• Ard Biesheuvel's avatar
    crypto: lib/aesgcm - Provide minimal library implementation · 520af5da
    Ard Biesheuvel authored
    Implement a minimal library version of AES-GCM based on the existing
    library implementations of AES and multiplication in GF(2^128). Using
    these primitives, GCM can be implemented in a straight-forward manner.
    
    GCM has a couple of sharp edges, i.e., the amount of input data
    processed with the same initialization vector (IV) should be capped to
    protect the counter from 32-bit rollover (or carry), and the size of the
    authentication tag should be fixed for a given key. [0]
    
    The former concern is addressed trivially, given that the function call
    API uses 32-bit signed types for the input lengths. It is still up to
    the caller to avoid IV reuse in general, but this is not something we
    can police at the implementation level.
    
    As for the latter concern, let's make the authentication tag size part
    of the key schedule, and only permit it to be configured as part of the
    key expansion routine.
    
    Note that table based AES implementations are susceptible to known
    plaintext timing attacks on the encryption key. The AES library already
    attempts to mitigate this to some extent, but given that the counter
    mode encryption used by GCM operates exclusively on known plaintext by
    construction (the IV and therefore the initial counter value are known
    to an attacker), let's take some extra care to mitigate this, by calling
    the AES library with interrupts disabled.
    
    [0] https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf
    
    Link: https://lore.kernel.org/all/c6fb9b25-a4b6-2e4a-2dd1-63adda055a49@amd.com/Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
    Tested-by: default avatarNikunj A Dadhania <nikunj@amd.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    520af5da
aesgcm.c 22.1 KB