[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-keyrings
Subject: Re: [PATCH 01/12] crypto: lib - implement library version of AES in CFB mode
From: Jarkko Sakkinen <jarkko () kernel ! org>
Date: 2023-02-27 7:47:47
Message-ID: Y/xgIzTC854qhr+G () kernel ! org
[Download RAW message or body]
On Thu, Feb 16, 2023 at 03:13:59PM -0500, James Bottomley wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
>
> Implement AES in CFB mode using the existing, mostly constant-time
> generic AES library implementation.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> ---
> include/crypto/aes.h | 5 +++
> lib/crypto/Kconfig | 5 +++
> lib/crypto/Makefile | 3 ++
> lib/crypto/aescfb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 88 insertions(+)
> create mode 100644 lib/crypto/aescfb.c
>
> diff --git a/include/crypto/aes.h b/include/crypto/aes.h
> index 2090729701ab..7b9e1df1ccb0 100644
> --- a/include/crypto/aes.h
> +++ b/include/crypto/aes.h
> @@ -87,4 +87,9 @@ void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in);
> extern const u8 crypto_aes_sbox[];
> extern const u8 crypto_aes_inv_sbox[];
>
> +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> + int len, const u8 *iv);
> +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> + int len, const u8 *iv);
> +
> #endif
> diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
> index 45436bfc6dff..b01253cac70a 100644
> --- a/lib/crypto/Kconfig
> +++ b/lib/crypto/Kconfig
> @@ -8,6 +8,11 @@ config CRYPTO_LIB_UTILS
> config CRYPTO_LIB_AES
> tristate
>
> +config CRYPTO_LIB_AESCFB
> + tristate
> + select CRYPTO_LIB_AES
> + select CRYPTO_LIB_UTILS
> +
> config CRYPTO_LIB_AESGCM
> tristate
> select CRYPTO_LIB_AES
> diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
> index 6ec2d4543d9c..33213a01aab1 100644
> --- a/lib/crypto/Makefile
> +++ b/lib/crypto/Makefile
> @@ -10,6 +10,9 @@ obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o
> obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
> libaes-y := aes.o
>
> +obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o
> +libaescfb-y := aescfb.o
> +
> obj-$(CONFIG_CRYPTO_LIB_AESGCM) += libaesgcm.o
> libaesgcm-y := aesgcm.o
>
> diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c
> new file mode 100644
> index 000000000000..e9de1c6d874a
> --- /dev/null
> +++ b/lib/crypto/aescfb.c
> @@ -0,0 +1,75 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Minimal library implementation of AES in CFB mode
> + *
> + * Copyright 2023 Google LLC
> + */
> +
> +#include <linux/module.h>
> +
> +#include <crypto/algapi.h>
> +#include <crypto/aes.h>
> +
> +#include <asm/irqflags.h>
I'd remove the newlines in-between.
> +
> +static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
> + const void *src)
> +{
> + unsigned long flags;
> +
> + /*
> + * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV
> + * and ciphertext), making it susceptible to timing attacks on the
> + * encryption key. The AES library already mitigates this risk to some
> + * extent by pulling the entire S-box into the caches before doing any
> + * substitutions, but this strategy is more effective when running with
> + * interrupts disabled.
> + */
> + local_irq_save(flags);
> + aes_encrypt(ctx, dst, src);
> + local_irq_restore(flags);
> +}
> +
> +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> + int len, const u8 *iv)
> +{
> + while (len > 0) {
> + u8 ks[AES_BLOCK_SIZE];
> +
> + aescfb_encrypt_block(ctx, ks, iv);
> + crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE));
> + iv = dst;
> +
> + dst += AES_BLOCK_SIZE;
> + src += AES_BLOCK_SIZE;
> + len -= AES_BLOCK_SIZE;
> + }
> +}
> +
> +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> + int len, const u8 *iv)
> +{
> + u8 ks[2][AES_BLOCK_SIZE];
> +
> + aescfb_encrypt_block(ctx, ks[0], iv);
> +
> + for (int i = 0; len > 0; i ^= 1) {
> + if (len > AES_BLOCK_SIZE)
> + /*
> + * Generate the keystream for the next block before
> + * performing the XOR, as that may update in place and
> + * overwrite the ciphertext.
> + */
> + aescfb_encrypt_block(ctx, ks[!i], src);
> +
> + crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE));
> +
> + dst += AES_BLOCK_SIZE;
> + src += AES_BLOCK_SIZE;
> + len -= AES_BLOCK_SIZE;
> + }
> +}
> +
> +MODULE_DESCRIPTION("Generic AES-CFB library");
> +MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
> +MODULE_LICENSE("GPL");
> --
> 2.35.3
>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic