520af5da66
Implement a minimal library version of AES-GCM based on the existing library implementations of AES and multiplication in GF(2^128). Using these primitives, GCM can be implemented in a straight-forward manner. GCM has a couple of sharp edges, i.e., the amount of input data processed with the same initialization vector (IV) should be capped to protect the counter from 32-bit rollover (or carry), and the size of the authentication tag should be fixed for a given key. [0] The former concern is addressed trivially, given that the function call API uses 32-bit signed types for the input lengths. It is still up to the caller to avoid IV reuse in general, but this is not something we can police at the implementation level. As for the latter concern, let's make the authentication tag size part of the key schedule, and only permit it to be configured as part of the key expansion routine. Note that table based AES implementations are susceptible to known plaintext timing attacks on the encryption key. The AES library already attempts to mitigate this to some extent, but given that the counter mode encryption used by GCM operates exclusively on known plaintext by construction (the IV and therefore the initial counter value are known to an attacker), let's take some extra care to mitigate this, by calling the AES library with interrupts disabled. [0] https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf Link: https://lore.kernel.org/all/c6fb9b25-a4b6-2e4a-2dd1-63adda055a49@amd.com/ Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Nikunj A Dadhania <nikunj@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
56 lines
1.8 KiB
Makefile
56 lines
1.8 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o
|
|
libcryptoutils-y := memneq.o utils.o
|
|
|
|
# chacha is used by the /dev/random driver which is always builtin
|
|
obj-y += chacha.o
|
|
obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
|
|
libaes-y := aes.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_AESGCM) += libaesgcm.o
|
|
libaesgcm-y := aesgcm.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
|
|
libarc4-y := arc4.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_GF128MUL) += gf128mul.o
|
|
|
|
# blake2s is used by the /dev/random driver which is always builtin
|
|
obj-y += libblake2s.o
|
|
libblake2s-y := blake2s.o
|
|
libblake2s-$(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) += blake2s-generic.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) += libchacha20poly1305.o
|
|
libchacha20poly1305-y += chacha20poly1305.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += libcurve25519-generic.o
|
|
libcurve25519-generic-y := curve25519-fiat32.o
|
|
libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
|
|
libcurve25519-generic-y += curve25519-generic.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o
|
|
libcurve25519-y += curve25519.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
|
|
libdes-y := des.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += libpoly1305.o
|
|
libpoly1305-y := poly1305-donna32.o
|
|
libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
|
|
libpoly1305-y += poly1305.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_SHA1) += libsha1.o
|
|
libsha1-y := sha1.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
|
|
libsha256-y := sha256.o
|
|
|
|
ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
|
|
libblake2s-y += blake2s-selftest.o
|
|
libchacha20poly1305-y += chacha20poly1305-selftest.o
|
|
libcurve25519-y += curve25519-selftest.o
|
|
endif
|