diff options
| author | Eric Biggers <ebiggers@kernel.org> | 2026-02-18 13:35:01 -0800 |
|---|---|---|
| committer | Eric Biggers <ebiggers@kernel.org> | 2026-03-09 13:27:21 -0700 |
| commit | 5e07ce466356d9833757b2d6c0380b6ee7b11a77 (patch) | |
| tree | 45270873bb8d17a04f2c7f0a29c1753c1fd91b77 | |
| parent | c9de7246d5422bbea5374a402e761cf7725a263e (diff) | |
wifi: mac80211: Use AES-CMAC library in aes_s2v()
Now that AES-CMAC has a library API, convert aes_s2v() to use it instead
of a "cmac(aes)" crypto_shash. The result is faster and simpler code.
It's also more reliable, since with the library the only step that can
fail is preparing the key. In contrast, crypto_shash_digest(),
crypto_shash_init(), crypto_shash_update(), and crypto_shash_final()
could all fail and return an errno value. aes_s2v() ignored these
errors, which was a bug. So that bug is fixed as well.
As part of this, change the prototype of aes_s2v() to take the raw key
directly instead of a prepared key. Its only two callers prepare a key
for each call, so it might as well be done directly in aes_s2v().
Since this removes the last dependency on the "cmac(aes)" crypto_shash
from mac80211, also remove the 'select CRYPTO_CMAC'.
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260218213501.136844-16-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
| -rw-r--r-- | net/mac80211/Kconfig | 1 | ||||
| -rw-r--r-- | net/mac80211/fils_aead.c | 48 |
2 files changed, 17 insertions, 32 deletions
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig index 0afbe4f4f976..d6bc295e23a1 100644 --- a/net/mac80211/Kconfig +++ b/net/mac80211/Kconfig @@ -8,7 +8,6 @@ config MAC80211 select CRYPTO_AES select CRYPTO_CCM select CRYPTO_GCM - select CRYPTO_CMAC select CRC32 help This option enables the hardware independent IEEE 802.11 diff --git a/net/mac80211/fils_aead.c b/net/mac80211/fils_aead.c index 912c46f74d24..d2f4a17eab99 100644 --- a/net/mac80211/fils_aead.c +++ b/net/mac80211/fils_aead.c @@ -4,13 +4,11 @@ * Copyright 2016, Qualcomm Atheros, Inc. */ -#include <crypto/aes.h> -#include <crypto/hash.h> +#include <crypto/aes-cbc-macs.h> #include <crypto/skcipher.h> #include <crypto/utils.h> #include "ieee80211_i.h" -#include "aes_cmac.h" #include "fils_aead.h" static void gf_mulx(u8 *pad) @@ -22,31 +20,35 @@ static void gf_mulx(u8 *pad) put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8); } -static int aes_s2v(struct crypto_shash *tfm, +static int aes_s2v(const u8 *in_key, size_t key_len, size_t num_elem, const u8 *addr[], size_t len[], u8 *v) { u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {}; - SHASH_DESC_ON_STACK(desc, tfm); + struct aes_cmac_key key; + struct aes_cmac_ctx ctx; size_t i; + int res; - desc->tfm = tfm; + res = aes_cmac_preparekey(&key, in_key, key_len); + if (res) + return res; /* D = AES-CMAC(K, <zero>) */ - crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d); + aes_cmac(&key, tmp, AES_BLOCK_SIZE, d); for (i = 0; i < num_elem - 1; i++) { /* D = dbl(D) xor AES_CMAC(K, Si) */ gf_mulx(d); /* dbl */ - crypto_shash_digest(desc, addr[i], len[i], tmp); + aes_cmac(&key, addr[i], len[i], tmp); crypto_xor(d, tmp, AES_BLOCK_SIZE); } - crypto_shash_init(desc); + aes_cmac_init(&ctx, &key); if (len[i] >= AES_BLOCK_SIZE) { /* len(Sn) >= 128 */ /* T = Sn xorend D */ - crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE); + aes_cmac_update(&ctx, addr[i], len[i] - AES_BLOCK_SIZE); crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE, AES_BLOCK_SIZE); } else { @@ -57,8 +59,10 @@ static int aes_s2v(struct crypto_shash *tfm, d[len[i]] ^= 0x80; } /* V = AES-CMAC(K, T) */ - crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v); + aes_cmac_update(&ctx, d, AES_BLOCK_SIZE); + aes_cmac_final(&ctx, v); + memzero_explicit(&key, sizeof(key)); return 0; } @@ -69,7 +73,6 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len, size_t len[], u8 *out) { u8 v[AES_BLOCK_SIZE]; - struct crypto_shash *tfm; struct crypto_skcipher *tfm2; struct skcipher_request *req; int res; @@ -83,15 +86,7 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len, num_elem++; /* S2V */ - - tfm = crypto_alloc_shash("cmac(aes)", 0, 0); - if (IS_ERR(tfm)) - return PTR_ERR(tfm); - /* K1 for S2V */ - res = crypto_shash_setkey(tfm, key, key_len); - if (!res) - res = aes_s2v(tfm, num_elem, addr, len, v); - crypto_free_shash(tfm); + res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, v); if (res) return res; @@ -146,7 +141,6 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[], size_t len[], u8 *out) { - struct crypto_shash *tfm; struct crypto_skcipher *tfm2; struct skcipher_request *req; struct scatterlist src[1], dst[1]; @@ -198,15 +192,7 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len, return res; /* S2V */ - - tfm = crypto_alloc_shash("cmac(aes)", 0, 0); - if (IS_ERR(tfm)) - return PTR_ERR(tfm); - /* K1 for S2V */ - res = crypto_shash_setkey(tfm, key, key_len); - if (!res) - res = aes_s2v(tfm, num_elem, addr, len, check); - crypto_free_shash(tfm); + res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, check); if (res) return res; if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0) |