The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 23/33] wifi: mac80211: Use AES-CTR library in fils_aead.c
Date: Mon,  6 Jul 2026 22:34:53 -0700	[thread overview]
Message-ID: <20260707053503.209874-24-ebiggers@kernel.org> (raw)
In-Reply-To: <20260707053503.209874-1-ebiggers@kernel.org>

Now that there's a library API for AES-CTR, use it instead of a
"ctr(aes)" crypto_skcipher in aes_siv_encrypt() and aes_siv_decrypt().
This significantly simplifies the code.

Further simplify both aes_siv_encrypt() and aes_siv_decrypt() by
memmove()ing the source data to the destination buffer (which is offset
by 16 bytes from the source), then doing AES-CTR in-place.  This
eliminates the need for the temporary buffer in aes_siv_encrypt(), or to
rely on an unsupported overlapped operation in aes_siv_decrypt().  The
latter was technically a bug, though presumably it worked accidentally.

Finally, also fix the auth tag verification to use crypto_memneq().

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 net/mac80211/Kconfig     |  1 +
 net/mac80211/fils_aead.c | 90 ++++++++++++----------------------------
 2 files changed, 27 insertions(+), 64 deletions(-)

diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index d6bc295e23a1..8fe97e63ff39 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -4,6 +4,7 @@ config MAC80211
 	depends on CFG80211
 	select CRYPTO
 	select CRYPTO_LIB_AES_CBC_MACS
+	select CRYPTO_LIB_AES_CTR
 	select CRYPTO_LIB_ARC4
 	select CRYPTO_AES
 	select CRYPTO_CCM
diff --git a/net/mac80211/fils_aead.c b/net/mac80211/fils_aead.c
index d2f4a17eab99..1084c3d0a0e7 100644
--- a/net/mac80211/fils_aead.c
+++ b/net/mac80211/fils_aead.c
@@ -5,7 +5,7 @@
  */
 
 #include <crypto/aes-cbc-macs.h>
-#include <crypto/skcipher.h>
+#include <crypto/aes-ctr.h>
 #include <crypto/utils.h>
 
 #include "ieee80211_i.h"
@@ -73,11 +73,8 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len,
 			   size_t len[], u8 *out)
 {
 	u8 v[AES_BLOCK_SIZE];
-	struct crypto_skcipher *tfm2;
-	struct skcipher_request *req;
+	struct aes_enckey aes_key;
 	int res;
-	struct scatterlist src[1], dst[1];
-	u8 *tmp;
 
 	key_len /= 2; /* S2V key || CTR key */
 
@@ -90,12 +87,12 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len,
 	if (res)
 		return res;
 
-	/* Use a temporary buffer of the plaintext to handle need for
-	 * overwriting this during AES-CTR.
+	/*
+	 * Move the plaintext to prepare it for in-place encryption.  This
+	 * avoids needing to copy it into a temporary buffer to prevent it from
+	 * being clobbered by the IV copy or AES-CTR itself when out == plain.
 	 */
-	tmp = kmemdup(plain, plain_len, GFP_KERNEL);
-	if (!tmp)
-		return -ENOMEM;
+	memmove(out + AES_BLOCK_SIZE, plain, plain_len);
 
 	/* IV for CTR before encrypted data */
 	memcpy(out, v, AES_BLOCK_SIZE);
@@ -106,33 +103,14 @@ static int aes_siv_encrypt(const u8 *key, size_t key_len,
 	v[8] &= 0x7f;
 	v[12] &= 0x7f;
 
-	/* CTR */
-
-	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
-	if (IS_ERR(tfm2)) {
-		kfree(tmp);
-		return PTR_ERR(tfm2);
-	}
-	/* K2 for CTR */
-	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
+	/* CTR with K2 */
+	res = aes_prepareenckey(&aes_key, key + key_len, key_len);
 	if (res)
-		goto fail;
-
-	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
-	if (!req) {
-		res = -ENOMEM;
-		goto fail;
-	}
-
-	sg_init_one(src, tmp, plain_len);
-	sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len);
-	skcipher_request_set_crypt(req, src, dst, plain_len, v);
-	res = crypto_skcipher_encrypt(req);
-	skcipher_request_free(req);
-fail:
-	kfree(tmp);
-	crypto_free_skcipher(tfm2);
-	return res;
+		return res;
+	aes_ctr(out + AES_BLOCK_SIZE, out + AES_BLOCK_SIZE, plain_len, v,
+		&aes_key);
+	memzero_explicit(&aes_key, sizeof(aes_key));
+	return 0;
 }
 
 /* Note: addr[] and len[] needs to have one extra slot at the end. */
@@ -141,9 +119,7 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len,
 			   size_t num_elem, const u8 *addr[], size_t len[],
 			   u8 *out)
 {
-	struct crypto_skcipher *tfm2;
-	struct skcipher_request *req;
-	struct scatterlist src[1], dst[1];
+	struct aes_enckey aes_key;
 	size_t crypt_len;
 	int res;
 	u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE];
@@ -164,38 +140,24 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len,
 	iv[8] &= 0x7f;
 	iv[12] &= 0x7f;
 
