Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] wusb: switch to cbcmac transform
@ 2019-06-14  9:43 Ard Biesheuvel
  2019-06-14 10:05 ` Greg KH
  2019-06-14 21:30 ` kbuild test robot
  0 siblings, 2 replies; 4+ messages in thread
From: Ard Biesheuvel @ 2019-06-14  9:43 UTC (permalink / raw)
  To: linux-usb; +Cc: gregkh, linux-crypto, ebiggers, herbert, Ard Biesheuvel

The wusb code takes a very peculiar approach at implementing CBC-MAC,
by using plain CBC into a scratch buffer, and taking the output IV
as the MAC.

We can clean up this code substantially by switching to the cbcmac
shash, as exposed by the CCM template. To ensure that the module is
loaded on demand, add the cbcmac template name as a module alias.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
v2: - use finup()/digest() where possible, and process b0+b1 using a single
      call to update()
    - make 'stv_hsmic_hs' static const and remove comment regarding GCC 4.1

NOTE: I don't have any hardware to test this, but the built-in selftest
      still passes.

 crypto/ccm.c                  |   1 +
 drivers/usb/wusbcore/crypto.c | 168 +++++---------------
 2 files changed, 44 insertions(+), 125 deletions(-)

diff --git a/crypto/ccm.c b/crypto/ccm.c
index 8c24605c791e..380eb619f657 100644
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -1009,3 +1009,4 @@ MODULE_DESCRIPTION("Counter with CBC MAC");
 MODULE_ALIAS_CRYPTO("ccm_base");
 MODULE_ALIAS_CRYPTO("rfc4309");
 MODULE_ALIAS_CRYPTO("ccm");
+MODULE_ALIAS_CRYPTO("cbcmac");
diff --git a/drivers/usb/wusbcore/crypto.c b/drivers/usb/wusbcore/crypto.c
index edb7263bff40..089c8e81f721 100644
--- a/drivers/usb/wusbcore/crypto.c
+++ b/drivers/usb/wusbcore/crypto.c
@@ -31,6 +31,8 @@
  *             funneled through AES are...16 bytes in size!
  */
 
+#include <crypto/aes.h>
+#include <crypto/hash.h>
 #include <crypto/skcipher.h>
 #include <linux/crypto.h>
 #include <linux/module.h>
@@ -109,16 +111,6 @@ struct aes_ccm_a {
 	__be16 counter;	/* Value of x */
 } __attribute__((packed));
 
-static void bytewise_xor(void *_bo, const void *_bi1, const void *_bi2,
-			 size_t size)
-{
-	u8 *bo = _bo;
-	const u8 *bi1 = _bi1, *bi2 = _bi2;
-	size_t itr;
-	for (itr = 0; itr < size; itr++)
-		bo[itr] = bi1[itr] ^ bi2[itr];
-}
-
 /* Scratch space for MAC calculations. */
 struct wusb_mac_scratch {
 	struct aes_ccm_b0 b0;
@@ -150,8 +142,7 @@ struct wusb_mac_scratch {
  * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
  *     we use exactly 14 bytes).
  *
- * @b: data stream to be processed; cannot be a global or const local
- *     (will confuse the scatterlists)
+ * @b: data stream to be processed
  *
  * @blen: size of b...
  *
@@ -160,16 +151,10 @@ struct wusb_mac_scratch {
  * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
  * take the payload and divide it in blocks (16 bytes), xor them with
  * the previous crypto result (16 bytes) and crypt it, repeat the next
- * block with the output of the previous one, rinse wash (I guess this
- * is what AES CBC mode means...but I truly have no idea). So we use
- * the CBC(AES) blkcipher, that does precisely that. The IV (Initial
+ * block with the output of the previous one, rinse wash. So we use
+ * the CBC-MAC(AES) shash, that does precisely that. The IV (Initial
  * Vector) is 16 bytes and is set to zero, so
  *
- * See rfc3610. Linux crypto has a CBC implementation, but the
- * documentation is scarce, to say the least, and the example code is
- * so intricated that is difficult to understand how things work. Most
- * of this is guess work -- bite me.
- *
  * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
  *     using the 14 bytes of @a to fill up
  *     b1.{mac_header,e0,security_reserved,padding}.
@@ -189,44 +174,24 @@ struct wusb_mac_scratch {
  * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
  *       what sg[4] is for. Maybe there is a smarter way to do this.
  */
-static int wusb_ccm_mac(struct crypto_sync_skcipher *tfm_cbc,
-			struct crypto_cipher *tfm_aes,
+static int wusb_ccm_mac(struct crypto_shash *tfm_cbcmac,
 			struct wusb_mac_scratch *scratch,
 			void *mic,
 			const struct aes_ccm_nonce *n,
 			const struct aes_ccm_label *a, const void *b,
 			size_t blen)
 {
-	int result = 0;
-	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm_cbc);
-	struct scatterlist sg[4], sg_dst;
-	void *dst_buf;
-	size_t dst_size;
-	u8 *iv;
-	size_t zero_padding;
+	SHASH_DESC_ON_STACK(desc, tfm_cbcmac);
+	u8 iv[AES_BLOCK_SIZE];
 
 	/*
 	 * These checks should be compile time optimized out
 	 * ensure @a fills b1's mac_header and following fields
 	 */
-	WARN_ON(sizeof(*a) != sizeof(scratch->b1) - sizeof(scratch->b1.la));
-	WARN_ON(sizeof(scratch->b0) != sizeof(struct aes_ccm_block));
-	WARN_ON(sizeof(scratch->b1) != sizeof(struct aes_ccm_block));
-	WARN_ON(sizeof(scratch->ax) != sizeof(struct aes_ccm_block));
-
-	result = -ENOMEM;
-	zero_padding = blen % sizeof(struct aes_ccm_block);
-	if (zero_padding)
-		zero_padding = sizeof(struct aes_ccm_block) - zero_padding;
-	dst_size = blen + sizeof(scratch->b0) + sizeof(scratch->b1) +
-		zero_padding;
-	dst_buf = kzalloc(dst_size, GFP_KERNEL);
-	if (!dst_buf)
-		goto error_dst_buf;
-
-	iv = kzalloc(crypto_sync_skcipher_ivsize(tfm_cbc), GFP_KERNEL);
-	if (!iv)
-		goto error_iv;
+	BUILD_BUG_ON(sizeof(*a) != sizeof(scratch->b1) - sizeof(scratch->b1.la));
+	BUILD_BUG_ON(sizeof(scratch->b0) != sizeof(struct aes_ccm_block));
+	BUILD_BUG_ON(sizeof(scratch->b1) != sizeof(struct aes_ccm_block));
+	BUILD_BUG_ON(sizeof(scratch->ax) != sizeof(struct aes_ccm_block));
 
 	/* Setup B0 */
 	scratch->b0.flags = 0x59;	/* Format B0 */
@@ -243,46 +208,28 @@ static int wusb_ccm_mac(struct crypto_sync_skcipher *tfm_cbc,
 	scratch->b1.la = cpu_to_be16(blen + 14);
 	memcpy(&scratch->b1.mac_header, a, sizeof(*a));
 
-	sg_init_table(sg, ARRAY_SIZE(sg));
-	sg_set_buf(&sg[0], &scratch->b0, sizeof(scratch->b0));
-	sg_set_buf(&sg[1], &scratch->b1, sizeof(scratch->b1));
-	sg_set_buf(&sg[2], b, blen);
-	/* 0 if well behaved :) */
-	sg_set_page(&sg[3], ZERO_PAGE(0), zero_padding, 0);
-	sg_init_one(&sg_dst, dst_buf, dst_size);
-
-	skcipher_request_set_sync_tfm(req, tfm_cbc);
-	skcipher_request_set_callback(req, 0, NULL, NULL);
-	skcipher_request_set_crypt(req, sg, &sg_dst, dst_size, iv);
-	result = crypto_skcipher_encrypt(req);
-	skcipher_request_zero(req);
-	if (result < 0) {
-		printk(KERN_ERR "E: can't compute CBC-MAC tag (MIC): %d\n",
-		       result);
-		goto error_cbc_crypt;
-	}
+	desc->tfm = tfm_cbcmac;
+	crypto_shash_init(desc);
+	crypto_shash_update(desc, (u8 *)&scratch->b0, sizeof(scratch->b0) +
+						      sizeof(scratch->b1));
+	crypto_shash_finup(desc, b, blen, iv);
 
 	/* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
 	 * The procedure is to AES crypt the A0 block and XOR the MIC
 	 * Tag against it; we only do the first 8 bytes and place it
 	 * directly in the destination buffer.
-	 *
-	 * POS Crypto API: size is assumed to be AES's block size.
-	 * Thanks for documenting it -- tip taken from airo.c
 	 */
 	scratch->ax.flags = 0x01;		/* as per WUSB 1.0 spec */
 	scratch->ax.ccm_nonce = *n;
 	scratch->ax.counter = 0;
-	crypto_cipher_encrypt_one(tfm_aes, (void *)&scratch->ax,
-				  (void *)&scratch->ax);
-	bytewise_xor(mic, &scratch->ax, iv, 8);
-	result = 8;
-error_cbc_crypt:
-	kfree(iv);
-error_iv:
-	kfree(dst_buf);
-error_dst_buf:
-	return result;
+
+	/* reuse the CBC-MAC transform to perform the single block encryption */
+	crypto_shash_digest(desc, (u8 *)&scratch->ax, sizeof(scratch->ax),
+			    (u8 *)&scratch->ax);
+
+	crypto_xor_cpy(mic, (u8 *)&scratch->ax, iv, 8);
+
+	return 8;
 }
 
 /*
@@ -298,45 +245,28 @@ ssize_t wusb_prf(void *out, size_t out_size,
 {
 	ssize_t result, bytes = 0, bitr;
 	struct aes_ccm_nonce n = *_n;
-	struct crypto_sync_skcipher *tfm_cbc;
-	struct crypto_cipher *tfm_aes;
-	struct wusb_mac_scratch *scratch;
+	struct crypto_shash *tfm_cbcmac;
+	struct wusb_mac_scratch scratch;
 	u64 sfn = 0;
 	__le64 sfn_le;
 
-	tfm_cbc = crypto_alloc_sync_skcipher("cbc(aes)", 0, 0);
-	if (IS_ERR(tfm_cbc)) {
-		result = PTR_ERR(tfm_cbc);
-		printk(KERN_ERR "E: can't load CBC(AES): %d\n", (int)result);
-		goto error_alloc_cbc;
-	}
-	result = crypto_sync_skcipher_setkey(tfm_cbc, key, 16);
-	if (result < 0) {
-		printk(KERN_ERR "E: can't set CBC key: %d\n", (int)result);
-		goto error_setkey_cbc;
+	tfm_cbcmac = crypto_alloc_shash("cbcmac(aes)", 0, 0);
+	if (IS_ERR(tfm_cbcmac)) {
+		result = PTR_ERR(tfm_cbcmac);
+		printk(KERN_ERR "E: can't load CBCMAC-AES: %d\n", (int)result);
+		goto error_alloc_cbcmac;
 	}
 
-	tfm_aes = crypto_alloc_cipher("aes", 0, 0);
-	if (IS_ERR(tfm_aes)) {
-		result = PTR_ERR(tfm_aes);
-		printk(KERN_ERR "E: can't load AES: %d\n", (int)result);
-		goto error_alloc_aes;
-	}
-	result = crypto_cipher_setkey(tfm_aes, key, 16);
+	result = crypto_shash_setkey(tfm_cbcmac, key, AES_BLOCK_SIZE);
 	if (result < 0) {
-		printk(KERN_ERR "E: can't set AES key: %d\n", (int)result);
-		goto error_setkey_aes;
-	}
-	scratch = kmalloc(sizeof(*scratch), GFP_KERNEL);
-	if (!scratch) {
-		result = -ENOMEM;
-		goto error_alloc_scratch;
+		printk(KERN_ERR "E: can't set CBCMAC-AES key: %d\n", (int)result);
+		goto error_setkey_cbcmac;
 	}
 
 	for (bitr = 0; bitr < (len + 63) / 64; bitr++) {
 		sfn_le = cpu_to_le64(sfn++);
 		memcpy(&n.sfn, &sfn_le, sizeof(n.sfn));	/* n.sfn++... */
-		result = wusb_ccm_mac(tfm_cbc, tfm_aes, scratch, out + bytes,
+		result = wusb_ccm_mac(tfm_cbcmac, &scratch, out + bytes,
 				      &n, a, b, blen);
 		if (result < 0)
 			goto error_ccm_mac;
@@ -344,15 +274,10 @@ ssize_t wusb_prf(void *out, size_t out_size,
 	}
 	result = bytes;
 
-	kfree(scratch);
-error_alloc_scratch:
 error_ccm_mac:
-error_setkey_aes:
-	crypto_free_cipher(tfm_aes);
-error_alloc_aes:
-error_setkey_cbc:
-	crypto_free_sync_skcipher(tfm_cbc);
-error_alloc_cbc:
+error_setkey_cbcmac:
+	crypto_free_shash(tfm_cbcmac);
+error_alloc_cbcmac:
 	return result;
 }
 
@@ -377,12 +302,8 @@ static int wusb_oob_mic_verify(void)
 {
 	int result;
 	u8 mic[8];
-	/* WUSB1.0[A.2] test vectors
-	 *
-	 * Need to keep it in the local stack as GCC 4.1.3something
-	 * messes up and generates noise.
-	 */
-	struct usb_handshake stv_hsmic_hs = {
+	/* WUSB1.0[A.2] test vectors */
+	static const struct usb_handshake stv_hsmic_hs = {
 		.bMessageNumber = 2,
 		.bStatus 	= 00,
 		.tTKID 		= { 0x76, 0x98, 0x01 },
@@ -457,11 +378,8 @@ static int wusb_key_derive_verify(void)
 {
 	int result = 0;
 	struct wusb_keydvt_out keydvt_out;
-	/* These come from WUSB1.0[A.1] + 2006/12 errata
-	 * NOTE: can't make this const or global -- somehow it seems
-	 *       the scatterlists for crypto get confused and we get
-	 *       bad data. There is no doc on this... */
-	struct wusb_keydvt_in stv_keydvt_in_a1 = {
+	/* These come from WUSB1.0[A.1] + 2006/12 errata */
+	static const struct wusb_keydvt_in stv_keydvt_in_a1 = {
 		.hnonce = {
 			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
 			0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
-- 
2.20.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] wusb: switch to cbcmac transform
  2019-06-14  9:43 [PATCH v2] wusb: switch to cbcmac transform Ard Biesheuvel
@ 2019-06-14 10:05 ` Greg KH
  2019-06-14 10:07   ` Ard Biesheuvel
  2019-06-14 21:30 ` kbuild test robot
  1 sibling, 1 reply; 4+ messages in thread
From: Greg KH @ 2019-06-14 10:05 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: linux-usb, linux-crypto, ebiggers, herbert

On Fri, Jun 14, 2019 at 11:43:53AM +0200, Ard Biesheuvel wrote:
> The wusb code takes a very peculiar approach at implementing CBC-MAC,
> by using plain CBC into a scratch buffer, and taking the output IV
> as the MAC.
> 
> We can clean up this code substantially by switching to the cbcmac
> shash, as exposed by the CCM template. To ensure that the module is
> loaded on demand, add the cbcmac template name as a module alias.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> v2: - use finup()/digest() where possible, and process b0+b1 using a single
>       call to update()
>     - make 'stv_hsmic_hs' static const and remove comment regarding GCC 4.1
> 
> NOTE: I don't have any hardware to test this, but the built-in selftest
>       still passes.

No one has this hardware :)

I'll take this, but I think I'll be moving all of the wireless usb code
to staging to drop it in a few kernel versions as there are no users of
it anymore that I can tell.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] wusb: switch to cbcmac transform
  2019-06-14 10:05 ` Greg KH
@ 2019-06-14 10:07   ` Ard Biesheuvel
  0 siblings, 0 replies; 4+ messages in thread
From: Ard Biesheuvel @ 2019-06-14 10:07 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-usb, open list:HARDWARE RANDOM NUMBER GENERATOR CORE,
	Eric Biggers, Herbert Xu

On Fri, 14 Jun 2019 at 12:05, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Jun 14, 2019 at 11:43:53AM +0200, Ard Biesheuvel wrote:
> > The wusb code takes a very peculiar approach at implementing CBC-MAC,
> > by using plain CBC into a scratch buffer, and taking the output IV
> > as the MAC.
> >
> > We can clean up this code substantially by switching to the cbcmac
> > shash, as exposed by the CCM template. To ensure that the module is
> > loaded on demand, add the cbcmac template name as a module alias.
> >
> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > ---
> > v2: - use finup()/digest() where possible, and process b0+b1 using a single
> >       call to update()
> >     - make 'stv_hsmic_hs' static const and remove comment regarding GCC 4.1
> >
> > NOTE: I don't have any hardware to test this, but the built-in selftest
> >       still passes.
>
> No one has this hardware :)
>

I kind of suspected that :-)

> I'll take this, but I think I'll be moving all of the wireless usb code
> to staging to drop it in a few kernel versions as there are no users of
> it anymore that I can tell.
>

That is fine. I just wanted to make sure it stops using an interface
that I am eager to make private to the crypto subsystem, but the
resulting code is arguably better in any case.

Thanks,

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] wusb: switch to cbcmac transform
  2019-06-14  9:43 [PATCH v2] wusb: switch to cbcmac transform Ard Biesheuvel
  2019-06-14 10:05 ` Greg KH
@ 2019-06-14 21:30 ` kbuild test robot
  1 sibling, 0 replies; 4+ messages in thread
From: kbuild test robot @ 2019-06-14 21:30 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: kbuild-all, linux-usb, gregkh, linux-crypto, ebiggers, herbert,
	Ard Biesheuvel

[-- Attachment #1: Type: text/plain, Size: 6376 bytes --]

Hi Ard,

I love your patch! Yet something to improve:

[auto build test ERROR on cryptodev/master]
[also build test ERROR on v5.2-rc4 next-20190614]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Ard-Biesheuvel/wusb-switch-to-cbcmac-transform/20190615-042110
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 7.4.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=7.4.0 make.cross ARCH=xtensa 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   drivers/usb//wusbcore/crypto.c: In function 'wusb_ccm_mac':
>> drivers/usb//wusbcore/crypto.c:230:2: error: implicit declaration of function 'crypto_xor_cpy'; did you mean 'crypto_comp_crt'? [-Werror=implicit-function-declaration]
     crypto_xor_cpy(mic, (u8 *)&scratch->ax, iv, 8);
     ^~~~~~~~~~~~~~
     crypto_comp_crt
   cc1: some warnings being treated as errors

vim +230 drivers/usb//wusbcore/crypto.c

   120	
   121	/*
   122	 * CC-MAC function WUSB1.0[6.5]
   123	 *
   124	 * Take a data string and produce the encrypted CBC Counter-mode MIC
   125	 *
   126	 * Note the names for most function arguments are made to (more or
   127	 * less) match those used in the pseudo-function definition given in
   128	 * WUSB1.0[6.5].
   129	 *
   130	 * @tfm_cbc: CBC(AES) blkcipher handle (initialized)
   131	 *
   132	 * @tfm_aes: AES cipher handle (initialized)
   133	 *
   134	 * @mic: buffer for placing the computed MIC (Message Integrity
   135	 *       Code). This is exactly 8 bytes, and we expect the buffer to
   136	 *       be at least eight bytes in length.
   137	 *
   138	 * @key: 128 bit symmetric key
   139	 *
   140	 * @n: CCM nonce
   141	 *
   142	 * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
   143	 *     we use exactly 14 bytes).
   144	 *
   145	 * @b: data stream to be processed
   146	 *
   147	 * @blen: size of b...
   148	 *
   149	 * Still not very clear how this is done, but looks like this: we
   150	 * create block B0 (as WUSB1.0[6.5] says), then we AES-crypt it with
   151	 * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
   152	 * take the payload and divide it in blocks (16 bytes), xor them with
   153	 * the previous crypto result (16 bytes) and crypt it, repeat the next
   154	 * block with the output of the previous one, rinse wash. So we use
   155	 * the CBC-MAC(AES) shash, that does precisely that. The IV (Initial
   156	 * Vector) is 16 bytes and is set to zero, so
   157	 *
   158	 * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
   159	 *     using the 14 bytes of @a to fill up
   160	 *     b1.{mac_header,e0,security_reserved,padding}.
   161	 *
   162	 * NOTE: The definition of l(a) in WUSB1.0[6.5] vs the definition of
   163	 *       l(m) is orthogonal, they bear no relationship, so it is not
   164	 *       in conflict with the parameter's relation that
   165	 *       WUSB1.0[6.4.2]) defines.
   166	 *
   167	 * NOTE: WUSB1.0[A.1]: Host Nonce is missing a nibble? (1e); fixed in
   168	 *       first errata released on 2005/07.
   169	 *
   170	 * NOTE: we need to clean IV to zero at each invocation to make sure
   171	 *       we start with a fresh empty Initial Vector, so that the CBC
   172	 *       works ok.
   173	 *
   174	 * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
   175	 *       what sg[4] is for. Maybe there is a smarter way to do this.
   176	 */
   177	static int wusb_ccm_mac(struct crypto_shash *tfm_cbcmac,
   178				struct wusb_mac_scratch *scratch,
   179				void *mic,
   180				const struct aes_ccm_nonce *n,
   181				const struct aes_ccm_label *a, const void *b,
   182				size_t blen)
   183	{
   184		SHASH_DESC_ON_STACK(desc, tfm_cbcmac);
   185		u8 iv[AES_BLOCK_SIZE];
   186	
   187		/*
   188		 * These checks should be compile time optimized out
   189		 * ensure @a fills b1's mac_header and following fields
   190		 */
   191		BUILD_BUG_ON(sizeof(*a) != sizeof(scratch->b1) - sizeof(scratch->b1.la));
   192		BUILD_BUG_ON(sizeof(scratch->b0) != sizeof(struct aes_ccm_block));
   193		BUILD_BUG_ON(sizeof(scratch->b1) != sizeof(struct aes_ccm_block));
   194		BUILD_BUG_ON(sizeof(scratch->ax) != sizeof(struct aes_ccm_block));
   195	
   196		/* Setup B0 */
   197		scratch->b0.flags = 0x59;	/* Format B0 */
   198		scratch->b0.ccm_nonce = *n;
   199		scratch->b0.lm = cpu_to_be16(0);	/* WUSB1.0[6.5] sez l(m) is 0 */
   200	
   201		/* Setup B1
   202		 *
   203		 * The WUSB spec is anything but clear! WUSB1.0[6.5]
   204		 * says that to initialize B1 from A with 'l(a) = blen +
   205		 * 14'--after clarification, it means to use A's contents
   206		 * for MAC Header, EO, sec reserved and padding.
   207		 */
   208		scratch->b1.la = cpu_to_be16(blen + 14);
   209		memcpy(&scratch->b1.mac_header, a, sizeof(*a));
   210	
   211		desc->tfm = tfm_cbcmac;
   212		crypto_shash_init(desc);
   213		crypto_shash_update(desc, (u8 *)&scratch->b0, sizeof(scratch->b0) +
   214							      sizeof(scratch->b1));
   215		crypto_shash_finup(desc, b, blen, iv);
   216	
   217		/* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
   218		 * The procedure is to AES crypt the A0 block and XOR the MIC
   219		 * Tag against it; we only do the first 8 bytes and place it
   220		 * directly in the destination buffer.
   221		 */
   222		scratch->ax.flags = 0x01;		/* as per WUSB 1.0 spec */
   223		scratch->ax.ccm_nonce = *n;
   224		scratch->ax.counter = 0;
   225	
   226		/* reuse the CBC-MAC transform to perform the single block encryption */
   227		crypto_shash_digest(desc, (u8 *)&scratch->ax, sizeof(scratch->ax),
   228				    (u8 *)&scratch->ax);
   229	
 > 230		crypto_xor_cpy(mic, (u8 *)&scratch->ax, iv, 8);
   231	
   232		return 8;
   233	}
   234	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 58635 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-14  9:43 [PATCH v2] wusb: switch to cbcmac transform Ard Biesheuvel
2019-06-14 10:05 ` Greg KH
2019-06-14 10:07   ` Ard Biesheuvel
2019-06-14 21:30 ` kbuild test robot

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox