_algs[] = { {
+	.base.cra_name		= "cmac(aes)",
+	.base.cra_driver_name	= "cmac-aes-" MODE,
+	.base.cra_priority	= PRIO,
+	.base.cra_flags		= CRYPTO_ALG_TYPE_SHASH,
+	.base.cra_blocksize	= AES_BLOCK_SIZE,
+	.base.cra_ctxsize	= sizeof(struct mac_tfm_ctx) +
+				  2 * AES_BLOCK_SIZE,
+	.base.cra_module	= THIS_MODULE,
+
+	.digestsize		= AES_BLOCK_SIZE,
+	.init			= mac_init,
+	.update			= mac_update,
+	.final			= cmac_final,
+	.setkey			= cmac_setkey,
+	.descsize		= sizeof(struct mac_desc_ctx),
+}, {
+	.base.cra_name		= "xcbc(aes)",
+	.base.cra_driver_name	= "xcbc-aes-" MODE,
+	.base.cra_priority	= PRIO,
+	.base.cra_flags		= CRYPTO_ALG_TYPE_SHASH,
+	.base.cra_blocksize	= AES_BLOCK_SIZE,
+	.base.cra_ctxsize	= sizeof(struct mac_tfm_ctx) +
+				  2 * AES_BLOCK_SIZE,
+	.base.cra_module	= THIS_MODULE,
+
+	.digestsize		= AES_BLOCK_SIZE,
+	.init			= mac_init,
+	.update			= mac_update,
+	.final			= cmac_final,
+	.setkey			= xcbc_setkey,
+	.descsize		= sizeof(struct mac_desc_ctx),
+}, {
+	.base.cra_name		= "cbcmac(aes)",
+	.base.cra_driver_name	= "cbcmac-aes-" MODE,
+	.base.cra_priority	= PRIO,
+	.base.cra_flags		= CRYPTO_ALG_TYPE_SHASH,
+	.base.cra_blocksize	= 1,
+	.base.cra_ctxsize	= sizeof(struct mac_tfm_ctx),
+	.base.cra_module	= THIS_MODULE,
+
+	.digestsize		= AES_BLOCK_SIZE,
+	.init			= mac_init,
+	.update			= mac_update,
+	.final			= cbcmac_final,
+	.setkey			= cbcmac_setkey,
+	.descsize		= sizeof(struct mac_desc_ctx),
+} };
+
 static struct simd_skcipher_alg *aes_simd_algs[ARRAY_SIZE(aes_algs)];
 
 static void aes_exit(void)
@@ -367,6 +598,7 @@ static void aes_exit(void)
 		if (aes_simd_algs[i])
 			simd_skcipher_free(aes_simd_algs[i]);
 
+	crypto_unregister_shashes(mac_algs, ARRAY_SIZE(mac_algs));
 	crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
 }
 
@@ -383,6 +615,10 @@ static int __init aes_init(void)
 	if (err)
 		return err;
 
+	err = crypto_register_shashes(mac_algs, ARRAY_SIZE(mac_algs));
+	if (err)
+		goto unregister_ciphers;
+
 	for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
 		if (!(aes_algs[i].base.cra_flags & CRYPTO_ALG_INTERNAL))
 			continue;
@@ -402,6 +638,8 @@ static int __init aes_init(void)
 
 unregister_simds:
 	aes_exit();
+unregister_ciphers:
+	crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
 	return err;
 }
 
diff --git a/arch/arm64/crypto/aes-modes.S b/arch/arm64/crypto/aes-modes.S
index 92b982a8b112..2674d43d1384 100644
--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -1,7 +1,7 @@
 /*
  * linux/arch/arm64/crypto/aes-modes.S - chaining mode wrappers for AES
  *
- * Copyright (C) 2013 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -525,3 +525,30 @@ AES_ENTRY(aes_xts_decrypt)
 	FRAME_POP
 	ret
 AES_ENDPROC(aes_xts_decrypt)
+
+	/*
+	 * aes_mac_update(u8 const in[], u32 const rk[], int rounds,
+	 *		  int blocks, u8 dg[], int enc_before, int enc_after)
+	 */
+AES_ENTRY(aes_mac_update)
+	ld1		{v0.16b}, [x4]			/* get dg */
+	enc_prepare	w2, x1, x7
+	cbnz		w5, .Lmacenc
+
+.Lmacloop:
+	cbz		w3, .Lmacout
+	ld1		{v1.16b}, [x0], #16		/* get next pt block */
+	eor		v0.16b, v0.16b, v1.16b		/* ..and xor with dg */
+
+	subs		w3, w3, #1
+	csinv		x5, x6, xzr, eq
+	cbz		w5, .Lmacout
+
+.Lmacenc:
+	encrypt_block	v0, w2, x1, x7, w8
+	b		.Lmacloop
+
+.Lmacout:
+	st1		{v0.16b}, [x4]			/* return dg */
+	ret
+AES_ENDPROC(aes_mac_update)
-- 
2.7.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver
  2017-02-03 14:49 ` [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver Ard Biesheuvel
@ 2017-02-06 10:52   ` Ard Biesheuvel
  0 siblings, 0 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-06 10:52 UTC (permalink / raw)
  To: linux-crypto, Herbert Xu, Eric Biggers; +Cc: linux-arm-kernel, Ard Biesheuvel

On 3 February 2017 at 14:49, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> Update the generic CCM driver to defer CBC-MAC processing to a
> dedicated CBC-MAC ahash transform rather than open coding this
> transform (and much of the associated scatterwalk plumbing) in
> the CCM driver itself.
>
> This cleans up the code considerably, but more importantly, it allows
> the use of alternative CBC-MAC implementations that don't suffer from
> performance degradation due to significant setup time (e.g., the NEON
> based AES code needs to enable/disable the NEON, and load the S-box
> into 16 SIMD registers, which cannot be amortized over the entire input
> when using the cipher interface)
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  crypto/Kconfig |   1 +
>  crypto/ccm.c   | 381 +++++++++++++-------
>  2 files changed, 245 insertions(+), 137 deletions(-)
>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 160f08e721cc..e8269d1b0282 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -263,6 +263,7 @@ comment "Authenticated Encryption with Associated Data"
>  config CRYPTO_CCM
>         tristate "CCM support"
>         select CRYPTO_CTR
> +       select CRYPTO_HASH
>         select CRYPTO_AEAD
>         help
>           Support for Counter with CBC MAC. Required for IPsec.
> diff --git a/crypto/ccm.c b/crypto/ccm.c
> index 26b924d1e582..52e307807ff6 100644
> --- a/crypto/ccm.c
> +++ b/crypto/ccm.c
> @@ -11,6 +11,7 @@
>   */
>
>  #include <crypto/internal/aead.h>
> +#include <crypto/internal/hash.h>
>  #include <crypto/internal/skcipher.h>
>  #include <crypto/scatterwalk.h>
>  #include <linux/err.h>
> @@ -23,11 +24,11 @@
>
>  struct ccm_instance_ctx {
>         struct crypto_skcipher_spawn ctr;
> -       struct crypto_spawn cipher;
> +       struct crypto_ahash_spawn mac;
>  };
>
>  struct crypto_ccm_ctx {
> -       struct crypto_cipher *cipher;
> +       struct crypto_ahash *mac;
>         struct crypto_skcipher *ctr;
>  };
>
> @@ -44,15 +45,22 @@ struct crypto_rfc4309_req_ctx {
>
>  struct crypto_ccm_req_priv_ctx {
>         u8 odata[16];
> -       u8 idata[16];
>         u8 auth_tag[16];
> -       u32 ilen;
>         u32 flags;
>         struct scatterlist src[3];
>         struct scatterlist dst[3];
>         struct skcipher_request skreq;
>  };
>
> +struct cbcmac_tfm_ctx {
> +       struct crypto_cipher *child;
> +};
> +
> +struct cbcmac_desc_ctx {
> +       unsigned int len;
> +       u8 dg[];

This should be

u8 dg[] CRYPTO_MINALIGN_ATTR;



> +};
> +
>  static inline struct crypto_ccm_req_priv_ctx *crypto_ccm_reqctx(
>         struct aead_request *req)
>  {
> @@ -84,7 +92,7 @@ static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
>  {
>         struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
>         struct crypto_skcipher *ctr = ctx->ctr;
> -       struct crypto_cipher *tfm = ctx->cipher;
> +       struct crypto_ahash *mac = ctx->mac;
>         int err = 0;
>
>         crypto_skcipher_clear_flags(ctr, CRYPTO_TFM_REQ_MASK);
> @@ -96,11 +104,11 @@ static int crypto_ccm_setkey(struct crypto_aead *aead, const u8 *key,
>         if (err)
>                 goto out;
>
> -       crypto_cipher_clear_flags(tfm, CRYPTO_TFM_REQ_MASK);
> -       crypto_cipher_set_flags(tfm, crypto_aead_get_flags(aead) &
> +       crypto_ahash_clear_flags(mac, CRYPTO_TFM_REQ_MASK);
> +       crypto_ahash_set_flags(mac, crypto_aead_get_flags(aead) &
>                                     CRYPTO_TFM_REQ_MASK);
> -       err = crypto_cipher_setkey(tfm, key, keylen);
> -       crypto_aead_set_flags(aead, crypto_cipher_get_flags(tfm) &
> +       err = crypto_ahash_setkey(mac, key, keylen);
> +       crypto_aead_set_flags(aead, crypto_ahash_get_flags(mac) &
>                               CRYPTO_TFM_RES_MASK);
>
>  out:
> @@ -167,119 +175,61 @@ static int format_adata(u8 *adata, unsigned int a)
>         return len;
>  }
>
> -static void compute_mac(struct crypto_cipher *tfm, u8 *data, int n,
> -                      struct crypto_ccm_req_priv_ctx *pctx)
> -{
> -       unsigned int bs = 16;
> -       u8 *odata = pctx->odata;
> -       u8 *idata = pctx->idata;
> -       int datalen, getlen;
> -
> -       datalen = n;
> -
> -       /* first time in here, block may be partially filled. */
> -       getlen = bs - pctx->ilen;
> -       if (datalen >= getlen) {
> -               memcpy(idata + pctx->ilen, data, getlen);
> -               crypto_xor(odata, idata, bs);
> -               crypto_cipher_encrypt_one(tfm, odata, odata);
> -               datalen -= getlen;
> -               data += getlen;
> -               pctx->ilen = 0;
> -       }
> -
> -       /* now encrypt rest of data */
> -       while (datalen >= bs) {
> -               crypto_xor(odata, data, bs);
> -               crypto_cipher_encrypt_one(tfm, odata, odata);
> -
> -               datalen -= bs;
> -               data += bs;
> -       }
> -
> -       /* check and see if there's leftover data that wasn't
> -        * enough to fill a block.
> -        */
> -       if (datalen) {
> -               memcpy(idata + pctx->ilen, data, datalen);
> -               pctx->ilen += datalen;
> -       }
> -}
> -
> -static void get_data_to_compute(struct crypto_cipher *tfm,
> -                              struct crypto_ccm_req_priv_ctx *pctx,
> -                              struct scatterlist *sg, unsigned int len)
> -{
> -       struct scatter_walk walk;
> -       u8 *data_src;
> -       int n;
> -
> -       scatterwalk_start(&walk, sg);
> -
> -       while (len) {
> -               n = scatterwalk_clamp(&walk, len);
> -               if (!n) {
> -                       scatterwalk_start(&walk, sg_next(walk.sg));
> -                       n = scatterwalk_clamp(&walk, len);
> -               }
> -               data_src = scatterwalk_map(&walk);
> -
> -               compute_mac(tfm, data_src, n, pctx);
> -               len -= n;
> -
> -               scatterwalk_unmap(data_src);
> -               scatterwalk_advance(&walk, n);
> -               scatterwalk_done(&walk, 0, len);
> -               if (len)
> -                       crypto_yield(pctx->flags);
> -       }
> -
> -       /* any leftover needs padding and then encrypted */
> -       if (pctx->ilen) {
> -               int padlen;
> -               u8 *odata = pctx->odata;
> -               u8 *idata = pctx->idata;
> -
> -               padlen = 16 - pctx->ilen;
> -               memset(idata + pctx->ilen, 0, padlen);
> -               crypto_xor(odata, idata, 16);
> -               crypto_cipher_encrypt_one(tfm, odata, odata);
> -               pctx->ilen = 0;
> -       }
> -}
> -
>  static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
>                            unsigned int cryptlen)
>  {
> +       struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
>         struct crypto_aead *aead = crypto_aead_reqtfm(req);
>         struct crypto_ccm_ctx *ctx = crypto_aead_ctx(aead);
> -       struct crypto_ccm_req_priv_ctx *pctx = crypto_ccm_reqctx(req);
> -       struct crypto_cipher *cipher = ctx->cipher;
> +       AHASH_REQUEST_ON_STACK(ahreq, ctx->mac);
>         unsigned int assoclen = req->assoclen;
> -       u8 *odata = pctx->odata;
> -       u8 *idata = pctx->idata;
> -       int err;
> +       struct scatterlist sg[3];
> +       u8 odata[16];
> +       u8 idata[16];
> +       int ilen, err;
>
>         /* format control data for input */
>         err = format_input(odata, req, cryptlen);
>         if (err)
>                 goto out;
>
> -       /* encrypt first block to use as start in computing mac  */
> -       crypto_cipher_encrypt_one(cipher, odata, odata);
> +       sg_init_table(sg, 3);
> +       sg_set_buf(&sg[0], odata, 16);
>
>         /* format associated data and compute into mac */
>         if (assoclen) {
> -               pctx->ilen = format_adata(idata, assoclen);
> -               get_data_to_compute(cipher, pctx, req->src, req->assoclen);
> +               ilen = format_adata(idata, assoclen);
> +               sg_set_buf(&sg[1], idata, ilen);
> +               sg_chain(sg, 3, req->src);
>         } else {
> -               pctx->ilen = 0;
> +               ilen = 0;
> +               sg_chain(sg, 2, req->src);
>         }
>
> -       /* compute plaintext into mac */
> -       if (cryptlen)
> -               get_data_to_compute(cipher, pctx, plain, cryptlen);
> +       ahash_request_set_tfm(ahreq, ctx->mac);
> +       ahash_request_set_callback(ahreq, pctx->flags, NULL, NULL);
> +       ahash_request_set_crypt(ahreq, sg, NULL, assoclen + ilen + 16);
> +       err = crypto_ahash_init(ahreq);
> +       if (err)
> +               goto out;
> +       err = crypto_ahash_update(ahreq);
> +       if (err)
> +               goto out;
>
> +       /* we need to pad the MAC input to a round multiple of the block size */
> +       ilen = 16 - (assoclen + ilen) % 16;
> +       if (ilen < 16) {
> +               memset(idata, 0, ilen);
> +               sg_init_table(sg, 2);
> +               sg_set_buf(&sg[0], idata, ilen);
> +               if (plain)
> +                       sg_chain(sg, 2, plain);
> +               plain = sg;
> +               cryptlen += ilen;
> +       }
> +
> +       ahash_request_set_crypt(ahreq, plain, pctx->odata, cryptlen);
> +       err = crypto_ahash_finup(ahreq);
>  out:
>         return err;
>  }
> @@ -453,21 +403,21 @@ static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
>         struct aead_instance *inst = aead_alg_instance(tfm);
>         struct ccm_instance_ctx *ictx = aead_instance_ctx(inst);
>         struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
> -       struct crypto_cipher *cipher;
> +       struct crypto_ahash *mac;
>         struct crypto_skcipher *ctr;
>         unsigned long align;
>         int err;
>
> -       cipher = crypto_spawn_cipher(&ictx->cipher);
> -       if (IS_ERR(cipher))
> -               return PTR_ERR(cipher);
> +       mac = crypto_spawn_ahash(&ictx->mac);
> +       if (IS_ERR(mac))
> +               return PTR_ERR(mac);
>
>         ctr = crypto_spawn_skcipher(&ictx->ctr);
>         err = PTR_ERR(ctr);
>         if (IS_ERR(ctr))
> -               goto err_free_cipher;
> +               goto err_free_mac;
>
> -       ctx->cipher = cipher;
> +       ctx->mac = mac;
>         ctx->ctr = ctr;
>
>         align = crypto_aead_alignmask(tfm);
> @@ -479,8 +429,8 @@ static int crypto_ccm_init_tfm(struct crypto_aead *tfm)
>
>         return 0;
>
> -err_free_cipher:
> -       crypto_free_cipher(cipher);
> +err_free_mac:
> +       crypto_free_ahash(mac);
>         return err;
>  }
>
> @@ -488,7 +438,7 @@ static void crypto_ccm_exit_tfm(struct crypto_aead *tfm)
>  {
>         struct crypto_ccm_ctx *ctx = crypto_aead_ctx(tfm);
>
> -       crypto_free_cipher(ctx->cipher);
> +       crypto_free_ahash(ctx->mac);
>         crypto_free_skcipher(ctx->ctr);
>  }
>
> @@ -496,7 +446,7 @@ static void crypto_ccm_free(struct aead_instance *inst)
>  {
>         struct ccm_instance_ctx *ctx = aead_instance_ctx(inst);
>
> -       crypto_drop_spawn(&ctx->cipher);
> +       crypto_drop_ahash(&ctx->mac);
>         crypto_drop_skcipher(&ctx->ctr);
>         kfree(inst);
>  }
> @@ -505,12 +455,13 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
>                                     struct rtattr **tb,
>                                     const char *full_name,
>                                     const char *ctr_name,
> -                                   const char *cipher_name)
> +                                   const char *mac_name)
>  {
>         struct crypto_attr_type *algt;
>         struct aead_instance *inst;
>         struct skcipher_alg *ctr;
> -       struct crypto_alg *cipher;
> +       struct crypto_alg *mac_alg;
> +       struct hash_alg_common *mac;
>         struct ccm_instance_ctx *ictx;
>         int err;
>
> @@ -521,25 +472,26 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
>         if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
>                 return -EINVAL;
>
> -       cipher = crypto_alg_mod_lookup(cipher_name,  CRYPTO_ALG_TYPE_CIPHER,
> -                                      CRYPTO_ALG_TYPE_MASK);
> -       if (IS_ERR(cipher))
> -               return PTR_ERR(cipher);
> +       mac_alg = crypto_find_alg(mac_name, &crypto_ahash_type,
> +                                 CRYPTO_ALG_TYPE_HASH,
> +                                 CRYPTO_ALG_TYPE_AHASH_MASK |
> +                                 CRYPTO_ALG_ASYNC);
> +       if (IS_ERR(mac_alg))
> +               return PTR_ERR(mac_alg);
>
> +       mac = __crypto_hash_alg_common(mac_alg);
>         err = -EINVAL;
> -       if (cipher->cra_blocksize != 16)
> -               goto out_put_cipher;
> +       if (mac->digestsize != 16)
> +               goto out_put_mac;
>
>         inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
>         err = -ENOMEM;
>         if (!inst)
> -               goto out_put_cipher;
> +               goto out_put_mac;
>
>         ictx = aead_instance_ctx(inst);
> -
> -       err = crypto_init_spawn(&ictx->cipher, cipher,
> -                               aead_crypto_instance(inst),
> -                               CRYPTO_ALG_TYPE_MASK);
> +       err = crypto_init_ahash_spawn(&ictx->mac, mac,
> +                                     aead_crypto_instance(inst));
>         if (err)
>                 goto err_free_inst;
>
> @@ -548,7 +500,7 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
>                                    crypto_requires_sync(algt->type,
>                                                         algt->mask));
>         if (err)
> -               goto err_drop_cipher;
> +               goto err_drop_mac;
>
>         ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
>
> @@ -564,16 +516,16 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
>         err = -ENAMETOOLONG;
>         if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
>                      "ccm_base(%s,%s)", ctr->base.cra_driver_name,
> -                    cipher->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
> +                    mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
>                 goto err_drop_ctr;
>
>         memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
>
>         inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC;
> -       inst->alg.base.cra_priority = (cipher->cra_priority +
> +       inst->alg.base.cra_priority = (mac->base.cra_priority +
>                                        ctr->base.cra_priority) / 2;
>         inst->alg.base.cra_blocksize = 1;
> -       inst->alg.base.cra_alignmask = cipher->cra_alignmask |
> +       inst->alg.base.cra_alignmask = mac->base.cra_alignmask |
>                                        ctr->base.cra_alignmask |
>                                        (__alignof__(u32) - 1);
>         inst->alg.ivsize = 16;
> @@ -593,23 +545,24 @@ static int crypto_ccm_create_common(struct crypto_template *tmpl,
>         if (err)
>                 goto err_drop_ctr;
>
> -out_put_cipher:
> -       crypto_mod_put(cipher);
> +out_put_mac:
> +       crypto_mod_put(mac_alg);
>         return err;
>
>  err_drop_ctr:
>         crypto_drop_skcipher(&ictx->ctr);
> -err_drop_cipher:
> -       crypto_drop_spawn(&ictx->cipher);
> +err_drop_mac:
> +       crypto_drop_ahash(&ictx->mac);
>  err_free_inst:
>         kfree(inst);
> -       goto out_put_cipher;
> +       goto out_put_mac;
>  }
>
>  static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
>  {
>         const char *cipher_name;
>         char ctr_name[CRYPTO_MAX_ALG_NAME];
> +       char mac_name[CRYPTO_MAX_ALG_NAME];
>         char full_name[CRYPTO_MAX_ALG_NAME];
>
>         cipher_name = crypto_attr_alg_name(tb[1]);
> @@ -620,12 +573,16 @@ static int crypto_ccm_create(struct crypto_template *tmpl, struct rtattr **tb)
>                      cipher_name) >= CRYPTO_MAX_ALG_NAME)
>                 return -ENAMETOOLONG;
>
> +       if (snprintf(mac_name, CRYPTO_MAX_ALG_NAME, "cbcmac(%s)",
> +                    cipher_name) >= CRYPTO_MAX_ALG_NAME)
> +               return -ENAMETOOLONG;
> +
>         if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >=
>             CRYPTO_MAX_ALG_NAME)
>                 return -ENAMETOOLONG;
>
>         return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
> -                                       cipher_name);
> +                                       mac_name);
>  }
>
>  static struct crypto_template crypto_ccm_tmpl = {
> @@ -899,14 +856,161 @@ static struct crypto_template crypto_rfc4309_tmpl = {
>         .module = THIS_MODULE,
>  };
>
> +static int crypto_cbcmac_digest_setkey(struct crypto_shash *parent,
> +                                    const u8 *inkey, unsigned int keylen)
> +{
> +       struct cbcmac_tfm_ctx *ctx = crypto_shash_ctx(parent);
> +
> +       return crypto_cipher_setkey(ctx->child, inkey, keylen);
> +}
> +
> +static int crypto_cbcmac_digest_init(struct shash_desc *pdesc)
> +{
> +       struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
> +       int bs = crypto_shash_digestsize(pdesc->tfm);
> +
> +       ctx->len = 0;
> +       memset(ctx->dg, 0, bs);
> +
> +       return 0;
> +}
> +
> +static int crypto_cbcmac_digest_update(struct shash_desc *pdesc, const u8 *p,
> +                                      unsigned int len)
> +{
> +       struct crypto_shash *parent = pdesc->tfm;
> +       struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
> +       struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
> +       struct crypto_cipher *tfm = tctx->child;
> +       int bs = crypto_shash_digestsize(parent);
> +
> +       while (len > 0) {
> +               unsigned int l = min(len, bs - ctx->len);
> +
> +               crypto_xor(ctx->dg + ctx->len, p, l);
> +               ctx->len +=l;
> +               len -= l;
> +               p += l;
> +
> +               if (ctx->len == bs) {
> +                       crypto_cipher_encrypt_one(tfm, ctx->dg, ctx->dg);
> +                       ctx->len = 0;
> +               }
> +       }
> +
> +       return 0;
> +}
> +
> +static int crypto_cbcmac_digest_final(struct shash_desc *pdesc, u8 *out)
> +{
> +       struct crypto_shash *parent = pdesc->tfm;
> +       struct cbcmac_tfm_ctx *tctx = crypto_shash_ctx(parent);
> +       struct cbcmac_desc_ctx *ctx = shash_desc_ctx(pdesc);
> +       struct crypto_cipher *tfm = tctx->child;
> +       int bs = crypto_shash_digestsize(parent);
> +
> +       if (ctx->len)
> +               crypto_cipher_encrypt_one(tfm, out, ctx->dg);
> +       else
> +               memcpy(out, ctx->dg, bs);
> +
> +       return 0;
> +}
> +
> +static int cbcmac_init_tfm(struct crypto_tfm *tfm)
> +{
> +       struct crypto_cipher *cipher;
> +       struct crypto_instance *inst = (void *)tfm->__crt_alg;
> +       struct crypto_spawn *spawn = crypto_instance_ctx(inst);
> +       struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
> +
> +       cipher = crypto_spawn_cipher(spawn);
> +       if (IS_ERR(cipher))
> +               return PTR_ERR(cipher);
> +
> +       ctx->child = cipher;
> +
> +       return 0;
> +};
> +
> +static void cbcmac_exit_tfm(struct crypto_tfm *tfm)
> +{
> +       struct cbcmac_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
> +       crypto_free_cipher(ctx->child);
> +}
> +
> +static int cbcmac_create(struct crypto_template *tmpl, struct rtattr **tb)
> +{
> +       struct shash_instance *inst;
> +       struct crypto_alg *alg;
> +       int err;
> +
> +       err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH);
> +       if (err)
> +               return err;
> +
> +       alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER,
> +                                 CRYPTO_ALG_TYPE_MASK);
> +       if (IS_ERR(alg))
> +               return PTR_ERR(alg);
> +
> +       inst = shash_alloc_instance("cbcmac", alg);
> +       err = PTR_ERR(inst);
> +       if (IS_ERR(inst))
> +               goto out_put_alg;
> +
> +       err = crypto_init_spawn(shash_instance_ctx(inst), alg,
> +                               shash_crypto_instance(inst),
> +                               CRYPTO_ALG_TYPE_MASK);
> +       if (err)
> +               goto out_free_inst;
> +
> +       inst->alg.base.cra_priority = alg->cra_priority;
> +       inst->alg.base.cra_blocksize = 1;
> +
> +       inst->alg.digestsize = alg->cra_blocksize;
> +       inst->alg.descsize = sizeof(struct cbcmac_desc_ctx) +
> +                            alg->cra_blocksize;
> +
> +       inst->alg.base.cra_ctxsize = sizeof(struct cbcmac_tfm_ctx);
> +       inst->alg.base.cra_init = cbcmac_init_tfm;
> +       inst->alg.base.cra_exit = cbcmac_exit_tfm;
> +
> +       inst->alg.init = crypto_cbcmac_digest_init;
> +       inst->alg.update = crypto_cbcmac_digest_update;
> +       inst->alg.final = crypto_cbcmac_digest_final;
> +       inst->alg.setkey = crypto_cbcmac_digest_setkey;
> +
> +       err = shash_register_instance(tmpl, inst);
> +
> +out_free_inst:
> +       if (err)
> +               shash_free_instance(shash_crypto_instance(inst));
> +
> +out_put_alg:
> +       crypto_mod_put(alg);
> +       return err;
> +}
> +
> +static struct crypto_template crypto_cbcmac_tmpl = {
> +       .name = "cbcmac",
> +       .create = cbcmac_create,
> +       .free = shash_free_instance,
> +       .module = THIS_MODULE,
> +};
> +
>  static int __init crypto_ccm_module_init(void)
>  {
>         int err;
>
> -       err = crypto_register_template(&crypto_ccm_base_tmpl);
> +       err = crypto_register_template(&crypto_cbcmac_tmpl);
>         if (err)
>                 goto out;
>
> +       err = crypto_register_template(&crypto_ccm_base_tmpl);
> +       if (err)
> +               goto out_undo_cbcmac;
> +
>         err = crypto_register_template(&crypto_ccm_tmpl);
>         if (err)
>                 goto out_undo_base;
> @@ -922,6 +1026,8 @@ static int __init crypto_ccm_module_init(void)
>         crypto_unregister_template(&crypto_ccm_tmpl);
>  out_undo_base:
>         crypto_unregister_template(&crypto_ccm_base_tmpl);
> +out_undo_cbcmac:
> +       crypto_register_template(&crypto_cbcmac_tmpl);
>         goto out;
>  }
>
> @@ -930,6 +1036,7 @@ static void __exit crypto_ccm_module_exit(void)
>         crypto_unregister_template(&crypto_rfc4309_tmpl);
>         crypto_unregister_template(&crypto_ccm_tmpl);
>         crypto_unregister_template(&crypto_ccm_base_tmpl);
> +       crypto_unregister_template(&crypto_cbcmac_tmpl);
>  }
>
>  module_init(crypto_ccm_module_init);
> --
> 2.7.4
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC)
  2017-02-03 14:49 [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Ard Biesheuvel
                   ` (2 preceding siblings ...)
  2017-02-03 14:49 ` [PATCH v3 3/3] crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver Ard Biesheuvel
@ 2017-02-11 10:53 ` Herbert Xu
  2017-02-11 18:05   ` Ard Biesheuvel
  3 siblings, 1 reply; 7+ messages in thread
From: Herbert Xu @ 2017-02-11 10:53 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: linux-crypto, ebiggers3, linux-arm-kernel

On Fri, Feb 03, 2017 at 02:49:34PM +0000, Ard Biesheuvel wrote:
> This series is primarily directed at improving the performance and security
> of CCM on the Rasperry Pi 3. This involves splitting the MAC handling of
> CCM into a separate driver so that we can efficiently replace it by something
> else using the ordinary algo resolution machinery.
> 
> Patch #1 adds some testcases for cbcmac(aes), which will be introduced later.
> 
> Patch #2 replaces the open coded CBC MAC hashing routines in the CCM driver
> with calls to a cbcmac() hash, and implements a template for producing such
> cbcmac transforms. This eliminates all the fuzzy scatterwalk code as well.
> 
> Patch #3 implements cbcmac(aes) using NEON on arm64, and CMAC/XCBC at the
> same time, since it is trivially implemented reusing the same core transform

All applied.  Please send any fixups on top of these patches.
Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC)
  2017-02-11 10:53 ` [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Herbert Xu
@ 2017-02-11 18:05   ` Ard Biesheuvel
  0 siblings, 0 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2017-02-11 18:05 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Eric Biggers, linux-arm-kernel

On 11 February 2017 at 10:53, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Fri, Feb 03, 2017 at 02:49:34PM +0000, Ard Biesheuvel wrote:
>> This series is primarily directed at improving the performance and security
>> of CCM on the Rasperry Pi 3. This involves splitting the MAC handling of
>> CCM into a separate driver so that we can efficiently replace it by something
>> else using the ordinary algo resolution machinery.
>>
>> Patch #1 adds some testcases for cbcmac(aes), which will be introduced later.
>>
>> Patch #2 replaces the open coded CBC MAC hashing routines in the CCM driver
>> with calls to a cbcmac() hash, and implements a template for producing such
>> cbcmac transforms. This eliminates all the fuzzy scatterwalk code as well.
>>
>> Patch #3 implements cbcmac(aes) using NEON on arm64, and CMAC/XCBC at the
>> same time, since it is trivially implemented reusing the same core transform
>
> All applied.  Please send any fixups on top of these patches.

Thanks Herbert. I do have a fixup for #2, which currently does not
correctly take the alignmask of the MAC's subordinate cipher into
account. I will send a fix for that shortly.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2017-02-11 18:59 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-03 14:49 [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Ard Biesheuvel
2017-02-03 14:49 ` [PATCH v3 1/3] crypto: testmgr - add test cases for cbcmac(aes) Ard Biesheuvel
2017-02-03 14:49 ` [PATCH v3 2/3] crypto: ccm - switch to separate cbcmac driver Ard Biesheuvel
2017-02-06 10:52   ` Ard Biesheuvel
2017-02-03 14:49 ` [PATCH v3 3/3] crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver Ard Biesheuvel
2017-02-11 10:53 ` [PATCH v3 0/3] crypto: time invariant AES for CCM (and CMAC/XCBC) Herbert Xu
2017-02-11 18:05   ` Ard Biesheuvel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).