-	/* CTR */
-
-	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
-	if (IS_ERR(tfm2))
-		return PTR_ERR(tfm2);
-	/* K2 for CTR */
-	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
-	if (res) {
-		crypto_free_skcipher(tfm2);
-		return res;
-	}
-
-	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
-	if (!req) {
-		crypto_free_skcipher(tfm2);
-		return -ENOMEM;
-	}
-
-	sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len);
-	sg_init_one(dst, out, crypt_len);
-	skcipher_request_set_crypt(req, src, dst, crypt_len, iv);
-	res = crypto_skcipher_decrypt(req);
-	skcipher_request_free(req);
-	crypto_free_skcipher(tfm2);
+	/* CTR with K2 */
+	res = aes_prepareenckey(&aes_key, key + key_len, key_len);
 	if (res)
 		return res;
+	/*
+	 * aes_ctr(out, iv_crypt + AES_BLOCK_SIZE, ...) is an unsupported
+	 * overlapped operation when out == iv_crypt, so memmove() the data to
+	 * 'out' first to enable standard in-place operation.
+	 */
+	memmove(out, iv_crypt + AES_BLOCK_SIZE, crypt_len);
+	aes_ctr(out, out, crypt_len, iv, &aes_key);
+	memzero_explicit(&aes_key, sizeof(aes_key));
 
 	/* S2V */
 	res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, check);
 	if (res)
 		return res;
-	if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0)
+	if (crypto_memneq(check, frame_iv, AES_BLOCK_SIZE))
 		return -EINVAL;
 	return 0;
 }
-- 
2.54.0


  parent reply	other threads:[~2026-07-07  5:37 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07  5:34 [PATCH 00/33] Library APIs for AES encryption modes Eric Biggers
2026-07-07  5:34 ` [PATCH 01/33] crypto: xts - Split out __xts_verify_key() helper Eric Biggers
2026-07-07 13:20   ` Thomas Huth
2026-07-07  5:34 ` [PATCH 02/33] lib/crypto: aes: Add ECB support Eric Biggers
2026-07-07 13:59   ` Thomas Huth
2026-07-07 19:22     ` Eric Biggers
2026-07-08  5:29       ` Thomas Huth
2026-07-07  5:34 ` [PATCH 03/33] lib/crypto: aes: Add CBC and CBC-CTS support Eric Biggers
2026-07-07  5:34 ` [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support Eric Biggers
2026-07-07  5:34 ` [PATCH 05/33] lib/crypto: aes: Add XTS support Eric Biggers
2026-07-07  5:34 ` [PATCH 06/33] lib/crypto: aes: Add GCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 07/33] lib/crypto: aes: Add CCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 08/33] crypto: aes - Add ECB support using library Eric Biggers
2026-07-07  5:34 ` [PATCH 09/33] crypto: aes - Add CBC and CBC-CTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 10/33] crypto: aes - Add CTR and XCTR " Eric Biggers
2026-07-07  5:34 ` [PATCH 11/33] crypto: aes - Add XTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 12/33] crypto: aes - Add GCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 13/33] crypto: aes - Add CCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 14/33] x86/sev: Use new AES-GCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 15/33] lib/crypto: aesgcm: Remove old " Eric Biggers
2026-07-07  5:34 ` [PATCH 16/33] crypto: aes - Remove AES-CBC-MAC support Eric Biggers
2026-07-07  5:34 ` [PATCH 17/33] lib/crypto: aes: Remove aes_cbcmac_* functions Eric Biggers
2026-07-07  5:34 ` [PATCH 18/33] fscrypt: Use aes_ecb_encrypt() for v1 key derivation Eric Biggers
2026-07-07  5:34 ` [PATCH 19/33] KEYS: encrypted: Use AES-CBC library instead of crypto_skcipher Eric Biggers
2026-07-07  5:34 ` [PATCH 20/33] KEYS: trusted: dcp: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 21/33] libceph: Use AES-CBC library in ceph_aes_crypt() Eric Biggers
2026-07-07  5:34 ` [PATCH 22/33] libceph: Reimplement messenger v2 encryption using AES-GCM library Eric Biggers
2026-07-07  5:34 ` Eric Biggers [this message]
2026-07-07  5:34 ` [PATCH 24/33] wifi: mac80211: Use AES-GCM library for GMAC suite Eric Biggers
2026-07-07  5:34 ` [PATCH 25/33] wifi: mac80211: Use crypto libraries for GCMP and CCMP suites Eric Biggers
2026-07-07  5:34 ` [PATCH 26/33] macsec: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 27/33] wifi: ipw2x00: Use AES-CCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 28/33] mac802154: Use AES-CCM and AES-CTR libraries Eric Biggers
2026-07-07  5:34 ` [PATCH 29/33] bpf: crypto: Use AES-CBC and AES-ECB libraries Eric Biggers
2026-07-07 15:01   ` Vadim Fedorenko
2026-07-07 18:20     ` Eric Biggers
2026-07-07 22:50       ` Vadim Fedorenko
2026-07-07 23:16         ` Eric Biggers
2026-07-08 11:47           ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 30/33] bpf: crypto: Add AES-GCM support Eric Biggers
2026-07-07 15:02   ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 31/33] smb: client: Use AES-GCM and AES-CCM libraries Eric Biggers
2026-07-07  5:35 ` [PATCH 32/33] ksmbd: " Eric Biggers
2026-07-07 10:51   ` Namjae Jeon
2026-07-07  5:35 ` [PATCH 33/33] net: tipc: Use AES-GCM library instead of crypto_aead Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707053503.209874-24-ebiggers@kernel.org \
    --to=ebiggers@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox